class Meta(CustomResourceMeta):
authentication = RequirePermissionAuthentication(
Permissions.edit_commcare_users)
object_class = Group
list_allowed_methods = ['get']
detail_allowed_methods = ['get']
resource_name = 'group'
class Meta(CustomResourceMeta):
resource_name = 'ucr_data_source'
list_allowed_methods = ['get']
detail_allowed_methods = ['get', 'put']
always_return_data = True
paginator_class = DoesNothingPaginator
authentication = RequirePermissionAuthentication(Permissions.edit_ucrs)
class Meta(object):
resource_name = 'location'
detail_uri_name = 'location_id'
queryset = SQLLocation.objects.filter(is_archived=False).all()
authentication = RequirePermissionAuthentication(
Permissions.edit_locations)
allowed_methods = ['get']
fields = [
'id',
'name',
'domain',
'location_id',
'site_code',
'external_id',
'created_at',
'last_modified',
'latitude',
'longitude',
]
filtering = {
'domain': ['exact'],
'site_code': ['exact'],
'external_id': ['exact'],
'created_at': ALL,
'last_modified': ALL,
'latitude': ALL,
'longitude': ALL,
}
class Meta(object):
resource_name = 'domain_usernames'
authentication = RequirePermissionAuthentication(
Permissions.view_commcare_users)
object_class = User
include_resource_uri = False
allowed_methods = ['get']
class Meta(CustomResourceMeta):
authentication = RequirePermissionAuthentication(Permissions.edit_data)
object_class = ESXFormInstance
list_allowed_methods = ['get']
detail_allowed_methods = ['get']
resource_name = 'form'
ordering = ['received_on']
serializer = XFormInstanceSerializer(formats=['json'])
class Meta(object):
resource_name = 'domain_cases'
authentication = RequirePermissionAuthentication(Permissions.access_api)
object_class = CaseType
include_resource_uri = False
allowed_methods = ['get']
limit = 100
max_limit = 1000
class Meta:
queryset = StockTransaction.objects.all()
list_allowed_methods = ['get']
detail_allowed_methods = ['get']
resource_name = 'stock_transaction'
authentication = RequirePermissionAuthentication(Permissions.view_reports)
paginator_class = NoCountingPaginator
authorization = DomainAuthorization(domain_key='report__domain')
filtering = {
"case_id": ('exact',),
"section_id": ('exact'),
}
fields = ['case_id', 'product_id', 'type', 'section_id', 'quantity', 'stock_on_hand']
include_resource_uri = False
class Meta(object):
resource_name = 'location_type'
queryset = LocationType.objects.all()
authentication = RequirePermissionAuthentication(
Permissions.edit_locations)
fields = [
'id',
'domain',
'name',
'code',
'parent_type',
'administrative',
'shares_cases',
'view_descendants',
]
filtering = {
"domain": ('exact', ),
}
class Meta(object):
queryset = DeviceReportEntry.objects.all()
list_allowed_methods = ['get']
detail_allowed_methods = ['get']
resource_name = 'device-log'
authentication = RequirePermissionAuthentication(Permissions.edit_data)
authorization = DomainAuthorization()
paginator_class = NoCountingPaginator
filtering = {
# this is needed for the domain filtering but any values passed in via the URL get overridden
"domain": ('exact', ),
"date": ('exact', 'gt', 'gte', 'lt', 'lte', 'range'),
"user_id": ('exact', ),
"username": ('exact', ),
"type": ('exact', ),
"xform_id": ('exact', ),
"device_id": ('exact', ),
}
class Meta(object):
queryset = MessagingEvent.objects.all()
list_allowed_methods = ['get']
detail_allowed_methods = ['get']
resource_name = 'messaging-event'
authentication = RequirePermissionAuthentication(Permissions.edit_data)
authorization = DomainAuthorization()
paginator_class = NoCountingPaginator
filtering = {
# this is needed for the domain filtering but any values passed in via the URL get overridden
"domain": ('exact', ),
"date": ('exact', 'gt', 'gte', 'lt', 'lte', 'range'),
"source": ('exact', ),
"content_type": ('exact', ),
"status": ('exact', ),
}
ordering = [
'date',
]
class Meta(object):
authentication = RequirePermissionAuthentication(Permissions.edit_data)
resource_name = 'sms_user_registration_reinstall'
allowed_methods = ['post']
validation = UserSelfRegistrationReinstallValidation()
class Meta(CustomResourceMeta):
authentication = RequirePermissionAuthentication(Permissions.edit_apps)
object_class = Application
list_allowed_methods = ['get']
detail_allowed_methods = ['get']
resource_name = 'application'
class Meta(CustomResourceMeta):
authentication = RequirePermissionAuthentication(
Permissions.edit_apps, allow_session_auth=True)
object_class = FixtureDataItem
resource_name = 'fixture_internal'
limit = 0
class Meta(CustomResourceMeta):
authentication = RequirePermissionAuthentication(Permissions.edit_data)
object_class = CommCareCase
resource_name = 'case'
list_allowed_methods = ['get']
detail_allowed_methods = ['get']
class Meta(UserResource.Meta):
authentication = RequirePermissionAuthentication(
Permissions.edit_commcare_users)
object_class = CommCareUser
resource_name = 'user'
class Meta(UserResource.Meta):
authentication = RequirePermissionAuthentication(
Permissions.edit_web_users)
object_class = WebUser
resource_name = 'web-user'
class RequirePermissionAuthenticationTest(AuthenticationTestBase):
require_edit_data = RequirePermissionAuthentication(Permissions.edit_data)
@classmethod
def setUpClass(cls):
super().setUpClass()
cls.role_with_permission = UserRole.create(
cls.domain, 'edit-data', permissions=Permissions(edit_data=True))
cls.role_without_permission = UserRole.create(
cls.domain,
'no-edit-data',
permissions=Permissions(edit_data=False))
cls.role_with_permission_but_no_api_access = UserRole.create(
cls.domain,
'no-api-access',
permissions=Permissions(edit_data=True, access_api=False))
cls.domain_admin = WebUser.create(cls.domain,
'domain_admin',
cls.password,
None,
None,
is_admin=True)
cls.user_with_permission = WebUser.create(
cls.domain,
'permission',
cls.password,
None,
None,
role_id=cls.role_with_permission.get_id)
cls.user_without_permission = WebUser.create(
cls.domain,
'no-permission',
cls.password,
None,
None,
role_id=cls.role_without_permission.get_id)
cls.user_with_permission_but_no_api_access = WebUser.create(
cls.domain,
'no-api-access',
cls.password,
None,
None,
role_id=cls.role_with_permission_but_no_api_access.get_id,
)
def test_login_no_auth_no_domain(self):
self.assertAuthenticationFail(self.require_edit_data,
self._get_request())
def test_login_no_auth_with_domain(self):
self.assertAuthenticationFail(self.require_edit_data,
self._get_request(domain=self.domain))
def test_login_with_wrong_domain(self):
project = Domain.get_or_create_with_name('api-test-fail',
is_active=True)
self.addCleanup(project.delete)
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request_with_api_key(domain=project.name))
def test_login_with_domain_no_permissions(self):
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request_with_api_key(domain=self.domain))
def test_login_with_domain_admin_default(self):
api_key_with_default_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.domain_admin),
name='default',
)
self.assertAuthenticationSuccess(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.domain_admin.username,
api_key_with_default_permissions)))
def test_domain_admin_with_explicit_roles(self):
api_key_with_explicit_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.domain_admin),
name='explicit_with_permission',
role_id=self.role_with_permission.get_id,
)
api_key_without_explicit_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.domain_admin),
name='explicit_without_permission',
role_id=self.role_without_permission.get_id,
)
self.assertAuthenticationSuccess(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.domain_admin.username,
api_key_with_explicit_permissions)))
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.domain_admin.username,
api_key_without_explicit_permissions)))
def test_login_with_explicit_permission_default(self):
api_key_with_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.user_with_permission))
self.assertAuthenticationSuccess(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.user_with_permission.username,
api_key_with_permissions)))
def test_login_with_explicit_permission_and_roles(self):
api_key_with_explicit_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.user_with_permission),
name='explicit_with_permission',
role_id=self.role_with_permission.get_id,
)
api_key_without_explicit_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.user_with_permission),
name='explicit_without_permission',
role_id=self.role_without_permission.get_id,
)
self.assertAuthenticationSuccess(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.user_with_permission.username,
api_key_with_explicit_permissions)))
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.user_with_permission.username,
api_key_without_explicit_permissions)))
def test_login_with_no_api_access_default(self):
api_key_with_no_access, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(
self.user_with_permission_but_no_api_access))
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.user_with_permission_but_no_api_access.username,
api_key_with_no_access,
)))
def test_login_with_wrong_permission(self):
api_key_without_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.user_without_permission))
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.user_without_permission.username,
api_key_without_permissions)))
def test_login_with_wrong_permission_explicit_roles(self):
api_key_with_explicit_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.user_without_permission),
name='explicit_with_permission',
role_id=self.role_with_permission.get_id,
)
api_key_without_explicit_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.user_without_permission),
name='explicit_without_permission',
role_id=self.role_without_permission.get_id,
)
# both of these should fail since the user shouldn't be allowed API access
# to a role they don't have
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.user_without_permission.username,
api_key_with_explicit_permissions)))
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.user_without_permission.username,
api_key_without_explicit_permissions)))
def test_explicit_role_wrong_domain(self):
project = Domain.get_or_create_with_name('api-test-fail-2',
is_active=True)
self.addCleanup(project.delete)
user = WebUser.create(self.domain,
'multi_domain_admin',
'***',
None,
None,
is_admin=True)
user.add_domain_membership(project.name, is_admin=True)
user.save()
self.addCleanup(user.delete, self.domain, deleted_by=None)
unscoped_api_key, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(user),
name='unscoped',
)
# this key should only be able to access default project, not new one
scoped_api_key, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(user),
name='explicit_with_permission_wrong_domain',
role_id=self.role_with_permission.get_id,
)
unscoped_auth_header = self._construct_api_auth_header(
user.username, unscoped_api_key)
scoped_auth_header = self._construct_api_auth_header(
user.username, scoped_api_key)
for domain in [self.domain, project.name]:
self.assertAuthenticationSuccess(
self.require_edit_data,
self._get_request(domain=domain,
HTTP_AUTHORIZATION=unscoped_auth_header))
self.assertAuthenticationSuccess(
self.require_edit_data,
self._get_request(domain=self.domain,
HTTP_AUTHORIZATION=scoped_auth_header))
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request(domain=project.name,
HTTP_AUTHORIZATION=scoped_auth_header))
def test_auth_type_basic(self):
self.assertAuthenticationSuccess(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_basic_auth_header(
self.domain_admin.username, self.password)))
class Meta(CustomResourceMeta):
authentication = RequirePermissionAuthentication(
Permissions.view_reports, allow_session_auth=True)
list_allowed_methods = []
detail_allowed_methods = ["get"]
class Meta(CustomResourceMeta):
authentication = RequirePermissionAuthentication(Permissions.edit_apps)
object_class = FixtureDataItem
resource_name = 'fixture'
limit = 0
