From 2dbc5e00ef1c596da7e35c99c2ce555c2d0fd1d1 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Fri, 8 Dec 2017 00:35:30 +0100
Subject: [PATCH] manager: do not use has_any_perm() to get add permission on roles (fixes #20512)
This is a temporary fix, the real fix would be to create a real permission to manage members of a roles so that role's admin roles would not have the admin permission but the manage-members permission, so that for an user which can just manager members of a role, request.user.has_any_perm('a2_rbac.add_role') would return False, currently it returns True but it has no meaning.
---
 src/authentic2/manager/role_views.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/authentic2/manager/role_views.py b/src/authentic2/manager/role_views.py
index df9572e..043df38 100644
--- a/src/authentic2/manager/role_views.py
+++ b/src/authentic2/manager/role_views.py
@@ -62,6 +62,11 @@ class RolesView(views.HideOUColumnMixin, RolesMixin, views.BaseTableView):
 kwargs['queryset'] = self.get_queryset()
 return kwargs
+ def authorize(self, request, *args, **kwargs):
+ super(RolesView, self).authorize(request, *args, **kwargs)
+ self.can_add = bool(request.user.ous_with_perm('a2_rbac.add_role'))
+
+
 listing = RolesView.as_view()
--
2.1.4
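Review bot: The added `authorize()` only recomputes `self.can_add` on the listing view, so it corrects whether the add action is offered here, not whether role creation is permitted; the view that actually creates roles is outside this hunk, and if it still authorizes through `has_any_perm('a2_rbac.add_role')`, a user who can only manage members of a role would presumably still pass that check. It is worth confirming that the creation view enforces the same OU-scoped test server-side, and adding a regression test with such a user, since the patch touches only this one file. Because the commit message calls this a temporary fix, the override should say so in place, for example `# Temporary (#20512): has_any_perm('a2_rbac.add_role') is also True for users who only manage a role's members; use the OU-scoped check until a manage-members permission exists.` If `ous_with_perm()` returns a queryset (not visible here), `.exists()` would avoid loading every OU just to test for emptiness.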