allow offsck to add members to office
parent
a4a4ef089c
commit
c8627ddef4
|
@ -3,7 +3,8 @@ from flask.json import jsonify
|
|||
from zope import component
|
||||
|
||||
from .utils import authz_restrict_to_syscom, is_truthy, \
|
||||
create_streaming_response, development_only
|
||||
create_streaming_response, development_only, requires_admin_creds, \
|
||||
requires_authentication_no_realm, user_is_in_group
|
||||
from ceo_common.interfaces import ILDAPService
|
||||
from ceo_common.utils import fuzzy_result, fuzzy_match
|
||||
from ceod.transactions.groups import (
|
||||
|
@ -52,9 +53,26 @@ def search_group(query, count):
|
|||
return jsonify(result)
|
||||
|
||||
|
||||
def may_add_user_to_group(auth_username: str, group_name: str) -> bool:
|
||||
# (is syscom) OR (group is office AND client is offsck)
|
||||
if user_is_in_group(auth_username, 'syscom'):
|
||||
return True
|
||||
if group_name == 'office':
|
||||
ldap_srv = component.getUtility(ILDAPService)
|
||||
auth_user = ldap_srv.get_user(auth_username)
|
||||
if 'offsck' in auth_user.positions:
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
@bp.route('/<group_name>/members/<username>', methods=['POST'])
|
||||
@authz_restrict_to_syscom
|
||||
def add_member_to_group(group_name, username):
|
||||
@requires_admin_creds
|
||||
@requires_authentication_no_realm
|
||||
def add_member_to_group(auth_username: str, group_name: str, username: str):
|
||||
# Admin creds are required because slapd does not support access control
|
||||
# rules which use the client's attributes
|
||||
if not may_add_user_to_group(auth_username, group_name):
|
||||
return {'error': "not authorized to add user to group"}, 403
|
||||
subscribe_to_lists = is_truthy(
|
||||
request.args.get('subscribe_to_lists', 'true')
|
||||
)
|
||||
|
@ -67,8 +85,13 @@ def add_member_to_group(group_name, username):
|
|||
|
||||
|
||||
@bp.route('/<group_name>/members/<username>', methods=['DELETE'])
|
||||
@authz_restrict_to_syscom
|
||||
def remove_member_from_group(group_name, username):
|
||||
@requires_admin_creds
|
||||
@requires_authentication_no_realm
|
||||
def remove_member_from_group(auth_username: str, group_name: str, username: str):
|
||||
# Admin creds are required because slapd does not support access control
|
||||
# rules which use the client's attributes
|
||||
if not may_add_user_to_group(auth_username, group_name):
|
||||
return {'error': "not authorized to add user to group"}, 403
|
||||
unsubscribe_from_lists = is_truthy(
|
||||
request.args.get('unsubscribe_from_lists', 'true')
|
||||
)
|
||||
|
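Review bot: The DELETE route in the last hunk gates removal with `may_add_user_to_group` and, on refusal, returns the add-path message `"not authorized to add user to group"` — the response text is wrong for a removal, and nothing in the code or comments says that the add and remove policies are intended to be the same, so a later tightening of one will silently change the other. I would change the DELETE return to `return {'error': "not authorized to remove user from group"}, 403` and either rename the predicate to something like `may_modify_group_membership` (a one-line docstring stating "syscom may modify any group; holders of the `offsck` position may modify `office`") or introduce a separate `may_remove_user_from_group` that currently delegates to it. In `may_add_user_to_group`, `ldap_srv.get_user(auth_username)` is called without handling a missing user; presumably the authenticated principal always resolves, but a comment to that effect would help. The body of `remove_member_from_group` continues past the end of the hunk.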
|