From 18cf5622a1fa88033bf8c6cc0cd673a416a97cae Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Tue, 23 Apr 2019 10:49:04 +0200
Subject: [PATCH 7/7] attributes_ng: limit user roles depending on authentication level
---
 src/authentic2/attributes_ng/sources/django_user.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/authentic2/attributes_ng/sources/django_user.py b/src/authentic2/attributes_ng/sources/django_user.py
index 9ef4b083..ac0f52d7 100644
--- a/src/authentic2/attributes_ng/sources/django_user.py
+++ b/src/authentic2/attributes_ng/sources/django_user.py
@@ -83,7 +83,8 @@ def get_attributes(instance, ctx):
 ctx['django_user_identifier'] = splitted[0]
 ctx['django_user_full_name'] = user.get_full_name()
 Role = get_role_model()
- roles = Role.objects.for_user(user)
+ user_auth_level = ctx['request'].session.get('auth_level', 1)
+ roles = Role.objects.for_user(user).filter(auth_level__lte=user_auth_level)
 ctx['a2_role_slugs'] = roles.values_list('slug', flat=True)
 ctx['a2_role_names'] = roles.values_list('name', flat=True)
 ctx['a2_role_uuids'] = roles.values_list('uuid', flat=True)
-- 
2.20.1
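Review bot: The added `ctx['request'].session.get('auth_level', 1)` line subscripts `ctx['request']` unconditionally, so attribute resolution will raise `KeyError` or `AttributeError` whenever `get_attributes` runs with no request in `ctx` or with a request that has no session. The hunk does not show whether every caller supplies one, so this needs checking against the call sites. A fail-closed fallback to the lowest level would keep role filtering in force in that case: `session = getattr(ctx.get('request'), 'session', None)` followed by `user_auth_level = session.get('auth_level', 1) if session is not None else 1`. The literal `1` would read better as a named constant shared with the code that writes `auth_level` into the session. If `Role.auth_level` is nullable, the `auth_level__lte` filter will silently drop roles with no level set, which deserves a comment or an explicit default. The body of `get_attributes` starts and continues outside this hunk.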