#4969: Remove user and group assignment from SecretRole

2024-05-10 07:54:54 +00:00 · 2020-08-07 16:19:18 -04:00
parent aca3ca9d65
commit e6bc55af85
13 changed files with 93 additions and 117 deletions
--- a/netbox/users/migrations/0009_replicate_permissions.py
+++ b/netbox/users/migrations/0009_replicate_permissions.py
@ -1,5 +1,5 @@
 from django.db import migrations
-
+from django.db.models import Q

 ACTIONS = ['view', 'add', 'change', 'delete']

@ -10,6 +10,7 @@ def replicate_permissions(apps, schema_editor):
    """
    Permission = apps.get_model('auth', 'Permission')
    ObjectPermission = apps.get_model('users', 'ObjectPermission')
+    SecretRole = apps.get_model('secrets', 'SecretRole')

    # TODO: Optimize this iteration so that ObjectPermissions with identical sets of users and groups
    # are combined into a single ObjectPermission instance.
@ -24,17 +25,39 @@ def replicate_permissions(apps, schema_editor):
            action = perm.codename

        if perm.group_set.exists() or perm.user_set.exists():
-            obj_perm = ObjectPermission(
-                # Copy name from original Permission object
-                name=f'{perm.content_type.app_label}.{perm.codename}'[:100],
-                actions=[action]
-            )
-            obj_perm.save()
-            obj_perm.object_types.add(perm.content_type)
-            if perm.group_set.exists():
-                obj_perm.groups.add(*list(perm.group_set.all()))
-            if perm.user_set.exists():
-                obj_perm.users.add(*list(perm.user_set.all()))
+
+            # Handle replication of SecretRole user/group assignments for Secrets
+            if perm.codename == 'view_secret':
+                for secretrole in SecretRole.objects.prefetch_related('users', 'groups'):
+                    obj_perm = ObjectPermission(
+                        name=f'{perm.content_type.app_label}.{perm.codename} ({secretrole.name})'[:100],
+                        actions=[action],
+                        constraints={'role__name': secretrole.name}
+                    )
+                    obj_perm.save()
+                    obj_perm.object_types.add(perm.content_type)
+                    # Assign only users/groups who both a) are assigned to the SecretRole and b) have the view_secret
+                    # permission
+                    obj_perm.groups.add(
+                        *list(secretrole.groups.filter(permissions=perm))
+                    )
+                    obj_perm.users.add(*list(secretrole.users.filter(
+                        Q(user_permissions=perm) | Q(groups__permissions=perm)
+                    )))
+
+            else:
+                obj_perm = ObjectPermission(
+                    # Copy name from original Permission object
+                    name=f'{perm.content_type.app_label}.{perm.codename}'[:100],
+                    actions=[action]
+                )
+                obj_perm.save()
+                obj_perm.object_types.add(perm.content_type)
+
+                if perm.group_set.exists():
+                    obj_perm.groups.add(*list(perm.group_set.all()))
+                if perm.user_set.exists():
+                    obj_perm.users.add(*list(perm.user_set.all()))


 class Migration(migrations.Migration):