0002-manager-raise-PermissionDenied-if-user-has-no-add-us.patch
src/authentic2/manager/templates/403.html | ||
2 | 2 |
{% load i18n %} |
3 | 3 | |
4 | 4 |
{% block content %} |
5 |
<p>{% trans "You are not authorized to see this page." %} </p>
|
|
5 |
<p>{% trans "You are not authorized to see this page." %}</p> |
|
6 | 6 |
<p> |
7 | 7 |
<button onclick="window.location = '/'">{% trans "Homepage" %}</button> |
8 | 8 |
<button onclick="window.history.back()">{% trans "Back" %}</button> |
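--- a/src/authentic2/manager/user_views.py
+++ b/src/authentic2/manager/user_views.py
@@ -55,6 +55,7 @@
 from . import app_settings
 
 User = get_user_model()
+OU = get_ou_model()
 
 
 class UsersView(HideOUColumnMixin, BaseTableView):
@@ -145,16 +146,19 @@
     permissions = ['custom_user.add_user']
     template_name = 'authentic2/manager/user_add.html'
 
+    def dispatch(self, request, *args, **kwargs):
+        qs = request.user.ous_with_perm('custom_user.add_user')
+        try:
+            self.ou = qs.get(pk=self.kwargs['ou_pk'])
+        except OU.DoesNotExist:
+            raise PermissionDenied
+        return super().dispatch(request, *args, **kwargs)
+
     def get_form_kwargs(self):
         kwargs = super(UserAddView, self).get_form_kwargs()
         kwargs['ou'] = self.ou
         return kwargs
 
-    def get_form_class(self):
-        qs = self.request.user.ous_with_perm('custom_user.add_user')
-        self.ou = qs.get(pk=self.kwargs['ou_pk'])
-        return super(UserAddView, self).get_form_class()
-
     def get_fields(self):
         fields = list(self.fields)
         if not self.ou.show_username:
@@ -200,7 +204,7 @@
         return initial
 
     def get_user_add_policies(self, *args, **kwargs):
-        ou = get_ou_model().objects.get(pk=self.kwargs['ou_pk'])
+        ou = OU.objects.get(pk=self.kwargs['ou_pk'])
         value = ou.user_add_password_policy
         return ou.USER_ADD_PASSWD_POLICY_VALUES[value]._asdict()
 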
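Review bot: The new `dispatch` in UserAddView evaluates `request.user.ous_with_perm(...)` before delegating to `super().dispatch`, so whatever authentication and `permissions` handling the parent mixins perform now runs after this OU check; if an unauthenticated request can reach this view, `request.user` would be an AnonymousUser and the lookup would either fail with AttributeError or turn a login redirect into a 403 — worth confirming against the base classes, which are outside the hunk. `get_user_add_policies` still re-fetches the OU with `ou = OU.objects.get(pk=self.kwargs['ou_pk'])` even though `self.ou` is now always set by `dispatch`; `ou = self.ou` avoids the second query and keeps the permission-filtered OU as the single source of truth. The new method uses bare `super()` while its neighbours in the same class use `super(UserAddView, self)`; pick one form for the class. A short docstring on `dispatch`, e.g. `"""Resolve the target OU, refusing with PermissionDenied unless the user may add users in it."""`, would make the intent of the override clear.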
tests/test_user_manager.py | ||
68 | 68 |
assert user.check_password('1234Password') |
69 | 69 | |
70 | 70 | |
71 |
def test_create_user_permission_denied(app, simple_user, ou1, ou2): |
|
72 |
ou1.get_admin_role().members.add(simple_user) |
|
73 |
response = login(app, simple_user, '/manage/users/%s/add/' % ou1.id) |
|
74 | ||
75 |
assert 'You are not authorized to see this page.' not in response.text |
|
76 | ||
77 |
response = app.get('/manage/users/%s/add/' % ou2.id, status=403) |
|
78 |
assert 'You are not authorized to see this page.' in response.text |
|
79 | ||
80 | ||
71 | 81 |
def test_create_user_only_name(app, superuser): |
72 | 82 |
response = login(app, superuser, '/manage/users/') |
73 | 83 |
response = response.click('Add user') |
74 |
- |