Move more auth checking to auth.py, modify templates to use auth.py checks.
This commit is contained in:
parent
a68f64ec7f
commit
21229d6b9d
5 changed files with 194 additions and 95 deletions
|
@ -53,11 +53,93 @@ def isApproved(userName, groupName, g=None):
|
||||||
except:
|
except:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def canEditUser(userName, editUserName):
|
def canEditUser(userName, editUserName, g=None):
|
||||||
|
if not g:
|
||||||
|
g = Groups.byUserName(userName)
|
||||||
if userName == editUserName:
|
if userName == editUserName:
|
||||||
return True
|
return True
|
||||||
elif isAdmin(userName):
|
elif isAdmin(userName, g):
|
||||||
return True
|
return True
|
||||||
else:
|
else:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
def canCreateGroup(userName, groupName, g=None):
|
||||||
|
if not g:
|
||||||
|
g = Groups.byUserName(userName)
|
||||||
|
if isAdmin(userName, g):
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|
||||||
|
def canEditGroup(userName, groupName, g=None):
|
||||||
|
if not g:
|
||||||
|
g = Groups.byUserName(userName)
|
||||||
|
if canAdminGroup(userName, groupName):
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|
||||||
|
def canApplyGroup(userName, groupName, applyUserName, g=None):
|
||||||
|
# This is where we could make groups depend on other ones.
|
||||||
|
if not g:
|
||||||
|
g = Groups.byUserName(userName)
|
||||||
|
# A user can apply themselves, and FAS admins can apply other people.
|
||||||
|
if (userName == applyUserName) or \
|
||||||
|
isAdmin(userName, g):
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|
||||||
|
def canSponsorUser(userName, groupName, sponsorUserName, g=None):
|
||||||
|
if not g:
|
||||||
|
g = Groups.byUserName(userName)
|
||||||
|
# This is just here in case we want to add more complex checks in the future
|
||||||
|
if canSponsorGroup(userName, groupName, g):
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|
||||||
|
def canRemoveUser(userName, groupName, removeUserName, g=None):
|
||||||
|
if not g:
|
||||||
|
g = Groups.byUserName(userName)
|
||||||
|
group = Groups.groups(groupName)[groupName]
|
||||||
|
# Only administrators can remove administrators.
|
||||||
|
if canAdminGroup(removeUserName, groupName) and \
|
||||||
|
not canAdminGroup(userName, groupName, g):
|
||||||
|
return False
|
||||||
|
# A user can remove themself from a group if fedoraGroupUserCanRemove is TRUE
|
||||||
|
# Otherwise, a sponsor can remove sponsors/users.
|
||||||
|
elif ((userName == removeUserName) and (group.fedoraGroupUserCanRemove.lower() == 'TRUE')) or \
|
||||||
|
canSponsorGroup(userName, groupName, g):
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|
||||||
|
def canUpgradeUser(userName, groupName, sponsorUserName, g=None):
|
||||||
|
if not g:
|
||||||
|
g = Groups.byUserName(userName)
|
||||||
|
# Group admins can upgrade anybody (fasLDAP.py has the checks to prevent
|
||||||
|
# upgrading admins, etc.
|
||||||
|
if canAdminGroup(userName, groupName, g):
|
||||||
|
return True
|
||||||
|
# Sponsors can only upgrade non-sponsors (i.e. normal users) fasLDAP.py
|
||||||
|
# ensures that sponsorUserName is at least an approved user.
|
||||||
|
elif canSponsorGroup(userName, groupName, g) and \
|
||||||
|
not canSponsorGroup(sponsorUserName, groupName):
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|
||||||
|
def canDowngradeUser(userName, groupName, sponsorUserName, g=None):
|
||||||
|
if not g:
|
||||||
|
g = Groups.byUserName(userName)
|
||||||
|
# Group admins can downgrade anybody.
|
||||||
|
if canAdminGroup(userName, groupName, g):
|
||||||
|
return True
|
||||||
|
# Sponsors can only downgrade sponsors. (fasLDAP.py won't let you
|
||||||
|
# downgrade a normal user already)
|
||||||
|
elif canSponsorGroup(userName, groupName, g) and \
|
||||||
|
not canAdminGroup(sponsorUserName, groupName):
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|
179
fas/fas/group.py
179
fas/fas/group.py
|
@ -10,7 +10,7 @@ from fas.fasLDAP import Person
|
||||||
from fas.fasLDAP import Groups
|
from fas.fasLDAP import Groups
|
||||||
from fas.fasLDAP import UserGroup
|
from fas.fasLDAP import UserGroup
|
||||||
|
|
||||||
from fas.auth import isAdmin, canAdminGroup, canSponsorGroup, canEditUser
|
from fas.auth import *
|
||||||
|
|
||||||
from fas.user import knownUser, userNameExists
|
from fas.user import knownUser, userNameExists
|
||||||
|
|
||||||
|
@ -102,7 +102,7 @@ class Group(controllers.Controller):
|
||||||
def new(self):
|
def new(self):
|
||||||
'''Display create group form'''
|
'''Display create group form'''
|
||||||
userName = turbogears.identity.current.user_name
|
userName = turbogears.identity.current.user_name
|
||||||
if not isAdmin(userName):
|
if not canCreateGroup(userName):
|
||||||
turbogears.flash(_('Only FAS adminstrators can create groups.'))
|
turbogears.flash(_('Only FAS adminstrators can create groups.'))
|
||||||
turbogears.redirect('/')
|
turbogears.redirect('/')
|
||||||
return dict()
|
return dict()
|
||||||
|
@ -114,7 +114,7 @@ class Group(controllers.Controller):
|
||||||
def create(self, groupName, fedoraGroupDesc, fedoraGroupOwner, fedoraGroupNeedsSponsor="FALSE", fedoraGroupUserCanRemove="FALSE", fedoraGroupJoinMsg=""):
|
def create(self, groupName, fedoraGroupDesc, fedoraGroupOwner, fedoraGroupNeedsSponsor="FALSE", fedoraGroupUserCanRemove="FALSE", fedoraGroupJoinMsg=""):
|
||||||
'''Create a group'''
|
'''Create a group'''
|
||||||
userName = turbogears.identity.current.user_name
|
userName = turbogears.identity.current.user_name
|
||||||
if not isAdmin(userName):
|
if not canCreateGroup(userName):
|
||||||
turbogears.flash(_('Only FAS adminstrators can create groups.'))
|
turbogears.flash(_('Only FAS adminstrators can create groups.'))
|
||||||
turbogears.redirect('/')
|
turbogears.redirect('/')
|
||||||
try:
|
try:
|
||||||
|
@ -168,24 +168,24 @@ class Group(controllers.Controller):
|
||||||
def save(self, groupName, fedoraGroupDesc, fedoraGroupOwner, fedoraGroupType=1, fedoraGroupNeedsSponsor="FALSE", fedoraGroupUserCanRemove="FALSE", fedoraGroupJoinMsg=""):
|
def save(self, groupName, fedoraGroupDesc, fedoraGroupOwner, fedoraGroupType=1, fedoraGroupNeedsSponsor="FALSE", fedoraGroupUserCanRemove="FALSE", fedoraGroupJoinMsg=""):
|
||||||
'''Edit a group'''
|
'''Edit a group'''
|
||||||
userName = turbogears.identity.current.user_name
|
userName = turbogears.identity.current.user_name
|
||||||
if not canAdminGroup(userName, groupName):
|
if not canEditGroup(userName, groupName):
|
||||||
turbogears.flash(_("You cannot edit '%s'.") % groupName)
|
turbogears.flash(_("You cannot edit '%s'.") % groupName)
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
# TODO: This is kind of an ugly hack.
|
# TODO: This is kind of an ugly hack.
|
||||||
base = 'cn=%s,ou=FedoraGroups,dc=fedoraproject,dc=org' % groupName
|
|
||||||
try:
|
|
||||||
fas.fasLDAP.modify(base, 'fedoraGroupDesc', fedoraGroupDesc.encode('utf8'))
|
|
||||||
fas.fasLDAP.modify(base, 'fedoraGroupOwner', fedoraGroupOwner.encode('utf8'))
|
|
||||||
fas.fasLDAP.modify(base, 'fedoraGroupType', str(fedoraGroupType).encode('utf8'))
|
|
||||||
fas.fasLDAP.modify(base, 'fedoraGroupNeedsSponsor', fedoraGroupNeedsSponsor.encode('utf8'))
|
|
||||||
fas.fasLDAP.modify(base, 'fedoraGroupUserCanRemove', fedoraGroupUserCanRemove.encode('utf8'))
|
|
||||||
fas.fasLDAP.modify(base, 'fedoraGroupJoinMsg', fedoraGroupJoinMsg.encode('utf8'))
|
|
||||||
except:
|
|
||||||
turbogears.flash(_('The group details could not be saved.'))
|
|
||||||
return dict()
|
|
||||||
else:
|
else:
|
||||||
turbogears.flash(_('The group details have been saved.'))
|
base = 'cn=%s,ou=FedoraGroups,dc=fedoraproject,dc=org' % groupName
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
try:
|
||||||
|
fas.fasLDAP.modify(base, 'fedoraGroupDesc', fedoraGroupDesc.encode('utf8'))
|
||||||
|
fas.fasLDAP.modify(base, 'fedoraGroupOwner', fedoraGroupOwner.encode('utf8'))
|
||||||
|
fas.fasLDAP.modify(base, 'fedoraGroupType', str(fedoraGroupType).encode('utf8'))
|
||||||
|
fas.fasLDAP.modify(base, 'fedoraGroupNeedsSponsor', fedoraGroupNeedsSponsor.encode('utf8'))
|
||||||
|
fas.fasLDAP.modify(base, 'fedoraGroupUserCanRemove', fedoraGroupUserCanRemove.encode('utf8'))
|
||||||
|
fas.fasLDAP.modify(base, 'fedoraGroupJoinMsg', fedoraGroupJoinMsg.encode('utf8'))
|
||||||
|
except:
|
||||||
|
turbogears.flash(_('The group details could not be saved.'))
|
||||||
|
else:
|
||||||
|
turbogears.flash(_('The group details have been saved.'))
|
||||||
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
return dict()
|
return dict()
|
||||||
|
|
||||||
@expose(template="fas.templates.group.list")
|
@expose(template="fas.templates.group.list")
|
||||||
|
@ -205,16 +205,27 @@ class Group(controllers.Controller):
|
||||||
@error_handler(error)
|
@error_handler(error)
|
||||||
@expose(template='fas.templates.group.view')
|
@expose(template='fas.templates.group.view')
|
||||||
@identity.require(turbogears.identity.not_anonymous())
|
@identity.require(turbogears.identity.not_anonymous())
|
||||||
def apply(self, groupName, userName):
|
def apply(self, groupName, userName=None):
|
||||||
'''Apply to a group'''
|
'''Apply to a group'''
|
||||||
try:
|
applicant = turbogears.identity.current.user_name
|
||||||
Groups.apply(groupName, userName)
|
if not userName:
|
||||||
except ldap.ALREADY_EXISTS:
|
userName = applicant
|
||||||
turbogears.flash(_('%(user)s is already in %(group)s!') % {'user': userName, 'group': groupName})
|
if not canApplyGroup(applicant, groupName, userName):
|
||||||
|
turbogears.flash(_('You cannot apply %(user)s for %(group)s!') % \
|
||||||
|
{'user': userName, 'group': groupName})
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
|
return dict()
|
||||||
else:
|
else:
|
||||||
turbogears.flash(_('%(user)s has applied to %(group)s!') % {'user': userName, 'group': groupName})
|
try:
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
Groups.apply(groupName, userName)
|
||||||
|
except ldap.ALREADY_EXISTS:
|
||||||
|
turbogears.flash(_('%(user)s has already applied to %(group)s!') % \
|
||||||
|
{'user': userName, 'group': groupName})
|
||||||
|
else:
|
||||||
|
turbogears.flash(_('%(user)s has applied to %(group)s!') % \
|
||||||
|
{'user': userName, 'group': groupName})
|
||||||
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
|
return dict()
|
||||||
|
|
||||||
@validate(validators=userNameGroupNameExists())
|
@validate(validators=userNameGroupNameExists())
|
||||||
@error_handler(error)
|
@error_handler(error)
|
||||||
|
@ -223,21 +234,24 @@ class Group(controllers.Controller):
|
||||||
def sponsor(self, groupName, userName):
|
def sponsor(self, groupName, userName):
|
||||||
'''Sponsor user'''
|
'''Sponsor user'''
|
||||||
sponsor = turbogears.identity.current.user_name
|
sponsor = turbogears.identity.current.user_name
|
||||||
if not canSponsorGroup(sponsor, groupName):
|
if not canSponsorUser(sponsor, groupName, userName):
|
||||||
turbogears.flash(_("You are not a sponsor for '%s'") % groupName)
|
turbogears.flash(_("You cannot sponsor '%s'") % userName)
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
try:
|
return dict()
|
||||||
group = Groups.groups(groupName)[groupName]
|
else:
|
||||||
except KeyError:
|
p = Person.byUserName(userName)
|
||||||
turbogears.flash(_('Group Error: %s does not exist.') % groupName)
|
# TODO: Check if the person actually applied to the group.
|
||||||
# The following line is kind of pointless- any suggestions?
|
# (or should this be done in auth.py or fasLDAP.py?)
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
# this will probably give a 500 now if the user didn't apply
|
||||||
p = Person.byUserName(userName)
|
try:
|
||||||
g = Groups.byGroupName(groupName, includeUnapproved=True)
|
p.sponsor(groupName, sponsor)
|
||||||
# TODO: Check if the person actually applied to the group.
|
except:
|
||||||
p.sponsor(groupName, sponsor)
|
turbogears.flash(_("'%s' could not be sponsored!") % p.cn)
|
||||||
turbogears.flash(_('%s has been sponsored!') % p.cn)
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
else:
|
||||||
|
turbogears.flash(_("'%s' has been sponsored!") % p.cn)
|
||||||
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
|
return dict()
|
||||||
|
|
||||||
@validate(validators=userNameGroupNameExists())
|
@validate(validators=userNameGroupNameExists())
|
||||||
@error_handler(error)
|
@error_handler(error)
|
||||||
|
@ -247,23 +261,22 @@ class Group(controllers.Controller):
|
||||||
'''Remove user from group'''
|
'''Remove user from group'''
|
||||||
# TODO: Add confirmation?
|
# TODO: Add confirmation?
|
||||||
sponsor = turbogears.identity.current.user_name
|
sponsor = turbogears.identity.current.user_name
|
||||||
if not canSponsorGroup(sponsor, groupName) \
|
if not canRemoveUser(sponsor, groupName, userName):
|
||||||
and sponsor != userName: # Users can remove themselves
|
turbogears.flash(_("You cannot remove '%s'.") % userName)
|
||||||
turbogears.flash(_("You are not a sponsor for '%s'") % groupName)
|
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
|
||||||
if canAdminGroup(userName, groupName) \
|
|
||||||
and (not canAdminGroup(sponsor, groupName)):
|
|
||||||
turbogears.flash(_('Sponsors cannot remove administrators.') % userName)
|
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
|
||||||
try:
|
|
||||||
Groups.remove(groupName, userName)
|
|
||||||
except TypeError:
|
|
||||||
turbogears.flash(_('%(name)s could not be removed from %(group)s!') % {'name': userName, 'group': groupName})
|
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
|
return dict()
|
||||||
else:
|
else:
|
||||||
turbogears.flash(_('%(name)s has been removed from %(group)s!') % {'name': userName, 'group': groupName})
|
try:
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
Groups.remove(groupName, userName)
|
||||||
return dict()
|
except:
|
||||||
|
turbogears.flash(_('%(name)s could not be removed from %(group)s!') % \
|
||||||
|
{'name': userName, 'group': groupName})
|
||||||
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
|
else:
|
||||||
|
turbogears.flash(_('%(name)s has been removed from %(group)s!') % \
|
||||||
|
{'name': userName, 'group': groupName})
|
||||||
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
|
return dict()
|
||||||
|
|
||||||
@validate(validators=userNameGroupNameExists())
|
@validate(validators=userNameGroupNameExists())
|
||||||
@error_handler(error)
|
@error_handler(error)
|
||||||
|
@ -272,25 +285,21 @@ class Group(controllers.Controller):
|
||||||
def upgrade(self, groupName, userName):
|
def upgrade(self, groupName, userName):
|
||||||
'''Upgrade user in group'''
|
'''Upgrade user in group'''
|
||||||
sponsor = turbogears.identity.current.user_name
|
sponsor = turbogears.identity.current.user_name
|
||||||
if not canSponsorGroup(sponsor, groupName):
|
if not canUpgradeUser(sponsor, groupName, userName):
|
||||||
turbogears.flash(_("You are not a sponsor for '%s'") % groupName)
|
turbogears.flash(_("You cannot upgrade '%s'") % userName)
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
# This is already checked in fasLDAP.py
|
return dict()
|
||||||
#if canAdminGroup(userName, groupName):
|
else:
|
||||||
# turbogears.flash(_('Group administators cannot be upgraded any further.'))
|
p = Person.byUserName(userName)
|
||||||
# turbogears.redirect('/group/view/%s' % groupName)
|
try:
|
||||||
elif canSponsorGroup(userName, groupName) \
|
p.upgrade(groupName)
|
||||||
and (not canAdminGroup(sponsor, groupName)):
|
except:
|
||||||
turbogears.flash(_('Sponsors cannot upgrade other sponsors.') % userName)
|
turbogears.flash(_('%(name)s could not be upgraded!') % userName)
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
p = Person.byUserName(userName)
|
else:
|
||||||
try:
|
turbogears.flash(_('%s has been upgraded!') % userName)
|
||||||
p.upgrade(groupName)
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
except:
|
return dict()
|
||||||
turbogears.flash(_('%(name)s could not be upgraded!') % userName)
|
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
|
||||||
turbogears.flash(_('%s has been upgraded!') % userName)
|
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
|
||||||
|
|
||||||
@validate(validators=userNameGroupNameExists())
|
@validate(validators=userNameGroupNameExists())
|
||||||
@error_handler(error)
|
@error_handler(error)
|
||||||
|
@ -299,21 +308,21 @@ class Group(controllers.Controller):
|
||||||
def downgrade(self, groupName, userName):
|
def downgrade(self, groupName, userName):
|
||||||
'''Upgrade user in group'''
|
'''Upgrade user in group'''
|
||||||
sponsor = turbogears.identity.current.user_name
|
sponsor = turbogears.identity.current.user_name
|
||||||
if not canSponsorGroup(sponsor, groupName):
|
if not canDowngradeUser(sponsor, groupName, userName):
|
||||||
turbogears.flash(_("You are not a sponsor for '%s'") % groupName)
|
turbogears.flash(_("You cannot downgrade '%s'") % userName)
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
if canAdminGroup(userName, groupName) \
|
return dict()
|
||||||
and (not canAdminGroup(sponsor, groupName)):
|
else:
|
||||||
turbogears.flash(_('Sponsors cannot downgrade group administrators.') % userName)
|
p = Person.byUserName(userName)
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
try:
|
||||||
p = Person.byUserName(userName)
|
p.upgrade(groupName)
|
||||||
try:
|
except:
|
||||||
p.upgrade(groupName)
|
turbogears.flash(_('%(name)s could not be downgraded!') % userName)
|
||||||
except:
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
turbogears.flash(_('%(name)s could not be downgraded!') % userName)
|
else:
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
turbogears.flash(_('%s has been downgraded!') % p.cn)
|
||||||
turbogears.flash(_('%s has been downgraded!') % p.cn)
|
turbogears.redirect('/group/view/%s' % groupName)
|
||||||
turbogears.redirect('/group/view/%s' % groupName)
|
return dict()
|
||||||
|
|
||||||
@validate(validators=groupNameExists())
|
@validate(validators=groupNameExists())
|
||||||
@error_handler(error)
|
@error_handler(error)
|
||||||
|
|
|
@ -70,13 +70,21 @@
|
||||||
<!-- This section includes all action items -->
|
<!-- This section includes all action items -->
|
||||||
<td py:if="auth.canSponsorGroup(userName, group.cn)">
|
<td py:if="auth.canSponsorGroup(userName, group.cn)">
|
||||||
<ul>
|
<ul>
|
||||||
<li>
|
<li py:if="groups[user].fedoraRoleStatus.lower() != 'approved'">
|
||||||
<a py:if="group.fedoraGroupNeedsSponsor.upper() == 'TRUE'" href="${tg.url('/group/sponsor/%s/%s' % (groups[user].cn, user))}">Sponsor</a>
|
<a py:if="group.fedoraGroupNeedsSponsor.upper() == 'TRUE'"
|
||||||
<a py:if="not group.fedoraGroupNeedsSponsor.upper() == 'TRUE' and groups[user].fedoraRoleStatus.lower() != 'approved'" href="${tg.url('/group/sponsor/%s/%s' % (groups[user].cn, user))}">Approve</a>
|
href="${tg.url('/group/sponsor/%s/%s' % (groups[user].cn, user))}">Sponsor</a>
|
||||||
|
<a py:if="not group.fedoraGroupNeedsSponsor.upper() == 'TRUE'"
|
||||||
|
href="${tg.url('/group/sponsor/%s/%s' % (groups[user].cn, user))}">Approve</a>
|
||||||
|
</li>
|
||||||
|
<li py:if="auth.canRemoveUser(tg.identity.user.user_name, group.cn, userName)">
|
||||||
|
<a href="${tg.url('/group/remove/%s/%s' % (groups[user].cn, user))}">Remove</a>
|
||||||
|
</li>
|
||||||
|
<li py:if="auth.canUpgradeUser(tg.identity.user.user_name, group.cn, userName)">
|
||||||
|
<a href="${tg.url('/group/upgrade/%s/%s' % (groups[user].cn, user))}">Upgrade</a>
|
||||||
|
</li>
|
||||||
|
<li py:if="auth.canDowngradeUser(tg.identity.user.user_name, group.cn, userName)">
|
||||||
|
<a href="${tg.url('/group/downgrade/%s/%s' % (groups[user].cn, user))}">Downgrade</a>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="${tg.url('/group/remove/%s/%s' % (groups[user].cn, user))}">Delete</a></li>
|
|
||||||
<li><a href="${tg.url('/group/upgrade/%s/%s' % (groups[user].cn, user))}">Upgrade</a></li>
|
|
||||||
<li><a href="${tg.url('/group/downgrade/%s/%s' % (groups[user].cn, user))}">Downgrade</a></li>
|
|
||||||
</ul>
|
</ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
|
@ -51,7 +51,7 @@
|
||||||
<li><a href="/">Invite a New Member...</a></li>
|
<li><a href="/">Invite a New Member...</a></li>
|
||||||
<li py:if="auth.canSponsorGroup(user.cn, group)"><a href="${tg.url('/group/view/%s' % group)}">View All Pending Group Membership Requests...</a></li>
|
<li py:if="auth.canSponsorGroup(user.cn, group)"><a href="${tg.url('/group/view/%s' % group)}">View All Pending Group Membership Requests...</a></li>
|
||||||
<li><a href="${tg.url('/group/view/%s' % group)}">Manage Group Membership...</a></li>
|
<li><a href="${tg.url('/group/view/%s' % group)}">Manage Group Membership...</a></li>
|
||||||
<li py:if="auth.canAdminGroup(user.cn, group)"><a href="${tg.url('/group/edit/%s' % group)}">Manage Group Details...</a></li>
|
<li py:if="auth.canEditGroup(user.cn, group)"><a href="${tg.url('/group/edit/%s' % group)}">Manage Group Details...</a></li>
|
||||||
</ul>
|
</ul>
|
||||||
</dd>
|
</dd>
|
||||||
<div py:if="auth.canSponsorGroup(user.cn, group)" py:strip="">
|
<div py:if="auth.canSponsorGroup(user.cn, group)" py:strip="">
|
||||||
|
|
|
@ -10,7 +10,7 @@ from fas.fasLDAP import Person
|
||||||
from fas.fasLDAP import Groups
|
from fas.fasLDAP import Groups
|
||||||
from fas.fasLDAP import UserGroup
|
from fas.fasLDAP import UserGroup
|
||||||
|
|
||||||
from fas.auth import isAdmin, canAdminGroup, canSponsorGroup, canEditUser
|
from fas.auth import *
|
||||||
|
|
||||||
class knownUser(validators.FancyValidator):
|
class knownUser(validators.FancyValidator):
|
||||||
'''Make sure that a user already exists'''
|
'''Make sure that a user already exists'''
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue