api: upgrade change_role permission to manage_members (#50889)

This commit is contained in:
Nicolas Roche 2021-03-22 11:30:53 +01:00
parent 9be334320d
commit 852655fb95
2 changed files with 17 additions and 17 deletions


@ -888,10 +888,10 @@ class RoleMembershipAPI(ExceptionHandlerMixin, APIView):
self.role = get_object_or_404(Role, uuid=kwargs['role_uuid'])
self.member = get_object_or_404(User, uuid=kwargs['member_uuid'])
perm = 'a2_rbac.change_role'
perm = 'a2_rbac.manage_members_role'
authorized = request.user.has_perm(perm, obj=self.role)
if not authorized:
raise PermissionDenied(u'User not allowed to change role')
raise PermissionDenied(u'User not allowed to manage role members')
def post(self, request, *args, **kwargs):
self.role.members.add(self.member)
@ -920,10 +920,10 @@ class RoleMembershipsAPI(ExceptionHandlerMixin, APIView):
self.role = get_object_or_404(Role, uuid=kwargs['role_uuid'])
self.members = []
perm = 'a2_rbac.change_role'
perm = 'a2_rbac.manage_members_role'
authorized = request.user.has_perm(perm, obj=self.role)
if not authorized:
raise PermissionDenied(u'User not allowed to change role')
raise PermissionDenied(u'User not allowed to manage role members')
if not isinstance(request.data, dict):
raise ValidationError(_('Payload must be a dictionary'))
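Review bot: In the first hunk the member lookup `self.member = get_object_or_404(User, uuid=kwargs['member_uuid'])` still runs before `request.user.has_perm(perm, obj=self.role)`, so a caller who lacks `manage_members_role` on the role gets 404 for an unknown member uuid and 403 for a known one, which leaks user existence to unauthorized callers; the test hunk below (`if member.username == 'fake' or role.name == 'fake': status = 404`) pins that ordering. The role lookup has to stay first because the permission check needs `self.role`, but the member lookup can move below the `raise PermissionDenied(...)` line, with the test's 404 branch then conditioned on authorization. The enclosing method starts outside the hunk, so there may be further lookups before it that I cannot see. Separately, the literal `'a2_rbac.manage_members_role'` is now repeated in both views (this hunk and the RoleMembershipsAPI hunk) and again in every test; a single module-level name such as `MANAGE_MEMBERS_PERM = 'a2_rbac.manage_members_role'` would keep the two views from drifting apart on a future permission change.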


@ -680,7 +680,7 @@ def test_api_users_create_force_password_reset(app, client, settings, superuser)
def test_api_role_add_member(app, api_user, role, member):
app.authorization = ('Basic', (api_user.username, api_user.username))
authorized = api_user.has_perm('a2_rbac.change_role', role)
authorized = api_user.has_perm('a2_rbac.manage_members_role', role)
if member.username == 'fake' or role.name == 'fake':
status = 404
@ -697,7 +697,7 @@ def test_api_role_add_member(app, api_user, role, member):
assert resp.json['detail'] == 'User successfully added to role'
else:
assert resp.json['result'] == 0
assert resp.json['errors'] == 'User not allowed to change role'
assert resp.json['errors'] == 'User not allowed to manage role members'
def test_api_role_remove_member(app, api_user, role, member):
@ -721,13 +721,13 @@ def test_api_role_remove_member(app, api_user, role, member):
assert resp.json['detail'] == 'User successfully removed from role'
else:
assert resp.json['result'] == 0
assert resp.json['errors'] == 'User not allowed to change role'
assert resp.json['errors'] == 'User not allowed to manage role members'
def test_api_role_add_members(app, api_user, role, member, member_rando2):
app.authorization = ('Basic', (api_user.username, api_user.username))
authorized = api_user.has_perm('a2_rbac.change_role', role)
authorized = api_user.has_perm('a2_rbac.manage_members_role', role)
if role.name == 'fake':
status = 404
@ -756,13 +756,13 @@ def test_api_role_add_members(app, api_user, role, member, member_rando2):
assert m in role.members.all()
else:
assert resp.json['result'] == 0
assert resp.json['errors'] == 'User not allowed to change role'
assert resp.json['errors'] == 'User not allowed to manage role members'
def test_api_role_remove_members(app, api_user, role, member, member_rando2):
app.authorization = ('Basic', (api_user.username, api_user.username))
authorized = api_user.has_perm('a2_rbac.change_role', role)
authorized = api_user.has_perm('a2_rbac.manage_members_role', role)
if role.name == 'fake':
status = 404
@ -791,13 +791,13 @@ def test_api_role_remove_members(app, api_user, role, member, member_rando2):
assert m not in role.members.all()
else:
assert resp.json['result'] == 0
assert resp.json['errors'] == 'User not allowed to change role'
assert resp.json['errors'] == 'User not allowed to manage role members'
def test_api_role_set_members(app, api_user, role, member, member_rando2):
app.authorization = ('Basic', (api_user.username, api_user.username))
authorized = api_user.has_perm('a2_rbac.change_role', role)
authorized = api_user.has_perm('a2_rbac.manage_members_role', role)
if role.name == 'fake':
status = 404
@ -827,7 +827,7 @@ def test_api_role_set_members(app, api_user, role, member, member_rando2):
assert m in role.members.all()
else:
assert resp.json['result'] == 0
assert resp.json['errors'] == 'User not allowed to change role'
assert resp.json['errors'] == 'User not allowed to manage role members'
def test_api_role_set_empty_members(app, api_user):
@ -843,13 +843,13 @@ def test_api_role_set_empty_members(app, api_user):
role.members.add(user)
status = 200
if not api_user.has_perm('a2_rbac.change_role', role):
if not api_user.has_perm('a2_rbac.manage_members_role', role):
status = 403
resp = app.put_json(
'/api/roles/{}/relationships/members/'.format(role.uuid), params={'data': []}, status=status
)
if api_user.has_perm('a2_rbac.change_role', role):
if api_user.has_perm('a2_rbac.manage_members_role', role):
assert len(role.members.all()) == 0
else:
assert len(role.members.all()) == 1
@ -857,7 +857,7 @@ def test_api_role_set_empty_members(app, api_user):
def test_api_role_get_members(app, api_user, role):
app.authorization = ('Basic', (api_user.username, api_user.username))
authorized = api_user.has_perm('a2_rbac.change_role', role)
authorized = api_user.has_perm('a2_rbac.manage_members_role', role)
status = 405 if authorized else 403
app.get('/api/roles/{}/relationships/members/'.format(role.uuid), status=status)
@ -865,7 +865,7 @@ def test_api_role_get_members(app, api_user, role):
def test_api_role_members_payload_missing(app, api_user, role):
app.authorization = ('Basic', (api_user.username, api_user.username))
authorized = api_user.has_perm('a2_rbac.change_role', role)
authorized = api_user.has_perm('a2_rbac.manage_members_role', role)
status = 400 if authorized else 403
app.post_json('/api/roles/{}/relationships/members/'.format(role.uuid), status=status)
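Review bot: Every test in this section derives its expected status from `api_user.has_perm('a2_rbac.manage_members_role', role)`, the same call the view now makes, so the suite cannot tell whether the view checks `manage_members_role` or still checks `change_role` unless some `api_user` fixture holds exactly one of the two permissions. I cannot see the fixtures from this hunk, so this may already be covered, but if it is not, a test that grants `change_role` without `manage_members_role` and asserts 403 (and the converse asserting success) would pin the permission the commit is changing. That is the assertion that distinguishes a tightened check from a renamed one.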