feat(account): Distinguish between staff and superuser

2025-01-28 08:54:48 +01:00 · 2025-01-28 08:54:48 +01:00 · 0e22a71df6
commit 0e22a71df6
parent 2b08dfa40e
3 changed files with 11 additions and 7 deletions
--- a/src/app/settings.py
+++ b/src/app/settings.py
@ -235,6 +235,9 @@ ACCOUNT_AUTHENTICATION_METHOD = "username"
 AUTH_PASSWORD_VALIDATORS = []
 AUTH_USER_MODEL = "dgsi.User"

+DGSI_STAFF_GROUP = credentials.get("STAFF_GROUP", "dgnum_admins@sso.dgnum.eu")
+DGSI_SUPERUSER_GROUP = credentials.get("SUPERUSER_GROUP", "dgnum_admins@sso.dgnum.eu")
+

 ###
 # Internationalization configuration
--- a/src/dgsi/models.py
+++ b/src/dgsi/models.py
@ -6,6 +6,7 @@ from typing import Optional, Self
 from aiohttp.client_exceptions import ClientConnectorError
 from allauth.socialaccount.models import SocialAccount
 from asgiref.sync import async_to_sync
+from django.conf import settings
 from django.contrib.auth.models import AbstractUser
 from django.core.files import storage
 from django.db import models
@ -18,8 +19,6 @@ from kanidm.models.person import Person

 from shared.kanidm import klient

-ADMIN_GROUP = "dgnum_admins@sso.dgnum.eu"
-

 class Service(models.Model):
    name = models.CharField(_("Nom du service proposé"), max_length=255)
@ -200,9 +199,10 @@ class User(AbstractUser):

    @property
    def is_admin(self) -> bool:
-        return (self.kanidm is not None) and (
-            ADMIN_GROUP in self.kanidm.person.memberof
-        )
+        return self.part_of(settings.DGSI_STAFF_GROUP)
+
+    def part_of(self, group: str) -> bool:
+        return (self.kanidm is not None) and group in self.kanidm.person.memberof

    def can_access_archive(self, archive: Archive) -> bool:
        # Prepare a more complex workflow
--- a/src/shared/account.py
+++ b/src/shared/account.py
@ -5,6 +5,7 @@ from typing import Optional
 from allauth.core.exceptions import ImmediateHttpResponse
 from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
 from allauth.socialaccount.models import SocialLogin
+from django.conf import settings
 from django.contrib import messages
 from django.http import HttpRequest, HttpResponseRedirect
 from django.urls import reverse
@ -91,8 +92,8 @@ class SharedAccountAdapter(DefaultSocialAccountAdapter):
        u.username = self._get_username(request, sociallogin)

        # Update the global permissions
-        u.is_staff = u.is_admin
-        u.is_superuser = u.is_admin
+        u.is_superuser = u.part_of(settings.DGSI_SUPERUSER_GROUP)
+        u.is_staff = u.is_superuser or u.part_of(settings.DGSI_STAFF_GROUP)

        # Save the updated user if needed
        if sociallogin.is_existing: