From 90b55b6dc861556ea11acfa752cec1aa51cc01b9 Mon Sep 17 00:00:00 2001 From: Gabriel Detraz Date: Sun, 31 Dec 2017 13:24:18 +0100 Subject: [PATCH] =?UTF-8?q?Suppression=20de=20right=20et=20utilisation=20d?= =?UTF-8?q?u=20syst=C3=A8me=20django?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cotisations/acl.py | 2 +- logs/views.py | 2 - re2o/templatetags/acl.py | 1 - users/admin.py | 10 +- users/forms.py | 36 +----- users/migrations/0062_auto_20171231_0056.py | 45 +++++++ users/migrations/0063_auto_20171231_0140.py | 29 +++++ users/migrations/0064_auto_20171231_0150.py | 41 +++++++ users/models.py | 129 ++------------------ users/templates/users/aff_listright.html | 6 +- users/templates/users/profil.html | 4 - users/templates/users/sidebar.html | 4 - users/urls.py | 2 - users/views.py | 52 +------- 14 files changed, 139 insertions(+), 224 deletions(-) create mode 100644 users/migrations/0062_auto_20171231_0056.py create mode 100644 users/migrations/0063_auto_20171231_0140.py create mode 100644 users/migrations/0064_auto_20171231_0150.py diff --git a/cotisations/acl.py b/cotisations/acl.py index 1928bca3..091d2c26 100644 --- a/cotisations/acl.py +++ b/cotisations/acl.py @@ -35,5 +35,5 @@ def can_view(user): A couple (allowed, msg) where allowed is a boolean which is True if viewing is granted and msg is a message (can be None). """ - can = user.has_perms(('cableur',)) + can = user.has_perm('cotisation.view_app_cotisation') return can, None if can else "Vous ne pouvez pas voir cette application." diff --git a/logs/views.py b/logs/views.py index b2d36d2b..850790da 100644 --- a/logs/views.py +++ b/logs/views.py @@ -50,7 +50,6 @@ from reversion.models import Version, ContentType from users.models import ( User, ServiceUser, - Right, School, ListRight, ListShell, @@ -325,7 +324,6 @@ def stats_models(request): 'clubs': [Club.PRETTY_NAME, Club.objects.count()], 'serviceuser': [ServiceUser.PRETTY_NAME, ServiceUser.objects.count()], - 'right': [Right.PRETTY_NAME, Right.objects.count()], 'school': [School.PRETTY_NAME, School.objects.count()], 'listright': [ListRight.PRETTY_NAME, ListRight.objects.count()], 'listshell': [ListShell.PRETTY_NAME, ListShell.objects.count()], diff --git a/re2o/templatetags/acl.py b/re2o/templatetags/acl.py index c59e8bc7..4c2ea15d 100644 --- a/re2o/templatetags/acl.py +++ b/re2o/templatetags/acl.py @@ -130,7 +130,6 @@ MODEL_NAME = { 'Adherent' : users.models.Adherent, 'Club' : users.models.Club, 'ServiceUser' : users.models.ServiceUser, - 'Right' : users.models.Right, 'School' : users.models.School, 'ListRight' : users.models.ListRight, 'Ban' : users.models.Ban, diff --git a/users/admin.py b/users/admin.py index 488bf7bc..f8acb855 100644 --- a/users/admin.py +++ b/users/admin.py @@ -32,7 +32,7 @@ from django.contrib.auth.models import Group from django.contrib.auth.admin import UserAdmin as BaseUserAdmin from reversion.admin import VersionAdmin -from .models import User, ServiceUser, School, Right, ListRight, ListShell +from .models import User, ServiceUser, School, ListRight, ListShell from .models import Ban, Whitelist, Request, LdapUser, LdapServiceUser from .models import LdapServiceUserGroup, LdapUserGroup from .forms import UserChangeForm, UserCreationForm @@ -86,7 +86,7 @@ class SchoolAdmin(VersionAdmin): class ListRightAdmin(VersionAdmin): """Gestion de la liste des droits existants Ne permet pas l'edition du gid (primarykey pour ldap)""" - list_display = ('listright',) + list_display = ('unix_name',) class ListShellAdmin(VersionAdmin): @@ -94,11 +94,6 @@ class ListShellAdmin(VersionAdmin): pass -class RightAdmin(VersionAdmin): - """Gestion de la liste des droits affectés""" - pass - - class RequestAdmin(admin.ModelAdmin): """Gestion des request objet, ticket pour lien de reinit mot de passe""" list_display = ('user', 'type', 'created_at', 'expires_at') @@ -206,7 +201,6 @@ admin.site.register(LdapUserGroup, LdapUserGroupAdmin) admin.site.register(LdapServiceUser, LdapServiceUserAdmin) admin.site.register(LdapServiceUserGroup, LdapServiceUserGroupAdmin) admin.site.register(School, SchoolAdmin) -admin.site.register(Right, RightAdmin) admin.site.register(ListRight, ListRightAdmin) admin.site.register(ListShell, ListShellAdmin) admin.site.register(Ban, BanAdmin) diff --git a/users/forms.py b/users/forms.py index 82d36d90..31331051 100644 --- a/users/forms.py +++ b/users/forms.py @@ -40,7 +40,7 @@ from django.core.validators import MinLengthValidator from django.utils import timezone from preferences.models import OptionalUser -from .models import User, ServiceUser, Right, School, ListRight, Whitelist +from .models import User, ServiceUser, School, ListRight, Whitelist from .models import Ban, Adherent, Club from re2o.utils import remove_user_room @@ -426,12 +426,12 @@ class ListRightForm(ModelForm): Ne peremet pas d'editer le gid, car il sert de primary key""" class Meta: model = ListRight - fields = ['listright', 'details'] + fields = ['name', 'unix_name', 'permissions', 'details'] def __init__(self, *args, **kwargs): prefix = kwargs.pop('prefix', self.Meta.model.__name__) super(ListRightForm, self).__init__(*args, prefix=prefix, **kwargs) - self.fields['listright'].label = 'Nom du droit/groupe' + self.fields['unix_name'].label = 'Nom du droit/groupe' class NewListRightForm(ListRightForm): @@ -457,9 +457,9 @@ class DelListRightForm(Form): instances = kwargs.pop('instances', None) super(DelListRightForm, self).__init__(*args, **kwargs) if instances: - self.fields['listrights'].queryset = instances + self.fields['unix_name'].queryset = instances else: - self.fields['listrights'].queryset = ListRight.objects.all() + self.fields['unix_name'].queryset = ListRight.objects.all() class DelSchoolForm(Form): @@ -479,32 +479,6 @@ class DelSchoolForm(Form): self.fields['schools'].queryset = School.objects.all() -class RightForm(ModelForm): - """Assignation d'un droit à un user""" - def __init__(self, *args, **kwargs): - prefix = kwargs.pop('prefix', self.Meta.model.__name__) - super(RightForm, self).__init__(*args, prefix=prefix, **kwargs) - self.fields['right'].label = 'Droit' - self.fields['right'].empty_label = "Choisir un nouveau droit" - - class Meta: - model = Right - fields = ['right'] - - -class DelRightForm(Form): - """Suppression d'un droit d'un user""" - rights = forms.ModelMultipleChoiceField( - queryset=Right.objects.select_related('user'), - widget=forms.CheckboxSelectMultiple - ) - - def __init__(self, right, *args, **kwargs): - super(DelRightForm, self).__init__(*args, **kwargs) - self.fields['rights'].queryset = Right.objects.select_related('user')\ - .select_related('right').filter(right=right) - - class BanForm(ModelForm): """Creation, edition d'un objet bannissement""" def __init__(self, *args, **kwargs): diff --git a/users/migrations/0062_auto_20171231_0056.py b/users/migrations/0062_auto_20171231_0056.py new file mode 100644 index 00000000..2eaedb50 --- /dev/null +++ b/users/migrations/0062_auto_20171231_0056.py @@ -0,0 +1,45 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.7 on 2017-12-30 23:56 +from __future__ import unicode_literals + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('auth', '0008_alter_user_username_max_length'), + ('users', '0061_auto_20171230_2033'), + ] + + def create_groups(apps, schema_editor): + group = apps.get_model("auth", "Group") + listrights = apps.get_model("users", "ListRight") + db_alias = schema_editor.connection.alias + for gr in listrights.objects.using(db_alias).all(): + grp = group() + grp.name=gr.unix_name + grp.save() + gr.group_ptr=grp + gr.save() + + def delete_groups(apps, schema_editor): + group = apps.get_model("auth", "Group") + db_alias = schema_editor.connection.alias + group.objects.using(db_alias).all().delete() + + operations = [ + migrations.RenameField( + model_name='listright', + old_name='listright', + new_name='unix_name', + ), + migrations.AddField( + model_name='listright', + name='group_ptr', + field=models.OneToOneField(blank=True, null=True, auto_created=True, on_delete=django.db.models.deletion.CASCADE, serialize=False, to='auth.Group'), + preserve_default=False, + ), + migrations.RunPython(create_groups, delete_groups), + ] diff --git a/users/migrations/0063_auto_20171231_0140.py b/users/migrations/0063_auto_20171231_0140.py new file mode 100644 index 00000000..56762014 --- /dev/null +++ b/users/migrations/0063_auto_20171231_0140.py @@ -0,0 +1,29 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.7 on 2017-12-31 00:40 +from __future__ import unicode_literals + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('users', '0062_auto_20171231_0056'), + ] + + def transfer_right(apps, schema_editor): + rights = apps.get_model("users", "Right") + db_alias = schema_editor.connection.alias + for rg in rights.objects.using(db_alias).all(): + group = rg.right + u=rg.user + u.groups.add(group.group_ptr) + u.save() + + def untransfer_right(apps, schema_editor): + return + + operations = [ + migrations.RunPython(transfer_right, untransfer_right), + ] diff --git a/users/migrations/0064_auto_20171231_0150.py b/users/migrations/0064_auto_20171231_0150.py new file mode 100644 index 00000000..a08561eb --- /dev/null +++ b/users/migrations/0064_auto_20171231_0150.py @@ -0,0 +1,41 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.7 on 2017-12-31 00:50 +from __future__ import unicode_literals + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('users', '0063_auto_20171231_0140'), + ] + + operations = [ + migrations.AlterUniqueTogether( + name='right', + unique_together=set([]), + ), + migrations.RemoveField( + model_name='right', + name='right', + ), + migrations.RemoveField( + model_name='right', + name='user', + ), + migrations.DeleteModel( + name='Right', + ), + migrations.RemoveField( + model_name='listright', + name='id', + ), + migrations.AlterField( + model_name='listright', + name='group_ptr', + field=models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='auth.Group'), + ), + + ] diff --git a/users/models.py b/users/models.py index 32326e5a..254c6a26 100644 --- a/users/models.py +++ b/users/models.py @@ -63,7 +63,8 @@ from django.utils import timezone from django.contrib.auth.models import ( AbstractBaseUser, BaseUserManager, - PermissionsMixin + PermissionsMixin, + Group ) from django.core.validators import RegexValidator @@ -128,18 +129,6 @@ def get_fresh_gid(): return min(free_gids) -def get_admin_right(): - """ Renvoie l'instance droit admin. La crée si elle n'existe pas - Lui attribue un gid libre""" - try: - admin_right = ListRight.objects.get(listright="admin") - except ListRight.DoesNotExist: - admin_right = ListRight(listright="admin") - admin_right.gid = get_fresh_gid() - admin_right.save() - return admin_right - - class UserManager(BaseUserManager): """User manager basique de django""" def _create_user( @@ -163,9 +152,9 @@ class UserManager(BaseUserManager): ) user.set_password(password) - user.save(using=self._db) if su: - user.make_admin() + user.is_superuser=True + user.save(using=self._db) return user def create_user(self, pseudo, surname, email, password=None): @@ -479,23 +468,6 @@ class User(FieldPermissionModelMixin, AbstractBaseUser, PermissionsMixin): self.assign_ips() self.state = User.STATE_ACTIVE - def has_module_perms(self, app_label): - """True, a toutes les permissions de module""" - return True - - def make_admin(self): - """ Make User admin """ - user_admin_right = Right(user=self, right=get_admin_right()) - user_admin_right.save() - - def un_admin(self): - """Supprime les droits admin d'un user""" - try: - user_right = Right.objects.get(user=self, right=get_admin_right()) - except Right.DoesNotExist: - return - user_right.delete() - def ldap_sync(self, base=True, access_refresh=True, mac_refresh=True, group_refresh=False): """ Synchronisation du ldap. Synchronise dans le ldap les attributs de self @@ -538,8 +510,9 @@ class User(FieldPermissionModelMixin, AbstractBaseUser, PermissionsMixin): machine__user=self ).values_list('mac_address', flat=True).distinct()] if group_refresh: - for right in Right.objects.filter(user=self): - right.right.ldap_sync() + for group in self.groups.all(): + if hasattr(group, 'listright'): + group.listright.ldap_sync() user_ldap.save() def ldap_del(self): @@ -1032,88 +1005,6 @@ def service_user_post_delete(sender, **kwargs): service_user.ldap_del() -class Right(models.Model): - """ Couple droit/user. Peut-être aurait-on mieux fait ici d'utiliser un - manytomany - Ceci dit le résultat aurait été le même avec une table intermediaire""" - PRETTY_NAME = "Droits affectés à des users" - - user = models.ForeignKey('User', on_delete=models.PROTECT) - right = models.ForeignKey('ListRight', on_delete=models.PROTECT) - - class Meta: - unique_together = ("user", "right") - - def get_instance(rightid, *args, **kwargs): - return Right.objects.get(pk=rightid) - - def can_create(user_request, *args, **kwargs): - """Check if an user can create a Right object. - - :param user_request: The user who wants to create an object. - :return: a message and a boolean which is True if the user can create. - """ - return user_request.has_perms(('bureau',)), u"Vous n'avez pas le droit de\ - créer des droits" - - def can_edit(self, user_request, *args, **kwargs): - """Check if an user can edit a Right object. - - :param self: The Right which is to be edited. - :param user_request: The user who requests to edit self. - :return: a message and a boolean which is True if edition is granted. - """ - return user_request.has_perms(('bureau',)), u"Vous n'avez pas le droit\ - d'éditer des droits." - - def can_delete(self, user_request, *args, **kwargs): - """Check if an user can delete a Right object. - - :param self: The Right which is to be deleted. - :param user_request: The user who requests deletion. - :return: True if deletion is granted, and a message. - """ - return user_request.has_perms(('bureau',)), u"Vous n'avez pas le droit de\ - supprimer des droits" - - def can_view_all(user_request, *args, **kwargs): - """Check if an user can access to the list of every Right objects - - :param user_request: The user who wants to view the list. - :return: True if the user can view the list and an explanation message. - """ - return user_request.has_perms(('cableur',)), u"Vous ne pouvez pas voir\ - la liste des droits." - - def can_view(self, user_request, *args, **kwargs): - """Check if an user can view a Right object. - - :param self: The targeted Right. - :param user_request: The user who ask for viewing the target. - :return: A boolean telling if the acces is granted and an explanation - text - """ - return user_request.has_perms(('cableur',)), u"Vous ne pouvez pas voir\ - ce droit." - - def __str__(self): - return str(self.user) - - -@receiver(post_save, sender=Right) -def right_post_save(sender, **kwargs): - """ Synchronise les users ldap groups avec les groupes de droits""" - right = kwargs['instance'].right - right.ldap_sync() - - -@receiver(post_delete, sender=Right) -def right_post_delete(sender, **kwargs): - """ Supprime l'user du groupe""" - right = kwargs['instance'].right - right.ldap_sync() - - class School(models.Model): """ Etablissement d'enseignement""" PRETTY_NAME = "Etablissements enregistrés" @@ -1176,7 +1067,7 @@ class School(models.Model): return self.name -class ListRight(models.Model): +class ListRight(Group): """ Ensemble des droits existants. Chaque droit crée un groupe ldap synchronisé, avec gid. Permet de gérer facilement les accès serveurs et autres @@ -1184,7 +1075,7 @@ class ListRight(models.Model): il n'est plus modifiable après creation""" PRETTY_NAME = "Liste des droits existants" - listright = models.CharField( + unix_name = models.CharField( max_length=255, unique=True, validators=[RegexValidator( @@ -1253,7 +1144,7 @@ class ListRight(models.Model): de voir les groupes de droits" def __str__(self): - return self.listright + return self.name def ldap_sync(self): """Sychronise les groups ldap avec le model listright coté django""" diff --git a/users/templates/users/aff_listright.html b/users/templates/users/aff_listright.html index 90d71bfe..2ca41e09 100644 --- a/users/templates/users/aff_listright.html +++ b/users/templates/users/aff_listright.html @@ -27,6 +27,8 @@ with this program; if not, write to the Free Software Foundation, Inc., Droit Gid + Permissions + Users Details @@ -34,8 +36,10 @@ with this program; if not, write to the Free Software Foundation, Inc., {% for listright in listright_list %} - {{ listright.listright }} + {{ listright.name }} {{ listright.gid }} + {{ listright.permissions.all }} + {{ listright.user_set.all }} {{ listright.details }} {% include 'buttons/edit.html' with href='users:edit-listright' id=listright.id %} diff --git a/users/templates/users/profil.html b/users/templates/users/profil.html index 8cb52d8b..70a0fec8 100644 --- a/users/templates/users/profil.html +++ b/users/templates/users/profil.html @@ -42,10 +42,6 @@ with this program; if not, write to the Free Software Foundation, Inc., Changer le statut - - - Ajouter un droit - Historique diff --git a/users/templates/users/sidebar.html b/users/templates/users/sidebar.html index 74e8e020..03b9efa9 100644 --- a/users/templates/users/sidebar.html +++ b/users/templates/users/sidebar.html @@ -77,10 +77,6 @@ with this program; if not, write to the Free Software Foundation, Inc., Gérer les service users {% acl_end %} - - - Retirer un droit - {% can_change User state %} diff --git a/users/urls.py b/users/urls.py index 3b6a506f..2fa96133 100644 --- a/users/urls.py +++ b/users/urls.py @@ -64,8 +64,6 @@ urlpatterns = [ views.edit_whitelist, name='edit-whitelist' ), - url(r'^add_right/(?P[0-9]+)$', views.add_right, name='add-right'), - url(r'^del_right/$', views.del_right, name='del-right'), url(r'^add_school/$', views.add_school, name='add-school'), url( r'^edit_school/(?P[0-9]+)$', diff --git a/users/views.py b/users/views.py index c430bd1b..7f8363cd 100644 --- a/users/views.py +++ b/users/views.py @@ -55,7 +55,6 @@ from reversion import revisions as reversion from users.serializers import MailSerializer from users.models import ( User, - Right, Ban, Whitelist, School, @@ -66,14 +65,12 @@ from users.models import ( Club, ) from users.forms import ( - DelRightForm, BanForm, WhitelistForm, DelSchoolForm, DelListRightForm, NewListRightForm, StateForm, - RightForm, SchoolForm, EditServiceUserForm, ServiceUserForm, @@ -313,51 +310,6 @@ def del_serviceuser(request, user, userid): ) -@login_required -@can_create(Right) -@can_edit(User) -def add_right(request, user, userid): - """ Ajout d'un droit à un user, need droit bureau """ - right = RightForm(request.POST or None) - if right.is_valid(): - right = right.save(commit=False) - right.user = user - try: - with transaction.atomic(), reversion.create_revision(): - reversion.set_user(request.user) - reversion.set_comment("Ajout du droit %s" % right.right) - right.save() - messages.success(request, "Droit ajouté") - except IntegrityError: - pass - return redirect(reverse( - 'users:profil', - kwargs={'userid':str(userid)} - )) - return form({'userform': right}, 'users/user.html', request) - - -@login_required -@permission_required('bureau') -def del_right(request): - """ Supprimer un droit à un user, need droit bureau """ - user_right_list = dict() - for right in ListRight.objects.all(): - user_right_list[right] = DelRightForm(right, request.POST or None) - for _keys, right_item in user_right_list.items(): - if right_item.is_valid(): - right_del = right_item.cleaned_data['rights'] - with transaction.atomic(), reversion.create_revision(): - reversion.set_user(request.user) - reversion.set_comment("Retrait des droit %s" % ','.join( - str(deleted_right) for deleted_right in right_del - )) - right_del.delete() - messages.success(request, "Droit retiré avec succès") - return redirect(reverse('users:index')) - return form({'userform': user_right_list}, 'users/del_right.html', request) - - @login_required @can_create(Ban) @can_edit(User) @@ -731,7 +683,7 @@ def index_school(request): @can_view_all(ListRight) def index_listright(request): """ Affiche l'ensemble des droits , need droit cableur """ - listright_list = ListRight.objects.order_by('listright') + listright_list = ListRight.objects.order_by('unix_name') return render( request, 'users/index_listright.html', @@ -796,7 +748,6 @@ def profil(request, users, userid): request.GET.get('order'), SortTable.USERS_INDEX_WHITE ) - list_droits = Right.objects.filter(user=users) options, _created = OptionalUser.objects.get_or_create() user_solde = options.user_solde return render( @@ -808,7 +759,6 @@ def profil(request, users, userid): 'facture_list': factures, 'ban_list': bans, 'white_list': whitelists, - 'list_droits': list_droits, 'user_solde': user_solde, } )