From 4374a3838a43e2d297d401be5783b111982a796f Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Fri, 16 Aug 2019 19:42:09 +0200
Subject: [PATCH 5/5] a2_rbac: add ROLE_ADMIN_RESTRICT_TO_OU_USERS setting (fixes #35391)

It limits visibility of role's administrators to users of the same OU as the role administered.
---
 src/authentic2/a2_rbac/app_settings.py | 1 +
 src/authentic2/a2_rbac/models.py | 10 +++++++--
 tests/test_a2_rbac.py | 30 ++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/authentic2/a2_rbac/app_settings.py b/src/authentic2/a2_rbac/app_settings.py
index daa2d04e..35f0ccfc 100644
--- a/src/authentic2/a2_rbac/app_settings.py
+++ b/src/authentic2/a2_rbac/app_settings.py
@@ -20,6 +20,7 @@ import sys
 class AppSettings(object):
 __DEFAULTS = dict(
 MANAGED_CONTENT_TYPES=None,
+ ROLE_ADMIN_RESTRICT_TO_OU_USERS=False,
 )
 def __init__(self, prefix):
diff --git a/src/authentic2/a2_rbac/models.py b/src/authentic2/a2_rbac/models.py
index c3628444..0a77ae06 100644
--- a/src/authentic2/a2_rbac/models.py
+++ b/src/authentic2/a2_rbac/models.py
@@ -39,7 +39,7 @@ except ImportError:
 from authentic2.decorators import GlobalCache
-from . import managers, fields
+from . import managers, fields, app_settings
 @six.python_2_unicode_compatible
@@ -205,13 +205,19 @@ class Role(RoleAbstractBase):
 def get_admin_role(self, create=True):
 from . import utils
+
+ if app_settings.ROLE_ADMIN_RESTRICT_TO_OU_USERS:
+ view_user_perm = utils.get_view_user_perm(ou=self.ou)
+ else:
+ view_user_perm = utils.get_view_user_perm()
+
 admin_role = self.__class__.objects.get_admin_role(
 self,
 ou=self.ou,
 name=_('Managers of role "{role}"').format(
 role=six.text_type(self)),
 slug='_a2-managers-of-role-{role}'.format(
 role=slugify(six.text_type(self))),
- permissions=(utils.get_view_user_perm(),),
+ permissions=(view_user_perm,),
 self_administered=True,
 update_name=True,
 update_slug=True,
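Review bot: The new `ROLE_ADMIN_RESTRICT_TO_OU_USERS=False` default in `__DEFAULTS` carries no explanation of what it gates, and the permissive default is the security-relevant choice: with it off, a role's admin role presumably keeps the global view-user permission across all OUs. A one-line comment above the entry would make that explicit, e.g. `# when True, a role's admin role may only view users of the role's own OU (see Role.get_admin_role)`. The `A2_RBAC_` prefix under which operators set it is visible only from the test (`settings.A2_RBAC_ROLE_ADMIN_RESTRICT_TO_OU_USERS`), so naming it in the comment would help people find the setting. The `AppSettings` class continues outside the hunk.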
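Review bot: In the restricted branch of `get_admin_role`, `utils.get_view_user_perm(ou=self.ou)` is called even when `self.ou` is `None`; what that returns for a role without an OU is not visible here, so that case should be handled deliberately — either guard it with `if app_settings.ROLE_ADMIN_RESTRICT_TO_OU_USERS and self.ou is not None:` or document that `ou=None` is intended to fall back to the global permission. Because the permission is only recomputed when `get_admin_role()` runs, admin roles created before the setting is switched on will presumably keep the previous permission until then (the test itself relies on reloading the page to trigger it); the commit message or a refresh step for existing admin roles should state how operators close that gap. The `create` parameter is unused in the lines shown, and `get_admin_role` continues past the end of the hunk.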
diff --git a/tests/test_a2_rbac.py b/tests/test_a2_rbac.py
index 1a40e8dc..1199b842 100644
--- a/tests/test_a2_rbac.py
+++ b/tests/test_a2_rbac.py
@@ -33,6 +33,9 @@ from authentic2.a2_rbac.models import (
 from authentic2.utils import get_hex_uuid
+from utils import login
+
+
+
 def test_update_rbac(db):
 # 3 content types managers and 1 global manager
 assert Role.objects.count() == 4
@@ -394,3 +397,30 @@ def test_role_rename(db):
 assert ar1.name == 'Managers of role "r1ter"'
 assert ar1.slug == '_a2-managers-of-role-r1ter'
+
+
+def test_admin_role_user_view(settings, app, admin, simple_user, ou1, user_ou1, role_ou1):
+ role_ou1.get_admin_role().members.add(simple_user)
+
+ # Default: all users are visible
+ response = login(app, simple_user, '/manage/roles/')
+ response = response.click('role_ou1')
+ select2_url = response.pyquery('select#id_user')[0].attrib['data-ajax--url']
+ select2_field_id = response.pyquery('select#id_user')[0].attrib['data-field_id']
+
+ select2_response = app.get(select2_url, params={'field_id': select2_field_id, 'term': ''})
+ assert select2_response.json['more'] is False
+ assert (set(result['id'] for result in select2_response.json['results'])
+ == set([simple_user.id, user_ou1.id, admin.id]))
+
+ # with A2_RBAC_ROLE_ADMIN_RESTRICT_TO_OU_USERS after a reload of the admin
+ # page, we should only see user from the same OU as the role
+ settings.A2_RBAC_ROLE_ADMIN_RESTRICT_TO_OU_USERS = True
+ response = app.get('/manage/roles/')
+ response = response.click('role_ou1')
+ select2_url = response.pyquery('select#id_user')[0].attrib['data-ajax--url']
+ select2_field_id = response.pyquery('select#id_user')[0].attrib['data-field_id']
+ select2_response = app.get(select2_url, params={'field_id': select2_field_id, 'term': ''})
+ assert select2_response.json['more'] is False
+ assert (set(result['id'] for result in select2_response.json['results'])
+ == set([user_ou1.id]))
--
2.23.0.rc1
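Review bot: `test_admin_role_user_view` only inspects the select2 autocomplete results, so it verifies the widget's listing rather than the permission the setting is meant to restrict; an assertion that `simple_user`, once the setting is on, can no longer open a user from another OU (for instance `admin`) through the management views would pin the server-side enforcement and not just the dropdown contents. The restricted case is exercised only for `role_ou1`, which has an OU; a role with no OU under `A2_RBAC_ROLE_ADMIN_RESTRICT_TO_OU_USERS = True` is not covered, and that is the branch where `get_view_user_perm(ou=None)` behaviour matters. The duplicated block that reads `data-ajax--url`/`data-field_id` and queries them could be folded into a small local helper returning the id set, so the two assertions read side by side and the second one cannot silently drift from the first.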