api: upgrade change_role permission to manage_members (#50889)
parent
9be334320d
commit
852655fb95
|
@ -888,10 +888,10 @@ class RoleMembershipAPI(ExceptionHandlerMixin, APIView):
|
|||
self.role = get_object_or_404(Role, uuid=kwargs['role_uuid'])
|
||||
self.member = get_object_or_404(User, uuid=kwargs['member_uuid'])
|
||||
|
||||
perm = 'a2_rbac.change_role'
|
||||
perm = 'a2_rbac.manage_members_role'
|
||||
authorized = request.user.has_perm(perm, obj=self.role)
|
||||
if not authorized:
|
||||
raise PermissionDenied(u'User not allowed to change role')
|
||||
raise PermissionDenied(u'User not allowed to manage role members')
|
||||
|
||||
def post(self, request, *args, **kwargs):
|
||||
self.role.members.add(self.member)
|
||||
|
@ -920,10 +920,10 @@ class RoleMembershipsAPI(ExceptionHandlerMixin, APIView):
|
|||
self.role = get_object_or_404(Role, uuid=kwargs['role_uuid'])
|
||||
self.members = []
|
||||
|
||||
perm = 'a2_rbac.change_role'
|
||||
perm = 'a2_rbac.manage_members_role'
|
||||
authorized = request.user.has_perm(perm, obj=self.role)
|
||||
if not authorized:
|
||||
raise PermissionDenied(u'User not allowed to change role')
|
||||
raise PermissionDenied(u'User not allowed to manage role members')
|
||||
|
||||
if not isinstance(request.data, dict):
|
||||
raise ValidationError(_('Payload must be a dictionary'))
|
||||
|
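Review bot: In the first hunk, `self.member = get_object_or_404(User, uuid=kwargs['member_uuid'])` runs before the `has_perm` check, so a caller without `a2_rbac.manage_members_role` gets 404 for an unknown member UUID and 403 for a known one, and can tell which user UUIDs exist. Moving that lookup below the `if not authorized: raise PermissionDenied(...)` block would return 403 for any member UUID; the role lookup has to stay first because `has_perm` is called with `obj=self.role`. The test line `if member.username == 'fake' or role.name == 'fake': status = 404` appears to pin the current ordering and would need adjusting. The enclosing method starts above the hunk, so this rests on the visible lines only.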
|
|
@ -680,7 +680,7 @@ def test_api_users_create_force_password_reset(app, client, settings, superuser)
|
|||
def test_api_role_add_member(app, api_user, role, member):
|
||||
app.authorization = ('Basic', (api_user.username, api_user.username))
|
||||
|
||||
authorized = api_user.has_perm('a2_rbac.change_role', role)
|
||||
authorized = api_user.has_perm('a2_rbac.manage_members_role', role)
|
||||
|
||||
if member.username == 'fake' or role.name == 'fake':
|
||||
status = 404
|
||||
|
@ -697,7 +697,7 @@ def test_api_role_add_member(app, api_user, role, member):
|
|||
assert resp.json['detail'] == 'User successfully added to role'
|
||||
else:
|
||||
assert resp.json['result'] == 0
|
||||
assert resp.json['errors'] == 'User not allowed to change role'
|
||||
assert resp.json['errors'] == 'User not allowed to manage role members'
|
||||
|
||||
|
||||
def test_api_role_remove_member(app, api_user, role, member):
|
||||
|
@ -721,13 +721,13 @@ def test_api_role_remove_member(app, api_user, role, member):
|
|||
assert resp.json['detail'] == 'User successfully removed from role'
|
||||
else:
|
||||
assert resp.json['result'] == 0
|
||||
assert resp.json['errors'] == 'User not allowed to change role'
|
||||
assert resp.json['errors'] == 'User not allowed to manage role members'
|
||||
|
||||
|
||||
def test_api_role_add_members(app, api_user, role, member, member_rando2):
|
||||
app.authorization = ('Basic', (api_user.username, api_user.username))
|
||||
|
||||
authorized = api_user.has_perm('a2_rbac.change_role', role)
|
||||
authorized = api_user.has_perm('a2_rbac.manage_members_role', role)
|
||||
|
||||
if role.name == 'fake':
|
||||
status = 404
|
||||
|
@ -756,13 +756,13 @@ def test_api_role_add_members(app, api_user, role, member, member_rando2):
|
|||
assert m in role.members.all()
|
||||
else:
|
||||
assert resp.json['result'] == 0
|
||||
assert resp.json['errors'] == 'User not allowed to change role'
|
||||
assert resp.json['errors'] == 'User not allowed to manage role members'
|
||||
|
||||
|
||||
def test_api_role_remove_members(app, api_user, role, member, member_rando2):
|
||||
app.authorization = ('Basic', (api_user.username, api_user.username))
|
||||
|
||||
authorized = api_user.has_perm('a2_rbac.change_role', role)
|
||||
authorized = api_user.has_perm('a2_rbac.manage_members_role', role)
|
||||
|
||||
if role.name == 'fake':
|
||||
status = 404
|
||||
|
@ -791,13 +791,13 @@ def test_api_role_remove_members(app, api_user, role, member, member_rando2):
|
|||
assert m not in role.members.all()
|
||||
else:
|
||||
assert resp.json['result'] == 0
|
||||
assert resp.json['errors'] == 'User not allowed to change role'
|
||||
assert resp.json['errors'] == 'User not allowed to manage role members'
|
||||
|
||||
|
||||
def test_api_role_set_members(app, api_user, role, member, member_rando2):
|
||||
app.authorization = ('Basic', (api_user.username, api_user.username))
|
||||
|
||||
authorized = api_user.has_perm('a2_rbac.change_role', role)
|
||||
authorized = api_user.has_perm('a2_rbac.manage_members_role', role)
|
||||
|
||||
if role.name == 'fake':
|
||||
status = 404
|
||||
|
@ -827,7 +827,7 @@ def test_api_role_set_members(app, api_user, role, member, member_rando2):
|
|||
assert m in role.members.all()
|
||||
else:
|
||||
assert resp.json['result'] == 0
|
||||
assert resp.json['errors'] == 'User not allowed to change role'
|
||||
assert resp.json['errors'] == 'User not allowed to manage role members'
|
||||
|
||||
|
||||
def test_api_role_set_empty_members(app, api_user):
|
||||
|
@ -843,13 +843,13 @@ def test_api_role_set_empty_members(app, api_user):
|
|||
role.members.add(user)
|
||||
|
||||
status = 200
|
||||
if not api_user.has_perm('a2_rbac.change_role', role):
|
||||
if not api_user.has_perm('a2_rbac.manage_members_role', role):
|
||||
status = 403
|
||||
|
||||
resp = app.put_json(
|
||||
'/api/roles/{}/relationships/members/'.format(role.uuid), params={'data': []}, status=status
|
||||
)
|
||||
if api_user.has_perm('a2_rbac.change_role', role):
|
||||
if api_user.has_perm('a2_rbac.manage_members_role', role):
|
||||
assert len(role.members.all()) == 0
|
||||
else:
|
||||
assert len(role.members.all()) == 1
|
||||
|
@ -857,7 +857,7 @@ def test_api_role_set_empty_members(app, api_user):
|
|||
|
||||
def test_api_role_get_members(app, api_user, role):
|
||||
app.authorization = ('Basic', (api_user.username, api_user.username))
|
||||
authorized = api_user.has_perm('a2_rbac.change_role', role)
|
||||
authorized = api_user.has_perm('a2_rbac.manage_members_role', role)
|
||||
status = 405 if authorized else 403
|
||||
|
||||
app.get('/api/roles/{}/relationships/members/'.format(role.uuid), status=status)
|
||||
|
@ -865,7 +865,7 @@ def test_api_role_get_members(app, api_user, role):
|
|||
|
||||
def test_api_role_members_payload_missing(app, api_user, role):
|
||||
app.authorization = ('Basic', (api_user.username, api_user.username))
|
||||
authorized = api_user.has_perm('a2_rbac.change_role', role)
|
||||
authorized = api_user.has_perm('a2_rbac.manage_members_role', role)
|
||||
status = 400 if authorized else 403
|
||||
|
||||
app.post_json('/api/roles/{}/relationships/members/'.format(role.uuid), status=status)
|
||||
|
|
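Review bot: Every updated test derives its expected status from `api_user.has_perm('a2_rbac.manage_members_role', role)`, the same call the view makes, so the assertions still pass if that permission resolves for the wrong set of users. The behaviour this commit changes is who may edit role membership, and nothing visible here pins it with a fixed expectation. I would add one case where the API user holds only `a2_rbac.change_role` on the role and one where it holds only `a2_rbac.manage_members_role`, each with a hard-coded status rather than one computed from `has_perm`. Whether `change_role` is meant to imply `manage_members_role` is not visible from this page, so the expected status for the first case needs confirming against the permission model.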