From 879cde8837bddcb22d715108f856c99788d34a98 Mon Sep 17 00:00:00 2001
From: Martin Mares <mj@ucw.cz>
Date: Sun, 26 Sep 2021 19:30:09 +0200
Subject: [PATCH] =?UTF-8?q?P=C5=99id=C3=A1v=C3=A1n=C3=AD=20rol=C3=AD=20kon?=
 =?UTF-8?q?troluje=20p=C5=99=C3=ADpustnost=20kombinace=20role=20+=20level?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #242.
---
 mo/db.py            | 12 ++++++++++++
 mo/web/org_users.py |  4 ++++
 2 files changed, 16 insertions(+)

diff --git a/mo/db.py b/mo/db.py
index 000d01ca..0cf4efc9 100644
--- a/mo/db.py
+++ b/mo/db.py
@@ -548,6 +548,18 @@ class UserRole(Base):
                 and (self.category is None or cat is None or self.category == cat or (self.category == 'Z' and cat.startswith('Z')))
                 and (self.seq is None or seq is None or self.seq == seq))
 
+    def is_legal(self) -> bool:
+        # Některé role mají omezení na úroveň hierarchie.
+        level = self.place.level if self.place else -1
+        rt = self.role
+        if not (rt == RoleType.garant and level <= 0
+                or rt == RoleType.garant_kraj and level == 1
+                or rt == RoleType.garant_okres and level == 2
+                or rt == RoleType.garant_skola and level >= 3):
+            return False
+
+        return True
+
 
 class PaperType(MOEnum):
     solution = auto()
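Review bot: `is_legal()` is an allow-list over exactly four role types, so any other `RoleType` member falls through to `return False`; if the enum has members beyond the four garant roles (not visible in this hunk), those roles can no longer be assigned through the caller added in `mo/web/org_users.py`. Failing closed is the safer default for a permission-bearing record, but it should be stated, for example with a docstring such as `"""Return True if this role type may be attached to a place of this hierarchy level; role types not listed here are rejected."""`. A role without a place is treated as level -1 and is therefore legal only for `RoleType.garant`, which deserves a word in the same docstring. The mixed `and`/`or` chain relies on operator precedence; wrapping each pair as `(rt == RoleType.garant_kraj and level == 1)` would make the intended grouping explicit. The `UserRole` class starts outside the hunk.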
diff --git a/mo/web/org_users.py b/mo/web/org_users.py
index daeeb08c..b0913ee5 100644
--- a/mo/web/org_users.py
+++ b/mo/web/org_users.py
@@ -289,6 +289,10 @@ def org_org(id: int):
 
             ok = True
 
+            if not new_role.is_legal():
+                role_errors.append('Tato kombinace role a místa není povolena')
+                ok = False
+            elif not g.gatekeeper.can_set_role(new_role):
                 role_errors.append(f'Roli "{new_role}" nelze přidělit, není podmnožinou žádné vaší role')
                 ok = False
 
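Review bot: The role/level constraint is enforced only in the `org_org` handler, so any other path that creates or edits a `UserRole` (none is visible in this patch) could still store a combination that `is_legal()` rejects. Because the constraint limits which privileges can exist at which level of the hierarchy, consider having `g.gatekeeper.can_set_role()` call `new_role.is_legal()` itself, or validating in the model before the row is committed, so a future caller cannot skip it. If the handler-level check stays, a comment such as `# Structural check first: the role type must match the place's level, regardless of who is asking` would explain why it precedes the permission check. No test for the rejected combinations is included in the patch. The body of `org_org` starts and ends outside the hunk.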
-- 
GitLab