From 590c52c138995c4a0d2dcde84e3e437610e9aced Mon Sep 17 00:00:00 2001
From: Emmanuel Viennet <emmanuel.viennet@gmail.com>
Date: Mon, 21 Mar 2022 22:07:34 +0100
Subject: [PATCH] =?UTF-8?q?Ne=20r=C3=A9initialise=20pas=20syst=C3=A9matiqu?=
 =?UTF-8?q?ement=20les=20permissions=20des=20r=C3=B4les=20standards.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/__init__.py                  |  2 +-
 app/auth/models.py               | 24 +++++++++++++++++-------
 app/auth/routes.py               | 10 +++++++++-
 app/templates/configuration.html |  9 ++++++---
 app/views/users.py               |  2 +-
 tests/unit/test_users.py         |  2 +-
 6 files changed, 35 insertions(+), 14 deletions(-)

diff --git a/app/__init__.py b/app/__init__.py
index 76760bd79..a1862aaa7 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -366,7 +366,7 @@ def user_db_init():
 
     current_app.logger.info("Init User's db")
     # Create roles:
-    Role.insert_roles()
+    Role.reset_standard_roles_permissions()
     current_app.logger.info("created initial roles")
     # Ensure that admin exists
     admin_mail = current_app.config.get("SCODOC_ADMIN_MAIL")
diff --git a/app/auth/models.py b/app/auth/models.py
index 544afc319..cfab21a9c 100644
--- a/app/auth/models.py
+++ b/app/auth/models.py
@@ -410,20 +410,30 @@ class Role(db.Model):
         return self.permissions & perm == perm
 
     @staticmethod
-    def insert_roles():
-        """Create default roles"""
+    def reset_standard_roles_permissions(reset_permissions=True):
+        """Create default roles if missing, then, if reset_permissions,
+        reset their permissions to default values.
+        """
         default_role = "Observateur"
         for role_name, permissions in SCO_ROLES_DEFAULTS.items():
             role = Role.query.filter_by(name=role_name).first()
             if role is None:
                 role = Role(name=role_name)
-            role.reset_permissions()
-            for perm in permissions:
-                role.add_permission(perm)
-            role.default = role.name == default_role
-            db.session.add(role)
+                role.default = role.name == default_role
+                db.session.add(role)
+            if reset_permissions:
+                role.reset_permissions()
+                for perm in permissions:
+                    role.add_permission(perm)
+                db.session.add(role)
+
         db.session.commit()
 
+    @staticmethod
+    def ensure_standard_roles():
+        """Create default roles if missing"""
+        Role.reset_standard_roles_permissions(reset_permissions=False)
+
     @staticmethod
     def get_named_role(name):
         """Returns existing role with given name, or None."""
diff --git a/app/auth/routes.py b/app/auth/routes.py
index df3401515..24daa8ca0 100644
--- a/app/auth/routes.py
+++ b/app/auth/routes.py
@@ -19,7 +19,7 @@ from app.auth.forms import (
     ResetPasswordForm,
     DeactivateUserForm,
 )
-from app.auth.models import Permission
+from app.auth.models import Role
 from app.auth.models import User
 from app.auth.email import send_password_reset_email
 from app.decorators import admin_required
@@ -121,3 +121,11 @@ def reset_password(token):
         flash(_("Votre mot de passe a été changé."))
         return redirect(url_for("auth.login"))
     return render_template("auth/reset_password.html", form=form, user=user)
+
+
+@bp.route("/reset_standard_roles_permissions", methods=["GET", "POST"])
+@admin_required
+def reset_standard_roles_permissions():
+    Role.reset_standard_roles_permissions()
+    flash("rôles standard réinitialisés !")
+    return redirect(url_for("scodoc.configuration"))
diff --git a/app/templates/configuration.html b/app/templates/configuration.html
index 823772de5..33912fbf9 100644
--- a/app/templates/configuration.html
+++ b/app/templates/configuration.html
@@ -36,12 +36,15 @@
     <h1>Gestion des images: logos, signatures, ...</h1>
         <div class="sco_help">Ces images peuvent être intégrées dans les documents 
         générés par ScoDoc: bulletins, PV, etc.</div>
-        <p><a href="{{url_for('scodoc.configure_logos')}}">configuration des images et logos</a>
+        <p><a class="stdlink" href="{{url_for('scodoc.configure_logos')}}">configuration des images et logos</a>
         </p>
 
     <h1>Exports Apogée</h1>
-        <p><a href="{{url_for('scodoc.config_codes_decisions')}}">configuration des codes de décision</a></p>
-        
+        <p><a class="stdlink" href="{{url_for('scodoc.config_codes_decisions')}}">configuration des codes de décision</a></p>
+    
+    <h1>Utilisateurs</h1>
+        <p><a class="stdlink" href="{{url_for('auth.reset_standard_roles_permissions')}}">remettre les permissions des 
+        rôles standards à leurs valeurs par défaut</a> (efface les modifications apportées)</p>
     </div>
 </form>
 
diff --git a/app/views/users.py b/app/views/users.py
index 06157cbce..10f1124dd 100644
--- a/app/views/users.py
+++ b/app/views/users.py
@@ -153,7 +153,7 @@ def create_user_form(user_name=None, edit=0, all_roles=False):
     "form. création ou édition utilisateur"
     if user_name is not None:  # scodoc7func converti en int !
         user_name = str(user_name)
-    Role.insert_roles()  # assure la mise à jour des rôles en base
+    Role.ensure_standard_roles()  # assure la présence des rôles en base
     auth_dept = current_user.dept
     from_mail = current_app.config["SCODOC_MAIL_FROM"]  # current_user.email
     initvalues = {}
diff --git a/tests/unit/test_users.py b/tests/unit/test_users.py
index 8c429386c..21b13fb42 100644
--- a/tests/unit/test_users.py
+++ b/tests/unit/test_users.py
@@ -40,7 +40,7 @@ def test_roles_permissions(test_client):
     role.remove_permission(perm)
     assert not role.has_permission(perm)
     # Default roles:
-    Role.insert_roles()
+    Role.reset_standard_roles_permissions()
     # Bien présents ?
     role_names = [r.name for r in Role.query.filter_by().all()]
     assert len(role_names) == len(SCO_ROLES_DEFAULTS)