OU consistency check between api client and roles at validation (#72703)
This commit is contained in:
parent
ed292f6515
commit
1d668a16bb
|
@ -939,6 +939,20 @@ class APIClientForm(forms.ModelForm):
|
|||
'apiclient_roles',
|
||||
)
|
||||
|
||||
def clean(self):
|
||||
ou = self.cleaned_data['ou']
|
||||
if ou:
|
||||
unauthorized_roles = self.cleaned_data['apiclient_roles'].exclude(ou=ou)
|
||||
if unauthorized_roles:
|
||||
unauthorized_roles = ', '.join(unauthorized_roles.values_list('name', flat=True))
|
||||
self.add_error(
|
||||
'apiclient_roles',
|
||||
_(
|
||||
f'The following roles do not belong to organizational unit {ou.name}: {unauthorized_roles}.'
|
||||
),
|
||||
)
|
||||
return super().clean()
|
||||
|
||||
class Meta:
|
||||
model = APIClient
|
||||
fields = (
|
||||
|
|
|
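Review bot: `clean()` indexes `self.cleaned_data['ou']` and `self.cleaned_data['apiclient_roles']` directly, but Django leaves a field out of `cleaned_data` when its own validation fails and still calls `clean()`, so a submission with an invalid OU or role id would raise `KeyError` instead of re-rendering the form with its errors. Read both with `.get()` and skip the check when either is missing, e.g. `ou = self.cleaned_data.get('ou')` and `roles = self.cleaned_data.get('apiclient_roles')`, guarded by `if ou and roles is not None:`. Separately, `_(f'...')` interpolates before the catalog lookup, so the message can be neither extracted nor translated; `_('The following roles do not belong to organizational unit %(ou)s: %(roles)s.') % {'ou': ou.name, 'roles': unauthorized_roles}` keeps the same text. The check is skipped when `ou` is empty, which presumably means a client without an OU may hold roles from any OU; a one-line comment saying this is intended would help the next reader. The class body starts outside the hunk.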
@ -20,6 +20,7 @@ import pytest
|
|||
from django.urls import reverse
|
||||
|
||||
from authentic2.a2_rbac.models import Role
|
||||
from authentic2.a2_rbac.utils import get_default_ou
|
||||
from authentic2.models import APIClient
|
||||
|
||||
from .utils import login
|
||||
|
@ -159,8 +160,8 @@ def test_list_show_objects_local_admin(admin_ou1, app, ou1, ou2):
|
|||
|
||||
def test_add(superuser, app):
|
||||
assert APIClient.objects.count() == 0
|
||||
role_1 = Role.objects.create(name='role-1')
|
||||
role_2 = Role.objects.create(name='role-2')
|
||||
role_1 = Role.objects.create(name='role-1', ou=get_default_ou())
|
||||
role_2 = Role.objects.create(name='role-2', ou=get_default_ou())
|
||||
resp = login(app, superuser, 'a2-manager-api-client-add')
|
||||
form = resp.form
|
||||
# password is prefilled
|
||||
|
@ -195,8 +196,8 @@ def test_add_local_admin(admin_ou1, app, ou1, ou2):
|
|||
|
||||
def test_add_description_non_mandatory(superuser, app):
|
||||
assert APIClient.objects.count() == 0
|
||||
role_1 = Role.objects.create(name='role-1')
|
||||
role_2 = Role.objects.create(name='role-2')
|
||||
role_1 = Role.objects.create(name='role-1', ou=get_default_ou())
|
||||
role_2 = Role.objects.create(name='role-2', ou=get_default_ou())
|
||||
resp = login(app, superuser, 'a2-manager-api-client-add')
|
||||
form = resp.form
|
||||
form.set('name', 'api-client-name')
|
||||
|
@ -270,6 +271,27 @@ def test_edit(superuser, app, ou1, ou2):
|
|||
api_client = APIClient.objects.get(password='easy')
|
||||
assert api_client.identifier == 'foo-identifier'
|
||||
|
||||
resp = app.get(reverse('a2-manager-api-client-edit', kwargs={'pk': api_client.pk}))
|
||||
form = resp.form
|
||||
form.set('ou', ou2.id)
|
||||
response = form.submit()
|
||||
errmsg = response.pyquery('div.error')[0].text
|
||||
assert "do not belong to organizational unit OU2: role-1, role-3." in errmsg
|
||||
response.form.set('ou', ou2.id)
|
||||
response.form['apiclient_roles'].force_value([])
|
||||
response.form.submit().follow()
|
||||
api_client = APIClient.objects.get()
|
||||
assert set(api_client.apiclient_roles.all()) == set()
|
||||
assert api_client.ou == ou2
|
||||
|
||||
resp = app.get(reverse('a2-manager-api-client-edit', kwargs={'pk': api_client.pk}))
|
||||
form = resp.form
|
||||
form['apiclient_roles'].force_value([role_2.id])
|
||||
response = form.submit().follow()
|
||||
api_client = APIClient.objects.get()
|
||||
assert api_client.ou == ou2
|
||||
assert set(api_client.apiclient_roles.all()) == {role_2}
|
||||
|
||||
|
||||
def test_edit_local_admin(admin_ou1, app, ou1, ou2):
|
||||
role_1 = Role.objects.create(name='role-1', ou=ou1)
|
||||
|
|
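Review bot: The rejection path is exercised only through the edit view as superuser in `test_edit`. `test_add` and `test_add_description_non_mandatory` were only adjusted so their roles match the default OU, so nothing checks that creating a client with a role from another OU is refused. A negative case on the add view would cover it: create a role in a second OU, select it together with a different `ou`, submit, then assert on the `div.error` text and on `APIClient.objects.count() == 0`. The assertion on `"do not belong to organizational unit OU2: role-1, role-3."` also depends on the order in which the queryset returns the roles, which nothing in the visible code fixes; asserting on each role name separately would avoid a flaky failure. `test_edit` begins outside the hunk.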