From 2b7d3f6b675e1ba6601b7669e0653a2bcffdbc9d Mon Sep 17 00:00:00 2001 From: Valentin Deniaud Date: Thu, 2 Dec 2021 11:26:49 +0100 Subject: [PATCH] a2_rbac: disable required attributes check at OU level (#58546) --- ...unit_check_required_on_login_attributes.py | 20 ++++++++++++++++++ src/authentic2/a2_rbac/models.py | 4 ++++ src/authentic2/manager/forms.py | 1 + src/authentic2/middleware.py | 3 +++ .../test_required_on_login_restriction.py | 21 +++++++++++++++++++ 5 files changed, 49 insertions(+) create mode 100644 src/authentic2/a2_rbac/migrations/0026_organizationalunit_check_required_on_login_attributes.py diff --git a/src/authentic2/a2_rbac/migrations/0026_organizationalunit_check_required_on_login_attributes.py b/src/authentic2/a2_rbac/migrations/0026_organizationalunit_check_required_on_login_attributes.py new file mode 100644 index 00000000..63b6064b --- /dev/null +++ b/src/authentic2/a2_rbac/migrations/0026_organizationalunit_check_required_on_login_attributes.py @@ -0,0 +1,20 @@ +# Generated by Django 2.2.19 on 2021-12-02 10:11 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('a2_rbac', '0025_auto_20210622_1132'), + ] + + operations = [ + migrations.AddField( + model_name='organizationalunit', + name='check_required_on_login_attributes', + field=models.BooleanField( + blank=True, default=True, verbose_name='Check required on login attributes' + ), + ), + ] diff --git a/src/authentic2/a2_rbac/models.py b/src/authentic2/a2_rbac/models.py index b1a252aa..ac6d8cb7 100644 --- a/src/authentic2/a2_rbac/models.py +++ b/src/authentic2/a2_rbac/models.py 
@@ -73,6 +73,10 @@ class OrganizationalUnit(OrganizationalUnitAbstractBase): show_username = models.BooleanField(blank=True, default=True, verbose_name=_('Show username')) + check_required_on_login_attributes = models.BooleanField( + blank=True, default=True, verbose_name=_('Check required on login attributes') + ) + admin_perms = GenericRelation('Permission', content_type_field='target_ct', object_id_field='target_id') user_can_reset_password = models.NullBooleanField( diff --git a/src/authentic2/manager/forms.py b/src/authentic2/manager/forms.py index 781df100..9075b4ef 100644 --- a/src/authentic2/manager/forms.py +++ b/src/authentic2/manager/forms.py @@ -629,6 +629,7 @@ class OUEditForm(SlugMixin, CssClass, forms.ModelForm): 'email_is_unique', 'validate_emails', 'show_username', + 'check_required_on_login_attributes', 'user_can_reset_password', 'user_add_password_policy', 'clean_unused_accounts_alert', diff --git a/src/authentic2/middleware.py b/src/authentic2/middleware.py index 3235e43a..fd1b4a8e 100644 --- a/src/authentic2/middleware.py +++ b/src/authentic2/middleware.py @@ -152,6 +152,9 @@ class ViewRestrictionMiddleware(MiddlewareMixin): if user.is_superuser: return None + if user.ou and not user.ou.check_required_on_login_attributes: + return None + missing = user.get_missing_required_on_login_attributes() if missing: return 'profile_required_edit' diff --git a/tests/middlewares/test_required_on_login_restriction.py b/tests/middlewares/test_required_on_login_restriction.py index 217c41ea..13310a56 100644 --- a/tests/middlewares/test_required_on_login_restriction.py +++ b/tests/middlewares/test_required_on_login_restriction.py 
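Review bot: The `check_required_on_login_attributes` field added to OrganizationalUnit has no `help_text`, so the OU edit form shows only the label and gives no hint that unchecking it removes the required-attribute redirect for every user of the unit. Adding `help_text=_('If unchecked, users of this organizational unit can log in without filling the attributes marked as required on login.')` to the field, and regenerating migration 0026 to match, would document the effect at the place where the setting is changed. The class body continues outside the hunk.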
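Review bot: Listing `'check_required_on_login_attributes'` in OUEditForm lets anyone who can edit an OU switch off required-on-login enforcement for all of its users, which is a stronger effect than neighbouring display options such as `'show_username'`. If OU editing can be delegated to per-OU administrators (not visible in this hunk), consider offering the field only to administrators with global rights, for example by dropping it from the form when the requesting user lacks them. It would also help to record changes to this flag in whatever audit trail the manager keeps, so that a disabled check can be traced to the person who disabled it. The field list starts and ends outside the hunk.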
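Review bot: The early return added to ViewRestrictionMiddleware skips `get_missing_required_on_login_attributes()` for every non-superuser whose OU has the flag cleared, and nothing at the branch says this is a deliberate policy bypass. A comment such as `# OU opted out of required-on-login enforcement; users without an OU are still checked` would record the intent. It would also make explicit that the `user.ou and` guard fails closed, so a later refactor does not turn a missing OU into a bypass. The enclosing method starts and ends outside the hunk.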
@@ -34,3 +34,24 @@ def test_simple(app_factory, db, simple_user, cgu_attribute, settings): resp = resp.follow() assert 'A2_OPENED_SESSION' in app.cookies assert 'les conditions générales d\'utilisation\xa0:\nTrue' in resp.pyquery.text() + + +def test_superuser(app_factory, db, cgu_attribute, settings, superuser): + app = app_factory('example.com') + settings.A2_OPENED_SESSION_COOKIE_DOMAIN = 'example.com' + settings.ALLOWED_HOSTS = ['example.com'] + + resp = login(app, superuser, path='/accounts/') + assert 'Your account' in resp.text + + +def test_check_disabled_at_ou_level(app_factory, db, cgu_attribute, settings, simple_user): + app = app_factory('example.com') + settings.A2_OPENED_SESSION_COOKIE_DOMAIN = 'example.com' + settings.ALLOWED_HOSTS = ['example.com'] + + simple_user.ou.check_required_on_login_attributes = False + simple_user.ou.save() + + resp = login(app, simple_user, path='/accounts/') + assert 'Your account' in resp.text -- 2.30.2
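Review bot: test_check_disabled_at_ou_level never establishes that simple_user has a missing required-on-login attribute, so it would pass regardless of the flag if the fixtures stopped producing one. Asserting the precondition before logging in, `assert simple_user.get_missing_required_on_login_attributes()`, ties the result to the new OU setting (this assumes simple_user is the same user model the middleware calls this method on). A companion case that sets `simple_user.ou = None` and expects the profile-completion redirect would pin the fail-closed behaviour of the `user.ou and` guard for users without an OU.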