diff --git a/alliance_auth/settings.py.example b/alliance_auth/settings.py.example index 981a3200..dcd269a5 100644 --- a/alliance_auth/settings.py.example +++ b/alliance_auth/settings.py.example @@ -283,58 +283,6 @@ MEMBER_ALLIANCE_GROUPS = 'True' == os.environ.get('AA_MEMBER_ALLIANCE_GROUPS', ' BLUE_CORP_GROUPS = 'True' == os.environ.get('AA_BLUE_CORP_GROUPS', 'False') BLUE_ALLIANCE_GROUPS = 'True' == os.environ.get('AA_BLUE_ALLIANCE_GROUPS', 'False') -######################### -# Alliance Service Setup -######################### -# ENABLE_AUTH_FORUM - Enable forum support in the auth for auth'd members -# ENABLE_AUTH_JABBER - Enable jabber support in the auth for auth'd members -# ENABLE_AUTH_MUMBLE - Enable mumble support in the auth for auth'd members -# ENABLE_AUTH_IPBOARD - Enable IPBoard forum support in the auth for auth'd members -# ENABLE_AUTH_DISCORD - Enable Discord support in the auth for auth'd members -# ENABLE_AUTH_DISCOURSE - Enable Discourse support in the auth for auth'd members -# ENABLE_AUTH_IPS4 - Enable IPS4 support in the auth for auth'd members -# ENABLE_AUTH_SMF - Enable SMF forum support in the auth for auth'd members -# ENABLE_AUTH_MARKET = Enable Alliance Market support in auth for auth'd members -# ENABLE_AUTH_XENFORO = Enable XenForo forums support in the auth for auth'd members -######################### -ENABLE_AUTH_FORUM = 'True' == os.environ.get('AA_ENABLE_AUTH_FORUM', 'False') -ENABLE_AUTH_JABBER = 'True' == os.environ.get('AA_ENABLE_AUTH_JABBER', 'False') -ENABLE_AUTH_MUMBLE = 'True' == os.environ.get('AA_ENABLE_AUTH_MUMBLE', 'False') -ENABLE_AUTH_IPBOARD = 'True' == os.environ.get('AA_ENABLE_AUTH_IPBOARD', 'False') -ENABLE_AUTH_TEAMSPEAK3 = 'True' == os.environ.get('AA_ENABLE_AUTH_TEAMSPEAK3', 'False') -ENABLE_AUTH_DISCORD = 'True' == os.environ.get('AA_ENABLE_AUTH_DISCORD', 'False') -ENABLE_AUTH_DISCOURSE = 'True' == os.environ.get('AA_ENABLE_AUTH_DISCOURSE', 'False') -ENABLE_AUTH_IPS4 = 'True' == os.environ.get('AA_ENABLE_AUTH_IPS4', 'False') -ENABLE_AUTH_SMF = 'True' == os.environ.get('AA_ENABLE_AUTH_SMF', 'False') -ENABLE_AUTH_MARKET = 'True' == os.environ.get('AA_ENABLE_AUTH_MARKET', 'False') -ENABLE_AUTH_XENFORO = 'True' == os.environ.get('AA_ENABLE_AUTH_XENFORO', 'False') - -##################### -# Blue service Setup -##################### -# ENABLE_BLUE_FORUM - Enable forum support in the auth for blues -# ENABLE_BLUE_JABBER - Enable jabber support in the auth for blues -# ENABLE_BLUE_MUMBLE - Enable mumble support in the auth for blues -# ENABLE_BLUE_IPBOARD - Enable IPBoard forum support in the auth for blues -# ENABLE_BLUE_DISCORD - Enable Discord support in the auth for blues -# ENABLE_BLUE_DISCOURSE - Enable Discord support in the auth for blues -# ENABLE_BLUE_IPS4 - Enable IPS4 forum support in the auth for blues -# ENABLE_BLUE_SMF - Enable SMF forum support in the auth for blues -# ENABLE_BLUE_MARKET - Enable Alliance Market in the auth for blues -# ENABLE_BLUE_XENFORO = Enable XenForo forum support in the auth for blue -##################### -ENABLE_BLUE_FORUM = 'True' == os.environ.get('AA_ENABLE_BLUE_FORUM', 'False') -ENABLE_BLUE_JABBER = 'True' == os.environ.get('AA_ENABLE_BLUE_JABBER', 'False') -ENABLE_BLUE_MUMBLE = 'True' == os.environ.get('AA_ENABLE_BLUE_MUMBLE', 'False') -ENABLE_BLUE_IPBOARD = 'True' == os.environ.get('AA_ENABLE_BLUE_IPBOARD', 'False') -ENABLE_BLUE_TEAMSPEAK3 = 'True' == os.environ.get('AA_ENABLE_BLUE_TEAMSPEAK3', 'False') -ENABLE_BLUE_DISCORD = 'True' == os.environ.get('AA_ENABLE_BLUE_DISCORD', 'False') -ENABLE_BLUE_DISCOURSE = 'True' == os.environ.get('AA_ENABLE_BLUE_DISCOURSE', 'False') -ENABLE_BLUE_IPS4 = 'True' == os.environ.get('AA_ENABLE_BLUE_IPS4', 'False') -ENABLE_BLUE_SMF = 'True' == os.environ.get('AA_ENABLE_BLUE_SMF', 'False') -ENABLE_BLUE_MARKET = 'True' == os.environ.get('AA_ENABLE_BLUE_MARKET', 'False') -ENABLE_BLUE_XENFORO = 'True' == os.environ.get('AA_ENABLE_BLUE_XENFORO', 'False') - ######################### # Tenant Configuration ######################### @@ -702,13 +650,13 @@ LOGGING = { } # Conditionally add databases only if configured -if ENABLE_AUTH_FORUM or ENABLE_BLUE_FORUM: +if 'services.modules.phpbb3' in INSTALLED_APPS: DATABASES['phpbb3'] = PHPBB3_DB -if ENABLE_AUTH_SMF or ENABLE_BLUE_SMF: +if 'services.modules.smf' in INSTALLED_APPS: DATABASES['smf'] = SMF_DB -if ENABLE_AUTH_MARKET or ENABLE_BLUE_MARKET: +if 'services.modules.market' in INSTALLED_APPS: DATABASES['market'] = MARKET_DB -if ENABLE_AUTH_IPS4 or ENABLE_BLUE_IPS4: +if 'services.modules.ips4' in INSTALLED_APPS: DATABASES['ips4'] = IPS4_DB # Ensure corp/alliance IDs are expected types diff --git a/alliance_auth/tests/auth_utils.py b/alliance_auth/tests/auth_utils.py index 090f678a..7bb6e3a6 100644 --- a/alliance_auth/tests/auth_utils.py +++ b/alliance_auth/tests/auth_utils.py @@ -1,9 +1,10 @@ from __future__ import unicode_literals from django.db.models.signals import m2m_changed, pre_save -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group, Permission from services.signals import m2m_changed_user_groups, pre_save_user +from services.signals import m2m_changed_group_permissions, m2m_changed_user_permissions from authentication.signals import pre_save_auth_state from authentication.tasks import make_member, make_blue @@ -55,12 +56,16 @@ class AuthUtils: @classmethod def disconnect_signals(cls): m2m_changed.disconnect(m2m_changed_user_groups, sender=User.groups.through) + m2m_changed.disconnect(m2m_changed_group_permissions, sender=Group.permissions.through) + m2m_changed.disconnect(m2m_changed_user_permissions, sender=User.user_permissions.through) pre_save.disconnect(pre_save_user, sender=User) pre_save.disconnect(pre_save_auth_state, sender=AuthServicesInfo) @classmethod def connect_signals(cls): m2m_changed.connect(m2m_changed_user_groups, sender=User.groups.through) + m2m_changed.connect(m2m_changed_group_permissions, sender=Group.permissions.through) + m2m_changed.connect(m2m_changed_user_permissions, sender=User.user_permissions.through) pre_save.connect(pre_save_user, sender=User) pre_save.connect(pre_save_auth_state, sender=AuthServicesInfo) diff --git a/alliance_auth/tests/test_settings.py b/alliance_auth/tests/test_settings.py index 1d600e08..d4720472 100644 --- a/alliance_auth/tests/test_settings.py +++ b/alliance_auth/tests/test_settings.py @@ -247,62 +247,6 @@ MEMBER_ALLIANCE_GROUPS = 'True' == os.environ.get('AA_MEMBER_ALLIANCE_GROUPS', ' BLUE_CORP_GROUPS = 'True' == os.environ.get('AA_BLUE_CORP_GROUPS', 'False') BLUE_ALLIANCE_GROUPS = 'True' == os.environ.get('AA_BLUE_ALLIANCE_GROUPS', 'False') -######################### -# Alliance Service Setup -######################### -# ENABLE_AUTH_FORUM - Enable forum support in the auth for auth'd members -# ENABLE_AUTH_JABBER - Enable jabber support in the auth for auth'd members -# ENABLE_AUTH_MUMBLE - Enable mumble support in the auth for auth'd members -# ENABLE_AUTH_IPBOARD - Enable IPBoard forum support in the auth for auth'd members -# ENABLE_AUTH_DISCORD - Enable Discord support in the auth for auth'd members -# ENABLE_AUTH_DISCOURSE - Enable Discourse support in the auth for auth'd members -# ENABLE_AUTH_IPS4 - Enable IPS4 support in the auth for auth'd members -# ENABLE_AUTH_SMF - Enable SMF forum support in the auth for auth'd members -# ENABLE_AUTH_MARKET = Enable Alliance Market support in auth for auth'd members -# ENABLE_AUTH_PATHFINDER = Enable Alliance Pathfinder suppor in auth for auth'd members -# ENABLE_AUTH_XENFORO = Enable XenForo forums support in the auth for auth'd members -######################### -ENABLE_AUTH_FORUM = 'True' == os.environ.get('AA_ENABLE_AUTH_FORUM', 'True') -ENABLE_AUTH_JABBER = 'True' == os.environ.get('AA_ENABLE_AUTH_JABBER', 'True') -ENABLE_AUTH_MUMBLE = 'True' == os.environ.get('AA_ENABLE_AUTH_MUMBLE', 'True') -ENABLE_AUTH_IPBOARD = 'True' == os.environ.get('AA_ENABLE_AUTH_IPBOARD', 'True') -ENABLE_AUTH_TEAMSPEAK3 = 'True' == os.environ.get('AA_ENABLE_AUTH_TEAMSPEAK3', 'True') -ENABLE_AUTH_DISCORD = 'True' == os.environ.get('AA_ENABLE_AUTH_DISCORD', 'True') -ENABLE_AUTH_DISCOURSE = 'True' == os.environ.get('AA_ENABLE_AUTH_DISCOURSE', 'True') -ENABLE_AUTH_IPS4 = 'True' == os.environ.get('AA_ENABLE_AUTH_IPS4', 'True') -ENABLE_AUTH_SMF = 'True' == os.environ.get('AA_ENABLE_AUTH_SMF', 'True') -ENABLE_AUTH_MARKET = 'True' == os.environ.get('AA_ENABLE_AUTH_MARKET', 'True') -ENABLE_AUTH_XENFORO = 'True' == os.environ.get('AA_ENABLE_AUTH_XENFORO', 'True') - -##################### -# Blue service Setup -##################### -# BLUE_STANDING - The default lowest standings setting to consider blue -# ENABLE_BLUE_FORUM - Enable forum support in the auth for blues -# ENABLE_BLUE_JABBER - Enable jabber support in the auth for blues -# ENABLE_BLUE_MUMBLE - Enable mumble support in the auth for blues -# ENABLE_BLUE_IPBOARD - Enable IPBoard forum support in the auth for blues -# ENABLE_BLUE_DISCORD - Enable Discord support in the auth for blues -# ENABLE_BLUE_DISCOURSE - Enable Discord support in the auth for blues -# ENABLE_BLUE_IPS4 - Enable IPS4 forum support in the auth for blues -# ENABLE_BLUE_SMF - Enable SMF forum support in the auth for blues -# ENABLE_BLUE_MARKET - Enable Alliance Market in the auth for blues -# ENABLE_BLUE_PATHFINDER = Enable Pathfinder support in the auth for blues -# ENABLE_BLUE_XENFORO = Enable XenForo forum support in the auth for blue -##################### -BLUE_STANDING = float(os.environ.get('AA_BLUE_STANDING', '5.0')) -ENABLE_BLUE_FORUM = 'True' == os.environ.get('AA_ENABLE_BLUE_FORUM', 'True') -ENABLE_BLUE_JABBER = 'True' == os.environ.get('AA_ENABLE_BLUE_JABBER', 'True') -ENABLE_BLUE_MUMBLE = 'True' == os.environ.get('AA_ENABLE_BLUE_MUMBLE', 'True') -ENABLE_BLUE_IPBOARD = 'True' == os.environ.get('AA_ENABLE_BLUE_IPBOARD', 'True') -ENABLE_BLUE_TEAMSPEAK3 = 'True' == os.environ.get('AA_ENABLE_BLUE_TEAMSPEAK3', 'True') -ENABLE_BLUE_DISCORD = 'True' == os.environ.get('AA_ENABLE_BLUE_DISCORD', 'True') -ENABLE_BLUE_DISCOURSE = 'True' == os.environ.get('AA_ENABLE_BLUE_DISCOURSE', 'True') -ENABLE_BLUE_IPS4 = 'True' == os.environ.get('AA_ENABLE_BLUE_IPS4', 'True') -ENABLE_BLUE_SMF = 'True' == os.environ.get('AA_ENABLE_BLUE_SMF', 'True') -ENABLE_BLUE_MARKET = 'True' == os.environ.get('AA_ENABLE_BLUE_MARKET', 'True') -ENABLE_BLUE_XENFORO = 'True' == os.environ.get('AA_ENABLE_BLUE_XENFORO', 'True') - ######################### # Corp Configuration ######################### diff --git a/authentication/signals.py b/authentication/signals.py index 30524931..1d7025b8 100644 --- a/authentication/signals.py +++ b/authentication/signals.py @@ -23,7 +23,7 @@ def pre_save_auth_state(sender, instance, *args, **kwargs): make_blue(instance) else: disable_member(instance.user) - validate_services(instance.user, instance.state) + validate_services.apply(args=(instance.user,)) @receiver(post_save, sender=User) diff --git a/authentication/tasks.py b/authentication/tasks.py index ef323dc4..2810f782 100644 --- a/authentication/tasks.py +++ b/authentication/tasks.py @@ -32,7 +32,7 @@ def disable_member(user): if user.groups.all().exists(): logger.info("Clearing all non-public user %s groups to disable member." % user) user.groups.remove(*user.groups.filter(authgroup__public=False)) - validate_services(user, None) + validate_services.apply(args=(user,)) def disable_user(user): @@ -48,7 +48,7 @@ def disable_user(user): if user.groups.all().exists(): logger.info("Clearing user %s groups to deactivate user." % user) user.groups.clear() - validate_services(user, None) + validate_services.apply(args=(user,)) def make_member(auth): diff --git a/docs/installation/auth/settings.md b/docs/installation/auth/settings.md index 89faed63..8347660f 100644 --- a/docs/installation/auth/settings.md +++ b/docs/installation/auth/settings.md @@ -47,34 +47,6 @@ When changing these booleans, edit the setting within the brackets (eg `('AA_MEM - OAuth callback URL. Should be `https://mydomain.com/sso/callback` ## Services -### Member Services -After installing services, enable specific services for members by setting the following to `True` -- [ENABLE_AUTH_FORUM](#enable-auth-forum) -- [ENABLE_AUTH_JABBER](#enable-auth-jabber) -- [ENABLE_AUTH_MUMBLE](#enable-auth-mumble) -- [ENABLE_AUTH_IPBOARD](#enable-auth-ipboard) -- [ENABLE_AUTH_TEAMSPEAK3](#enable-auth-teamspeak3) -- [ENABLE_AUTH_DISCORD](#enable-auth-discord) -- [ENABLE_AUTH_DISCOURSE](#enable-auth-discourse) -- [ENABLE_AUTH_IPS4](#enable-auth-ips4) -- [ENABLE_AUTH_SMF](#enable-auth-smf) -- [ENABLE_AUTH_MARKET](#enable-auth-market) -- [ENABLE_AUTH_XENFORO](#enable-auth-xenforo) - -### Blue Services -After installing services, enable specific services for blues by setting the following to `True` -- [ENABLE_BLUE_FORUM](#enable-blue-forum) -- [ENABLE_BLUE_JABBER](#enable-blue-jabber) -- [ENABLE_BLUE_MUMBLE](#enable-blue-mumble) -- [ENABLE_BLUE_IPBOARD](#enable-blue-ipboard) -- [ENABLE_BLUE_TEAMSPEAK3](#enable-blue-teamspeak3) -- [ENABLE_BLUE_DISCORD](#enable-blue-discord) -- [ENABLE_BLUE_DISCOURSE](#enable-blue-discourse) -- [ENABLE_BLUE_IPS4](#enable-blue-ips4) -- [ENABLE_BLUE_SMF](#enable-blue-smf) -- [ENABLE_BLUE_MARKET](#enable-blue-market) -- [ENABLE_BLUE_XENFORO](#enable-blue-xenforo) - ### IPBoard If using IPBoard, the following need to be set in accordance with the [install instructions](../services/ipboard3.md) - [IPBOARD_ENDPOINT](#ipboard-endpoint) diff --git a/docs/installation/services/index.md b/docs/installation/services/index.md index b35bfe50..2791990a 100644 --- a/docs/installation/services/index.md +++ b/docs/installation/services/index.md @@ -3,6 +3,7 @@ ```eval_rst .. toctree:: + permissions market discord discourse diff --git a/docs/installation/services/permissions.md b/docs/installation/services/permissions.md new file mode 100644 index 00000000..9778c7e7 --- /dev/null +++ b/docs/installation/services/permissions.md @@ -0,0 +1,37 @@ +# Service Permissions +```eval_rst +.. note:: + New in 1.15 +``` + +In the past, access to services was dictated by a list of settings in `settings.py`, granting access to each particular service for Members and/or Blues. This meant that granting access to a service was very broad and rigidly structured around these two states. + +## Permissions based access + +Instead of granting access to services by the previous rigid structure, access to services is now granted by the built in Django permissions system. This means that service access can be more granular, allowing only certain groups, for instance Corp CEOs, or even individual user access to each enabled service. + +```eval_rst +.. important:: + If you grant access to an individual user, they will have access to that service regardless of whether or not they are a member. +``` + +Each service has an access permission defined, named like `Can access the service`. + +To mimick the old behaviour of enabling services for all members, you would select the `Member` group from the admin panel, add the required service permission to the group and save. Likewise for Blues, select the `Blue` group and add the required permission. + +A user can be granted the same permission from multiple sources. e.g. they may have it granted by several groups and directly granted on their account as well. Auth will not remove their account until all instances of the permission for that service have been revoked. + +## Removing access + +```eval_rst +.. danger:: + Access removal is processed immediately after removing a permission from a user or group. If you remove access from a large group, such as Member, it will immediately remove all users from that service. +``` + +When you remove a service permission from a user, a signal is triggered which will activate an immediate permission check. For users this will trigger an access check for all services. For groups, due to the potential extra load, only the services whose permissions have changed will be verified, and only the users in that group. + +If a user no longer has permission to access the service when this permissions check is triggered, that service will be immediately disabled for them. + +### Disabling user accounts + +When you unset a user as active in the admin panel, all of that users service accounts will be immediately disabled or removed. This is due to the built in behaviour of Djangos permissions system, which will return False for all permissions if a users account is disabled, regardless of their actual permissions state. diff --git a/services/hooks.py b/services/hooks.py index 921cb3ab..babef75e 100644 --- a/services/hooks.py +++ b/services/hooks.py @@ -3,6 +3,7 @@ from __future__ import unicode_literals from django.template.loader import render_to_string from django.utils.safestring import mark_safe +from alliance_auth.hooks import get_hooks from authentication.states import MEMBER_STATE, BLUE_STATE from authentication.models import AuthServicesInfo @@ -18,6 +19,7 @@ class ServicesHook: self.name = 'Undefined' self.urlpatterns = [] self.service_ctrl_template = 'registered/services_ctrl.html' + self.access_perm = None @property def title(self): @@ -67,26 +69,8 @@ class ServicesHook: """ pass - def service_enabled_members(self): - """ - Return setting config for service enabled for members - :return: bool True if enabled - """ - return False - - def service_enabled_blues(self): - """ - Return setting config for service enabled for Blues - :return: bool True if enabled - """ - return False - def service_active_for_user(self, user): - state = AuthServicesInfo.objects.get(user=user).state - return ( - (state == MEMBER_STATE and self.service_enabled_members()) or - (state == BLUE_STATE and self.service_enabled_blues()) - ) + pass def show_service_ctrl(self, user, state): """ @@ -97,9 +81,7 @@ class ServicesHook: :param state: auth user state :return: bool True if the service should be shown """ - return (self.service_enabled_members() and ( - state == MEMBER_STATE or user.is_superuser)) or ( - self.service_enabled_blues() and (state == BLUE_STATE or user.is_superuser)) + return self.service_active_for_user(user) or user.is_superuser def render_services_ctrl(self, request): """ @@ -119,6 +101,11 @@ class ServicesHook: self.auth_reset_password = '' self.auth_deactivate = '' + @staticmethod + def get_services(): + for fn in get_hooks('services_hook'): + yield fn() + class MenuItemHook: def __init__(self, text, classes, url_name, order=None): diff --git a/services/modules/discord/auth_hooks.py b/services/modules/discord/auth_hooks.py index b1738073..b123e868 100644 --- a/services/modules/discord/auth_hooks.py +++ b/services/modules/discord/auth_hooks.py @@ -19,6 +19,7 @@ class DiscordService(ServicesHook): self.urlpatterns = urlpatterns self.name = 'discord' self.service_ctrl_template = 'registered/discord_service_ctrl.html' + self.access_perm = 'discord.access_discord' def delete_user(self, user, notify_user=False): logger.debug('Deleting user %s %s account' % (user, self.name)) @@ -42,11 +43,8 @@ class DiscordService(ServicesHook): logger.debug('Update all %s groups called' % self.name) DiscordTasks.update_all_groups.delay() - def service_enabled_members(self): - return settings.ENABLE_AUTH_DISCORD or False - - def service_enabled_blues(self): - return settings.ENABLE_BLUE_DISCORD or False + def service_active_for_user(self, user): + return user.has_perm(self.access_perm) def render_services_ctrl(self, request): return render_to_string(self.service_ctrl_template, { diff --git a/services/modules/discord/migrations/0002_service_permissions.py b/services/modules/discord/migrations/0002_service_permissions.py new file mode 100644 index 00000000..39a2ff2c --- /dev/null +++ b/services/modules/discord/migrations/0002_service_permissions.py @@ -0,0 +1,61 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.5 on 2017-02-02 05:59 +from __future__ import unicode_literals + +from django.db import migrations +from django.conf import settings +from django.core.exceptions import ObjectDoesNotExist +from django.contrib.auth.management import create_permissions + +import logging + +logger = logging.getLogger(__name__) + + +def migrate_service_enabled(apps, schema_editor): + for app_config in apps.get_app_configs(): + app_config.models_module = True + create_permissions(app_config, apps=apps, verbosity=0) + app_config.models_module = None + + Group = apps.get_model("auth", "Group") + Permission = apps.get_model("auth", "Permission") + DiscordUser = apps.get_model("discord", "DiscordUser") + + perm = Permission.objects.get(codename='access_discord') + + member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member') + blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue') + + # Migrate members + if DiscordUser.objects.filter(user__groups__name=member_group_name).exists() or \ + getattr(settings, str('ENABLE_AUTH_DISCORD'), False): + try: + group = Group.objects.get(name=member_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_AUTH_DISCORD setting') + + # Migrate blues + if DiscordUser.objects.filter(user__groups__name=blue_group_name).exists() or \ + getattr(settings, str('ENABLE_BLUE_DISCORD'), False): + try: + group = Group.objects.get(name=blue_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_BLUE_DISCORD setting') + + +class Migration(migrations.Migration): + + dependencies = [ + ('discord', '0001_initial'), + ] + + operations = [ + migrations.AlterModelOptions( + name='discorduser', + options={'permissions': (('access_discord', 'Can access the Discord service'),)}, + ), + migrations.RunPython(migrate_service_enabled), + ] diff --git a/services/modules/discord/models.py b/services/modules/discord/models.py index cfe38358..5bcd4ef5 100644 --- a/services/modules/discord/models.py +++ b/services/modules/discord/models.py @@ -4,6 +4,7 @@ from django.contrib.auth.models import User from django.db import models +@python_2_unicode_compatible class DiscordUser(models.Model): user = models.OneToOneField(User, primary_key=True, @@ -13,3 +14,8 @@ class DiscordUser(models.Model): def __str__(self): return "{} - {}".format(self.user.username, self.uid) + + class Meta: + permissions = ( + ("access_discord", u"Can access the Discord service"), + ) diff --git a/services/modules/discord/tasks.py b/services/modules/discord/tasks.py index 8f639430..0e502d63 100644 --- a/services/modules/discord/tasks.py +++ b/services/modules/discord/tasks.py @@ -122,10 +122,4 @@ class DiscordTasks: @classmethod def disable(cls): - if settings.ENABLE_AUTH_DISCORD: - logger.warn( - "ENABLE_AUTH_DISCORD still True, after disabling users will still be able to link Discord accounts") - if settings.ENABLE_BLUE_DISCORD: - logger.warn( - "ENABLE_BLUE_DISCORD still True, after disabling blues will still be able to link Discord accounts") DiscordUser.objects.all().delete() diff --git a/services/modules/discord/tests.py b/services/modules/discord/tests.py index 3ac9b27e..a6775ede 100644 --- a/services/modules/discord/tests.py +++ b/services/modules/discord/tests.py @@ -9,7 +9,7 @@ except ImportError: from django.test import TestCase, RequestFactory from django.conf import settings -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group, Permission from django.core.exceptions import ObjectDoesNotExist from alliance_auth.tests.auth_utils import AuthUtils @@ -21,6 +21,13 @@ from .tasks import DiscordTasks MODULE_PATH = 'services.modules.discord' +def add_permissions(): + permission = Permission.objects.get(codename='access_discord') + members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP) + blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP) + AuthUtils.add_permissions_to_groups([permission], [members, blues]) + + class DiscordHooksTestCase(TestCase): def setUp(self): self.member = 'member_user' @@ -32,6 +39,7 @@ class DiscordHooksTestCase(TestCase): self.none_user = 'none_user' none_user = AuthUtils.create_user(self.none_user) self.service = DiscordService + add_permissions() def test_has_account(self): member = User.objects.get(username=self.member) @@ -46,8 +54,6 @@ class DiscordHooksTestCase(TestCase): member = User.objects.get(username=self.member) blue = User.objects.get(username=self.blue) none_user = User.objects.get(username=self.none_user) - self.assertTrue(service.service_enabled_members()) - self.assertTrue(service.service_enabled_blues()) self.assertTrue(service.service_active_for_user(member)) self.assertTrue(service.service_active_for_user(blue)) @@ -147,6 +153,7 @@ class DiscordViewsTestCase(TestCase): self.member = AuthUtils.create_member('auth_member') self.member.set_password('password') self.member.save() + add_permissions() def login(self): self.client.login(username=self.member.username, password='password') diff --git a/services/modules/discord/views.py b/services/modules/discord/views.py index 3223c5b9..5a907071 100644 --- a/services/modules/discord/views.py +++ b/services/modules/discord/views.py @@ -5,9 +5,9 @@ import logging from django.contrib import messages from django.contrib.auth.decorators import login_required from django.contrib.auth.decorators import user_passes_test +from django.contrib.auth.decorators import permission_required from django.shortcuts import redirect -from authentication.decorators import members_and_blues from .manager import DiscordOAuthManager from .tasks import DiscordTasks from services.views import superuser_test @@ -15,9 +15,11 @@ from services.views import superuser_test logger = logging.getLogger(__name__) +ACCESS_PERM = 'discord.access_discord' + @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def deactivate_discord(request): logger.debug("deactivate_discord called by user %s" % request.user) if DiscordTasks.delete_user(request.user): @@ -30,7 +32,7 @@ def deactivate_discord(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def reset_discord(request): logger.debug("reset_discord called by user %s" % request.user) if DiscordTasks.delete_user(request.user): @@ -42,14 +44,14 @@ def reset_discord(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def activate_discord(request): logger.debug("activate_discord called by user %s" % request.user) return redirect(DiscordOAuthManager.generate_oauth_redirect_url()) @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def discord_callback(request): logger.debug("Received Discord callback for activation of user %s" % request.user) code = request.GET.get('code', None) diff --git a/services/modules/discourse/auth_hooks.py b/services/modules/discourse/auth_hooks.py index 3af0276f..c8126676 100644 --- a/services/modules/discourse/auth_hooks.py +++ b/services/modules/discourse/auth_hooks.py @@ -21,6 +21,7 @@ class DiscourseService(ServicesHook): self.urlpatterns = urlpatterns self.name = 'discourse' self.service_ctrl_template = 'registered/discourse_service_ctrl.html' + self.access_perm = 'discourse.access_discourse' def delete_user(self, user, notify_user=False): logger.debug('Deleting user %s %s account' % (user, self.name)) @@ -40,11 +41,8 @@ class DiscourseService(ServicesHook): logger.debug('Update all %s groups called' % self.name) DiscourseTasks.update_all_groups.delay() - def service_enabled_members(self): - return settings.ENABLE_AUTH_DISCOURSE or False - - def service_enabled_blues(self): - return settings.ENABLE_BLUE_DISCOURSE or False + def service_active_for_user(self, user): + return user.has_perm(self.access_perm) def render_services_ctrl(self, request): return render_to_string(self.service_ctrl_template, { diff --git a/services/modules/discourse/migrations/0002_service_permissions.py b/services/modules/discourse/migrations/0002_service_permissions.py new file mode 100644 index 00000000..14947733 --- /dev/null +++ b/services/modules/discourse/migrations/0002_service_permissions.py @@ -0,0 +1,62 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.5 on 2017-02-02 05:59 +from __future__ import unicode_literals + +from django.db import migrations +from django.conf import settings +from django.core.exceptions import ObjectDoesNotExist +from django.contrib.auth.management import create_permissions + +import logging + +logger = logging.getLogger(__name__) + + +def migrate_service_enabled(apps, schema_editor): + for app_config in apps.get_app_configs(): + app_config.models_module = True + create_permissions(app_config, apps=apps, verbosity=0) + app_config.models_module = None + + Group = apps.get_model("auth", "Group") + Permission = apps.get_model("auth", "Permission") + DiscourseUser = apps.get_model("discourse", "DiscourseUser") + + perm = Permission.objects.get(codename='access_discourse') + + member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member') + blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue') + + # Migrate members + if DiscourseUser.objects.filter(user__groups__name=member_group_name).exists() or \ + getattr(settings, str('ENABLE_AUTH_DISCOURSE'), False): + try: + group = Group.objects.get(name=member_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_AUTH_DISCOURSE setting') + + # Migrate blues + if DiscourseUser.objects.filter(user__groups__name=blue_group_name).exists() or \ + getattr(settings, str('ENABLE_BLUE_DISCOURSE'), False): + try: + group = Group.objects.get(name=blue_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_BLUE_DISCOURSE setting') + + + +class Migration(migrations.Migration): + + dependencies = [ + ('discourse', '0001_initial'), + ] + + operations = [ + migrations.AlterModelOptions( + name='discourseuser', + options={'permissions': (('access_discourse', 'Can access the Discourse service'),)}, + ), + migrations.RunPython(migrate_service_enabled), + ] diff --git a/services/modules/discourse/models.py b/services/modules/discourse/models.py index 3b2c6a8c..9b72ea90 100644 --- a/services/modules/discourse/models.py +++ b/services/modules/discourse/models.py @@ -4,6 +4,7 @@ from django.contrib.auth.models import User from django.db import models +@python_2_unicode_compatible class DiscourseUser(models.Model): user = models.OneToOneField(User, primary_key=True, @@ -13,3 +14,8 @@ class DiscourseUser(models.Model): def __str__(self): return self.user.username + + class Meta: + permissions = ( + ("access_discourse", u"Can access the Discourse service"), + ) diff --git a/services/modules/discourse/tests.py b/services/modules/discourse/tests.py index ade9f3e6..d7cd89e1 100644 --- a/services/modules/discourse/tests.py +++ b/services/modules/discourse/tests.py @@ -9,7 +9,7 @@ except ImportError: from django.test import TestCase, RequestFactory from django.conf import settings -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group, Permission from django.core.exceptions import ObjectDoesNotExist from alliance_auth.tests.auth_utils import AuthUtils @@ -21,6 +21,13 @@ from .tasks import DiscourseTasks MODULE_PATH = 'services.modules.discourse' +def add_permissions(): + permission = Permission.objects.get(codename='access_discourse') + members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP) + blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP) + AuthUtils.add_permissions_to_groups([permission], [members, blues]) + + class DiscourseHooksTestCase(TestCase): def setUp(self): self.member = 'member_user' @@ -32,6 +39,7 @@ class DiscourseHooksTestCase(TestCase): self.none_user = 'none_user' none_user = AuthUtils.create_user(self.none_user) self.service = DiscourseService + add_permissions() def test_has_account(self): member = User.objects.get(username=self.member) @@ -46,11 +54,9 @@ class DiscourseHooksTestCase(TestCase): member = User.objects.get(username=self.member) blue = User.objects.get(username=self.blue) none_user = User.objects.get(username=self.none_user) - self.assertTrue(service.service_enabled_members()) - self.assertTrue(service.service_enabled_blues()) - self.assertEqual(service.service_active_for_user(member), settings.ENABLE_AUTH_DISCOURSE) - self.assertEqual(service.service_active_for_user(blue), settings.ENABLE_BLUE_DISCOURSE) + self.assertTrue(service.service_active_for_user(member)) + self.assertTrue(service.service_active_for_user(blue)) self.assertFalse(service.service_active_for_user(none_user)) @mock.patch(MODULE_PATH + '.tasks.DiscourseManager') @@ -124,6 +130,7 @@ class DiscourseViewsTestCase(TestCase): self.member.set_password('password') self.member.save() AuthUtils.add_main_character(self.member, 'auth_member', '12345', corp_id='111', corp_name='Test Corporation') + add_permissions() @mock.patch(MODULE_PATH + '.tasks.DiscourseManager') def test_sso_member(self, manager): diff --git a/services/modules/discourse/views.py b/services/modules/discourse/views.py index 670c4154..cc44dab8 100644 --- a/services/modules/discourse/views.py +++ b/services/modules/discourse/views.py @@ -31,20 +31,16 @@ import logging logger = logging.getLogger(__name__) +ACCESS_PERM = 'discourse.access_discourse' + + @login_required def discourse_sso(request): ## Check if user has access auth = AuthServicesInfo.objects.get(user=request.user) - if not request.user.is_superuser: - if not settings.ENABLE_AUTH_DISCOURSE and auth.state == MEMBER_STATE: - messages.error(request, 'Members are not authorized to access Discourse.') - return redirect('auth_dashboard') - elif not settings.ENABLE_BLUE_DISCOURSE and auth.state == BLUE_STATE: - messages.error(request, 'Blues are not authorized to access Discourse.') - return redirect('auth_dashboard') - elif auth.state == NONE_STATE: + if not request.user.has_perm(ACCESS_PERM): messages.error(request, 'You are not authorized to access Discourse.') return redirect('auth_dashboard') diff --git a/services/modules/ipboard/auth_hooks.py b/services/modules/ipboard/auth_hooks.py index 7bbf095c..40164365 100644 --- a/services/modules/ipboard/auth_hooks.py +++ b/services/modules/ipboard/auth_hooks.py @@ -20,6 +20,7 @@ class IpboardService(ServicesHook): self.name = 'ipboard' self.service_url = settings.IPBOARD_ENDPOINT self.urlpatterns = urlpatterns + self.access_perm = 'ipboard.access_ipboard' @property def title(self): @@ -43,11 +44,8 @@ class IpboardService(ServicesHook): logger.debug('Update all %s groups called' % self.name) IpboardTasks.update_all_groups.delay() - def service_enabled_members(self): - return settings.ENABLE_AUTH_IPBOARD or False - - def service_enabled_blues(self): - return settings.ENABLE_BLUE_IPBOARD or False + def service_active_for_user(self, user): + return user.has_perm(self.access_perm) def render_services_ctrl(self, request): urls = self.Urls() diff --git a/services/modules/ipboard/migrations/0002_service_permissions.py b/services/modules/ipboard/migrations/0002_service_permissions.py new file mode 100644 index 00000000..49f78e64 --- /dev/null +++ b/services/modules/ipboard/migrations/0002_service_permissions.py @@ -0,0 +1,61 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.5 on 2017-02-02 05:59 +from __future__ import unicode_literals + +from django.db import migrations +from django.conf import settings +from django.core.exceptions import ObjectDoesNotExist +from django.contrib.auth.management import create_permissions + +import logging + +logger = logging.getLogger(__name__) + + +def migrate_service_enabled(apps, schema_editor): + for app_config in apps.get_app_configs(): + app_config.models_module = True + create_permissions(app_config, apps=apps, verbosity=0) + app_config.models_module = None + + Group = apps.get_model("auth", "Group") + Permission = apps.get_model("auth", "Permission") + IpboardUser = apps.get_model("ipboard", "IpboardUser") + + perm = Permission.objects.get(codename='access_ipboard') + + member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member') + blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue') + + # Migrate members + if IpboardUser.objects.filter(user__groups__name=member_group_name).exists() or \ + getattr(settings, str('ENABLE_AUTH_IPBOARD'), False): + try: + group = Group.objects.get(name=member_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_AUTH_IPBOARD setting') + + # Migrate blues + if IpboardUser.objects.filter(user__groups__name=blue_group_name).exists() or \ + getattr(settings, str('ENABLE_BLUE_IPBOARD'), False): + try: + group = Group.objects.get(name=blue_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_BLUE_IPBOARD setting') + + +class Migration(migrations.Migration): + + dependencies = [ + ('ipboard', '0001_initial'), + ] + + operations = [ + migrations.AlterModelOptions( + name='ipboarduser', + options={'permissions': (('access_ipboard', 'Can access the IPBoard service'),)}, + ), + migrations.RunPython(migrate_service_enabled), + ] diff --git a/services/modules/ipboard/models.py b/services/modules/ipboard/models.py index 8cb0cb4c..456ddb18 100644 --- a/services/modules/ipboard/models.py +++ b/services/modules/ipboard/models.py @@ -14,3 +14,8 @@ class IpboardUser(models.Model): def __str__(self): return self.username + + class Meta: + permissions = ( + ("access_ipboard", u"Can access the IPBoard service"), + ) diff --git a/services/modules/ipboard/tasks.py b/services/modules/ipboard/tasks.py index b00f2639..1d31681a 100644 --- a/services/modules/ipboard/tasks.py +++ b/services/modules/ipboard/tasks.py @@ -62,11 +62,5 @@ class IpboardTasks: @staticmethod def disable(): - if settings.ENABLE_AUTH_IPBOARD: - logger.warn( - "ENABLE_AUTH_IPBOARD still True, after disabling users will still be able to create IPBoard accounts") - if settings.ENABLE_BLUE_IPBOARD: - logger.warn( - "ENABLE_BLUE_IPBOARD still True, after disabling blues will still be able to create IPBoard accounts") logger.debug("Deleting all Ipboard Users") IpboardUser.objects.all().delete() diff --git a/services/modules/ipboard/tests.py b/services/modules/ipboard/tests.py index cb3b127d..8d4e0438 100644 --- a/services/modules/ipboard/tests.py +++ b/services/modules/ipboard/tests.py @@ -9,7 +9,7 @@ except ImportError: from django.test import TestCase, RequestFactory from django.conf import settings -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group, Permission from django import urls from django.core.exceptions import ObjectDoesNotExist @@ -23,6 +23,13 @@ from .manager import IPBoardManager MODULE_PATH = 'services.modules.ipboard' +def add_permissions(): + permission = Permission.objects.get(codename='access_ipboard') + members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP) + blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP) + AuthUtils.add_permissions_to_groups([permission], [members, blues]) + + class IpboardHooksTestCase(TestCase): def setUp(self): self.member = 'member_user' @@ -34,6 +41,7 @@ class IpboardHooksTestCase(TestCase): self.none_user = 'none_user' none_user = AuthUtils.create_user(self.none_user) self.service = IpboardService + add_permissions() def test_has_account(self): member = User.objects.get(username=self.member) @@ -48,11 +56,9 @@ class IpboardHooksTestCase(TestCase): member = User.objects.get(username=self.member) blue = User.objects.get(username=self.blue) none_user = User.objects.get(username=self.none_user) - self.assertTrue(service.service_enabled_members()) - self.assertTrue(service.service_enabled_blues()) - self.assertEqual(service.service_active_for_user(member), settings.ENABLE_AUTH_IPBOARD) - self.assertEqual(service.service_active_for_user(blue), settings.ENABLE_BLUE_IPBOARD) + self.assertTrue(service.service_active_for_user(member)) + self.assertTrue(service.service_active_for_user(blue)) self.assertFalse(service.service_active_for_user(none_user)) @mock.patch(MODULE_PATH + '.tasks.IPBoardManager') @@ -133,6 +139,7 @@ class IpboardViewsTestCase(TestCase): self.member.email = 'auth_member@example.com' self.member.save() AuthUtils.add_main_character(self.member, 'auth_member', '12345', corp_id='111', corp_name='Test Corporation') + add_permissions() def login(self): self.client.login(username=self.member.username, password='password') diff --git a/services/modules/ipboard/views.py b/services/modules/ipboard/views.py index 6033ebf8..89d2550d 100644 --- a/services/modules/ipboard/views.py +++ b/services/modules/ipboard/views.py @@ -1,10 +1,9 @@ from __future__ import unicode_literals from django.contrib import messages -from django.contrib.auth.decorators import login_required +from django.contrib.auth.decorators import login_required, permission_required from django.shortcuts import render, redirect -from authentication.decorators import members_and_blues from services.forms import ServicePasswordForm from eveonline.managers import EveManager @@ -16,9 +15,11 @@ import logging logger = logging.getLogger(__name__) +ACCESS_PERM = 'ipboard.access_ipboard' + @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def activate_ipboard_forum(request): logger.debug("activate_ipboard_forum called by user %s" % request.user) character = EveManager.get_main_character(request.user) @@ -46,7 +47,7 @@ def activate_ipboard_forum(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def deactivate_ipboard_forum(request): logger.debug("deactivate_ipboard_forum called by user %s" % request.user) # false we failed @@ -60,7 +61,7 @@ def deactivate_ipboard_forum(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def set_ipboard_password(request): logger.debug("set_ipboard_password called by user %s" % request.user) error = None @@ -90,7 +91,7 @@ def set_ipboard_password(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def reset_ipboard_password(request): logger.debug("reset_ipboard_password called by user %s" % request.user) if IpboardTasks.has_account(request.user): diff --git a/services/modules/ips4/auth_hooks.py b/services/modules/ips4/auth_hooks.py index a29b4c55..561d883b 100644 --- a/services/modules/ips4/auth_hooks.py +++ b/services/modules/ips4/auth_hooks.py @@ -16,16 +16,14 @@ class Ips4Service(ServicesHook): self.name = 'ips4' self.urlpatterns = urlpatterns self.service_url = settings.IPS4_URL + self.access_perm = 'ips4.access_ips4' @property def title(self): return 'IPS4' - def service_enabled_members(self): - return settings.ENABLE_AUTH_IPS4 or False - - def service_enabled_blues(self): - return settings.ENABLE_BLUE_IPS4 or False + def service_active_for_user(self, user): + return user.has_perm(self.access_perm) def render_services_ctrl(self, request): """ diff --git a/services/modules/ips4/migrations/0002_service_permissions.py b/services/modules/ips4/migrations/0002_service_permissions.py new file mode 100644 index 00000000..ff69462b --- /dev/null +++ b/services/modules/ips4/migrations/0002_service_permissions.py @@ -0,0 +1,61 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.5 on 2017-02-02 05:59 +from __future__ import unicode_literals + +from django.db import migrations +from django.conf import settings +from django.core.exceptions import ObjectDoesNotExist +from django.contrib.auth.management import create_permissions + +import logging + +logger = logging.getLogger(__name__) + + +def migrate_service_enabled(apps, schema_editor): + for app_config in apps.get_app_configs(): + app_config.models_module = True + create_permissions(app_config, apps=apps, verbosity=0) + app_config.models_module = None + + Group = apps.get_model("auth", "Group") + Permission = apps.get_model("auth", "Permission") + Ips4User = apps.get_model("ips4", "Ips4User") + + perm = Permission.objects.get(codename='access_ips4') + + member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member') + blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue') + + # Migrate members + if Ips4User.objects.filter(user__groups__name=member_group_name).exists() or \ + getattr(settings, str('ENABLE_AUTH_IPS4'), False): + try: + group = Group.objects.get(name=member_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_AUTH_IPS4 setting') + + # Migrate blues + if Ips4User.objects.filter(user__groups__name=blue_group_name).exists() or \ + getattr(settings, str('ENABLE_BLUE_IPS4'), False): + try: + group = Group.objects.get(name=blue_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_BLUE_IPS4 setting') + + +class Migration(migrations.Migration): + + dependencies = [ + ('ips4', '0001_initial'), + ] + + operations = [ + migrations.AlterModelOptions( + name='ips4user', + options={'permissions': (('access_ips4', 'Can access the IPS4 service'),)}, + ), + migrations.RunPython(migrate_service_enabled), + ] diff --git a/services/modules/ips4/models.py b/services/modules/ips4/models.py index 445ec19a..a664a90f 100644 --- a/services/modules/ips4/models.py +++ b/services/modules/ips4/models.py @@ -15,3 +15,8 @@ class Ips4User(models.Model): def __str__(self): return self.username + + class Meta: + permissions = ( + ("access_ips4", u"Can access the IPS4 service"), + ) diff --git a/services/modules/ips4/tasks.py b/services/modules/ips4/tasks.py index 73fb6aa8..bd02a234 100644 --- a/services/modules/ips4/tasks.py +++ b/services/modules/ips4/tasks.py @@ -33,11 +33,5 @@ class Ips4Tasks: @staticmethod def disable(): - if settings.ENABLE_AUTH_IPS4: - logger.warn( - "ENABLE_AUTH_IPS4 still True, after disabling users will still be able to create IPS4 accounts") - if settings.ENABLE_BLUE_IPS4: - logger.warn( - "ENABLE_BLUE_IPS4 still True, after disabling blues will still be able to create IPS4 accounts") logging.debug("Deleting all IPS4 users") Ips4User.objects.all().delete() diff --git a/services/modules/ips4/tests.py b/services/modules/ips4/tests.py index aafe1781..628d9ca9 100644 --- a/services/modules/ips4/tests.py +++ b/services/modules/ips4/tests.py @@ -10,7 +10,7 @@ except ImportError: from django.test import TestCase, RequestFactory from django.conf import settings from django import urls -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group, Permission from django.core.exceptions import ObjectDoesNotExist from alliance_auth.tests.auth_utils import AuthUtils @@ -22,6 +22,13 @@ from .tasks import Ips4Tasks MODULE_PATH = 'services.modules.ips4' +def add_permissions(): + permission = Permission.objects.get(codename='access_ips4') + members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP) + blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP) + AuthUtils.add_permissions_to_groups([permission], [members, blues]) + + class Ips4HooksTestCase(TestCase): def setUp(self): self.member = 'member_user' @@ -33,6 +40,7 @@ class Ips4HooksTestCase(TestCase): self.none_user = 'none_user' none_user = AuthUtils.create_user(self.none_user) self.service = Ips4Service + add_permissions() def test_has_account(self): member = User.objects.get(username=self.member) @@ -47,11 +55,9 @@ class Ips4HooksTestCase(TestCase): member = User.objects.get(username=self.member) blue = User.objects.get(username=self.blue) none_user = User.objects.get(username=self.none_user) - self.assertTrue(service.service_enabled_members()) - self.assertTrue(service.service_enabled_blues()) - self.assertEqual(service.service_active_for_user(member), settings.ENABLE_AUTH_IPS4) - self.assertEqual(service.service_active_for_user(blue), settings.ENABLE_BLUE_IPS4) + self.assertTrue(service.service_active_for_user(member)) + self.assertTrue(service.service_active_for_user(blue)) self.assertFalse(service.service_active_for_user(none_user)) def test_render_services_ctrl(self): @@ -81,6 +87,7 @@ class Ips4ViewsTestCase(TestCase): self.member.email = 'auth_member@example.com' self.member.save() AuthUtils.add_main_character(self.member, 'auth_member', '12345', corp_id='111', corp_name='Test Corporation') + add_permissions() def login(self): self.client.login(username=self.member.username, password='password') diff --git a/services/modules/ips4/views.py b/services/modules/ips4/views.py index a1d862d8..9117f932 100644 --- a/services/modules/ips4/views.py +++ b/services/modules/ips4/views.py @@ -1,7 +1,7 @@ from __future__ import unicode_literals from django.contrib import messages -from django.contrib.auth.decorators import login_required +from django.contrib.auth.decorators import login_required, permission_required from django.shortcuts import render, redirect from authentication.decorators import members_and_blues @@ -16,9 +16,11 @@ import logging logger = logging.getLogger(__name__) +ACCESS_PERM = 'ips4.access_ips4' + @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def activate_ips4(request): logger.debug("activate_ips4 called by user %s" % request.user) character = EveManager.get_main_character(request.user) @@ -44,7 +46,7 @@ def activate_ips4(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def reset_ips4_password(request): logger.debug("reset_ips4_password called by user %s" % request.user) if Ips4Tasks.has_account(request.user): @@ -66,7 +68,7 @@ def reset_ips4_password(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def set_ips4_password(request): logger.debug("set_ips4_password called by user %s" % request.user) if request.method == 'POST': @@ -94,7 +96,7 @@ def set_ips4_password(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def deactivate_ips4(request): logger.debug("deactivate_ips4 called by user %s" % request.user) if Ips4Tasks.delete_user(request.user): diff --git a/services/modules/market/auth_hooks.py b/services/modules/market/auth_hooks.py index 8a680e2b..28fd6be5 100644 --- a/services/modules/market/auth_hooks.py +++ b/services/modules/market/auth_hooks.py @@ -20,6 +20,7 @@ class MarketService(ServicesHook): self.name = 'market' self.urlpatterns = urlpatterns self.service_url = settings.MARKET_URL + self.access_perm = 'market.access_market' @property def title(self): @@ -31,14 +32,11 @@ class MarketService(ServicesHook): def validate_user(self, user): logger.debug('Validating user %s %s account' % (user, self.name)) - if MarketTasks.has_account(user) and self.service_active_for_user(user): + if MarketTasks.has_account(user) and not self.service_active_for_user(user): self.delete_user(user) - def service_enabled_members(self): - return settings.ENABLE_AUTH_MARKET or False - - def service_enabled_blues(self): - return settings.ENABLE_BLUE_MARKET or False + def service_active_for_user(self, user): + return user.has_perm(self.access_perm) def render_services_ctrl(self, request): urls = self.Urls() diff --git a/services/modules/market/migrations/0002_service_permissions.py b/services/modules/market/migrations/0002_service_permissions.py new file mode 100644 index 00000000..c15a5cad --- /dev/null +++ b/services/modules/market/migrations/0002_service_permissions.py @@ -0,0 +1,61 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.5 on 2017-02-02 05:59 +from __future__ import unicode_literals + +from django.db import migrations +from django.conf import settings +from django.core.exceptions import ObjectDoesNotExist +from django.contrib.auth.management import create_permissions + +import logging + +logger = logging.getLogger(__name__) + + +def migrate_service_enabled(apps, schema_editor): + for app_config in apps.get_app_configs(): + app_config.models_module = True + create_permissions(app_config, apps=apps, verbosity=0) + app_config.models_module = None + + Group = apps.get_model("auth", "Group") + Permission = apps.get_model("auth", "Permission") + MarketUser = apps.get_model("market", "MarketUser") + + perm = Permission.objects.get(codename='access_market') + + member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member') + blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue') + + # Migrate members + if MarketUser.objects.filter(user__groups__name=member_group_name).exists() or \ + getattr(settings, str('ENABLE_AUTH_MARKET'), False): + try: + group = Group.objects.get(name=member_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_AUTH_MARKET setting') + + # Migrate blues + if MarketUser.objects.filter(user__groups__name=blue_group_name).exists() or \ + getattr(settings, str('ENABLE_BLUE_MARKET'), False): + try: + group = Group.objects.get(name=blue_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_BLUE_MARKET setting') + + +class Migration(migrations.Migration): + + dependencies = [ + ('market', '0001_initial'), + ] + + operations = [ + migrations.AlterModelOptions( + name='marketuser', + options={'permissions': (('access_market', 'Can access the Evernus Market service'),)}, + ), + migrations.RunPython(migrate_service_enabled), + ] diff --git a/services/modules/market/models.py b/services/modules/market/models.py index 1edba722..945fb52e 100644 --- a/services/modules/market/models.py +++ b/services/modules/market/models.py @@ -14,3 +14,8 @@ class MarketUser(models.Model): def __str__(self): return self.username + + class Meta: + permissions = ( + ("access_market", u"Can access the Evernus Market service"), + ) diff --git a/services/modules/market/tasks.py b/services/modules/market/tasks.py index adb1160b..8fc029ec 100644 --- a/services/modules/market/tasks.py +++ b/services/modules/market/tasks.py @@ -37,8 +37,4 @@ class MarketTasks: @staticmethod def disable(): - if settings.ENABLE_AUTH_MARKET: - logger.warn("ENABLE_AUTH_MARKET still True, after disabling users will still be able to activate Market accounts") - if settings.ENABLE_BLUE_MARKET: - logger.warn("ENABLE_BLUE_MARKET still True, after disabling blues will still be able to activate Market accounts") MarketUser.objects.all().delete() diff --git a/services/modules/market/tests.py b/services/modules/market/tests.py index 70c75d10..9e148a23 100644 --- a/services/modules/market/tests.py +++ b/services/modules/market/tests.py @@ -10,7 +10,7 @@ except ImportError: from django.test import TestCase, RequestFactory from django.conf import settings from django import urls -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group, Permission from django.core.exceptions import ObjectDoesNotExist from alliance_auth.tests.auth_utils import AuthUtils @@ -22,6 +22,13 @@ from .tasks import MarketTasks MODULE_PATH = 'services.modules.market' +def add_permissions(): + permission = Permission.objects.get(codename='access_market') + members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP) + blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP) + AuthUtils.add_permissions_to_groups([permission], [members, blues]) + + class MarketHooksTestCase(TestCase): def setUp(self): self.member = 'member_user' @@ -33,6 +40,7 @@ class MarketHooksTestCase(TestCase): self.none_user = 'none_user' none_user = AuthUtils.create_user(self.none_user) self.service = MarketService + add_permissions() def test_has_account(self): member = User.objects.get(username=self.member) @@ -47,11 +55,9 @@ class MarketHooksTestCase(TestCase): member = User.objects.get(username=self.member) blue = User.objects.get(username=self.blue) none_user = User.objects.get(username=self.none_user) - self.assertTrue(service.service_enabled_members()) - self.assertTrue(service.service_enabled_blues()) - self.assertEqual(service.service_active_for_user(member), settings.ENABLE_AUTH_MARKET) - self.assertEqual(service.service_active_for_user(blue), settings.ENABLE_BLUE_MARKET) + self.assertTrue(service.service_active_for_user(member)) + self.assertTrue(service.service_active_for_user(blue)) self.assertFalse(service.service_active_for_user(none_user)) @mock.patch(MODULE_PATH + '.tasks.MarketManager') @@ -66,6 +72,22 @@ class MarketHooksTestCase(TestCase): with self.assertRaises(ObjectDoesNotExist): market_user = User.objects.get(username=self.member).market + @mock.patch(MODULE_PATH + '.tasks.MarketManager') + def test_validate_user(self, manager): + service = self.service() + # Test member is not deleted + member = User.objects.get(username=self.member) + service.validate_user(member) + self.assertTrue(User.objects.get(username=self.member).market) + + # Test none user is deleted + none_user = User.objects.get(username=self.none_user) + MarketUser.objects.create(user=none_user, username='abc123') + service.validate_user(none_user) + self.assertTrue(manager.disable_user.called) + with self.assertRaises(ObjectDoesNotExist): + none_svc = User.objects.get(username=self.none_user).market + def test_render_services_ctrl(self): service = self.service() member = User.objects.get(username=self.member) @@ -93,6 +115,7 @@ class MarketViewsTestCase(TestCase): self.member.email = 'auth_member@example.com' self.member.save() AuthUtils.add_main_character(self.member, 'auth_member', '12345', corp_id='111', corp_name='Test Corporation') + add_permissions() def login(self): self.client.login(username=self.member.username, password='password') diff --git a/services/modules/market/views.py b/services/modules/market/views.py index 706bf5c0..7c4b2248 100644 --- a/services/modules/market/views.py +++ b/services/modules/market/views.py @@ -1,10 +1,9 @@ from __future__ import unicode_literals from django.contrib import messages -from django.contrib.auth.decorators import login_required +from django.contrib.auth.decorators import login_required, permission_required from django.shortcuts import render, redirect -from authentication.decorators import members_and_blues from services.forms import ServicePasswordForm from eveonline.managers import EveManager @@ -16,9 +15,11 @@ import logging logger = logging.getLogger(__name__) +ACCESS_PERM = 'market.access_market' + @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def activate_market(request): logger.debug("activate_market called by user %s" % request.user) character = EveManager.get_main_character(request.user) @@ -44,7 +45,7 @@ def activate_market(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def deactivate_market(request): logger.debug("deactivate_market called by user %s" % request.user) # false we failed @@ -58,7 +59,7 @@ def deactivate_market(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def reset_market_password(request): logger.debug("reset_market_password called by user %s" % request.user) if MarketTasks.has_account(request.user): @@ -80,7 +81,7 @@ def reset_market_password(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def set_market_password(request): logger.debug("set_market_password called by user %s" % request.user) if request.method == 'POST': diff --git a/services/modules/mumble/auth_hooks.py b/services/modules/mumble/auth_hooks.py index c191b01a..4585744f 100644 --- a/services/modules/mumble/auth_hooks.py +++ b/services/modules/mumble/auth_hooks.py @@ -20,6 +20,7 @@ class MumbleService(ServicesHook): self.name = 'mumble' self.urlpatterns = urlpatterns self.service_url = settings.MUMBLE_URL + self.access_perm = 'mumble.access_mumble' def delete_user(self, user, notify_user=False): logging.debug("Deleting user %s %s account" % (user, self.name)) @@ -42,11 +43,8 @@ class MumbleService(ServicesHook): logger.debug("Updating all %s groups" % self.name) MumbleTasks.update_all_groups.delay() - def service_enabled_members(self): - return settings.ENABLE_AUTH_MUMBLE or False - - def service_enabled_blues(self): - return settings.ENABLE_BLUE_MUMBLE or False + def service_active_for_user(self, user): + return user.has_perm(self.access_perm) def render_services_ctrl(self, request): urls = self.Urls() diff --git a/services/modules/mumble/migrations/0006_service_permissions.py b/services/modules/mumble/migrations/0006_service_permissions.py new file mode 100644 index 00000000..8e576e17 --- /dev/null +++ b/services/modules/mumble/migrations/0006_service_permissions.py @@ -0,0 +1,61 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.5 on 2017-02-02 05:59 +from __future__ import unicode_literals + +from django.db import migrations +from django.conf import settings +from django.core.exceptions import ObjectDoesNotExist +from django.contrib.auth.management import create_permissions + +import logging + +logger = logging.getLogger(__name__) + + +def migrate_service_enabled(apps, schema_editor): + for app_config in apps.get_app_configs(): + app_config.models_module = True + create_permissions(app_config, apps=apps, verbosity=0) + app_config.models_module = None + + Group = apps.get_model("auth", "Group") + Permission = apps.get_model("auth", "Permission") + MumbleUser = apps.get_model("mumble", "MumbleUser") + + perm = Permission.objects.get(codename='access_mumble') + + member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member') + blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue') + + # Migrate members + if MumbleUser.objects.filter(user__groups__name=member_group_name).exists() or \ + getattr(settings, str('ENABLE_AUTH_MUMBLE'), False): + try: + group = Group.objects.get(name=member_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_AUTH_MUMBLE setting') + + # Migrate blues + if MumbleUser.objects.filter(user__groups__name=blue_group_name).exists() or \ + getattr(settings, str('ENABLE_BLUE_MUMBLE'), False): + try: + group = Group.objects.get(name=blue_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_BLUE_MUMBLE setting') + + +class Migration(migrations.Migration): + + dependencies = [ + ('mumble', '0005_mumbleuser_hashfn'), + ] + + operations = [ + migrations.AlterModelOptions( + name='mumbleuser', + options={'permissions': (('access_mumble', 'Can access the Mumble service'),)}, + ), + migrations.RunPython(migrate_service_enabled), + ] diff --git a/services/modules/mumble/models.py b/services/modules/mumble/models.py index b711790b..160c4212 100644 --- a/services/modules/mumble/models.py +++ b/services/modules/mumble/models.py @@ -13,3 +13,8 @@ class MumbleUser(models.Model): def __str__(self): return self.username + + class Meta: + permissions = ( + ("access_mumble", u"Can access the Mumble service"), + ) diff --git a/services/modules/mumble/tasks.py b/services/modules/mumble/tasks.py index 61a5caf1..46e9cad8 100644 --- a/services/modules/mumble/tasks.py +++ b/services/modules/mumble/tasks.py @@ -26,10 +26,6 @@ class MumbleTasks: @staticmethod def disable_mumble(): - if settings.ENABLE_AUTH_MUMBLE: - logger.warn("ENABLE_AUTH_MUMBLE still True, after disabling users will still be able to create mumble accounts") - if settings.ENABLE_BLUE_MUMBLE: - logger.warn("ENABLE_BLUE_MUMBLE still True, after disabling blues will still be able to create mumble accounts") logger.info("Deleting all MumbleUser models") MumbleUser.objects.all().delete() diff --git a/services/modules/mumble/tests.py b/services/modules/mumble/tests.py index 6b6e7db9..1e0b9fd2 100644 --- a/services/modules/mumble/tests.py +++ b/services/modules/mumble/tests.py @@ -10,7 +10,7 @@ except ImportError: from django.test import TestCase, RequestFactory from django.conf import settings from django import urls -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group, Permission from django.core.exceptions import ObjectDoesNotExist from alliance_auth.tests.auth_utils import AuthUtils @@ -22,6 +22,13 @@ from .tasks import MumbleTasks MODULE_PATH = 'services.modules.mumble' +def add_permissions(): + permission = Permission.objects.get(codename='access_mumble') + members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP) + blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP) + AuthUtils.add_permissions_to_groups([permission], [members, blues]) + + class MumbleHooksTestCase(TestCase): def setUp(self): self.member = 'member_user' @@ -33,6 +40,7 @@ class MumbleHooksTestCase(TestCase): self.none_user = 'none_user' none_user = AuthUtils.create_user(self.none_user) self.service = MumbleService + add_permissions() def test_has_account(self): member = User.objects.get(username=self.member) @@ -47,11 +55,9 @@ class MumbleHooksTestCase(TestCase): member = User.objects.get(username=self.member) blue = User.objects.get(username=self.blue) none_user = User.objects.get(username=self.none_user) - self.assertTrue(service.service_enabled_members()) - self.assertTrue(service.service_enabled_blues()) - self.assertEqual(service.service_active_for_user(member), settings.ENABLE_AUTH_MUMBLE) - self.assertEqual(service.service_active_for_user(blue), settings.ENABLE_BLUE_MUMBLE) + self.assertTrue(service.service_active_for_user(member)) + self.assertTrue(service.service_active_for_user(blue)) self.assertFalse(service.service_active_for_user(none_user)) @mock.patch(MODULE_PATH + '.tasks.MumbleManager') @@ -133,6 +139,7 @@ class MumbleViewsTestCase(TestCase): self.member.save() AuthUtils.add_main_character(self.member, 'auth_member', '12345', corp_id='111', corp_name='Test Corporation', corp_ticker='TESTR') + add_permissions() def login(self): self.client.login(username=self.member.username, password='password') diff --git a/services/modules/mumble/views.py b/services/modules/mumble/views.py index b3a76c5a..cffda36d 100644 --- a/services/modules/mumble/views.py +++ b/services/modules/mumble/views.py @@ -1,9 +1,8 @@ from __future__ import unicode_literals -from django.contrib.auth.decorators import login_required +from django.contrib.auth.decorators import login_required, permission_required from django.shortcuts import render, redirect from django.contrib import messages -from authentication.decorators import members_and_blues from eveonline.managers import EveManager from eveonline.models import EveAllianceInfo from authentication.states import MEMBER_STATE, BLUE_STATE, NONE_STATE @@ -19,9 +18,11 @@ import logging logger = logging.getLogger(__name__) +ACCESS_PERM = 'mumble.access_mumble' + @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def activate_mumble(request): logger.debug("activate_mumble called by user %s" % request.user) authinfo = AuthServicesInfo.objects.get(user=request.user) @@ -57,7 +58,7 @@ def activate_mumble(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def deactivate_mumble(request): logger.debug("deactivate_mumble called by user %s" % request.user) # if we successfully remove the user or the user is already removed @@ -71,7 +72,7 @@ def deactivate_mumble(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def reset_mumble_password(request): logger.debug("reset_mumble_password called by user %s" % request.user) result = MumbleManager.update_user_password(request.user) @@ -93,7 +94,7 @@ def reset_mumble_password(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def set_mumble_password(request): logger.debug("set_mumble_password called by user %s" % request.user) if request.method == 'POST': diff --git a/services/modules/openfire/auth_hooks.py b/services/modules/openfire/auth_hooks.py index ab0b8b2a..5989769e 100644 --- a/services/modules/openfire/auth_hooks.py +++ b/services/modules/openfire/auth_hooks.py @@ -20,6 +20,7 @@ class OpenfireService(ServicesHook): self.name = 'openfire' self.urlpatterns = urlpatterns self.service_url = settings.JABBER_URL + self.access_perm = 'openfire.access_openfire' @property def title(self): @@ -43,11 +44,8 @@ class OpenfireService(ServicesHook): logger.debug('Update all %s groups called' % self.name) OpenfireTasks.update_all_groups.delay() - def service_enabled_members(self): - return settings.ENABLE_AUTH_JABBER or False # TODO: Rename this setting - - def service_enabled_blues(self): - return settings.ENABLE_BLUE_JABBER or False # TODO: Rename this setting + def service_active_for_user(self, user): + return user.has_perm(self.access_perm) def render_services_ctrl(self, request): """ diff --git a/services/modules/openfire/migrations/0002_service_permissions.py b/services/modules/openfire/migrations/0002_service_permissions.py new file mode 100644 index 00000000..100ad4b0 --- /dev/null +++ b/services/modules/openfire/migrations/0002_service_permissions.py @@ -0,0 +1,61 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.5 on 2017-02-02 05:59 +from __future__ import unicode_literals + +from django.db import migrations +from django.conf import settings +from django.core.exceptions import ObjectDoesNotExist +from django.contrib.auth.management import create_permissions + +import logging + +logger = logging.getLogger(__name__) + + +def migrate_service_enabled(apps, schema_editor): + for app_config in apps.get_app_configs(): + app_config.models_module = True + create_permissions(app_config, apps=apps, verbosity=0) + app_config.models_module = None + + Group = apps.get_model("auth", "Group") + Permission = apps.get_model("auth", "Permission") + OpenfireUser = apps.get_model("openfire", "OpenfireUser") + + perm = Permission.objects.get(codename='access_openfire') + + member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member') + blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue') + + # Migrate members + if OpenfireUser.objects.filter(user__groups__name=member_group_name).exists() or \ + getattr(settings, str('ENABLE_AUTH_JABBER'), False): + try: + group = Group.objects.get(name=member_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_AUTH_JABBER setting') + + # Migrate blues + if OpenfireUser.objects.filter(user__groups__name=blue_group_name).exists() or \ + getattr(settings, str('ENABLE_BLUE_JABBER'), False): + try: + group = Group.objects.get(name=blue_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_BLUE_JABBER setting') + + +class Migration(migrations.Migration): + + dependencies = [ + ('openfire', '0001_initial'), + ] + + operations = [ + migrations.AlterModelOptions( + name='openfireuser', + options={'permissions': (('access_openfire', 'Can access the Openfire service'),)}, + ), + migrations.RunPython(migrate_service_enabled), + ] diff --git a/services/modules/openfire/models.py b/services/modules/openfire/models.py index dca95993..1e07bc98 100644 --- a/services/modules/openfire/models.py +++ b/services/modules/openfire/models.py @@ -13,3 +13,8 @@ class OpenfireUser(models.Model): def __str__(self): return self.username + + class Meta: + permissions = ( + ("access_openfire", u"Can access the Openfire service"), + ) diff --git a/services/modules/openfire/tasks.py b/services/modules/openfire/tasks.py index 9fd00094..632ced5e 100644 --- a/services/modules/openfire/tasks.py +++ b/services/modules/openfire/tasks.py @@ -39,10 +39,6 @@ class OpenfireTasks: @staticmethod def disable_jabber(): - if settings.ENABLE_AUTH_JABBER: - logger.warn("ENABLE_AUTH_JABBER still True, after disabling users will still be able to create jabber accounts") - if settings.ENABLE_BLUE_JABBER: - logger.warn("ENABLE_BLUE_JABBER still True, after disabling blues will still be able to create jabber accounts") logging.debug("Deleting all Openfire users") OpenfireUser.objects.all().delete() diff --git a/services/modules/openfire/tests.py b/services/modules/openfire/tests.py index c6ce71f6..2ce4a31b 100644 --- a/services/modules/openfire/tests.py +++ b/services/modules/openfire/tests.py @@ -10,7 +10,7 @@ except ImportError: from django.test import TestCase, RequestFactory from django.conf import settings from django import urls -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group, Permission from django.core.exceptions import ObjectDoesNotExist from alliance_auth.tests.auth_utils import AuthUtils @@ -22,6 +22,13 @@ from .tasks import OpenfireTasks MODULE_PATH = 'services.modules.openfire' +def add_permissions(): + permission = Permission.objects.get(codename='access_openfire') + members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP) + blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP) + AuthUtils.add_permissions_to_groups([permission], [members, blues]) + + class OpenfireHooksTestCase(TestCase): def setUp(self): self.member = 'member_user' @@ -33,6 +40,7 @@ class OpenfireHooksTestCase(TestCase): self.none_user = 'none_user' none_user = AuthUtils.create_user(self.none_user) self.service = OpenfireService + add_permissions() def test_has_account(self): member = User.objects.get(username=self.member) @@ -47,11 +55,9 @@ class OpenfireHooksTestCase(TestCase): member = User.objects.get(username=self.member) blue = User.objects.get(username=self.blue) none_user = User.objects.get(username=self.none_user) - self.assertTrue(service.service_enabled_members()) - self.assertTrue(service.service_enabled_blues()) - self.assertEqual(service.service_active_for_user(member), settings.ENABLE_AUTH_JABBER) - self.assertEqual(service.service_active_for_user(blue), settings.ENABLE_BLUE_JABBER) + self.assertTrue(service.service_active_for_user(member)) + self.assertTrue(service.service_active_for_user(blue)) self.assertFalse(service.service_active_for_user(none_user)) @mock.patch(MODULE_PATH + '.tasks.OpenfireManager') @@ -136,6 +142,7 @@ class OpenfireViewsTestCase(TestCase): self.member.email = 'auth_member@example.com' self.member.save() AuthUtils.add_main_character(self.member, 'auth_member', '12345', corp_id='111', corp_name='Test Corporation') + add_permissions() def login(self): self.client.login(username=self.member.username, password='password') diff --git a/services/modules/openfire/views.py b/services/modules/openfire/views.py index 90ff272f..bebb3309 100644 --- a/services/modules/openfire/views.py +++ b/services/modules/openfire/views.py @@ -21,9 +21,11 @@ import logging logger = logging.getLogger(__name__) +ACCESS_PERM = 'openfire.access_openfire' + @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def activate_jabber(request): logger.debug("activate_jabber called by user %s" % request.user) character = EveManager.get_main_character(request.user) @@ -49,7 +51,7 @@ def activate_jabber(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def deactivate_jabber(request): logger.debug("deactivate_jabber called by user %s" % request.user) if OpenfireTasks.has_account(request.user) and OpenfireTasks.delete_user(request.user): @@ -62,7 +64,7 @@ def deactivate_jabber(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def reset_jabber_password(request): logger.debug("reset_jabber_password called by user %s" % request.user) if OpenfireTasks.has_account(request.user): @@ -133,7 +135,7 @@ def jabber_broadcast_view(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def set_jabber_password(request): logger.debug("set_jabber_password called by user %s" % request.user) if request.method == 'POST': diff --git a/services/modules/phpbb3/auth_hooks.py b/services/modules/phpbb3/auth_hooks.py index df698103..384e1e19 100644 --- a/services/modules/phpbb3/auth_hooks.py +++ b/services/modules/phpbb3/auth_hooks.py @@ -20,6 +20,7 @@ class Phpbb3Service(ServicesHook): self.name = 'phpbb3' self.urlpatterns = urlpatterns self.service_url = settings.FORUM_URL # TODO: This needs to be renamed at some point... + self.access_perm = 'phpbb3.access_phpbb3' @property def title(self): @@ -43,11 +44,8 @@ class Phpbb3Service(ServicesHook): logger.debug('Update all %s groups called' % self.name) Phpbb3Tasks.update_all_groups.delay() - def service_enabled_members(self): - return settings.ENABLE_AUTH_FORUM or False # TODO: Rename this setting - - def service_enabled_blues(self): - return settings.ENABLE_BLUE_FORUM or False # TODO: Rename this setting + def service_active_for_user(self, user): + return user.has_perm(self.access_perm) def render_services_ctrl(self, request): urls = self.Urls() diff --git a/services/modules/phpbb3/migrations/0002_service_permissions.py b/services/modules/phpbb3/migrations/0002_service_permissions.py new file mode 100644 index 00000000..5cb3106a --- /dev/null +++ b/services/modules/phpbb3/migrations/0002_service_permissions.py @@ -0,0 +1,61 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.5 on 2017-02-02 05:59 +from __future__ import unicode_literals + +from django.db import migrations +from django.conf import settings +from django.core.exceptions import ObjectDoesNotExist +from django.contrib.auth.management import create_permissions + +import logging + +logger = logging.getLogger(__name__) + + +def migrate_service_enabled(apps, schema_editor): + for app_config in apps.get_app_configs(): + app_config.models_module = True + create_permissions(app_config, apps=apps, verbosity=0) + app_config.models_module = None + + Group = apps.get_model("auth", "Group") + Permission = apps.get_model("auth", "Permission") + Phpbb3User = apps.get_model("phpbb3", "Phpbb3User") + + perm = Permission.objects.get(codename='access_phpbb3') + + member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member') + blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue') + + # Migrate members + if Phpbb3User.objects.filter(user__groups__name=member_group_name).exists() or \ + getattr(settings, str('ENABLE_AUTH_FORUM'), False): + try: + group = Group.objects.get(name=member_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_AUTH_FORUM setting') + + # Migrate blues + if Phpbb3User.objects.filter(user__groups__name=blue_group_name).exists() or \ + getattr(settings, str('ENABLE_BLUE_FORUM'), False): + try: + group = Group.objects.get(name=blue_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_BLUE_FORUM setting') + + +class Migration(migrations.Migration): + + dependencies = [ + ('phpbb3', '0001_initial'), + ] + + operations = [ + migrations.AlterModelOptions( + name='phpbb3user', + options={'permissions': (('access_phpbb3', 'Can access the phpBB3 service'),)}, + ), + migrations.RunPython(migrate_service_enabled), + ] diff --git a/services/modules/phpbb3/models.py b/services/modules/phpbb3/models.py index 05cfebf5..d19f7ad7 100644 --- a/services/modules/phpbb3/models.py +++ b/services/modules/phpbb3/models.py @@ -13,3 +13,8 @@ class Phpbb3User(models.Model): def __str__(self): return self.username + + class Meta: + permissions = ( + ("access_phpbb3", u"Can access the phpBB3 service"), + ) diff --git a/services/modules/phpbb3/tasks.py b/services/modules/phpbb3/tasks.py index 90d3b446..126f239e 100644 --- a/services/modules/phpbb3/tasks.py +++ b/services/modules/phpbb3/tasks.py @@ -66,8 +66,4 @@ class Phpbb3Tasks: @staticmethod def disable(): - if settings.ENABLE_AUTH_FORUM: - logger.warn("ENABLE_AUTH_FORUM still True, after disabling users will still be able to create forum accounts") - if settings.ENABLE_BLUE_FORUM: - logger.warn("ENABLE_BLUE_FORUM still True, after disabling blues will still be able to create forum accounts") Phpbb3User.objects.all().delete() diff --git a/services/modules/phpbb3/tests.py b/services/modules/phpbb3/tests.py index 4ee24c60..d254508f 100644 --- a/services/modules/phpbb3/tests.py +++ b/services/modules/phpbb3/tests.py @@ -10,7 +10,7 @@ except ImportError: from django.test import TestCase, RequestFactory from django.conf import settings from django import urls -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group, Permission from django.core.exceptions import ObjectDoesNotExist from alliance_auth.tests.auth_utils import AuthUtils @@ -22,6 +22,13 @@ from .tasks import Phpbb3Tasks MODULE_PATH = 'services.modules.phpbb3' +def add_permissions(): + permission = Permission.objects.get(codename='access_phpbb3') + members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP) + blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP) + AuthUtils.add_permissions_to_groups([permission], [members, blues]) + + class Phpbb3HooksTestCase(TestCase): def setUp(self): self.member = 'member_user' @@ -33,6 +40,7 @@ class Phpbb3HooksTestCase(TestCase): self.none_user = 'none_user' none_user = AuthUtils.create_user(self.none_user) self.service = Phpbb3Service + add_permissions() def test_has_account(self): member = User.objects.get(username=self.member) @@ -47,11 +55,9 @@ class Phpbb3HooksTestCase(TestCase): member = User.objects.get(username=self.member) blue = User.objects.get(username=self.blue) none_user = User.objects.get(username=self.none_user) - self.assertTrue(service.service_enabled_members()) - self.assertTrue(service.service_enabled_blues()) - self.assertEqual(service.service_active_for_user(member), settings.ENABLE_AUTH_FORUM) - self.assertEqual(service.service_active_for_user(blue), settings.ENABLE_BLUE_FORUM) + self.assertTrue(service.service_active_for_user(member)) + self.assertTrue(service.service_active_for_user(blue)) self.assertFalse(service.service_active_for_user(none_user)) @mock.patch(MODULE_PATH + '.tasks.Phpbb3Manager') @@ -136,6 +142,7 @@ class Phpbb3ViewsTestCase(TestCase): self.member.email = 'auth_member@example.com' self.member.save() AuthUtils.add_main_character(self.member, 'auth_member', '12345', corp_id='111', corp_name='Test Corporation') + add_permissions() def login(self): self.client.login(username=self.member.username, password='password') diff --git a/services/modules/phpbb3/views.py b/services/modules/phpbb3/views.py index 2c1b21db..34bc7963 100644 --- a/services/modules/phpbb3/views.py +++ b/services/modules/phpbb3/views.py @@ -1,7 +1,7 @@ from __future__ import unicode_literals from django.contrib import messages -from django.contrib.auth.decorators import login_required +from django.contrib.auth.decorators import login_required, permission_required from django.shortcuts import render, redirect from authentication.decorators import members_and_blues @@ -16,9 +16,11 @@ import logging logger = logging.getLogger(__name__) +ACCESS_PERM = 'phpbb3.access_phpbb3' + @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def activate_forum(request): logger.debug("activate_forum called by user %s" % request.user) # Valid now we get the main characters @@ -46,7 +48,7 @@ def activate_forum(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def deactivate_forum(request): logger.debug("deactivate_forum called by user %s" % request.user) # false we failed @@ -60,7 +62,7 @@ def deactivate_forum(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def reset_forum_password(request): logger.debug("reset_forum_password called by user %s" % request.user) if Phpbb3Tasks.has_account(request.user): @@ -83,7 +85,7 @@ def reset_forum_password(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def set_forum_password(request): logger.debug("set_forum_password called by user %s" % request.user) if request.method == 'POST': diff --git a/services/modules/smf/auth_hooks.py b/services/modules/smf/auth_hooks.py index b6e30652..47471326 100644 --- a/services/modules/smf/auth_hooks.py +++ b/services/modules/smf/auth_hooks.py @@ -20,6 +20,7 @@ class SmfService(ServicesHook): self.name = 'smf' self.urlpatterns = urlpatterns self.service_url = settings.SMF_URL + self.access_perm = 'smf.access_smf' @property def title(self): @@ -43,11 +44,8 @@ class SmfService(ServicesHook): logger.debug('Update all %s groups called' % self.name) SmfTasks.update_all_groups.delay() - def service_enabled_members(self): - return settings.ENABLE_AUTH_SMF or False - - def service_enabled_blues(self): - return settings.ENABLE_BLUE_SMF or False + def service_active_for_user(self, user): + return user.has_perm(self.access_perm) def render_services_ctrl(self, request): urls = self.Urls() diff --git a/services/modules/smf/migrations/0002_service_permissions.py b/services/modules/smf/migrations/0002_service_permissions.py new file mode 100644 index 00000000..e7557f1d --- /dev/null +++ b/services/modules/smf/migrations/0002_service_permissions.py @@ -0,0 +1,61 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.5 on 2017-02-02 05:59 +from __future__ import unicode_literals + +from django.db import migrations +from django.conf import settings +from django.core.exceptions import ObjectDoesNotExist +from django.contrib.auth.management import create_permissions + +import logging + +logger = logging.getLogger(__name__) + + +def migrate_service_enabled(apps, schema_editor): + for app_config in apps.get_app_configs(): + app_config.models_module = True + create_permissions(app_config, apps=apps, verbosity=0) + app_config.models_module = None + + Group = apps.get_model("auth", "Group") + Permission = apps.get_model("auth", "Permission") + SmfUser = apps.get_model("smf", "SmfUser") + + perm = Permission.objects.get(codename='access_smf') + + member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member') + blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue') + + # Migrate members + if SmfUser.objects.filter(user__groups__name=member_group_name).exists() or \ + getattr(settings, str('ENABLE_AUTH_SMF'), False): + try: + group = Group.objects.get(name=member_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_AUTH_SMF setting') + + # Migrate blues + if SmfUser.objects.filter(user__groups__name=blue_group_name).exists() or \ + getattr(settings, str('ENABLE_BLUE_SMF'), False): + try: + group = Group.objects.get(name=blue_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_BLUE_SMF setting') + + +class Migration(migrations.Migration): + + dependencies = [ + ('smf', '0001_initial'), + ] + + operations = [ + migrations.AlterModelOptions( + name='smfuser', + options={'permissions': (('access_smf', 'Can access the SMF service'),)}, + ), + migrations.RunPython(migrate_service_enabled), + ] diff --git a/services/modules/smf/models.py b/services/modules/smf/models.py index 726476a5..1e05456f 100644 --- a/services/modules/smf/models.py +++ b/services/modules/smf/models.py @@ -13,3 +13,8 @@ class SmfUser(models.Model): def __str__(self): return self.username + + class Meta: + permissions = ( + ("access_smf", u"Can access the SMF service"), + ) diff --git a/services/modules/smf/tasks.py b/services/modules/smf/tasks.py index 9b9c8f72..fceb905f 100644 --- a/services/modules/smf/tasks.py +++ b/services/modules/smf/tasks.py @@ -38,12 +38,6 @@ class SmfTasks: @classmethod def disable(cls): - if settings.ENABLE_AUTH_SMF: - logger.warn( - "ENABLE_AUTH_SMF still True, after disabling users will still be able to link smf accounts") - if settings.ENABLE_BLUE_SMF: - logger.warn( - "ENABLE_BLUE_SMF still True, after disabling blues will still be able to link smf accounts") SmfUser.objects.all().delete() @staticmethod diff --git a/services/modules/smf/tests.py b/services/modules/smf/tests.py index bace9368..25720b82 100644 --- a/services/modules/smf/tests.py +++ b/services/modules/smf/tests.py @@ -10,7 +10,7 @@ except ImportError: from django.test import TestCase, RequestFactory from django.conf import settings from django import urls -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group, Permission from django.core.exceptions import ObjectDoesNotExist from alliance_auth.tests.auth_utils import AuthUtils @@ -22,6 +22,13 @@ from .tasks import SmfTasks MODULE_PATH = 'services.modules.smf' +def add_permissions(): + permission = Permission.objects.get(codename='access_smf') + members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP) + blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP) + AuthUtils.add_permissions_to_groups([permission], [members, blues]) + + class SmfHooksTestCase(TestCase): def setUp(self): self.member = 'member_user' @@ -33,6 +40,7 @@ class SmfHooksTestCase(TestCase): self.none_user = 'none_user' none_user = AuthUtils.create_user(self.none_user) self.service = SmfService + add_permissions() def test_has_account(self): member = User.objects.get(username=self.member) @@ -47,11 +55,9 @@ class SmfHooksTestCase(TestCase): member = User.objects.get(username=self.member) blue = User.objects.get(username=self.blue) none_user = User.objects.get(username=self.none_user) - self.assertTrue(service.service_enabled_members()) - self.assertTrue(service.service_enabled_blues()) - self.assertEqual(service.service_active_for_user(member), settings.ENABLE_AUTH_SMF) - self.assertEqual(service.service_active_for_user(blue), settings.ENABLE_BLUE_SMF) + self.assertTrue(service.service_active_for_user(member)) + self.assertTrue(service.service_active_for_user(blue)) self.assertFalse(service.service_active_for_user(none_user)) @mock.patch(MODULE_PATH + '.tasks.SmfManager') @@ -136,6 +142,7 @@ class SmfViewsTestCase(TestCase): self.member.email = 'auth_member@example.com' self.member.save() AuthUtils.add_main_character(self.member, 'auth_member', '12345', corp_id='111', corp_name='Test Corporation') + add_permissions() def login(self): self.client.login(username=self.member.username, password='password') diff --git a/services/modules/smf/views.py b/services/modules/smf/views.py index fbe58c86..a5ce14e5 100644 --- a/services/modules/smf/views.py +++ b/services/modules/smf/views.py @@ -1,10 +1,9 @@ from __future__ import unicode_literals from django.contrib import messages -from django.contrib.auth.decorators import login_required +from django.contrib.auth.decorators import login_required, permission_required from django.shortcuts import render, redirect -from authentication.decorators import members_and_blues from eveonline.managers import EveManager from services.forms import ServicePasswordForm @@ -16,9 +15,11 @@ import logging logger = logging.getLogger(__name__) +ACCESS_PERM = 'smf.access_smf' + @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def activate_smf(request): logger.debug("activate_smf called by user %s" % request.user) # Valid now we get the main characters @@ -45,7 +46,7 @@ def activate_smf(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def deactivate_smf(request): logger.debug("deactivate_smf called by user %s" % request.user) result = SmfTasks.delete_user(request.user) @@ -60,7 +61,7 @@ def deactivate_smf(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def reset_smf_password(request): logger.debug("reset_smf_password called by user %s" % request.user) character = EveManager.get_main_character(request.user) @@ -82,7 +83,7 @@ def reset_smf_password(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def set_smf_password(request): logger.debug("set_smf_password called by user %s" % request.user) if request.method == 'POST': diff --git a/services/modules/teamspeak3/auth_hooks.py b/services/modules/teamspeak3/auth_hooks.py index b740b90f..0cb20a56 100644 --- a/services/modules/teamspeak3/auth_hooks.py +++ b/services/modules/teamspeak3/auth_hooks.py @@ -20,6 +20,7 @@ class Teamspeak3Service(ServicesHook): self.name = 'teamspeak3' self.urlpatterns = urlpatterns self.service_ctrl_template = 'registered/teamspeak3_service_ctrl.html' + self.access_perm = 'teamspeak3.access_teamspeak3' def delete_user(self, user, notify_user=False): logger.debug('Deleting user %s %s account' % (user, self.name)) @@ -38,11 +39,8 @@ class Teamspeak3Service(ServicesHook): logger.debug('Update all %s groups called' % self.name) Teamspeak3Tasks.update_all_groups.delay() - def service_enabled_members(self): - return settings.ENABLE_AUTH_TEAMSPEAK3 or False - - def service_enabled_blues(self): - return settings.ENABLE_BLUE_TEAMSPEAK3 or False + def service_active_for_user(self, user): + return user.has_perm(self.access_perm) def render_services_ctrl(self, request): authinfo = {'teamspeak3_uid': '', diff --git a/services/modules/teamspeak3/migrations/0004_service_permissions.py b/services/modules/teamspeak3/migrations/0004_service_permissions.py new file mode 100644 index 00000000..5f8b27db --- /dev/null +++ b/services/modules/teamspeak3/migrations/0004_service_permissions.py @@ -0,0 +1,61 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.5 on 2017-02-02 05:59 +from __future__ import unicode_literals + +from django.db import migrations +from django.conf import settings +from django.core.exceptions import ObjectDoesNotExist +from django.contrib.auth.management import create_permissions + +import logging + +logger = logging.getLogger(__name__) + + +def migrate_service_enabled(apps, schema_editor): + for app_config in apps.get_app_configs(): + app_config.models_module = True + create_permissions(app_config, apps=apps, verbosity=0) + app_config.models_module = None + + Group = apps.get_model("auth", "Group") + Permission = apps.get_model("auth", "Permission") + Teamspeak3User = apps.get_model("teamspeak3", "Teamspeak3User") + + perm = Permission.objects.get(codename='access_teamspeak3') + + member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member') + blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue') + + # Migrate members + if Teamspeak3User.objects.filter(user__groups__name=member_group_name).exists() or \ + getattr(settings, str('ENABLE_AUTH_TEAMSPEAK3'), False): + try: + group = Group.objects.get(name=member_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_AUTH_TEAMSPEAK3 setting') + + # Migrate blues + if Teamspeak3User.objects.filter(user__groups__name=blue_group_name).exists() or \ + getattr(settings, str('ENABLE_BLUE_TEAMSPEAK3'), False): + try: + group = Group.objects.get(name=blue_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_BLUE_TEAMSPEAK3 setting') + + +class Migration(migrations.Migration): + + dependencies = [ + ('teamspeak3', '0003_teamspeak3user'), + ] + + operations = [ + migrations.AlterModelOptions( + name='teamspeak3user', + options={'permissions': (('access_teamspeak3', 'Can access the Teamspeak3 service'),)}, + ), + migrations.RunPython(migrate_service_enabled), + ] diff --git a/services/modules/teamspeak3/models.py b/services/modules/teamspeak3/models.py index 6e0aeaf3..17a3c9aa 100644 --- a/services/modules/teamspeak3/models.py +++ b/services/modules/teamspeak3/models.py @@ -15,6 +15,11 @@ class Teamspeak3User(models.Model): def __str__(self): return self.uid + class Meta: + permissions = ( + ("access_teamspeak3", u"Can access the Teamspeak3 service"), + ) + @python_2_unicode_compatible class TSgroup(models.Model): diff --git a/services/modules/teamspeak3/tasks.py b/services/modules/teamspeak3/tasks.py index a25eb363..4643449f 100644 --- a/services/modules/teamspeak3/tasks.py +++ b/services/modules/teamspeak3/tasks.py @@ -42,18 +42,11 @@ class Teamspeak3Tasks: @staticmethod @app.task() def run_ts3_group_update(): - if settings.ENABLE_AUTH_TEAMSPEAK3 or settings.ENABLE_BLUE_TEAMSPEAK3: - logger.debug("TS3 installed. Syncing local group objects.") - Teamspeak3Manager._sync_ts_group_db() + logger.debug("TS3 installed. Syncing local group objects.") + Teamspeak3Manager._sync_ts_group_db() @staticmethod def disable(): - if settings.ENABLE_AUTH_TEAMSPEAK3: - logger.warn( - "ENABLE_AUTH_TEAMSPEAK3 still True, after disabling users will still be able to create teamspeak accounts") - if settings.ENABLE_BLUE_TEAMSPEAK3: - logger.warn( - "ENABLE_BLUE_TEAMSPEAK3 still True, after disabling blues will still be able to create teamspeak accounts") logger.info("Deleting all Teamspeak3Users") Teamspeak3User.objects.all().delete() logger.info("Deleting all UserTSgroup models") diff --git a/services/modules/teamspeak3/tests.py b/services/modules/teamspeak3/tests.py index ba8e166c..bb190e2d 100644 --- a/services/modules/teamspeak3/tests.py +++ b/services/modules/teamspeak3/tests.py @@ -10,7 +10,7 @@ except ImportError: from django.test import TestCase, RequestFactory from django.conf import settings from django import urls -from django.contrib.auth.models import User, Group +from django.contrib.auth.models import User, Group, Permission from django.core.exceptions import ObjectDoesNotExist from django.db.models import signals @@ -24,6 +24,13 @@ from .signals import m2m_changed_authts_group, post_save_authts, post_delete_aut MODULE_PATH = 'services.modules.teamspeak3' +def add_permissions(): + permission = Permission.objects.get(codename='access_teamspeak3') + members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP) + blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP) + AuthUtils.add_permissions_to_groups([permission], [members, blues]) + + class Teamspeak3HooksTestCase(TestCase): def setUp(self): # Inert signals before setup begins @@ -46,6 +53,7 @@ class Teamspeak3HooksTestCase(TestCase): m2m_blue_group.ts_group.add(ts_blue_group) m2m_blue_group.save() self.service = Teamspeak3Service + add_permissions() def test_has_account(self): member = User.objects.get(username=self.member) @@ -60,11 +68,9 @@ class Teamspeak3HooksTestCase(TestCase): member = User.objects.get(username=self.member) blue = User.objects.get(username=self.blue) none_user = User.objects.get(username=self.none_user) - self.assertTrue(service.service_enabled_members()) - self.assertTrue(service.service_enabled_blues()) - self.assertEqual(service.service_active_for_user(member), settings.ENABLE_AUTH_TEAMSPEAK3) - self.assertEqual(service.service_active_for_user(blue), settings.ENABLE_BLUE_TEAMSPEAK3) + self.assertTrue(service.service_active_for_user(member)) + self.assertTrue(service.service_active_for_user(blue)) self.assertFalse(service.service_active_for_user(none_user)) @mock.patch(MODULE_PATH + '.tasks.Teamspeak3Manager') @@ -164,6 +170,7 @@ class Teamspeak3ViewsTestCase(TestCase): m2m_blue = AuthTS.objects.create(auth_group=Group.objects.get(name='Blue')) m2m_blue.ts_group.add(ts_blue_group) m2m_blue.save() + add_permissions() def login(self, user=None, password=None): if user is None: diff --git a/services/modules/teamspeak3/views.py b/services/modules/teamspeak3/views.py index b13e48cf..4eee0799 100644 --- a/services/modules/teamspeak3/views.py +++ b/services/modules/teamspeak3/views.py @@ -1,10 +1,9 @@ import logging from django.contrib import messages -from django.contrib.auth.decorators import login_required +from django.contrib.auth.decorators import login_required, permission_required from django.shortcuts import render, redirect -from authentication.decorators import members_and_blues from authentication.states import BLUE_STATE from authentication.models import AuthServicesInfo from eveonline.managers import EveManager @@ -18,9 +17,11 @@ from .models import Teamspeak3User logger = logging.getLogger(__name__) +ACCESS_PERM = 'teamspeak3.access_teamspeak3' + @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def activate_teamspeak3(request): logger.debug("activate_teamspeak3 called by user %s" % request.user) @@ -52,7 +53,7 @@ def activate_teamspeak3(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def verify_teamspeak3(request): logger.debug("verify_teamspeak3 called by user %s" % request.user) if not Teamspeak3Tasks.has_account(request.user): @@ -75,7 +76,7 @@ def verify_teamspeak3(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def deactivate_teamspeak3(request): logger.debug("deactivate_teamspeak3 called by user %s" % request.user) if Teamspeak3Tasks.has_account(request.user) and Teamspeak3Tasks.delete_user(request.user): @@ -87,7 +88,7 @@ def deactivate_teamspeak3(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def reset_teamspeak3_perm(request): logger.debug("reset_teamspeak3_perm called by user %s" % request.user) if not Teamspeak3Tasks.has_account(request.user): diff --git a/services/modules/xenforo/auth_hooks.py b/services/modules/xenforo/auth_hooks.py index 6309d029..19d1347c 100644 --- a/services/modules/xenforo/auth_hooks.py +++ b/services/modules/xenforo/auth_hooks.py @@ -19,6 +19,7 @@ class XenforoService(ServicesHook): ServicesHook.__init__(self) self.name = 'xenforo' self.urlpatterns = urlpatterns + self.access_perm = 'xenforo.access_xenforo' @property def title(self): @@ -33,11 +34,8 @@ class XenforoService(ServicesHook): if XenforoTasks.has_account(user) and not self.service_active_for_user(user): self.delete_user(user, notify_user=True) - def service_enabled_members(self): - return settings.ENABLE_AUTH_XENFORO or False - - def service_enabled_blues(self): - return settings.ENABLE_BLUE_XENFORO or False + def service_active_for_user(self, user): + return user.has_perm(self.access_perm) def render_services_ctrl(self, request): urls = self.Urls() diff --git a/services/modules/xenforo/migrations/0002_service_permissions.py b/services/modules/xenforo/migrations/0002_service_permissions.py new file mode 100644 index 00000000..a9b20a5b --- /dev/null +++ b/services/modules/xenforo/migrations/0002_service_permissions.py @@ -0,0 +1,61 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.5 on 2017-02-02 05:59 +from __future__ import unicode_literals + +from django.db import migrations +from django.conf import settings +from django.core.exceptions import ObjectDoesNotExist +from django.contrib.auth.management import create_permissions + +import logging + +logger = logging.getLogger(__name__) + + +def migrate_service_enabled(apps, schema_editor): + for app_config in apps.get_app_configs(): + app_config.models_module = True + create_permissions(app_config, apps=apps, verbosity=0) + app_config.models_module = None + + Group = apps.get_model("auth", "Group") + Permission = apps.get_model("auth", "Permission") + XenforoUser = apps.get_model("xenforo", "XenforoUser") + + perm = Permission.objects.get(codename='access_xenforo') + + member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member') + blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue') + + # Migrate members + if XenforoUser.objects.filter(user__groups__name=member_group_name).exists() or \ + getattr(settings, str('ENABLE_AUTH_XENFORO'), False): + try: + group = Group.objects.get(name=member_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_AUTH_XENFORO setting') + + # Migrate blues + if XenforoUser.objects.filter(user__groups__name=blue_group_name).exists() or \ + getattr(settings, str('ENABLE_BLUE_XENFORO'), False): + try: + group = Group.objects.get(name=blue_group_name) + group.permissions.add(perm) + except ObjectDoesNotExist: + logger.warning('Failed to migrate ENABLE_BLUE_XENFORO setting') + + +class Migration(migrations.Migration): + + dependencies = [ + ('xenforo', '0001_initial'), + ] + + operations = [ + migrations.AlterModelOptions( + name='xenforouser', + options={'permissions': (('access_xenforo', 'Can access the XenForo service'),)}, + ), + migrations.RunPython(migrate_service_enabled), + ] diff --git a/services/modules/xenforo/models.py b/services/modules/xenforo/models.py index de9e864c..a4da6bf7 100644 --- a/services/modules/xenforo/models.py +++ b/services/modules/xenforo/models.py @@ -13,3 +13,8 @@ class XenforoUser(models.Model): def __str__(self): return self.username + + class Meta: + permissions = ( + ("access_xenforo", u"Can access the XenForo service"), + ) diff --git a/services/modules/xenforo/tasks.py b/services/modules/xenforo/tasks.py index d3bf9642..b8acccd5 100644 --- a/services/modules/xenforo/tasks.py +++ b/services/modules/xenforo/tasks.py @@ -36,11 +36,5 @@ class XenforoTasks: @classmethod def disable(cls): - if settings.ENABLE_AUTH_XENFORO: - logger.warn( - "ENABLE_AUTH_XENFORO still True, after disabling users will still be able to link XenForo accounts") - if settings.ENABLE_BLUE_XENFORO: - logger.warn( - "ENABLE_BLUE_XENFORO still True, after disabling blues will still be able to link XenForo accounts") logger.debug("Deleting ALL XenForo users") XenforoUser.objects.all().delete() diff --git a/services/modules/xenforo/tests.py b/services/modules/xenforo/tests.py index 7b8c65f2..5e0bc398 100644 --- a/services/modules/xenforo/tests.py +++ b/services/modules/xenforo/tests.py @@ -10,7 +10,7 @@ except ImportError: from django.test import TestCase, RequestFactory from django.conf import settings from django import urls -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group, Permission from django.core.exceptions import ObjectDoesNotExist from alliance_auth.tests.auth_utils import AuthUtils @@ -22,6 +22,13 @@ from .tasks import XenforoTasks MODULE_PATH = 'services.modules.xenforo' +def add_permissions(): + permission = Permission.objects.get(codename='access_xenforo') + members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP) + blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP) + AuthUtils.add_permissions_to_groups([permission], [members, blues]) + + class XenforoHooksTestCase(TestCase): def setUp(self): self.member = 'member_user' @@ -33,6 +40,7 @@ class XenforoHooksTestCase(TestCase): self.none_user = 'none_user' none_user = AuthUtils.create_user(self.none_user) self.service = XenforoService + add_permissions() def test_has_account(self): member = User.objects.get(username=self.member) @@ -47,11 +55,9 @@ class XenforoHooksTestCase(TestCase): member = User.objects.get(username=self.member) blue = User.objects.get(username=self.blue) none_user = User.objects.get(username=self.none_user) - self.assertTrue(service.service_enabled_members()) - self.assertTrue(service.service_enabled_blues()) - self.assertEqual(service.service_active_for_user(member), settings.ENABLE_AUTH_XENFORO) - self.assertEqual(service.service_active_for_user(blue), settings.ENABLE_BLUE_XENFORO) + self.assertTrue(service.service_active_for_user(member)) + self.assertTrue(service.service_active_for_user(blue)) self.assertFalse(service.service_active_for_user(none_user)) @mock.patch(MODULE_PATH + '.tasks.XenForoManager') @@ -112,6 +118,7 @@ class XenforoViewsTestCase(TestCase): self.member.email = 'auth_member@example.com' self.member.save() AuthUtils.add_main_character(self.member, 'auth_member', '12345', corp_id='111', corp_name='Test Corporation') + add_permissions() def login(self): self.client.login(username=self.member.username, password='password') diff --git a/services/modules/xenforo/views.py b/services/modules/xenforo/views.py index 6fe79362..0e8587e5 100644 --- a/services/modules/xenforo/views.py +++ b/services/modules/xenforo/views.py @@ -3,10 +3,9 @@ from __future__ import unicode_literals import logging from django.contrib import messages -from django.contrib.auth.decorators import login_required +from django.contrib.auth.decorators import login_required, permission_required from django.shortcuts import render, redirect -from authentication.decorators import members_and_blues from eveonline.managers import EveManager from services.forms import ServicePasswordForm from .manager import XenForoManager @@ -15,8 +14,11 @@ from .tasks import XenforoTasks logger = logging.getLogger(__name__) +ACCESS_PERM = 'xenforo.access_xenforo' + + @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def activate_xenforo_forum(request): logger.debug("activate_xenforo_forum called by user %s" % request.user) character = EveManager.get_main_character(request.user) @@ -41,7 +43,7 @@ def activate_xenforo_forum(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def deactivate_xenforo_forum(request): logger.debug("deactivate_xenforo_forum called by user %s" % request.user) if XenforoTasks.delete_user(request.user): @@ -53,7 +55,7 @@ def deactivate_xenforo_forum(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def reset_xenforo_password(request): logger.debug("reset_xenforo_password called by user %s" % request.user) if XenforoTasks.has_account(request.user): @@ -74,7 +76,7 @@ def reset_xenforo_password(request): @login_required -@members_and_blues() +@permission_required(ACCESS_PERM) def set_xenforo_password(request): logger.debug("set_xenforo_password called by user %s" % request.user) if request.method == 'POST': diff --git a/services/signals.py b/services/signals.py index dce877a8..69512573 100644 --- a/services/signals.py +++ b/services/signals.py @@ -2,15 +2,17 @@ from __future__ import unicode_literals import logging -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group, Permission from django.db import transaction from django.db.models.signals import m2m_changed from django.db.models.signals import pre_delete from django.db.models.signals import pre_save from django.dispatch import receiver +from services.hooks import ServicesHook from alliance_auth.hooks import get_hooks from authentication.tasks import disable_user +from authentication.tasks import disable_member from authentication.tasks import set_state logger = logging.getLogger(__name__) @@ -23,10 +25,9 @@ def m2m_changed_user_groups(sender, instance, action, *args, **kwargs): def trigger_service_group_update(): logger.debug("Triggering service group update for %s" % instance) # Iterate through Service hooks - services = get_hooks('services_hook') - for fn in services: - svc = fn() + for svc in ServicesHook.get_services(): try: + svc.validate_user(instance) svc.update_groups(instance) except: logger.exception('Exception running update_groups for services module %s on user %s' % (svc, instance)) @@ -36,6 +37,60 @@ def m2m_changed_user_groups(sender, instance, action, *args, **kwargs): transaction.on_commit(trigger_service_group_update) +@receiver(m2m_changed, sender=User.user_permissions.through) +def m2m_changed_user_permissions(sender, instance, action, *args, **kwargs): + logger.debug("Received m2m_changed from user %s permissions with action %s" % (instance, action)) + logger.debug('sender: %s' % sender) + if instance.pk and (action == "post_remove" or action == "post_clear"): + logger.debug("Permissions changed for user {}, re-validating services".format(instance)) + # Checking permissions for a single user is quite fast, so we don't need to validate + # That the permissions is a service permission, unlike groups. + + def validate_all_services(): + logger.debug("Validating all services for user {}".format(instance)) + for svc in ServicesHook.get_services(): + try: + svc.validate_user(instance) + except: + logger.exception( + 'Exception running validate_user for services module {} on user {}'.format(svc, user)) + + transaction.on_commit(lambda: validate_all_services()) + + +@receiver(m2m_changed, sender=Group.permissions.through) +def m2m_changed_group_permissions(sender, instance, action, pk_set, *args, **kwargs): + logger.debug("Received m2m_changed from group %s permissions with action %s" % (instance, action)) + if instance.pk and (action == "post_remove" or action == "post_clear"): + logger.debug("Checking if service permission changed for group {}".format(instance)) + # As validating an entire groups service could lead to many thousands of permission checks + # first we check that one of the permissions changed is, in fact, a service permission. + perms = Permission.objects.filter(pk__in=pk_set) + got_change = False + service_perms = [svc.access_perm for svc in ServicesHook.get_services()] + for perm in perms: + natural_key = perm.natural_key() + path_perm = "{}.{}".format(natural_key[1], natural_key[0]) + if path_perm not in service_perms: + # Not a service permission, keep searching + continue + for svc in ServicesHook.get_services(): + if svc.access_perm == path_perm: + logger.debug("Permissions changed for group {} on " + "service {}, re-validating services for groups users".format(instance, svc)) + + def validate_all_groups_users_for_service(): + logger.debug("Performing validation for service {}".format(svc)) + for user in instance.user_set.all(): + svc.validate_user(user) + + transaction.on_commit(validate_all_groups_users_for_service) + got_change = True + break # Found service, break out of services iteration and go back to permission iteration + if not got_change: + logger.debug("Permission change for group {} was not service permission, ignoring".format(instance)) + + @receiver(pre_delete, sender=User) def pre_delete_user(sender, instance, *args, **kwargs): logger.debug("Received pre_delete from %s" % instance) diff --git a/services/tasks.py b/services/tasks.py index dbd609a3..ac0f8896 100644 --- a/services/tasks.py +++ b/services/tasks.py @@ -2,11 +2,9 @@ from __future__ import unicode_literals import logging -from celery import task +from alliance_auth.celeryapp import app -from alliance_auth.hooks import get_hooks -from authentication.states import MEMBER_STATE, BLUE_STATE -from notifications import notify +from services.hooks import ServicesHook import redis REDIS_CLIENT = redis.Redis() @@ -41,34 +39,11 @@ def only_one(function=None, key="", timeout=None): return _dec(function) if function is not None else _dec -def deactivate_services(user): - change = False - logger.debug("Deactivating services for user %s" % user) - # Iterate through service hooks and disable users - for fn in get_hooks('services_hook'): - svc = fn() - try: - if svc.delete_user(user): - change = True - except: - logger.exception('Exception running delete_user for services module %s on user %s' % (svc, user)) - if change: - notify(user, "Services Disabled", message="Your services accounts have been disabled.", level="danger") - - -@task(bind=True) -def validate_services(self, user, state): - if state == MEMBER_STATE: - setting_string = 'AUTH' - elif state == BLUE_STATE: - setting_string = 'BLUE' - else: - deactivate_services(user) - return - logger.debug('Ensuring user %s services are available to state %s' % (user, state)) +@app.task(bind=True) +def validate_services(self, user): + logger.debug('Ensuring user %s has permissions for active services'.format(user)) # Iterate through services hooks and have them check the validity of the user - for fn in get_hooks('services_hook'): - svc = fn() + for svc in ServicesHook.get_services(): try: svc.validate_user(user) except: diff --git a/services/tests/test_signals.py b/services/tests/test_signals.py index 0c1c1a9b..4099ce88 100644 --- a/services/tests/test_signals.py +++ b/services/tests/test_signals.py @@ -8,7 +8,7 @@ except ImportError: import mock from django.test import TestCase -from django.contrib.auth.models import Group +from django.contrib.auth.models import Group, Permission from alliance_auth.tests.auth_utils import AuthUtils @@ -19,15 +19,16 @@ class ServicesSignalsTestCase(TestCase): self.none_user = AuthUtils.create_user('none_user', disconnect_signals=True) @mock.patch('services.signals.transaction') - @mock.patch('services.signals.get_hooks') - def test_m2m_changed_user_groups(self, get_hooks, transaction): + @mock.patch('services.signals.ServicesHook') + def test_m2m_changed_user_groups(self, services_hook, transaction): """ Test that update_groups hook function is called on user groups change """ svc = mock.Mock() svc.update_groups.return_value = None + svc.validate_user.return_value = None - get_hooks.return_value = [lambda: svc] + services_hook.get_services.return_value = [svc] # Overload transaction.on_commit so everything happens synchronously transaction.on_commit = lambda fn: fn() @@ -39,16 +40,20 @@ class ServicesSignalsTestCase(TestCase): self.member.save() # Assert - self.assertTrue(get_hooks.called) - args, kwargs = get_hooks.call_args - self.assertEqual('services_hook', args[0]) + self.assertTrue(services_hook.get_services.called) self.assertTrue(svc.update_groups.called) args, kwargs = svc.update_groups.call_args self.assertEqual(self.member, args[0]) + self.assertTrue(svc.validate_user.called) + args, kwargs = svc.validate_user.call_args + self.assertEqual(self.member, args[0]) + + @mock.patch('services.signals.disable_user') def test_pre_delete_user(self, disable_user): + """ Test that disable_member is called when a user is deleted """ @@ -89,3 +94,62 @@ class ServicesSignalsTestCase(TestCase): self.assertTrue(set_state.called) args, kwargs = set_state.call_args self.assertEqual(self.member, args[0]) + + @mock.patch('services.signals.transaction') + @mock.patch('services.signals.ServicesHook') + def test_m2m_changed_group_permissions(self, services_hook, transaction): + from django.contrib.contenttypes.models import ContentType + svc = mock.Mock() + svc.validate_user.return_value = None + svc.access_perm = 'auth.access_testsvc' + + services_hook.get_services.return_value = [svc] + + # Overload transaction.on_commit so everything happens synchronously + transaction.on_commit = lambda fn: fn() + + test_group = Group.objects.create(name="Test group") + AuthUtils.disconnect_signals() + self.member.groups.add(test_group) + AuthUtils.connect_signals() + + ct = ContentType.objects.get(app_label='auth', model='permission') + perm = Permission.objects.create(name="Test perm", codename="access_testsvc", content_type=ct) + test_group.permissions.add(perm) + + # Act, should trigger m2m change + test_group.permissions.remove(perm) + + # Assert + self.assertTrue(services_hook.get_services.called) + + self.assertTrue(svc.validate_user.called) + args, kwargs = svc.validate_user.call_args + self.assertEqual(self.member, args[0]) + + @mock.patch('services.signals.transaction') + @mock.patch('services.signals.ServicesHook') + def test_m2m_changed_user_permissions(self, services_hook, transaction): + from django.contrib.contenttypes.models import ContentType + svc = mock.Mock() + svc.validate_user.return_value = None + svc.access_perm = 'auth.access_testsvc' + + services_hook.get_services.return_value = [svc] + + # Overload transaction.on_commit so everything happens synchronously + transaction.on_commit = lambda fn: fn() + + ct = ContentType.objects.get(app_label='auth', model='permission') + perm = Permission.objects.create(name="Test perm", codename="access_testsvc", content_type=ct) + self.member.user_permissions.add(perm) + + # Act, should trigger m2m change + self.member.user_permissions.remove(perm) + + # Assert + self.assertTrue(services_hook.get_services.called) + + self.assertTrue(svc.validate_user.called) + args, kwargs = svc.validate_user.call_args + self.assertEqual(self.member, args[0]) diff --git a/services/tests/test_tasks.py b/services/tests/test_tasks.py index bb307d0a..f4458111 100644 --- a/services/tests/test_tasks.py +++ b/services/tests/test_tasks.py @@ -9,10 +9,9 @@ except ImportError: from django.test import TestCase -from authentication.states import MEMBER_STATE, BLUE_STATE, NONE_STATE from alliance_auth.tests.auth_utils import AuthUtils -from services.tasks import deactivate_services, validate_services +from services.tasks import validate_services class ServicesTasksTestCase(TestCase): @@ -20,62 +19,16 @@ class ServicesTasksTestCase(TestCase): self.member = AuthUtils.create_member('auth_member') self.none_user = AuthUtils.create_user('none_user', disconnect_signals=True) - @mock.patch('services.tasks.get_hooks') - @mock.patch('services.tasks.deactivate_services') - def test_validate_services_deactivate(self, deactivate_services, get_hooks): - """ - Test validate services will call deactivate on a None state user - """ - - validate_services.delay(user=self.none_user, state=NONE_STATE) - - self.assertTrue(deactivate_services.called) - args, kwargs = deactivate_services.call_args - self.assertEqual(self.none_user, args[0]) # Assert correct user is passed - self.assertFalse(get_hooks.called) - - @mock.patch('services.tasks.get_hooks') - @mock.patch('services.tasks.deactivate_services') - def test_validate_services_valid_member(self, deactivate_services, get_hooks): - """ - Test that validate_services is called for a valid member - """ + @mock.patch('services.tasks.ServicesHook') + def test_validate_services(self, services_hook): svc = mock.Mock() svc.validate_user.return_value = None - get_hooks.return_value = [lambda: svc] + services_hook.get_services.return_value = [svc] - validate_services.delay(user=self.member, state=MEMBER_STATE) + validate_services.delay(user=self.member) - self.assertTrue(get_hooks.called) - args, kwargs = get_hooks.call_args - self.assertEqual('services_hook', args[0]) + self.assertTrue(services_hook.get_services.called) self.assertTrue(svc.validate_user.called) args, kwargs = svc.validate_user.call_args self.assertEqual(self.member, args[0]) # Assert correct user is passed to service hook function - self.assertFalse(deactivate_services.called) - - @mock.patch('services.tasks.notify') - @mock.patch('services.tasks.get_hooks') - def test_deactivate_services(self, get_hooks, notify): - """ - Test that hooks delete_user function is called by deactivate_services - """ - svc = mock.Mock() - svc.delete_user.return_value = True - - get_hooks.return_value = [lambda: svc] - - deactivate_services(self.member) - - self.assertTrue(get_hooks.called) - args, kwargs = get_hooks.call_args - self.assertEqual('services_hook', args[0]) - self.assertTrue(svc.delete_user.called) - args, kwargs = svc.delete_user.call_args - self.assertEqual(self.member, args[0]) # Assert correct user is passed to service hook function - self.assertTrue(notify.called) - args, kwargs = notify.call_args - self.assertEqual(self.member, args[0]) # Assert user is passed to the notification system - self.assertEqual("Services Disabled", args[1]) - self.assertEqual("danger", kwargs['level']) diff --git a/services/views.py b/services/views.py index 7f891530..7cfd3833 100755 --- a/services/views.py +++ b/services/views.py @@ -46,7 +46,6 @@ def fleet_formatter_view(request): @login_required -@members_and_blues() def services_view(request): logger.debug("services_view called by user %s" % request.user) auth = AuthServicesInfo.objects.get(user=request.user) diff --git a/stock/templates/public/base.html b/stock/templates/public/base.html index af8c5a00..c6db7eb3 100755 --- a/stock/templates/public/base.html +++ b/stock/templates/public/base.html @@ -104,13 +104,11 @@
  • {% trans "Aux Navigation" %}
    • - {% if STATE in MEMBER_BLUE_STATE or user.is_superuser %} -
  • - - {% trans " Services" %} - -
    • - {% endif %} +
  • + + {% trans " Services" %} + +
    • {% if not STATE == MEMBER_STATE or perms.auth.human_resources %}