From 86953e60bd33817bfaec4c8012d3af92b3a241e5 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 15 Oct 2021 20:03:15 +0200
Subject: [PATCH] bundles/pretalx: add script to automatically set is_administrator and is_staff based on group membership
---
.../cron-pretalx-administrators-from-group | 8 +++
.../files/pretalx-administrators-from-group | 68 +++++++++++++++++++
bundles/pretalx/items.py | 13 ++++
nodes/voc/pretalx.py | 1 +
4 files changed, 90 insertions(+)
create mode 100644 bundles/pretalx/files/cron-pretalx-administrators-from-group
create mode 100644 bundles/pretalx/files/pretalx-administrators-from-group
diff --git a/bundles/pretalx/files/cron-pretalx-administrators-from-group b/bundles/pretalx/files/cron-pretalx-administrators-from-group
new file mode 100644
index 0000000..3de0ca5
--- /dev/null
+++ b/bundles/pretalx/files/cron-pretalx-administrators-from-group
@@ -0,0 +1,8 @@
+# CAUTION! This file is managed with bundlewrap.
+# Any manual edits will be lost!
+
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=${node.metadata.get('pretalx/mail_from')}
+
+*/10 * * * * pretalx /opt/pretalx/pretalx-administrators-from-group ${node.metadata.get('pretalx/administrators-from-group-id')}
diff --git a/bundles/pretalx/files/pretalx-administrators-from-group b/bundles/pretalx/files/pretalx-administrators-from-group
new file mode 100644
index 0000000..c6778c2
--- /dev/null
+++ b/bundles/pretalx/files/pretalx-administrators-from-group
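Review bot: `MAILTO` in the new cron file is filled from `pretalx/mail_from`, which is the sender address, so the job's output goes to whichever mailbox sits behind that address. That output is the only visible record of who gained or lost `is_administrator`/`is_staff`, and it carries user names and e-mail addresses. A separate recipient setting for this job would make the destination of that audit trail explicit, and a comment such as `# output lists every privilege change; MAILTO must be a monitored mailbox` would document the intent. If `mail_from` is unset, the template presumably renders the literal `None` here, which is worth confirming.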
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+
+import psycopg2
+from psycopg2.extras import LoggingConnection
+from configparser import ConfigParser
+from sys import argv, exit
+
+
+def main():
+ try:
+ group_id = int(argv[1])
+ except IndexError:
+ print(f'Usage: {argv[0]} ')
+ print()
+ print('Sets pretalx administrator permissions based on that group id')
+ exit(1)
+
+ config = ConfigParser()
+ config.read('/opt/pretalx/pretalx.cfg')
+
+ try:
+ db = psycopg2.connect(
+ dbname=config['database']['name'],
+ user=config['database']['user'],
+ password=config['database']['password'],
+ )
+ with db.cursor() as sel:
+ sel.execute(
+ 'SELECT id, user_id FROM event_team_members WHERE team_id=%s ORDER BY user_id ASC;',
+ (group_id,),
+ )
+ admin_users = set()
+ for perm_id, user_id in sel.fetchall():
+ admin_users.add(user_id)
+
+ if not admin_users:
+ raise ValueError(f'There are no users in group {argv[1]}')
+
+ update_queries = []
+ with db.cursor() as sel:
+ sel.execute('SELECT id, name, email, is_administrator, is_staff FROM person_user ORDER BY name ASC;')
+ for uid, name, email, is_admin, is_staff in sel.fetchall():
+ should_admin = (uid in admin_users)
+
+ if not (
+ should_admin == is_admin and
+ should_admin == is_staff
+ ):
+ print(f'Fixing user "{name}" ({email}) - is: {is_admin} {is_staff} - should: {should_admin}')
+ update_queries.append({
+ 'admin': should_admin,
+ 'uid': uid,
+ })
+
+ with db.cursor() as upd:
+ for query in update_queries:
+ upd.execute(
+ 'UPDATE person_user SET is_administrator=%(admin)s, is_staff=%(admin)s WHERE id=%(uid)s;',
+ query,
+ )
+
+ db.commit()
+ finally:
+ db.close()
+
+
+if __name__ == '__main__':
+ main()
diff --git a/bundles/pretalx/items.py b/bundles/pretalx/items.py
index 45a0489..a377d2d 100644
--- a/bundles/pretalx/items.py
+++ b/bundles/pretalx/items.py
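Review bot: `psycopg2.connect(...)` sits inside the `try:` whose `finally:` runs `db.close()`, so a failed connection leaves `db` unbound and a `NameError` replaces the real connection error in the cron mail; the connect call should move above the `try:`. The argument check catches only `IndexError`, so a non-numeric id ends in a traceback instead of the usage text; `except (IndexError, ValueError):` covers both. The script makes membership of team `group_id` equivalent to instance administrator and clears both flags for every other user, so a module docstring should say that whoever can edit that team's members can presumably grant `is_administrator`. `LoggingConnection` is imported but not used anywhere in the hunk.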
@@ -129,6 +129,9 @@ files = { 'svc_systemd:pretalx-worker:restart', }, }, + '/opt/pretalx/pretalx-administrators-from-group': { + 'mode': '0755', + }, '/etc/systemd/system/pretalx-runperiodic.timer': { 'triggers': { 'action:systemd-reload', @@ -165,6 +168,16 @@ files = { }, } +if node.metadata.get('pretalx/administrators-from-group-id', None): + files['/etc/cron.d/pretalx-administrators-from-group'] = { + 'source': 'cron-pretalx-administrators-from-group', + 'content_type': 'mako', + } +else: + files['/etc/cron.d/pretalx-administrators-from-group'] = { + 'delete': True, + } + # run `pip install` one after another due to concurrency issues last_action = 'action:pretalx_install' for plugin_name, plugin_config in node.metadata.get('pretalx/plugins', {}).items(): diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index c887a73..cbdc0c9 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -49,6 +49,7 @@ nodes['voc.pretalx'] = { 'version': 'v2.2.0', 'domain': 'pretalx.c3voc.de', 'mail_from': 'pretalx@c3voc.de', + 'administrators-from-group-id': 1, 'plugins': { 'downstream': { 'repo': 'https://github.com/pretalx/pretalx-downstream.git',
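Review bot: The `else` branch in the second hunk only removes the cron file, so switching the feature off leaves every `is_administrator`/`is_staff` flag the job has already written in place. A comment above the `if` should say so, e.g. `# removing the cron job does not revoke flags already set in person_user`. In the first hunk the script is installed with `'mode': '0755'` and no explicit `owner`/`group`, so who may modify a file that rewrites admin flags depends on bundlewrap's defaults; stating both attributes would make that reviewable. The cron entry also declares no dependency on the script file, so it may be worth confirming the job cannot fire before the script is deployed. The `files` dict opens outside both hunks.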