From d955528eafce11d3a3ef5532dfef12da7a8c39aa Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Wed, 7 Apr 2021 17:22:23 +0200
Subject: [PATCH] manager: add permissions based access to global journal (#52765)
---
 src/authentic2/manager/journal_views.py | 9 +++------
 .../templates/authentic2/manager/homepage.html | 6 +++++-
 src/authentic2/manager/views.py | 3 +++
 tests/test_manager_journal.py | 12 ++++++++----
 4 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/src/authentic2/manager/journal_views.py b/src/authentic2/manager/journal_views.py
index bada503f..70e8fce2 100644
--- a/src/authentic2/manager/journal_views.py
+++ b/src/authentic2/manager/journal_views.py
@@ -129,13 +129,10 @@ class BaseJournalView(views.TitleMixin, views.MediaMixin, views.MultipleOUMixin,
 return ctx
-class GlobalJournalView(BaseJournalView):
+class GlobalJournalView(views.PermissionMixin, BaseJournalView):
 template_name = 'authentic2/manager/journal.html'
-
- def dispatch(self, request, *args, **kwargs):
- if not request.user.is_superuser:
- raise PermissionDenied
- return super().dispatch(request, *args, **kwargs)
+ permissions_global = True
+ permissions = ['custom_user.view_user', 'a2_rbac.view_role']
 journal = GlobalJournalView.as_view()
diff --git a/src/authentic2/manager/templates/authentic2/manager/homepage.html b/src/authentic2/manager/templates/authentic2/manager/homepage.html
index a9448fc5..3f9ea2b1 100644
--- a/src/authentic2/manager/templates/authentic2/manager/homepage.html
+++ b/src/authentic2/manager/templates/authentic2/manager/homepage.html
@@ -6,13 +6,17 @@ {% block appbar %}
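Review bot: The permission pair on `GlobalJournalView` (`permissions = ['custom_user.view_user', 'a2_rbac.view_role']`) is written out a second time in the `HomepageView.get_context_data` hunk of `views.py`, so the check that shows the Journal link and the check that guards the view can drift apart. Define the list once and use it in both places, e.g. `permissions = JOURNAL_PERMISSIONS` here and `has_perms(JOURNAL_PERMISSIONS)` there (the constant name is only a suggestion). The view also sets `permissions_global = True`, whereas the homepage calls plain `has_perms(...)`; how `PermissionMixin` evaluates these attributes is outside the hunk, so it is worth confirming that both reject a user who holds the permissions on a single organizational unit only. Since this widens access to the global journal from superusers to a permission-based audience, a comment such as `# global journal spans every OU: require global view rights on users and roles` above the two attributes would record the intent.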

{% blocktrans %}Here you can manage objects related to organizational units, users, roles and applications.{% endblocktrans %}

- {% if user.is_superuser %}
+ {% if user.is_superuser or can_view_journal %}
 {% endif %}
diff --git a/src/authentic2/manager/views.py b/src/authentic2/manager/views.py
index e1cb61ed..56466bc4 100644
--- a/src/authentic2/manager/views.py
+++ b/src/authentic2/manager/views.py
@@ -658,6 +658,9 @@ class HomepageView(TitleMixin, PermissionMixin, MediaMixin, TemplateView):
 def get_context_data(self, **kwargs):
 kwargs['entries'] = self.get_homepage_entries()
+ kwargs['can_view_journal'] = self.request.user.has_perms(
+ ['custom_user.view_user', 'a2_rbac.view_role']
+ )
 return super(HomepageView, self).get_context_data(**kwargs)
diff --git a/tests/test_manager_journal.py b/tests/test_manager_journal.py
index c19ef4c0..38dd053c 100644
--- a/tests/test_manager_journal.py
+++ b/tests/test_manager_journal.py
@@ -28,14 +28,18 @@ from authentic2.custom_user.models import User
 from authentic2.journal import journal
 from authentic2.models import Service
-from .utils import login, text_content
+from .utils import login, logout, text_content
-def test_journal_authorization(app, db, admin):
- response = login(app, admin, path='/manage/')
- assert 'Journal' not in response
+def test_journal_authorization(app, db, simple_user, admin):
+ response = login(app, simple_user)
 app.get('/manage/journal/', status=403)
+ logout(app)
+ response = login(app, admin, path='/manage/')
+ assert 'Journal' in response
+ app.get('/manage/journal/', status=200)
+
 @pytest.fixture(autouse=True)
 def events(db, freezer):
-- 
2.20.1
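Review bot: The rewritten `test_journal_authorization` only exercises the two extremes, `simple_user` (403) and the superuser `admin` (200), so the path this commit introduces, a non-superuser holding `custom_user.view_user` and `a2_rbac.view_role`, is never tested. Add a case for a user granted both permissions globally that expects `status=200` and `'Journal' in response` on `/manage/`. Add negative cases expecting `status=403` for a user holding only one of the two permissions, and for one holding both on a single organizational unit only. Without these, a regression that reopens the journal to partially privileged managers, or one that locks out the intended audience, would pass the suite. The first `response = login(app, simple_user)` result is never read, so the assignment can be dropped.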