diff --git a/canaille/account.py b/canaille/account.py index 24fa3115..beaf7bf8 100644 --- a/canaille/account.py +++ b/canaille/account.py @@ -366,7 +366,7 @@ def registration(data, hash): def profile_create(current_app, form): user = User() for attribute in form: - if attribute.name in user.may + user.must: + if attribute.name in user.may() + user.must(): if isinstance(attribute.data, FileStorage): data = attribute.data.stream.read() else: @@ -477,7 +477,7 @@ def profile_edit(editor, username): else: for attribute in form: if ( - attribute.name in user.may + user.must + attribute.name in user.may() + user.must() and attribute.name in editor.write ): if isinstance(attribute.data, FileStorage): diff --git a/canaille/ldap_backend/ldapobject.py b/canaille/ldap_backend/ldapobject.py index 146ce3a7..637d5fa2 100644 --- a/canaille/ldap_backend/ldapobject.py +++ b/canaille/ldap_backend/ldapobject.py @@ -9,8 +9,8 @@ from .utils import python_to_ldap class LDAPObject: _object_class_by_name = None _attribute_type_by_name = None - may = None - must = None + _may = None + _must = None base = None root_dn = None rdn = None @@ -25,9 +25,6 @@ class LDAPObject: for name, value in kwargs.items(): setattr(self, name, value) - if not self.may and not self.must: - self.update_ldap_attributes() - def __repr__(self): rdn = getattr(self, self.rdn, "?") return f"<{self.__class__.__name__} {self.rdn}={rdn}>" @@ -35,11 +32,11 @@ class LDAPObject: def __eq__(self, other): return ( isinstance(other, self.__class__) - and self.may == other.may - and self.must == other.must + and self.may() == other.may() + and self.must() == other.must() and all( getattr(self, attr) == getattr(other, attr) - for attr in self.may + self.must + for attr in self.may() + self.must() if hasattr(self, attr) and hasattr(other, attr) ) ) @@ -88,6 +85,16 @@ class LDAPObject: rdn = self.attrs[self.rdn][0] return f"{self.rdn}={ldap.dn.escape_dn_chars(rdn.strip())},{self.base},{self.root_dn}" + def may(self): + if not self._may: + self.update_ldap_attributes() + return self._may + + def must(self): + if not self._must: + self.update_ldap_attributes() + return self._must + @classmethod def ldap_connection(cls): return g.ldap_connection @@ -246,8 +253,8 @@ class LDAPObject: this_object_classes = {all_object_classes[name] for name in cls.object_class} done = set() - cls.may = [] - cls.must = [] + cls._may = [] + cls._must = [] while len(this_object_classes) > 0: object_class = this_object_classes.pop() done.add(object_class) @@ -256,11 +263,11 @@ class LDAPObject: for ocsup in object_class.sup if ocsup not in done } - cls.may.extend(object_class.may) - cls.must.extend(object_class.must) + cls._may.extend(object_class.may) + cls._must.extend(object_class.must) - cls.may = list(set(cls.may)) - cls.must = list(set(cls.must)) + cls._may = list(set(cls._may)) + cls._must = list(set(cls._must)) def reload(self, conn=None): conn = conn or self.ldap_connection() @@ -325,6 +332,6 @@ class LDAPObject: conn.delete_s(self.dn) def keys(self): - ldap_keys = self.must + self.may + ldap_keys = self.must() + self.may() inverted_table = {value: key for key, value in self.attribute_table.items()} return [inverted_table.get(key, key) for key in ldap_keys] diff --git a/canaille/templates/oidc/admin/authorization_view.html b/canaille/templates/oidc/admin/authorization_view.html index 048e6be0..b0fc4c91 100644 --- a/canaille/templates/oidc/admin/authorization_view.html +++ b/canaille/templates/oidc/admin/authorization_view.html @@ -9,10 +9,10 @@