diff --git a/cotisations/acl.py b/cotisations/acl.py index 1928bca3..091d2c26 100644 --- a/cotisations/acl.py +++ b/cotisations/acl.py @@ -35,5 +35,5 @@ def can_view(user): A couple (allowed, msg) where allowed is a boolean which is True if viewing is granted and msg is a message (can be None). """ - can = user.has_perms(('cableur',)) + can = user.has_perm('cotisation.view_app_cotisation') return can, None if can else "Vous ne pouvez pas voir cette application." diff --git a/logs/views.py b/logs/views.py index b2d36d2b..850790da 100644 --- a/logs/views.py +++ b/logs/views.py @@ -50,7 +50,6 @@ from reversion.models import Version, ContentType from users.models import ( User, ServiceUser, - Right, School, ListRight, ListShell, @@ -325,7 +324,6 @@ def stats_models(request): 'clubs': [Club.PRETTY_NAME, Club.objects.count()], 'serviceuser': [ServiceUser.PRETTY_NAME, ServiceUser.objects.count()], - 'right': [Right.PRETTY_NAME, Right.objects.count()], 'school': [School.PRETTY_NAME, School.objects.count()], 'listright': [ListRight.PRETTY_NAME, ListRight.objects.count()], 'listshell': [ListShell.PRETTY_NAME, ListShell.objects.count()], diff --git a/re2o/templatetags/acl.py b/re2o/templatetags/acl.py index c59e8bc7..4c2ea15d 100644 --- a/re2o/templatetags/acl.py +++ b/re2o/templatetags/acl.py @@ -130,7 +130,6 @@ MODEL_NAME = { 'Adherent' : users.models.Adherent, 'Club' : users.models.Club, 'ServiceUser' : users.models.ServiceUser, - 'Right' : users.models.Right, 'School' : users.models.School, 'ListRight' : users.models.ListRight, 'Ban' : users.models.Ban, diff --git a/users/admin.py b/users/admin.py index 488bf7bc..f8acb855 100644 --- a/users/admin.py +++ b/users/admin.py @@ -32,7 +32,7 @@ from django.contrib.auth.models import Group from django.contrib.auth.admin import UserAdmin as BaseUserAdmin from reversion.admin import VersionAdmin -from .models import User, ServiceUser, School, Right, ListRight, ListShell +from .models import User, ServiceUser, School, ListRight, ListShell from .models import Ban, Whitelist, Request, LdapUser, LdapServiceUser from .models import LdapServiceUserGroup, LdapUserGroup from .forms import UserChangeForm, UserCreationForm @@ -86,7 +86,7 @@ class SchoolAdmin(VersionAdmin): class ListRightAdmin(VersionAdmin): """Gestion de la liste des droits existants Ne permet pas l'edition du gid (primarykey pour ldap)""" - list_display = ('listright',) + list_display = ('unix_name',) class ListShellAdmin(VersionAdmin): @@ -94,11 +94,6 @@ class ListShellAdmin(VersionAdmin): pass -class RightAdmin(VersionAdmin): - """Gestion de la liste des droits affectés""" - pass - - class RequestAdmin(admin.ModelAdmin): """Gestion des request objet, ticket pour lien de reinit mot de passe""" list_display = ('user', 'type', 'created_at', 'expires_at') @@ -206,7 +201,6 @@ admin.site.register(LdapUserGroup, LdapUserGroupAdmin) admin.site.register(LdapServiceUser, LdapServiceUserAdmin) admin.site.register(LdapServiceUserGroup, LdapServiceUserGroupAdmin) admin.site.register(School, SchoolAdmin) -admin.site.register(Right, RightAdmin) admin.site.register(ListRight, ListRightAdmin) admin.site.register(ListShell, ListShellAdmin) admin.site.register(Ban, BanAdmin) diff --git a/users/forms.py b/users/forms.py index 82d36d90..31331051 100644 --- a/users/forms.py +++ b/users/forms.py @@ -40,7 +40,7 @@ from django.core.validators import MinLengthValidator from django.utils import timezone from preferences.models import OptionalUser -from .models import User, ServiceUser, Right, School, ListRight, Whitelist +from .models import User, ServiceUser, School, ListRight, Whitelist from .models import Ban, Adherent, Club from re2o.utils import remove_user_room @@ -426,12 +426,12 @@ class ListRightForm(ModelForm): Ne peremet pas d'editer le gid, car il sert de primary key""" class Meta: model = ListRight - fields = ['listright', 'details'] + fields = ['name', 'unix_name', 'permissions', 'details'] def __init__(self, *args, **kwargs): prefix = kwargs.pop('prefix', self.Meta.model.__name__) super(ListRightForm, self).__init__(*args, prefix=prefix, **kwargs) - self.fields['listright'].label = 'Nom du droit/groupe' + self.fields['unix_name'].label = 'Nom du droit/groupe' class NewListRightForm(ListRightForm): @@ -457,9 +457,9 @@ class DelListRightForm(Form): instances = kwargs.pop('instances', None) super(DelListRightForm, self).__init__(*args, **kwargs) if instances: - self.fields['listrights'].queryset = instances + self.fields['unix_name'].queryset = instances else: - self.fields['listrights'].queryset = ListRight.objects.all() + self.fields['unix_name'].queryset = ListRight.objects.all() class DelSchoolForm(Form): @@ -479,32 +479,6 @@ class DelSchoolForm(Form): self.fields['schools'].queryset = School.objects.all() -class RightForm(ModelForm): - """Assignation d'un droit à un user""" - def __init__(self, *args, **kwargs): - prefix = kwargs.pop('prefix', self.Meta.model.__name__) - super(RightForm, self).__init__(*args, prefix=prefix, **kwargs) - self.fields['right'].label = 'Droit' - self.fields['right'].empty_label = "Choisir un nouveau droit" - - class Meta: - model = Right - fields = ['right'] - - -class DelRightForm(Form): - """Suppression d'un droit d'un user""" - rights = forms.ModelMultipleChoiceField( - queryset=Right.objects.select_related('user'), - widget=forms.CheckboxSelectMultiple - ) - - def __init__(self, right, *args, **kwargs): - super(DelRightForm, self).__init__(*args, **kwargs) - self.fields['rights'].queryset = Right.objects.select_related('user')\ - .select_related('right').filter(right=right) - - class BanForm(ModelForm): """Creation, edition d'un objet bannissement""" def __init__(self, *args, **kwargs): diff --git a/users/migrations/0062_auto_20171231_0056.py b/users/migrations/0062_auto_20171231_0056.py new file mode 100644 index 00000000..2eaedb50 --- /dev/null +++ b/users/migrations/0062_auto_20171231_0056.py @@ -0,0 +1,45 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.7 on 2017-12-30 23:56 +from __future__ import unicode_literals + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('auth', '0008_alter_user_username_max_length'), + ('users', '0061_auto_20171230_2033'), + ] + + def create_groups(apps, schema_editor): + group = apps.get_model("auth", "Group") + listrights = apps.get_model("users", "ListRight") + db_alias = schema_editor.connection.alias + for gr in listrights.objects.using(db_alias).all(): + grp = group() + grp.name=gr.unix_name + grp.save() + gr.group_ptr=grp + gr.save() + + def delete_groups(apps, schema_editor): + group = apps.get_model("auth", "Group") + db_alias = schema_editor.connection.alias + group.objects.using(db_alias).all().delete() + + operations = [ + migrations.RenameField( + model_name='listright', + old_name='listright', + new_name='unix_name', + ), + migrations.AddField( + model_name='listright', + name='group_ptr', + field=models.OneToOneField(blank=True, null=True, auto_created=True, on_delete=django.db.models.deletion.CASCADE, serialize=False, to='auth.Group'), + preserve_default=False, + ), + migrations.RunPython(create_groups, delete_groups), + ] diff --git a/users/migrations/0063_auto_20171231_0140.py b/users/migrations/0063_auto_20171231_0140.py new file mode 100644 index 00000000..56762014 --- /dev/null +++ b/users/migrations/0063_auto_20171231_0140.py @@ -0,0 +1,29 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.7 on 2017-12-31 00:40 +from __future__ import unicode_literals + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('users', '0062_auto_20171231_0056'), + ] + + def transfer_right(apps, schema_editor): + rights = apps.get_model("users", "Right") + db_alias = schema_editor.connection.alias + for rg in rights.objects.using(db_alias).all(): + group = rg.right + u=rg.user + u.groups.add(group.group_ptr) + u.save() + + def untransfer_right(apps, schema_editor): + return + + operations = [ + migrations.RunPython(transfer_right, untransfer_right), + ] diff --git a/users/migrations/0064_auto_20171231_0150.py b/users/migrations/0064_auto_20171231_0150.py new file mode 100644 index 00000000..a08561eb --- /dev/null +++ b/users/migrations/0064_auto_20171231_0150.py @@ -0,0 +1,41 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.7 on 2017-12-31 00:50 +from __future__ import unicode_literals + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('users', '0063_auto_20171231_0140'), + ] + + operations = [ + migrations.AlterUniqueTogether( + name='right', + unique_together=set([]), + ), + migrations.RemoveField( + model_name='right', + name='right', + ), + migrations.RemoveField( + model_name='right', + name='user', + ), + migrations.DeleteModel( + name='Right', + ), + migrations.RemoveField( + model_name='listright', + name='id', + ), + migrations.AlterField( + model_name='listright', + name='group_ptr', + field=models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='auth.Group'), + ), + + ] diff --git a/users/models.py b/users/models.py index 32326e5a..254c6a26 100644 --- a/users/models.py +++ b/users/models.py @@ -63,7 +63,8 @@ from django.utils import timezone from django.contrib.auth.models import ( AbstractBaseUser, BaseUserManager, - PermissionsMixin + PermissionsMixin, + Group ) from django.core.validators import RegexValidator @@ -128,18 +129,6 @@ def get_fresh_gid(): return min(free_gids) -def get_admin_right(): - """ Renvoie l'instance droit admin. La crée si elle n'existe pas - Lui attribue un gid libre""" - try: - admin_right = ListRight.objects.get(listright="admin") - except ListRight.DoesNotExist: - admin_right = ListRight(listright="admin") - admin_right.gid = get_fresh_gid() - admin_right.save() - return admin_right - - class UserManager(BaseUserManager): """User manager basique de django""" def _create_user( @@ -163,9 +152,9 @@ class UserManager(BaseUserManager): ) user.set_password(password) - user.save(using=self._db) if su: - user.make_admin() + user.is_superuser=True + user.save(using=self._db) return user def create_user(self, pseudo, surname, email, password=None): @@ -479,23 +468,6 @@ class User(FieldPermissionModelMixin, AbstractBaseUser, PermissionsMixin): self.assign_ips() self.state = User.STATE_ACTIVE - def has_module_perms(self, app_label): - """True, a toutes les permissions de module""" - return True - - def make_admin(self): - """ Make User admin """ - user_admin_right = Right(user=self, right=get_admin_right()) - user_admin_right.save() - - def un_admin(self): - """Supprime les droits admin d'un user""" - try: - user_right = Right.objects.get(user=self, right=get_admin_right()) - except Right.DoesNotExist: - return - user_right.delete() - def ldap_sync(self, base=True, access_refresh=True, mac_refresh=True, group_refresh=False): """ Synchronisation du ldap. Synchronise dans le ldap les attributs de self @@ -538,8 +510,9 @@ class User(FieldPermissionModelMixin, AbstractBaseUser, PermissionsMixin): machine__user=self ).values_list('mac_address', flat=True).distinct()] if group_refresh: - for right in Right.objects.filter(user=self): - right.right.ldap_sync() + for group in self.groups.all(): + if hasattr(group, 'listright'): + group.listright.ldap_sync() user_ldap.save() def ldap_del(self): @@ -1032,88 +1005,6 @@ def service_user_post_delete(sender, **kwargs): service_user.ldap_del() -class Right(models.Model): - """ Couple droit/user. Peut-être aurait-on mieux fait ici d'utiliser un - manytomany - Ceci dit le résultat aurait été le même avec une table intermediaire""" - PRETTY_NAME = "Droits affectés à des users" - - user = models.ForeignKey('User', on_delete=models.PROTECT) - right = models.ForeignKey('ListRight', on_delete=models.PROTECT) - - class Meta: - unique_together = ("user", "right") - - def get_instance(rightid, *args, **kwargs): - return Right.objects.get(pk=rightid) - - def can_create(user_request, *args, **kwargs): - """Check if an user can create a Right object. - - :param user_request: The user who wants to create an object. - :return: a message and a boolean which is True if the user can create. - """ - return user_request.has_perms(('bureau',)), u"Vous n'avez pas le droit de\ - créer des droits" - - def can_edit(self, user_request, *args, **kwargs): - """Check if an user can edit a Right object. - - :param self: The Right which is to be edited. - :param user_request: The user who requests to edit self. - :return: a message and a boolean which is True if edition is granted. - """ - return user_request.has_perms(('bureau',)), u"Vous n'avez pas le droit\ - d'éditer des droits." - - def can_delete(self, user_request, *args, **kwargs): - """Check if an user can delete a Right object. - - :param self: The Right which is to be deleted. - :param user_request: The user who requests deletion. - :return: True if deletion is granted, and a message. - """ - return user_request.has_perms(('bureau',)), u"Vous n'avez pas le droit de\ - supprimer des droits" - - def can_view_all(user_request, *args, **kwargs): - """Check if an user can access to the list of every Right objects - - :param user_request: The user who wants to view the list. - :return: True if the user can view the list and an explanation message. - """ - return user_request.has_perms(('cableur',)), u"Vous ne pouvez pas voir\ - la liste des droits." - - def can_view(self, user_request, *args, **kwargs): - """Check if an user can view a Right object. - - :param self: The targeted Right. - :param user_request: The user who ask for viewing the target. - :return: A boolean telling if the acces is granted and an explanation - text - """ - return user_request.has_perms(('cableur',)), u"Vous ne pouvez pas voir\ - ce droit." - - def __str__(self): - return str(self.user) - - -@receiver(post_save, sender=Right) -def right_post_save(sender, **kwargs): - """ Synchronise les users ldap groups avec les groupes de droits""" - right = kwargs['instance'].right - right.ldap_sync() - - -@receiver(post_delete, sender=Right) -def right_post_delete(sender, **kwargs): - """ Supprime l'user du groupe""" - right = kwargs['instance'].right - right.ldap_sync() - - class School(models.Model): """ Etablissement d'enseignement""" PRETTY_NAME = "Etablissements enregistrés" @@ -1176,7 +1067,7 @@ class School(models.Model): return self.name -class ListRight(models.Model): +class ListRight(Group): """ Ensemble des droits existants. Chaque droit crée un groupe ldap synchronisé, avec gid. Permet de gérer facilement les accès serveurs et autres @@ -1184,7 +1075,7 @@ class ListRight(models.Model): il n'est plus modifiable après creation""" PRETTY_NAME = "Liste des droits existants" - listright = models.CharField( + unix_name = models.CharField( max_length=255, unique=True, validators=[RegexValidator( @@ -1253,7 +1144,7 @@ class ListRight(models.Model): de voir les groupes de droits" def __str__(self): - return self.listright + return self.name def ldap_sync(self): """Sychronise les groups ldap avec le model listright coté django""" diff --git a/users/templates/users/aff_listright.html b/users/templates/users/aff_listright.html index 90d71bfe..2ca41e09 100644 --- a/users/templates/users/aff_listright.html +++ b/users/templates/users/aff_listright.html @@ -27,6 +27,8 @@ with this program; if not, write to the Free Software Foundation, Inc.,