0002-misc-fix-admin-role-bad-permissions-using-get_admin_.patch
src/authentic2/management/commands/check-and-repair.py | ||
---|---|---|
331 | 331 |
count = admin_permissions.count() |
332 | 332 |
if not count: |
333 | 333 |
self.warning('invalid admin role "%s" no admin permission', admin_role) |
334 |
elif count > 1:
|
|
335 |
self.warning('invalid admin role "%s" too many admin permissions', admin_role) |
|
334 |
elif count != 2:
|
|
335 |
self.warning('invalid admin role "%s" too few or too many admin permissions', admin_role)
|
|
336 | 336 |
for admin_permission in admin_permissions: |
337 | 337 |
self.notice(' - %s', admin_permission) |
338 | 338 |
for admin_permission in admin_permissions: |
339 | 339 |
if MANAGE_MEMBERS_OP and admin_permission.operation != manage_members_op: |
340 | 340 |
self.warning('invalid admin role "%s" invalid permission "%s": not manage_members operation', |
341 | 341 |
admin_role, admin_permission) |
342 |
if admin_permission != admin_role.admin_scope: |
|
343 |
self.warning('invalid admin role "%s" invalid permission "%s": not admin_scope', |
|
344 |
admin_role, admin_permission) |
|
345 |
if admin_permission.ou != admin_permission.target.ou: |
|
346 |
self.warning('invalid admin role "%s" invalid permission "%s": wrong ou', |
|
342 |
if not ( |
|
343 |
(admin_permission.target != admin_role and admin_permission == admin_role.admin_scope) |
|
344 |
or (admin_permission.target == admin_role)): |
|
345 |
self.warning('invalid admin role "%s" invalid permission "%s": not admin_scope and not self manage permission', |
|
347 | 346 |
admin_role, admin_permission) |
347 |
if admin_permission.ou is not None: |
|
348 |
self.warning('invalid admin role "%s" invalid permission "%s": wrong ou "%s"', |
|
349 |
admin_role, admin_permission, admin_permission.ou) |
|
350 |
admin_permission.target.get_admin_role() |
|
348 | 351 |
if admin_permission.target.ou != admin_role.ou: |
349 | 352 |
self.warning('invalid admin role "%s" wrong ou, should be "%s" is "%s"', |
350 | 353 |
admin_role, admin_permission.target.ou, admin_role.ou) |
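Review bot: The bare `admin_permission.target.get_admin_role()` added after the new `wrong ou "%s"` warning discards its return value and, as far as this section shows, is not gated on the command's repair mode, so a check-only run may end up writing roles or permissions. Indentation is lost in this rendering, so it is unclear whether the call sits inside the `if admin_permission.ou is not None:` branch; either way it should carry a comment stating what it is expected to repair and be guarded by the repair option if the command has one. Separately, the relaxed test `or (admin_permission.target == admin_role)` accepts any permission whose target is the admin role itself, and when `MANAGE_MEMBERS_OP` is falsy nothing in the visible lines checks that permission's operation, so an unexpected operation on the admin role would pass the audit silently. Likewise `elif count != 2:` only counts permissions and does not confirm that one is `admin_role.admin_scope` and the other the self-management permission. The enclosing method starts and ends outside the lines shown here.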
tests/test_commands.py | ||
---|---|---|
299 | 299 |
role1 = Role.objects.create(name='Role 1', slug='role-1', ou=default_ou) |
300 | 300 |
perm1 = Permission.objects.create( |
301 | 301 |
operation=admin_op, target_id=role1.id, |
302 |
ou=default_ou, |
|
302 | 303 |
target_ct=ContentType.objects.get_for_model(Role)) |
303 | 304 | |
304 | 305 |
manager_role1 = Role.objects.create( |
... | ... | |
312 | 313 |
captured = capsys.readouterr() |
313 | 314 |
assert '"Managers of Role 1": no admin scope' in captured.out |
314 | 315 |
assert 'Managers of Role 1" wrong ou, should be "Default organizational unit"' in captured.out |
315 |
assert 'invalid permission "Management / role / Role 1": not manage_members operation' in captured.out |
|
316 |
assert 'invalid permission "Management / role / Role 1": not admin_scope' in captured.out |
|
317 |
assert 'invalid permission "Management / role / Role 1": wrong ou' in captured.out |
|
316 |
assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": not manage_members operation' in captured.out
|
|
317 |
assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": not admin_scope' in captured.out
|
|
318 |
assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": wrong ou' in captured.out
|
|
318 | 319 | |
319 | 320 | |
320 | 321 |
def test_check_and_delete_unused_permissions(db, capsys, simple_user): |
321 |
- |