Merge pull request #333 from tracim/fix/328/admin_workspaces_access

tracim/tracim/controllers/admin/workspace.py

@@ -157,17 +157,21 @@ class WorkspaceRestController(TIMRestController, BaseController):
 
     @tg.expose('tracim.templates.admin.workspace_getall')
     def get_all(self, *args, **kw):
-
         user = tmpl_context.current_user
         workspace_api_controller = WorkspaceApi(user)
-
-        workspaces = workspace_api_controller.get_all()
-
+        workspaces = workspace_api_controller.get_all_manageable()
         current_user_content = Context(CTX.CURRENT_USER).toDict(user)
-        fake_api = Context(CTX.ADMIN_WORKSPACE).toDict({'current_user': current_user_content})
-
-        dictified_workspaces = Context(CTX.ADMIN_WORKSPACES).toDict(workspaces, 'workspaces', 'workspace_nb')
-        return DictLikeClass(result = dictified_workspaces, fake_api=fake_api)
+        fake_api = Context(CTX.ADMIN_WORKSPACE) \
+            .toDict(
+                {'current_user': current_user_content}
+            )
+        dictified_workspaces = Context(CTX.ADMIN_WORKSPACES) \
+            .toDict(
+                workspaces,
+                'workspaces',
+                'workspace_nb',
+            )
+        return DictLikeClass(result=dictified_workspaces, fake_api=fake_api)
 
     @tg.expose('tracim.templates.admin.workspace_getone')
     def get_one(self, workspace_id):

tracim/tracim/lib/workspace.py

@@ -1,15 +1,16 @@
 # -*- coding: utf-8 -*-
-import transaction
+import typing
 
 from sqlalchemy.orm import Query
 from tg.i18n import ugettext as _
+import transaction
 
 from tracim.lib.userworkspace import RoleApi
+from tracim.model import DBSession
 from tracim.model.auth import Group
 from tracim.model.auth import User
-from tracim.model.data import Workspace
 from tracim.model.data import UserRoleInWorkspace
-from tracim.model import DBSession
+from tracim.model.data import Workspace
 
 __author__ = 'damien'
 
@@ -101,6 +102,21 @@ class WorkspaceApi(object):
         workspaces.sort(key=lambda workspace: workspace.label.lower())
         return workspaces
 
+    def get_all_manageable(self) -> typing.List[Workspace]:
+        """Get all workspaces the current user has manager rights on."""
+        workspaces = []  # type: typing.List[Workspace]
+        if self._user.profile.id == Group.TIM_ADMIN:
+            workspaces = self._base_query().order_by(Workspace.label).all()
+        elif self._user.profile.id == Group.TIM_MANAGER:
+            workspaces = self._base_query() \
+                .filter(
+                    UserRoleInWorkspace.role ==
+                    UserRoleInWorkspace.WORKSPACE_MANAGER
+                ) \
+                .order_by(Workspace.label) \
+                .all()
+        return workspaces
+
     def disable_notifications(self, user: User, workspace: Workspace):
         for role in user.roles:
             if role.workspace==workspace:

tracim/tracim/tests/library/test_workspace.py

@@ -2,12 +2,14 @@
 from nose.tools import eq_
 
 from tracim.lib.content import ContentApi
+from tracim.lib.group import GroupApi
 from tracim.lib.user import UserApi
 from tracim.lib.userworkspace import RoleApi
 from tracim.lib.workspace import WorkspaceApi
 from tracim.model import Content
 from tracim.model import DBSession
 from tracim.model import User
+from tracim.model.auth import Group
 from tracim.model.data import UserRoleInWorkspace
 from tracim.model.data import Workspace
 from tracim.tests import BaseTestThread
@@ -41,3 +43,33 @@ class TestThread(BaseTestThread, TestStandard):
         eq_([r, ], wapi.get_notifiable_roles(workspace=w))
         u.is_active = False
         eq_([], wapi.get_notifiable_roles(workspace=w))
+
+    def test_unit__get_all_manageable(self):
+        admin = DBSession.query(User) \
+            .filter(User.email == 'admin@admin.admin').one()
+        uapi = UserApi(admin)
+        # Checks a case without workspaces.
+        wapi = WorkspaceApi(current_user=admin)
+        eq_([], wapi.get_all_manageable())
+        # Checks an admin gets all workspaces.
+        w4 = wapi.create_workspace(label='w4')
+        w3 = wapi.create_workspace(label='w3')
+        w2 = wapi.create_workspace(label='w2')
+        w1 = wapi.create_workspace(label='w1')
+        eq_([w1, w2, w3, w4], wapi.get_all_manageable())
+        # Checks a regular user gets none workspace.
+        gapi = GroupApi(None)
+        u = uapi.create_user('u.s@e.r', [gapi.get_one(Group.TIM_USER)], True)
+        wapi = WorkspaceApi(current_user=u)
+        rapi = RoleApi(current_user=u)
+        off = 'off'
+        rapi.create_one(u, w4, UserRoleInWorkspace.READER, off)
+        rapi.create_one(u, w3, UserRoleInWorkspace.CONTRIBUTOR, off)
+        rapi.create_one(u, w2, UserRoleInWorkspace.CONTENT_MANAGER, off)
+        rapi.create_one(u, w1, UserRoleInWorkspace.WORKSPACE_MANAGER, off)
+        eq_([], wapi.get_all_manageable())
+        # Checks a manager gets only its own workspaces.
+        u.groups.append(gapi.get_one(Group.TIM_MANAGER))
+        rapi.delete_one(u.user_id, w2.workspace_id)
+        rapi.create_one(u, w2, UserRoleInWorkspace.WORKSPACE_MANAGER, off)
+        eq_([w1, w2], wapi.get_all_manageable())