authenticators: fix permission checking when editing related objects (#77366) #69

Merged
bdauvergne merged 1 commits from wip/77366-edition-claims-oidc into main 2023-06-12 14:39:31 +02:00
2 changed files with 26 additions and 1 deletions


@ -270,7 +270,9 @@ order = AuthenticatorsOrderView.as_view()
class AuthenticatorRelatedObjectMixin(MediaMixin, TitleMixin, PermissionMixin):
permissions = ['authenticators.search_baseauthenticator']
permissions = ['authenticators.admin_baseauthenticator']
permission_model = BaseAuthenticator
permission_pk_url_kwarg = 'authenticator_pk'
def dispatch(self, request, *args, **kwargs):
self.authenticator = get_object_or_404(
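Review bot: The permission is presumably now resolved against the parent BaseAuthenticator named by `authenticator_pk` (via `permission_model`/`permission_pk_url_kwarg`), but nothing in the hunk ties the related object whose pk also appears in the URL (the claim mapping or role action) to `self.authenticator`; if the edit/delete views fetch that object by pk alone, the check only proves admin rights on whichever authenticator the URL prefix names, not on the object actually being modified. The `dispatch` body and the related-object lookup continue past the end of the hunk, so this is an assumption to confirm there; if it holds, scope the lookup with `get_object_or_404(Model, pk=..., authenticator=self.authenticator)` or an equivalent `.filter(authenticator=self.authenticator)` on the queryset. A one-line comment on the mixin would also make the intent explicit for the next reader, e.g. `# Permission is checked against the parent authenticator (authenticator_pk), not the related object itself.`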


@ -393,6 +393,29 @@ def test_authenticators_oidc_import_errors(app, superuser, simple_role):
assert escape("Role not found: {'slug': 'xxx'}.") in resp.text
def test_authenticators_oidc_related_objects_permissions(app, simple_user, simple_role):
authenticator = OIDCProvider.objects.create(slug='idp1', order=42, ou=get_default_ou(), enabled=True)
authenticator.save()
mapping = OIDCClaimMapping.objects.create(authenticator=authenticator, claim='test', attribute='hop')
action = AddRoleAction.objects.create(authenticator=authenticator, role=simple_role)
simple_user.roles.add(simple_role.get_admin_role()) # grant user access to /manage/
role = Role.objects.get(name='Manager of authenticators')
login(app, simple_user, path='/')
app.get(authenticator.get_absolute_url(), status=403)
app.get(f'/manage/authenticators/{authenticator.pk}/oidcclaimmapping/{mapping.pk}/edit/', status=403)
app.get(f'/manage/authenticators/{authenticator.pk}/addroleaction/{action.pk}/delete/', status=403)
app.get(f'/manage/authenticators/{authenticator.pk}/addroleaction/add/', status=403)
simple_user.roles.add(role)
app.get(authenticator.get_absolute_url())
app.get(f'/manage/authenticators/{authenticator.pk}/oidcclaimmapping/{mapping.pk}/edit/')
app.get(f'/manage/authenticators/{authenticator.pk}/addroleaction/{action.pk}/delete/')
app.get(f'/manage/authenticators/{authenticator.pk}/addroleaction/add/')
def test_authenticators_fc(app, superuser):
resp = login(app, superuser, path='/manage/authenticators/')
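Review bot: `authenticator.save()` on the line after `OIDCProvider.objects.create(...)` is redundant, since `create()` already persists the row; drop it. The new test also only exercises the global 'Manager of authenticators' role: it never asserts that a mapping or action belonging to a different authenticator is rejected when reached under this authenticator's URL prefix, which is the cross-object case that a permission check keyed on `authenticator_pk` alone does not cover — a second `OIDCProvider` with its own `OIDCClaimMapping` and one `app.get(f'/manage/authenticators/{authenticator.pk}/oidcclaimmapping/{other_mapping.pk}/edit/', status=404)` (or 403, whichever the view returns) would pin that behaviour. `test_authenticators_fc` continues past the end of the hunk.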