Publically joinable Groups (#697)

* Add public field to AuthGroup * Add permission for users to join non-public groups By default this permission will be applied to the "Member" group to maintain the current behaviour. * Allow users to join public groups Users without the 'groupmanagement.request_groups' permission will be able to join groups marked as public but will not be able to see or join any other groups. * Prevent None state change from purging groups Currently when a user drops from Blue or Member state all groups and permissions are discarded. This softens that approach by not removing public groups and creates a distinction between the two activities. An argument could maybe be made for not removing permissions on a state change, but that is beyond the scope of this change. * Correct syntax for removing filtered groups * Add unit tests for disable user and member * Update services signals tests * Correct mocking call * Remove permissions checking from menu item
2025-07-09 20:40:17 +02:00 · 2017-02-12 13:03:39 +10:00 · 2017-02-12 13:03:39 +10:00 · 918ecf812c
commit 918ecf812c
parent b636262e0c
12 changed files with 244 additions and 56 deletions
--- a/authentication/tasks.py
+++ b/authentication/tasks.py
@ -20,7 +20,28 @@ def generate_alliance_group_name(alliancename):


 def disable_member(user):
+    """
+    Disable a member who is transitioning to a NONE state.
+    :param user: django.contrib.auth.models.User to disable
+    :return:
+    """
    logger.debug("Disabling member %s" % user)
+    if user.user_permissions.all().exists():
+        logger.info("Clearning user %s permission to deactivate user." % user)
+        user.user_permissions.clear()
+    if user.groups.all().exists():
+        logger.info("Clearing all non-public user %s groups to disable member." % user)
+        user.groups.remove(*user.groups.filter(authgroup__public=False))
+    validate_services(user, None)
+
+
+def disable_user(user):
+    """
+    Disable a user who is being set inactive or deleted
+    :param user: django.contrib.auth.models.User to disable
+    :return:
+    """
+    logger.debug("Disabling user %s" % user)
    if user.user_permissions.all().exists():
        logger.info("Clearning user %s permission to deactivate user." % user)
        user.user_permissions.clear()
--- a/authentication/tests.py
+++ b/authentication/tests.py
@ -1 +0,0 @@
-# Create your tests here.
--- a/authentication/tests/init.py
+++ b/authentication/tests/init.py
--- a/authentication/tests/test_tasks.py
+++ b/authentication/tests/test_tasks.py
@ -0,0 +1,84 @@
+from __future__ import unicode_literals
+
+try:
+    # Py3
+    from unittest import mock
+except ImportError:
+    # Py2
+    import mock
+
+from django.test import TestCase
+from django.contrib.auth.models import Group, Permission
+
+from alliance_auth.tests.auth_utils import AuthUtils
+
+from authentication.tasks import disable_member, disable_user
+
+
+class AuthenticationTasksTestCase(TestCase):
+    def setUp(self):
+        self.member = AuthUtils.create_member('auth_member')
+        self.none_user = AuthUtils.create_user('none_user', disconnect_signals=True)
+
+    @mock.patch('services.signals.transaction')
+    def test_disable_member(self, transaction):
+        # Inert signals action
+        transaction.on_commit.side_effect = lambda fn: fn()
+
+        # Add permission
+        perm = Permission.objects.create(codename='test_perm', name='test perm', content_type_id=1)
+
+        # Add public group
+        pub_group = Group.objects.create(name="A Public group")
+        pub_group.authgroup.internal = False
+        pub_group.authgroup.public = True
+        pub_group.save()
+
+        # Setup member
+        self.member.user_permissions.add(perm)
+        self.member.groups.add(pub_group)
+
+        # Pre assertion
+        self.assertIn(pub_group, self.member.groups.all())
+        self.assertGreater(len(self.member.groups.all()), 1)
+
+        # Act
+        disable_member(self.member)
+
+        # Assert
+        self.assertIn(pub_group, self.member.groups.all())
+        # Everything but the single public group wiped
+        self.assertEqual(len(self.member.groups.all()), 1)
+        # All permissions wiped
+        self.assertEqual(len(self.member.user_permissions.all()), 0)
+
+    @mock.patch('services.signals.transaction')
+    def test_disable_user(self, transaction):
+        # Inert signals action
+        transaction.on_commit.side_effect = lambda fn: fn()
+
+        # Add permission
+        perm = Permission.objects.create(codename='test_perm', name='test perm', content_type_id=1)
+
+        # Add public group
+        pub_group = Group.objects.create(name="A Public group")
+        pub_group.authgroup.internal = False
+        pub_group.authgroup.public = True
+        pub_group.save()
+
+        # Setup member
+        self.member.user_permissions.add(perm)
+        self.member.groups.add(pub_group)
+
+        # Pre assertion
+        self.assertIn(pub_group, self.member.groups.all())
+        self.assertGreater(len(self.member.groups.all()), 1)
+
+        # Act
+        disable_user(self.member)
+
+        # Assert
+        # All groups wiped
+        self.assertEqual(len(self.member.groups.all()), 0)
+        # All permissions wiped
+        self.assertEqual(len(self.member.user_permissions.all()), 0)
--- a/groupmanagement/migrations/0005_authgroup_public.py
+++ b/groupmanagement/migrations/0005_authgroup_public.py
@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.10.5 on 2017-02-04 06:11
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('groupmanagement', '0004_authgroup'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='authgroup',
+            name='public',
+            field=models.BooleanField(default=False, help_text='Group is public. Any registered user is able to join this group, with visibility based on the other options set for this group.<br> Auth will not remove users from this group automatically when they are no longer authenticated.'),
+        ),
+    ]
--- a/groupmanagement/migrations/0006_request_groups_perm.py
+++ b/groupmanagement/migrations/0006_request_groups_perm.py
@ -0,0 +1,44 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.10.5 on 2017-02-04 07:17
+from __future__ import unicode_literals
+
+from django.db import migrations
+from django.conf import settings
+from django.core.exceptions import ObjectDoesNotExist
+from django.contrib.auth.management import create_permissions
+
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+def add_default_member_permission(apps, schema_editor):
+    for app_config in apps.get_app_configs():
+        app_config.models_module = True
+        create_permissions(app_config, apps=apps, verbosity=0)
+        app_config.models_module = None
+
+    Group = apps.get_model("auth", "Group")
+    Permission = apps.get_model("auth", "Permission")
+
+    try:
+        perm = Permission.objects.get(codename='request_groups', name='Can request non-public groups')
+        group = Group.objects.get(name=getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member'))
+        group.permissions.add(perm)
+    except ObjectDoesNotExist:
+        logger.warning('Failed to add default request_groups permission to Member group')
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('groupmanagement', '0005_authgroup_public'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='authgroup',
+            options={'permissions': (('request_groups', 'Can request non-public groups'),)},
+        ),
+        migrations.RunPython(add_default_member_permission),
+    ]
--- a/groupmanagement/models.py
+++ b/groupmanagement/models.py
@ -32,6 +32,10 @@ class AuthGroup(models.Model):
    Internal - not requestable by users, at all. Covers Corp_, Alliance_, Members etc groups.
    Groups are internal by default

+    Public - Other options are respected, but any user will be able to become and remain a member, even if they
+    have no API etc entered. Auth will not manage these groups automatically so user removal is up to
+    group managers/leaders.
+
    Not Internal and:
        Hidden - users cannot view, can request if they have the direct link.
        Not Hidden - Users can view and request the group
@ -49,6 +53,11 @@ class AuthGroup(models.Model):
    open = models.BooleanField(default=False,
                               help_text="Group is open and users will be automatically added upon request. <br>"
                                         "If the group is not open users will need their request manually approved.")
+    public = models.BooleanField(default=False,
+                                 help_text="Group is public. Any registered user is able to join this group, with "
+                                           "visibility based on the other options set for this group.<br> Auth will "
+                                           "not remove users from this group automatically when they are no longer "
+                                           "authenticated.")
    # Group leaders have management access to this group
    group_leaders = models.ManyToManyField(User, related_name='leads_groups', blank=True,
                                           help_text="Group leaders can process group requests for this group "
@ -60,6 +69,11 @@ class AuthGroup(models.Model):
    def __str__(self):
        return self.group.name

+    class Meta:
+        permissions = (
+            ("request_groups", u"Can request non-public groups"),
+        )
+

@receiver(post_save, sender=Group)
 def create_auth_group(sender, instance, created, **kwargs):
--- a/groupmanagement/views.py
+++ b/groupmanagement/views.py
@ -12,6 +12,7 @@ from django.http import Http404
 from groupmanagement.managers import GroupManager
 from groupmanagement.models import GroupRequest
 from authentication.models import AuthServicesInfo
+from authentication.managers import UserState
 from eveonline.managers import EveManager

 import logging
@ -270,7 +271,14 @@ def groups_view(request):
    logger.debug("groups_view called by user %s" % request.user)
    groups = []

-    for group in GroupManager.get_joinable_groups():
+    group_query = GroupManager.get_joinable_groups()
+
+    if not request.user.has_perm('groupmanagement.request_groups'):
+        # Filter down to public groups only for non-members
+        group_query = group_query.filter(authgroup__public=True)
+        logger.debug("Not a member, only public groups will be available")
+
+    for group in group_query:
        # Exclude hidden
        if not group.authgroup.hidden:
            group_request = GroupRequest.objects.filter(user=request.user).filter(group=group)
@ -290,6 +298,12 @@ def group_request_add(request, group_id):
                       (request.user, group_id))
        messages.warning(request, "You cannot join that group")
        return redirect('auth_groups')
+    if not request.user.has_perm('groupmanagement.request_groups') and not group.authgroup.public:
+        # Does not have the required permission, trying to join a non-public group
+        logger.warning("User %s attempted to join group id %s but it is not a public group" %
+                       (request.user, group_id))
+        messages.warning(request, "You cannot join that group")
+        return redirect('auth_groups')
    if group.authgroup.open:
        logger.info("%s joining %s as is an open group" % (request.user, group))
        request.user.groups.add(group)
--- a/services/signals.py
+++ b/services/signals.py
@ -10,7 +10,7 @@ from django.db.models.signals import pre_save
 from django.dispatch import receiver

 from alliance_auth.hooks import get_hooks
-from authentication.tasks import disable_member
+from authentication.tasks import disable_user
 from authentication.tasks import set_state

 logger = logging.getLogger(__name__)
@ -39,7 +39,7 @@ def m2m_changed_user_groups(sender, instance, action, *args, **kwargs):
@receiver(pre_delete, sender=User)
 def pre_delete_user(sender, instance, *args, **kwargs):
    logger.debug("Received pre_delete from %s" % instance)
-    disable_member(instance)
+    disable_user(instance)


@receiver(pre_save, sender=User)
@ -53,7 +53,7 @@ def pre_save_user(sender, instance, *args, **kwargs):
        old_instance = User.objects.get(pk=instance.pk)
        if old_instance.is_active and not instance.is_active:
            logger.info("Disabling services for inactivation of user %s" % instance)
-            disable_member(instance)
+            disable_user(instance)
        elif instance.is_active and not old_instance.is_active:
            logger.info("Assessing state of reactivated user %s" % instance)
            set_state(instance)
--- a/services/tests/test_signals.py
+++ b/services/tests/test_signals.py
@ -47,27 +47,27 @@ class ServicesSignalsTestCase(TestCase):
        args, kwargs = svc.update_groups.call_args
        self.assertEqual(self.member, args[0])

-    @mock.patch('services.signals.disable_member')
-    def test_pre_delete_user(self, disable_member):
+    @mock.patch('services.signals.disable_user')
+    def test_pre_delete_user(self, disable_user):
        """
        Test that disable_member is called when a user is deleted
        """
        self.none_user.delete()

-        self.assertTrue(disable_member.called)
-        args, kwargs = disable_member.call_args
+        self.assertTrue(disable_user.called)
+        args, kwargs = disable_user.call_args
        self.assertEqual(self.none_user, args[0])

-    @mock.patch('services.signals.disable_member')
-    def test_pre_save_user_inactivation(self, disable_member):
+    @mock.patch('services.signals.disable_user')
+    def test_pre_save_user_inactivation(self, disable_user):
        """
        Test a user set inactive has disable_member called
        """
        self.member.is_active = False
        self.member.save()  # Signal Trigger

-        self.assertTrue(disable_member.called)
-        args, kwargs = disable_member.call_args
+        self.assertTrue(disable_user.called)
+        args, kwargs = disable_user.call_args
        self.assertEqual(self.member, args[0])

    @mock.patch('services.signals.set_state')
--- a/stock/templates/public/base.html
+++ b/stock/templates/public/base.html
@ -106,15 +106,11 @@
                                <i class="fa fa-dashboard fa-fw grayiconecolor"></i>{% trans " Dashboard" %}
                            </a>
                        </li>
-
-                        {% if STATE == MEMBER_STATE or user.is_superuser %}
                        <li>
                            <a class="{% navactive request 'auth_groups' %}" href="{% url 'auth_groups' %}">
                                <i class="fa fa-cogs fa-fw fa-sitemap grayiconecolor"></i>{% trans " Groups" %}
                            </a>
                        </li>
-                        {% endif %}
-
                        <li>
                            <a class="{% navactive request 'auth_help' %}" href="{% url 'auth_help' %}">
                                <i class="fa fa-question fa-fw grayiconecolor"></i>{% trans " Help" %}
--- a/stock/templates/registered/groups.html
+++ b/stock/templates/registered/groups.html
@ -10,7 +10,6 @@
 {% block content %}
    <div class="col-lg-12">
        <h1 class="page-header text-center">{% trans "Available Groups" %}</h1>
-        {% if STATE == MEMBER_STATE or user.is_superuser %}
        {% if groups %}
        <table class="table">
            <tr>
@ -50,9 +49,6 @@
        {% else %}
        <div class="alert alert-warning text-center">No groups available.</div>
        {% endif %}
-        {% else %}
-            <div class="alert alert-danger" role="alert">{% trans "You are not a member." %}</div>
-        {% endif %}
    </div>

 {% endblock content %}