def _validate_user_roles(self): id_manager = user_store.IdentityManager() user = self._get_target_user() project = id_manager.get_project(self.project_id) # user roles current_roles = id_manager.get_roles(user, project) current_role_names = {role.name for role in current_roles} # NOTE(adriant): Only allow someone to edit roles if all roles from # the target user can be managed by editor. can_manage_roles = user_store.get_managable_roles( self.action.task.keystone_user['roles']) if not set(can_manage_roles).issuperset(current_role_names): self.add_note('Not all target user roles are manageable.') return False if self.remove: remaining = set(current_role_names) & set(self.roles) if not remaining: self.action.state = "complete" self.add_note("User doesn't have roles to remove.") else: self.roles = list(remaining) self.add_note('User has roles to remove.') else: missing = set(self.roles) - set(current_role_names) if not missing: self.action.state = "complete" self.add_note('User already has roles.') else: self.roles = list(missing) self.add_note('User user missing roles.') # All paths are valid here # We've just set state and roles that need to be changed. return True
def are_roles_managable(self, user_roles=[], requested_roles=[]): requested_roles = set(requested_roles) # blacklist checks blacklist_roles = set(['admin']) if len(blacklist_roles & requested_roles) > 0: return False # user managable role managable_roles = user_store.get_managable_roles(user_roles) intersection = set(managable_roles) & requested_roles # if all requested roles match, we can proceed return intersection == requested_roles
def get(self, request): """Returns a list of roles that may be managed for this project""" # get roles for this user on the project user_roles = request.keystone_user['roles'] managable_role_names = user_store.get_managable_roles(user_roles) id_manager = user_store.IdentityManager() # look up role names and form output dict of valid roles managable_roles = [] for role_name in managable_role_names: role = id_manager.find_role(role_name) if role: managable_roles.append(role.to_dict()) return Response({'roles': managable_roles})
def get(self, request): """Get a list of all users who have been added to a project""" class_conf = settings.TASK_SETTINGS.get('edit_user', settings.DEFAULT_TASK_SETTINGS) role_blacklist = class_conf.get('role_blacklist', []) user_list = [] id_manager = user_store.IdentityManager() project_id = request.keystone_user['project_id'] project = id_manager.get_project(project_id) can_manage_roles = user_store.get_managable_roles( request.keystone_user['roles']) active_emails = set() for user in id_manager.list_users(project): skip = False roles = [] for role in user.roles: if role.name in role_blacklist: skip = True continue roles.append(role.name) if skip: continue email = getattr(user, 'email', '') enabled = getattr(user, 'enabled') user_status = 'Active' if enabled else 'Account Disabled' active_emails.add(email) user_list.append({ 'id': user.id, 'name': user.name, 'email': email, 'roles': roles, 'cohort': 'Member', 'status': user_status, 'manageable': set(can_manage_roles).issuperset(roles), }) # Get my active tasks for this project: project_tasks = models.Task.objects.filter(project_id=project_id, task_type="invite_user", completed=0, cancelled=0) registrations = [] for task in project_tasks: status = "Invited" for token in task.tokens: if token.expired: status = "Expired" for notification in task.notifications: if notification.error: status = "Failed" task_data = {} for action in task.actions: task_data.update(action.action_data) registrations.append({ 'uuid': task.uuid, 'task_data': task_data, 'status': status }) for task in registrations: # NOTE(adriant): commenting out for now as it causes more confusion # than it helps. May uncomment once different duplication checking # measures are in place. # if task['task_data']['email'] not in active_emails: user = { 'id': task['uuid'], 'name': task['task_data']['email'], 'email': task['task_data']['email'], 'roles': task['task_data']['roles'], 'cohort': 'Invited', 'status': task['status'] } if not settings.USERNAME_IS_EMAIL: user['name'] = task['task_data']['username'] user_list.append(user) return Response({'users': user_list})