def validate_headers_for_put_or_delete(self, obj):
"""Check ETAG for internal request and skip for external."""
if login.is_external_app_user():
return None
return super(
ExternalInternalResource, self
).validate_headers_for_put_or_delete(obj)
def validate_relation_by_type(cls, source_type, destination_type):
"""Checks if a mapping is allowed between given types."""
if is_external_app_user():
# external users can map and unmap scoping objects
return
from ggrc.models import all_models
scoping_models_names = all_models.get_scope_model_names()
# Check Regulation and Standard
if cls._check_relation_types_group(source_type, destination_type,
scoping_models_names,
("Regulation", "Standard")):
raise ValidationError(
u"You do not have the necessary permissions to map and unmap "
u"scoping objects to directives in this application. Please "
u"contact your administrator if you have any questions.")
# Check Control
control_external_only_mappings = set(scoping_models_names)
control_external_only_mappings.update(("Regulation", "Standard"))
if cls._check_relation_types_group(source_type, destination_type,
control_external_only_mappings,
("Control", )):
raise ValidationError(
u"You do not have the necessary permissions to map and unmap "
u"controls to scoping objects, standards and regulations in this "
u"application. Please contact your administrator "
u"if you have any questions.")
def update(self, obj, json_obj):
"""Update the state represented by ``obj`` to be equivalent to the state
represented by the JSON dictionary ``json_obj``.
"""
attrs = set(self._update_attrs)
is_external = is_external_app_user()
if isinstance(obj, Synchronizable):
sync_attrs = obj.get_sync_attrs()
attrs.update(sync_attrs)
if is_external and isinstance(obj, WithProtectedAttributes):
attrs.difference_update(obj.get_protected_attributes())
if not is_external and isinstance(obj, WithReadOnlyAccess):
# attribute 'readonly' have to be ignored for non-external users
if 'readonly' in json_obj:
logger.debug("'readonly=%r' is specified for non-external user in "
"json. Removing this attribute from json to "
"ensure that default value is used")
del json_obj['readonly']
if isinstance(obj, WithExtCustomAttrsSetter):
self._handle_cav_for_readonly(json_obj, attrs, is_external)
self.do_update_attrs(obj, json_obj, attrs)
def create(self, obj, json_obj):
"""Update the state of the new model object ``obj`` to be equivalent to the
state represented by the JSON dictionary ``json_obj``.
"""
attrs = set(self._create_attrs)
is_external = is_external_app_user()
if isinstance(obj, Synchronizable):
sync_attrs = obj.get_sync_attrs()
attrs.update(sync_attrs)
if not is_external and isinstance(obj, WithReadOnlyAccess):
# attribute 'readonly' have to be ignored for non-external users
if 'readonly' in json_obj:
logger.debug(
"'readonly=%r' is specified for non-external user in "
"json. Removing this attribute from json to "
"ensure that existing value is used")
del json_obj['readonly']
if isinstance(obj, WithExtCustomAttrsSetter):
self._handle_cav_for_readonly(json_obj, attrs, is_external)
self.do_update_attrs(obj, json_obj, attrs)
def test_anonymous_user(self, current_user_mock): """Currently logged in user is anonymous.""" user_mock = mock.MagicMock() user_mock.is_anonymous.return_value = True current_user_mock.return_value = user_mock self.assertFalse(login.is_external_app_user()) current_user_mock.assert_called_once_with() user_mock.is_anonymous.assert_called_once_with()
def dispatch_request(self, *args, **kwargs):
"""Handle validation errors."""
if not login.is_external_app_user():
raise exceptions.Forbidden()
try:
return super(UnmapObjectsView, self).dispatch_request(*args, **kwargs)
except ValueError as exc:
raise exceptions.BadRequest(exc.message)
def test_external_user(self, current_user_mock, is_external_email_mock):
"""Currently logged in user is external app."""
user_mock = mock.MagicMock()
user_mock.email = '*****@*****.**'
user_mock.is_anonymous.return_value = False
current_user_mock.return_value = user_mock
is_external_email_mock.return_value = True
self.assertTrue(login.is_external_app_user())
current_user_mock.assert_called_once_with()
user_mock.is_anonymous.assert_called_once_with()
is_external_email_mock.assert_called_once_with('*****@*****.**')
def post(self):
"""handler of POST method"""
if login.is_external_app_user():
raise exceptions.Forbidden()
is_modified = self._perform_request()
if is_modified:
# create revision and commit changes
log_event(db.session)
db.session.commit()
return "Success", 200
def load_external_app_permissions(permissions):
"""Adds external application permissions if user is EXTERNAL_APP_USER.
Args:
permissions (dict): dict where the permissions will be stored
Returns:
None
"""
# Add `ADMIN_PERMISSION` for "external application" users
if is_external_app_user():
admin_permissions = {
DefaultUserPermissions.ADMIN_PERMISSION.action: [
DefaultUserPermissions.ADMIN_PERMISSION.resource_type
]
}
collect_permissions(
admin_permissions,
DefaultUserPermissions.ADMIN_PERMISSION.context_id,
permissions)
def validate_definition_type_ggrcq(mapper, content, target):
"""Validate GGRCQ action for object with definition_type."""
from ggrc import login as login_module
from ggrc.models import get_model
from ggrc.models.mixins import synchronizable
model = get_model(target.definition_type)
user = login_module.get_current_user(False)
if not user or user.is_anonymous():
return
should_prevent = all([
issubclass(model, synchronizable.Synchronizable),
not login_module.is_external_app_user()
])
if should_prevent:
raise exceptions.MethodNotAllowed()
def delete(self, *args, **kwargs): # pylint:disable=arguments-differ
"""Prevent update of object for internal users."""
if not is_external_app_user():
raise Forbidden()
return super(ExternalResource, self).delete(*args, **kwargs)
def collection_post(self):
"""Prevent creation of object for internal users."""
if not is_external_app_user():
raise Forbidden()
return super(ExternalResource, self).collection_post()
def test_no_logged_in_user(self, current_user_mock): """No logged in user presented.""" current_user_mock.return_value = None self.assertFalse(login.is_external_app_user()) current_user_mock.assert_called_once_with()
def validate_headers_for_put_or_delete(self, obj):
"""Check ETAG for internal request and skip for external."""
if login.is_external_app_user():
return None
return super(ExternalInternalResource,
self).validate_headers_for_put_or_delete(obj)