def response_role_based_access(domain, new_plan_version):
"""
Perform Role Based Access Upgrade
- Un-archive custom roles.
"""
UserRole.unarchive_roles_for_domain(domain.name)
return True
def update_user_roles(domain_link):
if domain_link.is_remote:
master_results = remote_get_user_roles(domain_link)
else:
master_results = local_get_user_roles(domain_link.master_domain)
_convert_web_apps_permissions(domain_link, master_results)
_convert_reports_permissions(domain_link, master_results)
local_roles = UserRole.view(
'users/roles_by_domain',
startkey=[domain_link.linked_domain],
endkey=[domain_link.linked_domain, {}],
include_docs=True,
reduce=False,
)
local_roles_by_name = {role.name: role for role in local_roles}
for role_def in master_results:
role = local_roles_by_name.get(role_def['name'])
if role:
role_json = role.to_json()
else:
role_json = {'domain': domain_link.linked_domain}
role_json.update(role_def)
UserRole.wrap(role_json).save()
def test_report_fixtures_provider_with_cloudcare(self):
"""
ReportFixturesProvider should iterate only allowed apps if sync is from cloudcare
"""
from corehq.apps.userreports.reports.data_source import ConfigurableReportDataSource
role = UserRole(
domain=self.domain,
permissions=Permissions(
view_web_apps=False,
view_web_apps_list=[self.app1._id]
),
name='WebApp Restricted'
)
role.save()
self.user._couch_user.set_role(self.domain, role.get_qualified_id())
with patch.object(ConfigurableReportDataSource, 'get_data') as get_data_mock:
get_data_mock.return_value = self.rows
with mock_datasource_config():
fixtures = call_fixture_generator(
report_fixture_generator,
self.user,
device_id="WebAppsLogin|[email protected]"
)
reports = fixtures[0].findall('.//report')
self.assertEqual(len(reports), 1)
self.assertEqual(reports[0].attrib.get('id'), '123456')
def _handle_user_form(request, domain, couch_user=None):
context = {}
if couch_user:
create_user = False
else:
create_user = True
can_change_admin_status = (
request.user.is_superuser or request.couch_user.can_edit_web_users(domain=domain)
) and request.couch_user.user_id != couch_user.user_id
if couch_user.is_commcare_user():
role_choices = UserRole.commcareuser_role_choices(domain)
else:
role_choices = UserRole.role_choices(domain)
if request.method == "POST" and request.POST["form_type"] == "basic-info":
form = UserForm(request.POST, role_choices=role_choices)
if form.is_valid():
if create_user:
django_user = User()
django_user.username = form.cleaned_data["email"]
django_user.save()
couch_user = CouchUser.from_django_user(django_user)
couch_user.first_name = form.cleaned_data["first_name"]
couch_user.last_name = form.cleaned_data["last_name"]
couch_user.email = form.cleaned_data["email"]
couch_user.language = form.cleaned_data["language"]
if can_change_admin_status:
role = form.cleaned_data["role"]
if role:
couch_user.set_role(domain, role)
couch_user.save()
if request.couch_user.get_id == couch_user.get_id and couch_user.language:
# update local language in the session
request.session["django_language"] = couch_user.language
messages.success(request, 'Changes saved for user "%s"' % couch_user.username)
else:
form = UserForm(role_choices=role_choices)
if not create_user:
form.initial["first_name"] = couch_user.first_name
form.initial["last_name"] = couch_user.last_name
form.initial["email"] = couch_user.email
form.initial["language"] = couch_user.language
if can_change_admin_status:
if couch_user.is_commcare_user():
role = couch_user.get_role(domain)
if role is None:
initial = "none"
else:
initial = role.get_qualified_id()
form.initial["role"] = initial
else:
form.initial["role"] = couch_user.get_role(domain, include_teams=False).get_qualified_id() or ""
if not can_change_admin_status:
del form.fields["role"]
context.update({"form": form})
return context
def setUp(self):
super(TestUserRoleSubscriptionChanges, self).setUp()
self.domain = generator.arbitrary_domain()
UserRole.init_domain_with_presets(self.domain.name)
self.user_roles = UserRole.by_domain(self.domain.name)
self.custom_role = UserRole.get_or_create_with_permissions(
self.domain.name,
Permissions(edit_apps=True, edit_web_users=True),
"Custom Role"
)
self.custom_role.save()
self.read_only_role = UserRole.get_read_only_role_by_domain(self.domain.name)
self.admin_user = generator.arbitrary_web_user()
self.admin_user.add_domain_membership(self.domain.name, is_admin=True)
self.admin_user.save()
self.web_users = []
self.commcare_users = []
for role in [self.custom_role] + self.user_roles:
web_user = generator.arbitrary_web_user()
web_user.add_domain_membership(self.domain.name, role_id=role.get_id)
web_user.save()
self.web_users.append(web_user)
commcare_user = generator.arbitrary_commcare_user(
domain=self.domain.name)
commcare_user.set_role(self.domain.name, role.get_qualified_id())
commcare_user.save()
self.commcare_users.append(commcare_user)
self.account = BillingAccount.get_or_create_account_by_domain(
self.domain.name,created_by=self.admin_user.username)[0]
self.advanced_plan = DefaultProductPlan.get_default_plan_by_domain(
self.domain.name,edition=SoftwarePlanEdition.ADVANCED)
def response_role_based_access(domain, new_plan_version):
"""
Perform Role Based Access Downgrade
- Archive custom roles.
- Set user roles using custom roles to Read Only.
- Reset initial roles to standard permissions.
"""
custom_roles = [r.get_id for r in UserRole.get_custom_roles_by_domain(domain.name)]
if not custom_roles:
return True
# temporarily disable this part of the downgrade until we
# have a better user experience for notifying the downgraded user
# read_only_role = UserRole.get_read_only_role_by_domain(self.domain.name)
# web_users = WebUser.by_domain(self.domain.name)
# for web_user in web_users:
# if web_user.get_domain_membership(self.domain.name).role_id in custom_roles:
# web_user.set_role(self.domain.name, read_only_role.get_qualified_id())
# web_user.save()
# for cc_user in CommCareUser.by_domain(self.domain.name):
# if cc_user.get_domain_membership(self.domain.name).role_id in custom_roles:
# cc_user.set_role(self.domain.name, 'none')
# cc_user.save()
UserRole.archive_custom_roles_for_domain(domain.name)
UserRole.reset_initial_roles_for_domain(domain.name)
return True
def handle(self, *args, **options):
for domain in Domain.get_all():
UserRole.get_or_create_with_permissions(
domain.name,
UserRolePresets.get_permissions(UserRolePresets.BILLING_ADMIN),
UserRolePresets.BILLING_ADMIN
)
def test_resubscription(self):
subscription = Subscription.new_domain_subscription(
self.account, self.domain.name, self.advanced_plan,
web_user=self.admin_user.username
)
self._change_std_roles()
subscription.cancel_subscription(web_user=self.admin_user.username)
custom_role = UserRole.get(self.custom_role.get_id)
self.assertTrue(custom_role.is_archived)
subscription = Subscription.new_domain_subscription(
self.account, self.domain.name, self.advanced_plan,
web_user=self.admin_user.username
)
custom_role = UserRole.get(self.custom_role.get_id)
self.assertFalse(custom_role.is_archived)
# disable this part of the test until we improve the UX for notifying
# downgraded users of their privilege changes
# custom_web_user = WebUser.get(self.web_users[0].get_id)
# custom_commcare_user = CommCareUser.get(self.commcare_users[0].get_id)
# self.assertEqual(
# custom_web_user.get_domain_membership(self.domain.name).role_id,
# self.read_only_role.get_id
# )
# self.assertIsNone(
# custom_commcare_user.get_domain_membership(self.domain.name).role_id
# )
self.assertInitialRoles()
self.assertStdUsers()
subscription.cancel_subscription(web_user=self.admin_user.username)
def handle(self, **options):
roles = UserRole.view(
'users/roles_by_domain',
include_docs=False,
reduce=False
).all()
for role_doc in iter_docs(UserRole.get_db(), [r['id'] for r in roles]):
role = UserRole.wrap(role_doc)
save_role = False
if role.permissions.edit_web_users:
role.permissions.view_web_users = True
role.permissions.view_roles = True
save_role = True
if role.permissions.edit_commcare_users:
role.permissions.view_commcare_users = True
role.permissions.edit_groups = True
role.permissions.view_groups = True
save_role = True
if role.permissions.edit_locations:
role.permissions.view_locations = True
save_role = True
if save_role:
role.save()
def _create_or_edit_facility_manager_role(self):
facility_manager_role = UserRole.by_domain_and_name(self.domain, 'Facility manager')
reports_list = [
"corehq.apps.reports.standard.sms.MessageLogReport",
"custom.ewsghana.reports.specific_reports.dashboard_report.DashboardReport",
"custom.ewsghana.reports.specific_reports.stock_status_report.StockStatus",
"custom.ewsghana.reports.specific_reports.reporting_rates.ReportingRatesReport",
"custom.ewsghana.reports.maps.EWSMapReport"
]
if facility_manager_role:
permissions = Permissions(
edit_web_users=True,
edit_commcare_users=True,
view_reports=False,
view_report_list=reports_list
)
facility_manager_role[0].permissions = permissions
facility_manager_role[0].save()
else:
role = UserRole(
domain=self.domain,
permissions=Permissions(
view_reports=False,
edit_web_users=True,
edit_commcare_users=True,
view_report_list=reports_list
),
name='Facility manager'
)
role.save()
def web_user_sync(self, ews_webuser):
username = ews_webuser.email.lower()
if not username:
try:
validate_email(ews_webuser.username)
username = ews_webuser.username
except ValidationError:
return None
user = WebUser.get_by_username(username)
user_dict = {
'first_name': ews_webuser.first_name,
'last_name': ews_webuser.last_name,
'is_active': ews_webuser.is_active,
'last_login': force_to_datetime(ews_webuser.last_login),
'date_joined': force_to_datetime(ews_webuser.date_joined),
'password_hashed': True,
}
location_id = None
if ews_webuser.location:
try:
location = SQLLocation.objects.get(domain=self.domain, external_id=ews_webuser.location)
location_id = location.location_id
except SQLLocation.DoesNotExist:
pass
if user is None:
try:
user = WebUser.create(domain=None, username=username,
password=ews_webuser.password, email=ews_webuser.email,
**user_dict)
user.add_domain_membership(self.domain, location_id=location_id)
except Exception as e:
logging.error(e)
else:
if self.domain not in user.get_domains():
user.add_domain_membership(self.domain, location_id=location_id)
ews_webuser_extension(user, ews_webuser)
dm = user.get_domain_membership(self.domain)
if dm.location_id != location_id:
dm.location_id = location_id
if ews_webuser.is_superuser:
dm.role_id = UserRole.by_domain_and_name(self.domain, 'Administrator')[0].get_id
elif ews_webuser.groups and ews_webuser.groups[0].name == 'facility_manager':
dm.role_id = UserRole.by_domain_and_name(self.domain, 'Facility manager')[0].get_id
else:
if ews_webuser.supply_point:
supply_point = get_supply_point_case_by_domain_external_id(self.domain, ews_webuser.supply_point)
if supply_point:
dm.location_id = supply_point.location_id
dm.role_id = UserRole.by_domain_and_name(self.domain, 'Web Reporter')[0].get_id
else:
dm.role_id = UserRole.get_read_only_role_by_domain(self.domain).get_id
else:
dm.role_id = UserRole.get_read_only_role_by_domain(self.domain).get_id
user.save()
return user
def _handle_user_form(request, domain, couch_user=None):
from corehq.apps.reports.util import get_possible_reports
context = {}
if couch_user:
create_user = False
else:
create_user = True
can_change_admin_status = \
(request.user.is_superuser or request.couch_user.can_edit_web_users(domain=domain))\
and request.couch_user.user_id != couch_user.user_id
if couch_user.is_commcare_user():
role_choices = UserRole.commcareuser_role_choices(domain)
else:
role_choices = UserRole.role_choices(domain)
if request.method == "POST" and request.POST['form_type'] == "basic-info":
form = UserForm(request.POST, role_choices=role_choices)
if form.is_valid():
if create_user:
django_user = User()
django_user.username = form.cleaned_data['email']
django_user.save()
couch_user = CouchUser.from_django_user(django_user)
couch_user.first_name = form.cleaned_data['first_name']
couch_user.last_name = form.cleaned_data['last_name']
couch_user.email = form.cleaned_data['email']
couch_user.language = form.cleaned_data['language']
if can_change_admin_status:
role = form.cleaned_data['role']
if role:
couch_user.set_role(domain, role)
couch_user.save()
messages.success(request, 'Changes saved for user "%s"' % couch_user.username)
else:
form = UserForm(role_choices=role_choices)
if not create_user:
form.initial['first_name'] = couch_user.first_name
form.initial['last_name'] = couch_user.last_name
form.initial['email'] = couch_user.email
form.initial['language'] = couch_user.language
if can_change_admin_status:
if couch_user.is_commcare_user():
role = couch_user.get_role(domain)
if role is None:
initial = "none"
else:
initial = role.get_qualified_id()
form.initial['role'] = initial
else:
form.initial['role'] = couch_user.get_role(domain).get_qualified_id() or ''
if not can_change_admin_status:
del form.fields['role']
context.update({"form": form})
return context
def setUpClass(cls):
super(AllCommCareUsersTest, cls).setUpClass()
delete_all_users()
hard_delete_deleted_users()
cls.ccdomain = Domain(name='cc_user_domain')
cls.ccdomain.save()
cls.other_domain = Domain(name='other_domain')
cls.other_domain.save()
UserRole.init_domain_with_presets(cls.ccdomain.name)
cls.user_roles = UserRole.by_domain(cls.ccdomain.name)
cls.custom_role = UserRole.get_or_create_with_permissions(
cls.ccdomain.name,
Permissions(
edit_apps=True,
edit_web_users=True,
view_web_users=True,
view_roles=True,
),
"Custom Role"
)
cls.custom_role.save()
cls.ccuser_1 = CommCareUser.create(
domain=cls.ccdomain.name,
username='******',
password='******',
email='*****@*****.**',
)
cls.ccuser_2 = CommCareUser.create(
domain=cls.ccdomain.name,
username='******',
password='******',
email='*****@*****.**',
)
cls.ccuser_2.set_role(cls.ccdomain.name, cls.custom_role.get_qualified_id())
cls.ccuser_2.save()
cls.web_user = WebUser.create(
domain=cls.ccdomain.name,
username='******',
password='******',
email='*****@*****.**',
)
cls.ccuser_other_domain = CommCareUser.create(
domain=cls.other_domain.name,
username='******',
password='******',
email='*****@*****.**',
)
cls.retired_user = CommCareUser.create(
domain=cls.ccdomain.name,
username='******',
password='******',
email='*****@*****.**',
)
cls.retired_user.retire()
def web_users(request, domain, template="users/web_users.html"):
context = _users_context(request, domain)
user_roles = [AdminUserRole(domain=domain)]
user_roles.extend(sorted(UserRole.by_domain(domain), key=lambda role: role.name if role.name else u'\uFFFF'))
context.update({
'user_roles': user_roles,
'default_role': UserRole.get_default(),
'report_list': get_possible_reports(domain),
})
return render_to_response(request, template, context)
def post_user_role(request, domain):
role_data = json.loads(request.raw_post_data)
role_data = dict([(p, role_data[p]) for p in set(UserRole.properties().keys() + ['_id', '_rev']) if p in role_data])
role = UserRole.wrap(role_data)
role.domain = domain
if role.get_id:
old_role = UserRole.get(role.get_id)
assert(old_role.doc_type == UserRole.__name__)
role.save()
return json_response(role)
def restrict_user_to_assigned_locations(cls, user):
role = UserRole(
domain=cls.domain,
name='Regional Supervisor',
permissions=Permissions(edit_commcare_users=True,
access_all_locations=False),
)
role.save()
user.set_role(cls.domain, role.get_qualified_id())
user.save()
def test_update_web_apps_list(self):
self.assertEqual([], UserRole.by_domain(self.linked_domain))
report_mapping = {'master_report_id': 'linked_report_id'}
with patch('corehq.apps.linked_domain.updates.get_static_report_mapping', return_value=report_mapping):
update_user_roles(self.domain_link)
roles = UserRole.by_domain(self.linked_domain)
self.assertEqual(1, len(roles))
self.assertEqual(roles[0].permissions.view_web_apps_list, [self.linked_app._id])
self.assertEqual(roles[0].permissions.view_report_list, [get_ucr_class_name('linked_report_id')])
def _set_role_for_bundle(kwargs, bundle):
# check for roles associated with the domain
domain_roles = UserRole.by_domain_and_name(kwargs['domain'], bundle.data.get('role'))
if domain_roles:
qualified_role_id = domain_roles[0].get_qualified_id()
bundle.obj.set_role(kwargs['domain'], qualified_role_id)
else:
# check for preset roles and now create them for the domain
permission_preset_name = UserRole.get_preset_permission_by_name(bundle.data.get('role'))
if permission_preset_name:
bundle.obj.set_role(kwargs['domain'], permission_preset_name)
def test_get_doc_ids_in_domain_by_class(self):
user_role = UserRole(domain=self.domain)
group = Group(domain=self.domain)
xform = XFormInstance(domain=self.domain)
user_role.save()
group.save()
xform.save()
self.addCleanup(user_role.delete)
self.addCleanup(group.delete)
self.addCleanup(xform.delete)
[doc_id] = get_doc_ids_in_domain_by_class(self.domain, UserRole)
self.assertEqual(doc_id, user_role.get_id)
def response_role_based_access(self):
"""
Perform Role Based Access Upgrade
- Un-archive custom roles.
"""
if self.verbose:
num_archived_roles = len(UserRole.by_domain(self.domain.name,
is_archived=True))
if num_archived_roles:
print "Re-Activating %d archived roles." % num_archived_roles
UserRole.unarchive_roles_for_domain(self.domain.name)
return True
def _create_or_edit_administrator_role(domain):
administrator_role = UserRole.by_domain_and_name(domain, 'Administrator')
reports_list = [
"corehq.apps.reports.standard.sms.MessageLogReport",
"custom.ewsghana.reports.specific_reports.dashboard_report.DashboardReport",
"custom.ewsghana.reports.specific_reports.stock_status_report.StockStatus",
"custom.ewsghana.reports.specific_reports.reporting_rates.ReportingRatesReport",
"custom.ewsghana.reports.maps.EWSMapReport",
"custom.ewsghana.reports.email_reports.CMSRMSReport",
"custom.ewsghana.reports.email_reports.StockSummaryReport",
"custom.ewsghana.comparison_report.ProductsCompareReport",
"custom.ewsghana.comparison_report.LocationsCompareReport",
"custom.ewsghana.comparison_report.SupplyPointsCompareReport",
"custom.ewsghana.comparison_report.WebUsersCompareReport",
"custom.ewsghana.comparison_report.SMSUsersCompareReport"
]
if administrator_role:
permissions = Permissions(
edit_web_users=True,
view_web_users=True,
view_roles=True,
edit_commcare_users=True,
view_commcare_users=True,
edit_groups=True,
view_groups=True,
edit_locations=True,
view_locations=True,
view_reports=False,
view_report_list=reports_list
)
administrator_role[0].permissions = permissions
administrator_role[0].save()
else:
role = UserRole(
domain=domain,
permissions=Permissions(
view_reports=False,
edit_web_users=True,
view_web_users=True,
view_roles=True,
edit_commcare_users=True,
view_commcare_users=True,
edit_groups=True,
view_groups=True,
edit_locations=True,
view_locations=True,
view_report_list=reports_list
),
name='Administrator'
)
role.save()
def post_user_role(request, domain):
if not domain_has_privilege(domain, privileges.ROLE_BASED_ACCESS):
return json_response({})
role_data = json.loads(request.raw_post_data)
role_data = dict([(p, role_data[p]) for p in set(UserRole.properties().keys() + ['_id', '_rev']) if p in role_data])
role = UserRole.wrap(role_data)
role.domain = domain
if role.get_id:
old_role = UserRole.get(role.get_id)
assert(old_role.doc_type == UserRole.__name__)
assert(old_role.domain == domain)
role.save()
return json_response(role)
def post_user_role(request, domain):
if not domain_has_privilege(domain, privileges.ROLE_BASED_ACCESS):
return json_response({})
role_data = json.loads(request.body)
role_data = dict([(p, role_data[p]) for p in set(UserRole.properties().keys() + ["_id", "_rev"]) if p in role_data])
role = UserRole.wrap(role_data)
role.domain = domain
if role.get_id:
old_role = UserRole.get(role.get_id)
assert old_role.doc_type == UserRole.__name__
assert old_role.domain == domain
role.save()
role.__setattr__("hasUsersAssigned", True if len(role.ids_of_assigned_users) > 0 else False)
return json_response(role)
def apply(self, domain):
if not self.has_migrated_permissions:
logging.info("Applying permissions migration to domain %s" % domain.name)
from corehq.apps.users.models import UserRole, WebUser
UserRole.init_domain_with_presets(domain.name)
for web_user in WebUser.by_domain(domain.name):
try:
web_user.save()
except ResourceConflict:
# web_user has already been saved by another thread in the last few seconds
pass
self.has_migrated_permissions = True
domain.save()
def restrict_user_by_location(domain, user):
role = UserRole(
domain=domain,
name='Regional Supervisor',
permissions=Permissions(edit_commcare_users=True,
view_commcare_users=True,
edit_groups=True,
view_groups=True,
edit_locations=True,
view_locations=True,
access_all_locations=False),
)
role.save()
user.set_role(domain, role.get_qualified_id())
user.save()
def invite_web_user(request, domain, template="users/invite_web_user.html"):
role_choices = UserRole.role_choices(domain)
if request.method == "POST":
current_users = [user.username for user in WebUser.by_domain(domain)]
pending_invites = [di.email for di in DomainInvitation.by_domain(domain)]
form = AdminInvitesUserForm(request.POST,
excluded_emails= current_users + pending_invites,
role_choices=role_choices
)
if form.is_valid():
data = form.cleaned_data
# create invitation record
data["invited_by"] = request.couch_user.user_id
data["invited_on"] = datetime.utcnow()
data["domain"] = domain
invite = DomainInvitation(**data)
invite.save()
invite.send_activation_email()
messages.success(request, "Invitation sent to %s" % invite.email)
return HttpResponseRedirect(reverse("web_users", args=[domain]))
else:
form = AdminInvitesUserForm(role_choices=role_choices)
context = _users_context(request, domain)
context.update(
registration_form=form
)
return render(request, template, context)
def orgs_team_members(request, org, team_id, template="orgs/orgs_team_members.html"):
class TeamMembersNotification(Notification):
doc_type = 'OrgTeamMembersNotification'
def template(self):
return 'orgs/partials/team_members_notification.html'
MainNotification.display_if_needed(messages, request, ctxt={"org": request.organization})
TeamMembersNotification.display_if_needed(messages, request)
ctxt = base_context(request, request.organization)
ctxt["tab"] = "teams"
try:
team = Team.get(team_id)
except ResourceNotFound:
raise Http404("Team %s does not exist" % team_id)
team_members = team.get_members()
team_members.sort(key=lambda user: user.username)
#inspect the domains of the team
domain_names = team.get_domains()
team_domains = list()
for name in domain_names:
team_domains.append([Domain.get_by_name(name), team.role_label(domain=name), UserRole.by_domain(name)])
nonmembers = filter(lambda m: m.username not in [tm.username for tm in team_members], ctxt["members"])
nondomains = filter(lambda d: d.name not in [td[0].name for td in team_domains], ctxt["domains"])
ctxt.update(dict(team=team, team_members=team_members, nonmembers=nonmembers,
team_domains=team_domains, nondomains=nondomains))
return render(request, template, ctxt)
def __init__(self, *args, **kwargs):
self.domain = kwargs.pop('domain')
super(CommCareUserFilterForm, self).__init__(*args, **kwargs)
roles = UserRole.by_domain(self.domain)
self.fields['role_id'].choices = [('', _('All Roles'))] + [
(role._id, role.name or _('(No Name)')) for role in roles]
self.helper = FormHelper()
self.helper.form_method = 'GET'
self.helper.form_id = 'user-filters'
self.helper.form_class = 'form-horizontal'
self.helper.form_action = reverse('download_commcare_users', args=[self.domain])
self.helper.label_class = 'col-sm-3 col-md-2'
self.helper.field_class = 'col-sm-9 col-md-8 col-lg-6'
self.helper.form_text_inline = True
self.helper.layout = crispy.Layout(
crispy.Fieldset(
_("Filter and Download Users"),
crispy.Field('role_id'),
crispy.Field('search_string'),
),
hqcrispy.FormActions(
twbscrispy.StrictButton(
_("Download All Users"),
type="submit",
css_class="btn btn-primary submit_button",
)
),
)
def assertInitialRoles(self):
for u in self.user_roles:
user_role = UserRole.get(u.get_id)
self.assertEqual(
user_role.permissions,
UserRolePresets.get_permissions(user_role.name)
)
def clean_role_id(self):
role_id = self.cleaned_data['role_id']
if not role_id:
return None
if not UserRole.get(role_id).domain == self.domain:
raise forms.ValidationError(_("Invalid Role"))
return role_id
def create_or_update_users_and_groups(domain,
user_specs,
group_specs,
task=None):
from corehq.apps.users.views.mobile.custom_data_fields import UserFieldsView
custom_data_validator = UserFieldsView.get_validator(domain)
ret = {"errors": [], "rows": []}
total = len(user_specs) + len(group_specs)
def _set_progress(progress):
if task is not None:
DownloadBase.set_progress(task, progress, total)
group_memoizer = create_or_update_groups(domain, group_specs, log=ret)
current = len(group_specs)
usernames = set()
user_ids = set()
allowed_groups = set(group_memoizer.groups)
allowed_group_names = [group.name for group in allowed_groups]
allowed_roles = UserRole.by_domain(domain)
roles_by_name = {role.name: role for role in allowed_roles}
can_assign_locations = domain_has_privilege(domain, privileges.LOCATIONS)
# ToDo: We need more speccing on what/how locations can be assigned if location-restrictions is enabled
# For now, don't support bulk assigning if location-restrictions are enabled
can_assign_locations = can_assign_locations and not toggles.RESTRICT_WEB_USERS_BY_LOCATION.enabled(
domain)
if can_assign_locations:
location_cache = SiteCodeToLocationCache(domain)
project = Domain.get_by_name(domain)
usernames_with_dupe_passwords = users_with_duplicate_passwords(user_specs)
try:
for row in user_specs:
_set_progress(current)
current += 1
data = row.get('data')
email = row.get('email')
group_names = map(unicode, row.get('group') or [])
language = row.get('language')
name = row.get('name')
password = row.get('password')
phone_number = row.get('phone-number')
uncategorized_data = row.get('uncategorized_data')
user_id = row.get('user_id')
username = row.get('username')
location_codes = row.get('location_code') or []
if location_codes and not isinstance(location_codes, list):
location_codes = [location_codes]
# ignore empty
location_codes = [code for code in location_codes if code]
role = row.get('role', '')
if password:
password = unicode(password)
try:
username = normalize_username(str(username), domain)
except TypeError:
username = None
except ValidationError:
ret['rows'].append({
'username':
username,
'row':
row,
'flag':
_('username cannot contain spaces or symbols'),
})
continue
status_row = {
'username': raw_username(username) if username else None,
'row': row,
}
is_active = row.get('is_active')
if isinstance(is_active, basestring):
try:
is_active = string_to_boolean(
is_active) if is_active else None
except ValueError:
ret['rows'].append({
'username':
username,
'row':
row,
'flag':
_("'is_active' column can only contain 'true' or 'false'"
),
})
continue
if username in usernames or user_id in user_ids:
status_row['flag'] = 'repeat'
elif not username and not user_id:
status_row['flag'] = 'missing-data'
else:
try:
if username:
usernames.add(username)
if user_id:
user_ids.add(user_id)
if user_id:
user = CommCareUser.get_by_user_id(user_id, domain)
else:
user = CommCareUser.get_by_username(username)
if project.strong_mobile_passwords and is_password(
password):
if raw_username(
username) in usernames_with_dupe_passwords:
raise UserUploadError(
_("Provide a unique password for each mobile worker"
))
try:
clean_password(password)
except forms.ValidationError:
if settings.ENABLE_DRACONIAN_SECURITY_FEATURES:
msg = _(
"Mobile Worker passwords must be 8 "
"characters long with at least 1 capital "
"letter, 1 special character and 1 number")
else:
msg = _("Please provide a stronger password")
raise UserUploadError(msg)
if user:
if user.domain != domain:
raise UserUploadError(
_('User with username %(username)r is '
'somehow in domain %(domain)r') % {
'username': user.username,
'domain': user.domain
})
if username and user.username != username:
raise UserUploadError(
_('Changing usernames is not supported: %(username)r to %(new_username)r'
) % {
'username': user.username,
'new_username': username
})
if is_password(password):
user.set_password(password)
status_row['flag'] = 'updated'
else:
max_username_length = get_mobile_worker_max_username_length(
domain)
if len(raw_username(username)) > max_username_length:
ret['rows'].append({
'username':
username,
'row':
row,
'flag':
_("username cannot contain greater than %d characters"
% max_username_length)
})
continue
if not is_password(password):
raise UserUploadError(
_("Cannot create a new user with a blank password"
))
user = CommCareUser.create(domain,
username,
password,
commit=False)
status_row['flag'] = 'created'
if phone_number:
user.add_phone_number(_fmt_phone(phone_number),
default=True)
if name:
user.set_full_name(unicode(name))
if data:
error = custom_data_validator(data)
if error:
raise UserUploadError(error)
user.user_data.update(data)
if uncategorized_data:
user.user_data.update(uncategorized_data)
if language:
user.language = language
if email:
try:
validate_email(email)
except ValidationError:
raise UserUploadError(
_("User has an invalid email address"))
user.email = email.lower()
if is_active is not None:
user.is_active = is_active
if can_assign_locations:
# Do this here so that we validate the location code before we
# save any other information to the user, this way either all of
# the user's information is updated, or none of it
location_ids = []
for code in location_codes:
loc = get_location_from_site_code(
code, location_cache)
location_ids.append(loc.location_id)
if role:
if role in roles_by_name:
user.set_role(
domain, roles_by_name[role].get_qualified_id())
else:
raise UserUploadError(
_("Role '%s' does not exist") % role)
# following blocks require user doc id, so it needs to be saved if new user
user.save()
if can_assign_locations:
locations_updated = set(
user.assigned_location_ids) != set(location_ids)
primary_location_removed = (
user.location_id and not location_ids
or user.location_id not in location_ids)
if primary_location_removed:
user.unset_location()
if locations_updated:
user.reset_locations(location_ids)
if is_password(password):
# Without this line, digest auth doesn't work.
# With this line, digest auth works.
# Other than that, I'm not sure what's going on
user.get_django_user().check_password(password)
for group_id in Group.by_user(user, wrap=False):
group = group_memoizer.get(group_id)
if group.name not in group_names:
group.remove_user(user)
for group_name in group_names:
if group_name not in allowed_group_names:
raise UserUploadError(
_("Can't add to group '%s' "
"(try adding it to your spreadsheet)") %
group_name)
group_memoizer.by_name(group_name).add_user(user,
save=False)
except (UserUploadError, CouchUser.Inconsistent) as e:
status_row['flag'] = unicode(e)
ret["rows"].append(status_row)
finally:
try:
group_memoizer.save_all()
except BulkSaveError as e:
_error_message = (
"Oops! We were not able to save some of your group changes. "
"Please make sure no one else is editing your groups "
"and try again.")
logging.exception(('BulkSaveError saving groups. '
'User saw error message "%s". Errors: %s') %
(_error_message, e.errors))
ret['errors'].append(_error_message)
_set_progress(total)
return ret
def setUpClass(cls):
super(TestInputStockView, cls).setUpClass()
cls.domain = initial_bootstrap(TEST_DOMAIN)
db = get_db()
if db.doc_exist(DOMAIN_MODULE_KEY):
module_config = db.open_doc(DOMAIN_MODULE_KEY)
module_map = module_config.get('module_map')
if module_map:
module_map[TEST_DOMAIN] = 'custom.ewsghana'
else:
module_config['module_map'][TEST_DOMAIN] = 'custom.ewsghana'
else:
module_config = db.save_doc({
'_id': DOMAIN_MODULE_KEY,
'module_map': {
'ewsghana-test-input-stock': 'custom.ewsghana'
}
})
db.save_doc(module_config)
cls.setup_subscription(TEST_DOMAIN, SoftwarePlanEdition.ENTERPRISE)
test_utils.prepare_commtrack_config(TEST_DOMAIN)
test_utils.prepare_custom_fields(TEST_DOMAIN)
test_utils.create_or_edit_roles(TEST_DOMAIN)
test_utils.create_test_products(TEST_DOMAIN)
test_utils.create_test_locations(TEST_DOMAIN)
cls.test_facility3 = SQLLocation.objects.get(domain=TEST_DOMAIN,
site_code='tsactive')
cls.testregion2 = SQLLocation.objects.get(domain=TEST_DOMAIN,
site_code='testregion2')
cls.rsp = SQLLocation.objects.get(domain=TEST_DOMAIN, site_code='rsp')
cls.test_district = SQLLocation.objects.get(domain=TEST_DOMAIN,
site_code='testdistrict')
cls.username1 = 'ews_user1'
cls.password1 = 'dummy'
cls.web_user1 = WebUser.create(TEST_DOMAIN, cls.username1,
cls.password1)
cls.web_user1.eula.signed = True
cls.web_user1.save()
cls.username2 = 'ews_user2'
cls.password2 = 'dummy'
cls.web_user2 = WebUser.create(TEST_DOMAIN, cls.username2,
cls.password2)
cls.web_user2.get_domain_membership(
TEST_DOMAIN).location_id = cls.test_facility3.location_id
cls.web_user2.eula.signed = True
cls.web_user2.save()
cls.username3 = 'ews_user3'
cls.password3 = 'dummy'
cls.web_user3 = WebUser.create(TEST_DOMAIN, cls.username3,
cls.password3)
cls.web_user3.get_domain_membership(
TEST_DOMAIN).location_id = cls.testregion2.location_id
cls.web_user3.eula.signed = True
cls.web_user3.save()
cls.username4 = 'ews_user4'
cls.password4 = 'dummy'
cls.web_user4 = WebUser.create(TEST_DOMAIN, cls.username4,
cls.password4)
cls.web_user4.get_domain_membership(
TEST_DOMAIN).location_id = cls.rsp.location_id
cls.web_user4.eula.signed = True
cls.web_user4.save()
cls.username5 = 'ews_user5'
cls.password5 = 'dummy'
cls.web_user5 = WebUser.create(TEST_DOMAIN,
cls.username5,
cls.password5,
first_name='test',
last_name='test2')
cls.web_user5.set_default_phone_number('1111')
cls.web_user5.save()
domain_membership = cls.web_user5.get_domain_membership(TEST_DOMAIN)
domain_membership.location_id = cls.test_district.location_id
domain_membership.role_id = UserRole.get_read_only_role_by_domain(
cls.domain.name).get_id
cls.web_user5.eula.signed = True
cls.web_user5.save()
cls.username6 = 'ews_user6'
cls.password6 = 'dummy'
cls.web_user6 = WebUser.create(TEST_DOMAIN, cls.username6,
cls.password6)
domain_membership = cls.web_user6.get_domain_membership(TEST_DOMAIN)
domain_membership.role_id = UserRole.get_read_only_role_by_domain(
cls.domain.name).get_id
cls.web_user6.eula.signed = True
cls.web_user6.save()
cls.admin_username = '******'
cls.admin_password = '******'
cls.admin = WebUser.create(TEST_DOMAIN, cls.admin_username,
cls.admin_password)
domain_membership = cls.admin.get_domain_membership(TEST_DOMAIN)
domain_membership.role_id = UserRole.by_domain_and_name(
cls.domain.name, 'Administrator')[0].get_id
cls.admin.eula.signed = True
cls.admin.save()
EWSExtension.objects.create(user_id=cls.web_user6.get_id,
domain=TEST_DOMAIN,
location_id=cls.test_facility3.get_id)
cls.ad = SQLProduct.objects.get(domain=TEST_DOMAIN, code='ad')
cls.al = SQLProduct.objects.get(domain=TEST_DOMAIN, code='al')
cls.backend, cls.mapping = setup_default_sms_test_backend()
cls.client = Client()
def get_user_roles(domain):
def _to_json(role):
return _clean_json(role.to_json())
return [_to_json(role) for role in UserRole.by_domain(domain)]
def web_user_sync(self, ews_webuser):
username = ews_webuser.email.lower()
if not username:
try:
validate_email(ews_webuser.username)
username = ews_webuser.username
except ValidationError:
return None
user = WebUser.get_by_username(username)
user_dict = {
'first_name': ews_webuser.first_name,
'last_name': ews_webuser.last_name,
'is_active': ews_webuser.is_active,
'last_login': force_to_datetime(ews_webuser.last_login),
'date_joined': force_to_datetime(ews_webuser.date_joined),
'password_hashed': True,
}
location_id = None
if ews_webuser.location:
try:
location = SQLLocation.objects.get(
domain=self.domain, external_id=ews_webuser.location)
location_id = location.location_id
except SQLLocation.DoesNotExist:
pass
if user is None:
try:
user = WebUser.create(domain=None,
username=username,
password=ews_webuser.password,
email=ews_webuser.email,
**user_dict)
user.add_domain_membership(self.domain,
location_id=location_id)
except Exception as e:
logging.error(e)
else:
if self.domain not in user.get_domains():
user.add_domain_membership(self.domain,
location_id=location_id)
ews_webuser_extension(user, ews_webuser)
dm = user.get_domain_membership(self.domain)
if dm.location_id != location_id:
dm.location_id = location_id
if ews_webuser.is_superuser:
dm.role_id = UserRole.by_domain_and_name(self.domain,
'Administrator')[0].get_id
elif ews_webuser.groups and ews_webuser.groups[
0].name == 'facility_manager':
dm.role_id = UserRole.by_domain_and_name(
self.domain, 'Facility manager')[0].get_id
else:
if ews_webuser.supply_point:
supply_point = get_supply_point_case_by_domain_external_id(
self.domain, ews_webuser.supply_point)
if supply_point:
dm.location_id = supply_point.location_id
dm.role_id = UserRole.by_domain_and_name(
self.domain, 'Web Reporter')[0].get_id
else:
dm.role_id = UserRole.get_read_only_role_by_domain(
self.domain).get_id
else:
dm.role_id = UserRole.get_read_only_role_by_domain(
self.domain).get_id
user.save()
return user
def request_new_domain(request, form, is_new_user=True):
now = datetime.utcnow()
current_user = CouchUser.from_django_user(request.user, strict=True)
dom_req = RegistrationRequest()
if is_new_user:
dom_req.request_time = now
dom_req.request_ip = get_ip(request)
dom_req.activation_guid = uuid.uuid1().hex
project_name = form.cleaned_data.get('hr_name') or form.cleaned_data.get(
'project_name')
name = name_to_url(project_name, "project")
with CriticalSection(['request_domain_name_{}'.format(name)]):
name = Domain.generate_name(name)
new_domain = Domain(name=name,
hr_name=project_name,
is_active=False,
date_created=datetime.utcnow(),
creating_user=current_user.username,
secure_submissions=True,
use_sql_backend=True,
first_domain_for_user=is_new_user)
# Avoid projects created by dimagi.com staff members as self started
new_domain.internal.self_started = not current_user.is_dimagi
if form.cleaned_data.get('domain_timezone'):
new_domain.default_timezone = form.cleaned_data['domain_timezone']
if not is_new_user:
new_domain.is_active = True
# ensure no duplicate domain documents get created on cloudant
new_domain.save(**get_safe_write_kwargs())
if not new_domain.name:
new_domain.name = new_domain._id
new_domain.save() # we need to get the name from the _id
dom_req.domain = new_domain.name
if not settings.ENTERPRISE_MODE:
_setup_subscription(new_domain.name, current_user)
UserRole.init_domain_with_presets(new_domain.name)
if request.user.is_authenticated:
if not current_user:
current_user = WebUser()
current_user.sync_from_django_user(request.user)
current_user.save()
current_user.add_domain_membership(new_domain.name, is_admin=True)
current_user.save()
dom_req.requesting_user_username = request.user.username
dom_req.new_user_username = request.user.username
elif is_new_user:
_soft_assert_registration_issues(
f"A new user {request.user.username} was not added to their domain "
f"{new_domain.name} during registration")
if is_new_user:
dom_req.save()
if settings.IS_SAAS_ENVIRONMENT:
# Load template apps to the user's new domain in parallel
from corehq.apps.app_manager.tasks import load_appcues_template_app
header = [
load_appcues_template_app.si(new_domain.name,
current_user.username, slug)
for slug in APPCUES_APP_SLUGS
]
callback = send_domain_registration_email.si(
request.user.email, dom_req.domain, dom_req.activation_guid,
request.user.get_full_name(), request.user.first_name)
chord(header)(callback)
else:
send_domain_registration_email(request.user.email, dom_req.domain,
dom_req.activation_guid,
request.user.get_full_name(),
request.user.first_name)
send_new_request_update_email(request.user,
get_ip(request),
new_domain.name,
is_new_user=is_new_user)
send_hubspot_form(HUBSPOT_CREATED_NEW_PROJECT_SPACE_FORM_ID, request)
return new_domain.name
def get_role(self):
return UserRole(domain=test_self.domain,
permissions=test_self.permissions)
def update_role(role_doc):
role = UserRole.wrap(role_doc)
# Currently we just use `edit_commcare_users` for both, so for existing
# roles, let's default to that behavior
role.permissions.edit_locations = role.permissions.edit_commcare_users
return DocUpdate(role.to_json())
class TestRolePermissionsModel(TestCase):
domain = "user-role-test"
def setUp(self):
self.role1 = UserRole(domain=self.domain, name="role1")
self.role1.save()
self.addCleanup(self.role1.delete)
def _test_allow_check_constraint(self, name, allow_all, allowed_items):
self.role1.rolepermission_set.set([
RolePermission(permission=name,
allow_all=allow_all,
allowed_items=allowed_items)
],
bulk=False)
def test_allow_check_constraint_allow_all_params_none(self):
self._test_allow_check_constraint(Permissions.view_reports.name, True,
None)
def test_allow_check_constraint_allow_all_params_empty(self):
self._test_allow_check_constraint(Permissions.view_reports.name, True,
[])
def test_allow_check_constraint_params_list(self):
self._test_allow_check_constraint(Permissions.view_reports.name, False,
['report1'])
@atomic
def test_allow_check_constraint_fail(self):
constraint_name = "users_rolepermission_valid_allow"
with self.assertRaisesMessage(IntegrityError, constraint_name):
self.role1.rolepermission_set.set([
RolePermission(permission=Permissions.view_reports.name,
allow_all=True,
allowed_items=['report1']),
],
bulk=False)
def test_unique_constraint_ok(self):
"""different roles can have the same permission"""
self.role1.rolepermission_set.set([
RolePermission(permission=Permissions.edit_data.name,
allow_all=True),
],
bulk=False)
role2 = UserRole(domain=self.domain, name="role2")
role2.save()
self.addCleanup(role2.delete)
role2.rolepermission_set.set([
RolePermission(permission=Permissions.edit_data.name,
allow_all=True),
],
bulk=False)
@atomic
def test_unique_constraint_fail(self):
"""the same role can not have duplicate permissions"""
sql_role = UserRole(domain=self.domain, name="role1")
sql_role.save()
self.addCleanup(sql_role.delete)
constraint_name = "users_rolepermission_role_id_permission_fk_id_bc5f84db_uniq"
with self.assertRaisesMessage(IntegrityError, constraint_name):
sql_role.rolepermission_set.set([
RolePermission(permission=Permissions.edit_data.name,
allow_all=True),
RolePermission(permission=Permissions.edit_data.name,
allow_all=False),
],
bulk=False)
def request_new_domain(request, form, is_new_user=True):
now = datetime.utcnow()
current_user = CouchUser.from_django_user(request.user)
dom_req = RegistrationRequest()
if is_new_user:
dom_req.request_time = now
dom_req.request_ip = get_ip(request)
dom_req.activation_guid = uuid.uuid1().hex
project_name = form.cleaned_data.get('hr_name') or form.cleaned_data.get('project_name')
name = name_to_url(project_name, "project")
with CriticalSection(['request_domain_name_{}'.format(name)]):
name = Domain.generate_name(name)
new_domain = Domain(
name=name,
hr_name=project_name,
is_active=False,
date_created=datetime.utcnow(),
creating_user=current_user.username,
secure_submissions=True,
use_sql_backend=True
)
if form.cleaned_data.get('domain_timezone'):
new_domain.default_timezone = form.cleaned_data['domain_timezone']
if not is_new_user:
new_domain.is_active = True
# ensure no duplicate domain documents get created on cloudant
new_domain.save(**get_safe_write_kwargs())
if not new_domain.name:
new_domain.name = new_domain._id
new_domain.save() # we need to get the name from the _id
if is_new_user:
# Only new-user domains are eligible for Advanced trial
# domains with no subscription are equivalent to be on free Community plan
create_30_day_advanced_trial(new_domain)
else:
ensure_explicit_community_subscription(new_domain.name, date.today())
UserRole.init_domain_with_presets(new_domain.name)
dom_req.domain = new_domain.name
if request.user.is_authenticated():
if not current_user:
current_user = WebUser()
current_user.sync_from_django_user(request.user)
current_user.save()
current_user.add_domain_membership(new_domain.name, is_admin=True)
current_user.save()
dom_req.requesting_user_username = request.user.username
dom_req.new_user_username = request.user.username
if is_new_user:
dom_req.save()
send_domain_registration_email(request.user.email,
dom_req.domain,
dom_req.activation_guid,
request.user.get_full_name())
send_new_request_update_email(request.user, get_ip(request), new_domain.name, is_new_user=is_new_user)
meta = get_meta(request)
track_created_new_project_space_on_hubspot.delay(current_user, request.COOKIES, meta)
return new_domain.name
def _invalid_user_role(self, request, details):
return details.get(
'role') not in UserRole.preset_and_domain_role_names(
request.domain)
def _assertInitialRoles(self):
for u in self.user_roles:
user_role = UserRole.get(u.get_id)
self.assertEqual(user_role.permissions,
UserRolePresets.get_permissions(user_role.name))
def tearDown(self):
for role in UserRole.by_domain(self.linked_domain):
role.delete()
super(TestUpdateRoles, self).tearDown()
def get_domain_info(domain,
upload_domain,
user_specs,
domain_info_by_domain,
upload_user=None,
group_memoizer=None,
is_web_upload=False):
from corehq.apps.users.views.mobile.custom_data_fields import UserFieldsView
domain_info = domain_info_by_domain.get(domain)
if domain_info:
return domain_info
if domain == upload_domain:
domain_group_memoizer = group_memoizer or GroupMemoizer(domain)
else:
domain_group_memoizer = GroupMemoizer(domain)
domain_group_memoizer.load_all()
can_assign_locations = domain_has_privilege(domain, privileges.LOCATIONS)
location_cache = None
if can_assign_locations:
location_cache = SiteCodeToLocationCache(domain)
domain_obj = Domain.get_by_name(domain)
allowed_group_names = [
group.name for group in domain_group_memoizer.groups
]
profiles_by_name = {}
domain_user_specs = [
spec for spec in user_specs
if spec.get('domain', upload_domain) == domain
]
if is_web_upload:
roles_by_name = {
role[1]: role[0]
for role in get_editable_role_choices(
domain, upload_user, allow_admin_role=True)
}
validators = get_user_import_validators(
Domain.get_by_name(domain),
domain_user_specs,
True,
allowed_roles=list(roles_by_name),
upload_domain=upload_domain,
)
else:
roles_by_name = {
role.name: role
for role in UserRole.by_domain(domain)
}
validators = get_user_import_validators(domain_obj, domain_user_specs,
False, allowed_group_names,
list(roles_by_name),
list(profiles_by_name),
upload_domain)
definition = CustomDataFieldsDefinition.get(domain,
UserFieldsView.field_type)
if definition:
profiles_by_name = {
profile.name: profile
for profile in definition.get_profiles()
}
domain_info = DomainInfo(validators, can_assign_locations, location_cache,
roles_by_name, profiles_by_name,
domain_group_memoizer)
domain_info_by_domain[domain] = domain_info
return domain_info
def create_or_update_users_and_groups(domain,
user_specs,
group_memoizer=None,
update_progress=None):
ret = {"errors": [], "rows": []}
group_memoizer = group_memoizer or GroupMemoizer(domain)
group_memoizer.load_all()
current = 0
can_assign_locations = domain_has_privilege(domain, privileges.LOCATIONS)
if can_assign_locations:
location_cache = SiteCodeToLocationCache(domain)
domain_obj = Domain.get_by_name(domain)
allowed_group_names = [group.name for group in group_memoizer.groups]
roles_by_name = {role.name: role for role in UserRole.by_domain(domain)}
validators = get_user_import_validators(domain_obj, user_specs,
allowed_group_names,
list(roles_by_name))
try:
for row in user_specs:
if update_progress:
update_progress(current)
current += 1
username = row.get('username')
status_row = {
'username': username,
'row': row,
}
try:
for validator in validators:
validator(row)
except UserUploadError as e:
status_row['flag'] = str(e)
ret['rows'].append(status_row)
continue
data = row.get('data')
email = row.get('email')
group_names = list(map(str, row.get('group') or []))
language = row.get('language')
name = row.get('name')
password = row.get('password')
phone_number = row.get('phone-number')
uncategorized_data = row.get('uncategorized_data')
user_id = row.get('user_id')
location_codes = row.get('location_code') or []
if location_codes and not isinstance(location_codes, list):
location_codes = [location_codes]
# ignore empty
location_codes = [code for code in location_codes if code]
role = row.get('role', '')
try:
username = normalize_username(str(username),
domain) if username else None
password = str(password) if password else None
is_active = row.get('is_active') or None
if is_active and isinstance(is_active, str):
is_active = string_to_boolean(is_active)
if user_id:
user = CommCareUser.get_by_user_id(user_id, domain)
if not user:
raise UserUploadError(
_("User with ID '{user_id}' not found").format(
user_id=user_id, domain=domain))
if username and user.username != username:
raise UserUploadError(
_('Changing usernames is not supported: %(username)r to %(new_username)r'
) % {
'username': user.username,
'new_username': username
})
if is_password(password):
user.set_password(password)
status_row['flag'] = 'updated'
else:
user = CommCareUser.create(domain,
username,
password,
commit=False)
status_row['flag'] = 'created'
if phone_number:
user.add_phone_number(_fmt_phone(phone_number),
default=True)
if name:
user.set_full_name(str(name))
if data:
user.user_data.update(data)
if uncategorized_data:
user.user_data.update(uncategorized_data)
if language:
user.language = language
if email:
user.email = email.lower()
if is_active is not None:
user.is_active = is_active
if can_assign_locations:
# Do this here so that we validate the location code before we
# save any other information to the user, this way either all of
# the user's information is updated, or none of it
location_ids = []
for code in location_codes:
loc = get_location_from_site_code(code, location_cache)
location_ids.append(loc.location_id)
locations_updated = set(
user.assigned_location_ids) != set(location_ids)
primary_location_removed = (
user.location_id and not location_ids
or user.location_id not in location_ids)
if primary_location_removed:
user.unset_location(commit=False)
if locations_updated:
user.reset_locations(location_ids, commit=False)
if role:
user.set_role(domain,
roles_by_name[role].get_qualified_id())
user.save()
if is_password(password):
# Without this line, digest auth doesn't work.
# With this line, digest auth works.
# Other than that, I'm not sure what's going on
# Passing use_primary_db=True because of https://dimagi-dev.atlassian.net/browse/ICDS-465
user.get_django_user(
use_primary_db=True).check_password(password)
for group in group_memoizer.by_user_id(user.user_id):
if group.name not in group_names:
group.remove_user(user)
for group_name in group_names:
group_memoizer.by_name(group_name).add_user(user,
save=False)
except (UserUploadError, CouchUser.Inconsistent) as e:
status_row['flag'] = str(e)
ret["rows"].append(status_row)
finally:
try:
group_memoizer.save_all()
except BulkSaveError as e:
_error_message = (
"Oops! We were not able to save some of your group changes. "
"Please make sure no one else is editing your groups "
"and try again.")
logging.exception(('BulkSaveError saving groups. '
'User saw error message "%s". Errors: %s') %
(_error_message, e.errors))
ret['errors'].append(_error_message)
return ret
def setUp(self):
self.role1 = UserRole(domain=self.domain, name="role1")
self.role1.save()
self.addCleanup(self.role1.delete)
def request_new_domain(request, form, is_new_user=True):
now = datetime.utcnow()
current_user = CouchUser.from_django_user(request.user, strict=True)
dom_req = RegistrationRequest()
if is_new_user:
dom_req.request_time = now
dom_req.request_ip = get_ip(request)
dom_req.activation_guid = uuid.uuid1().hex
project_name = form.cleaned_data.get('hr_name') or form.cleaned_data.get(
'project_name')
name = name_to_url(project_name, "project")
with CriticalSection(['request_domain_name_{}'.format(name)]):
name = Domain.generate_name(name)
new_domain = Domain(name=name,
hr_name=project_name,
is_active=False,
date_created=datetime.utcnow(),
creating_user=current_user.username,
secure_submissions=True,
use_sql_backend=True,
first_domain_for_user=is_new_user)
# Avoid projects created by dimagi.com staff members as self started
new_domain.internal.self_started = not current_user.is_dimagi
if form.cleaned_data.get('domain_timezone'):
new_domain.default_timezone = form.cleaned_data['domain_timezone']
if not is_new_user:
new_domain.is_active = True
# ensure no duplicate domain documents get created on cloudant
new_domain.save(**get_safe_write_kwargs())
if not new_domain.name:
new_domain.name = new_domain._id
new_domain.save() # we need to get the name from the _id
with transaction.atomic():
if is_new_user:
# Only new-user domains are eligible for Advanced trial
# domains with no subscription are equivalent to be on free Community plan
create_30_day_advanced_trial(new_domain, current_user.username)
else:
ensure_explicit_community_subscription(
new_domain.name,
date.today(),
SubscriptionAdjustmentMethod.USER,
web_user=current_user.username,
)
UserRole.init_domain_with_presets(new_domain.name)
# add user's email as contact email for billing account for the domain
account = BillingAccount.get_account_by_domain(new_domain.name)
billing_contact, _ = BillingContactInfo.objects.get_or_create(
account=account)
billing_contact.email_list = [current_user.email]
billing_contact.save()
dom_req.domain = new_domain.name
if request.user.is_authenticated:
if not current_user:
current_user = WebUser()
current_user.sync_from_django_user(request.user)
current_user.save()
current_user.add_domain_membership(new_domain.name, is_admin=True)
current_user.save()
dom_req.requesting_user_username = request.user.username
dom_req.new_user_username = request.user.username
if is_new_user:
dom_req.save()
if settings.IS_SAAS_ENVIRONMENT:
# Load template apps to the user's new domain in parallel
from corehq.apps.app_manager.tasks import load_appcues_template_app
header = [
load_appcues_template_app.si(new_domain.name,
current_user.username, slug)
for slug in APPCUES_APP_SLUGS
]
callback = send_domain_registration_email.si(
request.user.email, dom_req.domain, dom_req.activation_guid,
request.user.get_full_name(), request.user.first_name)
chord(header)(callback)
else:
send_domain_registration_email(request.user.email, dom_req.domain,
dom_req.activation_guid,
request.user.get_full_name(),
request.user.first_name)
send_new_request_update_email(request.user,
get_ip(request),
new_domain.name,
is_new_user=is_new_user)
send_hubspot_form(HUBSPOT_CREATED_NEW_PROJECT_SPACE_FORM_ID, request)
return new_domain.name
def handle(self, **options):
for domain_obj in Domain.get_all():
UserRole.get_or_create_with_permissions(
domain_obj.name,
UserRolePresets.get_permissions(UserRolePresets.BILLING_ADMIN),
UserRolePresets.BILLING_ADMIN)
def setUpClass(cls):
super(TestMprAsrLocationFilter, cls).setUpClass()
cls.domain = create_domain('icds-location-test')
domain_name = cls.domain.name
cls.domain_name = domain_name
location_types = [
'state',
'district',
'block',
'supervisor',
'awc'
]
previous_parent = None
for location_type in location_types:
previous_parent = LocationType.objects.create(
domain=domain_name,
name=location_type,
parent_type=previous_parent
)
cls.state = SQLLocation.objects.create(
name='Test State',
domain=domain_name,
location_type=LocationType.objects.get(domain=domain_name, name='state')
)
cls.state2 = SQLLocation.objects.create(
name='Test State2',
domain=domain_name,
location_type=LocationType.objects.get(domain=domain_name, name='state')
)
cls.district = SQLLocation.objects.create(
name='Test District',
domain=domain_name,
location_type=LocationType.objects.get(domain=domain_name, name='district'),
parent=cls.state,
)
cls.block = SQLLocation.objects.create(
name='Test Block',
domain=domain_name,
location_type=LocationType.objects.get(domain=domain_name, name='block'),
parent=cls.district
)
cls.supervisor = SQLLocation.objects.create(
name='Test Supervisor',
domain=domain_name,
location_type=LocationType.objects.get(domain=domain_name, name='supervisor'),
parent=cls.block
)
cls.awc = SQLLocation.objects.create(
name='Test AWC',
domain=domain_name,
location_type=LocationType.objects.get(domain=domain_name, name='awc'),
parent=cls.supervisor
)
cls.role = UserRole(domain=domain_name, name='demo', permissions=Permissions(access_all_locations=False))
cls.role.save()
cls.mobile_user = CommCareUser.create(domain_name, 'test_user', 'test_password', None, None)
cls.mobile_user.set_location(cls.block)
cls.mobile_user.set_role(domain_name, cls.role.get_qualified_id())
cls.mobile_user.save()
cls.national_user = CommCareUser.create(domain_name, 'test_user_national', 'test_password', None, None)
cls.national_user.save()
def update_all_roles():
all_role_ids = get_doc_ids_by_class(UserRole)
iter_update(UserRole.get_db(), update_role, with_progress_bar(all_role_ids), verbose=True)
def num_location_restricted_roles(domain):
roles = [r for r in UserRole.by_domain(domain)
if not r.permissions.access_all_locations]
return len(roles)
def num_custom_roles(domain):
custom_roles = [r for r in UserRole.get_custom_roles_by_domain(domain) if not r.is_archived]
return len(custom_roles)
def setUpClass(cls):
cls.domain = initial_bootstrap(TEST_DOMAIN)
db = get_db()
if db.doc_exist(DOMAIN_MODULE_KEY):
module_config = db.open_doc(DOMAIN_MODULE_KEY)
module_map = module_config.get('module_map')
if module_map:
module_map[TEST_DOMAIN] = 'custom.ewsghana'
else:
module_config['module_map'][TEST_DOMAIN] = 'custom.ewsghana'
else:
module_config = db.save_doc({
'_id': DOMAIN_MODULE_KEY,
'module_map': {
'ewsghana-test-input-stock': 'custom.ewsghana'
}
})
db.save_doc(module_config)
generator.instantiate_accounting_for_tests()
account = BillingAccount.get_or_create_account_by_domain(
cls.domain.name,
created_by="automated-test",
)[0]
plan = DefaultProductPlan.get_default_plan_by_domain(
cls.domain, edition=SoftwarePlanEdition.ENTERPRISE)
subscription = Subscription.new_domain_subscription(
account, cls.domain.name, plan)
subscription.is_active = True
subscription.save()
cls.endpoint = MockEndpoint('http://test-api.com/', 'dummy', 'dummy')
cls.api_object = EWSApi(TEST_DOMAIN, cls.endpoint)
cls.api_object.prepare_commtrack_config()
cls.api_object.prepare_custom_fields()
cls.datapath = os.path.join(os.path.dirname(__file__), 'data')
with open(os.path.join(cls.datapath, 'sample_products.json')) as f:
for p in json.loads(f.read()):
cls.api_object.product_sync(Product(p))
with open(os.path.join(cls.datapath, 'sample_locations.json')) as f:
for loc in json.loads(f.read()):
cls.api_object.location_sync(Location(loc))
cls.test_facility3 = SQLLocation.objects.get(domain=TEST_DOMAIN,
site_code='tsactive')
cls.testregion2 = SQLLocation.objects.get(domain=TEST_DOMAIN,
site_code='testregion2')
cls.rsp = SQLLocation.objects.get(domain=TEST_DOMAIN, site_code='rsp')
cls.test_district = SQLLocation.objects.get(domain=TEST_DOMAIN,
site_code='testdistrict')
cls.username1 = 'ews_user1'
cls.password1 = 'dummy'
cls.web_user1 = WebUser.create(TEST_DOMAIN, cls.username1,
cls.password1)
cls.web_user1.eula.signed = True
cls.web_user1.save()
cls.username2 = 'ews_user2'
cls.password2 = 'dummy'
cls.web_user2 = WebUser.create(TEST_DOMAIN, cls.username2,
cls.password2)
cls.web_user2.get_domain_membership(
TEST_DOMAIN).location_id = cls.test_facility3.location_id
cls.web_user2.eula.signed = True
cls.web_user2.save()
cls.username3 = 'ews_user3'
cls.password3 = 'dummy'
cls.web_user3 = WebUser.create(TEST_DOMAIN, cls.username3,
cls.password3)
cls.web_user3.get_domain_membership(
TEST_DOMAIN).location_id = cls.testregion2.location_id
cls.web_user3.eula.signed = True
cls.web_user3.save()
cls.username4 = 'ews_user4'
cls.password4 = 'dummy'
cls.web_user4 = WebUser.create(TEST_DOMAIN, cls.username4,
cls.password4)
cls.web_user4.get_domain_membership(
TEST_DOMAIN).location_id = cls.rsp.location_id
cls.web_user4.eula.signed = True
cls.web_user4.save()
cls.username5 = 'ews_user5'
cls.password5 = 'dummy'
cls.web_user5 = WebUser.create(TEST_DOMAIN, cls.username5,
cls.password5)
domain_membership = cls.web_user5.get_domain_membership(TEST_DOMAIN)
domain_membership.location_id = cls.test_district.location_id
domain_membership.role_id = UserRole.get_read_only_role_by_domain(
cls.domain.name).get_id
cls.web_user5.eula.signed = True
cls.web_user5.save()
cls.ad = SQLProduct.objects.get(domain=TEST_DOMAIN, code='ad')
cls.al = SQLProduct.objects.get(domain=TEST_DOMAIN, code='al')
cls.client = Client()
def main_context(self):
contacts = CommCareUser.by_domain(self.domain, reduce=True)
web_users = WebUser.by_domain(self.domain)
web_users_admins = web_users_read_only = 0
facilities = SQLLocation.objects.filter(
domain=self.domain, location_type__name__iexact='FACILITY')
admin_role_list = UserRole.by_domain_and_name(self.domain,
'Administrator')
if admin_role_list:
admin_role = admin_role_list[0]
else:
admin_role = None
for web_user in web_users:
dm = web_user.get_domain_membership(self.domain)
if admin_role and dm.role_id == admin_role.get_id:
web_users_admins += 1
else:
web_users_read_only += 1
main_context = super(GlobalStats, self).main_context
entities_reported_stock = SQLLocation.objects.filter(
domain=self.domain, location_type__administrative=False).count()
context = {
'root_name':
self.root_name,
'country':
SQLLocation.objects.filter(
domain=self.domain,
location_type__name__iexact=self.root_name).count(),
'region':
SQLLocation.objects.filter(
domain=self.domain,
location_type__name__iexact='region').count(),
'district':
SQLLocation.objects.filter(
domain=self.domain,
location_type__name__iexact='district').count(),
'entities_reported_stock':
entities_reported_stock,
'facilities':
len(facilities),
'contacts':
contacts[0]['value'] if contacts else 0,
'web_users':
len(web_users),
'web_users_admins':
web_users_admins,
'web_users_read_only':
web_users_read_only,
'products':
SQLProduct.objects.filter(domain=self.domain,
is_archived=False).count(),
'product_stocks':
StockState.objects.filter(sql_product__domain=self.domain).count(),
'stock_transactions':
StockTransaction.objects.filter(
report__domain=self.domain).count(),
'inbound_messages':
SMS.count_by_domain(self.domain, direction=INCOMING),
'outbound_messages':
SMS.count_by_domain(self.domain, direction=OUTGOING),
}
if self.show_supply_point_types:
counts = SQLLocation.objects.values('location_type__name').filter(
domain=self.domain).annotate(
Count('location_type')).order_by('location_type__name')
context['location_types'] = counts
main_context.update(context)
return main_context
def _handle_user_form(request, domain, couch_user=None):
context = {}
if couch_user:
create_user = False
else:
create_user = True
can_change_admin_status = (
(request.user.is_superuser
or request.couch_user.can_edit_web_users(domain=domain))
and request.couch_user.user_id != couch_user.user_id)
if couch_user.is_commcare_user():
role_choices = UserRole.commcareuser_role_choices(domain)
else:
role_choices = UserRole.role_choices(domain)
results = get_db().view('languages/list',
startkey=[domain],
endkey=[domain, {}],
group='true').all()
language_choices = []
if results:
for result in results:
lang_code = result['key'][1]
label = result['key'][1]
long_form = langcodes.get_name(lang_code)
if long_form:
label += " (" + langcodes.get_name(lang_code) + ")"
language_choices.append((lang_code, label))
else:
language_choices = langcodes.get_all_langs_for_select()
if request.method == "POST" and request.POST['form_type'] == "basic-info":
if couch_user.is_commcare_user():
form = UserForm(request.POST,
role_choices=role_choices,
language_choices=language_choices)
else:
form = WebUserForm(request.POST,
role_choices=role_choices,
language_choices=language_choices)
if form.is_valid():
if create_user:
django_user = User()
django_user.username = form.cleaned_data['email']
django_user.save()
couch_user = CouchUser.from_django_user(django_user)
if couch_user.is_current_web_user(
request) or couch_user.is_commcare_user():
couch_user.first_name = form.cleaned_data['first_name']
couch_user.last_name = form.cleaned_data['last_name']
couch_user.email = form.cleaned_data['email']
if not couch_user.is_commcare_user():
couch_user.email_opt_in = form.cleaned_data['email_opt_in']
couch_user.language = form.cleaned_data['language']
if can_change_admin_status:
role = form.cleaned_data['role']
if role:
couch_user.set_role(domain, role)
couch_user.save()
if request.couch_user.get_id == couch_user.get_id and couch_user.language:
# update local language in the session
request.session['django_language'] = couch_user.language
messages.success(
request, 'Changes saved for user "%s"' % couch_user.username)
else:
form = UserForm(role_choices=role_choices,
language_choices=language_choices)
if couch_user.is_commcare_user():
form = UserForm(role_choices=role_choices,
language_choices=language_choices)
else:
form = WebUserForm(role_choices=role_choices,
language_choices=language_choices)
if not create_user:
form.initial['first_name'] = couch_user.first_name
form.initial['last_name'] = couch_user.last_name
form.initial['email'] = couch_user.email
form.initial['email_opt_in'] = couch_user.email_opt_in
form.initial['language'] = couch_user.language
if can_change_admin_status:
if couch_user.is_commcare_user():
role = couch_user.get_role(domain)
if role is None:
initial = "none"
else:
initial = role.get_qualified_id()
form.initial['role'] = initial
else:
form.initial['role'] = couch_user.get_role(
domain, include_teams=False).get_qualified_id() or ''
if not can_change_admin_status:
del form.fields['role']
context.update({
"form":
form,
"current_users_page":
couch_user.is_current_web_user(request)
})
return context
def user_role_choices(self):
return UserRole.role_choices(self.domain)
def setUpClass(cls):
super(AllCommCareUsersTest, cls).setUpClass()
delete_all_users()
hard_delete_deleted_users()
cls.ccdomain = Domain(name='cc_user_domain')
cls.ccdomain.save()
cls.other_domain = Domain(name='other_domain')
cls.other_domain.save()
bootstrap_location_types(cls.ccdomain.name)
UserRole.init_domain_with_presets(cls.ccdomain.name)
cls.user_roles = UserRole.by_domain(cls.ccdomain.name)
cls.custom_role = UserRole.get_or_create_with_permissions(
cls.ccdomain.name,
Permissions(
edit_apps=True,
edit_web_users=True,
view_web_users=True,
view_roles=True,
), "Custom Role")
cls.custom_role.save()
cls.loc1 = make_loc('spain', domain=cls.ccdomain.name, type="district")
cls.loc2 = make_loc('madagascar',
domain=cls.ccdomain.name,
type="district")
cls.ccuser_1 = CommCareUser.create(
domain=cls.ccdomain.name,
username='******',
password='******',
created_by=None,
created_via=None,
email='*****@*****.**',
)
cls.ccuser_1.set_location(cls.loc1)
cls.ccuser_1.save()
cls.ccuser_2 = CommCareUser.create(
domain=cls.ccdomain.name,
username='******',
password='******',
created_by=None,
created_via=None,
email='*****@*****.**',
)
cls.ccuser_2.set_role(cls.ccdomain.name,
cls.custom_role.get_qualified_id())
cls.ccuser_2.set_location(cls.loc2)
cls.ccuser_2.save()
cls.web_user = WebUser.create(
domain=cls.ccdomain.name,
username='******',
password='******',
created_by=None,
created_via=None,
email='*****@*****.**',
)
cls.ccuser_other_domain = CommCareUser.create(
domain=cls.other_domain.name,
username='******',
password='******',
created_by=None,
created_via=None,
email='*****@*****.**',
)
cls.retired_user = CommCareUser.create(
domain=cls.ccdomain.name,
username='******',
password='******',
created_by=None,
created_via=None,
email='*****@*****.**',
)
cls.retired_user.retire()
def user_role_choices(self):
return UserRole.commcareuser_role_choices(self.domain)
def initialize_domain_with_default_roles(domain):
"""Outside of tests this is only called when creating a new domain"""
for role_name in UserRolePresets.INITIAL_ROLES:
UserRole.create(domain, role_name, permissions=UserRolePresets.get_permissions(role_name))
include_docs=True,
wrapper=wrap_user,
).all()
role_ids = set([])
for user in filter(lambda u: u is not None, users):
# if we use bulk save, django user doesn't get sync'd
domain_membership = user.get_domain_membership(domain.name)
if domain_membership and domain_membership.role_id:
role_ids.add(user.domain_membership.role_id)
user.save(force_update=True)
print 'copying %s roles' % len(role_ids)
for i, subset in enumerate(chunked(role_ids, CHUNK_SIZE)):
roles = [
UserRole.wrap(role['doc']) for role in sourcedb.all_docs(
keys=list(subset),
include_docs=True,
)
]
self.lenient_bulk_save(UserRole, roles)
if options['include_sync_logs']:
print 'copying sync logs'
for user_id in user_ids:
log_ids = [
res['id']
for res in sourcedb.view("phone/sync_logs_by_user",
startkey=[user_id, {}],
endkey=[user_id],
descending=True,
def setUpTestData(cls):
cls.role = UserRole(
domain=cls.domain,
name="role1",
)
cls.role.save()
