0002-misc-fix-admin-role-bad-permissions-using-get_admin_.patch
src/authentic2/management/commands/check-and-repair.py | ||
331 | 331 |
count = admin_permissions.count() |
332 | 332 |
if not count: |
333 | 333 |
self.warning('invalid admin role "%s" no admin permission', admin_role) |
334 |
elif count > 1:
|
|
335 |
self.warning('invalid admin role "%s" too many admin permissions', admin_role) |
|
334 |
elif count != 2:
|
|
335 |
self.warning('invalid admin role "%s" too few or too many admin permissions', admin_role)
|
|
336 | 336 |
for admin_permission in admin_permissions: |
337 | 337 |
self.notice(' - %s', admin_permission) |
338 | 338 |
for admin_permission in admin_permissions: |
339 | 339 |
if MANAGE_MEMBERS_OP and admin_permission.operation != manage_members_op: |
340 | 340 |
self.warning('invalid admin role "%s" invalid permission "%s": not manage_members operation', |
341 | 341 |
admin_role, admin_permission) |
342 |
if admin_permission != admin_role.admin_scope: |
|
343 |
self.warning('invalid admin role "%s" invalid permission "%s": not admin_scope', |
|
344 |
admin_role, admin_permission) |
|
345 |
if admin_permission.ou != admin_permission.target.ou: |
|
346 |
self.warning('invalid admin role "%s" invalid permission "%s": wrong ou', |
|
342 |
if not ( |
|
343 |
(admin_permission.target != admin_role and admin_permission == admin_role.admin_scope) |
|
344 |
or (admin_permission.target == admin_role)): |
|
345 |
self.warning('invalid admin role "%s" invalid permission "%s": not admin_scope and not self manage permission', |
|
347 | 346 |
admin_role, admin_permission) |
347 |
if admin_permission.ou is not None: |
|
348 |
self.warning('invalid admin role "%s" invalid permission "%s": wrong ou "%s"', |
|
349 |
admin_role, admin_permission, admin_permission.ou) |
|
350 |
admin_permission.target.get_admin_role() |
|
348 | 351 |
if admin_permission.target.ou != admin_role.ou: |
349 | 352 |
self.warning('invalid admin role "%s" wrong ou, should be "%s" is "%s"', |
350 | 353 |
admin_role, admin_permission.target.ou, admin_role.ou) |
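Review bot: `admin_permission.target.get_admin_role()` at the end of the loop body discards its return value and runs unconditionally, so its only purpose is a side effect; if that method creates or repairs the target's admin role (the name suggests get-or-create semantics, which the hunk does not show), this check command now writes to the database even when run without `--repair`, and nothing is reported about it. Either gate the call behind the repair option and announce it through `self.notice`, or, if it is only meant as a consistency probe, say so with a comment such as `# side effect only: make sure the target's admin role exists; result unused`. The new admin_scope test can also be flattened, since the `target != admin_role` term is implied by the second disjunct: `if admin_permission != admin_role.admin_scope and admin_permission.target != admin_role:` is equivalent and reads without the double negation. The enclosing method starts and ends outside the hunk.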
tests/test_commands.py | ||
25 | 25 |
from django.utils.timezone import now |
26 | 26 |
import py |
27 | 27 | |
28 |
from authentic2.a2_rbac.models import MANAGE_MEMBERS_OP |
|
28 | 29 |
from authentic2.a2_rbac.utils import get_default_ou |
29 | 30 |
from authentic2.models import UserExternalId |
30 | 31 |
from authentic2_auth_oidc.models import OIDCProvider, OIDCAccount |
... | ... | |
299 | 300 |
role1 = Role.objects.create(name='Role 1', slug='role-1', ou=default_ou) |
300 | 301 |
perm1 = Permission.objects.create( |
301 | 302 |
operation=admin_op, target_id=role1.id, |
303 |
ou=default_ou, |
|
302 | 304 |
target_ct=ContentType.objects.get_for_model(Role)) |
303 | 305 | |
304 | 306 |
manager_role1 = Role.objects.create( |
... | ... | |
312 | 314 |
captured = capsys.readouterr() |
313 | 315 |
assert '"Managers of Role 1": no admin scope' in captured.out |
314 | 316 |
assert 'Managers of Role 1" wrong ou, should be "Default organizational unit"' in captured.out |
315 |
assert 'invalid permission "Management / role / Role 1": not manage_members operation' in captured.out |
|
316 |
assert 'invalid permission "Management / role / Role 1": not admin_scope' in captured.out |
|
317 |
assert 'invalid permission "Management / role / Role 1": wrong ou' in captured.out |
|
318 | ||
317 |
assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": not manage_members operation' in captured.out |
|
318 |
assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": not admin_scope' in captured.out |
|
319 |
assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": wrong ou' in captured.out |
|
320 | ||
321 |
perm1 = Permission.objects.get(operation=admin_op, target_id=role1.id) |
|
322 |
assert perm1.ou == default_ou |
|
323 |
manage_members_op = get_operation(MANAGE_MEMBERS_OP) |
|
324 |
perm1.op = manage_members_op |
|
325 |
perm1.save() |
|
326 |
call_command('check-and-repair', '--repair', '--noinput') |
|
327 |
perm1 = Permission.objects.get(operation=manage_members_op, target_id=role1.id) |
|
328 |
assert perm1.ou is None |
|
319 | 329 | |
320 | 330 |
def test_check_and_delete_unused_permissions(db, capsys, simple_user): |
321 | 331 |
Permission = get_permission_model() |
322 |
- |