account: don't display authorization management link unless services (#45635)

src/authentic2/views.py

@@ -506,13 +506,18 @@ class ProfileView(cbv.TemplateNamesMixin, TemplateView):
             'allow_account_deletion': app_settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT,
             'allow_profile_edit': EditProfile.can_edit_profile(),
             'allow_email_change': app_settings.A2_PROFILE_CAN_CHANGE_EMAIL,
-            'allow_authorization_management': (
-                app_settings.A2_PROFILE_CAN_MANAGE_SERVICE_AUTHORIZATIONS
-                and 'authentic2_idp_oidc' in settings.INSTALLED_APPS),
+            'allow_authorization_management': False,
             # TODO: deprecated should be removed when publik-base-theme is updated
             'allow_password_change': utils.user_can_change_password(request=request),
             'federation_management': federation_management,
         })
+
+        if ('authentic2_idp_oidc' in settings.INSTALLED_APPS and
+                app_settings.A2_PROFILE_CAN_MANAGE_SERVICE_AUTHORIZATIONS):
+            from authentic2_idp_oidc.models import OIDCClient
+            context['allow_authorization_management'] = OIDCClient.objects.filter(
+                    authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_SERVICE).exists()
+
         hooks.call_hooks('modify_context_data', self, context)
         return context
 

tests/test_profile.py

@@ -22,7 +22,9 @@ import pytest
 
 from django.urls import reverse
 
+from authentic2.a2_rbac.utils import get_default_ou
 from authentic2.models import Attribute
+from authentic2_idp_oidc.models import OIDCClient
 
 from . import utils
 
@@ -194,9 +196,23 @@ def test_account_edit_locked_title(app, simple_user):
     assert len(response.pyquery('input[type="text"][name="edit-profile-title@disabled"][readonly]')) == 1
 
 
-def test_acount_view(app, simple_user, settings):
+def test_account_view(app, simple_user, settings):
     utils.login(app, simple_user)
     url = reverse('account_management')
+    # no oidc client defined -> no authorization management
+    response = app.get(url, status=200)
+    assert [x['href'] for x in response.html.find('div', {'id': 'a2-profile'}).find_all('a')] == [
+        reverse('email-change'),
+        reverse('profile_edit'),
+        reverse('delete_account')
+    ]
+
+    # oidc client defined -> authorization management
+    client = OIDCClient.objects.create(
+        name='client',
+        slug='client',
+        ou=get_default_ou(),
+        redirect_uris='https://example.com/')
     response = app.get(url, status=200)
     assert [x['href'] for x in response.html.find('div', {'id': 'a2-profile'}).find_all('a')] == [
         reverse('email-change'),
@@ -205,6 +221,21 @@ def test_acount_view(app, simple_user, settings):
         reverse('delete_account')
     ]
 
+    # oidc client defined but no authorization mode -> no authorization management
+    client.authorization_mode = OIDCClient.AUTHORIZATION_MODE_NONE
+    client.save()
+    response = app.get(url, status=200)
+    assert [x['href'] for x in response.html.find('div', {'id': 'a2-profile'}).find_all('a')] == [
+        reverse('email-change'),
+        reverse('profile_edit'),
+        reverse('delete_account')
+    ]
+
+    # restore authorization mode
+    client.authorization_mode = OIDCClient.AUTHORIZATION_MODE_BY_SERVICE
+    client.save()
+
+    # disabled authentic2_idp_oidc app -> no authorization management
     settings.INSTALLED_APPS = tuple(x for x in settings.INSTALLED_APPS if x != 'authentic2_idp_oidc')
     url = reverse('account_management')
     response = app.get(url, status=200)
@@ -215,6 +246,7 @@ def test_acount_view(app, simple_user, settings):
     ]
     settings.INSTALLED_APPS += ('authentic2_idp_oidc',)
 
+    # more disabled options -> less actions
     settings.A2_PROFILE_CAN_CHANGE_EMAIL = False
     settings.A2_PROFILE_CAN_MANAGE_SERVICE_AUTHORIZATIONS = False
     settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT = False