From d2858c8c76e3cf121179036dfb389788b15ccd85 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen <rpm@fthiessen.de>
Date: Sat, 24 Oct 2020 20:10:43 +0200
Subject: [PATCH] [Plugin] Users now allows setting the role of an user

---
 flaschengeist/modules/users/__init__.py | 30 +++++++++++++++++--------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/flaschengeist/modules/users/__init__.py b/flaschengeist/modules/users/__init__.py
index bba35f3..f48cfe5 100644
--- a/flaschengeist/modules/users/__init__.py
+++ b/flaschengeist/modules/users/__init__.py
@@ -8,12 +8,13 @@ from flaschengeist.system.controller import userController
 
 users_bp = Blueprint("users", __name__)
 _permission_edit = "users_edit_other"
+_permission_set_roles = "users_set_roles"
 _permission_delete = "users_delete_other"
 
 
 class UsersPlugin(Plugin):
     def __init__(self, config):
-        super().__init__(blueprint=users_bp, permissions=[_permission_edit, _permission_delete])
+        super().__init__(blueprint=users_bp, permissions=[_permission_edit, _permission_delete, _permission_set_roles])
 
     #################################################
     #                     Routes                    #
@@ -64,17 +65,28 @@ def __delete_user(uid, **kwargs):
 def __edit_user(uid, **kwargs):
     logger.debug("Modify information of user {{ {} }}".format(uid))
     user = userController.get_user(uid)
-
-    if uid != kwargs["access_token"].user.userid and user.has_permission(_permission_edit):
-        return Forbidden
-
     data = request.get_json()
-    if "password" not in data:
-        raise BadRequest("Password is missing")
+
+    password = None
+    new_password = data["new_password"] if "new_password" in data else None
+
+    if uid != kwargs["access_token"].user.userid:
+        if not user.has_permission(_permission_edit):
+            return Forbidden
+    else:
+        if "password" not in data:
+            raise BadRequest("Password is missing")
+        password = data["password"]
+
     for key in ["firstname", "lastname", "display_name", "mail"]:
         if key in data:
             setattr(user, key, data[key])
-    new_password = data["new_password"] if "new_password" in data else None
-    userController.modify_user(user, data["password"], new_password)
+
+    if "roles" in data:
+        if not user.has_permission(_permission_set_roles):
+            raise Forbidden
+        userController.set_roles(user, data["roles"])
+
+    userController.modify_user(user, password, new_password)
     userController.update_user(user)
     return jsonify({"ok": "ok"})