def setup_user_role(user):
"""
Setup Administrator role for test user.
"""
role = Role.query.filter(
Role.name == SystemWideRoles.ADMINISTRATOR,
).first()
user_role = UserRole()
user_role.role = role
user_role.person = user
return user_role
def ensure_assignee_is_workflow_member(workflow, assignee):
"""Checks what role assignee has in the context of
a workflow. If he has none he gets the Workflow Member role."""
if not assignee:
return
# Check if assignee is mapped to the Workflow
workflow_people = models.WorkflowPerson.query.filter(
models.WorkflowPerson.workflow_id == workflow.id,
models.WorkflowPerson.person_id == assignee.id).all()
if not workflow_people:
workflow_person = models.WorkflowPerson(person=assignee,
workflow=workflow,
context=workflow.context)
db.session.add(workflow_person)
# Check if assignee has a role assignment
from ggrc_basic_permissions.models import UserRole
user_roles = UserRole.query.filter(
UserRole.context_id == workflow.context_id,
UserRole.person_id == assignee.id).all()
if not user_roles:
workflow_member_role = _find_role('WorkflowMember')
user_role = UserRole(
person=assignee,
role=workflow_member_role,
context=workflow.context,
modified_by=get_current_user(),
)
db.session.add(user_role)
def ensure_assignee_is_workflow_member(workflow, assignee, assignee_id=None):
"""Checks what role assignee has in the context of
a workflow. If he has none he gets the Workflow Member role."""
if not assignee and not assignee_id:
return
if assignee_id is None:
assignee_id = assignee.id
if assignee and assignee_id != assignee.id:
raise ValueError("Conflict value assignee and assignee_id")
if any(assignee_id == wp.person_id for wp in workflow.workflow_people):
return
# Check if assignee is mapped to the Workflow
workflow_people = models.WorkflowPerson.query.filter(
models.WorkflowPerson.workflow_id == workflow.id,
models.WorkflowPerson.person_id == assignee_id).count()
if not workflow_people:
models.WorkflowPerson(person=assignee,
person_id=assignee_id,
workflow=workflow,
context=workflow.context)
# Check if assignee has a role assignment
user_roles = UserRole.query.filter(
UserRole.context_id == workflow.context_id,
UserRole.person_id == assignee_id).count()
if not user_roles:
workflow_member_role = _find_role('WorkflowMember')
UserRole(
person=assignee,
person_id=assignee_id,
role=workflow_member_role,
context=workflow.context,
modified_by=get_current_user(),
)
def test_permissions_for_backlog_workflow(self, mock_get_current_user): # noqa # pylint: disable=invalid-name
"""Tests whether the creator has all the necessary permissions for
backlog workflow."""
my_person = Person(name="kekec", email="*****@*****.**")
creator_role = Role.query.filter(Role.name == "Creator").one()
user_role = UserRole(role=creator_role, person=my_person) # noqa # pylint: disable=unused-variable
mock_get_current_user.return_value = Person(name="Mojca",
email="*****@*****.**")
backlog_workflow = db.session\
.query(Workflow)\
.filter(Workflow.kind == "Backlog").one()
workflow_ctx = backlog_workflow.context.id
user_perms = load_permissions_for(my_person)
actions = ["read", "edit", "update"]
_types = ["Workflow", "Cycle", "CycleTaskGroup",
"CycleTaskGroupObjectTask", "TaskGroup"]
for action in actions:
for obj_type in _types:
self.assertTrue(workflow_ctx in
user_perms[action][obj_type]['contexts'])
ctgot_ctxs = user_perms['delete']['CycleTaskGroupObjectTask']['contexts']
self.assertTrue(workflow_ctx in ctgot_ctxs)
def add_creator_role(user):
user_creator_role = UserRole(
person=user,
role=basic_roles.creator(),
)
db.session.add(user_creator_role)
db.session.commit()
log_event(db.session, user_creator_role, user_creator_role.id)
def handle_program_post(sender, obj=None, src=None, service=None):
db.session.flush()
# get the personal context for this logged in user
user = get_current_user()
personal_context = _get_or_create_personal_context(user)
context = obj.build_object_context(
context=personal_context,
name='{object_type} Context {timestamp}'.format(
object_type=service.model.__name__,
timestamp=datetime.datetime.now()),
description='',
)
context.modified_by = get_current_user()
db.session.add(obj)
db.session.flush()
db.session.add(context)
db.session.flush()
obj.contexts.append(context)
obj.context = context
# add a user_roles mapping assigning the user creating the program
# the ProgramOwner role in the program's context.
program_owner_role = basic_roles.program_owner()
user_role = UserRole(
person=get_current_user(),
role=program_owner_role,
context=context,
modified_by=get_current_user())
# pass along a temporary attribute for logging the events.
user_role._display_related_title = obj.title
db.session.add(user_role)
db.session.flush()
# Create the context implication for Program roles to default context
db.session.add(ContextImplication(
source_context=context,
context=None,
source_context_scope='Program',
context_scope=None,
modified_by=get_current_user()))
if not src.get('private'):
# Add role implication - all users can read a public program
add_public_program_context_implication(context)
def handle_program_post(sender, obj=None, src=None, service=None):
db.session.flush()
# get the personal context for this logged in user
user = get_current_user()
personal_context = _get_or_create_personal_context(user)
context = obj.build_object_context(
context=personal_context,
name='{object_type} Context {timestamp}'.format(
object_type=service.model.__name__,
timestamp=datetime.datetime.now()),
description='',
)
context.modified_by = get_current_user()
db.session.add(obj)
db.session.flush()
db.session.add(context)
db.session.flush()
obj.contexts.append(context)
obj.context = context
# add a user_roles mapping assigning the user creating the program
# the ProgramOwner role in the program's context.
program_owner_role = basic_roles.program_owner()
user_role = UserRole(
person=get_current_user(),
role=program_owner_role,
context=context,
modified_by=get_current_user())
# pass along a temporary attribute for logging the events.
user_role._display_related_title = obj.title
db.session.add(user_role)
db.session.flush()
# Create the context implication for Program roles to default context
db.session.add(ContextImplication(
source_context=context,
context=None,
source_context_scope='Program',
context_scope=None,
modified_by=get_current_user()))
if not src.get('private'):
# Add role implication - all users can read a public program
add_public_program_context_implication(context)
def handle_workflow_person_post(sender, obj=None, src=None, service=None):
# add a user_roles mapping assigning the user creating the workflow
# the WorkflowOwner role in the workflow's context.
UserRole(
person=obj.person,
role=_find_role('WorkflowMember'),
context=obj.context,
modified_by=get_current_user(),
)
def add_creator_role(user):
"""Add createor role for sent user."""
user_creator_role = UserRole(
person=user,
role=basic_roles.creator(),
)
db.session.add(user_creator_role)
db.session.commit()
log_event(db.session, user_creator_role, user_creator_role.id)
def insert_object(self):
if self.dry_run or not self.value:
return
self.remove_current_roles()
for owner in self.value:
user_role = UserRole(role=self.role,
context=self.row_converter.obj.context,
person=owner)
db.session.add(user_role)
self.dry_run = True
def handle_workflow_person_post(sender, obj=None, src=None, service=None): # noqa pylint: disable=unused-argument
db.session.flush()
# add a user_roles mapping assigning the user creating the workflow
# the WorkflowOwner role in the workflow's context.
workflow_member_role = _find_role('WorkflowMember')
user_role = UserRole(
person=obj.person,
role=workflow_member_role,
context=obj.context,
modified_by=get_current_user(),
)
db.session.add(user_role)
def add_creator_role(user, **kwargs):
"""Add creator role for sent user."""
if not hasattr(flask.g, "user_creator_roles_cache"):
flask.g.user_creator_roles_cache = {}
if user.email in flask.g.user_creator_roles_cache:
# we have this role in the cache so no need to create it
return
user_creator_role = UserRole(person=user,
role=basic_roles.creator(),
**kwargs)
flask.g.user_creator_roles_cache[user.email] = user_creator_role
db.session.add(user_creator_role)
def insert_object(self):
if self.dry_run or not self.value:
return
self.remove_current_roles()
context = None
if self.value.name == "Administrator":
context = Context.query.filter_by(
name="System Administration").first()
user_role = UserRole(
role=self.value,
person=self.row_converter.obj,
context=context,
)
db.session.add(user_role)
self.dry_run = True
def insert_object(self):
if self.dry_run or not self.value:
return
super(AuditAuditorColumnHandler, self).insert_object()
user_roles = set(o.person_id for o in self.get_program_roles())
context = self.row_converter.obj.program.context
for auditor in self.value:
# Check if the role already exists in the database or in the session:
if auditor.id in user_roles or any(
o for o in db.session.new
if isinstance(o, UserRole) and o.context.id == context.id
and o.person.id == auditor.id):
continue
user_role = UserRole(role=self.reader,
context=context,
person=auditor)
db.session.add(user_role)
def _clone_auditors(self, audit):
"""Clone auditors of specified audit.
Args:
audit: Audit instance
"""
from ggrc_basic_permissions.models import Role, UserRole
role = Role.query.filter_by(name="Auditor").first()
auditors = [ur.person for ur in UserRole.query.filter_by(
role=role, context=audit.context).all()]
for auditor in auditors:
user_role = UserRole(
context=self.context,
person=auditor,
role=role
)
db.session.add(user_role)
db.session.flush()
def handle_workflow_post(sender, obj=None, src=None, service=None): # noqa pylint: disable=unused-argument
source_workflow = None
if src.get('clone'):
source_workflow_id = src.get('clone')
source_workflow = models.Workflow.query.filter_by(
id=source_workflow_id
).first()
source_workflow.copy(obj)
db.session.add(obj)
db.session.flush()
obj.title = source_workflow.title + ' (copy ' + str(obj.id) + ')'
db.session.flush()
# get the personal context for this logged in user
user = get_current_user()
personal_context = _get_or_create_personal_context(user)
context = obj.build_object_context(
context=personal_context,
name='{object_type} Context {timestamp}'.format(
object_type=service.model.__name__,
timestamp=datetime.now()),
description='',
)
context.modified_by = get_current_user()
db.session.add(obj)
db.session.flush()
db.session.add(context)
db.session.flush()
obj.contexts.append(context)
obj.context = context
# add a user_roles mapping assigning the user creating the workflow
# the WorkflowOwner role in the workflow's context.
workflow_owner_role = _find_role('WorkflowOwner')
user_role = UserRole(
person=user,
role=workflow_owner_role,
context=context,
modified_by=get_current_user(),
)
db.session.add(models.WorkflowPerson(
person=user,
workflow=obj,
context=context,
modified_by=get_current_user(),
))
# pass along a temporary attribute for logging the events.
user_role._display_related_title = obj.title
db.session.add(user_role)
db.session.flush()
# Create the context implication for Workflow roles to default context
db.session.add(ContextImplication(
source_context=context,
context=None,
source_context_scope='Workflow',
context_scope=None,
modified_by=get_current_user(),
))
if not src.get('private'):
# Add role implication - all users can read a public workflow
add_public_workflow_context_implication(context)
if src.get('clone'):
source_workflow.copy_task_groups(
obj,
clone_people=src.get('clone_people', False),
clone_tasks=src.get('clone_tasks', False),
clone_objects=src.get('clone_objects', False)
)
if src.get('clone_people'):
workflow_member_role = _find_role('WorkflowMember')
for authorization in source_workflow.context.user_roles:
# Current user has already been added as workflow owner
if authorization.person != user:
db.session.add(UserRole(
person=authorization.person,
role=workflow_member_role,
context=context,
modified_by=user))
for person in source_workflow.people:
if person != user:
db.session.add(models.WorkflowPerson(
person=person,
workflow=obj,
context=context))
def handle_workflow_post(sender, obj=None, src=None, service=None): # noqa pylint: disable=unused-argument
source_workflow = None
if src.get('clone'):
source_workflow_id = src.get('clone')
source_workflow = models.Workflow.query.filter_by(
id=source_workflow_id).first()
source_workflow.copy(obj)
db.session.add(obj)
db.session.flush()
obj.title = source_workflow.title + ' (copy ' + str(obj.id) + ')'
db.session.flush()
# get the personal context for this logged in user
user = get_current_user()
personal_context = _get_or_create_personal_context(user)
context = obj.build_object_context(
context=personal_context,
name='{object_type} Context {timestamp}'.format(
object_type=service.model.__name__, timestamp=datetime.now()),
description='',
)
context.modified_by = get_current_user()
db.session.add(obj)
db.session.flush()
db.session.add(context)
db.session.flush()
obj.contexts.append(context)
obj.context = context
# add a user_roles mapping assigning the user creating the workflow
# the WorkflowOwner role in the workflow's context.
workflow_owner_role = _find_role('WorkflowOwner')
user_role = UserRole(
person=user,
role=workflow_owner_role,
context=context,
modified_by=get_current_user(),
)
db.session.add(
models.WorkflowPerson(
person=user,
workflow=obj,
context=context,
modified_by=get_current_user(),
))
# pass along a temporary attribute for logging the events.
user_role._display_related_title = obj.title
db.session.add(user_role)
db.session.flush()
# Create the context implication for Workflow roles to default context
db.session.add(
ContextImplication(
source_context=context,
context=None,
source_context_scope='Workflow',
context_scope=None,
modified_by=get_current_user(),
))
if not src.get('private'):
# Add role implication - all users can read a public workflow
add_public_workflow_context_implication(context)
if src.get('clone'):
source_workflow.copy_task_groups(
obj,
clone_people=src.get('clone_people', False),
clone_tasks=src.get('clone_tasks', False),
clone_objects=src.get('clone_objects', False))
if src.get('clone_people'):
workflow_member_role = _find_role('WorkflowMember')
for authorization in source_workflow.context.user_roles:
# Current user has already been added as workflow owner
if authorization.person != user:
db.session.add(
UserRole(person=authorization.person,
role=workflow_member_role,
context=context,
modified_by=user))
for person in source_workflow.people:
if person != user:
db.session.add(
models.WorkflowPerson(person=person,
workflow=obj,
context=context))
def handle_workflow_post(sender, obj=None, src=None, service=None):
_validate_post_workflow_fields(obj)
source_workflow = None
if src.get('clone'):
source_workflow_id = src.get('clone')
source_workflow = models.Workflow.query.filter_by(
id=source_workflow_id
).first()
source_workflow.copy(obj)
obj.title = source_workflow.title + ' (copy ' + str(obj.id) + ')'
# get the personal context for this logged in user
user = get_current_user()
personal_context = user.get_or_create_object_context(context=1)
context = obj.get_or_create_object_context(personal_context)
obj.context = context
if not obj.workflow_people:
# add a user_roles mapping assigning the user creating the workflow
# the WorkflowOwner role in the workflow's context.
workflow_owner_role = _find_role('WorkflowOwner')
user_role = UserRole(
person=user,
role=workflow_owner_role,
context=context,
modified_by=get_current_user(),
)
models.WorkflowPerson(
person=user,
workflow=obj,
context=context,
modified_by=get_current_user(),
)
# pass along a temporary attribute for logging the events.
user_role._display_related_title = obj.title
# Create the context implication for Workflow roles to default context
ContextImplication(
source_context=context,
context=None,
source_context_scope='Workflow',
context_scope=None,
modified_by=get_current_user(),
)
if not src.get('private'):
# Add role implication - all users can read a public workflow
add_public_workflow_context_implication(context)
if src.get('clone'):
source_workflow.copy_task_groups(
obj,
clone_people=src.get('clone_people', False),
clone_tasks=src.get('clone_tasks', False),
clone_objects=src.get('clone_objects', False)
)
if src.get('clone_people'):
workflow_member_role = _find_role('WorkflowMember')
for authorization in source_workflow.context.user_roles:
# Current user has already been added as workflow owner
if authorization.person != user:
UserRole(
person=authorization.person,
role=workflow_member_role,
context=context,
modified_by=user)
for person in source_workflow.people:
if person != user:
models.WorkflowPerson(
person=person,
workflow=obj,
context=context)
