ACL group filter can be simple group name instead of full dn

canaille/backends/ldap/ldapobject.py

@@ -200,7 +200,11 @@ class LDAPObject(metaclass=LDAPObjectMetaclass):
 
     @property
     def dn(self):
-        return f"{self.rdn_attribute}={ldap.dn.escape_dn_chars(self.rdn_value)},{self.base},{self.root_dn}"
+        return self.dn_for(self.rdn_value)
+
+    @classmethod
+    def dn_for(cls, rdn):
+        return f"{cls.rdn_attribute}={ldap.dn.escape_dn_chars(rdn)},{cls.base},{cls.root_dn}"
 
     @classmethod
     def may(cls):

canaille/conf/config.sample.toml

@@ -104,8 +104,8 @@ GROUP_BASE = "ou=groups,dc=mydomain,dc=tld"
 # Here are some examples
 #     FILTER = {user_name = 'admin'}
 #     FILTER =
-#       - {groups = 'cn=admins,ou=groups,dc=mydomain,dc=tld'}
+#       - {groups = 'admins}
-#       - {groups = 'cn=moderators,ou=groups,dc=mydomain,dc=tld'}
+#       - {groups = 'moderators'}
 #
 # The 'PERMISSIONS' parameter that is an list of items the users in the access
 # control will be able to manage. 'PERMISSIONS' is optionnal. Values can be:
@@ -145,7 +145,7 @@ WRITE = [
 ]
 
 [ACL.ADMIN]
-FILTER = {groups = "cn=admins,ou=groups,dc=mydomain,dc=tld"}
+FILTER = {groups = "admins"}
 PERMISSIONS = [
     "manage_users",
     "manage_groups",

canaille/core/models.py

@@ -65,6 +65,10 @@ class User(LDAPObject):
     @classmethod
     def acl_filter_to_ldap_filter(cls, filter_):
         if isinstance(filter_, dict):
+            # not super generic, but how can we improve this? ¯\_(ツ)_/¯
+            if "groups" in filter_ and "=" not in filter_.get("groups"):
+                filter_["groups"] = Group.dn_for(filter_["groups"])
+
             base = "".join(
                 f"({cls.attribute_table.get(key, key)}={value})"
                 for key, value in filter_.items()

demo/conf-docker/canaille.toml

@@ -105,8 +105,8 @@ GROUP_BASE = "ou=groups,dc=mydomain,dc=tld"
 # Here are some examples
 #     FILTER = {user_name = 'admin'}
 #     FILTER =
-#       - {groups = 'cn=admins,ou=groups,dc=mydomain,dc=tld'}
+#       - {groups = 'admins'}
-#       - {groups = 'cn=moderators,ou=groups,dc=mydomain,dc=tld'}
+#       - {groups = 'moderators'}
 #
 # The 'PERMISSIONS' parameter that is an list of items the users in the access
 # control will be able to manage. 'PERMISSIONS' is optionnal. Values can be:
@@ -146,7 +146,7 @@ WRITE = [
 ]
 
 [ACL.ADMIN]
-FILTER = {groups = "cn=admins,ou=groups,dc=mydomain,dc=tld"}
+FILTER = {groups = "admins"}
 PERMISSIONS = [
     "manage_users",
     "manage_groups",

demo/conf/canaille.toml

@@ -105,8 +105,8 @@ GROUP_BASE = "ou=groups,dc=mydomain,dc=tld"
 # Here are some examples
 #     FILTER = {user_name = 'admin'}
 #     FILTER =
-#       - {groups = 'cn=admins,ou=groups,dc=mydomain,dc=tld'}
+#       - {groups = 'admins'}
-#       - {groups = 'cn=moderators,ou=groups,dc=mydomain,dc=tld'}
+#       - {groups = 'moderators'}
 #
 # The 'PERMISSIONS' parameter that is an list of items the users in the access
 # control will be able to manage. 'PERMISSIONS' is optionnal. Values can be:
@@ -146,7 +146,7 @@ WRITE = [
 ]
 
 [ACL.ADMIN]
-FILTER = {groups = "cn=admins,ou=groups,dc=mydomain,dc=tld"}
+FILTER = {groups = "admins"}
 PERMISSIONS = [
     "manage_users",
     "manage_groups",

tests/core/test_permissions.py

@@ -1,7 +1,16 @@
-def test_group_permissions(testclient, user, foo_group):
+def test_group_permissions_by_id(testclient, user, foo_group):
     assert not user.can_manage_users
 
     testclient.app.config["ACL"]["ADMIN"]["FILTER"] = {"groups": foo_group.id}
     user.reload()
 
     assert user.can_manage_users
+
+
+def test_group_permissions_by_display_name(testclient, user, foo_group):
+    assert not user.can_manage_users
+
+    testclient.app.config["ACL"]["ADMIN"]["FILTER"] = {"groups": foo_group.display_name}
+    user.reload()
+
+    assert user.can_manage_users