def test_can_access_subalterns(method, app, db_session):
"""
A director of a company should be able to access
the profiles of employees with a lower role.
"""
company = factories.CompanyFactory()
director = factories.EmployeeFactory(
company=company, role=factories.RoleFactory(name="Director"))
master = factories.EmployeeFactory(
company=company, role=factories.RoleFactory(name="Master"))
manager = factories.EmployeeFactory(
company=company, role=factories.RoleFactory(name="Manager"))
intern = factories.EmployeeFactory(
company=company, role=factories.RoleFactory(name="Intern"))
flask.g.user = director
assert has_privilege(resource="employee", employee_id=manager.id)
assert has_privilege(resource="employee", employee_id=master.id)
assert has_privilege(resource="employee", employee_id=intern.id)
def test_can_access_his_profile(app):
flask.g.user = Employee(id=1, first_name="Alice", last_name="Cooper",
username="******", phone_number="1",
birth_date=datetime.utcnow(),
pin_code=9999,
account_status="on",
user_status="on",
registration_date=datetime.utcnow(),
email="*****@*****.**", password="******")
assert has_privilege(method=Method.READ, resource="employee", employee_id=1)
def test_cannot_access_other_company_employees(method, app, db_session):
"""
Even though the authenticated user is a director, they cannot access a
manager's profile because the manager works for another company.
"""
director = factories.EmployeeFactory(
company=factories.CompanyFactory(),
role=factories.RoleFactory(name="Director"))
manager = factories.EmployeeFactory(
company=factories.CompanyFactory(),
role=factories.RoleFactory(name="Manager"))
flask.g.user = director
assert not has_privilege(
method=Method.READ, resource="employee", employee_id=manager.id)
def test_cant_access_other_company_employees(app, db_session):
mine_company = Company(id=1, name="Foo Inc.", code="code1", address="addr")
db_session.add(mine_company)
me = Employee(id=1,
first_name="Alice",
last_name="Cooper",
username="******",
phone_number="1",
birth_date=datetime.utcnow(),
pin_code=1234,
account_status="on",
user_status="on",
registration_date=datetime.utcnow(),
company_id=2,
email="*****@*****.**",
password="******")
db_session.add(me)
flask.g.user = me
other_company = Company(id=2,
name="Bar Inc.",
code="code2",
address="addr")
db_session.add(other_company)
other = Employee(id=2,
first_name="Bob",
last_name="Cooper",
username="******",
phone_number="1",
birth_date=datetime.utcnow(),
pin_code=3454,
account_status="on",
user_status="on",
registration_date=datetime.utcnow(),
company_id=1,
email="*****@*****.**",
password="******")
db_session.add(other)
db_session.commit()
assert not has_privilege(
method=Method.READ, resource="employee", employee_id=other.id)