Checks access in workspaces administration page

tracim/tracim/controllers/admin/workspace.py

         user = tmpl_context.current_user
         workspace_api_controller = WorkspaceApi(user)
 
-        workspaces = workspace_api_controller.get_all()
+        workspaces = workspace_api_controller.get_all_manageable_for_user(user)
 
         current_user_content = Context(CTX.CURRENT_USER).toDict(user)
         fake_api = Context(CTX.ADMIN_WORKSPACE).toDict({'current_user': current_user_content})

tracim/tracim/lib/workspace.py

 
 from sqlalchemy.orm import Query
 from tg.i18n import ugettext as _
+from typing import List
 
 from tracim.lib.userworkspace import RoleApi
 from tracim.model.auth import Group
         workspaces.sort(key=lambda workspace: workspace.label.lower())
         return workspaces
 
+    def get_all_manageable_for_user(self, user: User) -> List[Workspace]:
+        """Get all workspaces the given user has manager rights on."""
+        workspaces = []
+        if user.profile.id == Group.TIM_ADMIN:
+            workspaces = self._base_query().order_by(Workspace.label).all()
+        elif user.profile.id == Group.TIM_MANAGER:
+            workspaces = self._base_query() \
+                .filter(
+                    UserRoleInWorkspace.role ==
+                    UserRoleInWorkspace.WORKSPACE_MANAGER
+                ) \
+                .order_by(Workspace.label) \
+                .all()
+        return workspaces
+
     def disable_notifications(self, user: User, workspace: Workspace):
         for role in user.roles:
             if role.workspace==workspace:

tracim/tracim/tests/library/test_workspace.py

 from nose.tools import eq_
 
 from tracim.lib.content import ContentApi
+from tracim.lib.group import GroupApi
 from tracim.lib.user import UserApi
 from tracim.lib.userworkspace import RoleApi
 from tracim.lib.workspace import WorkspaceApi
 from tracim.model import Content
 from tracim.model import DBSession
 from tracim.model import User
+from tracim.model.auth import Group
 from tracim.model.data import UserRoleInWorkspace
 from tracim.model.data import Workspace
 from tracim.tests import BaseTestThread
         eq_([r, ], wapi.get_notifiable_roles(workspace=w))
         u.is_active = False
         eq_([], wapi.get_notifiable_roles(workspace=w))
+
+    def test_unit__get_all_admin_for_user(self):
+        admin = DBSession.query(User) \
+            .filter(User.email == 'admin@admin.admin').one()
+        uapi = UserApi(admin)
+        # Checks a case without workspaces.
+        wapi = WorkspaceApi(current_user=admin)
+        eq_([], wapi.get_all_manageable_for_user(user=admin))
+        # Checks an admin gets all workspaces.
+        w4 = wapi.create_workspace(label='w4')
+        w3 = wapi.create_workspace(label='w3')
+        w2 = wapi.create_workspace(label='w2')
+        w1 = wapi.create_workspace(label='w1')
+        eq_([w1, w2, w3, w4], wapi.get_all_manageable_for_user(user=admin))
+        # Checks a regular user gets none workspace.
+        gapi = GroupApi(None)
+        u = uapi.create_user('u.s@e.r', [gapi.get_one(Group.TIM_USER)], True)
+        wapi = WorkspaceApi(current_user=u)
+        rapi = RoleApi(current_user=u)
+        off = 'off'
+        rapi.create_one(u, w4, UserRoleInWorkspace.READER, off)
+        rapi.create_one(u, w3, UserRoleInWorkspace.CONTRIBUTOR, off)
+        rapi.create_one(u, w2, UserRoleInWorkspace.CONTENT_MANAGER, off)
+        rapi.create_one(u, w1, UserRoleInWorkspace.WORKSPACE_MANAGER, off)
+        eq_([], wapi.get_all_manageable_for_user(user=u))
+        # Checks a manager gets only its own workspaces.
+        u.groups.append(gapi.get_one(Group.TIM_MANAGER))
+        rapi.delete_one(u.user_id, w2.workspace_id)
+        rapi.create_one(u, w2, UserRoleInWorkspace.WORKSPACE_MANAGER, off)
+        eq_([w1, w2], wapi.get_all_manageable_for_user(user=u))