def migrate_mirrors(apps, schema_editor):
from corehq.apps.enterprise.models import EnterprisePermissions
DomainPermissionsMirror = apps.get_model('users',
'DomainPermissionsMirror')
sources = {o.source for o in DomainPermissionsMirror.objects.all()}
for source in sources:
account = BillingAccount.get_account_by_domain(source)
account_domains = set(account.get_domains())
mirror_domains = {
o.mirror
for o in DomainPermissionsMirror.objects.filter(source=source)
}
if EnterprisePermissions.objects.filter(account=account).exists():
print(f"""
Found a pre-existing enterprise permissions configuration for account {account.id}.
Enterprise permissions no longer supports multiple configurations in the same account.
Please delete one of the DomainPermissionsMirror source domains in this account.
""")
sys.exit(1)
EnterprisePermissions(
account=account,
is_enabled=True,
source_domain=source,
domains=list(account_domains & mirror_domains - {source}),
).save()
def domain(domain, allow_enterprise=False):
domain_list = [domain]
if allow_enterprise:
from corehq.apps.enterprise.models import EnterprisePermissions
config = EnterprisePermissions.get_by_domain(domain)
if config.is_enabled and domain in config.domains:
domain_list.append(config.source_domain)
return domains(domain_list)
def disable_enterprise_permissions(request, domain):
config = EnterprisePermissions.get_by_domain(domain)
config.is_enabled = False
config.source_domain = None
config.save()
clear_enterprise_permissions_cache_for_all_users.delay(config.id)
redirect = reverse("enterprise_permissions", args=[domain])
messages.success(request, _('Enterprise permissions have been disabled.'))
return HttpResponseRedirect(redirect)
def get_enterprise_links_for_dropdown(couch_user, view_name="domain_homepage"):
# Returns dicts with keys 'name', 'display_name', and 'url'
from corehq.apps.enterprise.models import EnterprisePermissions
domain_links_by_name = {
d['name']: d
for d in get_domain_links_for_dropdown(couch_user)
}
subdomain_objects_by_name = {}
for domain_name in domain_links_by_name:
for subdomain in EnterprisePermissions.get_domains(domain_name):
if subdomain not in domain_links_by_name:
subdomain_objects_by_name[subdomain] = Domain.get_by_name(
subdomain)
return _domains_to_links(subdomain_objects_by_name.values(), view_name)
def _get_relevant_domains(cls, couch_user, domain=None):
domains = set()
# Include current domain, which user may not be a member of
if domain:
domains.add(domain)
if not couch_user:
return domains
domains = domains | set(couch_user.get_domains())
from corehq.apps.enterprise.models import EnterprisePermissions
subdomains = set()
for domain in domains:
subdomains = subdomains | set(
EnterprisePermissions.get_domains(domain))
return domains | subdomains
def remove_enterprise_permissions_domain(request, domain, target_domain):
config = EnterprisePermissions.get_by_domain(domain)
redirect = reverse("enterprise_permissions", args=[domain])
if target_domain not in config.account.get_domains(
) or target_domain not in config.domains:
messages.error(request,
_("Could not remove {}.").format(target_domain))
return HttpResponseRedirect(redirect)
if target_domain in config.domains:
config.domains.remove(target_domain)
config.save()
if config.source_domain:
clear_enterprise_permissions_cache_for_all_users.delay(
config.id, config.source_domain)
messages.success(
request,
_('{} is now excluded from enterprise permissions.').format(
target_domain))
return HttpResponseRedirect(redirect)
def enterprise_permissions(request, domain):
config = EnterprisePermissions.get_by_domain(domain)
if not config.id:
config.save()
all_domains = set(config.account.get_domains())
ignored_domains = all_domains - set(
config.domains) - {config.source_domain}
context = {
'domain': domain,
'all_domains': sorted(all_domains),
'is_enabled': config.is_enabled,
'source_domain': config.source_domain,
'ignored_domains': sorted(list(ignored_domains)),
'controlled_domains': sorted(config.domains),
'current_page': {
'page_name': _('Enterprise Permissions'),
'title': _('Enterprise Permissions'),
}
}
return render(request, "enterprise/enterprise_permissions.html", context)
def do_import(spreadsheet,
config,
domain,
task=None,
record_form_callback=None):
has_domain_column = 'domain' in [
c.lower() for c in spreadsheet.get_header_columns()
]
if has_domain_column and DOMAIN_PERMISSIONS_MIRROR.enabled(domain):
allowed_domains = EnterprisePermissions.get_domains(domain)
sub_domains = set()
import_results = _ImportResults()
for row_num, row in enumerate(spreadsheet.iter_row_dicts(), start=1):
if row_num == 1:
continue # skip first row (header row)
sheet_domain = row.get('domain')
if sheet_domain != domain and sheet_domain not in allowed_domains:
err = exceptions.CaseRowError(column_name='domain')
err.title = _('Invalid domain')
err.message = _(
'Following rows contain invalid value for domain column.')
import_results.add_error(row_num, err)
else:
sub_domains.add(sheet_domain)
for sub_domain in sub_domains:
importer = _TimedAndThrottledImporter(sub_domain,
config,
task,
record_form_callback,
import_results,
multi_domain=True)
importer.do_import(spreadsheet)
return import_results.to_json()
else:
importer = _TimedAndThrottledImporter(domain,
config,
task,
record_form_callback,
multi_domain=False)
return importer.do_import(spreadsheet)
def create_enterprise_permissions(email,
source_domain,
domains=None,
other_domains=None):
"""
Creates an account using the given email address and sets up enterprise permissions
with the given source domain. Both `domains` and `other_domains` are added to the new account,
but only `domains` are controlled by enterprise permissions.
All given domains must exist.
"""
account = generator.billing_account(email, email, is_customer_account=True)
plan_version = generator.subscribable_plan_version(
edition=SoftwarePlanEdition.ENTERPRISE)
start_date = datetime.now().date()
end_date = start_date + timedelta(days=365)
subscriptions = []
all_domains = [source_domain]
if domains:
all_domains.extend(domains)
if other_domains:
all_domains.extend(other_domains)
for domain in all_domains:
subscriptions.append(
generator.generate_domain_subscription(
account,
Domain.get_by_name(domain),
date_start=start_date,
date_end=end_date,
plan_version=plan_version,
is_active=True,
))
EnterprisePermissions(
account=account,
is_enabled=True,
source_domain=source_domain,
domains=domains,
).save()
def update_enterprise_permissions_source_domain(request, domain):
source_domain = request.POST.get('source_domain')
redirect = reverse("enterprise_permissions", args=[domain])
config = EnterprisePermissions.get_by_domain(domain)
if source_domain not in config.account.get_domains():
messages.error(request, _("Please select a project."))
return HttpResponseRedirect(redirect)
config.is_enabled = True
old_domain = config.source_domain
config.source_domain = source_domain
if source_domain in config.domains:
config.domains.remove(source_domain)
config.save()
clear_enterprise_permissions_cache_for_all_users.delay(
config.id, config.source_domain)
clear_enterprise_permissions_cache_for_all_users.delay(
config.id, old_domain)
messages.success(request,
_('Controlling domain set to {}.').format(source_domain))
return HttpResponseRedirect(redirect)
def _base_user_es_query(cls, domain, request_user):
if not request_user.has_permission(domain, 'access_all_locations'):
return super()._base_user_es_query(domain, request_user)
domains = list(set(EnterprisePermissions.get_domains(domain)) | {domain})
return user_es.UserES().domains(domains)
def __init__(self, request, domain, search):
super().__init__(request, domain, search, False)
# this will include all domains in the enterprise only if the current domain
# is the 'source'
self.enterprise_domains = list(
set(EnterprisePermissions.get_domains(domain)) | {domain})
def post(self, request, *args, **kwargs):
try:
data = json.loads(request.body.decode('utf-8'))
except ValueError:
return HttpResponseBadRequest()
if not data or not isinstance(data, dict):
return HttpResponseBadRequest()
session_id = data.get('sessionId', None)
if not session_id:
return HttpResponseBadRequest()
session = get_session(session_id)
user = get_django_user_from_session(session)
if user:
couch_user = CouchUser.get_by_username(user.username)
if not couch_user:
raise Http404
else:
raise Http404
domain = data.get('domain')
if domain and toggles.DISABLE_WEB_APPS.enabled(domain):
return HttpResponse('Service Temporarily Unavailable',
content_type='text/plain',
status=503)
# reset the session's expiry if there's some formplayer activity
secure_session = session.get('secure_session')
TimeoutMiddleware.update_secure_session(session,
secure_session,
couch_user,
domain=domain)
session.save()
domains = set()
for member_domain in couch_user.domains:
domains.add(member_domain)
domains.update(EnterprisePermissions.get_domains(member_domain))
enabled_toggles = toggles_enabled_for_user(
user.username) | toggles_enabled_for_domain(domain)
return JsonResponse({
'username':
user.username,
'djangoUserId':
user.pk,
'superUser':
user.is_superuser,
'authToken':
None,
'domains':
list(domains),
'anonymous':
False,
'enabled_toggles':
list(enabled_toggles),
'enabled_previews':
list(previews_enabled_for_domain(domain))
})
def validate_spec(self, spec):
target_domain = spec.get('domain')
if target_domain and target_domain != self.domain:
if target_domain not in EnterprisePermissions.get_domains(
self.domain):
return self.error_message.format(target_domain, self.domain)