def test_delete_draft_registration(self):
assert_equal(1, DraftRegistration.find().count())
url = self.node.api_url_for('delete_draft_registration', draft_id=self.draft._id)
res = self.app.delete(url, auth=self.user.auth)
assert_equal(res.status_code, http.NO_CONTENT)
assert_equal(0, DraftRegistration.find().count())
def test_delete_draft_registration_non_admin(self):
assert_equal(1, DraftRegistration.find().count())
url = self.node.api_url_for('delete_draft_registration', draft_id=self.draft._id)
res = self.app.delete(url, auth=self.non_admin.auth, expect_errors=True)
assert_equal(res.status_code, http.FORBIDDEN)
assert_equal(1, DraftRegistration.find().count())
def test_delete_draft_registration(self):
assert_equal(1, DraftRegistration.find().count())
url = self.node.api_url_for('delete_draft_registration',
draft_id=self.draft._id)
res = self.app.delete(url, auth=self.user.auth)
assert_equal(res.status_code, http.NO_CONTENT)
assert_equal(0, DraftRegistration.find().count())
def test_only_admin_can_delete_registration(self):
non_admin = AuthUserFactory()
assert_equal(1, DraftRegistration.find().count())
url = self.node.api_url_for('delete_draft_registration',
draft_id=self.draft._id)
res = self.app.delete(url, auth=non_admin.auth, expect_errors=True)
assert_equal(res.status_code, http.FORBIDDEN)
assert_equal(1, DraftRegistration.find().count())
def test_delete_draft_registration_approved_and_registration_deleted(self, mock_register_draft):
self.draft.register(auth=self.auth, save=True)
self.draft.registered_node.is_deleted = True
self.draft.registered_node.save()
assert_equal(1, DraftRegistration.find().count())
url = self.node.api_url_for('delete_draft_registration', draft_id=self.draft._id)
res = self.app.delete(url, auth=self.user.auth)
assert_equal(res.status_code, http.NO_CONTENT)
assert_equal(0, DraftRegistration.find().count())
def test_delete_draft_registration_approved_and_registration_deleted(
self, mock_register_draft):
self.draft.register(auth=self.auth, save=True)
self.draft.registered_node.is_deleted = True
self.draft.registered_node.save()
assert_equal(1, DraftRegistration.find().count())
url = self.node.api_url_for('delete_draft_registration',
draft_id=self.draft._id)
res = self.app.delete(url, auth=self.user.auth)
assert_equal(res.status_code, http.NO_CONTENT)
assert_equal(0, DraftRegistration.find().count())
def check_access(node, auth, action, cas_resp):
"""Verify that user can perform requested action on resource. Raise appropriate
error code if action cannot proceed.
"""
permission = permission_map.get(action, None)
if permission is None:
raise HTTPError(httplib.BAD_REQUEST)
if cas_resp:
if permission == 'read':
if node.is_public:
return True
required_scope = oauth_scopes.CoreScopes.NODE_FILE_READ
else:
required_scope = oauth_scopes.CoreScopes.NODE_FILE_WRITE
if not cas_resp.authenticated \
or required_scope not in oauth_scopes.normalize_scopes(cas_resp.attributes['accessTokenScope']):
raise HTTPError(httplib.FORBIDDEN)
if permission == 'read':
if node.can_view(auth):
return True
# The user may have admin privileges on a parent node, in which
# case they should have read permissions
if node.is_registration and node.registered_from.can_view(auth):
return True
if permission == 'write' and node.can_edit(auth):
return True
# Users attempting to register projects with components might not have
# `write` permissions for all components. This will result in a 403 for
# all `copyto` actions as well as `copyfrom` actions if the component
# in question is not public. To get around this, we have to recursively
# check the node's parent node to determine if they have `write`
# permissions up the stack.
# TODO(hrybacki): is there a way to tell if this is for a registration?
# All nodes being registered that receive the `copyto` action will have
# `node.is_registration` == True. However, we have no way of telling if
# `copyfrom` actions are originating from a node being registered.
# TODO This is raise UNAUTHORIZED for registrations that have not been archived yet
if action == 'copyfrom' or (action == 'copyto' and node.is_registration):
parent = node.parent_node
while parent:
if parent.can_edit(auth):
return True
parent = parent.parent_node
# Users with the PREREG_ADMIN_TAG should be allowed to download files
# from prereg challenge draft registrations.
try:
prereg_schema = MetaSchema.find_one(
Q('name', 'eq', 'Prereg Challenge') &
Q('schema_version', 'eq', 2)
)
allowed_nodes = [node] + node.parents
prereg_draft_registration = DraftRegistration.find(
Q('branched_from', 'in', [n for n in allowed_nodes]) &
Q('registration_schema', 'eq', prereg_schema)
)
if action == 'download' and \
auth.user is not None and \
prereg_draft_registration.count() > 0 and \
settings.PREREG_ADMIN_TAG in auth.user.system_tags:
return True
except NoResultsFound:
pass
raise HTTPError(httplib.FORBIDDEN if auth.user else httplib.UNAUTHORIZED)
def check_access(node, auth, action, cas_resp):
"""Verify that user can perform requested action on resource. Raise appropriate
error code if action cannot proceed.
"""
permission = permission_map.get(action, None)
if permission is None:
raise HTTPError(httplib.BAD_REQUEST)
if cas_resp:
if permission == 'read':
if node.is_public:
return True
required_scope = oauth_scopes.CoreScopes.NODE_FILE_READ
else:
required_scope = oauth_scopes.CoreScopes.NODE_FILE_WRITE
if not cas_resp.authenticated \
or required_scope not in oauth_scopes.normalize_scopes(cas_resp.attributes['accessTokenScope']):
raise HTTPError(httplib.FORBIDDEN)
if permission == 'read':
if node.can_view(auth):
return True
# The user may have admin privileges on a parent node, in which
# case they should have read permissions
if node.is_registration and node.registered_from.can_view(auth):
return True
if permission == 'write' and node.can_edit(auth):
return True
# Users attempting to register projects with components might not have
# `write` permissions for all components. This will result in a 403 for
# all `copyto` actions as well as `copyfrom` actions if the component
# in question is not public. To get around this, we have to recursively
# check the node's parent node to determine if they have `write`
# permissions up the stack.
# TODO(hrybacki): is there a way to tell if this is for a registration?
# All nodes being registered that receive the `copyto` action will have
# `node.is_registration` == True. However, we have no way of telling if
# `copyfrom` actions are originating from a node being registered.
# TODO This is raise UNAUTHORIZED for registrations that have not been archived yet
if action == 'copyfrom' or (action == 'copyto' and node.is_registration):
parent = node.parent_node
while parent:
if parent.can_edit(auth):
return True
parent = parent.parent_node
# Users with the PREREG_ADMIN_TAG should be allowed to download files
# from prereg challenge draft registrations.
try:
prereg_schema = MetaSchema.find_one(
Q('name', 'eq', 'Prereg Challenge') & Q('schema_version', 'eq', 2))
allowed_nodes = [node] + node.parents
prereg_draft_registration = DraftRegistration.find(
Q('branched_from', 'in', [n for n in allowed_nodes])
& Q('registration_schema', 'eq', prereg_schema))
if action == 'download' and \
auth.user is not None and \
prereg_draft_registration.count() > 0 and \
settings.PREREG_ADMIN_TAG in auth.user.system_tags:
return True
except NoResultsFound:
pass
raise HTTPError(httplib.FORBIDDEN if auth.user else httplib.UNAUTHORIZED)
