From bc4a5c383cbd0f9cedbd3dd8ff76c5e64acd6a7b Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Tue, 22 Oct 2019 17:31:37 +0200
Subject: [PATCH 2/4] a2_rbac: add manage members permission for role admins (#20513)

---
 src/authentic2/a2_rbac/models.py | 4 +++-
 src/authentic2/a2_rbac/signal_handlers.py | 4 +++-
 src/authentic2/settings.py | 5 +++--
 tests/test_a2_rbac.py | 2 +-
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/authentic2/a2_rbac/models.py b/src/authentic2/a2_rbac/models.py
index ea570172..f4125d09 100644
--- a/src/authentic2/a2_rbac/models.py
+++ b/src/authentic2/a2_rbac/models.py
@@ -243,7 +243,8 @@ class Role(RoleAbstractBase):
 self_administered=True,
 update_name=True,
 update_slug=True,
- create=create)
+ create=create,
+ operation=MANAGE_MEMBERS_OP)
 return admin_role
 
 def validate_unique(self, exclude=None):
@@ -415,3 +416,4 @@ CHANGE_PASSWORD_OP = Operation(name=_('Change password'), slug='change_password'
 RESET_PASSWORD_OP = Operation(name=_('Reset password'), slug='reset_password')
 ACTIVATE_OP = Operation(name=_('Activate'), slug='activate')
 CHANGE_EMAIL_OP = Operation(name=_('Change email'), slug='change_email')
+MANAGE_MEMBERS_OP = Operation(name=_('Manage role members'), slug='manage_members')
diff --git a/src/authentic2/a2_rbac/signal_handlers.py b/src/authentic2/a2_rbac/signal_handlers.py
index 87667d89..0c401296 100644
--- a/src/authentic2/a2_rbac/signal_handlers.py
+++ b/src/authentic2/a2_rbac/signal_handlers.py
@@ -86,7 +86,8 @@ def update_service_role_ou(sender, instance, created, raw, **kwargs):
 def create_default_permissions(app_config, verbosity=2, interactive=True, using=DEFAULT_DB_ALIAS,
 **kwargs):
- from .models import CHANGE_PASSWORD_OP, RESET_PASSWORD_OP, ACTIVATE_OP, CHANGE_EMAIL_OP
+ from .models import (CHANGE_PASSWORD_OP, RESET_PASSWORD_OP, ACTIVATE_OP, CHANGE_EMAIL_OP,
+ MANAGE_MEMBERS_OP)
 
 if not router.allow_migrate(using, get_ou_model()):
 return
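Review bot: The new `operation=MANAGE_MEMBERS_OP` argument only takes effect when the admin role is created by this call; admin roles that already exist in a deployment presumably keep the permission they were created with, and the diffstat lists no data migration (4 files, none under migrations) that would narrow them. If the intent is for every role admin to hold manage_members instead of the broader permission used before, a data migration updating the operation of existing admin-role permissions is needed; otherwise older and newer admin roles carry different privileges on their target roles. The enclosing method, which returns admin_role, starts outside the hunk, so whether its callers can also pass an explicit operation is not visible here.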
@@ -96,3 +97,4 @@ def create_default_permissions(app_config, verbosity=2, interactive=True, using=
 get_operation(RESET_PASSWORD_OP)
 get_operation(ACTIVATE_OP)
 get_operation(CHANGE_EMAIL_OP)
+ get_operation(MANAGE_MEMBERS_OP)
diff --git a/src/authentic2/settings.py b/src/authentic2/settings.py
index 17900401..e061da39 100644
--- a/src/authentic2/settings.py
+++ b/src/authentic2/settings.py
@@ -328,10 +328,11 @@ DJANGO_RBAC_PERMISSIONS_HIERARCHY = {
 'reset_password': ['view', 'search'],
 'activate': ['view', 'search'],
 'admin': ['change', 'delete', 'add', 'view', 'change_password', 'reset_password', 'activate',
- 'search', 'change_email'],
- 'change': ['view', 'search'],
+ 'search', 'change_email', 'manage_members'],
+ 'change': ['view', 'search', 'manage_members'],
 'delete': ['view', 'search'],
 'add': ['view', 'search'],
+ 'manage_members': ['view', 'search'],
 }
 
 SILENCED_SYSTEM_CHECKS = ["auth.W004"]
diff --git a/tests/test_a2_rbac.py b/tests/test_a2_rbac.py
index 23062b61..d6a2a46e 100644
--- a/tests/test_a2_rbac.py
+++ b/tests/test_a2_rbac.py
@@ -62,7 +62,7 @@ def test_delete_role(db):
 # There should be two more permissions the admin permission on the role
 # and the admin permission on the admin role
 admin_perm = Permission.objects.by_target(new_role) \
- .get(operation__slug='admin')
+ .get(operation__slug='manage_members')
 admin_role = Role.objects.get(
 admin_scope_ct=ContentType.objects.get_for_model(admin_perm),
 admin_scope_id=admin_perm.pk)
-- 
2.20.1
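Review bot: The line `'change': ['view', 'search', 'manage_members'],` widens what every existing holder of `change` on a role can do, since the hierarchy now makes change imply member management, while the subject line only mentions role admins. If that widening is intended it deserves a comment on the line so the next reader does not take it for an accident, e.g. `# change on a role implies managing its members`; if it is not intended, `'change': ['view', 'search'],` should stay as it was and `manage_members` be granted only through `admin` and the role's own admin role. The `'manage_members': ['view', 'search'],` entry itself is consistent with the sibling operations.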
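Review bot: The two comment lines above the changed `.get(...)` still describe the fetched permission as "the admin permission on the role", but the lookup now selects the permission whose operation slug is `manage_members`, so the comment no longer matches what the assertions check. Suggest `# There should be two more permissions: the manage_members permission on the role` followed by `# and the admin permission on the admin role`. test_delete_role starts and ends outside the hunk, so whether any other assertion in it still refers to an `admin` permission on new_role is not visible here.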