diff --git a/HISTORY.rst b/HISTORY.rst index ba2790de20..6645e10ed4 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -222,6 +222,8 @@ filtering in Python. The refactor added cascading access checking in preparation for nested cabinet access control and the removal of the permission proxy support which is now redundant. +- Remove the permissions to grant or revoke a permission to a role. + The instead the role edit permission is used. 3.1.9 (2018-11-01) ================== diff --git a/mayan/apps/permissions/apps.py b/mayan/apps/permissions/apps.py index 00612df967..34ca946cbd 100644 --- a/mayan/apps/permissions/apps.py +++ b/mayan/apps/permissions/apps.py @@ -22,7 +22,6 @@ from .links import ( link_role_list, link_role_permissions ) from .permissions import ( - permission_permission_grant, permission_permission_revoke, permission_role_delete, permission_role_edit, permission_role_view ) from .search import * # NOQA @@ -45,7 +44,6 @@ class PermissionsApp(MayanAppConfig): ModelPermission.register( model=Role, permissions=( permission_acl_edit, permission_acl_view, - permission_permission_grant, permission_permission_revoke, permission_role_delete, permission_role_edit, permission_role_view ) diff --git a/mayan/apps/permissions/links.py b/mayan/apps/permissions/links.py index c883137b79..1ee11c45b1 100644 --- a/mayan/apps/permissions/links.py +++ b/mayan/apps/permissions/links.py 
@@ -10,49 +10,48 @@ from .icons import ( icon_role_list, icon_role_permissions ) from .permissions import ( - permission_permission_grant, permission_permission_revoke, permission_role_create, permission_role_delete, permission_role_edit, permission_role_view ) link_group_roles = Link( icon_class=icon_role_list, kwargs={'group_id': 'object.id'}, - permissions=(permission_group_edit,), text=_('Roles'), + permission=permission_group_edit, text=_('Roles'), view='permissions:group_roles', ) link_permission_grant = Link( - permissions=(permission_permission_grant,), text=_('Grant'), + permission=permission_role_edit, text=_('Grant'), view='permissions:permission_multiple_grant' ) link_permission_revoke = Link( - permissions=(permission_permission_revoke,), text=_('Revoke'), + permission=permission_role_edit, text=_('Revoke'), view='permissions:permission_multiple_revoke' ) link_role_create = Link( - icon_class=icon_role_create, permissions=(permission_role_create,), + icon_class=icon_role_create, permission=permission_role_create, text=_('Create new role'), view='permissions:role_create' ) link_role_delete = Link( icon_class=icon_role_delete, kwargs={'role_id': 'object.id'}, - permissions=(permission_role_delete,), tags='dangerous', text=_('Delete'), + permission=permission_role_delete, tags='dangerous', text=_('Delete'), view='permissions:role_delete', ) link_role_edit = Link( icon_class=icon_role_edit, kwargs={'role_id': 'object.id'}, - permissions=(permission_role_edit,), text=_('Edit'), + permission=permission_role_edit, text=_('Edit'), view='permissions:role_edit', ) link_role_list = Link( - icon_class=icon_role_list, permissions=(permission_role_view,), + icon_class=icon_role_list, permission=permission_role_view, text=_('Roles'), view='permissions:role_list' ) link_role_groups = Link( icon_class=icon_role_groups, kwargs={'role_id': 'object.id'}, - permissions=(permission_role_edit,), text=_('Groups'), + permission=permission_role_edit, text=_('Groups'), 
view='permissions:role_groups', ) link_role_permissions = Link( icon_class=icon_role_permissions, kwargs={'role_id': 'object.id'}, - permissions=(permission_permission_grant, permission_permission_revoke), - text=_('Role permissions'), view='permissions:role_permissions', + permission=permission_role_edit, text=_('Role permissions'), + view='permissions:role_permissions', ) diff --git a/mayan/apps/permissions/permissions.py b/mayan/apps/permissions/permissions.py index 4411ca53ad..986b5b5485 100644 --- a/mayan/apps/permissions/permissions.py +++ b/mayan/apps/permissions/permissions.py @@ -6,12 +6,6 @@ from . import PermissionNamespace namespace = PermissionNamespace(label=_('Permissions'), name='permissions') -permission_permission_grant = namespace.add_permission( - label=_('Grant permissions'), name='permission_grant' -) -permission_permission_revoke = namespace.add_permission( - label=_('Revoke permissions'), name='permission_revoke' -) permission_role_create = namespace.add_permission( label=_('Create roles'), name='role_create' ) diff --git a/mayan/apps/permissions/tests/test_views.py b/mayan/apps/permissions/tests/test_views.py index c4c28c7fd0..2ec8ecfe2a 100644 --- a/mayan/apps/permissions/tests/test_views.py +++ b/mayan/apps/permissions/tests/test_views.py @@ -6,7 +6,6 @@ from mayan.apps.user_management.tests import GroupTestMixin from ..models import Role from ..permissions import ( - permission_permission_grant, permission_permission_revoke, permission_role_create, permission_role_delete, permission_role_edit, permission_role_view ) 
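Review bot: Every `Link(...)` in this hunk switches from `permissions=(...)` to a singular `permission=` keyword, but the matching change to the `Link` constructor is not part of this diff, so confirm that `Link` actually reads `permission`; if the keyword were accepted but ignored, these links would render with no permission filtering. The hunk also mixes that keyword rename with the authorization change itself (Grant, Revoke and Role permissions now resolve against `permission_role_edit`), which makes the change harder to audit; the rename would be easier to review as its own commit. Links only control visibility, so the enforcement that matters is in `RolePermissionsView`. A comment above `link_permission_grant` such as `# Granting and revoking are covered by role edit; there is no separate grant/revoke permission.` would record the intent.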
@@ -123,23 +122,15 @@ class PermissionsViewsTestCase(GroupTestMixin, RoleTestMixin, GenericViewTestCas kwargs={'role_id': self.test_role.pk} ) - def test_role_permissions_view_no_access(self): + def test_role_permissions_view_no_permission(self): self._create_test_role() response = self._request_role_permissions_view() self.assertEqual(response.status_code, 403) - def test_role_permissions_view_with_permission_grant(self): + def test_role_permissions_view_with_access(self): self._create_test_role() self.grant_access( - permission=permission_permission_grant, obj=self.test_role - ) - response = self._request_role_permissions_view() - self.assertEqual(response.status_code, 200) - - def test_role_permissions_view_with_permission_revoke(self): - self._create_test_role() - self.grant_access( - permission=permission_permission_revoke, obj=self.test_role + permission=permission_permission_view, obj=self.test_role ) response = self._request_role_permissions_view() self.assertEqual(response.status_code, 200) diff --git a/mayan/apps/permissions/views.py b/mayan/apps/permissions/views.py index 127312fe9a..db89b01d23 100644 --- a/mayan/apps/permissions/views.py +++ b/mayan/apps/permissions/views.py @@ -21,7 +21,6 @@ from .icons import icon_role_list from .links import link_role_create from .models import Role, StoredPermission from .permissions import ( - permission_permission_grant, permission_permission_revoke, permission_role_create, permission_role_delete, permission_role_edit, permission_role_view ) @@ -147,6 +146,7 @@ class RoleListView(SingleObjectListView): class RolePermissionsView(AssignRemoveView): grouped = True left_list_title = _('Available permissions') + object_permission = permission_role_edit right_list_title = _('Granted permissions') @staticmethod 
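Review bot: `test_role_permissions_view_with_access` grants `permission_permission_view`, a name that is not in this file's import block (after this commit it lists only the four `permission_role_*` names) and is not defined in `permissions.py` as far as the diff shows, so the test would fail with a NameError instead of exercising the view. Since `RolePermissionsView` is now guarded by `permission_role_edit`, the call should read `permission=permission_role_edit, obj=self.test_role`. The tests visible here only cover GET; from what is shown, nothing asserts that a POST adding or removing a permission is rejected without role edit access, which is the path that lost its explicit checks in `views.py`. The test class continues outside this hunk, so such cases may exist elsewhere.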
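Review bot: The added `object_permission = permission_role_edit` is the only access control left on `RolePermissionsView`, because the later hunks at `-171` and `-207` delete the `dispatch()` ACL check and the `Permission.check_permissions` calls in `add()` and `remove()`. The view is therefore protected only if `AssignRemoveView` enforces `object_permission` on POST as well as GET, which this diff does not show and should be confirmed in the base class. A comment next to the attribute, e.g. `# Enforced by AssignRemoveView for every request; add()/remove() perform no checks of their own.`, would make that dependency explicit. The change also widens what role edit means: any user or ACL entry that already holds `permission_role_edit` on a role can grant that role any stored permission after upgrade, so the release note should state this, and stored rows for the removed `permission_grant`/`permission_revoke` names may need cleanup (no migration is visible here). `Permission` and `AccessControlList` may now be unused imports in this module.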
@@ -171,19 +171,9 @@ class RolePermissionsView(AssignRemoveView): return results def add(self, item): - Permission.check_permissions( - self.request.user, permissions=(permission_permission_grant,) - ) permission = get_object_or_404(klass=StoredPermission, pk=item) self.get_object().permissions.add(permission) - def dispatch(self, request, *args, **kwargs): - AccessControlList.objects.check_access( - permissions=(permission_permission_grant, permission_permission_revoke), - user=self.request.user, obj=self.get_object() - ) - return super(RolePermissionsView, self).dispatch(request, *args, **kwargs) - def get_extra_context(self): return { 'object': self.get_object(), @@ -207,9 +197,6 @@ class RolePermissionsView(AssignRemoveView): ) def remove(self, item): - Permission.check_permissions( - self.request.user, permissions=(permission_permission_revoke,) - ) permission = get_object_or_404(klass=StoredPermission, pk=item) self.get_object().permissions.remove(permission)