From 29948b2b934b71dd986ea0e9bd229e50f36f1b55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Fri, 28 Oct 2016 10:47:47 +0200
Subject: [PATCH] admin: add option to declare roles are managed by identity provider (#13789)
---
 tests/test_admin_pages.py | 30 ++++++++++++++++++++++++++++++
 tests/test_hobo.py | 2 ++
 wcs/admin/users.py | 9 +++++----
 wcs/ctl/check_hobos.py | 1 +
 wcs/qommon/ident/idp.py | 10 +++++++++-
 5 files changed, 47 insertions(+), 5 deletions(-)
diff --git a/tests/test_admin_pages.py b/tests/test_admin_pages.py
index 8705a6a..0751fd1 100644
--- a/tests/test_admin_pages.py
+++ b/tests/test_admin_pages.py
@@ -2489,6 +2489,36 @@ def test_users_edit_edit_account(pub):
 assert PasswordAccount.has_key('foo')
 assert PasswordAccount.get('foo').user_id == user.id
+def test_users_edit_with_managing_idp(pub):
+ create_role()
+ pub.user_class.wipe()
+ pub.cfg['sp'] = {'idp-manage-user-attributes': True}
+ pub.write_cfg()
+ PasswordAccount.wipe()
+ create_superuser(pub)
+ user = pub.user_class(name='foo bar')
+ user.store()
+
+ app = login(get_app(pub))
+ resp = app.get('/backoffice/users/%s/' % user.id)
+ assert '>Manage Roles<' in resp.body
+ resp = resp.click(href='edit')
+ assert not 'email' in resp.form.fields
+ assert 'roles$added_elements' in resp.form.fields
+
+ pub.cfg['sp'] = {'idp-manage-user-roles': True}
+ pub.write_cfg()
+ resp = app.get('/backoffice/users/%s/' % user.id)
+ assert '>Edit<' in resp.body
+ resp = resp.click(href='edit')
+ assert 'email' in resp.form.fields
+ assert not 'roles$added_elements' in resp.form.fields
+
+ pub.cfg['sp'] = {'idp-manage-user-roles': True, 'idp-manage-user-attributes': True}
+ pub.write_cfg()
+ resp = app.get('/backoffice/users/%s/' % user.id)
+ assert not '/edit' in resp.body
+
 def test_users_delete(pub):
 pub.user_class.wipe()
 PasswordAccount.wipe()
diff --git a/tests/test_hobo.py b/tests/test_hobo.py
index 99edd07..82544e0 100644
--- a/tests/test_hobo.py
+++ b/tests/test_hobo.py
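Review bot: The three negated membership checks in the new test_users_edit_with_managing_idp are written as `assert not 'email' in resp.form.fields`; PEP 8 (and ruff E713) prefers the `not in` operator, e.g. `assert 'email' not in resp.form.fields`, and likewise for the `'roles$added_elements'` and `'/edit'` assertions. Separately, the test replaces `pub.cfg['sp']` wholesale three times and writes it with `pub.write_cfg()` without restoring it at the end; unless the `pub` fixture rebuilds the configuration for each test, the last state (both idp-manage flags set) leaks into whatever test runs next, so resetting `pub.cfg['sp']` before returning would keep the test self-contained.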
@@ -322,6 +322,8 @@ def test_configure_authentication_methods():
 assert len(pub.cfg['idp'].keys()) == 1
 assert pub.cfg['saml_identities']['registration-url']
+ assert pub.cfg['sp']['idp-manage-user-attributes']
+ assert pub.cfg['sp']['idp-manage-user-roles']
 def test_deploy():
 cleanup()
diff --git a/wcs/admin/users.py b/wcs/admin/users.py
index b5e0df1..0f4114c 100644
--- a/wcs/admin/users.py
+++ b/wcs/admin/users.py
@@ -25,7 +25,7 @@ from qommon.backoffice.listing import pagination_links
 from wcs.roles import Role
 import qommon.ident
-from qommon.ident.idp import is_idp_managing_user_attributes
+from qommon.ident.idp import is_idp_managing_user_attributes, is_idp_managing_user_roles
 from qommon.form import *
 from qommon.admin.emails import EmailsDirectory
 from qommon.backoffice.menu import html_top
@@ -54,8 +54,9 @@ class UserUI(object):
 formdef.add_fields_to_form(form, form_data = self.user.form_data)
 form.add(CheckboxWidget, 'is_admin', title = _('Administrator Account'), value = self.user.is_admin)
+ roles = list(Role.select(order_by='name'))
- if len(roles):
+ if len(roles) and not is_idp_managing_user_roles():
 form.add(WidgetList, 'roles', title = _('Roles'), element_type = SingleSelectWidget, value = self.user.roles, add_element_label = _('Add Role'),
@@ -214,9 +215,9 @@ class UserPage(Directory):
 r = TemplateIO(html=True)
 r += htmltext('
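Review bot: In the wcs/admin/users.py hunk at `@@ -54,8 +54,9 @@`, `if len(roles) and not is_idp_managing_user_roles():` only stops the roles widget from being added to the edit form; whether a `roles` value posted anyway is really ignored depends on the submit side of this UserUI method, which is outside the hunk, so it is worth confirming that path reads roles through the form widget (absent here) rather than from the raw request, so role assignment genuinely stays with the identity provider. As a point of style the length test is redundant on a list: `if roles and not is_idp_managing_user_roles():`. The `Role.select(order_by='name')` query on the line above still runs even when the IdP owns roles; checking `is_idp_managing_user_roles()` first would skip it, though that is an optimisation rather than a defect. The enclosing method starts and ends outside the hunk.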