Diffstat (limited to 'postgresqleu')
-rw-r--r-- | postgresqleu/settings.py | 2 | ||||
-rw-r--r-- | postgresqleu/util/apps.py | 23 | ||||
-rw-r--r-- | postgresqleu/util/auth.py | 11 |
3 files changed, 35 insertions, 1 deletions
diff --git a/postgresqleu/settings.py b/postgresqleu/settings.py
index 36c643c5..dd79a3c9 100644
--- a/postgresqleu/settings.py
+++ b/postgresqleu/settings.py
@@ -105,7 +105,7 @@ INSTALLED_APPS = [
 'postgresqleu.mailqueue',
 'postgresqleu.invoices',
 'postgresqleu.accounting',
- 'postgresqleu.util',
+ 'postgresqleu.util.apps.UtilAppConfig',
 'postgresqleu.trustlypayment',
 'postgresqleu.braintreepayment',
 'postgresqleu.transferwise',
diff --git a/postgresqleu/util/apps.py b/postgresqleu/util/apps.py
new file mode 100644
index 00000000..69d00264
--- /dev/null
+++ b/postgresqleu/util/apps.py
@@ -0,0 +1,23 @@
+from django.apps import AppConfig, apps
+from django.db.models.signals import post_migrate
+from django.db import transaction
+
+from .auth import PERMISSION_GROUPS
+
+
+def handle_post_migrate(sender, **kwargs):
+ # Ensure all permissions groups exist
+ # (yes, we have a hardcoded list..)
+ with transaction.atomic():
+ Group = apps.get_model('auth', 'Group')
+ for g in PERMISSION_GROUPS:
+ g, created = Group.objects.get_or_create(name=g)
+ if created:
+ print("Created access group {0}".format(g))
+
+
+class UtilAppConfig(AppConfig):
+ name = 'postgresqleu.util'
+
+ def ready(self):
+ post_migrate.connect(handle_post_migrate, sender=self)
diff --git a/postgresqleu/util/auth.py b/postgresqleu/util/auth.py
index bdb5bd7d..d6a05eba 100644
--- a/postgresqleu/util/auth.py
+++ b/postgresqleu/util/auth.py
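Review bot: `handle_post_migrate` in apps.py ignores the `using` value that post_migrate passes in `kwargs`, so `transaction.atomic()` and `Group.objects.get_or_create(...)` always run against the default database, even when a different alias was migrated. If more than one database can ever be migrated here, pass it through with `with transaction.atomic(using=kwargs['using']):` and `Group.objects.using(kwargs['using']).get_or_create(name=name)`. The loop also rebinds `g` from the group name to the Group instance, and a separate loop variable such as `name` would keep the two apart. Django emits post_migrate only for app configs that have a models module, so it is worth confirming that `postgresqleu.util` has one; otherwise this handler never runs and the groups that `authenticate_backend_group` checks are never created.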
@@ -5,10 +5,21 @@ from django.conf import settings import urllib.parse +PERMISSION_GROUPS = ( + 'Invoice managers', + 'News administrators', + 'Membership administrators', + 'Election administrators', +) + + def authenticate_backend_group(request, groupname): if not request.user.is_authenticated: raise RedirectException("{0}?{1}".format(settings.LOGIN_URL, urllib.parse.urlencode({'next': request.build_absolute_uri()}))) + if groupname not in PERMISSION_GROUPS: + raise PermissionDenied("Group name not known") + if request.user.is_superuser: return if request.user.groups.filter(name=groupname).exists(): |
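Review bot: The new `groupname not in PERMISSION_GROUPS` branch turns a misspelled group name in a caller into an ordinary 403 with nothing recorded, so a typo in a view would look like a normal access denial. Failing closed before the `is_superuser` shortcut is the safe choice, but it deserves a comment saying so, for example `# Unknown group is a caller bug: deny everyone, superusers included`, and a log line if the module has a logger. The hunk starts at line 5, so confirm that `PermissionDenied` is imported in the lines above it. The comparison is an exact, case-sensitive match against the tuple, and the body of `authenticate_backend_group` continues past the end of the hunk.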