Révision a685a0ef
Ajouté par Frédéric Péters il y a plus de 8 ans
extra/auquotidien.py | ||
---|---|---|
28 | 28 |
} |
29 | 29 |
|
30 | 30 |
|
31 |
def check_visibility(target): |
|
32 |
user = get_request().user |
|
33 |
if not user: |
|
34 |
return False |
|
35 |
target = target.strip('/') |
|
36 |
if target == 'management': |
|
37 |
target = 'forms' |
|
38 |
if target == 'strongbox': |
|
39 |
if not get_publisher().has_site_option(target): |
|
40 |
# strongbox disabled in site-options.cfg |
|
41 |
return False |
|
42 |
if not get_cfg('misc', {}).get('aq-strongbox'): |
|
43 |
# strongbox disabled in settings panel |
|
44 |
return False |
|
45 |
admin_role = get_cfg('aq-permissions', {}).get(target, None) |
|
46 |
if not admin_role: |
|
47 |
return False |
|
48 |
if not (user.is_admin or admin_role in (user.roles or [])): |
|
49 |
return False |
|
50 |
return True |
|
51 |
|
|
52 | 31 |
rdb = get_publisher_class().backoffice_directory_class |
53 | 32 |
|
54 | 33 |
rdb.items = [] |
55 | 34 |
|
56 | 35 |
rdb.register_directory('announces', modules.announces_ui.AnnouncesDirectory()) |
57 |
rdb.register_menu_item('announces/', _('Announces'), check_visibility)
|
|
36 |
rdb.register_menu_item('announces/', _('Announces')) |
|
58 | 37 |
|
59 | 38 |
rdb.register_directory('links', modules.links_ui.LinksDirectory()) |
60 |
rdb.register_menu_item('links/', _('Links'), check_visibility)
|
|
39 |
rdb.register_menu_item('links/', _('Links')) |
|
61 | 40 |
|
62 | 41 |
rdb.register_directory('events', modules.events_ui.EventsDirectory()) |
63 |
rdb.register_menu_item('events/', _('Events'), check_visibility)
|
|
42 |
rdb.register_menu_item('events/', _('Events')) |
|
64 | 43 |
|
65 | 44 |
rdb.register_directory('payments', modules.payments_ui.PaymentsDirectory()) |
66 |
rdb.register_menu_item('payments/', _('Payments'), check_visibility)
|
|
45 |
rdb.register_menu_item('payments/', _('Payments')) |
|
67 | 46 |
|
68 | 47 |
rdb.register_directory('strongbox', modules.strongbox_ui.StrongboxDirectory()) |
69 |
rdb.register_menu_item('strongbox/', _('Strongbox'), check_visibility)
|
|
48 |
rdb.register_menu_item('strongbox/', _('Strongbox')) |
|
70 | 49 |
|
71 | 50 |
rdb.register_directory('settings', modules.admin.SettingsDirectory()) |
72 | 51 |
rdb.register_directory('categories', modules.categories_admin.CategoriesDirectory()) |
extra/modules/announces_ui.py | ||
---|---|---|
320 | 320 |
|
321 | 321 |
subscriptions = SubscriptionsDirectory() |
322 | 322 |
|
323 |
def is_accessible(self, user): |
|
324 |
from .backoffice import check_visibility |
|
325 |
return check_visibility('announces', user) |
|
326 |
|
|
323 | 327 |
def _q_access(self): |
324 | 328 |
user = get_request().user |
325 | 329 |
if not user: |
326 | 330 |
raise errors.AccessUnauthorizedError() |
327 |
admin_role = get_cfg('aq-permissions', {}).get('announces', None) |
|
328 |
if not (user.is_admin or admin_role in (user.roles or [])):
|
|
331 |
|
|
332 |
if not self.is_accessible(user):
|
|
329 | 333 |
raise errors.AccessForbiddenError( |
330 | 334 |
public_msg = _('You are not allowed to access Announces Management'), |
331 | 335 |
location_hint = 'backoffice') |
extra/modules/backoffice.py | ||
---|---|---|
14 | 14 |
from qommon import get_cfg, errors |
15 | 15 |
from qommon.form import * |
16 | 16 |
|
17 |
CURRENT_USER = object() |
|
18 |
|
|
19 |
def check_visibility(target, user=CURRENT_USER): |
|
20 |
if user is CURRENT_USER: |
|
21 |
user = get_request().user |
|
22 |
if not user: |
|
23 |
return False |
|
24 |
target = target.strip('/') |
|
25 |
if target == 'management': |
|
26 |
target = 'forms' |
|
27 |
if target == 'strongbox': |
|
28 |
if not get_publisher().has_site_option(target): |
|
29 |
# strongbox disabled in site-options.cfg |
|
30 |
return False |
|
31 |
if not get_cfg('misc', {}).get('aq-strongbox'): |
|
32 |
# strongbox disabled in settings panel |
|
33 |
return False |
|
34 |
admin_role = get_cfg('aq-permissions', {}).get(target, None) |
|
35 |
if not admin_role: |
|
36 |
return False |
|
37 |
if not (user.is_admin or admin_role in (user.roles or [])): |
|
38 |
return False |
|
39 |
return True |
|
40 |
|
|
41 |
|
|
17 | 42 |
class BackofficeRootDirectory(wcs.backoffice.root.RootDirectory): |
18 | 43 |
def _q_access(self): |
19 | 44 |
super(BackofficeRootDirectory, self)._q_access() |
extra/modules/events_ui.py | ||
---|---|---|
304 | 304 |
|
305 | 305 |
remote = RemoteCalendarsDirectory() |
306 | 306 |
|
307 |
def is_accessible(self, user): |
|
308 |
from .backoffice import check_visibility |
|
309 |
return check_visibility('events', user) |
|
310 |
|
|
307 | 311 |
def _q_access(self): |
308 | 312 |
user = get_request().user |
309 | 313 |
if not user: |
310 | 314 |
raise errors.AccessUnauthorizedError() |
311 |
admin_role = get_cfg('aq-permissions', {}).get('events', None) |
|
312 |
if not (user.is_admin or admin_role in (user.roles or [])):
|
|
315 |
|
|
316 |
if not self.is_accessible(user):
|
|
313 | 317 |
raise errors.AccessForbiddenError( |
314 | 318 |
public_msg = _('You are not allowed to access Events Management'), |
315 | 319 |
location_hint = 'backoffice') |
extra/modules/links_ui.py | ||
---|---|---|
101 | 101 |
_q_exports = ['', 'new', 'listing', 'update_order'] |
102 | 102 |
label = N_('Links') |
103 | 103 |
|
104 |
def is_accessible(self, user): |
|
105 |
from .backoffice import check_visibility |
|
106 |
return check_visibility('links', user) |
|
107 |
|
|
104 | 108 |
def _q_access(self): |
105 | 109 |
user = get_request().user |
106 | 110 |
if not user: |
107 | 111 |
raise errors.AccessUnauthorizedError() |
108 |
admin_role = get_cfg('aq-permissions', {}).get('links', None) |
|
109 |
if not (user.is_admin or admin_role in (user.roles or [])):
|
|
112 |
|
|
113 |
if not self.is_accessible(user):
|
|
110 | 114 |
raise errors.AccessForbiddenError( |
111 | 115 |
public_msg = _('You are not allowed to access Links Management'), |
112 | 116 |
location_hint = 'backoffice') |
extra/modules/payments_ui.py | ||
---|---|---|
524 | 524 |
|
525 | 525 |
regie = RegiesDirectory() |
526 | 526 |
|
527 |
def is_accessible(self, user): |
|
528 |
from .backoffice import check_visibility |
|
529 |
return check_visibility('payments', user) |
|
530 |
|
|
527 | 531 |
def _q_access(self): |
528 | 532 |
user = get_request().user |
529 | 533 |
if not user: |
530 | 534 |
raise errors.AccessUnauthorizedError() |
531 |
admin_role = get_cfg('aq-permissions', {}).get('payments', None) |
|
532 |
if not (user.is_admin or admin_role in (user.roles or [])):
|
|
535 |
|
|
536 |
if not self.is_accessible(user):
|
|
533 | 537 |
raise errors.AccessForbiddenError( |
534 | 538 |
public_msg = _('You are not allowed to access Payments Management'), |
535 | 539 |
location_hint = 'backoffice') |
extra/modules/strongbox_ui.py | ||
---|---|---|
147 | 147 |
|
148 | 148 |
types = StrongboxTypesDirectory() |
149 | 149 |
|
150 |
def is_accessible(self, user): |
|
151 |
from .backoffice import check_visibility |
|
152 |
return check_visibility('strongbox', user) |
|
153 |
|
|
150 | 154 |
def _q_access(self): |
151 | 155 |
user = get_request().user |
152 | 156 |
if not user: |
153 | 157 |
raise errors.AccessUnauthorizedError() |
154 |
admin_role = get_cfg('aq-permissions', {}).get('strongbox', None) |
|
155 |
if not (user.is_admin or admin_role in (user.roles or [])):
|
|
158 |
|
|
159 |
if not self.is_accessible(user):
|
|
156 | 160 |
raise errors.AccessForbiddenError( |
157 | 161 |
public_msg = _('You are not allowed to access Strongbox Management'), |
158 | 162 |
location_hint = 'backoffice') |
tests/test_admin_pages.py | ||
---|---|---|
72 | 72 |
# this makes sure the extension loaded properly |
73 | 73 |
assert '<span id="applabel">Publik</span>' in resp.body |
74 | 74 |
|
75 |
def test_directory_registration(): |
|
76 |
create_superuser() |
|
77 |
app = login(get_app(pub)) |
|
78 |
resp = app.get('/backoffice/links/') |
|
79 |
|
|
80 | 75 |
def test_general_admin_permissions(): |
81 | 76 |
create_superuser() |
82 | 77 |
app = login(get_app(pub)) |
... | ... | |
96 | 91 |
resp = app.get('/backoffice/settings/') |
97 | 92 |
assert 'aq/permissions' in resp.body |
98 | 93 |
resp = app.get('/backoffice/settings/aq/permissions') |
94 |
|
|
95 |
def test_menu_items(): |
|
96 |
create_superuser() |
|
97 |
role = create_role() |
|
98 |
|
|
99 |
for area in ('links', 'announces', 'events', 'links', 'payments'): |
|
100 |
pub.cfg['aq-permissions'] = {area: None} |
|
101 |
pub.write_cfg() |
|
102 |
|
|
103 |
user1.is_admin = True |
|
104 |
user1.roles = [] |
|
105 |
user1.store() |
|
106 |
|
|
107 |
app = login(get_app(pub)) |
|
108 |
resp = app.get('/backoffice/') |
|
109 |
assert not '/%s/' % area in resp.body |
|
110 |
resp = app.get('/backoffice/%s/' % area, status=403) |
|
111 |
|
|
112 |
pub.cfg['aq-permissions'] = {area: 'XXX'} |
|
113 |
pub.write_cfg() |
|
114 |
|
|
115 |
resp = app.get('/backoffice/') |
|
116 |
assert '/%s/' % area in resp.body |
|
117 |
resp = app.get('/backoffice/%s/' % area, status=200) |
|
118 |
|
|
119 |
user1.is_admin = False |
|
120 |
user1.roles = [role.id] |
|
121 |
user1.store() |
|
122 |
resp = app.get('/backoffice/') |
|
123 |
assert not '/%s/' % area in resp.body |
|
124 |
resp = app.get('/backoffice/%s/' % area, status=403) |
|
125 |
|
|
126 |
user1.is_admin = False |
|
127 |
user1.roles = [role.id, 'XXX'] |
|
128 |
user1.store() |
|
129 |
resp = app.get('/backoffice/') |
|
130 |
assert '/%s/' % area in resp.body |
|
131 |
resp = app.get('/backoffice/%s/' % area, status=200) |
Formats disponibles : Unified diff
general: don't allow admins to get into new areas, unless authorized (#8562)