def set_user_permission_doctypes(doctype, role, apply_user_permissions, user_permission_doctypes):
	"""Switch on user permissions for ``role`` on ``doctype`` at permlevel 0.

	``user_permission_doctypes`` is written JSON-encoded, or as ``None`` when
	it is empty or otherwise falsy. The cache for ``doctype`` is cleared after
	both values have been written.
	"""
	# NOTE(review): ``apply_user_permissions`` is accepted but never read; the
	# flag below is always written as 1, so a caller passing 0 still gets user
	# permissions enabled for the role.
	if user_permission_doctypes:
		encoded_doctypes = json.dumps(user_permission_doctypes)
	else:
		encoded_doctypes = None

	for fieldname, value in (
		('apply_user_permissions', 1),
		('user_permission_doctypes', encoded_doctypes),
	):
		update(doctype, role, 0, fieldname, value)

	frappe.clear_cache(doctype=doctype)
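	def test_nested_permission(self):
		"""A user permission on one folder must cover its descendants and nothing else.

		Builds two folder trees under ``Home``, grants the test user a user
		permission on ``Home/level1-A`` only, and checks that a ``File`` query
		run as that user lists the folders below ``level1-A`` and none of the
		folders in the ``level1-B`` tree.
		"""
		from frappe.core.doctype.file.file import create_new_folder
		from frappe.core.page.permission_manager.permission_manager import update

		clear_user_permissions_for_doctype("File")
		delete_test_file_hierarchy()  # delete already existing folders
		frappe.set_user('Administrator')

		create_new_folder('level1-A', 'Home')
		create_new_folder('level2-A', 'Home/level1-A')
		create_new_folder('level2-B', 'Home/level1-A')
		create_new_folder('level3-A', 'Home/level1-A/level2-A')

		create_new_folder('level1-B', 'Home')
		create_new_folder('level2-A', 'Home/level1-B')

		# user permission for only one root folder
		add_user_permission('File', 'Home/level1-A', '*****@*****.**')

		update('File', 'All', 0, 'if_owner', 0)  # to avoid if_owner filter

		# Everything after the if_owner change runs under try/finally so that a
		# failing assertion cannot leave the relaxed rule or the restricted
		# session behind for the tests that run next.
		try:
			frappe.set_user('*****@*****.**')
			data = DatabaseQuery("File").execute()

			# children of root folder (for which we added user permission) should be accessible
			self.assertIn({"name": "Home/level1-A/level2-A"}, data)
			self.assertIn({"name": "Home/level1-A/level2-B"}, data)
			self.assertIn({"name": "Home/level1-A/level2-A/level3-A"}, data)

			# other folders should not be accessible
			self.assertNotIn({"name": "Home/level1-B"}, data)
			# The only child created under level1-B is level2-A; asserting on
			# "level1-B/level2-B" checked a folder this test never creates, so
			# that negative check could not fail.
			self.assertNotIn({"name": "Home/level1-B/level2-A"}, data)
		finally:
			update('File', 'All', 0, 'if_owner', 1)
			frappe.set_user('Administrator')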
	def if_owner_setup(self):
		"""Set ``if_owner`` on the Blogger rule for Blog Post and add two user permissions.

		The test user receives a user permission for one Blog Category and one
		Blogger record; the Blog Post cache is cleared at the end.
		"""
		update('Blog Post', 'Blogger', 0, 'if_owner', 1)

		grants = (
			("Blog Category", "_Test Blog Category 1"),
			("Blogger", "_Test Blogger 1"),
		)
		for permitted_doctype, permitted_name in grants:
			add_user_permission(permitted_doctype, permitted_name, "*****@*****.**")

		frappe.clear_cache(doctype="Blog Post")
	def if_owner_setup(self):
		"""Prepare the Blogger rule on Blog Post for the ``if_owner`` tests.

		Sets ``if_owner`` at permlevel 0, adds user permissions for one Blog
		Category and one Blogger record, limits ``user_permission_doctypes`` to
		Blog Category and clears the cached Blog Post meta.
		"""
		update('Blog Post', 'Blogger', 0, 'if_owner', 1)

		user_email = "*****@*****.**"
		add_user_permission("Blog Category", "_Test Blog Category 1", user_email)
		add_user_permission("Blogger", "_Test Blogger 1", user_email)

		# Stored as a JSON list, the same encoding the permission rule is read back in.
		applicable_doctypes = json.dumps(["Blog Category"])
		update('Blog Post', 'Blogger', 0, 'user_permission_doctypes', applicable_doctypes)

		frappe.model.meta.clear_cache("Blog Post")
	def if_owner_setup(self):
		"""Configure owner-only access for Blogger on Blog Post plus two user permissions.

		After the ``if_owner`` flag and the user permissions are written, the
		rule's ``user_permission_doctypes`` is set to a JSON list holding only
		Blog Category, and the Blog Post meta cache is dropped.
		"""
		rule = ('Blog Post', 'Blogger', 0)
		update(*rule, 'if_owner', 1)

		for permitted_doctype, permitted_name in (
			("Blog Category", "_Test Blog Category 1"),
			("Blogger", "_Test Blogger 1"),
		):
			add_user_permission(permitted_doctype, permitted_name, "*****@*****.**")

		update(*rule, 'user_permission_doctypes', json.dumps(["Blog Category"]))

		frappe.model.meta.clear_cache("Blog Post")
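    def test_fieldlevel_permissions_in_load(self):
        """Check that ``getdoc`` withholds a permlevel-1 field from a user without that level.

        The test user's Website Manager role is swapped for Blogger and the
        ``published`` field of Blog Post is moved to permlevel 1, so the loaded
        document must come back with ``published`` unset. The field is then
        moved back to permlevel 0 and the same load must return ``published``
        equal to 1.
        """
        user = frappe.get_doc('User', '*****@*****.**')
        # NOTE(review): this role swap is not undone anywhere in this method.
        user.remove_roles('Website Manager')
        user.add_roles('Blogger')
        reset('Blog Post')

        frappe.db.set_value('DocField', {
            'fieldname': 'published',
            'parent': 'Blog Post'
        }, 'permlevel', 1)

        update('Blog Post', 'Website Manager', 0, 'permlevel', 1)

        # Outer finally: never leave the session on the restricted user.
        # Inner finally: never leave ``published`` at permlevel 1, even when the
        # first set of assertions fails.
        try:
            try:
                frappe.set_user(user.name)

                frappe.clear_cache(doctype='Blog Post')

                blog = frappe.db.get_value('Blog Post', {'title': '_Test Blog Post'})

                getdoc('Blog Post', blog)

                checked = False
                for doc in frappe.response.docs:
                    if doc.name == blog:
                        self.assertIsNone(doc.published)
                        checked = True

                # Guards against a vacuous pass when the post is missing from
                # the response. The original passed ``True`` as the failure
                # message argument, which had no effect.
                self.assertTrue(checked)
            finally:
                frappe.db.set_value('DocField', {
                    'fieldname': 'published',
                    'parent': 'Blog Post'
                }, 'permlevel', 0)

                reset('Blog Post')

                frappe.clear_cache(doctype='Blog Post')

            frappe.response.docs = []
            getdoc('Blog Post', blog)

            checked = False
            for doc in frappe.response.docs:
                if doc.name == blog:
                    self.assertEqual(doc.published, 1)
                    checked = True

            self.assertTrue(checked)
        finally:
            frappe.set_user('Administrator')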
def set_user_permission_doctypes(doctypes, role, apply_user_permissions,
	user_permission_doctypes):
	"""Switch on user permissions for ``role`` on one or several DocTypes.

	``doctypes`` may be a single name or an iterable of names. For each one the
	permlevel-0 rule of ``role`` gets ``apply_user_permissions`` set to 1 and
	``user_permission_doctypes`` set to the JSON-encoded list (``None`` when
	the list is empty or falsy); the DocType's cache is then cleared.
	"""
	# NOTE(review): ``apply_user_permissions`` is accepted but never read; the
	# flag is always written as 1 regardless of what the caller passes.
	encoded_doctypes = json.dumps(user_permission_doctypes) if user_permission_doctypes else None

	targets = [doctypes] if isinstance(doctypes, string_types) else doctypes

	for target in targets:
		update(target, role, 0, 'apply_user_permissions', 1)
		update(target, role, 0, 'user_permission_doctypes', encoded_doctypes)

		frappe.clear_cache(doctype=target)
def set_user_permission_doctypes(doctypes, role, apply_user_permissions,
	user_permission_doctypes):
	"""Enable user permissions for ``role`` on each DocType in ``doctypes``.

	A single DocType name is treated as a one-element list. Every DocType gets
	``apply_user_permissions`` = 1 and the JSON-encoded
	``user_permission_doctypes`` (or ``None`` when that argument is falsy) on
	its permlevel-0 rule, followed by a cache clear for that DocType.
	"""
	# NOTE(review): the ``apply_user_permissions`` argument is unused; 1 is
	# hard-coded below, so the helper cannot be used to switch the flag off.
	serialized = None
	if user_permission_doctypes:
		serialized = json.dumps(user_permission_doctypes)

	if isinstance(doctypes, string_types):
		doctype_names = [doctypes]
	else:
		doctype_names = doctypes

	for doctype_name in doctype_names:
		for fieldname, value in (
			('apply_user_permissions', 1),
			('user_permission_doctypes', serialized),
		):
			update(doctype_name, role, 0, fieldname, value)

		frappe.clear_cache(doctype=doctype_name)
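	def test_fieldlevel_permissions_in_load(self):
		"""Check that ``getdoc`` withholds a permlevel-1 field from a user without that level.

		The test user's Website Manager role is swapped for Blogger and the
		``published`` field of Blog Post is moved to permlevel 1, so the loaded
		document must come back with ``published`` unset. The field is then
		moved back to permlevel 0 and the same load must return ``published``
		equal to 1.
		"""
		user = frappe.get_doc('User', '*****@*****.**')
		# NOTE(review): this role swap is not undone anywhere in this method.
		user.remove_roles('Website Manager')
		user.add_roles('Blogger')
		reset('Blog Post')

		# Both statements are fixed strings with no interpolated input.
		frappe.db.sql('update tabDocField set permlevel=1 where fieldname="published" and parent="Blog Post"')

		update('Blog Post', 'Website Manager', 0, 'permlevel', 1)

		# Outer finally: never leave the session on the restricted user.
		# Inner finally: never leave ``published`` at permlevel 1, even when the
		# first set of assertions fails.
		try:
			try:
				frappe.set_user(user.name)

				frappe.clear_cache(doctype='Blog Post')

				blog = frappe.db.get_value('Blog Post', {'title': '_Test Blog Post'})

				getdoc('Blog Post', blog)

				checked = False
				for doc in frappe.response.docs:
					if doc.name == blog:
						# ``assertEquals`` is a deprecated alias that newer
						# unittest versions no longer provide.
						self.assertIsNone(doc.published)
						checked = True

				# Guards against a vacuous pass when the post is missing from
				# the response. The original passed ``True`` as the failure
				# message argument, which had no effect.
				self.assertTrue(checked)
			finally:
				frappe.db.sql('update tabDocField set permlevel=0 where fieldname="published" and parent="Blog Post"')
				reset('Blog Post')

				frappe.clear_cache(doctype='Blog Post')

			frappe.response.docs = []
			getdoc('Blog Post', blog)

			checked = False
			for doc in frappe.response.docs:
				if doc.name == blog:
					self.assertEqual(doc.published, 1)
					checked = True

			self.assertTrue(checked)
		finally:
			frappe.set_user('Administrator')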
    def test_fieldlevel_permissions_in_load_for_child_table(self):
        """Check that a permlevel-1 child-table field can only be changed with write access at that level.

        The ``phone`` field of Contact Phone is moved to permlevel 1 and only
        Sales User is given write access at permlevel 1 on Contact. A save by a
        user holding just Accounts User must leave the phone number as it was;
        once the user also holds Sales User the same edit must be stored.
        """
        # Fixture: one contact with a single phone row.
        contact = frappe.new_doc("Contact")
        contact.first_name = "_Test Contact 1"
        contact.append("phone_nos", {"phone": "123456"})
        contact.insert()

        user = frappe.get_doc("User", "*****@*****.**")

        # NOTE(review): get_roles() is called without a user argument, so this
        # looks like the session user's role list rather than ``user``'s. It is
        # later used both to strip and to restore ``user``'s roles; confirm
        # that is intended.
        user_roles = frappe.get_roles()
        user.remove_roles(*user_roles)
        user.add_roles("Accounts User")

        # Move the child field to permlevel 1 and grant permlevel-1 write on
        # Contact to Sales User only.
        # NOTE(review): nothing in this method reverts the property setter or
        # the added Sales User rule; presumably other fixtures or a tearDown
        # handle that. Verify.
        make_property_setter("Contact Phone", "phone", "permlevel", 1, "Int")
        reset("Contact Phone")
        add("Contact", "Sales User", 1)
        update("Contact", "Sales User", 1, "write", 1)

        frappe.set_user(user.name)

        contact = frappe.get_doc("Contact", "_Test Contact 1")

        # Edit attempted without the Sales User role.
        contact.phone_nos[0].phone = "654321"
        contact.save()

        # The assertion expects the in-memory document to carry the old value
        # again after save(), i.e. the edit was not accepted.
        self.assertEqual(contact.phone_nos[0].phone, "123456")

        # Grant the role as Administrator, then switch back to the test user.
        frappe.set_user("Administrator")
        user.add_roles("Sales User")
        frappe.set_user(user.name)

        contact.phone_nos[0].phone = "654321"
        contact.save()

        # Reload from the database so the check does not rely on the in-memory copy.
        contact = frappe.get_doc("Contact", "_Test Contact 1")
        self.assertEqual(contact.phone_nos[0].phone, "654321")

        # Cleanup below runs only when every assertion above passed; a failure
        # leaves the session user, the role changes and the contact in place.
        frappe.set_user("Administrator")

        # reset user roles
        user.remove_roles("Accounts User", "Sales User")
        user.add_roles(*user_roles)

        contact.delete()
	def test_if_owner_permission_overrides_properly(self):
		"""Check that an ``if_owner`` rule and a plain rule for the same role combine correctly.

		With both rules in place, a user who does not own a Blog Post is
		expected to be able to read it but not write or delete it, while the
		owner keeps read, write and delete.
		"""
		# NOTE(review): the user addresses are masked in this listing, so which
		# account is the owner and which is the non-owner can only be taken
		# from the comments, not from the literals.

		# Make the Blogger rule at permlevel 0 owner-only and give it read,
		# write and delete, so these rights apply only to documents the user owns.
		update('Blog Post', 'Blogger', 0, 'if_owner', 1)
		update('Blog Post', 'Blogger', 0, 'read', 1)
		update('Blog Post', 'Blogger', 0, 'write', 1)
		update('Blog Post', 'Blogger', 0, 'delete', 1)

		# currently test2 user has not created any document
		# still he should be able to do get_list query which should
		# not raise permission error but simply return empty list
		frappe.set_user("*****@*****.**")
		self.assertEqual(frappe.get_list('Blog Post'), [])

		frappe.set_user("Administrator")

		# creates a custom docperm with just read access
		# now any user can read any blog post (but other rights are limited to the blog post owner)
		# NOTE(review): add_permission is not shown here; that it grants read
		# only is taken from the comment above. The added rule is not removed
		# in this method.
		add_permission('Blog Post', 'Blogger')
		frappe.clear_cache(doctype="Blog Post")

		# Remove any post left over from an earlier run before creating a new one.
		frappe.delete_doc('Blog Post', '-test-blog-post-title')

		frappe.set_user("*****@*****.**")

		doc = frappe.get_doc({
			"doctype": "Blog Post",
			"blog_category": "_Test Blog Category",
			"blogger": "_Test Blogger 1",
			"title": "_Test Blog Post Title",
			"content": "_Test Blog Post Content"
		})

		doc.insert()

		# Reload as the other user: read is expected through the plain rule,
		# write and delete must be refused because this user is not the owner.
		frappe.set_user("*****@*****.**")
		doc = frappe.get_doc(doc.doctype, doc.name)

		self.assertTrue(doc.has_permission("read"))
		self.assertFalse(doc.has_permission("write"))
		self.assertFalse(doc.has_permission("delete"))

		# check if owner of the doc has the access that is available only for the owner of the doc
		frappe.set_user("*****@*****.**")
		doc = frappe.get_doc(doc.doctype, doc.name)

		self.assertTrue(doc.has_permission("read"))
		self.assertTrue(doc.has_permission("write"))
		self.assertTrue(doc.has_permission("delete"))

		# delete the created doc
		# NOTE(review): the method ends without switching the session back to
		# Administrator, and the cleanup is skipped when an assertion fails;
		# presumably tearDown restores the session. Confirm.
		frappe.delete_doc('Blog Post', '-test-blog-post-title')