From 7cac10994319ee1ebb61324262fd4897f9638118 Mon Sep 17 00:00:00 2001 From: Valentin Deniaud Date: Tue, 21 May 2019 11:58:58 +0200 Subject: [PATCH 4/5] utils: helper method to check if a user has a role MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We make a distinction between roles which are obtained at the SSO, stored in session, and roles which the user could have, statically stored in database. todo: ce commit dépend totalement du provisionning tel qu'implémenté par hobo, il faut améliorer ça --- mellon/exceptions.py | 4 ++++ mellon/utils.py | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 mellon/exceptions.py diff --git a/mellon/exceptions.py b/mellon/exceptions.py new file mode 100644 index 0000000..0d4fec2 --- /dev/null +++ b/mellon/exceptions.py @@ -0,0 +1,4 @@ +class RolesNotInSession(Exception): + + def __init__(self, roles): + self.roles = roles diff --git a/mellon/utils.py b/mellon/utils.py index ee8b8a5..1773d13 100644 --- a/mellon/utils.py +++ b/mellon/utils.py @@ -6,6 +6,7 @@ import isodate from xml.parsers import expat from django.contrib import auth +from django.contrib.auth.models import Group from django.core.urlresolvers import reverse from django.template.loader import render_to_string from django.utils.timezone import make_aware, now, make_naive, is_aware, get_default_timezone @@ -14,6 +15,7 @@ from django.utils.six.moves.urllib.parse import urlparse import lasso from . import app_settings +from .exceptions import RolesNotInSession def create_metadata(request): 
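Review bot: RolesNotInSession.__init__ in the new mellon/exceptions.py stores `roles` but never calls the base initializer, so `exc.args` is empty and `str(exc)` is `''` — a traceback or log line for this exception shows nothing about which roles were missing. The files still target Python 2 as well (utils.py imports `django.utils.six`), so the explicit form is needed: `super(RolesNotInSession, self).__init__(roles)` before `self.roles = roles`. A one-line class docstring would also help, since utils.py raises it with both `('staff',)` and `(role.uuid,)`; something like "Raised when a role the user holds in the database was not granted by the SSO session; `roles` is the tuple of role identifiers that were expected." The two import hunks of mellon/utils.py on this same line raise nothing.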
@@ -289,3 +291,20 @@ def has_superuser_flag(idp, saml_attributes): if attribute_values & values: return True return False + + +def user_has_role(request, role_id): + if request.user.is_staff and request.session.get('is_staff'): + return True + try: + group = request.user.groups.get(id=role_id) + except Group.DoesNotExist: + if request.user.is_staff: + raise RolesNotInSession(('staff',)) + return False + role = getattr(group, 'role') + if not role: + return True + if role.uuid in request.session['mellon_session']['role-slug']: + return True + raise RolesNotInSession((role.uuid,)) -- 2.20.1
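Review bot: user_has_role reads `request.session['mellon_session']['role-slug']` with direct subscripts, so a session that was not established through mellon (no `mellon_session` key) fails with KeyError instead of the RolesNotInSession the function otherwise signals; read it as `slugs = request.session.get('mellon_session', {}).get('role-slug', ())` and test `if role.uuid in slugs:`. If `role-slug` is ever stored as a single string rather than a list, `in` becomes a substring test, which is worth confirming against whatever writes that session entry. The `if not role: return True` branch grants the role to any member of a database group that has no role attached, without consulting the session; if that is the intended "statically stored in database" case from the commit message, a comment such as `# no SSO role attached to this group: database membership alone is sufficient` should say so, because read cold it looks like a fail-open. `getattr(group, 'role')` with no default is just `group.role`, and since the commit message states this attribute comes from hobo's provisioning, a docstring should record that dependency along with the staff shortcut on the first line and the conditions under which RolesNotInSession is raised.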