From e535f43dea8be30c865f3d88cf9366afe89037c4 Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Tue, 28 May 2019 10:05:03 +0200
Subject: [PATCH 4/8] manager: check authentication level in PermissionMixin (#33515)

Authentication level checks should be added where PermissionDenied exceptions are raised, since they throw a similar access control exception. In most cases we are not going to check them, for example when we display buttons.

This commit could be enough, but sadly it isn't. We will have to account for responses opening in popups, and for some views that rely on can_{action} for permission control.
---
 src/authentic2/manager/views.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/authentic2/manager/views.py b/src/authentic2/manager/views.py
index cd2873c5..2ac55639 100644
--- a/src/authentic2/manager/views.py
+++ b/src/authentic2/manager/views.py
@@ -42,7 +42,7 @@ from django_rbac.utils import get_ou_model
 from authentic2.data_transfer import export_site, import_site, DataImportError, ImportContext
 from authentic2.forms.profile import modelform_factory
-from authentic2.utils import redirect, batch_queryset
+from authentic2.utils import redirect, batch_queryset, login_require
 from authentic2.decorators import json as json_view
 from authentic2 import hooks
@@ -103,6 +103,7 @@ class PermissionMixin(object):
     permissions = None
     def authorize(self, request, *args, **kwargs):
+        auth_level = request.session.get('auth_level', 1)
         if hasattr(self, 'model'):
             app_label = self.model._meta.app_label
             model_name = self.model._meta.model_name
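Review bot: `auth_level` is read once at the top of authorize() with a default of 1, but only the permission checks in the later hunk receive it; the rest of authorize()'s body (the model branch that follows `model_name = ...`) is outside this hunk, and if it contains a further `has_perm_any(view_perm)` check that one still runs without `auth_level=auth_level` and so never takes part in the step-up flow. Worth confirming against the full function, and passing the same keyword there if it does. A one-line comment on the new line, `# session auth level; 1 = plain password login (default when absent)`, would also make the fallback value's meaning explicit, since nothing in the hunk says why 1 is the floor.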
@@ -124,18 +125,22 @@ class PermissionMixin(object):
                         self.object)
                 if self.permissions \
                         and not request.user.has_perms(
-                            self.permissions, self.object):
+                            self.permissions, self.object, auth_level=auth_level):
                     raise PermissionDenied
             elif self.permissions \
-                    and not request.user.has_perm_any(self.permissions):
+                    and not request.user.has_perm_any(self.permissions, auth_level=auth_level):
                 raise PermissionDenied
         else:
             if self.permissions \
-                    and not request.user.has_perm_any(self.permissions):
+                    and not request.user.has_perm_any(self.permissions, auth_level=auth_level):
                 raise PermissionDenied
     def dispatch(self, request, *args, **kwargs):
-        response = self.authorize(request, *args, **kwargs)
+        try:
+            response = self.authorize(request, *args, **kwargs)
+        except InsufficientAuthLevel:
+            current_auth_level = request.session.get('auth_level', 1)
+            return login_require(request, params={'auth_level': current_auth_level + 1})
         if response is not None:
             return response
         return super(PermissionMixin, self).dispatch(request, *args, **kwargs)
-- 
2.20.1
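Review bot: `except InsufficientAuthLevel:` in dispatch() references a name this patch never imports — the import hunk at @@ -42 adds only `login_require` — so unless `InsufficientAuthLevel` is already in scope earlier in views.py, the first time authorize() raises it the except clause itself fails with NameError and the user gets a 500 instead of the re-authentication redirect. The redirect also asks for `current_auth_level + 1` rather than the level the denied permission actually requires; if the gap is more than one level that means one redirect per step, so if the exception carries the required level it would be better to use that, e.g. `except InsufficientAuthLevel as e:` and `params={'auth_level': e.required_level}` (attribute name to be confirmed against the exception's definition). Reading `request.session.get('auth_level', 1)` a second time here duplicates the line added to authorize(); a small helper or passing the value through the exception would keep the default in one place. Finally, a short comment such as `# step-up: the checks passed at a lower level only; send the user back through login at the next level` would explain why an authorization failure turns into a login redirect rather than a 403.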