def test_deid_permission(self):
self.assertFalse(user_can_view_deid_exports(self.domain, self.web_user))
self.permissions = Permissions(view_report_list=[DEID_EXPORT_PERMISSION])
self.assertTrue(
self.permissions.has(get_permission_name(Permissions.view_report),
data=DEID_EXPORT_PERMISSION))
self.assertTrue(
self.web_user.has_permission(
self.domain, get_permission_name(Permissions.view_report),
data=DEID_EXPORT_PERMISSION)
)
self.assertTrue(user_can_view_deid_exports(self.domain, self.web_user))
def test_deid_permission(self):
self.assertFalse(user_can_view_deid_exports(self.domain, self.web_user))
self.permissions = Permissions(view_report_list=[DEID_EXPORT_PERMISSION])
self.assertTrue(
self.permissions.has(get_permission_name(Permissions.view_report),
data=DEID_EXPORT_PERMISSION))
self.assertTrue(
self.web_user.has_permission(
self.domain, get_permission_name(Permissions.view_report),
data=DEID_EXPORT_PERMISSION)
)
self.assertTrue(user_can_view_deid_exports(self.domain, self.web_user))
def has_permission_to_view_report(couch_user, domain, report_to_check):
from corehq.apps.users.decorators import get_permission_name
from corehq.apps.users.models import Permissions
return couch_user.has_permission(domain,
get_permission_name(
Permissions.view_report),
data=report_to_check)
def user_can_view_deid_exports(domain, couch_user):
return (domain_has_privilege(domain, privileges.DEIDENTIFIED_DATA)
and couch_user.has_permission(
domain,
get_permission_name(Permissions.view_report),
data=DEID_EXPORT_PERMISSION
))
def main_context(self):
main_context = super(BillingModalsMixin, self).main_context
if self.request.couch_user and self.request.couch_user.has_permission(
self.domain, get_permission_name(Permissions.edit_billing)):
main_context.update(self._downgrade_modal_context)
main_context.update(self._low_credits_context)
return main_context
def has_view_permissions(self):
if self.form_or_case == "form":
report_to_check = FORM_EXPORT_PERMISSION
elif self.form_or_case == "case":
report_to_check = CASE_EXPORT_PERMISSION
return self.request.couch_user.can_view_reports() or self.request.couch_user.has_permission(
self.domain, get_permission_name(Permissions.view_report), data=report_to_check
)
def main_context(self):
main_context = super(BillingModalsMixin, self).main_context
if self.request.couch_user and self.request.couch_user.has_permission(
self.domain,
get_permission_name(Permissions.edit_billing)
):
main_context.update(self._downgrade_modal_context)
main_context.update(self._low_credits_context)
return main_context
def _should_display_billing_modals(self):
return (
self.request.couch_user
and not self.request.couch_user.is_superuser
and self.request.couch_user.has_permission(
self.domain,
get_permission_name(Permissions.edit_billing)
)
)
def _can_manage_releases_for_all_apps(couch_user, domain):
from corehq.apps.users.decorators import get_permission_name
from corehq.apps.users.models import Permissions
restricted_app_release = toggles.RESTRICT_APP_RELEASE.enabled(domain)
if not restricted_app_release:
return True
return couch_user.has_permission(domain,
get_permission_name(
Permissions.manage_releases),
restrict_global_admin=True)
def has_permission_to_view_report(couch_user, domain, report_to_check):
from corehq.apps.users.decorators import get_permission_name
from corehq.apps.users.models import Permissions
return (
couch_user.can_view_reports(domain) or
couch_user.has_permission(
domain,
get_permission_name(Permissions.view_report),
data=report_to_check
)
)
def can_manage_releases(couch_user, domain, app_id):
from corehq.apps.users.decorators import get_permission_name
from corehq.apps.users.models import Permissions
restricted_app_release = toggles.RESTRICT_APP_RELEASE.enabled(domain)
if not restricted_app_release:
return True
role = couch_user.get_role(domain)
return (couch_user.has_permission(domain,
get_permission_name(
Permissions.manage_releases),
restrict_global_admin=True)
or app_id in role.permissions.manage_releases_list)
def can_manage_releases(couch_user, domain, app_id):
from corehq.apps.users.decorators import get_permission_name
from corehq.apps.users.models import Permissions
restricted_app_release = toggles.RESTRICT_APP_RELEASE.enabled(domain)
if not restricted_app_release:
return True
role = couch_user.get_role(domain)
return (
couch_user.has_permission(
domain, get_permission_name(Permissions.manage_releases),
restrict_global_admin=True
) or
app_id in role.permissions.manage_releases_list)
def get_users_without_permission(self, start_date, end_date):
usernames = self.get_usernames(start_date, end_date)
print(f'Filter {len(usernames)} users according to permission')
permission_name = get_permission_name(Permissions.view_report)
users_without_permission = []
for chunk in with_progress_bar(chunked(usernames, 100),
prefix='\tProcessing'):
users = [
CouchUser.wrap_correctly(doc)
for doc in get_user_docs_by_username(chunk)
]
for user in users:
if not user.has_permission(
DASHBOARD_DOMAIN, permission_name, data=PERMISSION):
users_without_permission.append(user.username)
return users_without_permission
def login_as_user_query(domain,
couch_user,
search_string,
limit,
offset,
user_data_fields=None):
'''
Takes in various parameters to determine which users to populate the login as screen.
:param domain: String domain
:param couch_user: The CouchUser that is using the Login As feature
:param search_string: The query that filters the users returned. Filters based on the
`search_fields` as well as any fields defined in `user_data_fields`.
:param limit: The max amount of users returned.
:param offset: From where to start the query.
:param user_data_fields: A list of custom user data fields that should also be searched
by the `search_string`
:returns: An EsQuery instance.
'''
search_fields = [
"base_username", "last_name", "first_name", "phone_numbers"
]
should_criteria_query = [
queries.search_string_query(search_string, search_fields),
]
if user_data_fields:
or_criteria = []
for field in user_data_fields:
or_criteria.append(
filters.AND(
filters.term('user_data_es.key', field),
filters.term('user_data_es.value', search_string),
), )
should_criteria_query.append(
queries.nested_filter('user_data_es', filters.OR(*or_criteria)))
user_es = (
UserES().domain(domain).start(offset).size(limit).
sort('username.exact').set_query(
queries.BOOL_CLAUSE(
queries.SHOULD_CLAUSE(
should_criteria_query,
# It should either match on the search fields like username or it
# should match on the custom user data fields. If this were 2, then
# it would require the search string to match both on the search fields and
# the custom user data fields.
minimum_should_match=1,
), )))
if not couch_user.has_permission(domain, 'access_all_locations'):
loc_ids = SQLLocation.objects.accessible_to_user(
domain, couch_user).location_ids()
user_es = user_es.location(list(loc_ids))
if not couch_user.has_permission(
domain, get_permission_name(Permissions.login_as_all_users)):
user_es = user_es.filter(
filters.nested(
'user_data_es',
filters.AND(
filters.term('user_data_es.key', 'login_as_user'),
filters.term('user_data_es.value', couch_user.username),
)))
return user_es.mobile_users()
def _limit_login_as(couch_user, domain):
return (couch_user.has_permission(
domain, get_permission_name(Permissions.limited_login_as))
and not couch_user.has_permission(
domain, get_permission_name(Permissions.edit_commcare_users)))
def user_can_view_odata_feed(domain, couch_user):
domain_can_view_odata = domain_has_privilege(domain, privileges.ODATA_FEED)
return (domain_can_view_odata and couch_user.has_permission(
domain,
get_permission_name(Permissions.view_report),
data=ODATA_FEED_PERMISSION))
