0001-general-don-t-allow-admins-to-get-into-new-areas-unl.patch
| extra/auquotidien.py | ||
|---|---|---|
| 28 | 28 |
} |
| 29 | 29 | |
| 30 | 30 | |
| 31 |
def check_visibility(target): |
|
| 32 |
user = get_request().user |
|
| 33 |
if not user: |
|
| 34 |
return False |
|
| 35 |
target = target.strip('/')
|
|
| 36 |
if target == 'management': |
|
| 37 |
target = 'forms' |
|
| 38 |
if target == 'strongbox': |
|
| 39 |
if not get_publisher().has_site_option(target): |
|
| 40 |
# strongbox disabled in site-options.cfg |
|
| 41 |
return False |
|
| 42 |
if not get_cfg('misc', {}).get('aq-strongbox'):
|
|
| 43 |
# strongbox disabled in settings panel |
|
| 44 |
return False |
|
| 45 |
admin_role = get_cfg('aq-permissions', {}).get(target, None)
|
|
| 46 |
if not admin_role: |
|
| 47 |
return False |
|
| 48 |
if not (user.is_admin or admin_role in (user.roles or [])): |
|
| 49 |
return False |
|
| 50 |
return True |
|
| 51 | ||
| 52 | 31 |
rdb = get_publisher_class().backoffice_directory_class |
| 53 | 32 | |
| 54 | 33 |
rdb.items = [] |
| 55 | 34 | |
| 56 | 35 |
rdb.register_directory('announces', modules.announces_ui.AnnouncesDirectory())
|
| 57 |
rdb.register_menu_item('announces/', _('Announces'), check_visibility)
|
|
| 36 |
rdb.register_menu_item('announces/', _('Announces'))
|
|
| 58 | 37 | |
| 59 | 38 |
rdb.register_directory('links', modules.links_ui.LinksDirectory())
|
| 60 |
rdb.register_menu_item('links/', _('Links'), check_visibility)
|
|
| 39 |
rdb.register_menu_item('links/', _('Links'))
|
|
| 61 | 40 | |
| 62 | 41 |
rdb.register_directory('events', modules.events_ui.EventsDirectory())
|
| 63 |
rdb.register_menu_item('events/', _('Events'), check_visibility)
|
|
| 42 |
rdb.register_menu_item('events/', _('Events'))
|
|
| 64 | 43 | |
| 65 | 44 |
rdb.register_directory('payments', modules.payments_ui.PaymentsDirectory())
|
| 66 |
rdb.register_menu_item('payments/', _('Payments'), check_visibility)
|
|
| 45 |
rdb.register_menu_item('payments/', _('Payments'))
|
|
| 67 | 46 | |
| 68 | 47 |
rdb.register_directory('strongbox', modules.strongbox_ui.StrongboxDirectory())
|
| 69 |
rdb.register_menu_item('strongbox/', _('Strongbox'), check_visibility)
|
|
| 48 |
rdb.register_menu_item('strongbox/', _('Strongbox'))
|
|
| 70 | 49 | |
| 71 | 50 |
rdb.register_directory('settings', modules.admin.SettingsDirectory())
|
| 72 | 51 |
rdb.register_directory('categories', modules.categories_admin.CategoriesDirectory())
|
| extra/modules/announces_ui.py | ||
|---|---|---|
| 320 | 320 | |
| 321 | 321 |
subscriptions = SubscriptionsDirectory() |
| 322 | 322 | |
| 323 |
def is_accessible(self, user): |
|
| 324 |
from .backoffice import check_visibility |
|
| 325 |
return check_visibility('announces', user)
|
|
| 326 | ||
| 323 | 327 |
def _q_access(self): |
| 324 | 328 |
user = get_request().user |
| 325 | 329 |
if not user: |
| 326 | 330 |
raise errors.AccessUnauthorizedError() |
| 327 |
admin_role = get_cfg('aq-permissions', {}).get('announces', None)
|
|
| 328 |
if not (user.is_admin or admin_role in (user.roles or [])):
|
|
| 331 | ||
| 332 |
if not self.is_accessible(user):
|
|
| 329 | 333 |
raise errors.AccessForbiddenError( |
| 330 | 334 |
public_msg = _('You are not allowed to access Announces Management'),
|
| 331 | 335 |
location_hint = 'backoffice') |
| extra/modules/backoffice.py | ||
|---|---|---|
| 14 | 14 |
from qommon import get_cfg, errors |
| 15 | 15 |
from qommon.form import * |
| 16 | 16 | |
| 17 |
CURRENT_USER = object() |
|
| 18 | ||
| 19 |
def check_visibility(target, user=CURRENT_USER): |
|
| 20 |
if user is CURRENT_USER: |
|
| 21 |
user = get_request().user |
|
| 22 |
if not user: |
|
| 23 |
return False |
|
| 24 |
target = target.strip('/')
|
|
| 25 |
if target == 'management': |
|
| 26 |
target = 'forms' |
|
| 27 |
if target == 'strongbox': |
|
| 28 |
if not get_publisher().has_site_option(target): |
|
| 29 |
# strongbox disabled in site-options.cfg |
|
| 30 |
return False |
|
| 31 |
if not get_cfg('misc', {}).get('aq-strongbox'):
|
|
| 32 |
# strongbox disabled in settings panel |
|
| 33 |
return False |
|
| 34 |
admin_role = get_cfg('aq-permissions', {}).get(target, None)
|
|
| 35 |
if not admin_role: |
|
| 36 |
return False |
|
| 37 |
if not (user.is_admin or admin_role in (user.roles or [])): |
|
| 38 |
return False |
|
| 39 |
return True |
|
| 40 | ||
| 41 | ||
| 17 | 42 |
class BackofficeRootDirectory(wcs.backoffice.root.RootDirectory): |
| 18 | 43 |
def _q_access(self): |
| 19 | 44 |
super(BackofficeRootDirectory, self)._q_access() |
| extra/modules/events_ui.py | ||
|---|---|---|
| 304 | 304 | |
| 305 | 305 |
remote = RemoteCalendarsDirectory() |
| 306 | 306 | |
| 307 |
def is_accessible(self, user): |
|
| 308 |
from .backoffice import check_visibility |
|
| 309 |
return check_visibility('events', user)
|
|
| 310 | ||
| 307 | 311 |
def _q_access(self): |
| 308 | 312 |
user = get_request().user |
| 309 | 313 |
if not user: |
| 310 | 314 |
raise errors.AccessUnauthorizedError() |
| 311 |
admin_role = get_cfg('aq-permissions', {}).get('events', None)
|
|
| 312 |
if not (user.is_admin or admin_role in (user.roles or [])):
|
|
| 315 | ||
| 316 |
if not self.is_accessible(user):
|
|
| 313 | 317 |
raise errors.AccessForbiddenError( |
| 314 | 318 |
public_msg = _('You are not allowed to access Events Management'),
|
| 315 | 319 |
location_hint = 'backoffice') |
| extra/modules/links_ui.py | ||
|---|---|---|
| 101 | 101 |
_q_exports = ['', 'new', 'listing', 'update_order'] |
| 102 | 102 |
label = N_('Links')
|
| 103 | 103 | |
| 104 |
def is_accessible(self, user): |
|
| 105 |
from .backoffice import check_visibility |
|
| 106 |
return check_visibility('links', user)
|
|
| 107 | ||
| 104 | 108 |
def _q_access(self): |
| 105 | 109 |
user = get_request().user |
| 106 | 110 |
if not user: |
| 107 | 111 |
raise errors.AccessUnauthorizedError() |
| 108 |
admin_role = get_cfg('aq-permissions', {}).get('links', None)
|
|
| 109 |
if not (user.is_admin or admin_role in (user.roles or [])):
|
|
| 112 | ||
| 113 |
if not self.is_accessible(user):
|
|
| 110 | 114 |
raise errors.AccessForbiddenError( |
| 111 | 115 |
public_msg = _('You are not allowed to access Links Management'),
|
| 112 | 116 |
location_hint = 'backoffice') |
| extra/modules/payments_ui.py | ||
|---|---|---|
| 524 | 524 | |
| 525 | 525 |
regie = RegiesDirectory() |
| 526 | 526 | |
| 527 |
def is_accessible(self, user): |
|
| 528 |
from .backoffice import check_visibility |
|
| 529 |
return check_visibility('payments', user)
|
|
| 530 | ||
| 527 | 531 |
def _q_access(self): |
| 528 | 532 |
user = get_request().user |
| 529 | 533 |
if not user: |
| 530 | 534 |
raise errors.AccessUnauthorizedError() |
| 531 |
admin_role = get_cfg('aq-permissions', {}).get('payments', None)
|
|
| 532 |
if not (user.is_admin or admin_role in (user.roles or [])):
|
|
| 535 | ||
| 536 |
if not self.is_accessible(user):
|
|
| 533 | 537 |
raise errors.AccessForbiddenError( |
| 534 | 538 |
public_msg = _('You are not allowed to access Payments Management'),
|
| 535 | 539 |
location_hint = 'backoffice') |
| extra/modules/strongbox_ui.py | ||
|---|---|---|
| 147 | 147 | |
| 148 | 148 |
types = StrongboxTypesDirectory() |
| 149 | 149 | |
| 150 |
def is_accessible(self, user): |
|
| 151 |
from .backoffice import check_visibility |
|
| 152 |
return check_visibility('strongbox', user)
|
|
| 153 | ||
| 150 | 154 |
def _q_access(self): |
| 151 | 155 |
user = get_request().user |
| 152 | 156 |
if not user: |
| 153 | 157 |
raise errors.AccessUnauthorizedError() |
| 154 |
admin_role = get_cfg('aq-permissions', {}).get('strongbox', None)
|
|
| 155 |
if not (user.is_admin or admin_role in (user.roles or [])):
|
|
| 158 | ||
| 159 |
if not self.is_accessible(user):
|
|
| 156 | 160 |
raise errors.AccessForbiddenError( |
| 157 | 161 |
public_msg = _('You are not allowed to access Strongbox Management'),
|
| 158 | 162 |
location_hint = 'backoffice') |
| tests/test_admin_pages.py | ||
|---|---|---|
| 72 | 72 |
# this makes sure the extension loaded properly |
| 73 | 73 |
assert '<span id="applabel">Publik</span>' in resp.body |
| 74 | 74 | |
| 75 |
def test_directory_registration(): |
|
| 76 |
create_superuser() |
|
| 77 |
app = login(get_app(pub)) |
|
| 78 |
resp = app.get('/backoffice/links/')
|
|
| 79 | ||
| 80 | 75 |
def test_general_admin_permissions(): |
| 81 | 76 |
create_superuser() |
| 82 | 77 |
app = login(get_app(pub)) |
| ... | ... | |
| 96 | 91 |
resp = app.get('/backoffice/settings/')
|
| 97 | 92 |
assert 'aq/permissions' in resp.body |
| 98 | 93 |
resp = app.get('/backoffice/settings/aq/permissions')
|
| 94 | ||
| 95 |
def test_menu_items(): |
|
| 96 |
create_superuser() |
|
| 97 |
role = create_role() |
|
| 98 | ||
| 99 |
for area in ('links', 'announces', 'events', 'links', 'payments'):
|
|
| 100 |
pub.cfg['aq-permissions'] = {area: None}
|
|
| 101 |
pub.write_cfg() |
|
| 102 | ||
| 103 |
user1.is_admin = True |
|
| 104 |
user1.roles = [] |
|
| 105 |
user1.store() |
|
| 106 | ||
| 107 |
app = login(get_app(pub)) |
|
| 108 |
resp = app.get('/backoffice/')
|
|
| 109 |
assert not '/%s/' % area in resp.body |
|
| 110 |
resp = app.get('/backoffice/%s/' % area, status=403)
|
|
| 111 | ||
| 112 |
pub.cfg['aq-permissions'] = {area: 'XXX'}
|
|
| 113 |
pub.write_cfg() |
|
| 114 | ||
| 115 |
resp = app.get('/backoffice/')
|
|
| 116 |
assert '/%s/' % area in resp.body |
|
| 117 |
resp = app.get('/backoffice/%s/' % area, status=200)
|
|
| 118 | ||
| 119 |
user1.is_admin = False |
|
| 120 |
user1.roles = [role.id] |
|
| 121 |
user1.store() |
|
| 122 |
resp = app.get('/backoffice/')
|
|
| 123 |
assert not '/%s/' % area in resp.body |
|
| 124 |
resp = app.get('/backoffice/%s/' % area, status=403)
|
|
| 125 | ||
| 126 |
user1.is_admin = False |
|
| 127 |
user1.roles = [role.id, 'XXX'] |
|
| 128 |
user1.store() |
|
| 129 |
resp = app.get('/backoffice/')
|
|
| 130 |
assert '/%s/' % area in resp.body |
|
| 131 |
resp = app.get('/backoffice/%s/' % area, status=200)
|
|
| 99 |
- |
|