def test_need_all_orgs_to_admin_user(user):
    '''
    Old behavior - org admin to ANY organization that a user is member of
        grants permission to admin that user
    New behavior enforced here - org admin to ALL organizations that a
        user is member of grants permission to admin that user
    '''
    org1 = Organization.objects.create(name='org1')
    org2 = Organization.objects.create(name='org2')

    org1_admin = user('org1-admin')
    org1.admin_role.members.add(org1_admin)

    org12_member = user('org12-member')
    org1.member_role.members.add(org12_member)
    org2.member_role.members.add(org12_member)

    user_access = UserAccess(org1_admin)
    assert not user_access.can_change(org12_member, {'last_name': 'Witzel'})

    role_access = RoleAccess(org1_admin)
    assert not role_access.can_attach(org1.admin_role, org12_member, 'members',
                                      None)
    assert not role_access.can_attach(org1.member_role, org12_member,
                                      'members', None)

    org2.admin_role.members.add(org1_admin)
    assert role_access.can_attach(org1.admin_role, org12_member, 'members',
                                  None)
    assert role_access.can_attach(org1.member_role, org12_member, 'members',
                                  None)
def test_org_object_role_not_sufficient(user, organization):
    member = user('amember')
    obj_admin = user('icontrolallworkflows')

    organization.member_role.members.add(member)
    organization.workflow_admin_role.members.add(obj_admin)

    user_access = UserAccess(obj_admin)
    assert not user_access.can_change(member, {'last_name': 'Witzel'})
Ejemplo n.º 3
0
def test_orphaned_user_allowed(org_admin, rando, organization):
    '''
    We still allow adoption of orphaned* users by assigning them to
    organization member role, but only in the situation where the
    org admin already posesses indirect access to all of the user's roles
    *orphaned means user is not a member of any organization
    '''
    role_access = RoleAccess(org_admin)
    assert role_access.can_attach(organization.member_role, rando, 'members', None)
    # Cannot edit the user directly without adding to org first
    user_access = UserAccess(org_admin)
    assert not user_access.can_change(rando, {'last_name': 'Witzel'})
Ejemplo n.º 4
0
def test_org_superuser_role_attach(admin_user, org_admin, organization):
    '''
    Ideally, you would not add superusers to roles (particularly member_role)
    but it has historically been possible
    this checks that the situation does not grant unexpected permissions
    '''
    organization.member_role.members.add(admin_user)

    role_access = RoleAccess(org_admin)
    assert not role_access.can_attach(organization.member_role, admin_user, 'members', None)
    assert not role_access.can_attach(organization.admin_role, admin_user, 'members', None)
    user_access = UserAccess(org_admin)
    assert not user_access.can_change(admin_user, {'last_name': 'Witzel'})
Ejemplo n.º 5
0
def test_orphaned_user_allowed(org_admin, rando, organization, org_credential):
    '''
    We still allow adoption of orphaned* users by assigning them to
    organization member role, but only in the situation where the
    org admin already posesses indirect access to all of the user's roles
    *orphaned means user is not a member of any organization
    '''
    # give a descendent role to rando, to trigger the conditional
    # where all ancestor roles of rando should be in the set of
    # org_admin roles.
    org_credential.admin_role.members.add(rando)
    role_access = RoleAccess(org_admin)
    org_access = OrganizationAccess(org_admin)
    assert role_access.can_attach(organization.member_role, rando, 'members',
                                  None)
    assert org_access.can_attach(organization, rando, 'member_role.members',
                                 None)
    # Cannot edit the user directly without adding to org first
    user_access = UserAccess(org_admin)
    assert not user_access.can_change(rando, {'last_name': 'Witzel'})
Ejemplo n.º 6
0
def test_system_auditor_can_modify_self(system_auditor):
    access = UserAccess(system_auditor)
    assert access.can_change(obj=system_auditor,
                             data=dict(is_system_auditor='true'))
Ejemplo n.º 7
0
def test_org_admin_edit_sys_auditor(org_admin, alice, organization):
    organization.member_role.members.add(alice)
    access = UserAccess(org_admin)
    assert not access.can_change(obj=alice,
                                 data=dict(is_system_auditor='true'))