allow offsck to add members to office

2024-02-10 13:52:27 -05:00 · 2024-02-10 13:52:27 -05:00 · c8627ddef4
parent a4a4ef089c
commit c8627ddef4
1 changed files with 28 additions and 5 deletions
--- a/ceod/api/groups.py
+++ b/ceod/api/groups.py
@ -3,7 +3,8 @@ from flask.json import jsonify
 from zope import component

 from .utils import authz_restrict_to_syscom, is_truthy, \
-    create_streaming_response, development_only
+    create_streaming_response, development_only, requires_admin_creds, \
+    requires_authentication_no_realm, user_is_in_group
 from ceo_common.interfaces import ILDAPService
 from ceo_common.utils import fuzzy_result, fuzzy_match
 from ceod.transactions.groups import (
@ -52,9 +53,26 @@ def search_group(query, count):
    return jsonify(result)


+def may_add_user_to_group(auth_username: str, group_name: str) -> bool:
+    # (is syscom) OR (group is office AND client is offsck)
+    if user_is_in_group(auth_username, 'syscom'):
+        return True
+    if group_name == 'office':
+        ldap_srv = component.getUtility(ILDAPService)
+        auth_user = ldap_srv.get_user(auth_username)
+        if 'offsck' in auth_user.positions:
+            return True
+    return False
+
+
@bp.route('/<group_name>/members/<username>', methods=['POST'])
-@authz_restrict_to_syscom
-def add_member_to_group(group_name, username):
+@requires_admin_creds
+@requires_authentication_no_realm
+def add_member_to_group(auth_username: str, group_name: str, username: str):
+    # Admin creds are required because slapd does not support access control
+    # rules which use the client's attributes
+    if not may_add_user_to_group(auth_username, group_name):
+        return {'error': "not authorized to add user to group"}, 403
    subscribe_to_lists = is_truthy(
        request.args.get('subscribe_to_lists', 'true')
    )
@ -67,8 +85,13 @@ def add_member_to_group(group_name, username):


@bp.route('/<group_name>/members/<username>', methods=['DELETE'])
-@authz_restrict_to_syscom
-def remove_member_from_group(group_name, username):
+@requires_admin_creds
+@requires_authentication_no_realm
+def remove_member_from_group(auth_username: str, group_name: str, username: str):
+    # Admin creds are required because slapd does not support access control
+    # rules which use the client's attributes
+    if not may_add_user_to_group(auth_username, group_name):
+        return {'error': "not authorized to add user to group"}, 403
    unsubscribe_from_lists = is_truthy(
        request.args.get('unsubscribe_from_lists', 'true')
    )