Suppression de right et utilisation du système django

cotisations/acl.py

@@ -35,5 +35,5 @@ def can_view(user):
         A couple (allowed, msg) where allowed is a boolean which is True if
         viewing is granted and msg is a message (can be None).
     """
-    can = user.has_perms(('cableur',))
+    can = user.has_perm('cotisation.view_app_cotisation')
     return can, None if can else "Vous ne pouvez pas voir cette application."

logs/views.py

@@ -50,7 +50,6 @@ from reversion.models import Version, ContentType
 from users.models import (
     User,
     ServiceUser,
-    Right,
     School,
     ListRight,
     ListShell,
@@ -325,7 +324,6 @@ def stats_models(request):
             'clubs': [Club.PRETTY_NAME, Club.objects.count()],
             'serviceuser': [ServiceUser.PRETTY_NAME,
                             ServiceUser.objects.count()],
-            'right': [Right.PRETTY_NAME, Right.objects.count()],
             'school': [School.PRETTY_NAME, School.objects.count()],
             'listright': [ListRight.PRETTY_NAME, ListRight.objects.count()],
             'listshell': [ListShell.PRETTY_NAME, ListShell.objects.count()],

re2o/templatetags/acl.py

@@ -130,7 +130,6 @@ MODEL_NAME = {
     'Adherent' : users.models.Adherent,
     'Club' : users.models.Club,
     'ServiceUser' : users.models.ServiceUser,
-    'Right' : users.models.Right,
     'School' : users.models.School,
     'ListRight' : users.models.ListRight,
     'Ban' : users.models.Ban,

users/admin.py

@@ -32,7 +32,7 @@ from django.contrib.auth.models import Group
 from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
 from reversion.admin import VersionAdmin
 
-from .models import User, ServiceUser, School, Right, ListRight, ListShell
+from .models import User, ServiceUser, School, ListRight, ListShell
 from .models import Ban, Whitelist, Request, LdapUser, LdapServiceUser
 from .models import LdapServiceUserGroup, LdapUserGroup
 from .forms import UserChangeForm, UserCreationForm
@@ -86,7 +86,7 @@ class SchoolAdmin(VersionAdmin):
 class ListRightAdmin(VersionAdmin):
     """Gestion de la liste des droits existants
     Ne permet pas l'edition du gid (primarykey pour ldap)"""
-    list_display = ('listright',)
+    list_display = ('unix_name',)
 
 
 class ListShellAdmin(VersionAdmin):
@@ -94,11 +94,6 @@ class ListShellAdmin(VersionAdmin):
     pass
 
 
-class RightAdmin(VersionAdmin):
-    """Gestion de la liste des droits affectés"""
-    pass
-
-
 class RequestAdmin(admin.ModelAdmin):
     """Gestion des request objet, ticket pour lien de reinit mot de passe"""
     list_display = ('user', 'type', 'created_at', 'expires_at')
@@ -206,7 +201,6 @@ admin.site.register(LdapUserGroup, LdapUserGroupAdmin)
 admin.site.register(LdapServiceUser, LdapServiceUserAdmin)
 admin.site.register(LdapServiceUserGroup, LdapServiceUserGroupAdmin)
 admin.site.register(School, SchoolAdmin)
-admin.site.register(Right, RightAdmin)
 admin.site.register(ListRight, ListRightAdmin)
 admin.site.register(ListShell, ListShellAdmin)
 admin.site.register(Ban, BanAdmin)

users/forms.py

@@ -40,7 +40,7 @@ from django.core.validators import MinLengthValidator
 from django.utils import timezone
 
 from preferences.models import OptionalUser
-from .models import User, ServiceUser, Right, School, ListRight, Whitelist
+from .models import User, ServiceUser, School, ListRight, Whitelist
 from .models import Ban, Adherent, Club
 from re2o.utils import remove_user_room
 
@@ -426,12 +426,12 @@ class ListRightForm(ModelForm):
     Ne peremet pas d'editer le gid, car il sert de primary key"""
     class Meta:
         model = ListRight
-        fields = ['listright', 'details']
+        fields = ['name', 'unix_name', 'permissions', 'details']
 
     def __init__(self, *args, **kwargs):
         prefix = kwargs.pop('prefix', self.Meta.model.__name__)
         super(ListRightForm, self).__init__(*args, prefix=prefix, **kwargs)
-        self.fields['listright'].label = 'Nom du droit/groupe'
+        self.fields['unix_name'].label = 'Nom du droit/groupe'
 
 
 class NewListRightForm(ListRightForm):
@@ -457,9 +457,9 @@ class DelListRightForm(Form):
         instances = kwargs.pop('instances', None)
         super(DelListRightForm, self).__init__(*args, **kwargs)
         if instances:
-            self.fields['listrights'].queryset = instances
+            self.fields['unix_name'].queryset = instances
         else:
-            self.fields['listrights'].queryset = ListRight.objects.all()
+            self.fields['unix_name'].queryset = ListRight.objects.all()
 
 
 class DelSchoolForm(Form):
@@ -479,32 +479,6 @@ class DelSchoolForm(Form):
             self.fields['schools'].queryset = School.objects.all()
 
 
-class RightForm(ModelForm):
-    """Assignation d'un droit à un user"""
-    def __init__(self, *args, **kwargs):
-        prefix = kwargs.pop('prefix', self.Meta.model.__name__)
-        super(RightForm, self).__init__(*args, prefix=prefix, **kwargs)
-        self.fields['right'].label = 'Droit'
-        self.fields['right'].empty_label = "Choisir un nouveau droit"
-
-    class Meta:
-        model = Right
-        fields = ['right']
-
-
-class DelRightForm(Form):
-    """Suppression d'un droit d'un user"""
-    rights = forms.ModelMultipleChoiceField(
-        queryset=Right.objects.select_related('user'),
-        widget=forms.CheckboxSelectMultiple
-    )
-
-    def __init__(self, right, *args, **kwargs):
-        super(DelRightForm, self).__init__(*args, **kwargs)
-        self.fields['rights'].queryset = Right.objects.select_related('user')\
-        .select_related('right').filter(right=right)
-
-
 class BanForm(ModelForm):
     """Creation, edition d'un objet bannissement"""
     def __init__(self, *args, **kwargs):

users/migrations/0062_auto_20171231_0056.py

@@ -0,0 +1,45 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.10.7 on 2017-12-30 23:56
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('auth', '0008_alter_user_username_max_length'),
+        ('users', '0061_auto_20171230_2033'),
+    ]
+
+    def create_groups(apps, schema_editor):
+        group = apps.get_model("auth", "Group")
+        listrights = apps.get_model("users", "ListRight")
+        db_alias = schema_editor.connection.alias
+        for gr in listrights.objects.using(db_alias).all():
+            grp = group()
+            grp.name=gr.unix_name
+            grp.save()
+            gr.group_ptr=grp
+            gr.save()
+
+    def delete_groups(apps, schema_editor):
+        group = apps.get_model("auth", "Group")
+        db_alias = schema_editor.connection.alias 
+        group.objects.using(db_alias).all().delete()
+
+    operations = [
+        migrations.RenameField(
+            model_name='listright',
+            old_name='listright',
+            new_name='unix_name',
+        ),
+        migrations.AddField(
+            model_name='listright',
+            name='group_ptr',
+            field=models.OneToOneField(blank=True, null=True, auto_created=True, on_delete=django.db.models.deletion.CASCADE, serialize=False, to='auth.Group'),
+            preserve_default=False,
+        ),
+        migrations.RunPython(create_groups, delete_groups),
+    ]

users/migrations/0063_auto_20171231_0140.py

@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.10.7 on 2017-12-31 00:40
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0062_auto_20171231_0056'),
+    ]
+
+    def transfer_right(apps, schema_editor):
+        rights = apps.get_model("users", "Right")
+        db_alias = schema_editor.connection.alias
+        for rg in rights.objects.using(db_alias).all():
+            group = rg.right
+            u=rg.user
+            u.groups.add(group.group_ptr)
+            u.save()
+
+    def untransfer_right(apps, schema_editor):
+        return
+
+    operations = [
+    migrations.RunPython(transfer_right, untransfer_right),
+    ]

users/migrations/0064_auto_20171231_0150.py

@@ -0,0 +1,41 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.10.7 on 2017-12-31 00:50
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0063_auto_20171231_0140'),
+    ]
+
+    operations = [
+        migrations.AlterUniqueTogether(
+            name='right',
+            unique_together=set([]),
+        ),
+        migrations.RemoveField(
+            model_name='right',
+            name='right',
+        ),
+        migrations.RemoveField(
+            model_name='right',
+            name='user',
+        ),
+        migrations.DeleteModel(
+            name='Right',
+        ),
+        migrations.RemoveField(
+            model_name='listright',
+            name='id',
+        ),
+        migrations.AlterField(
+            model_name='listright',
+            name='group_ptr',
+            field=models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='auth.Group'),
+        ),
+
+    ]

users/models.py

@@ -63,7 +63,8 @@ from django.utils import timezone
 from django.contrib.auth.models import (
     AbstractBaseUser,
     BaseUserManager,
-    PermissionsMixin
+    PermissionsMixin,
+    Group
 )
 from django.core.validators import RegexValidator
 
@@ -128,18 +129,6 @@ def get_fresh_gid():
     return min(free_gids)
 
 
-def get_admin_right():
-    """ Renvoie l'instance droit admin. La crée si elle n'existe pas
-    Lui attribue un gid libre"""
-    try:
-        admin_right = ListRight.objects.get(listright="admin")
-    except ListRight.DoesNotExist:
-        admin_right = ListRight(listright="admin")
-        admin_right.gid = get_fresh_gid()
-        admin_right.save()
-    return admin_right
-
-
 class UserManager(BaseUserManager):
     """User manager basique de django"""
     def _create_user(
@@ -163,9 +152,9 @@ class UserManager(BaseUserManager):
         )
 
         user.set_password(password)
-        user.save(using=self._db)
         if su:
-            user.make_admin()
+            user.is_superuser=True
+        user.save(using=self._db)    
         return user
 
     def create_user(self, pseudo, surname, email, password=None):
@@ -479,23 +468,6 @@ class User(FieldPermissionModelMixin, AbstractBaseUser, PermissionsMixin):
         self.assign_ips()
         self.state = User.STATE_ACTIVE
 
-    def has_module_perms(self, app_label):
-        """True, a toutes les permissions de module"""
-        return True
-
-    def make_admin(self):
-        """ Make User admin """
-        user_admin_right = Right(user=self, right=get_admin_right())
-        user_admin_right.save()
-
-    def un_admin(self):
-        """Supprime les droits admin d'un user"""
-        try:
-            user_right = Right.objects.get(user=self, right=get_admin_right())
-        except Right.DoesNotExist:
-            return
-        user_right.delete()
-
     def ldap_sync(self, base=True, access_refresh=True, mac_refresh=True, group_refresh=False):
         """ Synchronisation du ldap. Synchronise dans le ldap les attributs de
         self
@@ -538,8 +510,9 @@ class User(FieldPermissionModelMixin, AbstractBaseUser, PermissionsMixin):
                 machine__user=self
             ).values_list('mac_address', flat=True).distinct()]
         if group_refresh:
-            for right in Right.objects.filter(user=self):
-                right.right.ldap_sync()
+            for group in self.groups.all():
+                if hasattr(group, 'listright'):
+                    group.listright.ldap_sync()
         user_ldap.save()
 
     def ldap_del(self):
@@ -1032,88 +1005,6 @@ def service_user_post_delete(sender, **kwargs):
     service_user.ldap_del()
 
 
-class Right(models.Model):
-    """ Couple droit/user. Peut-être aurait-on mieux fait ici d'utiliser un
-    manytomany
-    Ceci dit le résultat aurait été le même avec une table intermediaire"""
-    PRETTY_NAME = "Droits affectés à des users"
-
-    user = models.ForeignKey('User', on_delete=models.PROTECT)
-    right = models.ForeignKey('ListRight', on_delete=models.PROTECT)
-
-    class Meta:
-        unique_together = ("user", "right")
-
-    def get_instance(rightid, *args, **kwargs):
-        return Right.objects.get(pk=rightid)
-
-    def can_create(user_request, *args, **kwargs):
-        """Check if an user can create a Right object.
-
-        :param user_request: The user who wants to create an object.
-        :return: a message and a boolean which is True if the user can create.
-        """
-        return user_request.has_perms(('bureau',)), u"Vous n'avez pas le droit de\
-            créer des droits"
-
-    def can_edit(self, user_request, *args, **kwargs):
-        """Check if an user can edit a Right object.
-
-        :param self: The Right which is to be edited.
-        :param user_request: The user who requests to edit self.
-        :return: a message and a boolean which is True if edition is granted.
-        """
-        return user_request.has_perms(('bureau',)), u"Vous n'avez pas le droit\
-                d'éditer des droits."
-
-    def can_delete(self, user_request, *args, **kwargs):
-        """Check if an user can delete a Right object.
-
-        :param self: The Right which is to be deleted.
-        :param user_request: The user who requests deletion.
-        :return: True if deletion is granted, and a message.
-        """
-        return user_request.has_perms(('bureau',)), u"Vous n'avez pas le droit de\
-            supprimer des droits"
-
-    def can_view_all(user_request, *args, **kwargs):
-        """Check if an user can access to the list of every Right objects
-
-        :param user_request: The user who wants to view the list.
-        :return: True if the user can view the list and an explanation message.
-        """
-        return user_request.has_perms(('cableur',)), u"Vous ne pouvez pas voir\
-                la liste des droits."
-
-    def can_view(self, user_request, *args, **kwargs):
-        """Check if an user can view a Right object.
-
-        :param self: The targeted Right.
-        :param user_request: The user who ask for viewing the target.
-        :return: A boolean telling if the acces is granted and an explanation
-        text
-        """
-        return user_request.has_perms(('cableur',)), u"Vous ne pouvez pas voir\
-                ce droit."
-
-    def __str__(self):
-        return str(self.user)
-
-
-@receiver(post_save, sender=Right)
-def right_post_save(sender, **kwargs):
-    """ Synchronise les users ldap groups avec les groupes de droits"""
-    right = kwargs['instance'].right
-    right.ldap_sync()
-
-
-@receiver(post_delete, sender=Right)
-def right_post_delete(sender, **kwargs):
-    """ Supprime l'user du groupe"""
-    right = kwargs['instance'].right
-    right.ldap_sync()
-
-
 class School(models.Model):
     """ Etablissement d'enseignement"""
     PRETTY_NAME = "Etablissements enregistrés"
@@ -1176,7 +1067,7 @@ class School(models.Model):
         return self.name
 
 
-class ListRight(models.Model):
+class ListRight(Group):
     """ Ensemble des droits existants. Chaque droit crée un groupe
     ldap synchronisé, avec gid.
     Permet de gérer facilement les accès serveurs et autres
@@ -1184,7 +1075,7 @@ class ListRight(models.Model):
     il n'est plus modifiable après creation"""
     PRETTY_NAME = "Liste des droits existants"
 
-    listright = models.CharField(
+    unix_name = models.CharField(
         max_length=255,
         unique=True,
         validators=[RegexValidator(
@@ -1253,7 +1144,7 @@ class ListRight(models.Model):
             de voir les groupes de droits"
 
     def __str__(self):
-        return self.listright
+        return self.name
 
     def ldap_sync(self):
         """Sychronise les groups ldap avec le model listright coté django"""

users/templates/users/aff_listright.html

@@ -27,6 +27,8 @@ with this program; if not, write to the Free Software Foundation, Inc.,
             <tr>
                 <th>Droit</th>
                 <th>Gid</th>
+                <th>Permissions</th>
+                <th>Users</th>
                 <th>Details</th>
 		<th></th>
                 <th></th>
@@ -34,8 +36,10 @@ with this program; if not, write to the Free Software Foundation, Inc.,
         </thead>
         {% for listright in listright_list %}
         <tr>
-            <td>{{ listright.listright }}</td>
+            <td>{{ listright.name }}</td>
             <td>{{ listright.gid }}</td>
+            <td>{{ listright.permissions.all }}</td>
+            <td>{{ listright.user_set.all }}</td>
 	    <td>{{ listright.details }}</td>
             <td class="text-right">
                 {% include 'buttons/edit.html' with href='users:edit-listright' id=listright.id %}

users/templates/users/profil.html

@@ -42,10 +42,6 @@ with this program; if not, write to the Free Software Foundation, Inc.,
             <i class="glyphicon glyphicon-flash"></i>
             Changer le statut
         </a>
-        <a class="btn btn-primary btn-sm" role="button" href="{% url 'users:add-right' users.id %}">
-            <i class="glyphicon glyphicon-ok"></i>
-            Ajouter un droit
-        </a>
         <a class="btn btn-info btn-sm" role="button" href="{% url 'users:history' 'user' users.id %}">
             <i class="glyphicon glyphicon-time"></i>
             Historique

users/templates/users/sidebar.html

@@ -77,10 +77,6 @@ with this program; if not, write to the Free Software Foundation, Inc.,
             Gérer les service users
         </a>
     {% acl_end %}
-        <a class="list-group-item list-group-item-danger" href="{% url "users:del-right" %}">
-            <i class="glyphicon glyphicon-trash"></i>
-            Retirer un droit
-        </a>
     {% can_change User state %}
         <a class="list-group-item list-group-item-danger" href="{% url "users:mass-archive" %}">
             <i class="glyphicon glyphicon-book"></i>

users/urls.py

@@ -64,8 +64,6 @@ urlpatterns = [
         views.edit_whitelist,
         name='edit-whitelist'
     ),
-    url(r'^add_right/(?P<userid>[0-9]+)$', views.add_right, name='add-right'),
-    url(r'^del_right/$', views.del_right, name='del-right'),
     url(r'^add_school/$', views.add_school, name='add-school'),
     url(
         r'^edit_school/(?P<schoolid>[0-9]+)$',

users/views.py

@@ -55,7 +55,6 @@ from reversion import revisions as reversion
 from users.serializers import MailSerializer
 from users.models import (
     User,
-    Right,
     Ban,
     Whitelist,
     School,
@@ -66,14 +65,12 @@ from users.models import (
     Club,
 )
 from users.forms import (
-    DelRightForm,
     BanForm,
     WhitelistForm,
     DelSchoolForm,
     DelListRightForm,
     NewListRightForm,
     StateForm,
-    RightForm,
     SchoolForm,
     EditServiceUserForm,
     ServiceUserForm,
@@ -313,51 +310,6 @@ def del_serviceuser(request, user, userid):
     )
 
 
-@login_required
-@can_create(Right)
-@can_edit(User)
-def add_right(request, user, userid):
-    """ Ajout d'un droit à un user, need droit bureau """
-    right = RightForm(request.POST or None)
-    if right.is_valid():
-        right = right.save(commit=False)
-        right.user = user
-        try:
-            with transaction.atomic(), reversion.create_revision():
-                reversion.set_user(request.user)
-                reversion.set_comment("Ajout du droit %s" % right.right)
-                right.save()
-            messages.success(request, "Droit ajouté")
-        except IntegrityError:
-            pass
-        return redirect(reverse(
-            'users:profil',
-            kwargs={'userid':str(userid)}
-            ))
-    return form({'userform': right}, 'users/user.html', request)
-
-
-@login_required
-@permission_required('bureau')
-def del_right(request):
-    """ Supprimer un droit à un user, need droit bureau """
-    user_right_list = dict()
-    for right in ListRight.objects.all():
-        user_right_list[right] = DelRightForm(right, request.POST or None)
-    for _keys, right_item in user_right_list.items():
-        if right_item.is_valid():
-            right_del = right_item.cleaned_data['rights']
-            with transaction.atomic(), reversion.create_revision():
-                reversion.set_user(request.user)
-                reversion.set_comment("Retrait des droit %s" % ','.join(
-                    str(deleted_right) for deleted_right in right_del
-                ))
-                right_del.delete()
-            messages.success(request, "Droit retiré avec succès")
-            return redirect(reverse('users:index'))
-    return form({'userform': user_right_list}, 'users/del_right.html', request)
-
-
 @login_required
 @can_create(Ban)
 @can_edit(User)
@@ -731,7 +683,7 @@ def index_school(request):
 @can_view_all(ListRight)
 def index_listright(request):
     """ Affiche l'ensemble des droits , need droit cableur """
-    listright_list = ListRight.objects.order_by('listright')
+    listright_list = ListRight.objects.order_by('unix_name')
     return render(
         request,
         'users/index_listright.html',
@@ -796,7 +748,6 @@ def profil(request, users, userid):
         request.GET.get('order'),
         SortTable.USERS_INDEX_WHITE
     )
-    list_droits = Right.objects.filter(user=users)
     options, _created = OptionalUser.objects.get_or_create()
     user_solde = options.user_solde
     return render(
@@ -808,7 +759,6 @@ def profil(request, users, userid):
             'facture_list': factures,
             'ban_list': bans,
             'white_list': whitelists,
-            'list_droits': list_droits,
             'user_solde': user_solde,
         }
     )