User: améliore détermination droit modif mot de passe + affichage

2025-01-17 20:06:20 +01:00 · 2025-01-17 20:06:20 +01:00 · 60d31a5e6f
commit 60d31a5e6f
parent 31c64ef2e7
4 changed files with 21 additions and 7 deletions
--- a/app/scodoc/sco_permissions_check.py
+++ b/app/scodoc/sco_permissions_check.py
@ -65,9 +65,9 @@ def check_access_diretud(formsemestre: FormSemestre):
    return True, ""


-def can_handle_passwd(user: User, allow_admindepts=False) -> bool:
+def can_handle_passwd(user: User, allow_admin_depts=False) -> bool:
    """True if the current user can see or change passwd info of user.
-    If allow_admindepts, allow Admin from all depts (so they can view users from other depts
+    If allow_admin_depts, allow Admin from all depts (so they can view users from other depts
    and add roles to them).
    user is a User instance.
    """
@ -81,9 +81,17 @@ def can_handle_passwd(user: User, allow_admindepts=False) -> bool:
    # If don't have permission in the current dept, abort
    if not current_user.has_permission(Permission.UsersAdmin, g.scodoc_dept):
        return False
+    # Si le compte est dans un département et que l'on est admin. user de ce dept:
+    if user.dept and current_user.has_permission(Permission.UsersAdmin, user.dept):
+        return True
    # Now check that current_user can manage users from this departement
    if not current_user.dept:
-        return True  # if no dept, can access users from all depts !
-    if (current_user.dept == user.dept) or allow_admindepts:
+        # if no dept, and perm. admin on g.scodoc_dept, can access users from all depts !
+        return True
+    if (
+        current_user.dept
+        and ((current_user.dept == user.dept) or allow_admin_depts)
+        and current_user.has_permission(Permission.UsersAdmin, current_user.dept)
+    ):
        return True
    return False
--- a/app/scodoc/sco_users.py
+++ b/app/scodoc/sco_users.py
@ -163,7 +163,7 @@ def list_users(
    rows = []
    for u in users:
        # Can current user modify this user ?
-        can_modify = can_handle_passwd(u, allow_admindepts=True)
+        can_modify = can_handle_passwd(u, allow_admin_depts=True)

        d = u.to_dict()
        rows.append(d)
--- a/app/templates/auth/user_info_page.j2
+++ b/app/templates/auth/user_info_page.j2
@ -7,7 +7,13 @@
 <div class="user_info">
 <h2>Utilisateur: {{user.user_name}} ({{'actif' if user.active else 'fermé'}})</h2>
 <div class="user_basics">
-    <b>Login :</b> {{user.user_name}}<br>
+    <b>Login :</b> {{user.user_name}}
+    {% if ScoDocSiteConfig.is_cas_enabled() %}
+    (connexion via ce login ScoDoc
+        {% if user.cas_allow_scodoc_login %}autorisée{% else %}<span class="fontred">interdite</span>
+        {% endif %})
+    {% endif -%}
+    <br>
    <b>CAS id:</b> {{user.cas_id or "(aucun)"}}
    {% if ScoDocSiteConfig.is_cas_enabled() %}
        (CAS {{'autorisé' if user.cas_allow_login else 'interdit'}} pour cet utilisateur)
--- a/app/views/users.py
+++ b/app/views/users.py
@ -986,7 +986,7 @@ def user_info_page(user_name=None):
    if user_name is not None:  # scodoc7func converti en int !
        user_name = str(user_name)
    # peut-on divulguer ces infos ?
-    if not can_handle_passwd(current_user, allow_admindepts=True):
+    if not can_handle_passwd(current_user, allow_admin_depts=True):
        raise AccessDenied("Vous n'avez pas la permission de voir cette page")

    dept = g.scodoc_dept