Add realm user group membership change views

Author: np5

server/realms/forms.py

@@ -62,3 +62,19 @@ def get_queryset(self):
         if realm_group:
             qs = qs.filter(groups=realm_group)
         return qs
+
+
+class AddRealmUserToGroupForm(forms.Form):
+    realm_group = forms.ModelChoiceField(label="Realm Group", queryset=RealmGroup.objects.for_update(), required=True)
+
+    def __init__(self, *args, **kwargs):
+        self.realm_user = kwargs.pop("realm_user")
+        super().__init__(*args, **kwargs)
+        self.fields["realm_group"].queryset = self.fields["realm_group"].queryset.filter(
+          realm=self.realm_user.realm
+        ).exclude(
+          pk__in=[g.pk for g in self.realm_user.groups.all()]
+        ).order_by("display_name")
+
+    def save(self):
+        self.realm_user.groups.add(self.cleaned_data["realm_group"])

server/realms/models.py

@@ -105,10 +105,10 @@ def serialize_for_event(self, keys_only=False):
 
 class RealmGroupManager(models.Manager):
     def for_deletion(self):
-        return self.filter(scim_external_id__isnull=True)
+        return self.filter(scim_managed=False)
 
     def for_update(self):
-        return self.filter(scim_external_id__isnull=True)
+        return self.filter(scim_managed=False)
 
 
 class RealmGroup(models.Model):

server/realms/templates/realms/realmuser_add_to_group.html

@@ -0,0 +1,23 @@
+{% extends 'base.html' %}
+
+{% block content %}
+<ol class="breadcrumb">
+  <li class="breadcrumb-item"><a href="/">Home</a></li>
+  <li class="breadcrumb-item"><a href="{% url 'realms:index' %}">SSO</a></li>
+  <li class="breadcrumb-item"><a href="{% url 'realms:users' %}">Users</a></li>
+  <li class="breadcrumb-item"><a href="{{ realm_user.get_absolute_url }}">{{ realm_user }}</a></li>
+  <li class="breadcrumb-item active">add to group</li>
+</ol>
+
+<h2>Add <i>{{ realm_user }}</i> to group</h2>
+
+<form method="POST">{% csrf_token %}
+  {{ form }}
+  <p>
+    <a class="btn btn-outline-secondary" href="{{ realm_user.get_absolute_url }}">
+      Cancel
+    </a>
+    <button class="btn btn-primary" type="submit">Add</button>
+  </p>
+</form>
+{% endblock %}

server/realms/templates/realms/realmuser_detail.html

@@ -63,7 +63,14 @@ <h3 class="m-0 fs-5 text-secondary">Realm User</i></h3>
       </tr>
       {% with object.groups_with_types as groups_with_types %}
       <tr>
-        <td>Group{{ groups_with_types|length|pluralize }} ({{ groups_with_types|length }})</td>
+        <td>
+          Group{{ groups_with_types|length|pluralize }} ({{ groups_with_types|length }})
+          {% if not request.realm_authentication_session.is_remote  and perms.realms.change_realmgroup %}
+          <a class="btn btn-link" href="{% url 'realms:add_user_to_group' object.pk %}">
+            <i class="bi bi-plus-circle"></i>
+          </a>
+          {% endif %}
+        </td>
         <td>
           {% if groups_with_types %}
           <ul class="list-unstyled">
@@ -74,6 +81,11 @@ <h3 class="m-0 fs-5 text-secondary">Realm User</i></h3>
             {% else %}
             {{ group }} ({{ type }})
             {% endif %}
+            {% if not request.realm_authentication_session.is_remote and perms.realms.change_realmgroup and not group.scim_managed %}
+            <a class="btn btn-link" href="{% url 'realms:remove_user_from_group' object.pk group.pk %}">
+              <i class="bi bi-trash"></i>
+            </a>
+            {% endif %}
           </li>
           {% endfor %}
           </ul>

server/realms/templates/realms/realmuser_remove_from_group.html

@@ -0,0 +1,24 @@
+{% extends 'base.html' %}
+
+{% block content %}
+<ol class="breadcrumb">
+  <li class="breadcrumb-item"><a href="/">Home</a></li>
+  <li class="breadcrumb-item"><a href="{% url 'realms:index' %}">SSO</a></li>
+  <li class="breadcrumb-item"><a href="{% url 'realms:users' %}">Users</a></li>
+  <li class="breadcrumb-item"><a href="{{ realm_user.get_absolute_url }}">{{ realm_user }}</a></li>
+  <li class="breadcrumb-item active">remove from group</li>
+</ol>
+
+<h2>Remove <i>{{ realm_user }}</i> from group</h2>
+
+<form method="POST">{% csrf_token %}
+  <p>Do you really want to remove this user from the <i>{{ realm_group }}</i> group?</p>
+  <p>
+    <a class="btn btn-outline-secondary" href="{{ realm_user.get_absolute_url }}">
+      Cancel
+    </a>
+    <button class="btn btn-danger" type="submit">Remove</button>
+  </p>
+</form>
+
+{% endblock %}

server/realms/urls.py

@@ -10,6 +10,10 @@
     # users
     path('users/', views.RealmUserListView.as_view(), name='users'),
     path('users/<uuid:pk>/', views.RealmUserView.as_view(), name='user'),
+    path('users/<uuid:pk>/groups/add/', views.AddRealmUserToGroupView.as_view(),
+         name='add_user_to_group'),
+    path('users/<uuid:pk>/groups/<uuid:group_pk>/remove/', views.RemoveRealmUserFromGroupView.as_view(),
+         name='remove_user_from_group'),
 
     # groups
     path('groups/', views.RealmGroupListView.as_view(), name='groups'),

server/realms/views.py

@@ -8,11 +8,11 @@
 from django.http import Http404, HttpResponseRedirect
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse, reverse_lazy
-from django.views.generic import CreateView, DeleteView, DetailView, ListView, TemplateView, UpdateView, View
+from django.views.generic import CreateView, DeleteView, DetailView, FormView, ListView, TemplateView, UpdateView, View
 from zentral.conf import settings as zentral_settings
 from zentral.utils.views import UserPaginationListView
 from .backends.registry import backend_classes
-from .forms import RealmGroupSearchForm, RealmUserSearchForm
+from .forms import AddRealmUserToGroupForm, RealmGroupSearchForm, RealmUserSearchForm
 from .models import (Realm, RealmAuthenticationSession,
                      RealmGroup, RealmGroupMapping, RoleMapping,
                      RealmUser, RealmUserGroupMembership,
@@ -273,6 +273,59 @@ def get_context_data(self, **kwargs):
         return ctx
 
 
+class AddRealmUserToGroupView(LocalUserRequiredMixin, PermissionRequiredMixin, FormView):
+    permission_required = "realms.change_realmgroup"
+    template_name = "realms/realmuser_add_to_group.html"
+    form_class = AddRealmUserToGroupForm
+
+    def get_object(self):
+        self.realm_user = get_object_or_404(RealmUser, pk=self.kwargs["pk"])
+
+    def get_context_data(self, **kwargs):
+        self.get_object()
+        ctx = super().get_context_data(**kwargs)
+        ctx["realm_user"] = self.realm_user
+        return ctx
+
+    def get_form_kwargs(self):
+        self.get_object()
+        kwargs = super().get_form_kwargs()
+        kwargs["realm_user"] = self.realm_user
+        return kwargs
+
+    def form_valid(self, form):
+        form.save()
+        realm_group_members_updated.send_robust(self.__class__, realm=self.realm_user.realm, request=self.request)
+        return redirect(self.realm_user)
+
+
+class RemoveRealmUserFromGroupView(LocalUserRequiredMixin, PermissionRequiredMixin, TemplateView):
+    permission_required = "realms.change_realmgroup"
+    template_name = "realms/realmuser_remove_from_group.html"
+
+    def get_objects(self):
+        self.realm_user = get_object_or_404(RealmUser, pk=self.kwargs["pk"])
+        self.realm_group = get_object_or_404(
+            RealmGroup,
+            pk=self.kwargs["group_pk"],
+            realm=self.realm_user.realm,
+            scim_managed=False,
+        )
+
+    def get_context_data(self, **kwargs):
+        self.get_objects()
+        ctx = super().get_context_data(**kwargs)
+        ctx["realm_user"] = self.realm_user
+        ctx["realm_group"] = self.realm_group
+        return ctx
+
+    def post(self, request, *args, **kwargs):
+        self.get_objects()
+        self.realm_user.groups.remove(self.realm_group)
+        realm_group_members_updated.send_robust(self.__class__, realm=self.realm_user.realm, request=self.request)
+        return redirect(self.realm_user)
+
+
 # realm group mappings
 
 

tests/server_realms/test_realm_views.py

@@ -1139,6 +1139,86 @@ def test_realm_user_one_zentral_no_user_link(self):
         self.assertNotContains(response, user.get_absolute_url())
         self.assertContains(response, "Zentral user (1)")
 
+    # add realm user to group
+
+    def test_add_realm_user_to_group_login_redirect(self):
+        _, user = force_realm_user()
+        self.login_redirect("add_user_to_group", user.pk)
+
+    def test_add_realm_user_to_group_permission_denied(self):
+        _, user = force_realm_user()
+        self.login("realms.view_realmuser")
+        response = self.client.get(reverse("realms:add_user_to_group", args=(user.pk,)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_add_realm_user_to_group_get(self):
+        existing_group = force_realm_group()
+        realm, user = force_realm_user(realm=existing_group.realm, group=existing_group)
+        available_group = force_realm_group(realm=realm)
+        scim_group = force_realm_group(realm=realm)
+        scim_group.scim_managed = True
+        scim_group.save()
+        other_group = force_realm_group()
+        self.login("realms.change_realmgroup")
+        response = self.client.get(reverse("realms:add_user_to_group", args=(user.pk,)))
+        self.assertEqual(response.status_code, 200)
+        self.assertTemplateUsed(response, "realms/realmuser_add_to_group.html")
+        self.assertNotContains(response, existing_group.display_name)
+        self.assertContains(response, available_group.display_name)
+        self.assertNotContains(response, scim_group.display_name)
+        self.assertNotContains(response, other_group.display_name)
+
+    @patch("realms.views.realm_group_members_updated.send_robust")
+    def test_add_realm_user_to_group_post(self, send_robust):
+        scim_group = force_realm_group()
+        scim_group.scim_managed = True
+        scim_group.save()
+        realm, user = force_realm_user(realm=scim_group.realm, group=scim_group)
+        group = force_realm_group(realm=realm)
+        self.login("realms.change_realmgroup", "realms.view_realmuser")
+        response = self.client.post(reverse("realms:add_user_to_group", args=(user.pk,)),
+                                    {"realm_group": str(group.pk)},
+                                    follow=True)
+        self.assertEqual(response.status_code, 200)
+        self.assertTemplateUsed(response, "realms/realmuser_detail.html")
+        self.assertNotContains(response, reverse("realms:remove_user_from_group", args=(user.pk, scim_group.pk)))
+        self.assertContains(response, reverse("realms:remove_user_from_group", args=(user.pk, group.pk)))
+        send_robust.assert_called_once()
+
+    # remove realm user from group
+
+    def test_remove_realm_user_from_group_redirect(self):
+        group = force_realm_group()
+        _, user = force_realm_user(realm=group.realm, group=group)
+        self.login_redirect("remove_user_from_group", user.pk, group.pk)
+
+    def test_remove_realm_user_from_group_permission_denied(self):
+        group = force_realm_group()
+        _, user = force_realm_user(realm=group.realm, group=group)
+        self.login("realms.view_realmuser")
+        response = self.client.get(reverse("realms:remove_user_from_group", args=(user.pk, group.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_remove_realm_user_from_group_get(self):
+        group = force_realm_group()
+        _, user = force_realm_user(realm=group.realm, group=group)
+        self.login("realms.change_realmgroup")
+        response = self.client.get(reverse("realms:remove_user_from_group", args=(user.pk, group.pk)))
+        self.assertEqual(response.status_code, 200)
+        self.assertTemplateUsed(response, "realms/realmuser_remove_from_group.html")
+
+    @patch("realms.views.realm_group_members_updated.send_robust")
+    def test_remove_realm_user_from_group_post(self, send_robust):
+        group = force_realm_group()
+        _, user = force_realm_user(realm=group.realm, group=group)
+        self.login("realms.change_realmgroup", "realms.view_realmuser")
+        response = self.client.post(reverse("realms:remove_user_from_group", args=(user.pk, group.pk)),
+                                    follow=True)
+        self.assertEqual(response.status_code, 200)
+        self.assertTemplateUsed(response, "realms/realmuser_detail.html")
+        self.assertNotContains(response, group.display_name)
+        send_robust.assert_called_once()
+
     # test realm
 
     def test_realm_permission_denied(self):