a2_rbac: grant adequate scoped permissions to authn local admins (#78919) #81
|
@ -19,7 +19,8 @@ from django.utils.text import slugify
|
|||
from django.utils.translation import gettext
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
from authentic2.a2_rbac.models import OrganizationalUnit, Role
|
||||
from authentic2.a2_rbac.models import CHANGE_OP, OrganizationalUnit, Permission, Role
|
||||
from authentic2.a2_rbac.utils import get_operation
|
||||
from authentic2.utils.misc import get_fk_model
|
||||
|
||||
from . import app_settings, utils
|
||||
|
@ -56,6 +57,13 @@ def update_ou_admin_roles(ou):
|
|||
if info.get('must_view_user'):
|
||||
ou_ct_admin_role.permissions.add(utils.get_view_user_perm(ou))
|
||||
ou_ct_admin_role.permissions.add(utils.get_search_ou_perm(ou))
|
||||
if info.get('scoped_grants_global_change_perm'):
|
||||
ct_ct = ContentType.objects.get_for_model(ContentType)
|
||||
operation = get_operation(CHANGE_OP)
|
||||
perm, dummy = Permission.objects.get_or_create(
|
||||
operation=operation, target_ct=ct_ct, target_id=ct.id, ou__isnull=True
|
||||
)
|
||||
ou_ct_admin_role.permissions.add(perm)
|
||||
|
||||
|
||||
def update_ous_admin_roles():
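Review bot: The permission created at L53–L59 is looked up with `ou__isnull=True`, so it is a change permission on the content type with no OU restriction, and it is attached to the per-OU admin role; the effect is that a local admin of one OU can change objects of that content type in every OU, and nothing in the hunk records why the OU boundary is deliberately lifted. A comment above the `if` at L44 such as `# Not OU-scoped on purpose: the CHANGE permission on the content type itself applies to every OU` (with the actual reason filled in) would make the grant auditable; the same applies to the `'scoped_grants_global_change_perm': True` entry in MANAGED_CT below, which is the only place the flag is set and carries no explanation. Note also that the branch only adds: if the flag is later removed for a content type, roles that already hold the global permission keep it unless the role's permissions are cleared earlier in `update_ou_admin_roles`, which starts outside the hunk (where `ct` is defined as well).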
|
||||
|
@ -94,6 +102,7 @@ MANAGED_CT = {
|
|||
('authenticators', 'baseauthenticator'): {
|
||||
'name': _('Manager of authenticators'),
|
||||
'scoped_name': _('Authenticators - {ou}'),
|
||||
'scoped_grants_global_change_perm': True,
|
||||
|
||||
},
|
||||
('authentic2', 'apiclient'): {
|
||||
'name': _('Manager of API clients'),
|
||||
|
|
|
@ -137,6 +137,7 @@ class AuthenticatorDeleteView(AuthenticatorsMixin, DeleteView):
|
|||
template_name = 'authentic2/authenticators/authenticator_delete_form.html'
|
||||
title = _('Delete authenticator')
|
||||
success_url = reverse_lazy('a2-manager-authenticators')
|
||||
permissions = ['authenticators.delete_baseauthenticator']
|
||||
|
||||
def dispatch(self, *args, **kwargs):
|
||||
if self.get_object().protected:
|
||||
|
|
|
@ -61,6 +61,38 @@ def test_authenticators_authorization(app, simple_user, simple_role, admin, supe
|
|||
assert 'Authenticators' in resp.text
|
||||
|
||||
|
||||
def test_scoped_authenticator_local_admin_access(app, simple_user, ou1):
|
||||
authn_ou1 = Role.objects.get(slug='_a2-manager-of-authenticators-ou1')
|
||||
simple_user.roles.add(authn_ou1)
|
||||
simple_user.save()
|
||||
login(app, simple_user, path='/manage/')
|
||||
authn = OIDCProvider.objects.create(slug='idp2')
|
||||
|
||||
# access
|
||||
app.get(f'/manage/authenticators/{authn.pk}/detail/', status=200)
|
||||
|
||||
# modification
|
||||
resp = app.get(f'/manage/authenticators/{authn.pk}/edit/', status=200)
|
||||
resp.form['name'] = 'Some name'
|
||||
resp.form['slug'] = 'some-slug'
|
||||
resp.form['button_description'] = 'Some description'
|
||||
resp.form['button_label'] = 'Some label'
|
||||
resp.form['issuer'] = 'example.com'
|
||||
resp.form['client_id'] = 'abc'
|
||||
resp.form['client_secret'] = 'def'
|
||||
resp.form['authorization_endpoint'] = 'https://example.com/authz'
|
||||
resp.form['token_endpoint'] = 'https://example.com/token'
|
||||
resp.form['userinfo_endpoint'] = 'https://example.com/uinfo'
|
||||
resp.form['idtoken_algo'] = '2' # HMAC
|
||||
resp.form['strategy'] = 'find-email'
|
||||
resp.form.submit()
|
||||
resp = app.get(f'/manage/authenticators/{authn.pk}/edit/', status=200)
|
||||
assert 'Some description' in resp.text
|
||||
|
||||
# deletion not allowed by scoped admin
|
||||
app.get(f'/manage/authenticators/{authn.pk}/delete/', status=403)
|
||||
|
||||
|
||||
def test_authenticators_password(app, superuser_or_admin, settings):
|
||||
resp = login(app, superuser_or_admin, path='/manage/authenticators/')
|
||||
# Password authenticator already exists
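Review bot: The new test never exercises the OU boundary: the authenticator at L153 is created without an `ou`, so the ou1-scoped admin editing it demonstrates that the grant is global rather than scoped. If that is the intended consequence of `scoped_grants_global_change_perm`, state it in the `# modification` comment; otherwise add an authenticator attached to a different OU and assert the status you expect on its edit view, since the 403 at L222 only covers deletion. The result of `resp.form.submit()` at L208 is discarded, so a form re-rendered with validation errors would only be caught indirectly by the description assertion at L214; capturing the response and checking it redirects would pin the success path directly.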
|
||||
|
|
Ne pas aller dans cette direction comme le dit Valentin, plutôt retirer tous les rôles d'administration des authentificateurs par OU.