Require special privileges (controlled by canViewGroup) to view groups matched by privileged_view_groups in app.cfg (ex. ^cla_.*).

2007-09-07 21:13:18 -07:00 · 2007-09-07 21:13:18 -07:00 · c71113d07d
commit c71113d07d
parent be7a9278f0
4 changed files with 53 additions and 20 deletions
--- a/fas/fas/auth.py
+++ b/fas/fas/auth.py
@ -5,6 +5,8 @@ from fas.fasLDAP import Person
 from fas.fasLDAP import Groups
 from fas.fasLDAP import UserGroup

+import re
+
 ADMINGROUP = config.get('admingroup')

 def isAdmin(userName, g=None):
@ -79,6 +81,20 @@ def canEditGroup(userName, groupName, g=None):
    else:
        return False

+def canViewGroup(userName, groupName, g=None):
+    # If the group matched by privileged_view_groups, then
+    # only people that can admin the group can view it
+    privilegedViewGroups = config.get('privileged_view_groups')
+    if re.compile(privilegedViewGroups).match(groupName):
+        if not g:
+            g = Groups.byUserName(userName)
+        if canAdminGroup(userName, groupName):
+            return True
+        else:
+            return False
+    else:
+        return True
+
 def canApplyGroup(userName, groupName, applyUserName, g=None):
    # This is where we could make groups depend on other ones.
    if not g:
--- a/fas/fas/config/app.cfg
+++ b/fas/fas/config/app.cfg
@ -130,6 +130,8 @@ identity.provider='safas2'

 # identity.soprovider.encryption_algorithm=None

+privileged_view_groups = "(^cla_.*)"
+
 # compress the data sends to the web browser
 # [/] 
 # gzip_filter.on = True
--- a/fas/fas/group.py
+++ b/fas/fas/group.py
@ -83,24 +83,30 @@ class Group(controllers.Controller):
    @identity.require(turbogears.identity.not_anonymous())
    def view(self, groupName):
        '''View group'''
-        groups = Groups.byGroupName(groupName, includeUnapproved=True)
-        group = Groups.groups(groupName)[groupName]
        userName = turbogears.identity.current.user_name
-        try:
-            myStatus = groups[userName].fedoraRoleStatus
-        except KeyError:
-            # Not in group
-            myStatus = 'Not a Member' # This _has_ to stay 'Not a Member'
-        except TypeError:
-            groups = {}
-        try:
-            me = groups[userName]
-        except:
-            me = UserGroup()
-        #searchUserForm.groupName.display('group')
-        #findUser.groupName.display(value='fff')
-        value = {'groupName': groupName}
-        return dict(userName=userName, groups=groups, group=group, me=me, value=value)
+        if not canViewGroup(userName, groupName):
+            turbogears.flash(_("You cannot view '%s'") % groupName)
+            turbogears.redirect('/group/list')
+            return dict()
+        else:
+            groups = Groups.byGroupName(groupName, includeUnapproved=True)
+            group = Groups.groups(groupName)[groupName]
+            userName = turbogears.identity.current.user_name
+            try:
+                myStatus = groups[userName].fedoraRoleStatus
+            except KeyError:
+                # Not in group
+                myStatus = 'Not a Member' # This _has_ to stay 'Not a Member'
+            except TypeError:
+                groups = {}
+            try:
+                me = groups[userName]
+            except:
+                me = UserGroup()
+            #searchUserForm.groupName.display('group')
+            #findUser.groupName.display(value='fff')
+            value = {'groupName': groupName}
+            return dict(userName=userName, groups=groups, group=group, me=me, value=value)

    @expose(template="fas.templates.group.new")
    @identity.require(turbogears.identity.not_anonymous())
@ -341,7 +347,13 @@ class Group(controllers.Controller):
    @error_handler(error)
    @expose(template="genshi-text:fas.templates.group.dump", format="text", content_type='text/plain; charset=utf-8')
    @identity.require(turbogears.identity.not_anonymous())
-    def dump(self, groupName=None):
-        groups = Groups.byGroupName(groupName)
-        return dict(groups=groups, Person=Person)
+    def dump(self, groupName):
+        userName = turbogears.identity.current.user_name
+        if not canViewGroup(userName, groupName):
+            turbogears.flash(_("You cannot view '%s'") % groupName)
+            turbogears.redirect('/group/list')
+            return dict()
+        else:
+            groups = Groups.byGroupName(groupName)
+            return dict(groups=groups, Person=Person)

--- a/fas/fas/templates/group/list.html
+++ b/fas/fas/templates/group/list.html
@ -7,6 +7,7 @@
    <title>Groups List</title>
  </head>
  <body>
+    <?python from fas import auth ?>
    <h2>List (${search})</h2>
    <h3>Search Groups</h3>
    <form method="get" action="${tg.url('/group/list')}">
@ -28,6 +29,7 @@
      </thead>
      <tbody>
        <tr py:for="group in sorted(groups.keys())">
+        <div py:if="auth.canViewGroup(tg.identity.user.user_name, groups[group].cn)" py:strip="">
          <td><a href="${tg.url('/group/view/%s' % groups[group].cn)}">${groups[group].cn}</a></td>
          <td>${groups[group].fedoraGroupDesc}</td>
          <td>
@ -37,6 +39,7 @@
            </a>
            <a py:if="groups[group].cn not in myGroups" href="${tg.url('/group/apply/%s/%s' % (groups[group].cn, tg.identity.user.user_name))}"><span>Apply</span></a>
          </td>
+        </div>
        </tr>
      </tbody>
    </table>