idp_oidc: display BO custom client config to superusers only (#71905)
This commit is contained in:
parent
92b4eddf31
commit
68fec48b39
|
@ -940,6 +940,14 @@ class APIClientForm(forms.ModelForm):
|
|||
|
||||
|
||||
class ServiceForm(forms.ModelForm):
|
||||
def __init__(self, *args, **kwargs):
|
||||
if 'user' in kwargs:
|
||||
# OIDC services form initialization requires knowing user permissions.
|
||||
# this information isn't used for plain services yet.
|
||||
# TODO stop using a generic ServiceEditView for OIDC services(?)
|
||||
kwargs.pop('user')
|
||||
super().__init__(*args, **kwargs)
|
||||
|
||||
class Meta:
|
||||
model = Service
|
||||
fields = ['name', 'slug', 'ou', 'unauthorized_url']
|
||||
|
|
|
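Review bot: The `if 'user' in kwargs: kwargs.pop('user')` pair in ServiceForm.__init__ can be the single statement `kwargs.pop('user', None)`, which drops the membership test and keeps the three explanatory comment lines attached to one line of code. The comment could also say where the kwarg comes from rather than only that it is unused, e.g. `# ServiceEditView always passes user= (OIDCClientForm needs it); plain services ignore it.` — that matches the get_form_kwargs override added elsewhere in this commit. The enclosing ServiceForm class is complete in the hunk, but the previous class ends outside it.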
@ -133,6 +133,11 @@ class ServiceEditView(ServiceMixin, views.BaseEditView):
|
|||
return self.object.manager_form_class
|
||||
return super().get_form_class()
|
||||
|
||||
def get_form_kwargs(self):
|
||||
kwargs = super().get_form_kwargs()
|
||||
kwargs['user'] = self.request.user
|
||||
return kwargs
|
||||
|
||||
|
||||
edit_service = ServiceEditView.as_view()
|
||||
|
||||
|
|
|
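Review bot: get_form_kwargs now passes `user` to whatever get_form_class returns, so every `manager_form_class` reachable from ServiceEditView must accept a `user` kwarg or form instantiation raises TypeError; this commit adapts ServiceForm and OIDCClientForm, and whether other service types' forms are affected is not visible here. OIDCServiceAddView (lines 241-250) adds an identical get_form_kwargs; a small shared mixin, or moving the override into ServiceMixin, would keep the two in step and give one place for a comment such as `# the form uses request.user only to decide whether superuser-only fields are shown`. The enclosing ServiceEditView class starts outside the hunk.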
@ -15,6 +15,8 @@
|
|||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
from django import forms
|
||||
from django.contrib.auth import get_user_model
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
from authentic2.attributes_ng.engine import get_service_attributes
|
||||
from authentic2.forms.mixins import SlugMixin
|
||||
|
@ -43,8 +45,37 @@ class OIDCClientForm(SlugMixin, forms.ModelForm):
|
|||
]
|
||||
|
||||
def __init__(self, *args, **kwargs):
|
||||
user = kwargs.pop('user')
|
||||
super().__init__(*args, **kwargs)
|
||||
self.fields['colour'].widget = forms.TextInput(attrs={'type': 'color'})
|
||||
if user and isinstance(user, get_user_model()) and user.is_superuser:
|
||||
initial_has_api_access = self.instance.has_api_access if self.instance else False
|
||||
initial_activate_user_profiles = self.instance.activate_user_profiles if self.instance else False
|
||||
self.fields['has_api_access'] = forms.BooleanField(
|
||||
initial=initial_has_api_access,
|
||||
label=_("Has access to Authentic's synchronization API"),
|
||||
required=False,
|
||||
)
|
||||
|
||||
self.fields['activate_user_profiles'] = forms.BooleanField(
|
||||
initial=initial_activate_user_profiles,
|
||||
label=_("Activates user profiles selection"),
|
||||
required=False,
|
||||
)
|
||||
|
||||
def save(self, *args, **kwargs):
|
||||
instance = super().save(*args, **kwargs)
|
||||
changed = False
|
||||
for custom_field in ('has_api_access', 'activate_user_profiles'):
|
||||
if (
|
||||
custom_field in self.cleaned_data
|
||||
and getattr(instance, custom_field) != self.cleaned_data[custom_field]
|
||||
):
|
||||
setattr(instance, custom_field, self.cleaned_data[custom_field])
|
||||
changed = True
|
||||
if changed:
|
||||
instance.save()
|
||||
return instance
|
||||
|
||||
|
||||
class OIDCClaimForm(forms.ModelForm):
|
||||
|
|
|
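Review bot: OIDCClientForm.save() issues a second `instance.save()` regardless of the `commit` argument, so a caller using `save(commit=False)` receives an unsaved instance from super() and then an unexpected database write; honouring it needs `commit = kwargs.get('commit', args[0] if args else True)` after the super() call and `if changed and commit:` in place of `if changed:` — the setattr calls still apply when commit is False and the caller's own save persists them. In __init__, `kwargs.pop('user')` raises KeyError when the form is built without a user, whereas ServiceForm in this commit tolerates its absence; `user = kwargs.pop('user', None)` keeps the following `if user and isinstance(...)` guard meaningful. The `if self.instance else False` conditionals are always true, since a Django ModelForm builds a fresh unsaved instance when none is passed, so `initial_has_api_access = self.instance.has_api_access` is sufficient. The loop in save() is what keeps a non-superuser from setting these flags — the fields are only added to the form for superusers, so they never reach cleaned_data otherwise — and a comment recording that, `# only fields added in __init__ (superuser) reach cleaned_data; stray POST params are ignored`, would stop a future refactor from weakening it.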
@ -37,6 +37,11 @@ class OIDCServiceAddView(views.ActionMixin, views.BaseAddView):
|
|||
OIDCClaim.objects.get_or_create(client=self.object, **mapping)
|
||||
return reverse('a2-manager-service', kwargs={'service_pk': self.object.pk})
|
||||
|
||||
def get_form_kwargs(self):
|
||||
kwargs = super().get_form_kwargs()
|
||||
kwargs['user'] = self.request.user
|
||||
return kwargs
|
||||
|
||||
|
||||
add_oidc_service = OIDCServiceAddView.as_view()
|
||||
|
||||
|
|
|
@ -27,7 +27,38 @@ def app(app, admin):
|
|||
return app
|
||||
|
||||
|
||||
def test_add_oidc_service(app):
|
||||
@pytest.fixture
|
||||
def superuser_app(app, superuser):
|
||||
login(app, superuser)
|
||||
return app
|
||||
|
||||
|
||||
def test_add_oidc_service_superuser(superuser_app):
|
||||
resp = superuser_app.get('/manage/services/')
|
||||
assert 'Add OIDC service' in resp.text
|
||||
assert OIDCClient.objects.count() == 0
|
||||
assert OIDCClaim.objects.count() == 0
|
||||
|
||||
resp = resp.click('Add OIDC service')
|
||||
form = resp.form
|
||||
form['name'] = 'Test'
|
||||
form['redirect_uris'] = 'http://example.com'
|
||||
form['has_api_access'] = True
|
||||
form['activate_user_profiles'] = True
|
||||
resp = form.submit()
|
||||
|
||||
assert OIDCClient.objects.count() == 1
|
||||
assert OIDCClaim.objects.count() == len(oidc_app_settings.DEFAULT_MAPPINGS)
|
||||
oidc_client = OIDCClient.objects.get()
|
||||
assert oidc_client.has_api_access is True
|
||||
assert oidc_client.activate_user_profiles is True
|
||||
assert resp.location == f'/manage/services/{oidc_client.pk}/'
|
||||
resp = resp.follow()
|
||||
assert "Settings" in resp.text
|
||||
assert "Delete" in resp.text
|
||||
|
||||
|
||||
def test_add_oidc_service_admin(app):
|
||||
resp = app.get('/manage/services/')
|
||||
assert 'Add OIDC service' in resp.text
|
||||
assert OIDCClient.objects.count() == 0
|
||||
|
@ -37,11 +68,15 @@ def test_add_oidc_service(app):
|
|||
form = resp.form
|
||||
form['name'] = 'Test'
|
||||
form['redirect_uris'] = 'http://example.com'
|
||||
assert 'has_api_access' not in form.fields
|
||||
assert 'activate_user_profiles' not in form.fields
|
||||
resp = form.submit()
|
||||
|
||||
assert OIDCClient.objects.count() == 1
|
||||
assert OIDCClaim.objects.count() == len(oidc_app_settings.DEFAULT_MAPPINGS)
|
||||
oidc_client = OIDCClient.objects.get()
|
||||
assert oidc_client.has_api_access is False
|
||||
assert oidc_client.activate_user_profiles is False
|
||||
assert resp.location == f'/manage/services/{oidc_client.pk}/'
|
||||
resp = resp.follow()
|
||||
assert "Settings" in resp.text
|
||||
|
|
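Review bot: test_add_oidc_service_admin only asserts that `has_api_access` and `activate_user_profiles` are absent from the rendered form; the property actually enforced by OIDCClientForm.save() is that values for those fields are ignored unless the form itself added them, and no test submits them as a non-superuser. A companion case that POSTs the admin form with extra `has_api_access` and `activate_user_profiles` parameters (a direct POST rather than `form[...] = ...`, since WebTest rejects field names the form does not have) and then asserts `oidc_client.has_api_access is False` and `oidc_client.activate_user_profiles is False` would pin that behaviour. The `superuser` fixture consumed by `superuser_app` is not defined in this hunk, so it presumably comes from a conftest.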