diff --git a/mo/db.py b/mo/db.py
index 000d01ca6fd196edc465f7d3a1afa00177514c47..0cf4efc9ce22904f9cc0e437aeb182105657f779 100644
--- a/mo/db.py
+++ b/mo/db.py
@@ -548,6 +548,18 @@ class UserRole(Base):
 and (self.category is None or cat is None or self.category == cat or (self.category == 'Z' and cat.startswith('Z')))
 and (self.seq is None or seq is None or self.seq == seq))
+ def is_legal(self) -> bool:
+ # Některé role mají omezení na úroveň hierarchie.
+ level = self.place.level if self.place else -1
+ rt = self.role
+ if not (rt == RoleType.garant and level <= 0
+ or rt == RoleType.garant_kraj and level == 1
+ or rt == RoleType.garant_okres and level == 2
+ or rt == RoleType.garant_skola and level >= 3):
+ return False
+
+ return True
+
 class PaperType(MOEnum):
 solution = auto()
diff --git a/mo/web/org_users.py b/mo/web/org_users.py
index daeeb08c19f99787239535f808d0c4d838a99c1b..b0913ee593bf2de41ade61e4483270aa83d3054e 100644
--- a/mo/web/org_users.py
+++ b/mo/web/org_users.py
@@ -289,6 +289,10 @@ def org_org(id: int):
 ok = True
+ if not new_role.is_legal():
+ role_errors.append('Tato kombinace role a místa není povolena')
+ ok = False
+ elif not g.gatekeeper.can_set_role(new_role):
 role_errors.append(f'Roli "{new_role}" nelze přidělit, není podmnožinou žádné vaší role')
 ok = False
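Review bot: In `UserRole.is_legal` (mo/db.py), a role with no place gets `level = -1`, which satisfies `level <= 0`, so `RoleType.garant` is accepted whenever `self.place` is missing. If a missing place is not meant to stand for the top of the hierarchy, reject it explicitly before the comparison, e.g. `if self.place is None: return False`; if it is meant that way, a comment saying so would help, and it is worth confirming that callers have populated `place` before calling this. Separately, the comment says only some roles are restricted, but the condition returns False for every role other than the four `garant*` types; whether other role types exist is not visible in this hunk. The mixed `and`/`or` condition is correct by precedence, but parenthesising each `rt == ... and level ...` pair would make that obvious to the next reader.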
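Review bot: The `is_legal()` check in `org_org` (mo/web/org_users.py) is enforced only in this form handler, so any other code path that creates a `UserRole` would skip it; none is visible here, so this is a question rather than a finding. Consider calling it from the shared authorization or persistence path as well, or at least adding a docstring to `is_legal` stating that callers must invoke it before saving a role. The refusal is reported to the user through `role_errors`, but nothing in the hunk logs it; if denied role assignments are logged elsewhere, this branch should match. `org_org` starts and ends outside the hunk.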