
(-)a/ucs-school-umc-groups/umc/python/schoolgroups/__init__.py (-23 / +30 lines)
Lines 4-10 Link Here
4
# Univention Management Console module:
4
# Univention Management Console module:
5
#   Administration of groups
5
#   Administration of groups
6
#
6
#
7
# Copyright 2012-2016 Univention GmbH
7
# Copyright 2012-2017 Univention GmbH
8
#
8
#
9
# http://www.univention.de/
9
# http://www.univention.de/
10
#
10
#
Lines 119-133 def get(self, request, ldap_user_read=None, ldap_position=None): Link Here
119
			result['classes'] = [{'id': class_.dn, 'label': class_.get_relative_name()} for class_ in classes]
119
			result['classes'] = [{'id': class_.dn, 'label': class_.get_relative_name()} for class_ in classes]
120
			self.finished(request.id, [result])
120
			self.finished(request.id, [result])
121
			return
121
			return
122
		result['members'] = self._filter_members(request, group, result.pop('users', []), ldap_user_read)
122
123
124
		self.finished(request.id, [result, ])
125
126
	@staticmethod
127
	def _filter_members(request, group, users, ldap_user_read=None):
123
		members = []
128
		members = []
124
		for member_dn in result.pop('users', []):
129
		for member_dn in users:
125
			try:
130
			try:
126
				user = User.from_dn(member_dn, None, ldap_user_read)
131
				user = User.from_dn(member_dn, None, ldap_user_read)
127
			except udm_exceptions.noObject:
132
			except udm_exceptions.noObject:
128
				MODULE.process('Could not open (foreign) user %r: no permissions/does not exists/not a user' % (member_dn,))
133
				MODULE.process('Could not open (foreign) user %r: no permissions/does not exists/not a user' % (member_dn,))
129
				continue
134
				continue
130
			if not user.schools or not set(user.schools) & set([group.school]):
135
			if not user.schools or not set(user.schools) & {group.school}:
131
				continue
136
				continue
132
			if request.flavor == 'class' and not user.is_teacher(ldap_user_read):
137
			if request.flavor == 'class' and not user.is_teacher(ldap_user_read):
133
				continue  # only display teachers
138
				continue  # only display teachers
Lines 136-144 def get(self, request, ldap_user_read=None, ldap_position=None): Link Here
136
			elif request.flavor == 'workgroup-admin' and not user.is_student(ldap_user_read) and not user.is_administrator(ldap_user_read) and not user.is_staff(ldap_user_read) and not user.is_teacher(ldap_user_read):
141
			elif request.flavor == 'workgroup-admin' and not user.is_student(ldap_user_read) and not user.is_administrator(ldap_user_read) and not user.is_staff(ldap_user_read) and not user.is_teacher(ldap_user_read):
137
				continue  # only display school users
142
				continue  # only display school users
138
			members.append({'id': user.dn, 'label': Display.user(user.get_udm_object(ldap_user_read))})
143
			members.append({'id': user.dn, 'label': Display.user(user.get_udm_object(ldap_user_read))})
139
		result['members'] = members
144
		return members
140
141
		self.finished(request.id, [result, ])
142
145
143
	@sanitize(DictSanitizer(dict(object=DictSanitizer({}, required=True))))
146
	@sanitize(DictSanitizer(dict(object=DictSanitizer({}, required=True))))
144
	@LDAP_Connection(USER_READ, MACHINE_WRITE)
147
	@LDAP_Connection(USER_READ, MACHINE_WRITE)
Lines 155-177 def put(self, request, ldap_machine_write=None, ldap_user_read=None, ldap_positi Link Here
155
			return self.add_teacher_to_classes(request)
158
			return self.add_teacher_to_classes(request)
156
159
157
		klass = get_group_class(request)
160
		klass = get_group_class(request)
158
		for group in request.options:
161
		for group_from_umc in request.options:
159
			group = group['object']
162
			group_from_umc = group_from_umc['object']
160
			group_dn = group['$dn$']
163
			group_from_umc_dn = group_from_umc['$dn$']
161
			break
164
			break
162
165
163
		try:
166
		try:
164
			grp = klass.from_dn(group_dn, None, ldap_machine_write)
167
			group_from_ldap = klass.from_dn(group_from_umc_dn, None, ldap_machine_write)
165
		except udm_exceptions.noObject:
168
		except udm_exceptions.noObject:
166
			raise UMC_Error('unknown group object')
169
			raise UMC_Error('unknown group object')
167
170
168
		MODULE.info('Modifying group "%s" with members: %s' % (grp.dn, grp.users))
171
		old_members = self._filter_members(request, group_from_ldap, group_from_ldap.users, ldap_user_read)
169
		MODULE.info('New members: %s' % group['members'])
172
		removed_members = set(o['id'] for o in old_members) - set(group_from_umc['members'])
173
174
		MODULE.info('Modifying group "%s" with members: %s' % (group_from_ldap.dn, group_from_ldap.users))
175
		MODULE.info('New members: %s' % group_from_umc['members'])
176
		MODULE.info('Removed members: %s' % (removed_members,))
170
177
171
		if request.flavor == 'workgroup-admin':
178
		if request.flavor == 'workgroup-admin':
172
			# do not allow groups to be renamed in order to avoid conflicts with shares
179
			# do not allow groups to be renamed in order to avoid conflicts with shares
173
			# grp.name = '%(school)s-%(name)s' % group
180
			# grp.name = '%(school)s-%(name)s' % group
174
			grp.description = group['description']
181
			group_from_ldap.description = group_from_umc['description']
175
182
176
		# Workgroup admin view → update teachers, admins, students, (staff)
183
		# Workgroup admin view → update teachers, admins, students, (staff)
177
		# Class view → update only the group's teachers (keep all non teachers)
184
		# Class view → update only the group's teachers (keep all non teachers)
Lines 179-219 def put(self, request, ldap_machine_write=None, ldap_user_read=None, ldap_positi Link Here
179
186
180
		users = []
187
		users = []
181
		# keep specific users from the group
188
		# keep specific users from the group
182
		for userdn in grp.users:
189
		for userdn in group_from_ldap.users:
183
			try:
190
			try:
184
				user = User.from_dn(userdn, None, ldap_machine_write)
191
				user = User.from_dn(userdn, None, ldap_machine_write)
185
			except udm_exceptions.noObject:  # no permissions/is not a user/does not exists → keep the old value
192
			except udm_exceptions.noObject:  # no permissions/is not a user/does not exists → keep the old value
186
				users.append(userdn)
193
				users.append(userdn)
187
				continue
194
				continue
188
			if not user.schools or not set(user.schools) & set([grp.school]):
195
			if not user.schools or not set(user.schools) & set([group_from_ldap.school]):
189
				users.append(userdn)
196
				users.append(userdn)
190
				continue
197
				continue
191
			if (request.flavor == 'class' and not user.is_teacher(ldap_machine_write)) or (request.flavor == 'workgroup' and not user.is_student(ldap_machine_write)) or request.flavor == 'workgroup-admin':
198
			if (request.flavor == 'class' and not user.is_teacher(ldap_machine_write)) or (request.flavor == 'workgroup' and not user.is_student(ldap_machine_write)) or request.flavor == 'workgroup-admin':
192
				users.append(userdn)
199
				users.append(userdn)
193
200
194
		# add only certain users to the group
201
		# add only certain users to the group
195
		for userdn in group['members']:
202
		for userdn in group_from_umc['members']:
196
			try:
203
			try:
197
				user = User.from_dn(userdn, None, ldap_machine_write)
204
				user = User.from_dn(userdn, None, ldap_machine_write)
198
			except udm_exceptions.noObject as exc:
205
			except udm_exceptions.noObject as exc:
199
				MODULE.error('Not adding not existing user %r to group: %r.' % (userdn, exc))
206
				MODULE.error('Not adding not existing user %r to group: %r.' % (userdn, exc))
200
				continue
207
				continue
201
			if not user.schools or not set(user.schools) & set([grp.school]):
208
			if not user.schools or not set(user.schools) & set([group_from_ldap.school]):
202
				raise UMC_Error(_('User %s does not belong to school %r.') % (Display.user(user.get_udm_object(ldap_machine_write)), grp.school))
209
				raise UMC_Error(_('User %s does not belong to school %r.') % (Display.user(user.get_udm_object(ldap_machine_write)), group_from_ldap.school))
203
			if request.flavor == 'workgroup-admin' and not user.is_student(ldap_machine_write) and not user.is_administrator(ldap_machine_write) and not user.is_staff(ldap_machine_write) and not user.is_teacher(ldap_machine_write):
210
			if request.flavor == 'workgroup-admin' and not user.is_student(ldap_machine_write) and not user.is_administrator(ldap_machine_write) and not user.is_staff(ldap_machine_write) and not user.is_teacher(ldap_machine_write):
204
				raise UMC_Error(_('User %s does not belong to school %r.') % (Display.user(user.get_udm_object(ldap_machine_write)), grp.school))
211
				raise UMC_Error(_('User %s does not belong to school %r.') % (Display.user(user.get_udm_object(ldap_machine_write)), group_from_ldap.school))
205
			if request.flavor == 'class' and not user.is_teacher(ldap_machine_write):
212
			if request.flavor == 'class' and not user.is_teacher(ldap_machine_write):
206
				raise UMC_Error(_('User %s is not a teacher.') % (Display.user(user.get_udm_object(ldap_machine_write)),))
213
				raise UMC_Error(_('User %s is not a teacher.') % (Display.user(user.get_udm_object(ldap_machine_write)),))
207
			if request.flavor == 'workgroup' and not user.is_student(ldap_machine_write):
214
			if request.flavor == 'workgroup' and not user.is_student(ldap_machine_write):
208
				raise UMC_Error(_('User %s is not a student.') % (Display.user(user.get_udm_object(ldap_machine_write)),))
215
				raise UMC_Error(_('User %s is not a student.') % (Display.user(user.get_udm_object(ldap_machine_write)),))
209
			users.append(user.dn)
216
			users.append(user.dn)
210
217
211
		grp.users = list(set(users))
218
		group_from_ldap.users = list(set(users) - removed_members)
212
		try:
219
		try:
213
			success = grp.modify(ldap_machine_write)
220
			success = group_from_ldap.modify(ldap_machine_write)
214
			MODULE.info('Modified, group has now members: %s' % (grp.users,))
221
			MODULE.info('Modified, group has now members: %s' % (group_from_ldap.users,))
215
		except udm_exceptions.base as exc:
222
		except udm_exceptions.base as exc:
216
			MODULE.process('An error occurred while modifying "%s": %s' % (group['$dn$'], exc.message))
223
			MODULE.process('An error occurred while modifying "%s": %s' % (group_from_umc['$dn$'], exc.message))
217
			raise UMC_Error(_('Failed to modify group (%s).') % exc.message)
224
			raise UMC_Error(_('Failed to modify group (%s).') % exc.message)
218
225
219
		self.finished(request.id, success)
226
		self.finished(request.id, success)
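Review bot: `_filter_members` is now the only thing bounding which members `put` may drop through the machine-write connection (`removed_members`, built at new lines 171-172, is subtracted from the final list at new line 218), yet it reads as a display filter and has no docstring saying callers depend on it for that. A later relaxation of the filter for display reasons would silently widen what a client-supplied `members` list can remove, so I would add a docstring along the lines of `"""Return the group members the requesting user may see and therefore manage; put() relies on this to limit removals."""`. Separately, the set difference compares the DNs from the request as raw strings against `user.dn`; if the two can differ in case or spacing (not determinable from this page), a member that was re-submitted would land in `removed_members` and be dropped at line 218, so comparing normalised DNs would be safer. The signature of `put` and the 'workgroup' branch of `_filter_members` lie outside the visible hunks.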
