2023-12-21 11:55:37 +01:00
3 changed files with 43 additions and 1 deletions
--- a/src/authentic2/a2_rbac/management.py
+++ b/src/authentic2/a2_rbac/management.py
@ -19,7 +19,8 @@ from django.utils.text import slugify
 from django.utils.translation import gettext
 from django.utils.translation import gettext_lazy as _

-from authentic2.a2_rbac.models import OrganizationalUnit, Role
+from authentic2.a2_rbac.models import CHANGE_OP, OrganizationalUnit, Permission, Role
+from authentic2.a2_rbac.utils import get_operation
 from authentic2.utils.misc import get_fk_model

 from . import app_settings, utils
@ -56,6 +57,13 @@ def update_ou_admin_roles(ou):
        if info.get('must_view_user'):
            ou_ct_admin_role.permissions.add(utils.get_view_user_perm(ou))
        ou_ct_admin_role.permissions.add(utils.get_search_ou_perm(ou))
+        if info.get('scoped_grants_global_change_perm'):
+            ct_ct = ContentType.objects.get_for_model(ContentType)
+            operation = get_operation(CHANGE_OP)
+            perm, dummy = Permission.objects.get_or_create(
+                operation=operation, target_ct=ct_ct, target_id=ct.id, ou__isnull=True
+            )
+            ou_ct_admin_role.permissions.add(perm)


 def update_ous_admin_roles():
@ -94,6 +102,7 @@ MANAGED_CT = {
    ('authenticators', 'baseauthenticator'): {
        'name': _('Manager of authenticators'),
        'scoped_name': _('Authenticators - {ou}'),
+        'scoped_grants_global_change_perm': True,
    },
    ('authentic2', 'apiclient'): {
        'name': _('Manager of API clients'),
--- a/src/authentic2/apps/authenticators/views.py
+++ b/src/authentic2/apps/authenticators/views.py
@ -137,6 +137,7 @@ class AuthenticatorDeleteView(AuthenticatorsMixin, DeleteView):
    template_name = 'authentic2/authenticators/authenticator_delete_form.html'
    title = _('Delete authenticator')
    success_url = reverse_lazy('a2-manager-authenticators')
+    permissions = ['authenticators.delete_baseauthenticator']

    def dispatch(self, *args, **kwargs):
        if self.get_object().protected:
--- a/tests/test_manager_authenticators.py
+++ b/tests/test_manager_authenticators.py
@ -61,6 +61,38 @@ def test_authenticators_authorization(app, simple_user, simple_role, admin, supe
    assert 'Authenticators' in resp.text


+def test_scoped_authenticator_local_admin_access(app, simple_user, ou1):
+    authn_ou1 = Role.objects.get(slug='_a2-manager-of-authenticators-ou1')
+    simple_user.roles.add(authn_ou1)
+    simple_user.save()
+    login(app, simple_user, path='/manage/')
+    authn = OIDCProvider.objects.create(slug='idp2')
+
+    # access
+    app.get(f'/manage/authenticators/{authn.pk}/detail/', status=200)
+
+    # modification
+    resp = app.get(f'/manage/authenticators/{authn.pk}/edit/', status=200)
+    resp.form['name'] = 'Some name'
+    resp.form['slug'] = 'some-slug'
+    resp.form['button_description'] = 'Some description'
+    resp.form['button_label'] = 'Some label'
+    resp.form['issuer'] = 'example.com'
+    resp.form['client_id'] = 'abc'
+    resp.form['client_secret'] = 'def'
+    resp.form['authorization_endpoint'] = 'https://example.com/authz'
+    resp.form['token_endpoint'] = 'https://example.com/token'
+    resp.form['userinfo_endpoint'] = 'https://example.com/uinfo'
+    resp.form['idtoken_algo'] = '2'  # HMAC
+    resp.form['strategy'] = 'find-email'
+    resp.form.submit()
+    resp = app.get(f'/manage/authenticators/{authn.pk}/edit/', status=200)
+    assert 'Some description' in resp.text
+
+    # deletion not allowed by scoped admin
+    app.get(f'/manage/authenticators/{authn.pk}/delete/', status=403)
+
+
 def test_authenticators_password(app, superuser_or_admin, settings):
    resp = login(app, superuser_or_admin, path='/manage/authenticators/')
    # Password authenticator already exists