misc: fix admin role bad permissions using get_admin_role (#42179)
parent
7c4f725bfc
commit
89814b519b
@ -331,20 +331,23 @@ class Command(BaseCommand):
|
|||
count = admin_permissions.count()
|
||||
if not count:
|
||||
self.warning('invalid admin role "%s" no admin permission', admin_role)
|
||||
elif count > 1:
|
||||
self.warning('invalid admin role "%s" too many admin permissions', admin_role)
|
||||
elif count != 2:
|
||||
self.warning('invalid admin role "%s" too few or too many admin permissions', admin_role)
|
||||
for admin_permission in admin_permissions:
|
||||
self.notice(' - %s', admin_permission)
|
||||
for admin_permission in admin_permissions:
|
||||
if MANAGE_MEMBERS_OP and admin_permission.operation != manage_members_op:
|
||||
self.warning('invalid admin role "%s" invalid permission "%s": not manage_members operation',
|
||||
admin_role, admin_permission)
|
||||
if admin_permission != admin_role.admin_scope:
|
||||
self.warning('invalid admin role "%s" invalid permission "%s": not admin_scope',
|
||||
admin_role, admin_permission)
|
||||
if admin_permission.ou != admin_permission.target.ou:
|
||||
self.warning('invalid admin role "%s" invalid permission "%s": wrong ou',
|
||||
if not (
|
||||
(admin_permission.target != admin_role and admin_permission == admin_role.admin_scope)
|
||||
or (admin_permission.target == admin_role)):
|
||||
self.warning('invalid admin role "%s" invalid permission "%s": not admin_scope and not self manage permission',
|
||||
admin_role, admin_permission)
|
||||
if admin_permission.ou is not None:
|
||||
self.warning('invalid admin role "%s" invalid permission "%s": wrong ou "%s"',
|
||||
admin_role, admin_permission, admin_permission.ou)
|
||||
admin_permission.target.get_admin_role()
|
||||
if admin_permission.target.ou != admin_role.ou:
|
||||
self.warning('invalid admin role "%s" wrong ou, should be "%s" is "%s"',
|
||||
admin_role, admin_permission.target.ou, admin_role.ou)
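Review bot: The new `admin_permission.target.get_admin_role()` call at the end of the loop body runs unconditionally for every permission, discards its result, and carries no comment saying why it is there; from the commit title it looks like the repair step, but nothing in this hunk ties it to the `--repair` option or to a warning having fired, so a check-only run of this command may create or rewrite roles as a side effect (the option's attribute is not visible here, so this is inferred). I would place it under the same repair condition the rest of the command uses, only when one of the preceding warnings fired, and precede it with a comment along the lines of `# repair: let the target rebuild its canonical admin role/permissions` adjusted to what get_admin_role actually does. Separately, the new three-line `if not (...)` test is equivalent by De Morgan to `if admin_permission.target != admin_role and admin_permission != admin_role.admin_scope:`, which reads more directly and matches the wording of the warning it guards. The enclosing method starts before and continues after this hunk.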
|
||||
|
|
|
@ -25,6 +25,7 @@ from django.utils import six
|
|||
from django.utils.timezone import now
|
||||
import py
|
||||
|
||||
from authentic2.a2_rbac.models import MANAGE_MEMBERS_OP
|
||||
from authentic2.a2_rbac.utils import get_default_ou
|
||||
from authentic2.models import UserExternalId
|
||||
from authentic2_auth_oidc.models import OIDCProvider, OIDCAccount
|
||||
|
@ -299,6 +300,7 @@ def test_check_and_repair_managers_of_roles(db, capsys):
|
|||
role1 = Role.objects.create(name='Role 1', slug='role-1', ou=default_ou)
|
||||
perm1 = Permission.objects.create(
|
||||
operation=admin_op, target_id=role1.id,
|
||||
ou=default_ou,
|
||||
target_ct=ContentType.objects.get_for_model(Role))
|
||||
|
||||
manager_role1 = Role.objects.create(
|
||||
|
@ -312,10 +314,18 @@ def test_check_and_repair_managers_of_roles(db, capsys):
|
|||
captured = capsys.readouterr()
|
||||
assert '"Managers of Role 1": no admin scope' in captured.out
|
||||
assert 'Managers of Role 1" wrong ou, should be "Default organizational unit"' in captured.out
|
||||
assert 'invalid permission "Management / role / Role 1": not manage_members operation' in captured.out
|
||||
assert 'invalid permission "Management / role / Role 1": not admin_scope' in captured.out
|
||||
assert 'invalid permission "Management / role / Role 1": wrong ou' in captured.out
|
||||
assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": not manage_members operation' in captured.out
|
||||
assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": not admin_scope' in captured.out
|
||||
assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": wrong ou' in captured.out
|
||||
|
||||
perm1 = Permission.objects.get(operation=admin_op, target_id=role1.id)
|
||||
assert perm1.ou == default_ou
|
||||
manage_members_op = get_operation(MANAGE_MEMBERS_OP)
|
||||
perm1.op = manage_members_op
|
||||
perm1.save()
|
||||
call_command('check-and-repair', '--repair', '--noinput')
|
||||
perm1 = Permission.objects.get(operation=manage_members_op, target_id=role1.id)
|
||||
assert perm1.ou is None
|
||||
|
||||
def test_check_and_delete_unused_permissions(db, capsys, simple_user):
|
||||
Permission = get_permission_model()
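Review bot: `perm1.op = manage_members_op` on the new line just before `perm1.save()` assigns an attribute the model does not appear to have — everywhere else in this hunk the field is `operation` (`Permission.objects.get(operation=admin_op, ...)`, `Permission.objects.get(operation=manage_members_op, ...)`), so unless `op` is a real field or alias the save persists nothing and perm1 keeps `admin_op` with `ou=default_ou`. The final `Permission.objects.get(operation=manage_members_op, target_id=role1.id)` then only succeeds if the repair created a fresh manage_members permission, meaning the test passes without exercising the wrong-ou-on-existing-permission path it is written for, and the stale admin_op permission is never checked. Change the line to `perm1.operation = manage_members_op`, and consider also asserting that no Permission with `operation=admin_op` remains for `role1` after the repair, so the test proves the bad permission was fixed rather than merely shadowed by a newly created one. test_check_and_repair_managers_of_roles starts before this hunk.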
|
||||
|
|