From 79fd900a0c2a61a620a6d966b0ad10610de373a3 Mon Sep 17 00:00:00 2001
From: Andrew Williams
Date: Wed, 25 May 2011 13:33:05 +0100
Subject: [PATCH] Use permissions instead of is_staff
---
 app/sso/models.py | 9 +++++++++
 app/sso/views.py | 11 +++++------
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/app/sso/models.py b/app/sso/models.py
index 906f406..ad6f7db 100644
--- a/app/sso/models.py
+++ b/app/sso/models.py
@@ -43,6 +43,15 @@ class SSOUser(models.Model):
 if created:
 profile, created = SSOUser.objects.get_or_create(user=instance)
+ class Meta:
+ permissions = (
+ ("can_view_users", "Can view any user's profile"),
+ ("can_view_users_restricted", "Can view a restricted user profile"),
+ ("can_search_users", "Can use the user search function"),
+ ("can_refresh_users", "Can refresh a user's access"),
+ )
+
+
 signals.post_save.connect(SSOUser.create_user_profile, sender=User)
diff --git a/app/sso/views.py b/app/sso/views.py
index 3766bad..0b979f7 100644
--- a/app/sso/views.py
+++ b/app/sso/views.py
@@ -155,7 +155,7 @@ def service_reset(request, serviceid=0):
 def user_view(request, username=None):
 """ View a user's profile as a admin """
- if not request.user.is_staff:
+ if not request.user.has_perm('sso.can_view_users') and not request.user.has_perm('sso.can_view_users_restricted'):
 return redirect('sso.views.profile')
 if username:
@@ -167,9 +167,8 @@ def user_view(request, username=None):
 return redirect('sso.views.user_lookup')
 profile = user.get_profile()
- is_admin = request.user.is_staff
- if is_admin:
- if installed('hr'):
+ if installed('hr'):
+ if request.user.has_perm('hr.add_blacklist'):
 from hr.utils import blacklist_values
 blacklisted = len(blacklist_values(user))
 services = ServiceAccount.objects.select_related('service').filter(user=user).only('service__name', 'service_uid', 'active')
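Review bot: The `permissions` tuple in `SSOUser.Meta` does not say what separates `can_view_users` from `can_view_users_restricted`, and the two descriptions alone will not tell an administrator which one is safe to grant widely. A comment above the tuple would settle it, for example `# can_view_users: full profile; can_view_users_restricted: profile without <fields to be listed>`. It is also worth noting for deployment that staff accounts which are not superusers lose these views until the new permissions are granted, since nothing in this hunk assigns them to a group. The body of `SSOUser` starts outside the hunk.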
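Review bot: In `user_view`, holding either `sso.can_view_users` or `sso.can_view_users_restricted` passes the gate, and nothing visible in this hunk or the next one narrows what a restricted viewer receives, so the two permissions appear to grant the same page. If the template does not already distinguish them, compute the flag once, e.g. `restricted = not request.user.has_perm('sso.can_view_users')`, and use it to withhold the data the restricted role should not see. The docstring `View a user's profile as a admin` is also stale now that access no longer depends on staff status. The function continues past the end of the hunk, so the restriction may be applied there.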
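Review bot: The blacklist count in `user_view` is now gated on `hr.add_blacklist`, which is a write permission, so anyone who should only see whether a user is blacklisted must also be allowed to create blacklist entries. A separate read-only permission on the blacklist model would keep that grant least-privilege. Removing `is_admin` also deserves a check: if the rest of the function, which lies outside the hunk, hands it or `locals()` to the template, any `is_admin` branch there silently stops matching. The two nested conditions can be written as one, `if installed('hr') and request.user.has_perm('hr.add_blacklist'):`.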
@@ -184,7 +183,7 @@ def user_lookup(request):
 form = UserLookupForm()
- if not request.user.is_staff:
+ if not request.user.has_perm('sso.can_search_users'):
 return redirect('sso.views.profile')
 if request.method == 'POST':
@@ -247,7 +246,7 @@ def set_apipasswd(request):
 def refresh_access(request, userid=0):
 """ Refreshes the user's access """
- if userid > 0 and request.user.is_staff:
+ if userid > 0 and request.user.has_perm('sso.can_refresh_users'):
 update_user_access(userid)
 elif request.user:
 update_user_access(request.user.id)
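Review bot: The permission check in `user_lookup` sits after `form = UserLookupForm()`, so some view code already runs for a caller who is about to be refused. Putting the `has_perm('sso.can_search_users')` test first keeps the rule that nothing in the view executes before authorisation, which matters more as the function grows. Django's `permission_required` decorator expresses the same guard outside the body, though it redirects to the login URL instead of `sso.views.profile`, so it is not a drop-in replacement. The start and the rest of the function are outside the hunk.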
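Review bot: In `refresh_access`, a caller who passes another user's `userid` without holding `sso.can_refresh_users` is not refused: the request falls through to the `elif` and refreshes the caller's own access, so a denied cross-user attempt looks like a success and leaves no record. Returning early for that case, or at least logging it, would make misuse visible to whoever reviews access to these views. `elif request.user:` is also effectively an `else`, because `request.user` is an object even for anonymous visitors; if no login decorator wraps the view (decorators are outside the hunk) this would call `update_user_access` with an empty id, and `elif request.user.is_authenticated():` states the intent. The end of the function is not visible in the hunk.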