Grant service access by permissions (#692)

* Add service access permissions and migration `ENABLE_AUTH_<servicename> = True` will have the new permission applied to the settings configured `DEFAULT_AUTH_GROUP` group or `Member` if none is configured. `ENABLE_BLUE_<servicename> = True` will have the new permission applied to the settings configured `DEFAULT_BLUE_GROUP` group or `Blue` if none is configured. * Move views and hooks to permissions based access * Remove access restriction to services view Hypothetically non-member/blues could be granted permission to access services manually as desired now. A user that has no permissions to access any services will see a blank services list. * Remove obsolete service settings * Remove references to obsolete settings * Adjusted tests to support permissions based access * Fix incorrectly named permissions * Add simple get_services generator function * Added signals for user and groups perm changes * Update validate_services to support permissions deactivate_services removed as its surplus to requirements. * Removed state parameter from validate_services calls * Update tests to support signals changes * Fix incorrect call to validate_services task * Fix validate_services and test * Add validate_user to changed user groups signal * Added tests for new signals * Remove unnecessary post_add signals * Added documentation for service permissions * Added detection for members with service active If there are any service users in the Member or Blue groups active, then the permission will be added to the respective Member or Blue group. This means its no longer necessary to maintain the service enablesettings to migrate to permissions based service. Remove obsolete state based status checking
2026-02-07 07:36:20 +01:00 · 2017-02-12 13:51:30 +10:00
parent 58e121d10d
commit a33c8c14ee
80 changed files with 1192 additions and 496 deletions
--- a/services/modules/discourse/auth_hooks.py
+++ b/services/modules/discourse/auth_hooks.py
@@ -21,6 +21,7 @@ class DiscourseService(ServicesHook):
        self.urlpatterns = urlpatterns
        self.name = 'discourse'
        self.service_ctrl_template = 'registered/discourse_service_ctrl.html'
+        self.access_perm = 'discourse.access_discourse'

    def delete_user(self, user, notify_user=False):
        logger.debug('Deleting user %s %s account' % (user, self.name))
@@ -40,11 +41,8 @@ class DiscourseService(ServicesHook):
        logger.debug('Update all %s groups called' % self.name)
        DiscourseTasks.update_all_groups.delay()

-    def service_enabled_members(self):
-        return settings.ENABLE_AUTH_DISCOURSE or False
-
-    def service_enabled_blues(self):
-        return settings.ENABLE_BLUE_DISCOURSE or False
+    def service_active_for_user(self, user):
+        return user.has_perm(self.access_perm)

    def render_services_ctrl(self, request):
        return render_to_string(self.service_ctrl_template, {
--- a/services/modules/discourse/migrations/0002_service_permissions.py
+++ b/services/modules/discourse/migrations/0002_service_permissions.py
@@ -0,0 +1,62 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.10.5 on 2017-02-02 05:59
+from __future__ import unicode_literals
+
+from django.db import migrations
+from django.conf import settings
+from django.core.exceptions import ObjectDoesNotExist
+from django.contrib.auth.management import create_permissions
+
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+def migrate_service_enabled(apps, schema_editor):
+    for app_config in apps.get_app_configs():
+        app_config.models_module = True
+        create_permissions(app_config, apps=apps, verbosity=0)
+        app_config.models_module = None
+
+    Group = apps.get_model("auth", "Group")
+    Permission = apps.get_model("auth", "Permission")
+    DiscourseUser = apps.get_model("discourse", "DiscourseUser")
+
+    perm = Permission.objects.get(codename='access_discourse')
+
+    member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member')
+    blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue')
+
+    # Migrate members
+    if DiscourseUser.objects.filter(user__groups__name=member_group_name).exists() or \
+            getattr(settings, str('ENABLE_AUTH_DISCOURSE'), False):
+        try:
+            group = Group.objects.get(name=member_group_name)
+            group.permissions.add(perm)
+        except ObjectDoesNotExist:
+            logger.warning('Failed to migrate ENABLE_AUTH_DISCOURSE setting')
+
+    # Migrate blues
+    if DiscourseUser.objects.filter(user__groups__name=blue_group_name).exists() or \
+            getattr(settings, str('ENABLE_BLUE_DISCOURSE'), False):
+        try:
+            group = Group.objects.get(name=blue_group_name)
+            group.permissions.add(perm)
+        except ObjectDoesNotExist:
+            logger.warning('Failed to migrate ENABLE_BLUE_DISCOURSE setting')
+
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('discourse', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='discourseuser',
+            options={'permissions': (('access_discourse', 'Can access the Discourse service'),)},
+        ),
+        migrations.RunPython(migrate_service_enabled),
+    ]
--- a/services/modules/discourse/models.py
+++ b/services/modules/discourse/models.py
@@ -4,6 +4,7 @@ from django.contrib.auth.models import User
 from django.db import models


+@python_2_unicode_compatible
 class DiscourseUser(models.Model):
    user = models.OneToOneField(User,
                                primary_key=True,
@@ -13,3 +14,8 @@ class DiscourseUser(models.Model):

    def __str__(self):
        return self.user.username
+
+    class Meta:
+        permissions = (
+            ("access_discourse", u"Can access the Discourse service"),
+        )
--- a/services/modules/discourse/tests.py
+++ b/services/modules/discourse/tests.py
@@ -9,7 +9,7 @@ except ImportError:

 from django.test import TestCase, RequestFactory
 from django.conf import settings
-from django.contrib.auth.models import User
+from django.contrib.auth.models import User, Group, Permission
 from django.core.exceptions import ObjectDoesNotExist

 from alliance_auth.tests.auth_utils import AuthUtils
@@ -21,6 +21,13 @@ from .tasks import DiscourseTasks
 MODULE_PATH = 'services.modules.discourse'


+def add_permissions():
+    permission = Permission.objects.get(codename='access_discourse')
+    members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP)
+    blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP)
+    AuthUtils.add_permissions_to_groups([permission], [members, blues])
+
+
 class DiscourseHooksTestCase(TestCase):
    def setUp(self):
        self.member = 'member_user'
@@ -32,6 +39,7 @@ class DiscourseHooksTestCase(TestCase):
        self.none_user = 'none_user'
        none_user = AuthUtils.create_user(self.none_user)
        self.service = DiscourseService
+        add_permissions()

    def test_has_account(self):
        member = User.objects.get(username=self.member)
@@ -46,11 +54,9 @@ class DiscourseHooksTestCase(TestCase):
        member = User.objects.get(username=self.member)
        blue = User.objects.get(username=self.blue)
        none_user = User.objects.get(username=self.none_user)
-        self.assertTrue(service.service_enabled_members())
-        self.assertTrue(service.service_enabled_blues())

-        self.assertEqual(service.service_active_for_user(member), settings.ENABLE_AUTH_DISCOURSE)
-        self.assertEqual(service.service_active_for_user(blue), settings.ENABLE_BLUE_DISCOURSE)
+        self.assertTrue(service.service_active_for_user(member))
+        self.assertTrue(service.service_active_for_user(blue))
        self.assertFalse(service.service_active_for_user(none_user))

    @mock.patch(MODULE_PATH + '.tasks.DiscourseManager')
@@ -124,6 +130,7 @@ class DiscourseViewsTestCase(TestCase):
        self.member.set_password('password')
        self.member.save()
        AuthUtils.add_main_character(self.member, 'auth_member', '12345', corp_id='111', corp_name='Test Corporation')
+        add_permissions()

    @mock.patch(MODULE_PATH + '.tasks.DiscourseManager')
    def test_sso_member(self, manager):
--- a/services/modules/discourse/views.py
+++ b/services/modules/discourse/views.py
@@ -31,20 +31,16 @@ import logging
 logger = logging.getLogger(__name__)


+ACCESS_PERM = 'discourse.access_discourse'
+
+
@login_required
 def discourse_sso(request):

    ## Check if user has access

    auth = AuthServicesInfo.objects.get(user=request.user)
-    if not request.user.is_superuser:
-        if not settings.ENABLE_AUTH_DISCOURSE and auth.state == MEMBER_STATE:
-            messages.error(request, 'Members are not authorized to access Discourse.')
-            return redirect('auth_dashboard')
-        elif not settings.ENABLE_BLUE_DISCOURSE and auth.state == BLUE_STATE:
-            messages.error(request, 'Blues are not authorized to access Discourse.')
-            return redirect('auth_dashboard')
-        elif auth.state == NONE_STATE:
+    if not request.user.has_perm(ACCESS_PERM):
            messages.error(request, 'You are not authorized to access Discourse.')
            return redirect('auth_dashboard')