From f542dfb07c3f537b97529a907faf8301d3fb5f21 Mon Sep 17 00:00:00 2001
From: Michael Price
Date: Sat, 17 Feb 2018 02:16:48 -0400
Subject: [PATCH] Update user management app user group view and add API to filter by group permission too.

At the moment the group view permission is required to add a group to an existing user. This should be updated to a new specific group permission (ie: group_add, group_remove).

Signed-off-by: Michael Price
---
 mayan/apps/user_management/api_views.py | 15 +++++++++++++--
 mayan/apps/user_management/serializers.py | 15 ++++++++++++++-
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/mayan/apps/user_management/api_views.py b/mayan/apps/user_management/api_views.py
index e4963ee5c2..1e20502f64 100644
--- a/mayan/apps/user_management/api_views.py
+++ b/mayan/apps/user_management/api_views.py
@@ -217,10 +217,21 @@ class APIUserGroupList(generics.ListCreateAPIView):
 )
 def get_user(self):
- return get_object_or_404(get_user_model(), pk=self.kwargs['pk'])
+ if self.request.method == 'GET':
+ permission = permission_user_view
+ else:
+ permission = permission_user_edit
+
+ user = get_object_or_404(get_user_model(), pk=self.kwargs['pk'])
+
+ AccessControlList.objects.check_access(
+ permissions=(permission,), user=self.request.user,
+ obj=user
+ )
+ return user
 def perform_create(self, serializer):
- serializer.save(user=self.get_user())
+ serializer.save(user=self.get_user(), _user=self.request.user)
 def post(self, request, *args, **kwargs):
 """
diff --git a/mayan/apps/user_management/serializers.py b/mayan/apps/user_management/serializers.py
index 0ff353f775..10d20518cc 100644
--- a/mayan/apps/user_management/serializers.py
+++ b/mayan/apps/user_management/serializers.py
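Review bot: `perform_create` now passes `_user=self.request.user` into `serializer.save()`, which DRF merges into `validated_data`, yet the `UserGroupListSerializer.create` changed in this same patch authorizes against `self.context['request'].user` and never reads `_user`; unless something outside the patch consumes that key, keep a single source for the acting user — `serializer.save(user=self.get_user())` — so the identity used for the ACL check and the one handed to the serializer cannot drift apart. The branch in `get_user` treats every non-GET verb (HEAD and OPTIONS included) as requiring `permission_user_edit`, which is fail-closed but reads as accidental; a comment such as `# GET only needs view; any other verb is treated as a mutation and needs edit` would make it deliberate. If `get_queryset` (not in the hunk) also calls `get_user()`, the 404 lookup and ACL check run twice per request, which is harmless but worth knowing when auditing access logs. `post` continues outside the hunk.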
@@ -3,11 +3,16 @@ from __future__ import unicode_literals
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group
 from django.contrib.auth.password_validation import validate_password
+from django.core.exceptions import PermissionDenied
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
+from acls.models import AccessControlList
+
+from .permissions import permission_group_view
+
 class GroupSerializer(serializers.HyperlinkedModelSerializer):
 users_count = serializers.SerializerMethodField()
@@ -37,7 +42,15 @@ class UserGroupListSerializer(serializers.Serializer):
 pk_list = validated_data['group_pk_list'].split(',')
 for group in Group.objects.filter(pk__in=pk_list):
- validated_data['user'].groups.add(group)
+ try:
+ AccessControlList.objects.check_access(
+ permissions=(permission_group_view,),
+ user=self.context['request'].user, obj=group
+ )
+ except PermissionDenied:
+ pass
+ else:
+ validated_data['user'].groups.add(group)
 except Exception as exception:
 raise ValidationError(exception)
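Review bot: The `except PermissionDenied: pass` inside the loop makes the POST report success while silently dropping every group the caller is not allowed to view, so the client cannot tell that membership was only partially applied; an authorization failure should surface — collect the denied pks and raise after the loop — and because the enclosing `except Exception` (its `try` opens above the hunk) would rewrite that into a 400 `ValidationError`, an `except PermissionDenied: raise` clause has to precede it. As the commit message itself concedes, gating on `permission_group_view` is too weak for a write: a caller with edit on the user and mere view on a privileged group can add the user to it, so this should move to a dedicated add-membership permission before it ships. A missing `self.context['request']` (serializer instantiated without view context) raises `KeyError` inside the same `try` and is likewise masked as a validation error rather than a programming bug. `create` begins, and its outer `try` opens, outside the hunk.
```python
        denied = []
        for group in Group.objects.filter(pk__in=pk_list):
            try:
                AccessControlList.objects.check_access(
                    permissions=(permission_group_view,),
                    user=self.context['request'].user, obj=group
                )
            except PermissionDenied:
                denied.append(group.pk)
            else:
                validated_data['user'].groups.add(group)
        if denied:
            # Fail loudly: a partial add must not be reported as success.
            raise PermissionDenied(
                _('Insufficient permission for groups: %s') % ', '.join(
                    str(pk) for pk in denied
                )
            )
    except PermissionDenied:
        # Keep the 403 semantics; do not let the catch-all below turn it into a 400.
        raise
    except Exception as exception:
        raise ValidationError(exception)
```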