From 75dd42ade773991828c4c284c7839ea8e4bcddba Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Mon, 9 May 2022 15:58:16 +0200
Subject: [PATCH 7/9] rbac: add helper methods to add/remove permissions from roles (#62013)
---
 src/authentic2/a2_rbac/models.py | 40 ++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/src/authentic2/a2_rbac/models.py b/src/authentic2/a2_rbac/models.py
index 88b32ccf..e31b61ce 100644
--- a/src/authentic2/a2_rbac/models.py
+++ b/src/authentic2/a2_rbac/models.py
@@ -342,6 +342,46 @@ class Role(RoleAbstractBase):
 def is_internal(self):
 return self.slug.startswith('_')
 
+ def add_permission(self, model_or_instance, operation_tpl, ou=None):
+ if isinstance(operation_tpl, str):
+ operation = Operation.objects.get(slug=operation_tpl)
+ else:
+ operation = rbac_utils.get_operation(operation_tpl)
+ if isinstance(model_or_instance, models.Model):
+ target_ct = ContentType.objects.get_for_model(model_or_instance)
+ target_id = model_or_instance.pk
+ elif issubclass(model_or_instance, models.Model):
+ target_ct = ContentType.objects.get_for_model(ContentType)
+ target_id = ContentType.objects.get_for_model(model_or_instance).pk
+ else:
+ raise ValueError('invalid model_or_instance')
+ permission, _ = Permission.objects.get_or_create(
+ operation=operation, target_ct=target_ct, target_id=target_id, ou=ou
+ )
+ self.permissions.add(permission)
+
+ def remove_permission(self, model_or_instance, operation_tpl, ou=None):
+ if isinstance(operation_tpl, str):
+ operation = Operation.objects.get(slug=operation_tpl)
+ else:
+ operation = rbac_utils.get_operation(operation_tpl)
+ if isinstance(model_or_instance, models.Model):
+ target_ct = ContentType.objects.get_for_model(model_or_instance)
+ target_id = model_or_instance.pk
+ elif issubclass(model_or_instance, models.Model):
+ target_ct = ContentType.objects.get_for_model(ContentType)
+ target_id = ContentType.objects.get_for_model(model_or_instance).pk
+ else:
+ raise ValueError('invalid model_or_instance')
+ qs = Permission.objects.filter(
+ permission__target_ct=target_ct, permission__target_id=target_id, operation=operation
+ )
+ if ou:
+ qs = qs.filter(ou=ou)
+ else:
+ qs = qs.filter(ou__isnull=True)
+ self.permissions.through.filter(permission__in=qs).delete()
+
 objects = managers.RoleManager()
 
 class Meta:
--
2.35.1
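Review bot: `remove_permission` looks unable to revoke anything as written. Its queryset on `Permission` filters on `permission__target_ct` and `permission__target_id`, while `add_permission` in the same hunk creates `Permission` rows with `target_ct` and `target_id` directly, so unless `Permission` has a relation named `permission` that lookup raises `FieldError`. The last line calls `.filter` on `self.permissions.through`, which is the intermediate model class rather than a manager, and even with `.objects` added the delete is not restricted to this role, so it would strip the permission from every role holding it. I would change the filter arguments to `target_ct=target_ct, target_id=target_id, operation=operation` and the last line to `self.permissions.remove(*qs)`. Since callers will rely on this helper for access revocation, a test asserting that the permission is gone from this role and still present on a second role would pin both failure modes.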