0002-manager-add-separate-role-inheritance-table-views-53.patch
| src/authentic2/manager/forms.py | ||
|---|---|---|
| 133 | 133 | |
| 134 | 134 | |
| 135 | 135 |
class RolesForm(LimitQuerysetFormMixin, CssClass, forms.Form): |
| 136 | ||
| 137 | 136 |
roles = fields.ChooseRolesField(label=_('Add some roles'))
|
| 138 | 137 | |
| 139 | 138 | |
| 140 |
class RoleParentsForm(LimitQuerysetFormMixin, CssClass, forms.Form): |
|
| 141 |
roles = fields.ChooseManageableMemberRolesField(label=_('Add some roles'))
|
|
| 139 |
class RoleParentForm(LimitQuerysetFormMixin, CssClass, forms.Form): |
|
| 140 |
role = fields.ChooseManageableMemberRoleField(label=_('Add some roles'))
|
|
| 141 |
action = forms.CharField(initial='add', widget=forms.HiddenInput) |
|
| 142 | 142 | |
| 143 | 143 | |
| 144 | 144 |
class ChooseUserRoleForm(LimitQuerysetFormMixin, CssClass, forms.Form): |
| src/authentic2/manager/role_views.py | ||
|---|---|---|
| 21 | 21 |
from django.contrib.contenttypes.models import ContentType |
| 22 | 22 |
from django.core.exceptions import PermissionDenied, ValidationError |
| 23 | 23 |
from django.db import transaction |
| 24 |
from django.db.models import Count, F |
|
| 24 |
from django.db.models import BooleanField, Count, ExpressionWrapper, F, Prefetch |
|
| 25 |
from django.db.models.functions import Cast |
|
| 25 | 26 |
from django.db.models.query import Prefetch, Q |
| 26 | 27 |
from django.shortcuts import get_object_or_404 |
| 27 | 28 |
from django.urls import reverse |
| ... | ... | |
| 34 | 35 |
from authentic2.apps.journal.views import JournalViewWithContext |
| 35 | 36 |
from authentic2.forms.profile import modelform_factory |
| 36 | 37 |
from authentic2.utils.misc import redirect |
| 37 |
from django_rbac.utils import get_ou_model, get_permission_model, get_role_model |
|
| 38 |
from django_rbac.utils import get_ou_model, get_permission_model, get_role_model, get_role_parenting_model
|
|
| 38 | 39 | |
| 39 | 40 |
from . import app_settings, forms, resources, tables, views |
| 40 | 41 |
from .journal_views import BaseJournalView |
| ... | ... | |
| 365 | 366 |
members_export = RoleMembersExportView.as_view() |
| 366 | 367 | |
| 367 | 368 | |
| 368 |
class RoleAddChildView( |
|
| 369 |
views.AjaxFormViewMixin, |
|
| 370 |
views.TitleMixin, |
|
| 371 |
views.PermissionMixin, |
|
| 372 |
views.FormNeedsRequest, |
|
| 373 |
SingleObjectMixin, |
|
| 374 |
FormView, |
|
| 375 |
): |
|
| 369 |
class RoleAddChildView(RoleViewMixin, views.HideOUColumnMixin, views.BaseSubTableView): |
|
| 376 | 370 |
title = _('Add child role')
|
| 377 |
model = get_role_model()
|
|
| 378 |
form_class = forms.RolesForm
|
|
| 379 |
success_url = '..'
|
|
| 380 |
template_name = 'authentic2/manager/form.html'
|
|
| 371 |
form_class = forms.ChooseRoleForm
|
|
| 372 |
table_class = tables.InheritanceRolesTable
|
|
| 373 |
search_form_class = forms.RoleSearchForm
|
|
| 374 |
template_name = 'authentic2/manager/roles_inheritance.html'
|
|
| 381 | 375 |
permissions = ['a2_rbac.manage_members_role'] |
| 376 |
success_url = '.' |
|
| 377 |
slug_field = 'uuid' |
|
| 382 | 378 | |
| 383 |
def dispatch(self, request, *args, **kwargs): |
|
| 384 |
self.object = self.get_object() |
|
| 385 |
return super().dispatch(request, *args, **kwargs) |
|
| 379 |
def get_table_queryset(self): |
|
| 380 |
qs = super().get_table_queryset() |
|
| 381 |
qs = qs.exclude(pk=self.object.pk) |
|
| 382 |
children = self.object.children(annotate=True, include_self=False) |
|
| 383 |
children = children.annotate(is_direct=Cast('direct', output_field=BooleanField()))
|
|
| 384 |
qs = qs.annotate( |
|
| 385 |
checked=ExpressionWrapper(Q(pk__in=children.filter(is_direct=True)), output_field=BooleanField()) |
|
| 386 |
) |
|
| 387 |
qs = qs.annotate( |
|
| 388 |
indeterminate=ExpressionWrapper( |
|
| 389 |
Q(pk__in=children.filter(is_direct=False)), output_field=BooleanField() |
|
| 390 |
) |
|
| 391 |
) |
|
| 392 |
RoleParenting = get_role_parenting_model() |
|
| 393 |
rp_qs = RoleParenting.objects.filter(parent__in=children).annotate(name=F('parent__name'))
|
|
| 394 |
qs = qs.prefetch_related(Prefetch('parent_relation', queryset=rp_qs, to_attr='via'))
|
|
| 395 |
return qs |
|
| 386 | 396 | |
| 387 | 397 |
def form_valid(self, form): |
| 388 |
parent = self.get_object() |
|
| 389 |
for role in form.cleaned_data['roles']: |
|
| 390 |
parent.add_child(role) |
|
| 398 |
role = form.cleaned_data['role'] |
|
| 399 |
action = form.cleaned_data['action'] |
|
| 400 |
if action == 'add': |
|
| 401 |
self.object.add_child(role) |
|
| 391 | 402 |
hooks.call_hooks( |
| 392 |
'event', name='manager-add-child-role', user=self.request.user, parent=parent, child=role
|
|
| 403 |
'event', name='manager-add-child-role', user=self.request.user, parent=self.object, child=role
|
|
| 393 | 404 |
) |
| 394 |
self.request.journal.record('manager.role.inheritance.addition', parent=parent, child=role)
|
|
| 405 |
self.request.journal.record('manager.role.inheritance.addition', parent=self.object, child=role)
|
|
| 406 |
elif action == 'remove': |
|
| 407 |
self.object.remove_child(role) |
|
| 408 |
hooks.call_hooks( |
|
| 409 |
'event', |
|
| 410 |
name='manager-remove-child-role', |
|
| 411 |
user=self.request.user, |
|
| 412 |
parent=self.object, |
|
| 413 |
child=role, |
|
| 414 |
) |
|
| 415 |
self.request.journal.record('manager.role.inheritance.removal', parent=self.object, child=role)
|
|
| 395 | 416 |
return super().form_valid(form) |
| 396 | 417 | |
| 418 |
def get_search_form_kwargs(self): |
|
| 419 |
kwargs = super().get_search_form_kwargs() |
|
| 420 |
kwargs['show_all_ou'] = app_settings.SHOW_ALL_OU |
|
| 421 |
kwargs['queryset'] = self.request.user.filter_by_perm( |
|
| 422 |
'a2_rbac.view_role', get_role_model().objects.all() |
|
| 423 |
) |
|
| 424 |
return kwargs |
|
| 425 | ||
| 397 | 426 | |
| 398 | 427 |
add_child = RoleAddChildView.as_view() |
| 399 | 428 | |
| 400 | 429 | |
| 401 |
class RoleAddParentView( |
|
| 402 |
views.AjaxFormViewMixin, views.TitleMixin, views.FormNeedsRequest, SingleObjectMixin, FormView |
|
| 403 |
): |
|
| 430 |
class RoleAddParentView(RoleViewMixin, views.HideOUColumnMixin, views.BaseSubTableView): |
|
| 404 | 431 |
title = _('Add parent role')
|
| 405 |
model = get_role_model() |
|
| 406 |
form_class = forms.RoleParentsForm |
|
| 407 |
success_url = '..' |
|
| 408 |
template_name = 'authentic2/manager/form.html' |
|
| 432 |
form_class = forms.RoleParentForm |
|
| 433 |
table_class = tables.InheritanceRolesTable |
|
| 434 |
search_form_class = forms.RoleSearchForm |
|
| 435 |
template_name = 'authentic2/manager/roles_inheritance.html' |
|
| 436 |
success_url = '.' |
|
| 437 |
slug_field = 'uuid' |
|
| 409 | 438 | |
| 410 | 439 |
def dispatch(self, request, *args, **kwargs): |
| 411 |
self.object = self.get_object() |
|
| 412 |
if self.object.is_internal(): |
|
| 440 |
if self.get_object().is_internal(): |
|
| 413 | 441 |
raise PermissionDenied |
| 414 | 442 |
return super().dispatch(request, *args, **kwargs) |
| 415 | 443 | |
| 444 |
def get_table_queryset(self): |
|
| 445 |
qs = super().get_table_queryset() |
|
| 446 |
qs = self.request.user.filter_by_perm('a2_rbac.manage_members_role', qs)
|
|
| 447 |
qs = qs.exclude(pk=self.object.pk) |
|
| 448 |
parents = self.object.parents(annotate=True, include_self=False) |
|
| 449 |
parents = parents.annotate(is_direct=Cast('direct', output_field=BooleanField()))
|
|
| 450 |
qs = qs.annotate( |
|
| 451 |
checked=ExpressionWrapper(Q(pk__in=parents.filter(is_direct=True)), output_field=BooleanField()) |
|
| 452 |
) |
|
| 453 |
qs = qs.annotate( |
|
| 454 |
indeterminate=ExpressionWrapper( |
|
| 455 |
Q(pk__in=parents.filter(is_direct=False)), output_field=BooleanField() |
|
| 456 |
) |
|
| 457 |
) |
|
| 458 |
RoleParenting = get_role_parenting_model() |
|
| 459 |
rp_qs = RoleParenting.objects.filter(child__in=parents).annotate(name=F('child__name'))
|
|
| 460 |
qs = qs.prefetch_related(Prefetch('child_relation', queryset=rp_qs, to_attr='via'))
|
|
| 461 |
return qs |
|
| 462 | ||
| 416 | 463 |
def form_valid(self, form): |
| 417 |
child = self.get_object() |
|
| 418 |
for role in form.cleaned_data['roles']: |
|
| 419 |
child.add_parent(role) |
|
| 464 |
role = form.cleaned_data['role'] |
|
| 465 |
action = form.cleaned_data['action'] |
|
| 466 |
if action == 'add': |
|
| 467 |
self.object.add_parent(role) |
|
| 468 |
hooks.call_hooks( |
|
| 469 |
'event', name='manager-add-child-role', user=self.request.user, parent=role, child=self.object |
|
| 470 |
) |
|
| 471 |
self.request.journal.record('manager.role.inheritance.addition', parent=role, child=self.object)
|
|
| 472 |
elif action == 'remove': |
|
| 473 |
self.object.remove_parent(role) |
|
| 420 | 474 |
hooks.call_hooks( |
| 421 |
'event', name='manager-add-child-role', user=self.request.user, parent=role, child=child |
|
| 475 |
'event', |
|
| 476 |
name='manager-remove-child-role', |
|
| 477 |
user=self.request.user, |
|
| 478 |
parent=role, |
|
| 479 |
child=self.object, |
|
| 422 | 480 |
) |
| 423 |
self.request.journal.record('manager.role.inheritance.addition', parent=role, child=child)
|
|
| 481 |
self.request.journal.record('manager.role.inheritance.removal', parent=role, child=self.object)
|
|
| 424 | 482 |
return super().form_valid(form) |
| 425 | 483 | |
| 484 |
def get_search_form_kwargs(self): |
|
| 485 |
kwargs = super().get_search_form_kwargs() |
|
| 486 |
kwargs['show_all_ou'] = app_settings.SHOW_ALL_OU |
|
| 487 |
kwargs['queryset'] = self.request.user.filter_by_perm( |
|
| 488 |
'a2_rbac.manage_members_role', get_role_model().objects.all() |
|
| 489 |
) |
|
| 490 |
return kwargs |
|
| 491 | ||
| 426 | 492 | |
| 427 | 493 |
add_parent = RoleAddParentView.as_view() |
| 428 | 494 | |
| src/authentic2/manager/tables.py | ||
|---|---|---|
| 240 | 240 |
attrs = {'class': 'main plaintable', 'id': 'user-authorizations-table'}
|
| 241 | 241 |
fields = ('client', 'created', 'expired')
|
| 242 | 242 |
empty_text = _('This user has not granted profile data access to any service yet.')
|
| 243 | ||
| 244 | ||
| 245 |
class InheritanceRolesTable(tables.Table): |
|
| 246 |
name = tables.LinkColumn( |
|
| 247 |
viewname='a2-manager-role-members', kwargs={'pk': A('pk')}, accessor='name', verbose_name=_('label')
|
|
| 248 |
) |
|
| 249 |
via = tables.TemplateColumn( |
|
| 250 |
'''{% for rel in record.via %}{{ rel.name }} {% if not forloop.last %}, {% endif %}{% endfor %}''',
|
|
| 251 |
verbose_name=_('Inherited from'),
|
|
| 252 |
orderable=False, |
|
| 253 |
) |
|
| 254 |
member = tables.TemplateColumn( |
|
| 255 |
'<input class="role-member{% if record.indeterminate %} indeterminate{% endif %}" name="role-{{ record.pk }}" type="checkbox" {% if record.checked %}checked{% endif %}/>',
|
|
| 256 |
verbose_name='', |
|
| 257 |
) |
|
| 258 | ||
| 259 |
class Meta: |
|
| 260 |
model = get_role_model() |
|
| 261 |
attrs = {'class': 'main plaintable', 'id': 'inheritance-role-table'}
|
|
| 262 |
fields = ('name', 'ou')
|
|
| 263 |
empty_text = _('None')
|
|
| src/authentic2/manager/templates/authentic2/manager/role_members.html | ||
|---|---|---|
| 116 | 116 |
{% endif %}
|
| 117 | 117 |
{% endfor %}
|
| 118 | 118 |
{% if view.can_manage_members %}
|
| 119 |
<a rel="popup" href="{% url "a2-manager-role-add-child" pk=object.pk %}" class="role-add icon-add-sign"></a>
|
|
| 119 |
<a href="{% url "a2-manager-role-add-child" pk=object.pk %}" class="role-add icon-add-sign"></a>
|
|
| 120 | 120 |
{% else %}
|
| 121 | 121 |
<a title="{% trans "Permission denied" %}" class="disabled role-add icon-add-sign"></a>
|
| 122 | 122 |
{% endif %}
|
| ... | ... | |
| 138 | 138 |
{% endif %}
|
| 139 | 139 |
{% endfor %}
|
| 140 | 140 |
{% if not object.is_internal %}
|
| 141 |
<a rel="popup" href="{% url "a2-manager-role-add-parent" pk=object.pk %}" class="role-add icon-add-sign"></a>
|
|
| 141 |
<a href="{% url "a2-manager-role-add-parent" pk=object.pk %}" class="role-add icon-add-sign"></a>
|
|
| 142 | 142 |
{% else %}
|
| 143 | 143 |
<a title="{% trans "This role is technical, you cannot modify its permissions." %}" class="disabled role-add icon-add-sign"></a>
|
| 144 | 144 |
{% endif %}
|
| src/authentic2/manager/templates/authentic2/manager/roles_inheritance.html | ||
|---|---|---|
| 1 |
{% extends "authentic2/manager/role_common.html" %}
|
|
| 2 |
{% load i18n static django_tables2 %}
|
|
| 3 | ||
| 4 |
{% block breadcrumb %}
|
|
| 5 |
{{ block.super }}
|
|
| 6 |
<a href="..">{{ object }}</a>
|
|
| 7 |
<a href="#">{% trans "Role inheritance" %}</a>
|
|
| 8 |
{% endblock %}
|
|
| 9 | ||
| 10 |
{% block extrascripts %}
|
|
| 11 |
{{ block.super }}
|
|
| 12 |
<script src="{% static "authentic2/manager/js/roles_ajax_checkbox.js" %}"></script>
|
|
| 13 |
{% endblock %}
|
|
| 14 | ||
| 15 |
{% block main %}
|
|
| 16 |
{% with row_link=0 %}
|
|
| 17 |
{% render_table table "authentic2/manager/table.html" %}
|
|
| 18 |
{% endwith %}
|
|
| 19 |
{% endblock %}
|
|
| 20 | ||
| 21 |
{% block sidebar %}
|
|
| 22 |
<aside id="sidebar"> |
|
| 23 |
{% include "authentic2/manager/search_form.html" %}
|
|
| 24 |
</aside> |
|
| 25 |
{% endblock %}
|
|
| src/authentic2/manager/templates/authentic2/manager/user_ou_roles.html | ||
|---|---|---|
| 1 | 1 |
{% extends "authentic2/manager/user_common_roles.html" %}
|
| 2 |
{% load django_tables2 %}
|
|
| 2 |
{% load static django_tables2 %}
|
|
| 3 | 3 | |
| 4 | 4 |
{% block extrascripts %}
|
| 5 | 5 |
{{ block.super }}
|
| tests/test_manager.py | ||
|---|---|---|
| 861 | 861 | |
| 862 | 862 | |
| 863 | 863 |
def test_roles_for_change_widget(admin, app, db): |
| 864 |
from authentic2.manager.forms import RoleParentsForm
|
|
| 864 |
from authentic2.manager.forms import RoleParentForm |
|
| 865 | 865 | |
| 866 | 866 |
login(app, admin, '/manage/') |
| 867 | 867 |
Role.objects.create(name='admin 1') |
| 868 | 868 |
Role.objects.create(name='user 1') |
| 869 | 869 | |
| 870 |
form = RoleParentsForm(request=None)
|
|
| 870 |
form = RoleParentForm(request=None) |
|
| 871 | 871 |
assert form.as_p() |
| 872 |
field_id = form.fields['roles'].widget.build_attrs({})['data-field_id']
|
|
| 872 |
field_id = form.fields['role'].widget.build_attrs({})['data-field_id']
|
|
| 873 | 873 |
url = reverse('django_select2-json')
|
| 874 | 874 |
response = app.get(url, params={'field_id': field_id, 'term': 'admin'})
|
| 875 | 875 |
assert len(response.json['results']) == 1 |
| ... | ... | |
| 940 | 940 |
simple_role.permissions.add(view_role_perm) |
| 941 | 941 |
simple_user.roles.add(simple_role) |
| 942 | 942 |
admin.roles.add(role) |
| 943 | ||
| 943 | 944 |
response = app.get('/manage/roles/%s/add-child/' % simple_role.pk)
|
| 944 |
form = response.form
|
|
| 945 |
form['roles'].force_value(role.pk)
|
|
| 946 |
form.submit().follow()
|
|
| 945 |
token = str(response.context['csrf_token'])
|
|
| 946 |
params = {'action': 'add', 'role': role.pk, 'csrfmiddlewaretoken': token}
|
|
| 947 |
response = app.post('/manage/roles/%s/add-child/' % simple_role.pk, params=params)
|
|
| 947 | 948 |
assert role in simple_role.children() |
| 948 | 949 | |
| 950 |
response = app.get('/manage/roles/%s/' % simple_role.pk)
|
|
| 949 | 951 |
url = '/manage/roles/%s/remove-child/%s/' % (simple_role.pk, role.pk) |
| 950 | 952 |
token = str(response.context['csrf_token']) |
| 951 | 953 |
app.post(url, params={'csrfmiddlewaretoken': token})
|
| 952 | 954 |
assert not role in simple_role.children() |
| 953 | 955 | |
| 954 | 956 |
response = app.get('/manage/roles/%s/add-parent/' % role.pk)
|
| 955 |
form = response.form
|
|
| 956 |
form['roles'].force_value(simple_role.pk)
|
|
| 957 |
form.submit().follow()
|
|
| 957 |
token = str(response.context['csrf_token'])
|
|
| 958 |
params = {'action': 'add', 'role': simple_role.pk, 'csrfmiddlewaretoken': token}
|
|
| 959 |
response = app.post('/manage/roles/%s/add-parent/' % role.pk, params=params)
|
|
| 958 | 960 |
assert simple_role in role.parents() |
| 959 | 961 | |
| 962 |
# try to add arbitrary role |
|
| 963 |
admin_role = Role.objects.get(slug='_a2-manager') |
|
| 964 |
response = app.get('/manage/roles/%s/add-parent/' % role.pk)
|
|
| 965 |
token = str(response.context['csrf_token']) |
|
| 966 |
params = {'action': 'add', 'role': admin_role.pk, 'csrfmiddlewaretoken': token}
|
|
| 967 |
response = app.post('/manage/roles/%s/add-parent/' % simple_role.pk, params=params)
|
|
| 968 |
assert admin_role not in role.parents() |
|
| 969 | ||
| 970 |
response = app.get('/manage/roles/%s/' % simple_role.pk)
|
|
| 960 | 971 |
url = '/manage/roles/%s/remove-parent/%s/' % (role.pk, simple_role.pk) |
| 961 | 972 |
token = str(response.context['csrf_token']) |
| 962 | 973 |
app.post(url, params={'csrfmiddlewaretoken': token})
|
| ... | ... | |
| 978 | 989 |
app.get('/manage/roles/%s/delete/' % simple_role.pk, status=403)
|
| 979 | 990 | |
| 980 | 991 | |
| 981 |
def test_manager_permission_inheritance(app, simple_user, admin, simple_role): |
|
| 982 |
admin_role = Role.objects.get(slug='_a2-manager') |
|
| 983 |
view_role_perm = get_permission_model().objects.create( |
|
| 984 |
operation=get_operation(VIEW_OP), |
|
| 985 |
target_ct=ContentType.objects.get_for_model(Role), |
|
| 986 |
target_id=simple_role.pk, |
|
| 987 |
) |
|
| 988 |
simple_role.permissions.add(view_role_perm) |
|
| 989 |
simple_user.roles.add(simple_role) |
|
| 990 |
login(app, simple_user, '/manage/') |
|
| 991 | ||
| 992 |
response = app.get('/manage/roles/%s/add-parent/' % simple_role.pk)
|
|
| 993 |
form = response.form |
|
| 994 |
form['roles'].force_value(admin_role.pk) |
|
| 995 |
response = form.submit() |
|
| 996 | ||
| 997 |
assert response.status_code == 200 |
|
| 998 |
assert not admin_role in simple_role.parents() |
|
| 999 | ||
| 1000 | ||
| 1001 | 992 |
def test_manager_widget_fields_validation(app, simple_user, simple_role): |
| 1002 | 993 |
'''Verify that fields corresponding to widget implement queryset restrictions.''' |
| 1003 | 994 |
from authentic2.manager.forms import ( |
| 1004 | 995 |
ChooseRoleForm, |
| 1005 | 996 |
ChooseUserForm, |
| 1006 | 997 |
ChooseUserRoleForm, |
| 1007 |
RoleParentsForm,
|
|
| 998 |
RoleParentForm, |
|
| 1008 | 999 |
RolesForm, |
| 1009 | 1000 |
UsersForm, |
| 1010 | 1001 |
) |
| ... | ... | |
| 1056 | 1047 |
assert error_message in form.errors['roles'][0] |
| 1057 | 1048 | |
| 1058 | 1049 |
# For those we need manage_members permission |
| 1059 |
form = RoleParentsForm(request=request, data={'roles': [visible_role.pk]})
|
|
| 1060 |
assert error_message in form.errors['roles'][0]
|
|
| 1050 |
form = RoleParentForm(request=request, data={'role': visible_role.pk, 'action': 'add'})
|
|
| 1051 |
assert error_message in form.errors['role'][0] |
|
| 1061 | 1052 | |
| 1062 | 1053 |
form = ChooseUserRoleForm(request=request, data={'role': visible_role.pk, 'action': 'add'})
|
| 1063 | 1054 |
assert error_message in form.errors['role'][0] |
| ... | ... | |
| 1070 | 1061 |
simple_role.permissions.add(change_role_perm) |
| 1071 | 1062 |
del simple_user._rbac_perms_cache |
| 1072 | 1063 | |
| 1073 |
form = RoleParentsForm(request=request, data={'roles': [visible_role.pk]})
|
|
| 1064 |
form = RoleParentForm(request=request, data={'role': visible_role.pk, 'action': 'add'})
|
|
| 1074 | 1065 |
assert form.is_valid() |
| 1075 | 1066 | |
| 1076 | 1067 |
form = ChooseUserRoleForm(request=request, data={'role': visible_role.pk, 'action': 'add'})
|
| 1077 | 1068 |
assert form.is_valid() |
| 1078 | 1069 | |
| 1079 | 1070 | |
| 1080 |
def test_manager_role_widgets_choices(app, simple_user, simple_role): |
|
| 1081 |
def get_choices(response): |
|
| 1082 |
select2_json = request_select2(app, response) |
|
| 1083 |
assert select2_json['more'] is False |
|
| 1084 |
return {result['id'] for result in select2_json['results']}
|
|
| 1085 | ||
| 1071 |
def test_manager_role_inheritance_list(app, simple_user, simple_role, ou1): |
|
| 1086 | 1072 |
visible_role = Role.objects.create(name='visible_role', ou=simple_user.ou) |
| 1073 |
visible_role_2 = Role.objects.create(name='visible_role_2', ou=ou1) |
|
| 1087 | 1074 |
Role.objects.create(name='invisible_role', ou=simple_user.ou) |
| 1088 | 1075 |
admin_of_simple_role = simple_role.get_admin_role() |
| 1089 | 1076 | |
| 1090 | 1077 |
admin_of_simple_role.members.add(simple_user) |
| 1091 |
view_role_perm = get_permission_model().objects.create( |
|
| 1092 |
operation=get_operation(VIEW_OP), |
|
| 1093 |
target_ct=ContentType.objects.get_for_model(Role), |
|
| 1094 |
target_id=visible_role.pk, |
|
| 1095 |
) |
|
| 1096 |
simple_role.permissions.add(view_role_perm) |
|
| 1078 |
for role in (visible_role, visible_role_2): |
|
| 1079 |
view_role_perm = get_permission_model().objects.create( |
|
| 1080 |
operation=get_operation(VIEW_OP), |
|
| 1081 |
target_ct=ContentType.objects.get_for_model(Role), |
|
| 1082 |
target_id=role.pk, |
|
| 1083 |
) |
|
| 1084 |
simple_role.permissions.add(view_role_perm) |
|
| 1097 | 1085 |
simple_user.roles.add(simple_role) |
| 1098 | 1086 | |
| 1099 | 1087 |
response = login(app, simple_user, '/manage/roles/') |
| 1100 | 1088 | |
| 1101 |
# all visible roles are shown |
|
| 1089 |
# all visible roles are shown, except current role
|
|
| 1102 | 1090 |
response = app.get('/manage/roles/%s/add-child/' % simple_role.pk)
|
| 1103 |
assert {visible_role.pk, simple_role.pk} == get_choices(response)
|
|
| 1104 | ||
| 1105 |
# all roles with manage_members permissions are shown |
|
| 1106 |
response = app.get('/manage/roles/%s/add-parent/' % simple_role.pk)
|
|
| 1107 |
assert {simple_role.pk, admin_of_simple_role.pk} == get_choices(response)
|
|
| 1108 | ||
| 1109 |
response = app.get('/manage/roles/%s/add-parent/' % visible_role.pk)
|
|
| 1110 |
assert {simple_role.pk, admin_of_simple_role.pk} == get_choices(response)
|
|
| 1111 | ||
| 1112 | ||
| 1113 |
def test_manager_widgets_field_id_other_user(app, admin, simple_user, simple_role): |
|
| 1114 |
other_role = Role.objects.create(name='visible_role', ou=simple_user.ou) |
|
| 1115 |
simple_role.get_admin_role().members.add(simple_user) |
|
| 1091 |
q = response.pyquery.remove_namespaces() |
|
| 1092 |
assert len(q('table tbody tr')) == 2
|
|
| 1093 |
assert {e.text_content() for e in q('table tbody td.name')} == {visible_role.name, visible_role_2.name}
|
|
| 1116 | 1094 | |
| 1117 |
response = login(app, admin, '/manage/roles/%s/add-child/' % simple_role.pk) |
|
| 1118 |
select2_json = request_select2(app, response) |
|
| 1119 |
assert select2_json['more'] is False |
|
| 1095 |
# filter by ou |
|
| 1096 |
response.form['search-ou'] = ou1.pk |
|
| 1097 |
response = response.form.submit() |
|
| 1098 |
q = response.pyquery.remove_namespaces() |
|
| 1099 |
assert len(q('table tbody tr')) == 1
|
|
| 1100 |
assert {e.text_content() for e in q('table tbody td.name')} == {visible_role_2.name}
|
|
| 1120 | 1101 | |
| 1121 |
# admin can see every roles |
|
| 1122 |
assert {simple_role.pk, other_role.pk} == {result['id'] for result in select2_json['results']}
|
|
| 1102 |
# filter by name |
|
| 1103 |
response.form['search-text'] = '2' |
|
| 1104 |
response.form['search-ou'] = 'all' |
|
| 1105 |
response = response.form.submit() |
|
| 1106 |
q = response.pyquery.remove_namespaces() |
|
| 1107 |
assert len(q('table tbody tr')) == 1
|
|
| 1108 |
assert {e.text_content() for e in q('table tbody td.name')} == {visible_role_2.name}
|
|
| 1123 | 1109 | |
| 1124 |
login(app, simple_user)
|
|
| 1125 |
# same request from the page served for admin
|
|
| 1126 |
select2_json = request_select2(app, response)
|
|
| 1127 |
# simple_user doesn't see all roles
|
|
| 1128 |
assert simple_role.pk == select2_json['results'][0]['id']
|
|
| 1110 |
# all roles with manage_members permissions are shown
|
|
| 1111 |
response = app.get('/manage/roles/%s/add-parent/' % visible_role.pk)
|
|
| 1112 |
q = response.pyquery.remove_namespaces()
|
|
| 1113 |
assert len(q('table tbody tr')) == 1
|
|
| 1114 |
assert {e.text_content() for e in q('table tbody td.name')} == {simple_role.name}
|
|
| 1129 | 1115 | |
| 1130 |
# anymous user receive 404 |
|
| 1131 |
app.session.flush() |
|
| 1132 |
select2_json = request_select2(app, response, get_kwargs={'status': 404})
|
|
| 1116 |
response.form['search-internals'] = True |
|
| 1117 |
response = response.form.submit() |
|
| 1118 |
q = response.pyquery.remove_namespaces() |
|
| 1119 |
assert len(q('table tbody tr')) == 2
|
|
| 1120 |
assert {e.text_content() for e in q('table tbody td.name')} == {
|
|
| 1121 |
simple_role.name, |
|
| 1122 |
admin_of_simple_role.name, |
|
| 1123 |
} |
|
| 1133 | 1124 | |
| 1134 | 1125 | |
| 1135 | 1126 |
def test_display_parent_roles_on_role_page(app, superuser, settings): |
| 1136 |
- |
|