backoffice: simplify ADMIN_FOR_ALL behaviour (#6726)

There was a workaround against the admin-permissions settings, temporarily adding all roles to the user, this is no longer necessary and ADMIN_FOR_ALL is now back to really give all administrative rights to all users.
2015-05-01 10:50:39 +02:00 · 2015-05-01 10:50:39 +02:00 · 89285fc21b
parent cd60fdfb5b
commit 89285fc21b
5 changed files with 21 additions and 14 deletions
--- a/help/fr/settings-permissions.page
+++ b/help/fr/settings-permissions.page
@ -61,12 +61,6 @@
     <file>ADMIN_FOR_ALL</file>.
   </p>

-   <p>
-     Pour un utilisateur correctement authentifié et disposant d'un accès
-     administrateur, ce mode permet également d'ignorer les restrictions de
-     rôles définies dans la page <gui>Permissions d'administration</gui>.
-   </p>
-
 </section>

 </page>
--- a/tests/test_admin_pages.py
+++ b/tests/test_admin_pages.py
@ -51,6 +51,8 @@ def create_superuser():
    pub.cfg['identification'] = {'methods': ['password']}
    pub.write_cfg()

+    return user1
+
 def create_role():
    Role.wipe()
    role = Role(name='foobar')
@ -78,6 +80,23 @@ def test_admin_redirect():
    app = login(get_app(pub))
    assert app.get('/admin/whatever', status=302).location == 'http://example.net/backoffice/whatever'

+def test_admin_for_all():
+    user = create_superuser()
+    role = create_role()
+
+    try:
+        open(os.path.join(pub.app_dir, 'ADMIN_FOR_ALL'), 'w').close()
+        resp = get_app(pub).get('/backoffice/settings/', status=200)
+
+        pub.cfg['admin-permissions'] = {'settings': [role.id]}
+        pub.write_cfg()
+        resp = get_app(pub).get('/backoffice/settings/', status=200)
+    finally:
+        del pub.cfg['admin-permissions']
+        pub.write_cfg()
+        os.unlink(os.path.join(pub.app_dir, 'ADMIN_FOR_ALL'))
+        role.remove_self()
+
 def test_forms():
    app = login(get_app(pub))
    resp = app.get('/admin/forms/')
--- a/wcs/backoffice/root.py
+++ b/wcs/backoffice/root.py
@ -279,12 +279,6 @@ class RootDirectory(BackofficeRootDirectory):

        if os.path.exists(os.path.join(get_publisher().app_dir, 'ADMIN_FOR_ALL')):
            get_response().filter['admin_for_all'] = True
-            if req.user and req.user.is_admin:
-                # if the user had access to the admin, ADMIN_FOR_ALL was
-                # certainly added because something wrong happened when setting
-                # fine-grained access permissions with roles; so we give the
-                # user all possible roles.
-                req.user.roles = [x.id for x in Role.select()]
            return

        if get_publisher().user_class.count() > 0:
--- a/wcs/qommon/admin/menu.py
+++ b/wcs/qommon/admin/menu.py
@ -184,6 +184,8 @@ def is_accessible(key):
    if not get_request().user:
        if get_publisher().user_class.count() == 0:
            return key in ('settings', 'users')
+        if getattr(get_response(), 'filter', {}) and get_response().filter.get('admin_for_all'):
+            return True
        return False

    user_roles = set(get_request().user.roles or [])
--- a/wcs/qommon/backoffice/root.py
+++ b/wcs/qommon/backoffice/root.py
@ -60,8 +60,6 @@ class BackofficeRootDirectory(AccessControlled, Directory):
    def _q_access(self):
        get_response().breadcrumb.append( ('backoffice/', _('Back Office')) )

-        if os.path.exists(os.path.join(get_publisher().app_dir, 'ADMIN_FOR_ALL')):
-            return
        user = get_request().user
        if not user and get_publisher().user_class.count() > 0:
            raise errors.AccessUnauthorizedError(