[fix] Made requested changes

Author: pandafy

openwisp_radius/api/serializers.py

@@ -373,17 +373,19 @@ class Meta:
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
+        view = self.context.get("view")
         if (
-            self.context.get("view")
-            and getattr(self.context["view"], "get_parent_queryset", None)
-            and not getattr(self.context["view"], "swagger_fake_view", False)
+            view
+            and getattr(view, "get_parent_queryset", None)
+            and not getattr(view, "swagger_fake_view", False)
         ):
-            self._user = self.context["view"].get_parent_queryset().first()
+            self._user = view.get_parent_queryset().first()
         else:
             self._user = None
-        if self._user:
+        if self._user and view and getattr(view.request, "user", None):
+            orgs = view.request.user.organizations_managed
             self.fields["group"].queryset = self.fields["group"].queryset.filter(
-                organization_id__in=self._user.organizations_dict.keys()
+                organization__in=orgs
             )
         else:
             self.fields["group"].queryset = self.fields["group"].queryset.none()

openwisp_radius/tests/test_api/test_api.py

@@ -1495,6 +1495,21 @@ def test_radius_user_group_detail(self):
             self.assertEqual(rug.group, org1_power_users_group)
             self.assertEqual(rug.priority, 4)
 
+        with self.subTest("Org manager cannot assign group from another org"):
+            self._create_org_user(user=target_user, organization=org2)
+            org2_group = RadiusGroup.objects.get(organization=org2, name="org-2-users")
+            response = self.client.put(
+                url,
+                {"group": str(org2_group.pk), "priority": 8},
+                content_type="application/json",
+            )
+            self.assertEqual(
+                response.status_code,
+                status.HTTP_400_BAD_REQUEST,
+            )
+            rug.refresh_from_db()
+            self.assertEqual(rug.group, org1_power_users_group)
+
         with self.subTest("DELETE operation"):
             response = self.client.delete(url)
             self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)