From 2b4ebd4de529fa9cc30992ce252a7bb817afec6f Mon Sep 17 00:00:00 2001
From: Valentin Deniaud <vdeniaud@entrouvert.com>
Date: Wed, 24 Apr 2019 11:43:29 +0200
Subject: [PATCH] attributes_ng: limit service roles depending on auth level

---
 src/authentic2/attributes_ng/sources/service_roles.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/authentic2/attributes_ng/sources/service_roles.py b/src/authentic2/attributes_ng/sources/service_roles.py
index 4d1a079f..3b453680 100644
--- a/src/authentic2/attributes_ng/sources/service_roles.py
+++ b/src/authentic2/attributes_ng/sources/service_roles.py
@@ -38,8 +38,9 @@ def get_attributes(instance, ctx):
     if not user or not service:
         return ctx
     ctx = ctx.copy()
+    user_auth_level = ctx['request'].session.get('auth_level', 1)
     roles = Role.objects.for_user(user) \
-        .filter(service=service) \
+        .filter(service=service, auth_level__lte=user_auth_level) \
         .prefetch_related('attributes')
     for service_role in roles:
         for service_role_attribute in service_role.attributes.all():
-- 
2.20.1