bundles/pretalx: add script to automatically set is_administrator and is_staff based on group membership

bundles/pretalx/files/cron-pretalx-administrators-from-group

@@ -0,0 +1,8 @@
+# CAUTION! This file is managed with bundlewrap.
+# Any manual edits will be lost!
+
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=${node.metadata.get('pretalx/mail_from')}
+
+*/10 * * * *    pretalx    /opt/pretalx/pretalx-administrators-from-group ${node.metadata.get('pretalx/administrators-from-group-id')}

bundles/pretalx/files/pretalx-administrators-from-group

@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+
+import psycopg2
+from psycopg2.extras import LoggingConnection
+from configparser import ConfigParser
+from sys import argv, exit
+
+
+def main():
+    try:
+        group_id = int(argv[1])
+    except IndexError:
+        print(f'Usage: {argv[0]} <group_id>')
+        print()
+        print('Sets pretalx administrator permissions based on that group id')
+        exit(1)
+
+    config = ConfigParser()
+    config.read('/opt/pretalx/pretalx.cfg')
+
+    try:
+        db = psycopg2.connect(
+            dbname=config['database']['name'],
+            user=config['database']['user'],
+            password=config['database']['password'],
+        )
+        with db.cursor() as sel:
+            sel.execute(
+                'SELECT id, user_id FROM event_team_members WHERE team_id=%s ORDER BY user_id ASC;',
+                (group_id,),
+            )
+            admin_users = set()
+            for perm_id, user_id in sel.fetchall():
+                admin_users.add(user_id)
+
+        if not admin_users:
+            raise ValueError(f'There are no users in group {argv[1]}')
+
+        update_queries = []
+        with db.cursor() as sel:
+            sel.execute('SELECT id, name, email, is_administrator, is_staff FROM person_user ORDER BY name ASC;')
+            for uid, name, email, is_admin, is_staff in sel.fetchall():
+                should_admin = (uid in admin_users)
+
+                if not (
+                    should_admin == is_admin and
+                    should_admin == is_staff
+                ):
+                    print(f'Fixing user "{name}" ({email}) - is: {is_admin} {is_staff} - should: {should_admin}')
+                    update_queries.append({
+                        'admin': should_admin,
+                        'uid': uid,
+                    })
+
+        with db.cursor() as upd:
+            for query in update_queries:
+                upd.execute(
+                    'UPDATE person_user SET is_administrator=%(admin)s, is_staff=%(admin)s WHERE id=%(uid)s;',
+                    query,
+                )
+
+        db.commit()
+    finally:
+        db.close()
+
+
+if __name__ == '__main__':
+    main()

bundles/pretalx/items.py

@@ -129,6 +129,9 @@ files = {
             'svc_systemd:pretalx-worker:restart',
         },
     },
+    '/opt/pretalx/pretalx-administrators-from-group': {
+        'mode': '0755',
+    },
     '/etc/systemd/system/pretalx-runperiodic.timer': {
         'triggers': {
             'action:systemd-reload',
@@ -165,6 +168,16 @@ files = {
     },
 }
 
+if node.metadata.get('pretalx/administrators-from-group-id', None):
+    files['/etc/cron.d/pretalx-administrators-from-group'] = {
+        'source': 'cron-pretalx-administrators-from-group',
+        'content_type': 'mako',
+    }
+else:
+    files['/etc/cron.d/pretalx-administrators-from-group'] = {
+        'delete': True,
+    }
+
 # run `pip install` one after another due to concurrency issues
 last_action = 'action:pretalx_install'
 for plugin_name, plugin_config in node.metadata.get('pretalx/plugins', {}).items():

nodes/voc/pretalx.py

@@ -49,6 +49,7 @@ nodes['voc.pretalx'] = {
             'version': 'v2.2.0',
             'domain': 'pretalx.c3voc.de',
             'mail_from': 'pretalx@c3voc.de',
+            'administrators-from-group-id': 1,
             'plugins': {
                 'downstream': {
                     'repo': 'https://github.com/pretalx/pretalx-downstream.git',