From b7aa9cb169e279a91b875fc0ae6095c6def8e5a2 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Fri, 10 Jul 2020 11:59:22 +0200
Subject: [PATCH 2/2] manager: raise PermissionDenied if user has no add user permission (#45009)
---
 src/authentic2/manager/templates/403.html | 2 +-
 src/authentic2/manager/user_views.py | 16 ++++++++++------
 tests/test_user_manager.py | 10 ++++++++++
 3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/src/authentic2/manager/templates/403.html b/src/authentic2/manager/templates/403.html
index e2f501cd..c2bf3400 100644
--- a/src/authentic2/manager/templates/403.html
+++ b/src/authentic2/manager/templates/403.html
@@ -2,7 +2,7 @@
 {% load i18n %} {% block content %} -

{% trans "You are not authorized to see this page." %}

+

{% trans "You are not authorized to see this page." %}

diff --git a/src/authentic2/manager/user_views.py b/src/authentic2/manager/user_views.py
index dcbb934d..56adad77 100644
--- a/src/authentic2/manager/user_views.py
+++ b/src/authentic2/manager/user_views.py
@@ -55,6 +55,7 @@ from .utils import get_ou_count, has_show_username
 from . import app_settings
 User = get_user_model()
+OU = get_ou_model()
 class UsersView(HideOUColumnMixin, BaseTableView):
@@ -145,16 +146,19 @@ class UserAddView(BaseAddView):
     permissions = ['custom_user.add_user']
     template_name = 'authentic2/manager/user_add.html'
+    def dispatch(self, request, *args, **kwargs):
+        qs = request.user.ous_with_perm('custom_user.add_user')
+        try:
+            self.ou = qs.get(pk=self.kwargs['ou_pk'])
+        except OU.DoesNotExist:
+            raise PermissionDenied
+        return super().dispatch(request, *args, **kwargs)
+
     def get_form_kwargs(self):
         kwargs = super(UserAddView, self).get_form_kwargs()
         kwargs['ou'] = self.ou
         return kwargs
-    def get_form_class(self):
-        qs = self.request.user.ous_with_perm('custom_user.add_user')
-        self.ou = qs.get(pk=self.kwargs['ou_pk'])
-        return super(UserAddView, self).get_form_class()
-
     def get_fields(self):
         fields = list(self.fields)
         if not self.ou.show_username:
@@ -200,7 +204,7 @@ class UserAddView(BaseAddView):
         return initial
     def get_user_add_policies(self, *args, **kwargs):
-        ou = get_ou_model().objects.get(pk=self.kwargs['ou_pk'])
+        ou = OU.objects.get(pk=self.kwargs['ou_pk'])
         value = ou.user_add_password_policy
         return ou.USER_ADD_PASSWD_POLICY_VALUES[value]._asdict()
diff --git a/tests/test_user_manager.py b/tests/test_user_manager.py
index cf9d5e20..caf872e5 100644
--- a/tests/test_user_manager.py
+++ b/tests/test_user_manager.py
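Review bot: `dispatch` performs the `ous_with_perm` lookup before calling `super().dispatch(...)`, so any authentication or `permissions` enforcement done by the parent class now runs after it; if an unauthenticated request can reach this view, the standard `AnonymousUser` does not define `ous_with_perm` (unless the project extends it) and the request would end in an AttributeError rather than the redirect or 403 the parent would have produced. Whether that path is reachable depends on BaseAddView and the middleware, both outside the hunk; if they guarantee an authenticated user, a comment such as `# request.user is authenticated here: login is enforced before dispatch is reached` would document the assumption, otherwise the OU lookup should run after the parent's checks. The third hunk's `get_user_add_policies` still reloads the OU with `OU.objects.get(pk=self.kwargs['ou_pk'])`, which bypasses the permission-filtered queryset used in `dispatch`; `ou = self.ou` would reuse the already-checked instance and save a query, assuming the method is only invoked after dispatch has run. Mapping both an unknown `ou_pk` and a missing permission to the same 403 is a sound choice, since the response does not reveal which OUs exist. UserAddView continues outside the hunk.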
@@ -68,6 +68,16 @@ def test_create_user(app, superuser):
     assert user.check_password('1234Password')
+def test_create_user_permission_denied(app, simple_user, ou1, ou2):
+    ou1.get_admin_role().members.add(simple_user)
+    response = login(app, simple_user, '/manage/users/%s/add/' % ou1.id)
+
+    assert 'You are not authorized to see this page.' not in response.text
+
+    response = app.get('/manage/users/%s/add/' % ou2.id, status=403)
+    assert 'You are not authorized to see this page.' in response.text
+
+
 def test_create_user_only_name(app, superuser):
     response = login(app, superuser, '/manage/users/')
     response = response.click('Add user')
--
2.26.2
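Review bot: The new test covers a user with rights on ou1 requesting the add page for ou2, but not the other way into the same `except OU.DoesNotExist` clause, a non-existent `ou_pk`, and the allowed request is only checked indirectly through the absence of the 403 text. A request like `app.get('/manage/users/%s/add/' % 999999, status=403)` (the id is a constructed value standing for any OU that does not exist) would pin the unknown-OU branch to the same 403, and an explicit `assert response.status_code == 200` after `login(...)` would make the positive case unambiguous, if `login` returns the followed webtest response as the use of `response.text` suggests. The hunk opens inside `test_create_user` and ends inside `test_create_user_only_name`, both of which continue outside it.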