task/TUP-511: Use a specific Impersonator group to manage impersonati…

…on permissions. (#244) * only allow impersonation if users belong to the Impersonator group * handle case where user doesn't exist --------- Co-authored-by: Jake Rosenberg <[email protected]> Co-authored-by: Wesley B <[email protected]>
TACC · Jun 15, 2023 · 19e87bf · 19e87bf
1 parent 59214c5
commit 19e87bf
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/apps/tup-cms/src/apps/portal/views.py b/apps/tup-cms/src/apps/portal/views.py
@@ -34,7 +34,11 @@ def LogoutView(request):
 
 def ImpersonateView(request):
     resp = HttpResponseRedirect("/portal/dashboard")
-    if not request.user.is_superuser:
+
+    if not request.user:
+        return resp
+
+    if not request.user.groups.filter(name='Impersonator').exists():
         return resp
 
     headers = {"x-tup-token": settings.TUP_SERVICES_ADMIN_JWT}

diff --git a/apps/tup-cms/src/apps/portal_nav/templates/portal_nav/nav_portal.raw.html b/apps/tup-cms/src/apps/portal_nav/templates/portal_nav/nav_portal.raw.html
@@ -39,7 +39,7 @@
     <a class="dropdown-item" href="/portal/account">
       <i class="icon icon-user"></i> Manage Account
     </a>
-    {% if user.is_superuser %}
+    {% if show_impersonation %}
     <a class="dropdown-item" href="/portal/impersonation">
       <i class="icon icon-user"></i> Impersonate User
     </a>

diff --git a/apps/tup-cms/src/apps/portal_nav/views.py b/apps/tup-cms/src/apps/portal_nav/views.py
@@ -5,6 +5,9 @@
 
 def PortalNavView(request):
     user = authenticate(request)
-    context = {'user': user}
+    is_impersonator = False
+    if user:
+        is_impersonator = user.groups.filter(name='Impersonator').exists()
+    context = {'user': user, 'show_impersonation': is_impersonator}
     template = loader.get_template('portal_nav/nav_portal.raw.html')
     return HttpResponse(template.render(context, request))