authenticators: fix permission checking when editing related objects (#77366) #69
|
@ -270,7 +270,9 @@ order = AuthenticatorsOrderView.as_view()
|
|||
|
||||
|
||||
class AuthenticatorRelatedObjectMixin(MediaMixin, TitleMixin, PermissionMixin):
|
||||
permissions = ['authenticators.search_baseauthenticator']
|
||||
permissions = ['authenticators.admin_baseauthenticator']
|
||||
permission_model = BaseAuthenticator
|
||||
permission_pk_url_kwarg = 'authenticator_pk'
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
self.authenticator = get_object_or_404(
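Review bot: The object-level check introduced here is keyed on `permission_pk_url_kwarg = 'authenticator_pk'` against `permission_model = BaseAuthenticator`, so it only establishes that the caller may administer the authenticator named in the URL; whether the related object (the mapping or action pk in the same URL) actually belongs to that authenticator is left to `dispatch`, whose body continues outside the hunk, and if that lookup is not filtered by `authenticator=self.authenticator` a request mixing ids from two authenticators would pass the permission check. A short comment on the class would make the intent explicit, e.g. `# Related objects change the authenticator's behaviour, so editing them requires admin (not merely search) permission on the authenticator, checked against the authenticator_pk URL kwarg.` If admin roles are granted on the concrete subclass rather than on BaseAuthenticator, confirm that the permission lookup resolves through the base model as intended; the accompanying test exercises only the 'Manager of authenticators' role.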
|
||||
|
|
|
@ -393,6 +393,29 @@ def test_authenticators_oidc_import_errors(app, superuser, simple_role):
|
|||
assert escape("Role not found: {'slug': 'xxx'}.") in resp.text
|
||||
|
||||
|
||||
def test_authenticators_oidc_related_objects_permissions(app, simple_user, simple_role):
|
||||
authenticator = OIDCProvider.objects.create(slug='idp1', order=42, ou=get_default_ou(), enabled=True)
|
||||
authenticator.save()
|
||||
mapping = OIDCClaimMapping.objects.create(authenticator=authenticator, claim='test', attribute='hop')
|
||||
action = AddRoleAction.objects.create(authenticator=authenticator, role=simple_role)
|
||||
simple_user.roles.add(simple_role.get_admin_role()) # grant user access to /manage/
|
||||
|
||||
role = Role.objects.get(name='Manager of authenticators')
|
||||
|
||||
login(app, simple_user, path='/')
|
||||
app.get(authenticator.get_absolute_url(), status=403)
|
||||
app.get(f'/manage/authenticators/{authenticator.pk}/oidcclaimmapping/{mapping.pk}/edit/', status=403)
|
||||
app.get(f'/manage/authenticators/{authenticator.pk}/addroleaction/{action.pk}/delete/', status=403)
|
||||
app.get(f'/manage/authenticators/{authenticator.pk}/addroleaction/add/', status=403)
|
||||
|
||||
simple_user.roles.add(role)
|
||||
|
||||
app.get(authenticator.get_absolute_url())
|
||||
app.get(f'/manage/authenticators/{authenticator.pk}/oidcclaimmapping/{mapping.pk}/edit/')
|
||||
app.get(f'/manage/authenticators/{authenticator.pk}/addroleaction/{action.pk}/delete/')
|
||||
app.get(f'/manage/authenticators/{authenticator.pk}/addroleaction/add/')
|
||||
|
||||
|
||||
def test_authenticators_fc(app, superuser):
|
||||
resp = login(app, superuser, path='/manage/authenticators/')
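Review bot: The new test only varies whether simple_user holds the 'Manager of authenticators' role; it never requests a URL whose related-object id belongs to a different authenticator, which is the case an `authenticator_pk`-keyed permission check cannot catch on its own. Consider creating a second OIDCProvider with its own OIDCClaimMapping and, with the role granted, asserting `app.get(f'/manage/authenticators/{authenticator.pk}/oidcclaimmapping/{other_mapping.pk}/edit/', status=404)` (or 403, whichever the view is meant to return) so the ownership check is pinned. The `authenticator.save()` call immediately after `OIDCProvider.objects.create(...)` is redundant, since `create()` already persists the row, and can be dropped. `test_authenticators_fc` continues outside the hunk.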
|
||||
|
||||
|
|