Skip to content

Commit cc2c9c4

Browse files
committed
Merge branch 'develop' into 'main'
chore: Add member activation check for enterprise and group password permissions See merge request locker/api-core!621
2 parents 0219f0f + 475a5da commit cc2c9c4

2 files changed

Lines changed: 14 additions & 1 deletion

File tree

locker_server/api/permissions/locker_permissions/enterprise_permissions/enterprise_pwd_permission.py

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,8 @@
22

33
from locker_server.api.permissions.app import APIPermission
44
from locker_server.core.exceptions.enterprise_member_exception import EnterpriseMemberDoesNotExistException
5-
from locker_server.shared.constants.enterprise_members import E_MEMBER_ROLE_PRIMARY_ADMIN, E_MEMBER_ROLE_ADMIN
5+
from locker_server.shared.constants.enterprise_members import E_MEMBER_ROLE_PRIMARY_ADMIN, E_MEMBER_ROLE_ADMIN, \
6+
E_MEMBER_STATUS_CONFIRMED
67
from locker_server.containers.containers import enterprise_member_service
78

89

@@ -40,3 +41,8 @@ def get_enterprise_member(user, obj):
4041
return enterprise_member
4142
except EnterpriseMemberDoesNotExistException:
4243
raise PermissionDenied
44+
45+
@staticmethod
46+
def is_activated_member(member):
47+
# An active, fully-joined member: confirmed invitation and not deactivated/suspended.
48+
return member.status == E_MEMBER_STATUS_CONFIRMED and member.is_activated

locker_server/api/permissions/locker_permissions/enterprise_permissions/group_pwd_permission.py

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,5 @@
1+
from rest_framework.permissions import SAFE_METHODS
2+
13
from locker_server.api.permissions.locker_permissions.enterprise_permissions.enterprise_pwd_permission import \
24
EnterprisePwdPermission
35
from locker_server.shared.constants.enterprise_members import E_MEMBER_ROLE_PRIMARY_ADMIN, E_MEMBER_ROLE_ADMIN, \
@@ -16,6 +18,11 @@ def has_object_permission(self, request, view, obj):
1618
member = self.get_enterprise_member(user=request.user, obj=obj)
1719
role = member.role
1820
role_name = role.name
21+
# Write actions (members PUT, create/update/destroy) require an active, confirmed member:
22+
# a deactivated or still-pending admin must not be able to change group membership or
23+
# silently grant/revoke shared-vault access.
24+
if request.method not in SAFE_METHODS and not self.is_activated_member(member):
25+
return False
1926
if view.action in ["members_list"]:
2027
return role_name in [E_MEMBER_ROLE_PRIMARY_ADMIN, E_MEMBER_ROLE_ADMIN, E_MEMBER_ROLE_MEMBER]
2128
return role_name in [E_MEMBER_ROLE_PRIMARY_ADMIN, E_MEMBER_ROLE_ADMIN]

0 commit comments

Comments
 (0)