From f98fbd144393e0cd28658741f9ff0b12f1986047 Mon Sep 17 00:00:00 2001
From: Emmanuel Viennet <emmanuel.viennet@gmail.com>
Date: Mon, 20 Jan 2025 21:21:36 +0100
Subject: [PATCH] =?UTF-8?q?User:=20autorise=20SuperAdmin=20a=20affecter=20?=
 =?UTF-8?q?=C3=A0=20tout=20dept.=20+=20modif.=20user=20par=20admin=20sous?=
 =?UTF-8?q?=20CAS?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/templates/auth/change_password.j2 |  2 ++
 app/templates/auth/user_info_page.j2  |  4 ++--
 app/views/users.py                    | 33 ++++++++++++++++++++-------
 3 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/app/templates/auth/change_password.j2 b/app/templates/auth/change_password.j2
index f4f4bc03..ec82dcce 100644
--- a/app/templates/auth/change_password.j2
+++ b/app/templates/auth/change_password.j2
@@ -34,8 +34,10 @@
 
     <table class="tf">
         <tbody>
+        {% if current_user.cas_allow_scodoc_login %}
             {{ render_field(form.old_password, size=14, auth_name=auth_username,
             style="padding:1px; margin-left: 1em; margin-top: 4px;") }}
+        {% endif %}
             <tr>
                 <td colspan="2">Vous pouvez changer le mot de passe et/ou l'adresse email.</td>
             </tr>
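Review bot: The new `{% if current_user.cas_allow_scodoc_login %}` guard tests the raw attribute, while the user_info_page.j2 hunk in this same commit switches to `user.can_login_using_scodoc()`; if that method wraps more than the attribute (its body is not visible here), the two views will disagree about who is treated as password-less. Hiding the old-password field is presentation only — the decision is enforced server-side in `validate_old_password` in app/views/users.py, which also reads the raw attribute — so all three places should key on the same predicate, e.g. `{% if current_user.can_login_using_scodoc() %}`. The enclosing form markup starts and ends outside the hunk.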
diff --git a/app/templates/auth/user_info_page.j2 b/app/templates/auth/user_info_page.j2
index 6327542a..01955929 100644
--- a/app/templates/auth/user_info_page.j2
+++ b/app/templates/auth/user_info_page.j2
@@ -10,14 +10,14 @@
     <b>Login :</b> {{user.user_name}}
     {% if ScoDocSiteConfig.is_cas_enabled() %}
     (connexion via ce login ScoDoc
-        {% if user.cas_allow_scodoc_login %}autorisée{% else %}<span class="fontred">interdite</span>
+        {% if user.can_login_using_scodoc() %}autorisée{% else %}<span class="fontred">interdite</span>
         {% endif %})
     {% endif -%}
     <br>
     <b>CAS id:</b> {{user.cas_id or "(aucun)"}}
     {% if ScoDocSiteConfig.is_cas_enabled() %}
         (CAS {{'autorisé' if user.cas_allow_login else 'interdit'}} pour cet utilisateur)
-        {% if user.cas_allow_scodoc_login %}
+        {% if user.can_login_using_scodoc() %}
             (connexion sans CAS autorisée)
         {% endif %}
     {% endif %}
diff --git a/app/views/users.py b/app/views/users.py
index 9dceb275..472f9bde 100644
--- a/app/views/users.py
+++ b/app/views/users.py
@@ -91,7 +91,7 @@ class ChangePasswordForm(FlaskForm):
     """formulaire changement mot de passe et mail"""
 
     user_name = HiddenField()
-    old_password = PasswordField(_l("Mot de passe actuel"))
+    old_password = PasswordField(_l("Votre mot de passe"))
     new_password = PasswordField(_l("Nouveau mot de passe de l'utilisateur"))
     bis_password = PasswordField(
         _l("Répéter"),
@@ -126,9 +126,13 @@ class ChangePasswordForm(FlaskForm):
             raise ValidationError("Mot de passe trop simple, recommencez")
 
     def validate_old_password(self, old_password):
-        "vérifie password actuel"
+        """vérifie password de l'utilisateur qui effectue la manip.
+        (sauf si CAS obligatoire)
+        """
+        if not getattr(current_user, "cas_allow_scodoc_login", True):
+            return  # admin local sans mot de passe
         if not current_user.check_password(old_password.data):
-            raise ValidationError("Mot de passe actuel incorrect, ré-essayez")
+            raise ValidationError("Votre mot de passe est incorrect, ré-essayez")
 
 
 class Mode(IntEnum):
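Review bot: The early `return` in `validate_old_password` drops re-authentication for every account whose `cas_allow_scodoc_login` is false, not only for an admin editing someone else: the same form also changes the email address (see the "mot de passe et/ou l'adresse email" text in change_password.j2), so a CAS-only user's own session can now change its email with no password prompt. Whether `cas_allow_scodoc_login` can be false on an instance where CAS is not enabled is not visible here; if it can, a plain password user would skip the check as well, so the condition should be tied to the site setting, e.g. `if ScoDocSiteConfig.is_cas_enabled() and not getattr(current_user, "cas_allow_scodoc_login", True):` (assuming `ScoDocSiteConfig` is imported in this module) or the `can_login_using_scodoc()` predicate the user_info_page.j2 hunk introduces. The docstring should say when the check is skipped and why, e.g. `# current user is CAS-only and has no ScoDoc password to verify` on the `return` line.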
@@ -538,7 +542,11 @@ def create_user_form(user_name=None, edit=0, all_roles=True):
             else (auth_dept or "")
         )
     if len(selectable_dept_acronyms) > 0:
-        selectable_dept_acronyms = sorted(list(selectable_dept_acronyms))
+        selectable_dept_labels = sorted(list(selectable_dept_acronyms))
+        selectable_dept_values = selectable_dept_labels[:]
+        if edit and (current_user.is_administrator() or the_user.dept is None):
+            selectable_dept_labels.append("*Tous*")
+            selectable_dept_values.append("")
         descr.append(
             (
                 "dept",
@@ -546,8 +554,8 @@ def create_user_form(user_name=None, edit=0, all_roles=True):
                     "title": "Département",
                     "input_type": "menu",
                     "explanation": """département de rattachement de l'utilisateur""",
-                    "labels": selectable_dept_acronyms,
-                    "allowed_values": selectable_dept_acronyms,
+                    "labels": selectable_dept_labels,
+                    "allowed_values": selectable_dept_values,
                     "default": default_dept,
                 },
             )
@@ -753,8 +761,17 @@ def create_user_form(user_name=None, edit=0, all_roles=True):
         if "status" in vals:
             vals["active"] = vals["status"] == ""
         # Département:
-        if ("dept" in vals) and (vals["dept"] not in selectable_dept_acronyms):
-            del vals["dept"]  # ne change pas de dept
+        if "dept" in vals:
+            if vals["dept"] not in selectable_dept_values:
+                del vals["dept"]  # ne change pas de dept
+            else:
+                vals["dept"] = vals["dept"] or None
+                if (
+                    vals["dept"] is None
+                    and the_user.dept is not None
+                    and not current_user.is_administrator()
+                ):
+                    del vals["dept"]  # seul super admin peut affecter à tous
         # Traitement des roles: ne doit pas affecter les rôles
         # que l'on en contrôle pas:
         for role in orig_roles_strings:  # { "Ens_RT", "Secr_CJ", ... }
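Review bot: The `the_user.dept is not None` read is reachable only because `""` is added to `selectable_dept_values` in edit mode (the earlier hunk at `@@ -538,7 +542,11 @@` guards that with `if edit and ...`), and `the_user` is bound outside this hunk, presumably only when editing; that ordering dependency is not stated anywhere. A comment on the `else:` branch would keep a later change from breaking it: `# vals["dept"] is None only when "" was offered, i.e. in edit mode, so the_user is bound here`. The `current_user.is_administrator()` test is the server-side check that actually enforces the restriction regardless of what the menu offered, which is the right place for it. `create_user_form` continues outside the hunk.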
-- 
GitLab