Update user management app user group view and add API to filter

by group permission too. At the moment the group view permission is required to add a group to an existing user. This should be updated to a new specific group permission (ie: group_add, group_remove). Signed-off-by: Michael Price <loneviking72@gmail.com>
2018-02-17 02:16:48 -04:00
parent c604ec9c6d
commit f542dfb07c
2 changed files with 27 additions and 3 deletions
--- a/mayan/apps/user_management/api_views.py
+++ b/mayan/apps/user_management/api_views.py
@@ -217,10 +217,21 @@ class APIUserGroupList(generics.ListCreateAPIView):
        )

    def get_user(self):
-        return get_object_or_404(get_user_model(), pk=self.kwargs['pk'])
+        if self.request.method == 'GET':
+            permission = permission_user_view
+        else:
+            permission = permission_user_edit
+
+        user = get_object_or_404(get_user_model(), pk=self.kwargs['pk'])
+
+        AccessControlList.objects.check_access(
+            permissions=(permission,), user=self.request.user,
+            obj=user
+        )
+        return user

    def perform_create(self, serializer):
-        serializer.save(user=self.get_user())
+        serializer.save(user=self.get_user(), _user=self.request.user)

    def post(self, request, *args, **kwargs):
        """
--- a/mayan/apps/user_management/serializers.py
+++ b/mayan/apps/user_management/serializers.py
@@ -3,11 +3,16 @@ from __future__ import unicode_literals
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group
 from django.contrib.auth.password_validation import validate_password
+from django.core.exceptions import PermissionDenied
 from django.utils.translation import ugettext_lazy as _

 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError

+from acls.models import AccessControlList
+
+from .permissions import permission_group_view
+

 class GroupSerializer(serializers.HyperlinkedModelSerializer):
    users_count = serializers.SerializerMethodField()
@@ -37,7 +42,15 @@ class UserGroupListSerializer(serializers.Serializer):
            pk_list = validated_data['group_pk_list'].split(',')

            for group in Group.objects.filter(pk__in=pk_list):
-                validated_data['user'].groups.add(group)
+                try:
+                    AccessControlList.objects.check_access(
+                        permissions=(permission_group_view,),
+                        user=self.context['request'].user, obj=group
+                    )
+                except PermissionDenied:
+                    pass
+                else:
+                    validated_data['user'].groups.add(group)
        except Exception as exception:
            raise ValidationError(exception)