From 23d36b27437daeaa9cff3fafd77d3f929b924fb6 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 15 Oct 2020 12:30:14 +0200
Subject: [PATCH 2/3] misc: fix admin role bad permissions using get_admin_role (#42179)
---
 .../management/commands/check-and-repair.py | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/authentic2/management/commands/check-and-repair.py b/src/authentic2/management/commands/check-and-repair.py
index b2c09605..8e2ab34c 100644
--- a/src/authentic2/management/commands/check-and-repair.py
+++ b/src/authentic2/management/commands/check-and-repair.py
@@ -331,20 +331,23 @@ class Command(BaseCommand):
 count = admin_permissions.count()
 if not count:
 self.warning('invalid admin role "%s" no admin permission', admin_role)
- elif count > 1:
- self.warning('invalid admin role "%s" too many admin permissions', admin_role)
+ elif count != 2:
+ self.warning('invalid admin role "%s" too few or too many admin permissions', admin_role)
 for admin_permission in admin_permissions:
 self.notice(' - %s', admin_permission)
 for admin_permission in admin_permissions:
 if MANAGE_MEMBERS_OP and admin_permission.operation != manage_members_op:
 self.warning('invalid admin role "%s" invalid permission "%s": not manage_members operation',
 admin_role, admin_permission)
- if admin_permission != admin_role.admin_scope:
- self.warning('invalid admin role "%s" invalid permission "%s": not admin_scope',
- admin_role, admin_permission)
- if admin_permission.ou != admin_permission.target.ou:
- self.warning('invalid admin role "%s" invalid permission "%s": wrong ou',
+ if not (
+ (admin_permission.target != admin_role and admin_permission == admin_role.admin_scope)
+ or (admin_permission.target == admin_role)):
+ self.warning('invalid admin role "%s" invalid permission "%s": not admin_scope and not self manage permission',
 admin_role, admin_permission)
+ if admin_permission.ou is not None:
+ self.warning('invalid admin role "%s" invalid permission "%s": wrong ou "%s"',
+ admin_role, admin_permission, admin_permission.ou)
+ admin_permission.target.get_admin_role()
 if admin_permission.target.ou != admin_role.ou:
 self.warning('invalid admin role "%s" wrong ou, should be "%s" is "%s"',
 admin_role, admin_permission.target.ou, admin_role.ou)
-- 
2.28.0
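Review bot: The added `admin_permission.target.get_admin_role()` call appears to run for every permission in the loop, whether or not one of the warnings above fired, and its result is discarded, so whatever it repairs (the commit subject says it fixes bad permissions) leaves no trace in the command output. Indentation is lost on this page and the method starts and ends outside the hunk, so a gate may exist that I cannot see; if the command has a check-only mode, this line should sit behind the same condition as its other repairs. I would log the change before making it, e.g. `self.notice('repairing admin role of "%s" with get_admin_role()', admin_permission.target)`, and call it only when a permission was found invalid, so that changes to role permissions stay auditable. Separately, `count != 2` combined with the per-permission test accepts two permissions that both target the admin role itself, so a role missing its `admin_scope` permission would pass without a warning.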