fix: fix behavior when editing Roles for a User

per proper UUID fields i guess
2024-12-12 20:07:49 -06:00 · 2024-12-12 20:07:49 -06:00 · d72a2a15ec
parent e952e1031e
commit d72a2a15ec
4 changed files with 26 additions and 8 deletions
--- a/src/wuttaweb/forms/schema.py
+++ b/src/wuttaweb/forms/schema.py
@ -453,16 +453,24 @@ class RoleRefs(WuttaSet):
        if 'values' not in kwargs:
            model = self.app.model
            auth = self.app.get_auth_handler()
+
+            # avoid built-ins which cannot be assigned to users
            avoid = {
                auth.get_role_authenticated(self.session),
                auth.get_role_anonymous(self.session),
            }
            avoid = set([role.uuid for role in avoid])
+
+            # also avoid admin unless current user is root
+            if not self.request.is_root:
+                avoid.add(auth.get_role_administrator(self.session).uuid)
+
+            # everything else can be (un)assigned for users
            roles = self.session.query(model.Role)\
                                .filter(~model.Role.uuid.in_(avoid))\
                                .order_by(model.Role.name)\
                                .all()
-            values = [(role.uuid, role.name) for role in roles]
+            values = [(role.uuid.hex, role.name) for role in roles]
            kwargs['values'] = values

        return widgets.RoleRefsWidget(self.request, **kwargs)
--- a/src/wuttaweb/views/users.py
+++ b/src/wuttaweb/views/users.py
@ -134,9 +134,8 @@ class UserView(MasterView):
        # roles
        f.append('roles')
        f.set_node('roles', RoleRefs(self.request))
-
        if not self.creating:
-            f.set_default('roles', [role.uuid for role in user.roles])
+            f.set_default('roles', [role.uuid.hex for role in user.roles])

    def unique_username(self, node, value):
        """ """
--- a/tests/forms/test_schema.py
+++ b/tests/forms/test_schema.py
@ -332,13 +332,21 @@ class TestRoleRefs(DataTestCase):
        self.session.add(blokes)
        self.session.commit()

-        # default values for widget includes all but: authed, anon
+        # with root access, default values include: admin, blokes
+        self.request.is_root = True
        typ = mod.RoleRefs(self.request, session=self.session)
        widget = typ.widget_maker()
        self.assertEqual(len(widget.values), 2)
        self.assertEqual(widget.values[0][1], "Administrator")
        self.assertEqual(widget.values[1][1], "Blokes")

+        # without root, default values include: blokes
+        self.request.is_root = False
+        typ = mod.RoleRefs(self.request, session=self.session)
+        widget = typ.widget_maker()
+        self.assertEqual(len(widget.values), 1)
+        self.assertEqual(widget.values[0][1], "Blokes")
+

 class TestPermissions(DataTestCase):

--- a/tests/forms/test_widgets.py
+++ b/tests/forms/test_widgets.py
@ -210,14 +210,17 @@ class TestRoleRefsWidget(WebTestCase):

        # editable values list *excludes* admin (by default)
        html = widget.serialize(field, {admin.uuid, blokes.uuid})
-        self.assertNotIn(str(admin.uuid), html)
-        self.assertIn(str(blokes.uuid), html)
+        self.assertNotIn(str(admin.uuid.hex), html)
+        self.assertIn(str(blokes.uuid.hex), html)

        # but admin is included for root user
        self.request.is_root = True
+        node = colander.SchemaNode(RoleRefs(self.request, session=self.session))
+        field = self.make_field(node)
+        widget = field.widget
        html = widget.serialize(field, {admin.uuid, blokes.uuid})
-        self.assertIn(str(admin.uuid), html)
-        self.assertIn(str(blokes.uuid), html)
+        self.assertIn(str(admin.uuid.hex), html)
+        self.assertIn(str(blokes.uuid.hex), html)


 class TestUserRefsWidget(WebTestCase):