backoffice: simplify ADMIN_FOR_ALL behaviour (#6726)
There was a workaround against the admin-permissions settings that temporarily added all roles to the user; this is no longer necessary, and ADMIN_FOR_ALL once again really gives all administrative rights to all users.
parent
cd60fdfb5b
commit
89285fc21b
|
@ -61,12 +61,6 @@
|
|||
<file>ADMIN_FOR_ALL</file>.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
Pour un utilisateur correctement authentifié et disposant d'un accès
|
||||
administrateur, ce mode permet également d'ignorer les restrictions de
|
||||
rôles définies dans la page <gui>Permissions d'administration</gui>.
|
||||
</p>
|
||||
|
||||
</section>
|
||||
|
||||
</page>
|
||||
|
|
|
@ -51,6 +51,8 @@ def create_superuser():
|
|||
pub.cfg['identification'] = {'methods': ['password']}
|
||||
pub.write_cfg()
|
||||
|
||||
return user1
|
||||
|
||||
def create_role():
|
||||
Role.wipe()
|
||||
role = Role(name='foobar')
|
||||
|
@ -78,6 +80,23 @@ def test_admin_redirect():
|
|||
app = login(get_app(pub))
|
||||
assert app.get('/admin/whatever', status=302).location == 'http://example.net/backoffice/whatever'
|
||||
|
||||
def test_admin_for_all():
|
||||
user = create_superuser()
|
||||
role = create_role()
|
||||
|
||||
try:
|
||||
open(os.path.join(pub.app_dir, 'ADMIN_FOR_ALL'), 'w').close()
|
||||
resp = get_app(pub).get('/backoffice/settings/', status=200)
|
||||
|
||||
pub.cfg['admin-permissions'] = {'settings': [role.id]}
|
||||
pub.write_cfg()
|
||||
resp = get_app(pub).get('/backoffice/settings/', status=200)
|
||||
finally:
|
||||
del pub.cfg['admin-permissions']
|
||||
pub.write_cfg()
|
||||
os.unlink(os.path.join(pub.app_dir, 'ADMIN_FOR_ALL'))
|
||||
role.remove_self()
|
||||
|
||||
def test_forms():
|
||||
app = login(get_app(pub))
|
||||
resp = app.get('/admin/forms/')
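Review bot: The `finally` block of `test_admin_for_all` can mask the real failure and leave the `ADMIN_FOR_ALL` flag file in place. If the first `get` fails before `pub.cfg['admin-permissions']` is assigned, `del pub.cfg['admin-permissions']` raises `KeyError` and the `os.unlink(...)` after it never runs, so later tests in the run would presumably execute with the access checks bypassed. Unlink the flag file first and make the config cleanup tolerant, e.g. `pub.cfg.pop('admin-permissions', None)`. The test also pins only the open case; asserting that the same anonymous request to `/backoffice/settings/` is refused once the file is removed would fix the boundary. The `user` returned by `create_superuser()` is not used in the visible lines.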
|
||||
|
|
|
@ -279,12 +279,6 @@ class RootDirectory(BackofficeRootDirectory):
|
|||
|
||||
if os.path.exists(os.path.join(get_publisher().app_dir, 'ADMIN_FOR_ALL')):
|
||||
get_response().filter['admin_for_all'] = True
|
||||
if req.user and req.user.is_admin:
|
||||
# if the user had access to the admin, ADMIN_FOR_ALL was
|
||||
# certainly added because something wrong happened when setting
|
||||
# fine-grained access permissions with roles; so we give the
|
||||
# user all possible roles.
|
||||
req.user.roles = [x.id for x in Role.select()]
|
||||
return
|
||||
|
||||
if get_publisher().user_class.count() > 0:
|
||||
|
|
|
@ -184,6 +184,8 @@ def is_accessible(key):
|
|||
if not get_request().user:
|
||||
if get_publisher().user_class.count() == 0:
|
||||
return key in ('settings', 'users')
|
||||
if getattr(get_response(), 'filter', {}) and get_response().filter.get('admin_for_all'):
|
||||
return True
|
||||
return False
|
||||
|
||||
user_roles = set(get_request().user.roles or [])
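Review bot: The new check in `is_accessible` reads `get_response().filter.get('admin_for_all')`, a flag that the visible code sets only as a side effect of `RootDirectory._q_access`, so the result depends on that method having run earlier in the same request. A small shared helper that tests for the `ADMIN_FOR_ALL` file directly would keep one source of truth. Failing that, add a comment such as `# flag set by RootDirectory._q_access when the ADMIN_FOR_ALL file exists; bypasses all admin-permissions checks`. The page has lost indentation, but the check is printed between `if not get_request().user:` and `return False`. If it is nested in that anonymous branch, an authenticated user would still go through the role comparison that starts at `user_roles = ...`, and the added test exercises only anonymous requests; please confirm this matches "all users" in the commit message. The function body continues outside the hunk.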
|
||||
|
|
|
@ -60,8 +60,6 @@ class BackofficeRootDirectory(AccessControlled, Directory):
|
|||
def _q_access(self):
|
||||
get_response().breadcrumb.append( ('backoffice/', _('Back Office')) )
|
||||
|
||||
if os.path.exists(os.path.join(get_publisher().app_dir, 'ADMIN_FOR_ALL')):
|
||||
return
|
||||
user = get_request().user
|
||||
if not user and get_publisher().user_class.count() > 0:
|
||||
raise errors.AccessUnauthorizedError(
|
||||
|
|