Add RolesMixin to group view set

re #9604
pulp · Dec 9, 2021 · 1e8203f · 1e8203f
1 parent eff385d
commit 1e8203f
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 2 deletions.
diff --git a/CHANGES/9604.feature b/CHANGES/9604.feature
@@ -0,0 +1 @@
+Added object specific endpoints ``{list,add}_roles``, ``remove_roles`` and ``my_permissions`` to tasks and groups viewsets.
diff --git a/pulpcore/app/migrations/0083_alter_group_options.py b/pulpcore/app/migrations/0083_alter_group_options.py
@@ -0,0 +1,17 @@
+# Generated by Django 3.2.9 on 2021-12-06 16:28
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0082_add_manage_roles_permissions'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='group',
+            options={'permissions': [('manage_roles_group', 'Can manage role assignments on group')]},
+        ),
+    ]
diff --git a/pulpcore/app/models/access_policy.py b/pulpcore/app/models/access_policy.py
@@ -307,3 +307,6 @@ class Group(LifecycleModelMixin, BaseGroup, AutoAddObjPermsMixin):
 
     class Meta:
         proxy = True
+        permissions = [
+            ("manage_roles_group", "Can manage role assignments on group"),
+        ]
diff --git a/pulpcore/app/viewsets/user.py b/pulpcore/app/viewsets/user.py
@@ -19,7 +19,7 @@
 
 from pulpcore.app.models import Group
 from pulpcore.app.models.role import GroupRole, Role, UserRole
-from pulpcore.app.viewsets import BaseFilterSet, NamedModelViewSet, NAME_FILTER_OPTIONS
+from pulpcore.app.viewsets import BaseFilterSet, NamedModelViewSet, RolesMixin, NAME_FILTER_OPTIONS
 from pulpcore.app.serializers import (
     GroupSerializer,
     GroupUserSerializer,
@@ -107,6 +107,7 @@ class GroupViewSet(
     mixins.RetrieveModelMixin,
     mixins.ListModelMixin,
     mixins.DestroyModelMixin,
+    RolesMixin,
 ):
     """
     ViewSet for Group.
@@ -138,7 +139,7 @@ class GroupViewSet(
                 "condition": "has_model_perms:core.add_group",
             },
             {
-                "action": ["retrieve"],
+                "action": ["retrieve", "my_permissions"],
                 "principal": "authenticated",
                 "effect": "allow",
                 "condition": "has_model_or_obj_perms:core.view_group",
@@ -155,6 +156,12 @@ class GroupViewSet(
                 "effect": "allow",
                 "condition": "has_model_or_obj_perms:core.delete_group",
             },
+            {
+                "action": ["list_roles", "add_role", "remove_role"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": ["has_model_or_obj_perms:auth.manage_roles_group"],
+            },
         ],
         "creation_hooks": [
             {
@@ -172,6 +179,7 @@ class GroupViewSet(
             "core.view_group",
             "core.change_group",
             "core.delete_group",
+            "core.manage_roles_group",
         ],
         "core.group_viewer": [
             "core.view_group",