manager: add permissions based access to global journal (#52765)

2021-04-07 17:22:23 +02:00 · 2021-04-07 17:22:23 +02:00 · 40e5bc9f0d
parent cfb8a0619f
commit 40e5bc9f0d
4 changed files with 19 additions and 11 deletions
--- a/src/authentic2/manager/journal_views.py
+++ b/src/authentic2/manager/journal_views.py
@ -129,13 +129,10 @@ class BaseJournalView(views.TitleMixin, views.MediaMixin, views.MultipleOUMixin,
        return ctx


-class GlobalJournalView(BaseJournalView):
+class GlobalJournalView(views.PermissionMixin, BaseJournalView):
    template_name = 'authentic2/manager/journal.html'
-
-    def dispatch(self, request, *args, **kwargs):
-        if not request.user.is_superuser:
-            raise PermissionDenied
-        return super().dispatch(request, *args, **kwargs)
+    permissions_global = True
+    permissions = ['custom_user.view_user', 'a2_rbac.view_role']


 journal = GlobalJournalView.as_view()
--- a/src/authentic2/manager/templates/authentic2/manager/homepage.html
+++ b/src/authentic2/manager/templates/authentic2/manager/homepage.html
@ -6,13 +6,17 @@

 {% block appbar %}
  <h2>{% blocktrans %}Here you can manage objects related to organizational units, users, roles and applications.{% endblocktrans %}</h2>
-  {% if user.is_superuser %}
+  {% if user.is_superuser or can_view_journal %}
  <span class="actions">
  <a class="extra-actions-menu-opener"></a>
  <ul class="extra-actions-menu">
+    {% if user.is_superuser %}
    <li><a download href="{% url 'a2-manager-site-export' %}">{% trans 'Export Site' %}</a></li>
    <li><a href="{% url 'a2-manager-site-import' %}" rel="popup">{% trans 'Import Site' %}</a></li>
+    {% endif %}
+    {% if user.is_superuser or can_view_journal %}
    <li><a href="{% url 'a2-manager-journal' %}">{% trans 'Journal' %}</a></li>
+    {% endif %}
  </ul>
  </span>
  {% endif %}
--- a/src/authentic2/manager/views.py
+++ b/src/authentic2/manager/views.py
@ -658,6 +658,9 @@ class HomepageView(TitleMixin, PermissionMixin, MediaMixin, TemplateView):

    def get_context_data(self, **kwargs):
        kwargs['entries'] = self.get_homepage_entries()
+        kwargs['can_view_journal'] = self.request.user.has_perms(
+            ['custom_user.view_user', 'a2_rbac.view_role']
+        )
        return super(HomepageView, self).get_context_data(**kwargs)


--- a/tests/test_manager_journal.py
+++ b/tests/test_manager_journal.py
@ -28,14 +28,18 @@ from authentic2.custom_user.models import User
 from authentic2.journal import journal
 from authentic2.models import Service

-from .utils import login, text_content
+from .utils import login, logout, text_content


-def test_journal_authorization(app, db, admin):
-    response = login(app, admin, path='/manage/')
-    assert 'Journal' not in response
+def test_journal_authorization(app, db, simple_user, admin):
+    response = login(app, simple_user)
    app.get('/manage/journal/', status=403)

+    logout(app)
+    response = login(app, admin, path='/manage/')
+    assert 'Journal' in response
+    app.get('/manage/journal/', status=200)
+

@pytest.fixture(autouse=True)
 def events(db, freezer):