def test_nested_permission(self):
frappe.set_user('Administrator')
create_nested_doctype()
create_nested_doctype_records()
clear_user_permissions_for_doctype('Nested DocType')
# user permission for only one root folder
add_user_permission('Nested DocType', 'Level 1 A', '*****@*****.**')
from frappe.core.page.permission_manager.permission_manager import update
# to avoid if_owner filter
update('Nested DocType', 'All', 0, 'if_owner', 0)
frappe.set_user('*****@*****.**')
data = DatabaseQuery('Nested DocType').execute()
# children of root folder (for which we added user permission) should be accessible
self.assertTrue({'name': 'Level 2 A'} in data)
self.assertTrue({'name': 'Level 2 A'} in data)
# other folders should not be accessible
self.assertFalse({'name': 'Level 1 B'} in data)
self.assertFalse({'name': 'Level 2 B'} in data)
update('Nested DocType', 'All', 0, 'if_owner', 1)
frappe.set_user('Administrator')
def test_build_match_conditions(self):
clear_user_permissions_for_doctype('Blog Post', '*****@*****.**')
test2user = frappe.get_doc('User', '*****@*****.**')
test2user.add_roles('Blogger')
frappe.set_user('*****@*****.**')
# this will get match conditions for Blog Post
build_match_conditions = DatabaseQuery(
'Blog Post').build_match_conditions
# Before any user permission is applied
# get as filters
self.assertEqual(build_match_conditions(as_condition=False), [])
# get as conditions
self.assertEqual(build_match_conditions(as_condition=True), "")
add_user_permission('Blog Post', '-test-blog-post',
'*****@*****.**', True)
add_user_permission('Blog Post', '-test-blog-post-1',
'*****@*****.**', True)
# After applying user permission
# get as filters
self.assertTrue(
{'Blog Post': ['-test-blog-post-1', '-test-blog-post']
} in build_match_conditions(as_condition=False))
# get as conditions
self.assertEqual(
build_match_conditions(as_condition=True),
"""(((ifnull(`tabBlog Post`.`name`, '')='' or `tabBlog Post`.`name` in ('-test-blog-post-1', '-test-blog-post'))))"""
)
frappe.set_user('Administrator')
def test_nested_permission(self):
clear_user_permissions_for_doctype("File")
delete_test_file_hierarchy() # delete already existing folders
from frappe.core.doctype.file.file import create_new_folder
frappe.set_user('Administrator')
create_new_folder('level1-A', 'Home')
create_new_folder('level2-A', 'Home/level1-A')
create_new_folder('level2-B', 'Home/level1-A')
create_new_folder('level3-A', 'Home/level1-A/level2-A')
create_new_folder('level1-B', 'Home')
create_new_folder('level2-A', 'Home/level1-B')
# user permission for only one root folder
add_user_permission('File', 'Home/level1-A', '*****@*****.**')
from frappe.core.page.permission_manager.permission_manager import update
update('File', 'All', 0, 'if_owner', 0) # to avoid if_owner filter
frappe.set_user('*****@*****.**')
data = DatabaseQuery("File").execute()
# children of root folder (for which we added user permission) should be accessible
self.assertTrue({"name": "Home/level1-A/level2-A"} in data)
self.assertTrue({"name": "Home/level1-A/level2-B"} in data)
self.assertTrue({"name": "Home/level1-A/level2-A/level3-A"} in data)
# other folders should not be accessible
self.assertFalse({"name": "Home/level1-B"} in data)
self.assertFalse({"name": "Home/level1-B/level2-B"} in data)
update('File', 'All', 0, 'if_owner', 1)
frappe.set_user('Administrator')
def apply_permissions_for_non_standard_user_type(doc, method=None):
'''Create user permission for the non standard user type'''
if not frappe.db.table_exists('User Type'):
return
user_types = frappe.cache().get_value('non_standard_user_types')
if not user_types:
user_types = get_non_standard_user_type_details()
if not user_types:
return
for user_type, data in user_types.items():
if (not doc.get(data[1]) or doc.doctype != data[0]):
continue
if frappe.get_cached_value('User', doc.get(data[1]), 'user_type') != user_type:
return
if (doc.get(data[1]) and (not doc._doc_before_save or doc.get(data[1]) != doc._doc_before_save.get(data[1])
or not frappe.db.get_value('User Permission',
{'user': doc.get(data[1]), 'allow': data[0], 'for_value': doc.name}, 'name'))):
perm_data = frappe.db.get_value('User Permission',
{'allow': doc.doctype, 'for_value': doc.name}, ['name', 'user'])
if not perm_data:
user_doc = frappe.get_cached_doc('User', doc.get(data[1]))
user_doc.set_roles_and_modules_based_on_user_type()
user_doc.update_children()
add_user_permission(doc.doctype, doc.name, doc.get(data[1]))
else:
frappe.db.set_value('User Permission', perm_data[0], 'user', doc.get(data[1]))
def update_user_permissions(self):
if not self.create_user_permission: return
if not has_permission(
'User Permission', ptype='write', raise_exception=False):
return
employee_user_permission_exists = frappe.db.exists(
'User Permission', {
'allow': 'Employee',
'for_value': self.name,
'user': self.user_id
})
if employee_user_permission_exists: return
employee_user_permission_exists = frappe.db.exists(
'User Permission', {
'allow': 'Employee',
'for_value': self.name,
'user': self.user_id
})
if employee_user_permission_exists: return
add_user_permission("Employee", self.name, self.user_id)
set_user_permission_if_allowed("Company", self.company, self.user_id)
def test_automatic_apply_user_permissions(self):
'''Test user permissions are automatically applied when a user permission
is created'''
# create a user
frappe.get_doc(dict(doctype='User', email='*****@*****.**',
first_name='tester')).insert(ignore_if_duplicate=True)
frappe.get_doc(dict(doctype='Role', role_name='Test Role User Perm')
).insert(ignore_if_duplicate=True)
# add a permission for event
add_permission('DocType', 'Test Role User Perm')
frappe.get_doc('User', '*****@*****.**').add_roles('Test Role User Perm')
# add user permission
add_user_permission('Module Def', 'Core', '*****@*****.**', True)
# check if user permission is applied in the new role
_perm = None
for perm in get_valid_perms('DocType', '*****@*****.**'):
if perm.role == 'Test Role User Perm':
_perm = perm
self.assertEqual(_perm.apply_user_permissions, 1)
# restrict by module
self.assertTrue('Module Def' in json.loads(_perm.user_permission_doctypes))
def test_nested_permission(self):
frappe.set_user("Administrator")
create_nested_doctype()
create_nested_doctype_records()
clear_user_permissions_for_doctype("Nested DocType")
# user permission for only one root folder
add_user_permission("Nested DocType", "Level 1 A", "*****@*****.**")
from frappe.core.page.permission_manager.permission_manager import update
# to avoid if_owner filter
update("Nested DocType", "All", 0, "if_owner", 0)
frappe.set_user("*****@*****.**")
data = DatabaseQuery("Nested DocType").execute()
# children of root folder (for which we added user permission) should be accessible
self.assertTrue({"name": "Level 2 A"} in data)
self.assertTrue({"name": "Level 2 A"} in data)
# other folders should not be accessible
self.assertFalse({"name": "Level 1 B"} in data)
self.assertFalse({"name": "Level 2 B"} in data)
update("Nested DocType", "All", 0, "if_owner", 1)
frappe.set_user("Administrator")
def test_strict_user_permissions(self):
"""If `Strict User Permissions` is checked in System Settings,
show records even if User Permissions are missing for a linked
doctype"""
frappe.set_user("Administrator")
frappe.db.sql('delete from tabContact')
make_test_records_for_doctype('Contact', force=True)
set_user_permission_doctypes("Contact", role="Sales User",
apply_user_permissions=1, user_permission_doctypes=['Salutation'])
set_user_permission_doctypes("Salutation", role="All",
apply_user_permissions=1, user_permission_doctypes=['Salutation'])
add_user_permission("Salutation", "Mr", "*****@*****.**")
self.set_strict_user_permissions(0)
frappe.set_user("*****@*****.**")
self.assertEquals(len(frappe.get_list("Contact")), 2)
frappe.set_user("Administrator")
self.set_strict_user_permissions(1)
frappe.set_user("*****@*****.**")
self.assertTrue(len(frappe.get_list("Contact")), 1)
frappe.set_user("Administrator")
self.set_strict_user_permissions(0)
def add(user, defkey, defvalue):
if not can_set_user_permissions(defkey, defvalue):
frappe.throw(
_("Cannot set permission for DocType: {0} and Name: {1}").format(
defkey, defvalue), frappe.PermissionError)
add_user_permission(defkey, defvalue, user, with_message=True)
def test_build_match_conditions(self):
clear_user_permissions_for_doctype('Blog Post', '*****@*****.**')
test2user = frappe.get_doc('User', '*****@*****.**')
test2user.add_roles('Blogger')
frappe.set_user('*****@*****.**')
# this will get match conditions for Blog Post
build_match_conditions = DatabaseQuery('Blog Post').build_match_conditions
# Before any user permission is applied
# get as filters
self.assertEqual(build_match_conditions(as_condition=False), [])
# get as conditions
self.assertEqual(build_match_conditions(as_condition=True), "")
add_user_permission('Blog Post', '-test-blog-post', '*****@*****.**', True)
add_user_permission('Blog Post', '-test-blog-post-1', '*****@*****.**', True)
# After applying user permission
# get as filters
self.assertTrue({'Blog Post': ['-test-blog-post-1', '-test-blog-post']} in build_match_conditions(as_condition=False))
# get as conditions
self.assertEqual(build_match_conditions(as_condition=True),
"""(((ifnull(`tabBlog Post`.`name`, "")="" or `tabBlog Post`.`name` in ("-test-blog-post-1", "-test-blog-post"))))""")
frappe.set_user('Administrator')
def test_strict_user_permissions(self):
"""If `Strict User Permissions` is checked in System Settings,
show records even if User Permissions are missing for a linked
doctype"""
frappe.set_user("Administrator")
frappe.db.sql('delete from tabContact')
make_test_records_for_doctype('Contact', force=True)
set_user_permission_doctypes("Contact", role="Sales User",
apply_user_permissions=1, user_permission_doctypes=['Salutation'])
set_user_permission_doctypes("Salutation", role="All",
apply_user_permissions=1, user_permission_doctypes=['Salutation'])
add_user_permission("Salutation", "Mr", "*****@*****.**")
self.set_strict_user_permissions(0)
frappe.set_user("*****@*****.**")
self.assertEquals(len(frappe.get_list("Contact")), 2)
frappe.set_user("Administrator")
self.set_strict_user_permissions(1)
frappe.set_user("*****@*****.**")
self.assertTrue(len(frappe.get_list("Contact")), 1)
frappe.set_user("Administrator")
self.set_strict_user_permissions(0)
def test_automatic_apply_user_permissions(self):
'''Test user permissions are automatically applied when a user permission
is created'''
# create a user
frappe.get_doc(dict(doctype='User', email='*****@*****.**',
first_name='tester')).insert(ignore_if_duplicate=True)
frappe.get_doc(dict(doctype='Role', role_name='Test Role User Perm')
).insert(ignore_if_duplicate=True)
# add a permission for event
add_permission('DocType', 'Test Role User Perm')
frappe.get_doc('User', '*****@*****.**').add_roles('Test Role User Perm')
# add user permission
add_user_permission('Module Def', 'Core', '*****@*****.**', True)
# check if user permission is applied in the new role
_perm = None
for perm in get_valid_perms('DocType', '*****@*****.**'):
if perm.role == 'Test Role User Perm':
_perm = perm
self.assertEqual(_perm.apply_user_permissions, 1)
# restrict by module
self.assertTrue('Module Def' in json.loads(_perm.user_permission_doctypes))
def test_insert_if_owner_with_user_permissions(self):
"""If `If Owner` is checked for a Role, check if that document is allowed to be read, updated, submitted, etc. except be created, even if the document is restricted based on User Permissions."""
frappe.delete_doc('Blog Post', '-test-blog-post-title')
self.set_user_permission_doctypes(["Blog Category"])
self.if_owner_setup()
frappe.set_user("*****@*****.**")
doc = frappe.get_doc({
"doctype": "Blog Post",
"blog_category": "_Test Blog Category",
"blogger": "_Test Blogger 1",
"title": "_Test Blog Post Title",
"content": "_Test Blog Post Content"
})
self.assertRaises(frappe.PermissionError, doc.insert)
frappe.set_user("Administrator")
add_user_permission("Blog Category", "_Test Blog Category",
"*****@*****.**")
frappe.set_user("*****@*****.**")
doc.insert()
frappe.set_user("Administrator")
frappe.permissions.remove_user_permission("Blog Category", "_Test Blog Category",
"*****@*****.**")
frappe.set_user("*****@*****.**")
doc = frappe.get_doc(doc.doctype, doc.name)
self.assertTrue(doc.has_permission("read"))
self.assertTrue(doc.has_permission("write"))
self.assertFalse(doc.has_permission("create"))
def test_insert_if_owner_with_user_permissions(self):
"""If `If Owner` is checked for a Role, check if that document is allowed to be read, updated, submitted, etc. except be created, even if the document is restricted based on User Permissions."""
frappe.delete_doc('Blog Post', '-test-blog-post-title')
self.set_user_permission_doctypes(["Blog Category"])
self.if_owner_setup()
frappe.set_user("*****@*****.**")
doc = frappe.get_doc({
"doctype": "Blog Post",
"blog_category": "_Test Blog Category",
"blogger": "_Test Blogger 1",
"title": "_Test Blog Post Title",
"content": "_Test Blog Post Content"
})
self.assertRaises(frappe.PermissionError, doc.insert)
frappe.set_user("Administrator")
add_user_permission("Blog Category", "_Test Blog Category",
"*****@*****.**")
frappe.set_user("*****@*****.**")
doc.insert()
frappe.set_user("Administrator")
frappe.permissions.remove_user_permission("Blog Category", "_Test Blog Category",
"*****@*****.**")
frappe.set_user("*****@*****.**")
doc = frappe.get_doc(doc.doctype, doc.name)
self.assertTrue(doc.has_permission("read"))
self.assertTrue(doc.has_permission("write"))
self.assertFalse(doc.has_permission("create"))
def if_owner_setup(self):
update("Blog Post", "Blogger", 0, "if_owner", 1)
add_user_permission("Blog Category", "-test-blog-category-1", "*****@*****.**")
add_user_permission("Blogger", "_Test Blogger 1", "*****@*****.**")
frappe.clear_cache(doctype="Blog Post")
def test_default_values(self):
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
frappe.set_user("*****@*****.**")
doc = frappe.new_doc("Blog Post")
self.assertEqual(doc.get("blog_category"), "_Test Blog Category 1")
def test_nested_permission(self):
clear_user_permissions_for_doctype("File")
delete_test_file_hierarchy() # delete already existing folders
from frappe.core.doctype.file.file import create_new_folder
frappe.set_user('Administrator')
create_new_folder('level1-A', 'Home')
create_new_folder('level2-A', 'Home/level1-A')
create_new_folder('level2-B', 'Home/level1-A')
create_new_folder('level3-A', 'Home/level1-A/level2-A')
create_new_folder('level1-B', 'Home')
create_new_folder('level2-A', 'Home/level1-B')
# user permission for only one root folder
add_user_permission('File', 'Home/level1-A', '*****@*****.**')
from frappe.core.page.permission_manager.permission_manager import update
update('File', 'All', 0, 'if_owner', 0) # to avoid if_owner filter
frappe.set_user('*****@*****.**')
data = DatabaseQuery("File").execute()
# children of root folder (for which we added user permission) should be accessible
self.assertTrue({"name": "Home/level1-A/level2-A"} in data)
self.assertTrue({"name": "Home/level1-A/level2-B"} in data)
self.assertTrue({"name": "Home/level1-A/level2-A/level3-A"} in data)
# other folders should not be accessible
self.assertFalse({"name": "Home/level1-B"} in data)
self.assertFalse({"name": "Home/level1-B/level2-B"} in data)
update('File', 'All', 0, 'if_owner', 1)
frappe.set_user('Administrator')
def test_user_permissions_in_report(self):
add_user_permission("Blog Category", "-test-blog-category-1", "*****@*****.**")
frappe.set_user("*****@*****.**")
names = [d.name for d in frappe.get_list("Blog Post", fields=["name", "blog_category"])]
self.assertTrue("-test-blog-post-1" in names)
self.assertFalse("-test-blog-post" in names)
def test_user_permissions_in_report(self):
add_user_permission("Blog Category", "_Test Blog Category 1", "*****@*****.**")
frappe.set_user("*****@*****.**")
names = [d.name for d in frappe.get_list("Blog Post", fields=["name", "blog_category"])]
self.assertTrue("-test-blog-post-1" in names)
self.assertFalse("-test-blog-post" in names)
def if_owner_setup(self):
update('Blog Post', 'Blogger', 0, 'if_owner', 1)
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
add_user_permission("Blogger", "_Test Blogger 1", "*****@*****.**")
frappe.clear_cache(doctype="Blog Post")
def test_user_permissions_not_applied_if_user_can_edit_user_permissions(
self):
add_user_permission('Blogger', '_Test Blogger 1', '*****@*****.**')
# [email protected] has rights to create user permissions
# so it should not matter if explicit user permissions are not set
self.assertTrue(
frappe.get_doc('Blogger', '_Test Blogger').has_permission('read'))
def if_owner_setup(self):
update('Blog Post', 'Blogger', 0, 'if_owner', 1)
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
add_user_permission("Blogger", "_Test Blogger 1",
"*****@*****.**")
frappe.clear_cache(doctype="Blog Post")
def import_user_permissions():
frappe.only_for("System Manager")
rows = read_csv_content_from_uploaded_file(ignore_encoding=True)
clear_default(parenttype="User Permission")
if rows[0][0]!="User Permissions" and rows[1][0] != "User":
frappe.throw(frappe._("Please upload using the same template as download."))
for row in rows[2:]:
add_user_permission(row[1], row[2], row[0])
def if_owner_setup(self):
update('Blog Post', 'Blogger', 0, 'if_owner', 1)
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
add_user_permission("Blogger", "_Test Blogger 1",
"*****@*****.**")
update('Blog Post', 'Blogger', 0, 'user_permission_doctypes', json.dumps(["Blog Category"]))
frappe.model.meta.clear_cache("Blog Post")
def if_owner_setup(self):
update('Blog Post', 'Blogger', 0, 'if_owner', 1)
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
add_user_permission("Blogger", "_Test Blogger 1",
"*****@*****.**")
update('Blog Post', 'Blogger', 0, 'user_permission_doctypes', json.dumps(["Blog Category"]))
frappe.model.meta.clear_cache("Blog Post")
def test_user_permissions_in_doc(self):
add_user_permission("Blog Category", "-test-blog-category-1", "*****@*****.**")
frappe.set_user("*****@*****.**")
post = frappe.get_doc("Blog Post", "-test-blog-post")
self.assertFalse(post.has_permission("read"))
self.assertFalse(get_doc_permissions(post).get("read"))
post1 = frappe.get_doc("Blog Post", "-test-blog-post-1")
self.assertTrue(post1.has_permission("read"))
self.assertTrue(get_doc_permissions(post1).get("read"))
def test_user_permissions_in_doc(self):
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
frappe.set_user("*****@*****.**")
post = frappe.get_doc("Blog Post", "-test-blog-post")
self.assertFalse(post.has_permission("read"))
self.assertFalse(get_doc_permissions(post).get("read"))
post1 = frappe.get_doc("Blog Post", "-test-blog-post-1")
self.assertTrue(post1.has_permission("read"))
self.assertTrue(get_doc_permissions(post1).get("read"))
def test_user_permissions_if_applied_on_doc_being_evaluated(self):
frappe.set_user("*****@*****.**")
doc = frappe.get_doc("Blog Post", "-test-blog-post-1")
self.assertTrue(doc.has_permission("read"))
frappe.set_user("*****@*****.**")
add_user_permission("Blog Post", "-test-blog-post", "*****@*****.**")
frappe.set_user("*****@*****.**")
doc = frappe.get_doc("Blog Post", "-test-blog-post-1")
self.assertFalse(doc.has_permission("read"))
doc = frappe.get_doc("Blog Post", "-test-blog-post")
self.assertTrue(doc.has_permission("read"))
def test_user_permission_is_not_applied_if_user_roles_does_not_have_permission(self):
add_user_permission("Blog Post", "-test-blog-post-1", "*****@*****.**")
frappe.set_user("*****@*****.**")
doc = frappe.get_doc("Blog Post", "-test-blog-post-1")
self.assertFalse(doc.has_permission("read"))
frappe.set_user("Administrator")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Blogger")
frappe.set_user("*****@*****.**")
self.assertTrue(doc.has_permission("read"))
frappe.set_user("Administrator")
user.remove_roles("Blogger")
def update_user_permissions(self):
if not self.create_user_permission: return
if not has_permission('User Permission', ptype='write', raise_exception=False): return
employee_user_permission_exists = frappe.db.exists('User Permission', {
'allow': 'Employee',
'for_value': self.name,
'user': self.user_id
})
if employee_user_permission_exists: return
add_user_permission("Employee", self.name, self.user_id)
set_user_permission_if_allowed("Company", self.company, self.user_id)
def test_user_permissions_if_applied_on_doc_being_evaluated(self):
frappe.set_user("*****@*****.**")
doc = frappe.get_doc("Blog Post", "-test-blog-post-1")
self.assertTrue(doc.has_permission("read"))
frappe.set_user("*****@*****.**")
add_user_permission("Blog Post", "-test-blog-post", "*****@*****.**")
frappe.set_user("*****@*****.**")
doc = frappe.get_doc("Blog Post", "-test-blog-post-1")
self.assertFalse(doc.has_permission("read"))
doc = frappe.get_doc("Blog Post", "-test-blog-post")
self.assertTrue(doc.has_permission("read"))
def test_user_permission_is_not_applied_if_user_roles_does_not_have_permission(self):
add_user_permission('Blog Post', '-test-blog-post-1', '*****@*****.**')
frappe.set_user("*****@*****.**")
doc = frappe.get_doc("Blog Post", "-test-blog-post-1")
self.assertFalse(doc.has_permission("read"))
frappe.set_user("Administrator")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Blogger")
frappe.set_user("*****@*****.**")
self.assertTrue(doc.has_permission("read"))
frappe.set_user("Administrator")
user.remove_roles("Blogger")
def test_user_permission_doctypes(self):
add_user_permission("Blog Category", "-test-blog-category-1", "*****@*****.**")
add_user_permission("Blogger", "_Test Blogger 1", "*****@*****.**")
frappe.set_user("*****@*****.**")
frappe.clear_cache(doctype="Blog Post")
doc = frappe.get_doc("Blog Post", "-test-blog-post")
self.assertFalse(doc.has_permission("read"))
doc = frappe.get_doc("Blog Post", "-test-blog-post-2")
self.assertTrue(doc.has_permission("read"))
frappe.clear_cache(doctype="Blog Post")
def test_default_values(self):
doc = frappe.new_doc("Blog Post")
self.assertFalse(doc.get("blog_category"))
# Fetch default based on single user permission
add_user_permission("Blog Category", "_Test Blog Category 1", "*****@*****.**")
frappe.set_user("*****@*****.**")
doc = frappe.new_doc("Blog Post")
self.assertEqual(doc.get("blog_category"), "_Test Blog Category 1")
# Don't fetch default if user permissions is more than 1
add_user_permission("Blog Category", "_Test Blog Category", "*****@*****.**", ignore_permissions=True)
frappe.clear_cache()
doc = frappe.new_doc("Blog Post")
self.assertFalse(doc.get("blog_category"))
def test_user_permissions_based_on_blogger(self):
frappe.set_user("*****@*****.**")
doc = frappe.get_doc("Blog Post", "-test-blog-post-1")
self.assertTrue(doc.has_permission("read"))
self.set_user_permission_doctypes(["Blog Post"])
frappe.set_user("*****@*****.**")
add_user_permission("Blog Post", "-test-blog-post", "*****@*****.**")
frappe.set_user("*****@*****.**")
doc = frappe.get_doc("Blog Post", "-test-blog-post-1")
self.assertFalse(doc.has_permission("read"))
doc = frappe.get_doc("Blog Post", "-test-blog-post")
self.assertTrue(doc.has_permission("read"))
def test_user_permissions_based_on_blogger(self):
frappe.set_user("*****@*****.**")
doc = frappe.get_doc("Blog Post", "-test-blog-post-1")
self.assertTrue(doc.has_permission("read"))
self.set_user_permission_doctypes(["Blog Post"])
frappe.set_user("*****@*****.**")
add_user_permission("Blog Post", "-test-blog-post", "*****@*****.**")
frappe.set_user("*****@*****.**")
doc = frappe.get_doc("Blog Post", "-test-blog-post-1")
self.assertFalse(doc.has_permission("read"))
doc = frappe.get_doc("Blog Post", "-test-blog-post")
self.assertTrue(doc.has_permission("read"))
def test_user_permission_doctypes(self):
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
add_user_permission("Blogger", "_Test Blogger 1",
"*****@*****.**")
frappe.set_user("*****@*****.**")
frappe.clear_cache(doctype="Blog Post")
doc = frappe.get_doc("Blog Post", "-test-blog-post")
self.assertFalse(doc.has_permission("read"))
doc = frappe.get_doc("Blog Post", "-test-blog-post-2")
self.assertTrue(doc.has_permission("read"))
frappe.clear_cache(doctype="Blog Post")
def apply_permissions_for_non_standard_user_type(doc, method=None):
"""Create user permission for the non standard user type"""
if not frappe.db.table_exists("User Type"):
return
user_types = frappe.cache().get_value("non_standard_user_types")
if not user_types:
user_types = get_non_standard_user_type_details()
if not user_types:
return
for user_type, data in iteritems(user_types):
if not doc.get(data[1]) or doc.doctype != data[0]:
continue
if frappe.get_cached_value("User", doc.get(data[1]),
"user_type") != user_type:
return
if doc.get(data[1]) and (
not doc._doc_before_save
or doc.get(data[1]) != doc._doc_before_save.get(data[1])
or not frappe.db.get_value("User Permission", {
"user": doc.get(data[1]),
"allow": data[0],
"for_value": doc.name
}, "name")):
perm_data = frappe.db.get_value("User Permission", {
"allow": doc.doctype,
"for_value": doc.name
}, ["name", "user"])
if not perm_data:
user_doc = frappe.get_cached_doc("User", doc.get(data[1]))
user_doc.set_roles_and_modules_based_on_user_type()
user_doc.update_children()
add_user_permission(doc.doctype, doc.name, doc.get(data[1]))
else:
frappe.db.set_value("User Permission", perm_data[0], "user",
doc.get(data[1]))
def update_user_permissions(self):
if not self.create_user_permission:
return
if not has_permission(
"User Permission", ptype="write", raise_exception=False):
return
employee_user_permission_exists = frappe.db.exists(
"User Permission", {
"allow": "Employee",
"for_value": self.name,
"user": self.user_id
})
if employee_user_permission_exists:
return
add_user_permission("Employee", self.name, self.user_id)
set_user_permission_if_allowed("Company", self.company, self.user_id)
def test_default_values(self):
doc = frappe.new_doc("Blog Post")
self.assertFalse(doc.get("blog_category"))
# Fetch default based on single user permission
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
frappe.set_user("*****@*****.**")
doc = frappe.new_doc("Blog Post")
self.assertEqual(doc.get("blog_category"), "_Test Blog Category 1")
# Don't fetch default if user permissions is more than 1
add_user_permission("Blog Category",
"_Test Blog Category",
"*****@*****.**",
ignore_permissions=True)
frappe.clear_cache()
doc = frappe.new_doc("Blog Post")
self.assertFalse(doc.get("blog_category"))
def test_strict_user_permissions(self):
"""If `Strict User Permissions` is checked in System Settings,
show records even if User Permissions are missing for a linked
doctype"""
frappe.set_user('Administrator')
frappe.db.sql('DELETE FROM `tabContact`')
frappe.db.sql('DELETE FROM `tabContact Email`')
frappe.db.sql('DELETE FROM `tabContact Phone`')
reset('Salutation')
reset('Contact')
make_test_records_for_doctype('Contact', force=True)
add_user_permission("Salutation", "Mr", "*****@*****.**")
self.set_strict_user_permissions(0)
allowed_contact = frappe.get_doc('Contact',
'_Test Contact For _Test Customer')
other_contact = frappe.get_doc('Contact',
'_Test Contact For _Test Supplier')
frappe.set_user("*****@*****.**")
self.assertTrue(allowed_contact.has_permission('read'))
self.assertTrue(other_contact.has_permission('read'))
self.assertEqual(len(frappe.get_list("Contact")), 2)
frappe.set_user("Administrator")
self.set_strict_user_permissions(1)
frappe.set_user("*****@*****.**")
self.assertTrue(allowed_contact.has_permission('read'))
self.assertFalse(other_contact.has_permission('read'))
self.assertTrue(len(frappe.get_list("Contact")), 1)
frappe.set_user("Administrator")
self.set_strict_user_permissions(0)
clear_user_permissions_for_doctype("Salutation")
clear_user_permissions_for_doctype("Contact")
def test_warehouse_user(self):
add_user_permission("Warehouse", "_Test Warehouse 1 - _TC", "*****@*****.**")
add_user_permission("Warehouse", "_Test Warehouse 2 - _TC1", "*****@*****.**")
add_user_permission("Company", "_Test Company 1", "*****@*****.**")
test_user = frappe.get_doc("User", "*****@*****.**")
test_user.add_roles("Sales User", "Sales Manager", "Stock User")
test_user.remove_roles("Stock Manager", "System Manager")
frappe.get_doc("User", "*****@*****.**")\
.add_roles("Sales User", "Sales Manager", "Stock User", "Stock Manager")
st1 = frappe.copy_doc(test_records[0])
st1.company = "_Test Company 1"
frappe.set_user("*****@*****.**")
st1.get("items")[0].t_warehouse="_Test Warehouse 2 - _TC1"
self.assertRaises(frappe.PermissionError, st1.insert)
test_user.add_roles("System Manager")
frappe.set_user("*****@*****.**")
st1 = frappe.copy_doc(test_records[0])
st1.company = "_Test Company 1"
st1.get("items")[0].t_warehouse="_Test Warehouse 2 - _TC1"
st1.get("items")[0].expense_account = "Stock Adjustment - _TC1"
st1.get("items")[0].cost_center = "Main - _TC1"
st1.set_stock_entry_type()
st1.insert()
st1.submit()
frappe.set_user("Administrator")
remove_user_permission("Warehouse", "_Test Warehouse 1 - _TC", "*****@*****.**")
remove_user_permission("Warehouse", "_Test Warehouse 2 - _TC1", "*****@*****.**")
remove_user_permission("Company", "_Test Company 1", "*****@*****.**")
def test_contextual_user_permission(self):
# should be applicable for across all doctypes
add_user_permission('Blogger', '_Test Blogger', '*****@*****.**')
# should be applicable only while accessing Blog Post
add_user_permission('Blogger',
'_Test Blogger 1',
'*****@*****.**',
applicable_for='Blog Post')
# should be applicable only while accessing User
add_user_permission('Blogger',
'_Test Blogger 2',
'*****@*****.**',
applicable_for='User')
posts = frappe.get_all('Blog Post', fields=['name', 'blogger'])
# Get all posts for admin
self.assertEqual(len(posts), 4)
frappe.set_user('*****@*****.**')
posts = frappe.get_list('Blog Post', fields=['name', 'blogger'])
# Should get only posts with allowed blogger via user permission
# only '_Test Blogger', '_Test Blogger 1' are allowed in Blog Post
self.assertEqual(len(posts), 3)
for post in posts:
self.assertIn(
post.blogger, ['_Test Blogger', '_Test Blogger 1'],
'A post from {} is not expected.'.format(post.blogger))
def test_clear_user_permissions(self):
current_user = frappe.session.user
frappe.set_user('Administrator')
clear_user_permissions_for_doctype('Blog Category', '*****@*****.**')
clear_user_permissions_for_doctype('Blog Post', '*****@*****.**')
add_user_permission('Blog Post', '-test-blog-post-1', '*****@*****.**')
add_user_permission('Blog Post', '-test-blog-post-2', '*****@*****.**')
add_user_permission("Blog Category", '_Test Blog Category 1', '*****@*****.**')
deleted_user_permission_count = clear_user_permissions('*****@*****.**', 'Blog Post')
self.assertEqual(deleted_user_permission_count, 2)
blog_post_user_permission_count = frappe.db.count('User Permission', filters={
'user': '******',
'allow': 'Blog Post'
})
self.assertEqual(blog_post_user_permission_count, 0)
blog_category_user_permission_count = frappe.db.count('User Permission', filters={
'user': '******',
'allow': 'Blog Category'
})
self.assertEqual(blog_category_user_permission_count, 1)
# reset the user
frappe.set_user(current_user)
def test_clear_user_permissions(self):
current_user = frappe.session.user
frappe.set_user("Administrator")
clear_user_permissions_for_doctype("Blog Category", "*****@*****.**")
clear_user_permissions_for_doctype("Blog Post", "*****@*****.**")
add_user_permission("Blog Post", "-test-blog-post-1", "*****@*****.**")
add_user_permission("Blog Post", "-test-blog-post-2", "*****@*****.**")
add_user_permission("Blog Category", "-test-blog-category-1", "*****@*****.**")
deleted_user_permission_count = clear_user_permissions("*****@*****.**", "Blog Post")
self.assertEqual(deleted_user_permission_count, 2)
blog_post_user_permission_count = frappe.db.count(
"User Permission", filters={"user": "******", "allow": "Blog Post"}
)
self.assertEqual(blog_post_user_permission_count, 0)
blog_category_user_permission_count = frappe.db.count(
"User Permission", filters={"user": "******", "allow": "Blog Category"}
)
self.assertEqual(blog_category_user_permission_count, 1)
# reset the user
frappe.set_user(current_user)
def test_contextual_user_permission(self):
# should be applicable for across all doctypes
add_user_permission("Blogger", "_Test Blogger", "*****@*****.**")
# should be applicable only while accessing Blog Post
add_user_permission(
"Blogger", "_Test Blogger 1", "*****@*****.**", applicable_for="Blog Post"
)
# should be applicable only while accessing User
add_user_permission("Blogger", "_Test Blogger 2", "*****@*****.**", applicable_for="User")
posts = frappe.get_all("Blog Post", fields=["name", "blogger"])
# Get all posts for admin
self.assertEqual(len(posts), 4)
frappe.set_user("*****@*****.**")
posts = frappe.get_list("Blog Post", fields=["name", "blogger"])
# Should get only posts with allowed blogger via user permission
# only '_Test Blogger', '_Test Blogger 1' are allowed in Blog Post
self.assertEqual(len(posts), 3)
for post in posts:
self.assertIn(
post.blogger,
["_Test Blogger", "_Test Blogger 1"],
"A post from {} is not expected.".format(post.blogger),
)
def test_ignore_user_permissions_if_missing(self):
"""If there are no user permissions, then allow as per role"""
add_user_permission("Blog Category", "_Test Blog Category",
"*****@*****.**")
frappe.set_user("*****@*****.**")
doc = frappe.get_doc({
"doctype": "Blog Post",
"blog_category": "_Test Blog Category 2",
"blogger": "_Test Blogger 1",
"title": "_Test Blog Post Title",
"content": "_Test Blog Post Content"
})
self.assertFalse(doc.has_permission("write"))
frappe.set_user("Administrator")
remove_user_permission("Blog Category", "_Test Blog Category",
"*****@*****.**")
frappe.set_user("*****@*****.**")
self.assertTrue(doc.has_permission('write'))
def test_strict_user_permissions(self):
"""If `Strict User Permissions` is checked in System Settings,
show records even if User Permissions are missing for a linked
doctype"""
frappe.set_user('Administrator')
frappe.db.sql('delete from tabContact')
reset('Salutation')
reset('Contact')
make_test_records_for_doctype('Contact', force=True)
add_user_permission("Salutation", "Mr", "*****@*****.**")
self.set_strict_user_permissions(0)
allowed_contact = frappe.get_doc('Contact', '_Test Contact for _Test Customer')
other_contact = frappe.get_doc('Contact', '_Test Contact for _Test Supplier')
frappe.set_user("*****@*****.**")
self.assertTrue(allowed_contact.has_permission('read'))
self.assertTrue(other_contact.has_permission('read'))
self.assertEqual(len(frappe.get_list("Contact")), 2)
frappe.set_user("Administrator")
self.set_strict_user_permissions(1)
frappe.set_user("*****@*****.**")
self.assertTrue(allowed_contact.has_permission('read'))
self.assertFalse(other_contact.has_permission('read'))
self.assertTrue(len(frappe.get_list("Contact")), 1)
frappe.set_user("Administrator")
self.set_strict_user_permissions(0)
clear_user_permissions_for_doctype("Salutation")
clear_user_permissions_for_doctype("Contact")
def test_contextual_user_permission(self):
# should be applicable for across all doctypes
add_user_permission('Blogger', '_Test Blogger', '*****@*****.**')
# should be applicable only while accessing Blog Post
add_user_permission('Blogger', '_Test Blogger 1', '*****@*****.**', applicable_for='Blog Post')
# should be applicable only while accessing User
add_user_permission('Blogger', '_Test Blogger 2', '*****@*****.**', applicable_for='User')
posts = frappe.get_all('Blog Post', fields=['name', 'blogger'])
# Get all posts for admin
self.assertEqual(len(posts), 4)
frappe.set_user('*****@*****.**')
posts = frappe.get_list('Blog Post', fields=['name', 'blogger'])
# Should get only posts with allowed blogger via user permission
# only '_Test Blogger', '_Test Blogger 1' are allowed in Blog Post
self.assertEqual(len(posts), 3)
for post in posts:
self.assertIn(post.blogger, ['_Test Blogger', '_Test Blogger 1'], 'A post from {} is not expected.'.format(post.blogger))
def test_set_user_permissions(self):
frappe.set_user("*****@*****.**")
add_user_permission("Blog Post", "-test-blog-post", "*****@*****.**")
def test_default_values(self):
add_user_permission("Blog Category", "_Test Blog Category 1", "*****@*****.**")
frappe.set_user("*****@*****.**")
doc = frappe.new_doc("Blog Post")
self.assertEquals(doc.get("blog_category"), "_Test Blog Category 1")
def update_user_permissions(self):
if not self.create_user_permission: return
if not has_permission('User Permission', ptype='write'): return
add_user_permission("Employee", self.name, self.user_id)
set_user_permission_if_allowed("Company", self.company, self.user_id)
def test_user_permissions_not_applied_if_user_can_edit_user_permissions(self):
add_user_permission('Blogger', '_Test Blogger 1', '*****@*****.**')
# [email protected] has rights to create user permissions
# so it should not matter if explicit user permissions are not set
self.assertTrue(frappe.get_doc('Blogger', '_Test Blogger').has_permission('read'))
