From cfb360a9e514a512f73d244dcef21b266de509dc Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Tue, 7 May 2019 11:24:55 +0200
Subject: [PATCH 6/8] manager: handle special cases of access control (#33515)

Making use of the new could_{action} attribute previously introduced.
---
 src/authentic2/manager/ou_views.py   | 2 +-
 src/authentic2/manager/role_views.py | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/authentic2/manager/ou_views.py b/src/authentic2/manager/ou_views.py
index a9904a70..2c0b7f89 100644
--- a/src/authentic2/manager/ou_views.py
+++ b/src/authentic2/manager/ou_views.py
@@ -63,7 +63,7 @@ class OrganizationalUnitDetailView(views.BaseDetailView):
 
     def authorize(self, request, *args, **kwargs):
         super(OrganizationalUnitDetailView, self).authorize(request, *args, **kwargs)
-        self.can_delete = self.can_delete and not self.object.default
+        self.could_delete = self.could_delete and not self.object.default
 
 
 detail = OrganizationalUnitDetailView.as_view()
diff --git a/src/authentic2/manager/role_views.py b/src/authentic2/manager/role_views.py
index 7df448a0..923e130d 100644
--- a/src/authentic2/manager/role_views.py
+++ b/src/authentic2/manager/role_views.py
@@ -27,6 +27,7 @@ from django.db.models import Count
 from django.core.urlresolvers import reverse
 from django.contrib.auth import get_user_model
 
+from django_rbac.exceptions import InsufficientAuthLevel
 from django_rbac.utils import get_role_model, get_permission_model, get_ou_model
 
 from authentic2.utils import redirect
@@ -79,7 +80,7 @@ class RolesView(views.HideOUColumnMixin, RolesMixin, views.BaseTableView):
 
     def authorize(self, request, *args, **kwargs):
         super(RolesView, self).authorize(request, *args, **kwargs)
-        self.can_add = bool(request.user.ous_with_perm('a2_rbac.add_role'))
+        self.could_add = bool(request.user.ous_with_perm('a2_rbac.add_role'))
 
 
 listing = RolesView.as_view()
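Review bot: In `OrganizationalUnitDetailView.authorize` the default-OU guard now only clears `could_delete`, so the default organizational unit stays protected only if `can_delete` is derived from `could_delete` after this override runs; if the base `authorize` (in `views.BaseDetailView`, outside this patch) stores `can_delete` as a plain attribute before returning, the default OU becomes deletable again through this view. This needs confirming against the base class; if `can_delete` is a stored attribute, keep both assignments, `self.could_delete = self.could_delete and not self.object.default` followed by `self.can_delete = self.can_delete and not self.object.default`. The same question applies to `RolesView.authorize` in the last hunk, where the `ous_with_perm('a2_rbac.add_role')` result now feeds `could_add` only and `can_add` is no longer touched here. Both `authorize` bodies are complete within their hunks.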
@@ -176,6 +177,8 @@ class RoleMembersView(views.HideOUColumnMixin, RoleViewMixin, views.BaseSubTable
                 hooks.call_hooks('event', name='manager-remove-role-member', user=self.request.user, role=self.object, member=user)
             else:
+                if self.could_change:
+                    raise InsufficientAuthLevel
                 messages.warning(self.request, _('You are not authorized'))
         return super(RoleMembersView, self).form_valid(form)
@@ -205,6 +208,8 @@ class RoleDeleteView(RoleViewMixin, views.BaseDeleteView):
 
     def post(self, request, *args, **kwargs):
         if not self.can_delete:
+            if self.could_delete:
+                raise InsufficientAuthLevel
             raise PermissionDenied
         return super(RoleDeleteView, self).post(request, *args, **kwargs)
 
@@ -259,6 +264,8 @@ class RolePermissionsView(RoleViewMixin, views.BaseSubTableView):
                 hooks.call_hooks('event', name='manager-remove-permission', user=self.request.user, role=self.object, permission=perm)
             else:
+                if self.could_change:
+                    raise InsufficientAuthLevel
                 messages.warning(self.request, _('You are not authorized'))
         return super(RolePermissionsView, self).form_valid(form)
-- 
2.20.1
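Review bot: In the `RoleMembersView.form_valid` and `RolePermissionsView.form_valid` hunks, a user who could never change the role still only gets `messages.warning(self.request, _('You are not authorized'))` and then falls through to `super(...).form_valid(form)`, whereas `RoleDeleteView.post` in the same patch rejects that case with `raise PermissionDenied`; a mutating POST that failed authorization should be refused the same way rather than completing as a valid submission. I would replace the warning branch with `raise PermissionDenied` in both views, or at least return before `super().form_valid` if the warning-plus-redirect behaviour is intentional, since I cannot see from this hunk what the parent `form_valid` does beyond redirecting. The `could_x` / `PermissionDenied` pairing now appears three times, so a small helper on `RoleViewMixin` (for example `self.check_could_change()` raising `InsufficientAuthLevel` or `PermissionDenied`) would keep the three paths from drifting. Both `form_valid` bodies begin outside their hunks, so the `if` whose `else:` branch these lines extend is not visible here.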