diff --git a/acs/acs_administration_views.py b/acs/acs_administration_views.py index f084108..323c76b 100644 --- a/acs/acs_administration_views.py +++ b/acs/acs_administration_views.py @@ -37,7 +37,8 @@ from decorators import prevent_access_to_not_policy_root_administrators from models import UserAlias, Role, AcsObject, View, Action, Activity, \ Namespace, AcsPermission -from forms import AddRoleForm, AddViewForm, RoleChangeForm, ViewChangeForm +from forms import AddRoleForm, AddViewForm, RoleChangeForm, ViewChangeForm, \ + AdminViewChangeForm from views import return_add_any, return_list_any, return_mod_any, \ return_add_permission_form @@ -178,9 +179,6 @@ def add_admin_role(request): if form.is_valid(): role = form.save() logger.debug('add_admin_role: admin role %s created' %role) - role.namespace = Namespace.objects.get(name='Default') - role.save() - logger.debug('add_admin_role: Namespace changed: %s' %role) policy.admin_roles.add(role) logger.debug('add_admin_role: role added to %s' \ %policy.admin_roles) @@ -189,10 +187,7 @@ def add_admin_role(request): %policy.admin_view) messages.add_message(request, messages.INFO, _('Administration role %s added') %role) - else: - messages.add_message(request, messages.ERROR, - _('Invalid form. Role not created.')) - return HttpResponseRedirect('mod_policy?id=' + str(policy.id)) + return HttpResponseRedirect('mod_policy?id=' + str(policy.id)) else: form = AddRoleForm() title = _('Add a new administration role in %s' %policy) @@ -212,9 +207,6 @@ def add_admin_view(request): if form.is_valid(): view = form.save() logger.debug('add_admin_view: admin view %s created' %view) - view.namespace = Namespace.objects.get(name='Default') - view.save() - logger.debug('add_admin_view: Namespace changed: %s' %view) policy.admin_views.add(view) logger.debug('add_admin_role: view added to %s' \ %policy.admin_views) 
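Review bot: With `role.namespace = Namespace.objects.get(name='Default')` and the following `role.save()` deleted after `role = form.save()` in add_admin_role, the namespace of a new administration role now depends entirely on what AddRoleForm.save() assigns, and that method is outside this diff; the add_admin_view hunk below drops the same two lines after `view = form.save()`. If the form assigns the policy's namespace instead of Default, the old invariant that administration roles and views live in the Default namespace is silently gone, which is worth stating because mod_admin_role and mod_admin_view stop checking it in this same commit. A one-line comment at the call site, `# namespace is assigned by AddRoleForm.save(); admin roles are no longer pinned to Default`, would record that intent. After these removals the `Namespace` name in the models import may be unused in this module; the rest of add_admin_role lies outside the hunk, so confirm before dropping it.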
@@ -223,10 +215,7 @@ def add_admin_view(request): %policy.admin_view) messages.add_message(request, messages.INFO, _('Administration view %s added') %view) - else: - messages.add_message(request, messages.ERROR, - _('Invalid form. View not created.')) - return HttpResponseRedirect('mod_policy?id=' + str(policy.id)) + return HttpResponseRedirect('mod_policy?id=' + str(policy.id)) else: form = AddViewForm() title = _('Add a new administration view in %s' %policy) @@ -341,11 +330,6 @@ def mod_admin_role(request): form.fields["roles"].queryset = policy.admin_roles.all() if form.is_valid(): - if form.cleaned_data['namespace'] \ - != Namespace.objects.get(name='Default'): - messages.add_message(request, messages.ERROR, - _('%s must stay in the Default policy') %role) - return HttpResponseRedirect('/list_admin_roles') '''Processing users modifications''' users_registered = [] users_new = [] @@ -384,11 +368,6 @@ def mod_admin_role(request): form.save() messages.add_message(request, messages.INFO, _('Role %s modified') %role) - else: - logger.error('mod_admin_role: form error in %s' %form) - messages.add_message(request, messages.ERROR, - _('Invalid form for %s') %role) - return HttpResponseRedirect('/list_admin_roles') else: messages.add_message(request, messages.ERROR, @@ -449,7 +428,7 @@ def mod_admin_view(request): messages.add_message(request, messages.ERROR, _('%s is not an administration view of %s') %(view, policy)) return HttpResponseRedirect('/list_admin_roles') - form = ViewChangeForm(instance=view) + form = AdminViewChangeForm(instance=view) form.fields["users"].queryset = \ UserAlias.objects.filter(namespace=policy.namespace) form.fields["roles"].queryset = \ 
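Review bot: The `return HttpResponseRedirect('/list_admin_roles')` that followed the `form.is_valid()` block in mod_admin_role is deleted together with the else branch, but unlike add_admin_role in this commit it is not re-added inside the valid branch, so a successful `form.save()` now falls through to whatever follows the hunk; the mod_admin_view hunk at `@@ -605` drops `return HttpResponseRedirect('/list_admin_views')` the same way. If the code after the hunk re-renders the template, the success path loses its post/redirect/get behaviour and a browser refresh re-submits the modification. Keeping `return HttpResponseRedirect('/list_admin_roles')` directly after the INFO message (and `'/list_admin_views'` in mod_admin_view) restores it while the invalid path still re-renders the bound form with its errors. mod_admin_role continues past the end of the hunk, so the fall-through target is not visible here.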
@@ -484,7 +463,7 @@ def mod_admin_view(request): _('%s is not an administration view of %s') %(view, policy)) return HttpResponseRedirect('/list_admin_roles') - form = ViewChangeForm(request.POST, instance=view) + form = AdminViewChangeForm(request.POST, instance=view) form.fields["users"].queryset = \ UserAlias.objects.filter(namespace=policy.namespace) form.fields["roles"].queryset = \ @@ -496,11 +475,6 @@ def mod_admin_view(request): Activity.objects.filter(namespace=policy.namespace) if form.is_valid(): - if form.cleaned_data['namespace'] \ - != Namespace.objects.get(name='Default'): - messages.add_message(request, messages.ERROR, - _('%s must stay in the Default policy') %view) - return HttpResponseRedirect('/list_admin_roles') '''Processing users modifications''' users_registered = [] users_new = [] @@ -605,11 +579,6 @@ def mod_admin_view(request): form.save() messages.add_message(request, messages.INFO, _('View %s modified') %view) - else: - logger.error('mod_admin_view: form error in %s' %form) - messages.add_message(request, messages.ERROR, - _('Invalid form for %s') %view) - return HttpResponseRedirect('/list_admin_views') else: messages.add_message(request, messages.ERROR, diff --git a/acs/forms.py b/acs/forms.py index b2cdd5e..b3732bf 100644 --- a/acs/forms.py +++ b/acs/forms.py @@ -16,6 +16,7 @@ You should have received a copy of the GNU Affero General Public License along with this program. If not, see . ''' +import logging from django import forms from django.utils.translation import ugettext_lazy as _ @@ -23,10 +24,12 @@ from django.forms.widgets import CheckboxSelectMultiple from django.contrib.auth.models import User from registration.forms import RegistrationForm -from models import Action, Activity, AcsObject, Role, View +from models import Action, Activity, AcsObject, Role, View, Namespace from abac.models import Source, LdapSource +logger = logging.getLogger('acs') + attrs_dict = {'class': 'required'} 
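Review bot: Switching to `AdminViewChangeForm(request.POST, instance=view)` makes users, roles, actions, activities, acs_objects and views all editable through this POST, and a ModelMultipleChoiceField accepts any primary key present in its queryset, so each of those fields needs its queryset narrowed to the policy the way `users` and `roles` are in the lines shown. The hunk shows the restriction for users and roles and the next hunk shows `Activity.objects.filter(namespace=policy.namespace)`; whether acs_objects, views and actions are restricted the same way lies between the hunks and should be checked, since an unrestricted queryset lets a submitted form attach objects from another namespace to this administration view. A comment above the assignments, `# every M2M field must be scoped to policy.namespace; the form accepts any PK in its queryset`, keeps the requirement visible when the next field is added to the form. mod_admin_view continues outside the hunk.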
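Review bot: `Namespace` is added to the models import and `logger = logging.getLogger('acs')` is defined at module level, yet no added line in this diff references either name. If the rest of forms.py does not use them, both are dead, and the `import logging` from the previous hunk with them; drop them or keep only what a later change actually uses.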
@@ -111,14 +114,14 @@ class AddRoleForm(forms.ModelForm): model = Role fields = ("name",) - def clean_name(self): - name = self.cleaned_data["name"] + def validate_unique(self): + exclude = self._get_validation_exclusions() + exclude.remove('namespace') # allow checking against the missing attribute + try: - Role.objects.get(name=name) - except Role.DoesNotExist: - return name - raise forms.ValidationError(\ - _("A role with that name already exists.")) + self.instance.validate_unique(exclude=exclude) + except forms.ValidationError, e: + self._update_errors(e.message_dict) def save(self, commit=True): role = super(AddRoleForm, self).save(commit=False) @@ -139,16 +142,16 @@ class AddObjectForm(forms.ModelForm): class Meta: model = AcsObject - fields = ("name",) + fields = ("name", "regex",) -# def clean_name(self): -# name = self.cleaned_data["name"] -# try: -# AcsObject.objects.get(name=name) -# except AcsObject.DoesNotExist: -# return name -# raise forms.ValidationError(\ -# _("An object with that name already exists.")) + def validate_unique(self): + exclude = self._get_validation_exclusions() + exclude.remove('namespace') # allow checking against the missing attribute + + try: + self.instance.validate_unique(exclude=exclude) + except forms.ValidationError, e: + self._update_errors(e.message_dict) def save(self, commit=True): acs_object = super(AddObjectForm, self).save(commit=False) 
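Review bot: The new `validate_unique` in AddRoleForm only checks `(name, namespace)` if `self.instance.namespace` is already set when `is_valid()` runs, because Django's model unique checks skip a unique_together lookup whose values include None; the hunk shows `AddRoleForm.save()` working on `super(AddRoleForm, self).save(commit=False)`, which is after validation (its body continues outside the hunk). If the views build the form without a pre-populated instance such as `instance=Role(namespace=...)`, the removed global `clean_name` check is replaced by no form-level check at all, and a duplicate name surfaces as an IntegrityError from the database constraint instead of a field error. The same applies to AddObjectForm below and to AddViewForm, AddActionForm and AddActivityForm in the following hunks; the *ChangeForm classes are not affected because their instance is loaded from the database. Either pass a pre-populated instance from each view or document the requirement on every override, e.g. `# instance.namespace must be set before is_valid(); unique checks skip None values`.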
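Review bot: Adding `"regex"` to `fields` in `AddObjectForm.Meta` makes the pattern user-supplied, and nothing in the hunk checks that it compiles, so a malformed pattern is accepted here and only fails wherever AcsObject.regex is later matched; a pathological pattern is also a denial-of-service concern for that matching code. A `clean_regex` that compiles the value and raises `forms.ValidationError` on `re.error` catches the first case at form level (it needs `import re` at the top of forms.py). How AcsObject.regex is matched is outside this diff, so confirm that before deciding whether a length limit or other restriction is also warranted.
```python
    def clean_regex(self):
        """Reject patterns that do not compile, so bad input fails here rather than at match time."""
        value = self.cleaned_data["regex"]
        if value:
            try:
                re.compile(value)
            except re.error, e:
                raise forms.ValidationError(_("Invalid regular expression: %s") % e)
        return value
```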
@@ -170,14 +173,15 @@ class AddViewForm(forms.ModelForm): model = View fields = ("name",) - def clean_name(self): - name = self.cleaned_data["name"] + def validate_unique(self): + exclude = self._get_validation_exclusions() + exclude.remove('namespace') # allow checking against the missing attribute + try: - View.objects.get(name=name) - except View.DoesNotExist: - return name - raise forms.ValidationError(\ - _("A view with that name already exists.")) + self.instance.validate_unique(exclude=exclude) + except forms.ValidationError, e: + self._update_errors(e.message_dict) + def save(self, commit=True): view = super(AddViewForm, self).save(commit=False) @@ -199,14 +203,15 @@ class AddActionForm(forms.ModelForm): model = Action fields = ("name",) - def clean_name(self): - name = self.cleaned_data["name"] + def validate_unique(self): + exclude = self._get_validation_exclusions() + exclude.remove('namespace') # allow checking against the missing attribute + try: - Action.objects.get(name=name) - except Action.DoesNotExist: - return name - raise forms.ValidationError(\ - _("An action with that name already exists.")) + self.instance.validate_unique(exclude=exclude) + except forms.ValidationError, e: + self._update_errors(e.message_dict) + def save(self, commit=True): action = super(AddActionForm, self).save(commit=False) 
@@ -228,14 +233,15 @@ class AddActivityForm(forms.ModelForm): model = Activity fields = ("name",) - def clean_name(self): - name = self.cleaned_data["name"] + def validate_unique(self): + exclude = self._get_validation_exclusions() + exclude.remove('namespace') # allow checking against the missing attribute + try: - Activity.objects.get(name=name) - except Activity.DoesNotExist: - return name - raise forms.ValidationError(\ - _("An activity with that name already exists.")) + self.instance.validate_unique(exclude=exclude) + except forms.ValidationError, e: + self._update_errors(e.message_dict) + def save(self, commit=True): activity = super(AddActivityForm, self).save(commit=False) 
@@ -244,6 +250,121 @@ class AddActivityForm(forms.ModelForm): return activity +class RoleChangeForm(forms.ModelForm): + name = forms.RegexField(label=_("name"), + max_length=30, regex=r'^[\w.@+-]+$', + help_text = \ + _("30 characters or fewer. Letters, digits and @/./+/-/_ only."), + error_messages = \ + {'invalid': _("This value may contain only letters, \ + numbers and @/./+/-/_ characters.")}) + + def __init__(self, *args, **kwargs): + super(RoleChangeForm, self).__init__(*args, **kwargs) + self.fields["users"].widget = CheckboxSelectMultiple() + self.fields["users"].help_text = None + self.fields["roles"].widget = CheckboxSelectMultiple() + self.fields["roles"].help_text = None + + class Meta: + model = Role + fields = ("name", "users", "roles") + + def validate_unique(self): + exclude = self._get_validation_exclusions() + exclude.remove('namespace') # allow checking against the missing attribute + + try: + self.instance.validate_unique(exclude=exclude) + except forms.ValidationError, e: + self._update_errors(e.message_dict) + + +class ViewChangeForm(forms.ModelForm): + + def __init__(self, *args, **kwargs): + super(ViewChangeForm, self).__init__(*args, **kwargs) + self.fields["acs_objects"].widget = CheckboxSelectMultiple() + self.fields["acs_objects"].help_text = None + self.fields["views"].widget = CheckboxSelectMultiple() + self.fields["views"].help_text = None + + class Meta: + model = View + fields = ("name", "acs_objects", "views") + + def validate_unique(self): + exclude = self._get_validation_exclusions() + exclude.remove('namespace') # allow checking against the missing attribute + + try: + self.instance.validate_unique(exclude=exclude) + except forms.ValidationError, e: + self._update_errors(e.message_dict) + + +class AdminViewChangeForm(forms.ModelForm): + + def __init__(self, *args, **kwargs): + super(AdminViewChangeForm, self).__init__(*args, **kwargs) + self.fields["acs_objects"].widget = CheckboxSelectMultiple() + 
self.fields["acs_objects"].help_text = None + self.fields["views"].widget = CheckboxSelectMultiple() + self.fields["views"].help_text = None + self.fields["users"].widget = CheckboxSelectMultiple() + self.fields["users"].help_text = None + self.fields["roles"].widget = CheckboxSelectMultiple() + self.fields["roles"].help_text = None + self.fields["actions"].widget = CheckboxSelectMultiple() + self.fields["actions"].help_text = None + self.fields["activities"].widget = CheckboxSelectMultiple() + self.fields["activities"].help_text = None + + class Meta: + model = View + fields = ("name", "acs_objects", "views", "users", "roles", + "actions", "activities") + + def validate_unique(self): + exclude = self._get_validation_exclusions() + exclude.remove('namespace') # allow checking against the missing attribute + + try: + self.instance.validate_unique(exclude=exclude) + except forms.ValidationError, e: + self._update_errors(e.message_dict) + + def save(self, *args, **kwargs): + super(AdminViewChangeForm, self).save(*args, **kwargs) + self.instance.users = self.cleaned_data.get('users') + if len(args) > 0 and isinstance(args[0], User): + self.instance.users.add(args[0]) + self.instance.save() + + +class ActivityChangeForm(forms.ModelForm): + + def __init__(self, *args, **kwargs): + super(ActivityChangeForm, self).__init__(*args, **kwargs) + self.fields["actions"].widget = CheckboxSelectMultiple() + self.fields["actions"].help_text = None + self.fields["activities"].widget = CheckboxSelectMultiple() + self.fields["activities"].help_text = None + + class Meta: + model = Activity + fields = ("name", "actions", "activities") + + def validate_unique(self): + exclude = self._get_validation_exclusions() + exclude.remove('namespace') # allow checking against the missing attribute + + try: + self.instance.validate_unique(exclude=exclude) + except forms.ValidationError, e: + self._update_errors(e.message_dict) + + class AddSourceForm(forms.ModelForm): name = 
forms.RegexField(label=_("name"), max_length=30, regex=r'^[\w.@+-]+$', @@ -257,15 +378,6 @@ class AddSourceForm(forms.ModelForm): model = Source fields = ("name",) - def clean_name(self): - name = self.cleaned_data["name"] - try: - Source.objects.get(name=name) - except Source.DoesNotExist: - return name - raise forms.ValidationError(\ - _("A source with that name already exists.")) - def save(self, commit=True): source = super(AddSourceForm, self).save(commit=False) if commit: 
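Review bot: `AdminViewChangeForm.save` returns nothing, whereas `ModelForm.save` returns the saved instance, so a caller written as `view = form.save()` receives None; add `return self.instance` as its last line. The override also treats the first positional argument as a User (`isinstance(args[0], User)`) although that position is `commit` in ModelForm.save, and it calls `self.instance.save()` unconditionally so `commit=False` is not honoured; this is moved verbatim from the old ViewChangeForm, but since the class is new it is the place to add a docstring describing the optional User argument and stating that the instance is always saved. RoleChangeForm declares a validated `name` RegexField while ViewChangeForm, AdminViewChangeForm and ActivityChangeForm expose the model's plain `name`, which is inconsistent across sibling forms in the same hunk.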
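Review bot: AddSourceForm loses its `clean_name` uniqueness check in this hunk and, unlike the other Add*Form classes in this commit, gets no `validate_unique` override in its place. Unless Source.name carries a model-level uniqueness constraint (Source comes from abac.models, outside this diff), duplicate source names are now accepted without any error. Either restore a form-level check or note next to the class why uniqueness is enforced elsewhere, e.g. `# name uniqueness is enforced by the Source model`; AddSourceForm.save continues outside the hunk.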
@@ -327,69 +439,3 @@ _("Provide a user account if it is necessary to authenticate for binding."), if commit: source.save() return source - - -class RoleChangeForm(forms.ModelForm): - - def __init__(self, *args, **kwargs): - super(RoleChangeForm, self).__init__(*args, **kwargs) - self.fields["users"].widget = CheckboxSelectMultiple() - self.fields["users"].help_text = None - self.fields["roles"].widget = CheckboxSelectMultiple() - self.fields["roles"].help_text = None - - class Meta: - model = Role - - -class AcsObjectChangeForm(forms.ModelForm): - - class Meta: - model = AcsObject - - -class ViewChangeForm(forms.ModelForm): - - def __init__(self, *args, **kwargs): - super(ViewChangeForm, self).__init__(*args, **kwargs) - self.fields["acs_objects"].widget = CheckboxSelectMultiple() - self.fields["acs_objects"].help_text = None - self.fields["views"].widget = CheckboxSelectMultiple() - self.fields["views"].help_text = None - self.fields["users"].widget = CheckboxSelectMultiple() - self.fields["users"].help_text = None - self.fields["roles"].widget = CheckboxSelectMultiple() - self.fields["roles"].help_text = None - self.fields["actions"].widget = CheckboxSelectMultiple() - self.fields["actions"].help_text = None - self.fields["activities"].widget = CheckboxSelectMultiple() - self.fields["activities"].help_text = None - - class Meta: - model = View - - def save(self, *args, **kwargs): - super(ViewChangeForm, self).save(*args, **kwargs) - self.instance.users = self.cleaned_data.get('users') - if len(args) > 0 and isinstance(args[0], User): - self.instance.users.add(args[0]) - self.instance.save() - - -class ActionChangeForm(forms.ModelForm): - - class Meta: - model = Action - - -class ActivityChangeForm(forms.ModelForm): - - def __init__(self, *args, **kwargs): - super(ActivityChangeForm, self).__init__(*args, **kwargs) - self.fields["actions"].widget = CheckboxSelectMultiple() - self.fields["actions"].help_text = None - self.fields["activities"].widget = 
CheckboxSelectMultiple() - self.fields["activities"].help_text = None - - class Meta: - model = Activity diff --git a/acs/main_views.py b/acs/main_views.py index 62bc87c..8704a03 100644 --- a/acs/main_views.py +++ b/acs/main_views.py @@ -165,8 +165,8 @@ def index(request): 'add_abac_ldap_source': "Add a LDAP source of attributes"} sources = Source.objects.all() if sources: - list_power_services['Generic user management']['list_abac_sources'] = \ - 'Modify a source of attributes' + list_power_services['Generic user management']\ + ['list_abac_sources'] = 'Modify a source of attributes' if policies or sources: list_user_mgmt_services['list_users_for_aliases'] = \ 'Manage user aliases or \ @@ -200,11 +200,14 @@ def index(request): tpl_parameters['exploitation_services'] = list_exploitation_services tpl_parameters['username'] = request.user.username if is_root_administrator(request.user): - tpl_parameters['special_role'] = _('You are a root administrator of A.C.S.') + tpl_parameters['special_role'] = \ + _('You are a root administrator of A.C.S.') elif is_user_administrator(request.user): - tpl_parameters['special_role'] = _('You are a user administrator of A.C.S.') + tpl_parameters['special_role'] = \ + _('You are a user administrator of A.C.S.') elif is_abac_administrator(request.user): - tpl_parameters['special_role'] = _('You are an abac administrator of A.C.S.') + tpl_parameters['special_role'] = \ + _('You are an abac administrator of A.C.S.') return render_to_response('index.html', tpl_parameters, context_instance=RequestContext(request)) @@ -341,7 +344,6 @@ def mod_policy(request): '''Not just a self admin''' list_user_services = {} - list_abac_services = {} list_object_services = {} list_action_services = {} list_services = {} 
@@ -358,8 +360,8 @@ def mod_policy(request): list_user_services['all_users_self_admin'] = \ "All users in this policy are set self administrators" list_user_services['add_role'] = "Add a role" - list_other_services['graph?type_graph=whole_policy'] = \ - "Display the whole policy" +# list_other_services['graph?type_graph=whole_policy'] = \ +# "Display the whole policy" if at_least_one_role_to_admin(request.user, policy): list_user_services['list_roles'] = "Modify or delete a role" @@ -369,7 +371,7 @@ def mod_policy(request): list_object_services['add_view'] = "Add a view" if at_least_one_object_to_admin(request.user, policy): list_object_services['list_objects'] = \ - "Rename or delete an object" + "Modify or delete an object" if at_least_one_view_to_admin(request.user, policy): list_object_services['list_views'] = "Modify or delete a view" @@ -472,13 +474,17 @@ def mod_policy(request): else: l = [] if is_policy_user_administrator(request.user, policy): - l.append(_('User and Roles administrator of this policy.')) + l.append(\ + _('User and Roles administrator of this policy.')) if is_policy_abac_administrator(request.user, policy): - l.append(_('ABAC administrator of this policy.')) + l.append(\ + _('ABAC administrator of this policy.')) if is_policy_object_creator(request.user, policy): - l.append(_('Objects and Views administrator of this policy.')) + l.append(\ + _('Objects and Views administrator of this policy.')) if is_policy_action_creator(request.user, policy): - l.append(_('Actions and Activities administrator of this policy.')) + l.append(\ + _('Actions and Activities administrator of this policy.')) if l: tpl_parameters['special_roles'] = l diff --git a/acs/models.py b/acs/models.py index 2bd41a7..c9fa4a7 100644 --- a/acs/models.py +++ b/acs/models.py @@ -48,6 +48,7 @@ class UserAlias(models.Model): class Meta: verbose_name = _('alias') verbose_name_plural = _('aliases') + unique_together = ("alias", "namespace") def __unicode__(self): if self.user: 
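Review bot: The two lines `# list_other_services['graph?type_graph=whole_policy'] = \` and `# "Display the whole policy"` in mod_policy replace live code with commented-out code. If the whole-policy graph entry is meant to go, delete the lines outright (version control keeps them); if it is only temporarily disabled, a comment above the spot saying why and until when reads far better than dead code. mod_policy continues outside the hunk.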
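Review bot: `unique_together = ("alias", "namespace")` on UserAlias adds a database-level constraint, which needs a schema migration with whatever migration tooling the project uses and will fail to apply if existing rows already hold duplicate (alias, namespace) pairs; nothing in the diff adds the migration or a data clean-up. The `(("name", "namespace"))` to `("name", "namespace")` edits in the later models.py hunks are cosmetic, since the extra parentheses never produced a nested tuple. A short comment next to the new line, `# enforced at the DB level; requires a schema migration`, would flag the deployment step.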
@@ -71,7 +72,7 @@ class Role(models.Model): class Meta: verbose_name = _('role') verbose_name_plural = _('roles') - unique_together = (("name", "namespace")) + unique_together = ("name", "namespace") def __unicode__(self): return '%s in %s' %(self.name, self.namespace.name) @@ -86,7 +87,7 @@ class Action(models.Model): class Meta: verbose_name = _('action') verbose_name_plural = _('actions') - unique_together = (("name", "namespace")) + unique_together = ("name", "namespace") def __unicode__(self): return '%s in %s' %(self.name, self.namespace.name) @@ -106,7 +107,7 @@ class Activity(models.Model): class Meta: verbose_name = _('activity') verbose_name_plural = _('activities') - unique_together = (("name", "namespace")) + unique_together = ("name", "namespace") def __unicode__(self): return '%s in %s' %(self.name, self.namespace.name) @@ -131,7 +132,7 @@ class AcsObject(models.Model): class Meta: verbose_name = _('object') verbose_name_plural = _('objects') - unique_together = (("name", "namespace")) + unique_together = ("name", "namespace") def __unicode__(self): if self.regex: @@ -166,7 +167,7 @@ class View(models.Model): class Meta: verbose_name = _('view') verbose_name_plural = _('views') - unique_together = (("name", "namespace")) + unique_together = ("name", "namespace") def __unicode__(self): return '%s in %s' %(self.name, self.namespace.name) diff --git a/acs/templates/add_alias_only.html b/acs/templates/add_alias_only.html index 80d8f59..f69c087 100644 --- a/acs/templates/add_alias_only.html +++ b/acs/templates/add_alias_only.html @@ -21,6 +21,7 @@

{% trans "Alias" %}:

+
diff --git a/acs/templates/list_abac_permissions.html b/acs/templates/list_abac_permissions.html index a936ada..227e694 100644 --- a/acs/templates/list_abac_permissions.html +++ b/acs/templates/list_abac_permissions.html @@ -21,7 +21,7 @@ {% if list_any %}