def test_should_not_disable_restrictions_when_restricted_content_owned_users(
self):
"""
User M User N User O User P
Admin Admin User |
\ / \ / |
\ / \ / |
Org A Org B Org C
/ \ / \ _____/
/ \ / \ /
Project X Project Y Project Z
"""
# Given
org_content_owned = Organisation.objects.create(
name='C',
long_name='C',
can_create_projects=False,
enable_restrictions=True)
Partnership.objects.create(
organisation=org_content_owned,
project=self.projects['Z'],
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
self.user_p = self.create_user('*****@*****.**')
Employment.objects.create(user=self.user_p,
organisation=org_content_owned,
group=self.users,
is_approved=True)
restrict_projects(self.user_n, self.user_p, [self.projects['Z']])
# When
self.org_b.enable_restrictions = False
with self.assertRaises(CannotDisableRestrictions):
self.org_b.save()
def test_admin_cannot_restrict_unmanageable_user(self):
Y = self.projects['Y']
with self.assertRaises(InvalidPermissionChange):
restrict_projects(self.user_m, self.user_o, [Y])
self.assertTrue(self.user_o.has_perm('rsr.view_project', Y))
def test_admin_employers_swapped_as_partners_retains_restrictions(self):
"""
User M User N User O User P
Admin Admin User |
\ / \ / |
\ / \ / |
Org A Org B Org C (content owned)
/ / \ |
/ / \ |
Project X Project Y Project Z |
| |
+-------------------------+
"""
Y = self.projects['Y']
Partnership.objects.get(organisation=self.org_a, project=Y).delete()
org_content_owned = Organisation.objects.create(
name='C',
long_name='C',
can_create_projects=False,
enable_restrictions=True)
Partnership.objects.create(
organisation=org_content_owned,
project=Y,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
user_p = self.create_user('*****@*****.**')
Employment.objects.create(user=user_p,
organisation=org_content_owned,
group=self.users,
is_approved=True)
restrict_projects(self.user_n, user_p, [Y])
Partnership.objects.get(organisation=self.org_b, project=Y).delete()
Partnership.objects.create(organisation=self.org_a, project=Y)
self.assertFalse(user_p.has_perm('rsr.view_project', Y))
def test_admin_cannot_restrict_inaccessible_projects_for_content_owned_user(
self):
"""
User M User N User O User P
Admin Admin User |
\ / \ / |
\ / \ / |
Org A Org B /--Org C
/ \ / \ /---- |
/ \ / \ --- |
Project X Project Y Project Z |
| |
+-------------------------+
"""
org_content_owned = Organisation.objects.create(
name='C',
long_name='C',
can_create_projects=False,
enable_restrictions=True)
Partnership.objects.create(
organisation=org_content_owned,
project=self.projects['Y'],
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
Partnership.objects.create(
organisation=org_content_owned,
project=self.projects['Z'],
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
user = self.create_user('*****@*****.**')
Employment.objects.create(user=user,
organisation=org_content_owned,
group=self.users,
is_approved=True)
with self.assertRaises(InvalidPermissionChange):
restrict_projects(self.user_m, user, [self.projects['Z']])
def test_removing_partner_does_not_restore_access(self):
"""
User M User N User O User P
Admin Admin User |
\ / \ / |
\ / \ / |
Org A Org B Org C (content owned)
/ \ / \ |
/ \ / \ |
Project X Project Y Project Z |
| |
+-------------------------+
"""
org_content_owned = Organisation.objects.create(
name='C',
long_name='C',
can_create_projects=False,
enable_restrictions=True)
Partnership.objects.create(
organisation=org_content_owned,
project=self.projects['Y'],
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
user_p = self.create_user('*****@*****.**')
Employment.objects.create(user=user_p,
organisation=org_content_owned,
group=self.users,
is_approved=True)
restrict_projects(self.user_m, user_p, [self.projects['Y']])
Partnership.objects.get(organisation=self.org_a,
project=self.projects['Y']).delete()
self.assertFalse(
user_p.has_perm('rsr.view_project', self.projects['Y']))
def test_admin_cannot_restrict_other_admins(self):
with self.assertRaises(InvalidPermissionChange):
restrict_projects(self.user_m, self.user_n, [self.projects['Y']])
self.assertTrue(
self.user_n.has_perm('rsr.view_project', self.projects['Y']))
self.assertTrue(
self.user_n.has_perm('rsr.view_project', self.projects['Z']))
def test_admin_cannot_restrict_inaccessible_projects(self):
Z = self.projects['Z']
with self.assertRaises(InvalidPermissionChange):
restrict_projects(self.user_m, self.user_o, [Z])
self.assertTrue(
self.user_o.has_perm('rsr.view_project', self.projects['Z']))
def test_removing_and_adding_partnership_doesnot_change_permissions(self):
Z = self.projects['Z']
restrict_projects(self.user_n, self.user_o, [Z])
Partnership.objects.get(organisation=self.org_b, project=Z).delete()
Partnership.objects.create(organisation=self.org_b, project=Z)
self.assertFalse(self.user_o.has_perm('rsr.view_project', Z))
def test_endpoint_for_admin_and_user_having_same_org(self):
"""
/̶ o and \̶ o = project with restricted access for user_o
User M User N User O
Admin Admin User
\ \ /
\ \ /
Org A Org B
/ \ /̶ o \
/ \ /̶ o \
Project X Project Y Project Z
"""
# When
# Remove User N's employment with A
self.user_n.employers.filter(organisation=self.org_a).delete()
restrict_projects(self.user_n, self.user_o, [self.projects['Y']])
self.c.login(username=self.user_n.username, password=self.password_n)
response = self.c.get(
'/rest/v1/user_projects_access/{}/'.format(self.user_o.pk),
{'format': 'json'})
self.assertEqual(response.status_code, 200)
content = json.loads(response.content)
# organisation_groups = [
# {
# organisations: "B",
# projects: [
# {
# id: <self.projects['Z'].pk>,
# title: "Z",
# subtitle: "Z subtitle",
# access: True
# },
# {
# id: <self.projects['Y'].pk>,
# title: "Y",
# subtitle: "Y subtitle",
# access: False
# }
# ]
# }
# ]
org_groups = content['organisation_groups']
# Then
self.assertEqual(len(org_groups), 1)
self.assertEqual(org_groups[0]['organisations'], "B")
self.assertEqual(len(org_groups[0]['projects']), 2)
self.assertEqual(org_groups[0]['projects'][0]['id'],
self.projects['Z'].pk)
self.assertTrue(org_groups[0]['projects'][0]['access'])
self.assertEqual(org_groups[0]['projects'][1]['id'],
self.projects['Y'].pk)
self.assertFalse(org_groups[0]['projects'][1]['access'])
def test_new_projects_not_accessible_to_implementing_partners_not_content_owned_org_users(
self):
"""
---------------------------------------------+
/ |
User M User N User O User P |
Admin Admin User | |
\ / \ / | |
\ / \ / | |
Org A Org B --- Project W---Org C --+
/ \ / \ |
/ \ / \ |
Project X Project Y Project Z |
| |
+-------------------------------------+
"""
# Given
self.org_b.enable_restrictions = False
self.org_b.save()
implementing_partner = Organisation.objects.create(
name='C',
long_name='C',
can_create_projects=True,
enable_restrictions=True)
Partnership.objects.create(
organisation=implementing_partner,
project=self.projects['X'],
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
self.user_p = self.create_user('*****@*****.**')
Employment.objects.create(user=self.user_p,
organisation=implementing_partner,
group=self.users,
is_approved=True)
Employment.objects.create(user=self.user_m,
organisation=implementing_partner,
group=self.admins,
is_approved=True)
restrict_projects(self.user_m, self.user_p, [self.projects['X']])
# When
self.projects['W'] = project = Project.objects.create(title='W')
# FIXME: Ideally, this call should be automatic, but is manual now.
Project.new_project_created(project.id, self.user_n)
Partnership.objects.create(
organisation=implementing_partner,
project=project,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
# Then
self.assertFalse(self.org_b.enable_restrictions)
self.assertTrue(implementing_partner.enable_restrictions)
self.assertFalse(
self.user_p.has_perm('rsr.view_project', self.projects['X']))
self.assertFalse(
self.user_p.has_perm('rsr.view_project', self.projects['Y']))
self.assertFalse(
self.user_p.has_perm('rsr.view_project', self.projects['Z']))
self.assertFalse(self.user_p.has_perm('rsr.view_project', project))
def test_unrestrict_user_with_restricted_projects_from_other_org(self):
"""
User M User N User O User P
Admin Admin User |
\ \ / |
\ \ / |
Org A Org B Org C (content owned)
/ \ \ /̶ P |
/ \ \ /̶ P |
Project X Project Y Project Z |
| | |
+-----------+-------------+
Test that you can't unrestrict a user (set is_restricted to False) with restricted projects
that you don't control
"""
# When
Y, Z = self.projects['Y'], self.projects['Z']
org_content_owned = Organisation.objects.create(
name='C',
long_name='C',
can_create_projects=False,
enable_restrictions=True)
Partnership.objects.create(
organisation=org_content_owned,
project=Y,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
Partnership.objects.create(
organisation=org_content_owned,
project=Z,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
user_p = self.create_user('*****@*****.**')
Employment.objects.create(user=user_p,
organisation=org_content_owned,
group=self.users,
is_approved=True)
Employment.objects.get(user=self.user_n,
organisation=self.org_a).delete()
Partnership.objects.get(organisation=self.org_b, project=Y).delete()
restrict_projects(self.user_n, user_p, [Z])
self.c.login(username=self.user_m.username, password=self.password_m)
data = json.dumps({
'user_projects': {
'is_restricted': False,
'projects': [Y.pk]
},
})
response = self.c.patch('/rest/v1/user_projects_access/{}/'.format(
user_p.pk),
data=data,
content_type='application/json')
# Then
self.assertEqual(response.status_code, 400)
self.assertEqual(response.data['non_field_errors'][0],
u'This user may not be unrestricted at this time.')
def test_can_add_new_restrictions(self):
restrict_projects(self.user_n, self.user_o, [self.projects['Z']])
restrict_projects(self.user_n, self.user_o, [self.projects['Y']])
self.assertFalse(
self.user_o.has_perm('rsr.view_project', self.projects['Z']))
self.assertFalse(
self.user_o.has_perm('rsr.view_project', self.projects['Y']))
def test_user_may_be_unrestricted_only_by_eligible_admin(self):
"""
User M User N User O User P
Admin Admin User |
\ \ / |
\ \ / |
Org A Org B Org C (content owned)
/ \ \ /̶ P |
/ \ \ /̶ P |
Project X Project Y Project Z |
| |
+-------------------------+
Check the may_unrestrict field on the UserProjectsSerializer
"""
# When
Y, Z = self.projects['Y'], self.projects['Z']
org_content_owned = Organisation.objects.create(
name='C',
long_name='C',
can_create_projects=False,
enable_restrictions=True)
Partnership.objects.create(
organisation=org_content_owned,
project=Y,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
Partnership.objects.create(
organisation=org_content_owned,
project=Z,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
user_p = self.create_user('*****@*****.**')
Employment.objects.create(user=user_p,
organisation=org_content_owned,
group=self.users,
is_approved=True)
Employment.objects.get(user=self.user_n,
organisation=self.org_a).delete()
Partnership.objects.get(organisation=self.org_b, project=Y).delete()
restrict_projects(self.user_n, user_p, [Z])
self.c.login(username=self.user_m.username, password=self.password_m)
response_m = self.c.get('/rest/v1/user_projects_access/{}/'.format(
user_p.pk),
content_type='application/json')
self.c.login(username=self.user_n.username, password=self.password_n)
response_n = self.c.get('/rest/v1/user_projects_access/{}/'.format(
user_p.pk),
content_type='application/json')
# Then
may_unrestrict_m = response_m.data['user_projects']['may_unrestrict']
may_unrestrict_n = response_n.data['user_projects']['may_unrestrict']
self.assertFalse(may_unrestrict_m)
self.assertTrue(may_unrestrict_n)
def test_new_projects_are_not_accessible_to_restricted_users_if_enable_restrictions(
self):
restrict_projects(self.user_n, self.user_o, [self.projects['Z']])
project = Project.objects.create(title='W')
Project.new_project_created(project.id, self.user_n)
self.assertFalse(self.user_o.has_perm('rsr.view_project', project))
self.assertFalse(
self.user_o.has_perm('rsr.view_project', self.projects['Z']))
def test_admin_can_remove_restrictions(self):
user = self.create_user('*****@*****.**')
Employment.objects.create(user=user,
organisation=self.org_a,
group=self.users,
is_approved=True)
restrict_projects(self.user_m, user, [self.projects['X']])
unrestrict_projects(self.user_m, user, [self.projects['X']])
self.assertTrue(user.has_perm('rsr.view_project', self.projects['X']))
self.assertTrue(user.has_perm('rsr.view_project', self.projects['Y']))
def test_should_not_disable_restrictions_when_restricted_users(self):
# Given
self.assertTrue(self.org_b.enable_restrictions)
restrict_projects(self.user_n, self.user_o, [self.projects['Z']])
# When/Then
self.org_b.enable_restrictions = False
with self.assertRaises(CannotDisableRestrictions):
self.org_b.save()
# Then
org_b = Organisation.objects.get(pk=self.org_b.pk)
self.assertTrue(org_b.enable_restrictions)
def test_admin_cannot_remove_restrictions_from_non_manageable_user(self):
user = self.create_user('*****@*****.**')
Employment.objects.create(user=user,
organisation=self.org_b,
group=self.users,
is_approved=True)
restrict_projects(self.user_n, user, [self.projects['Y']])
with self.assertRaises(InvalidPermissionChange):
unrestrict_projects(self.user_m, user, [self.projects['Y']])
self.assertFalse(user.has_perm('rsr.view_project', self.projects['Y']))
self.assertTrue(user.has_perm('rsr.view_project', self.projects['Z']))
def test_admin_can_restrict_new_user(self):
user = self.create_user('*****@*****.**')
Employment.objects.create(user=user,
organisation=self.org_a,
group=self.users,
is_approved=True)
admin = self.user_m
project = self.projects['X']
restrict_projects(admin, user, [project])
self.assertFalse(user.has_perm('rsr.view_project', self.projects['X']))
self.assertTrue(user.has_perm('rsr.view_project', self.projects['Y']))
def update(self, user, validated_data):
""" Custom update method that adds and/or removes projects from the UserProjects.projects
list
"""
# Wrap in a transaction to make sure we don't "forget" the original list if there's a
# PermissionDenied error
with transaction.atomic():
user_projects_data = validated_data.get('user_projects', None)
if user_projects_data is not None:
admin = self.context['request'].user.user
# Check if we have a list of projects. These are all projects
# that the admin currently grants access to. The user may have access
# to other projects, which this admin cannot restrict/grant
# access to.
accessible_projects_by_admin = user_projects_data.get('projects', None)
accessible_projects_by_admin_pks = set(
p.pk for p in accessible_projects_by_admin or {}
)
# All projects currently accessible by the user
try:
projects = UserProjects.objects.get(user=user).projects.values_list('pk', flat=True)
except UserProjects.DoesNotExist:
projects = []
# All projects admin may grant/restrict access to
admin_associated_project_pks = admin.admin_projects().values_list('pk', flat=True)
# Currently accessible projects of the user, that admin may grant/restrict access to
currently_accessible_projects = set(projects) & set(admin_associated_project_pks)
# projects part of currently_accessible_projects but not part of
# accessible_projects_by_admin_pks should be restricted
restricted_projects = currently_accessible_projects - accessible_projects_by_admin_pks
user_projects = restrict_projects(
admin, user, Project.objects.filter(pk__in=restricted_projects)
)
# The projects where the admin has granted access by selecting
# previously unselected check boxes
unrestricted_projects = (
accessible_projects_by_admin_pks - set(
user_projects.projects.values_list('pk', flat=True)
)
)
user_projects = unrestrict_projects(
admin, user, Project.objects.filter(pk__in=unrestricted_projects)
)
# Finally set is_restricted
is_restricted = user_projects_data.get('is_restricted', None)
if is_restricted is not None:
user_projects.is_restricted = is_restricted
user_projects.save()
# For reasons I don't understand, on the original instance, user, the fields on
# UserProjects for the instance are not updated resulting in returning stale data if there
# have been changes. Fix by fetching a fresh instance of User.
return get_user_model().objects.get(pk=user.pk)
def test_access_for_restricted_user_of_new_project(self):
# When
self.c.login(username=self.user_n.username, password=self.password_n)
self.validation = ProjectEditorValidationSet.objects.create(
name='test')
restrict_projects(self.user_n, self.user_o, [self.projects['Y']])
response = self.c.post('/rest/v1/project/', {
'format': 'json',
'validations': [self.validation.pk]
})
# Then
project_id = response.data['id']
my_projects_list = self.user_o.my_projects().values_list('id',
flat=True)
self.assertTrue(project_id in my_projects_list)
def __init__(self, *args, **kwargs):
""" Delete the 'absolute_url' field added in BaseRSRSerializer.__init__().
It's neither correct nor do we want this data to be visible.
"""
super(UserProjectAccessSerializer, self).__init__(*args, **kwargs)
del self.fields['absolute_url']
user = self.instance
# for some reason the serializer is called three times when accessing the endpoint,
# therefore we check for the existence of a UserProjects object to not have to call
# restrict_projects more than once
try:
UserProjects.objects.get(user=user)
except UserProjects.DoesNotExist:
admin = self.context['request'].user
# Make sure we have a UserProjects object, but don't change an existing one
restrict_projects(admin, user, Project.objects.none())
def test_removing_one_role_of_partner_does_not_restore_access(self):
"""
User M User N User O
Admin Admin User
\ / \ /
\ / \ / Funding partner
Org A Org B-------+
/ \ / \ | (default partnership)
/ \ / \ |
Project X Project Y Project Z
"""
extra_partnership = Partnership.objects.create(
organisation=self.org_b,
project=self.projects['Z'],
iati_organisation_role=Partnership.IATI_FUNDING_PARTNER)
Z = self.projects['Z']
restrict_projects(self.user_n, self.user_o, [Z])
extra_partnership.delete()
self.assertFalse(self.user_o.has_perm('rsr.view_project', Z))
def test_user_can_be_restricted_by_multiple_admins(self):
Employment.objects.create(user=self.user_o,
organisation=self.org_a,
group=self.users,
is_approved=True)
X, Y, Z = (self.projects[name] for name in 'XYZ')
restrict_projects(self.user_m, self.user_o, [X])
restrict_projects(self.user_n, self.user_o, [Y])
restrict_projects(self.user_n, self.user_o, [Z])
self.assertFalse(self.user_o.has_perm('rsr.view_project', X))
self.assertFalse(self.user_o.has_perm('rsr.view_project', Y))
self.assertFalse(self.user_o.has_perm('rsr.view_project', Z))
def test_admin_can_restrict_user_with_restricted_projects_from_other_org(
self):
"""
User M User N User O User P
Admin Admin User |
\ \ / |
\ \ / |
Org A Org B Org C (content owned)
/ \ / \ /̶ P |
/ \ / \ /̶ P |
Project X Project Y Project W Project Z |
| | | |
+--------------+------------+-------------+
Test that you can restrict permissions for a user with restricted
projects that you don't control
"""
# Given
Y, Z = self.projects['Y'], self.projects['Z']
W = Project.objects.create(title='W')
Project.new_project_created(W.id, self.user_n)
org_content_owned = Organisation.objects.create(
name='C',
long_name='C',
can_create_projects=False,
enable_restrictions=True)
Partnership.objects.create(
organisation=org_content_owned,
project=Y,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
Partnership.objects.create(
organisation=org_content_owned,
project=Z,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
Partnership.objects.create(
organisation=org_content_owned,
project=W,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
user_p = self.create_user('*****@*****.**')
Employment.objects.create(user=user_p,
organisation=org_content_owned,
group=self.users,
is_approved=True)
Employment.objects.get(user=self.user_n,
organisation=self.org_a).delete()
Partnership.objects.get(organisation=self.org_b, project=Y).delete()
restrict_projects(self.user_n, user_p, [Z])
self.c.login(username=self.user_m.username, password=self.password_m)
data = json.dumps({
'user_projects': {
'is_restricted': True,
'projects': []
},
})
# When
response = self.c.patch('/rest/v1/user_projects_access/{}/'.format(
user_p.pk),
data=data,
content_type='application/json')
# Then
may_unrestrict_m = response.data['user_projects']['may_unrestrict']
self.assertFalse(may_unrestrict_m)
projects = response.data['user_projects']['projects']
self.assertEqual(projects, [W.id])
def test_new_projects_are_accessible_in_unrestricted_content_owner_orgs(
self):
"""
User M User N User O User P
Admin Admin User |
\ / \ / |
\ / \ / |
Org A Org B - -Project W- - Org C
/ \ / \ _____/ |
/ \ / \ / |
Project X Project Y Project Z |
| |
+-------------------------------------+
| |
Project U --------------------------------+
"""
# Given
self.org_b.enable_restrictions = False
self.org_b.save()
org_content_owned = Organisation.objects.create(
name='C',
long_name='C',
can_create_projects=False,
enable_restrictions=True)
Partnership.objects.create(
organisation=org_content_owned,
project=self.projects['X'],
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
Partnership.objects.create(
organisation=org_content_owned,
project=self.projects['Z'],
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
self.user_p = self.create_user('*****@*****.**')
Employment.objects.create(user=self.user_p,
organisation=org_content_owned,
group=self.users,
is_approved=True)
restrict_projects(self.user_m, self.user_p, [self.projects['X']])
# When
self.projects['W'] = project = Project.objects.create(title='W')
# FIXME: Ideally, this call should be automatic, but is manual now.
Project.new_project_created(project.id, self.user_n)
Partnership.objects.create(
organisation=org_content_owned,
project=project,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
self.projects['U'] = project = Project.objects.create(title='U')
# FIXME: Ideally, this call should be automatic, but is manual now.
Project.new_project_created(project.id, self.user_m)
Partnership.objects.create(
organisation=org_content_owned,
project=project,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
# Then
self.assertFalse(self.org_b.enable_restrictions)
self.assertTrue(self.org_a.enable_restrictions)
self.assertTrue(org_content_owned.enable_restrictions)
self.assertTrue(
self.user_p.has_perm('rsr.view_project', self.projects['Z']))
self.assertTrue(
self.user_p.has_perm('rsr.view_project', self.projects['W']))
self.assertFalse(
self.user_p.has_perm('rsr.view_project', self.projects['Y']))
self.assertFalse(
self.user_p.has_perm('rsr.view_project', self.projects['U']))
def test_endpoint_for_admin_n_user_o_with_extra_employment(self):
"""
Test where user o has an employment in C too
/̶ o and \̶ o = project with restricted access for user_o
User M User N User O
Admin Admin User
\ / \ / \
\ / \ / \
Org A Org B Org C
/ \ /̶ o \ /
/ \ /̶ o \ /
Project X Project Y Project Z
"""
# When
self.org_c = Organisation.objects.create(name='C',
long_name='C',
can_create_projects=True)
Partnership.objects.create(organisation=self.org_c,
project=self.projects['Z'])
Employment.objects.create(user=self.user_o,
organisation=self.org_c,
group=self.users,
is_approved=True)
restrict_projects(self.user_n, self.user_o, [self.projects['Y']])
self.c.login(username=self.user_n.username, password=self.password_n)
response = self.c.get(
'/rest/v1/user_projects_access/{}/'.format(self.user_o.pk),
{'format': 'json'})
self.assertEqual(response.status_code, 200)
content = json.loads(response.content)
# [
# {
# organisations: "A, B",
# projects: [
# {
# id: <self.projects['Y'].pk>,
# title: "Y",
# subtitle: "Y subtitle",
# access: False
# }
# ]
# },
# {
# organisations: "B, C",
# projects: [
# {
# id: <self.projects['Z'].pk>,
# title: "Z",
# subtitle: "Z subtitle",
# access: True
# }
# ]
# }
# ]
# Then
org_groups = sorted(content['organisation_groups'],
key=lambda x: x['organisations'])
self.assertEqual(len(org_groups), 2)
self.assertEqual(org_groups[0]['organisations'], "A, B")
self.assertEqual(len(org_groups[0]['projects']), 1)
self.assertEqual(org_groups[0]['projects'][0]['id'],
self.projects['Y'].pk)
self.assertFalse(org_groups[0]['projects'][0]['access'])
self.assertEqual(org_groups[1]['organisations'], "B, C")
self.assertEqual(len(org_groups[1]['projects']), 1)
self.assertEqual(org_groups[1]['projects'][0]['id'],
self.projects['Z'].pk)
self.assertTrue(org_groups[1]['projects'][0]['access'])
def test_endpoint_for_admin_n_user_o(self):
"""
Test where admin is employed by two organisations
/̶ o and \̶ o = project with restricted access for user_o
User M User N User O
Admin Admin User
\ / \ /
\ / \ /
Org A Org B
/ \ /̶ o \
/ \ /̶ o \
Project X Project Y Project Z
"""
# When
restrict_projects(self.user_n, self.user_o, [self.projects['Y']])
self.c.login(username=self.user_n.username, password=self.password_n)
response = self.c.get(
'/rest/v1/user_projects_access/{}/'.format(self.user_o.pk),
{'format': 'json'})
self.assertEqual(response.status_code, 200)
content = json.loads(response.content)
# [
# {
# organisations: "A, B",
# projects: [
# {
# id: <self.projects['Y'].pk>,
# title: "Y",
# subtitle: "Y subtitle",
# access: False
# }
# ]
# },
# {
# organisations: "B",
# projects: [
# {
# id: <self.projects['Z'].pk>,
# title: "Z",
# subtitle: "Z subtitle",
# access: True
# }
# ]
# }
# ]
org_groups = sorted(content['organisation_groups'],
key=lambda x: x['organisations'])
# Then
self.assertEqual(len(org_groups), 2)
self.assertEqual(org_groups[0]['organisations'], "A, B")
self.assertEqual(len(org_groups[0]['projects']), 1)
self.assertEqual(org_groups[0]['projects'][0]['id'],
self.projects['Y'].pk)
self.assertFalse(org_groups[0]['projects'][0]['access'])
self.assertEqual(org_groups[1]['organisations'], "B")
self.assertEqual(len(org_groups[1]['projects']), 1)
self.assertEqual(org_groups[1]['projects'][0]['id'],
self.projects['Z'].pk)
self.assertTrue(org_groups[1]['projects'][0]['access'])
