From ce93ed1dcf76ce418092cc2c86444daf07a2846b Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Fri, 3 Jul 2015 17:48:52 +0200
Subject: [PATCH] a2_rbac: give the permission to view all users to any role administrator
---
 src/authentic2/a2_rbac/management.py | 11 +++++++++--
 src/authentic2/a2_rbac/models.py | 12 ++++++++----
 src/authentic2/a2_rbac/utils.py | 17 +++++++++++++++++
 3 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/src/authentic2/a2_rbac/management.py b/src/authentic2/a2_rbac/management.py
index 2f1f97d..0d64977 100644
--- a/src/authentic2/a2_rbac/management.py
+++ b/src/authentic2/a2_rbac/management.py
@@ -5,6 +5,7 @@
 from django.contrib.contenttypes.models import ContentType
 from django_rbac.utils import get_role_model, get_ou_model
 from ..utils import get_fk_model
+from . import utils
 def update_ou_admin_roles(ou):
@@ -31,6 +32,8 @@ def update_ou_admin_roles(ou):
 update_slug=True, update_name=True)
 ou_ct_admin_role.add_child(admin_role)
+ if MANAGED_CT[key]['name'].get('must_view_user'):
+ ou_ct_admin_role.permissions.add(utils.get_view_user_perm())
 def update_ous_admin_roles():
@@ -57,6 +60,7 @@ MANAGED_CT = {
 ('a2_rbac', 'role'): {
 'name': _('Manager of roles'),
 'scoped_name': _('Roles - {ou}'),
+ 'must_view_user': True,
 },
 ('a2_rbac', 'organizationalunit'): {
 'name': _('Manager of organizational units'),
@@ -75,6 +79,7 @@ def update_content_types_roles():
 '''
 cts = ContentType.objects.all()
 Role = get_role_model()
+ view_user_perm = utils.get_view_user_perm()
 for ct in cts:
 ct_tuple = (ct.app_label.lower(), ct.model.lower())
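Review bot: The new guard `if MANAGED_CT[key]['name'].get('must_view_user'):` in the `@@ -31,6 +32,8 @@` hunk indexes the `'name'` entry, which the MANAGED_CT hunk below shows is a lazy translation string (`_('Manager of roles')`), so `.get` will almost certainly raise AttributeError instead of reading the new `'must_view_user'` flag; the same expression reappears in the `@@ -83,5 +88,7 @@` hunk of this file as `MANAGED_CT[ct_tuple]['name'].get(...)`. Both should test the entry dict itself: `if MANAGED_CT[key].get('must_view_user'):` and `if MANAGED_CT[ct_tuple].get('must_view_user'):`. As written, the view-users permission is granted in neither code path, and a run of update_ou_admin_roles over the role content type fails outright. update_ou_admin_roles starts and ends outside this hunk, so where `key` is bound is not visible here.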
@@ -83,5 +88,7 @@ def update_content_types_roles():
 # General admin role
 name = MANAGED_CT[ct_tuple]['name']
 slug = '_a2-' + slugify(name)
- Role.objects.get_admin_role(instance=ct, name=name, slug=slug,
- update_name=True)
+ admin_role = Role.objects.get_admin_role(instance=ct, name=name,
+ slug=slug, update_name=True)
+ if MANAGED_CT[ct_tuple]['name'].get('must_view_user'):
+ admin_role.permissions.add(view_user_perm)
diff --git a/src/authentic2/a2_rbac/models.py b/src/authentic2/a2_rbac/models.py
index 71680ae..e19d4d7 100644
--- a/src/authentic2/a2_rbac/models.py
+++ b/src/authentic2/a2_rbac/models.py
@@ -12,7 +12,7 @@ except ImportError:
 # Django < 1.8
 from django.contrib.contenttypes.generic import GenericForeignKey
-from . import managers, fields
+from . import managers, fields, utils
 class OrganizationalUnit(OrganizationalUnitAbstractBase):
@@ -93,10 +93,14 @@ class Role(RoleAbstractBase):
 db_index=True)
 def get_admin_role(self, ou=None):
- return self.__class__.objects.get_admin_role(
+ admin_role = self.__class__.objects.get_admin_role(
 self, ou=self.ou,
- name=_('Managers of role "{role}"').format(role=unicode(self)),
- slug='_a2-managers-of-role-{role}'.format(role=slugify(unicode(self))))
+ name=_('Managers of role "{role}"').format(
+ role=unicode(self)),
+ slug='_a2-managers-of-role-{role}'.format(
+ role=slugify(unicode(self))))
+ admin_role.permissions.add(utils.get_view_user_perm())
+ return admin_role
 def clean(self):
 super(Role, self).clean()
diff --git a/src/authentic2/a2_rbac/utils.py b/src/authentic2/a2_rbac/utils.py
index c8cd696..b6da185 100644
--- a/src/authentic2/a2_rbac/utils.py
+++ b/src/authentic2/a2_rbac/utils.py
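Review bot: In the `@@ -93,10 +93,14 @@` hunk of models.py, get_admin_role now has a side effect beyond fetching or creating the manager role — it grants that role the view-all-users permission on every call — and nothing at the definition says so; a docstring is warranted, e.g. `"""Return the manager role of this role; as a side effect, grant it the (non-OU-scoped) permission to view all users."""`. Since utils.get_view_user_perm() performs a get_or_create and permissions.add issues further queries, each call of this accessor now touches the database several times, which callers invoking it in a loop should be told in that docstring as well. The granted permission is created with `ou__isnull=True` in the utils hunk, so it is not limited to `self.ou` even though the manager role is created within `self.ou`; if that widening is intended, the docstring is the place to state it.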
@@ -1,4 +1,21 @@
+from django.contrib.auth import get_user_model
+from django.contrib.contenttypes.models import ContentType
+from django_rbac.models import VIEW_OP
+
+from django_rbac import utils as rbac_utils
+
 from . import models
+
 def get_default_ou():
 return models.OrganizationalUnit.objects.get(default=True)
+
+
+def get_view_user_perm():
+ User = get_user_model()
+ Permission = rbac_utils.get_permission_model()
+ view_user_perm, created = Permission.objects.get_or_create(
+ operation=rbac_utils.get_operation(VIEW_OP),
+ target_ct=ContentType.objects.get_for_model(ContentType),
+ target_id=ContentType.objects.get_for_model(User).pk,
+ ou__isnull=True)
-- 
2.1.4
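Review bot: get_view_user_perm never returns the permission it looks up — the body ends at `ou__isnull=True)` with no `return` (the hunk covers the whole new file, +1,21), so every caller this commit adds (`permissions.add(utils.get_view_user_perm())` in management.py and models.py, `view_user_perm = utils.get_view_user_perm()` in update_content_types_roles) receives None and the M2M add fails. Add `return view_user_perm` as the last line; `created` is unused and can be dropped with `view_user_perm, _ = Permission.objects.get_or_create(`. The lookup uses `ou__isnull=True`, so what is granted appears to be an OU-independent view over every user rather than a grant scoped to the manager's OU; that is consistent with the commit title but is a wider privilege than the OU-scoped manager roles otherwise carry, and deserves a one-line docstring, e.g. `"""Return, creating it if needed, the OU-independent permission to view every user."""`.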