Ejemplo n.º 1
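 def test_manageable_objects_orgs_is_admin_can_manage_all(self):
     # Given self.user1 (the is_admin user, going by the test name)
     # When a second organisation exists; the expected count of 2 implies
     # one organisation is already present before this test body runs
     Organisation.objects.create(name='Other org', long_name='Other org')

     # Then the is_admin user can manage every organisation
     manageables = manageable_objects(self.user1)
     managed_orgs = manageables['organisations']
     self.assertEqual(len(managed_orgs), 2)

     # NOTE(review): membership in the unfiltered queryset holds for any
     # saved row, so the count above is what actually pins "all".
     # assertIn reports the offending object on failure, unlike
     # assertTrue(x in y), which only reports "False is not true".
     every_org = Organisation.objects.all()
     for org in managed_orgs:
         self.assertIn(org, every_org)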
Ejemplo n.º 2
 def test_manageable_objects_orgs_org_admin_can_manage_own(self):
     # Given user3 holds an approved employment in self.org through the
     # admin group
     admin_employment = {
         'user': self.user3,
         'organisation': self.org,
         'group': self.admin_group,
         'is_approved': True,
     }
     Employment.objects.create(**admin_employment)

     # When an organisation that user3 has no employment in also exists
     Organisation.objects.create(name='Other org', long_name='Other org')

     # Then exactly one organisation is manageable and it is 'akvo'
     # (presumably self.org as created in setUp -- confirm). Together the
     # two assertions rule out access to the other organisation.
     managed_orgs = manageable_objects(self.user3)['organisations']
     self.assertEqual(len(managed_orgs), 1)
     only_org = managed_orgs[0]
     expected_org = Organisation.objects.get(name='akvo')
     self.assertEqual(only_org, expected_org)
Ejemplo n.º 3
 def get_queryset(self):
     """Return only the users that the requesting user is allowed to manage.

     The parent queryset is narrowed to the ids produced by
     ``manageable_objects(request.user)['employments'].users()``. A user
     outside that set is simply absent from the result, so a lookup for it
     ends in a 404 rather than a 403. A 403 might be the more precise
     answer, but the 404 has the same protective effect (objects you may not
     manage cannot be changed) and looks the same as a lookup for an id that
     does not exist.

     NOTE(review): this scoping only applies to code paths that fetch
     through ``get_queryset``; anything on the viewset that queries the model
     directly would not be covered -- confirm none does.
     NOTE(review): assumes the permission classes reject anonymous requests
     before ``manageable_objects`` sees ``request.user`` -- confirm.
     """
     scoped = super(UserProjectsAccessViewSet, self).get_queryset()
     # users() is presumably a custom queryset method yielding user ids or
     # user rows usable in an ``id__in`` lookup -- verify against its definition.
     allowed_users = manageable_objects(self.request.user)['employments'].users()
     scoped = scoped.filter(id__in=allowed_users)
     scoped = scoped.select_related('user_projects')
     return scoped.prefetch_related('user_projects__projects')
Ejemplo n.º 4
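    def test_manageable_objects_employments_is_admin_can_manage_all(self):
        # Given a user that is_admin
        # When employments for two different organisations exist
        other_org = Organisation.objects.create(name='Other org', long_name='Other org')
        Employment.objects.create(user=self.user1, organisation=self.org, group=self.admin_group)
        Employment.objects.create(user=self.user2, organisation=self.org, group=self.user_group)
        Employment.objects.create(user=self.user3, organisation=other_org, group=self.user_group)

        # Then the is_admin user can manage all employments, including the
        # one that belongs to other_org
        manageables = manageable_objects(self.user1)
        managed = manageables['employments']
        self.assertEqual(len(managed), 3)

        # NOTE(review): membership in Employment.objects.all() holds for any
        # saved row, so the count above is what actually pins "all".
        # assertIn names the offending object when it fails, which
        # assertTrue(x in y) does not.
        every_employment = Employment.objects.all()
        for employment in managed:
            self.assertIn(employment, every_employment)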
Ejemplo n.º 5
 def get_queryset(self):
     """Limit the queryset to users the current user may manage.

     Users that are not manageable are filtered out of the parent queryset,
     so requesting one of them produces a 404 instead of a 403. Returning a
     403 could be a cleaner design, but the filter already achieves the
     goal: objects the caller has no access to cannot be changed. The 404
     is also indistinguishable from the response for an unknown id.

     NOTE(review): the restriction lives entirely in this method, so it
     only holds for handlers that obtain objects via ``get_queryset`` --
     confirm no handler on this viewset bypasses it.
     NOTE(review): behaviour for an unauthenticated ``request.user`` is not
     visible here; presumably a permission class handles that -- confirm.
     """
     parent_queryset = super(UserProjectsAccessViewSet, self).get_queryset()
     employments = manageable_objects(self.request.user)['employments']
     # users() is not defined in this block; it is used as the value of an
     # ``id__in`` lookup, so it presumably yields user ids or user rows.
     visible_users = parent_queryset.filter(id__in=employments.users())
     with_related = visible_users.select_related('user_projects')
     return with_related.prefetch_related('user_projects__projects')
Ejemplo n.º 6
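    def test_manageable_objects_employments_org_admin_can_manage_own(self):
        # Given a user that is "org admin", i.e. part of the 'Admins' group
        Employment.objects.create(user=self.user3, organisation=self.org, group=self.admin_group, is_approved=True)

        # When employments for two different organisations exist
        # NOTE(review): the three addresses are identical masks in this
        # listing; presumably the real test uses three distinct addresses.
        user4 = self._create_user('*****@*****.**', self.password)
        user5 = self._create_user('*****@*****.**', self.password)
        user6 = self._create_user('*****@*****.**', self.password)
        other_org = Organisation.objects.create(name='Other org', long_name='Other org')
        Employment.objects.create(user=user4, organisation=self.org, group=self.user_group, is_approved=True)
        # user5's employment is created without is_approved, yet the expected
        # count of 3 appears to include it (user3, user4, user5) -- confirm
        # that approval is not meant to gate manageability.
        Employment.objects.create(user=user5, organisation=self.org, group=self.user_group)
        foreign_employment = Employment.objects.create(
            user=user6, organisation=other_org, group=self.user_group)

        # Then the "Admins" user can only manage employments of the same organisation
        manageables = manageable_objects(self.user3)
        managed = manageables['employments']
        self.assertEqual(len(managed), 3)
        own_org_employments = Employment.objects.filter(organisation=self.org)
        for employment in managed:
            # assertIn names the offending employment on failure
            self.assertIn(employment, own_org_employments)

        # State the isolation boundary directly instead of leaving it implied
        # by the count: the other organisation's employment is out of reach.
        self.assertNotIn(foreign_employment, managed)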
Ejemplo n.º 7
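    def test_manageable_objects_employments_org_admin_can_manage_own(self):
        # Given a user that is "org admin", i.e. part of the 'Admins' group
        Employment.objects.create(user=self.user3,
                                  organisation=self.org,
                                  group=self.admin_group,
                                  is_approved=True)

        # When employments for two different organisations exist
        # NOTE(review): all three addresses are the same mask in this
        # listing; presumably the real test uses distinct addresses.
        user4 = self._create_user('*****@*****.**', self.password)
        user5 = self._create_user('*****@*****.**', self.password)
        user6 = self._create_user('*****@*****.**', self.password)
        other_org = Organisation.objects.create(name='Other org',
                                                long_name='Other org')
        Employment.objects.create(user=user4,
                                  organisation=self.org,
                                  group=self.user_group,
                                  is_approved=True)
        # No is_approved here, but the expected count of 3 appears to
        # include this row -- confirm approval should not gate access.
        Employment.objects.create(user=user5,
                                  organisation=self.org,
                                  group=self.user_group)
        outside_employment = Employment.objects.create(
            user=user6,
            organisation=other_org,
            group=self.user_group)

        # Then the "Admins" user can only manage employments of the same organisation
        manageables = manageable_objects(self.user3)
        managed = manageables['employments']
        self.assertEqual(len(managed), 3)
        same_org = Employment.objects.filter(organisation=self.org)
        for employment in managed:
            # assertIn reports which employment leaked, should one ever do so
            self.assertIn(employment, same_org)

        # Explicit negative check on the cross-organisation boundary; the
        # assertions above only imply it.
        self.assertNotIn(outside_employment, managed)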
Ejemplo n.º 8
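    def test_manageable_objects_employments_is_admin_can_manage_all(self):
        # Given a user that is_admin
        # When employments for two different organisations exist
        other_org = Organisation.objects.create(name='Other org',
                                                long_name='Other org')
        Employment.objects.create(user=self.user1,
                                  organisation=self.org,
                                  group=self.admin_group)
        Employment.objects.create(user=self.user2,
                                  organisation=self.org,
                                  group=self.user_group)
        Employment.objects.create(user=self.user3,
                                  organisation=other_org,
                                  group=self.user_group)

        # Then the is_admin user can manage all employments
        manageables = manageable_objects(self.user1)
        managed = manageables['employments']
        self.assertEqual(len(managed), 3)

        # NOTE(review): any saved Employment is in Employment.objects.all(),
        # so it is the count above that establishes "all". assertIn is used
        # because it prints the offending object on failure.
        all_employments = Employment.objects.all()
        for employment in managed:
            self.assertIn(employment, all_employments)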
Ejemplo n.º 9
 def test_manageable_objects_orgs_org_admin_can_manage_own(self):
     # Given an approved admin-group employment for user3 in self.org
     Employment.objects.create(
         user=self.user3,
         organisation=self.org,
         group=self.admin_group,
         is_approved=True,
     )

     # When a second organisation exists that user3 is not employed by
     Organisation.objects.create(name='Other org', long_name='Other org')

     # Then user3 manages a single organisation, and it is the one named
     # 'akvo' (presumably self.org -- verify against setUp). The length
     # check is what excludes 'Other org' from the result.
     manageables = manageable_objects(self.user3)
     organisations = manageables['organisations']
     self.assertEqual(len(organisations), 1)
     managed_org = organisations[0]
     self.assertEqual(managed_org, Organisation.objects.get(name='akvo'))
Ejemplo n.º 10
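 def test_manageable_objects_orgs_is_admin_can_manage_all(self):
     # Given self.user1, which the test name identifies as is_admin
     # When one more organisation is added to whatever already exists
     Organisation.objects.create(name='Other org', long_name='Other org')

     # Then both organisations are manageable
     manageables = manageable_objects(self.user1)
     organisations = manageables['organisations']
     self.assertEqual(len(organisations), 2)

     # NOTE(review): the membership checks below are weak on their own,
     # since every saved Organisation is in Organisation.objects.all();
     # the count assertion carries the "can manage all" claim.
     # assertIn replaces assertTrue(x in y) for a readable failure message.
     known_orgs = Organisation.objects.all()
     for organisation in organisations:
         self.assertIn(organisation, known_orgs)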