From a5013920daa26da6dedb9b0ffb593eef98e255cf Mon Sep 17 00:00:00 2001
From: Hugo LEVY-FALK
Date: Thu, 3 May 2018 14:22:52 +0200
Subject: [PATCH] ACL
---
 users/forms.py | 5 +++--
 users/models.py | 12 ++++++++++++
 users/views.py | 4 ++--
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/users/forms.py b/users/forms.py
index 17170058..23617c53 100644
--- a/users/forms.py
+++ b/users/forms.py
@@ -447,7 +447,7 @@ class StateForm(FormRevMixin, ModelForm):
 super(StateForm, self).__init__(*args, prefix=prefix, **kwargs)
-class GroupForm(FormRevMixin, ModelForm):
+class GroupForm(FieldPermissionFormMixin, FormRevMixin, ModelForm):
 """ Gestion des groupes d'un user"""
 groups = forms.ModelMultipleChoiceField(
 Group.objects.all(),
@@ -462,7 +462,8 @@ class GroupForm(FormRevMixin, ModelForm):
 def __init__(self, *args, **kwargs):
 prefix = kwargs.pop('prefix', self.Meta.model.__name__)
 super(GroupForm, self).__init__(*args, prefix=prefix, **kwargs)
- self.fields['is_superuser'].label = "Superuser"
+ if 'is_superuser' in self.fields:
+ self.fields['is_superuser'].label = "Superuser"
 class SchoolForm(FormRevMixin, ModelForm):
diff --git a/users/models.py b/users/models.py
index f7bfc128..156c26ba 100644
--- a/users/models.py
+++ b/users/models.py
@@ -812,6 +812,18 @@ class User(RevMixin, FieldPermissionModelMixin, AbstractBaseUser,
 "Droit requis pour éditer les groupes de l'user"
 )
+ @staticmethod
+ def can_change_is_superuser(user_request, *_args, **_kwargs):
+ """ Check if an user can change a is_superuser flag
+
+ :param user_request: The user who request
+ :returns: a message and a boolean which is True if permission is granted.
+ """
+ return (
+ user_request.is_superuser,
+ "Droit superuser requis pour éditer le flag superuser"
+ )
+
 def can_view(self, user_request, *_args, **_kwargs):
 """Check if an user can view an user object.
diff --git a/users/views.py b/users/views.py
index 2ed4f3fb..1b65a923 100644
--- a/users/views.py
+++ b/users/views.py
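Review bot: Adding `FieldPermissionFormMixin` to `GroupForm` (users/forms.py, first hunk) makes the `is_superuser` restriction depend on every caller passing `user=`, and this patch updates only the `groups` view. The mixin is not visible here, so confirm that it drops the restricted fields, or raises, when `user` is missing rather than leaving the form unfiltered. A test that submits the form with `is_superuser` set, as a user who holds the groups right but is not a superuser, and asserts the flag is unchanged would pin the server-side behaviour.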
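Review bot: The new `if 'is_superuser' in self.fields:` guard in `GroupForm.__init__` (users/forms.py, second hunk) needs a comment, because it now hides two different cases: the field removed for permission reasons, and the field missing from `Meta.fields` by mistake. Suggested comment above the guard: `# is_superuser is absent when the requesting user fails can_change_is_superuser`. That wording assumes the mixin removes fields by permission, which is inferred from the names in this patch and should be checked against the mixin.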
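Review bot: The docstring of `can_change_is_superuser` (users/models.py) gives the return order as message then boolean, but the tuple is built boolean first: `user_request.is_superuser,` followed by the message string. Callers that unpack by position follow the code, so the docstring should read `:returns: a boolean which is True if permission is granted, and a message.` The check looks only at the requesting user and never at the target, so whether removing the flag from the last remaining superuser should be refused is left undecided by this hunk.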
@@ -246,7 +246,7 @@ def state(request, user, userid):
 @can_edit(User, 'groups')
 def groups(request, user, userid):
 """ View to edit the groups of a user """
- group_form = GroupForm(request.POST or None, instance=user)
+ group_form = GroupForm(request.POST or None, instance=user, user=request.user)
 if group_form.is_valid():
 if group_form.changed_data:
 group_form.save()
@@ -295,7 +295,7 @@ def del_group(request, user, listrightid, **_kwargs):
 @login_required
-@can_edit(User, 'groups')
+@can_edit(User, 'is_superuser')
 def del_superuser(request, user, **_kwargs):
 """Remove the superuser right of an user."""
 user.is_superuser = False
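Review bot: `@can_edit(User, 'is_superuser')` on `del_superuser` ties the check to the new `can_change_is_superuser` only through the field-name string, and the decorator's behaviour for a name with no matching `can_change_<field>` method is not visible in this patch. If it falls back to the general edit right in that case, a typo or a later rename would quietly return this view to the weaker check it had before. A regression test that calls `del_superuser` as a non-superuser holding the groups right and expects a refusal would catch that. The body of `del_superuser` continues outside the hunk.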