def test_set_user_folder_permissions_does_not_affect_permissions_for_other_services(
client,
sample_user,
sample_service,
):
tf1 = create_template_folder(sample_service)
tf2 = create_template_folder(sample_service)
service_2 = create_service(sample_user, service_name='other service')
tf3 = create_template_folder(service_2)
sample_service_user = dao_get_service_user(sample_user.id,
sample_service.id)
sample_service_user.folders = [tf1]
dao_update_service_user(sample_service_user)
service_2_user = dao_get_service_user(sample_user.id, service_2.id)
service_2_user.folders = [tf3]
dao_update_service_user(service_2_user)
data = json.dumps({'permissions': [], 'folder_permissions': [str(tf2.id)]})
response = client.post(url_for('user.set_permissions',
user_id=str(sample_user.id),
service_id=str(sample_service.id)),
headers=[('Content-Type', 'application/json'),
create_authorization_header()],
data=data)
assert response.status_code == 204
assert sample_service_user.folders == [tf2]
assert service_2_user.folders == [tf3]
def set_permissions(user_id, service_id):
# TODO fix security hole, how do we verify that the user
# who is making this request has permission to make the request.
service_user = dao_get_service_user(user_id, service_id)
user = service_user.user
service = dao_fetch_service_by_id(service_id=service_id)
data = request.get_json()
validate(data, post_set_permissions_schema)
permission_list = [
Permission(service_id=service_id, user_id=user_id, permission=p['permission'])
for p in data['permissions']
]
service_key = "service_id_{}".format(service_id)
change_dict = {service_key: service_id, "permissions": permission_list}
try:
_update_alert(user, change_dict)
except Exception as e:
current_app.logger.error(e)
permission_dao.set_user_service_permission(user, service, permission_list, _commit=True, replace=True)
if 'folder_permissions' in data:
folders = [
dao_get_template_folder_by_id_and_service_id(folder_id, service_id)
for folder_id in data['folder_permissions']
]
service_user.folders = folders
dao_update_service_user(service_user)
return jsonify({}), 204
def test_update_user_folder_permissions(client, sample_user, sample_service):
tf1 = create_template_folder(sample_service)
tf2 = create_template_folder(sample_service)
tf3 = create_template_folder(sample_service)
service_user = dao_get_service_user(sample_user.id, sample_service.id)
service_user.folders = [tf1, tf2]
dao_update_service_user(service_user)
data = json.dumps({
'permissions': [],
'folder_permissions': [str(tf2.id), str(tf3.id)]
})
response = client.post(url_for('user.set_permissions',
user_id=str(sample_user.id),
service_id=str(sample_service.id)),
headers=[('Content-Type', 'application/json'),
create_authorization_header()],
data=data)
assert response.status_code == 204
assert len(service_user.folders) == 2
assert tf2 in service_user.folders
assert tf3 in service_user.folders
def set_permissions(user_id, service_id):
# TODO fix security hole, how do we verify that the user
# who is making this request has permission to make the request.
service_user = dao_get_service_user(user_id, service_id)
user = service_user.user
service = dao_fetch_service_by_id(service_id=service_id)
data = request.get_json()
validate(data, post_set_permissions_schema)
permission_list = [
Permission(service_id=service_id,
user_id=user_id,
permission=p['permission']) for p in data['permissions']
]
permission_dao.set_user_service_permission(user,
service,
permission_list,
_commit=True,
replace=True)
if 'folder_permissions' in data:
folders = [
dao_get_template_folder_by_id_and_service_id(
folder_id, service_id)
for folder_id in data['folder_permissions']
]
service_user.folders = folders
dao_update_service_user(service_user)
return jsonify({}), 204
def dao_add_user_to_service(service,
user,
permissions=None,
folder_permissions=None):
permissions = permissions or []
folder_permissions = folder_permissions or []
try:
from app.dao.permissions_dao import permission_dao
service.users.append(user)
permission_dao.set_user_service_permission(user,
service,
permissions,
_commit=False)
db.session.add(service)
service_user = dao_get_service_user(user.id, service.id)
valid_template_folders = dao_get_valid_template_folders_by_id(
folder_permissions)
service_user.folders = valid_template_folders
db.session.add(service_user)
except Exception as e:
db.session.rollback()
raise e
else:
db.session.commit()
def test_create_template_folder_sets_user_permissions(admin_request,
sample_service,
has_parent):
user_1 = create_user(email='*****@*****.**')
user_2 = create_user(email='*****@*****.**')
user_3 = create_user(email='*****@*****.**', state='pending')
existing_folder = create_template_folder(sample_service)
sample_service.users = [user_1, user_2, user_3]
service_user_1 = dao_get_service_user(user_1.id, sample_service.id)
service_user_1.folders = [existing_folder]
parent_id = str(existing_folder.id) if has_parent else None
resp = admin_request.post('template_folder.create_template_folder',
service_id=sample_service.id,
_data={
'name': 'foo',
'parent_id': parent_id
},
_expected_status=201)
assert resp['data']['name'] == 'foo'
assert resp['data']['service_id'] == str(sample_service.id)
assert resp['data']['parent_id'] == parent_id
if has_parent:
assert resp['data']['users_with_permission'] == [str(user_1.id)]
else:
assert sorted(resp['data']['users_with_permission']) == sorted(
[str(user_1.id), str(user_2.id)])
def test_create_template_folder_sets_user_permissions(admin_request,
sample_service,
has_parent):
user_1 = create_user(email="*****@*****.**")
user_2 = create_user(email="*****@*****.**")
user_3 = create_user(email="*****@*****.**", state="pending")
existing_folder = create_template_folder(sample_service)
sample_service.users = [user_1, user_2, user_3]
service_user_1 = dao_get_service_user(user_1.id, sample_service.id)
service_user_1.folders = [existing_folder]
parent_id = str(existing_folder.id) if has_parent else None
resp = admin_request.post(
"template_folder.create_template_folder",
service_id=sample_service.id,
_data={
"name": "foo",
"parent_id": parent_id
},
_expected_status=201,
)
assert resp["data"]["name"] == "foo"
assert resp["data"]["service_id"] == str(sample_service.id)
assert resp["data"]["parent_id"] == parent_id
if has_parent:
assert resp["data"]["users_with_permission"] == [str(user_1.id)]
else:
assert sorted(resp["data"]["users_with_permission"]) == sorted(
[str(user_1.id), str(user_2.id)])
def test_dao_delete_template_folder_deletes_user_folder_permissions(sample_user, sample_service):
folder = create_template_folder(sample_service)
service_user = dao_get_service_user(sample_user.id, sample_service.id)
folder.users = [service_user]
dao_update_template_folder(folder)
dao_delete_template_folder(folder)
assert db.session.query(user_folder_permissions).all() == []
def test_removing_a_user_from_a_service_deletes_their_folder_permissions_for_that_service(sample_user, sample_service):
tf1 = create_template_folder(sample_service)
tf2 = create_template_folder(sample_service)
service_2 = create_service(sample_user, service_name='other service')
tf3 = create_template_folder(service_2)
service_user = dao_get_service_user(sample_user.id, sample_service.id)
service_user.folders = [tf1, tf2]
dao_update_service_user(service_user)
service_2_user = dao_get_service_user(sample_user.id, service_2.id)
service_2_user.folders = [tf3]
dao_update_service_user(service_2_user)
dao_remove_user_from_service(sample_service, sample_user)
user_folder_permission = db.session.query(user_folder_permissions).one()
assert user_folder_permission.user_id == service_2_user.user_id
assert user_folder_permission.service_id == service_2_user.service_id
assert user_folder_permission.template_folder_id == tf3.id
def dao_remove_user_from_service(service, user):
try:
from app.dao.permissions_dao import permission_dao
permission_dao.remove_user_service_permissions(user, service)
service_user = dao_get_service_user(user.id, service.id)
db.session.delete(service_user)
except Exception as e:
db.session.rollback()
raise e
else:
db.session.commit()
def test_dao_add_user_to_service_ignores_folders_which_do_not_exist_when_setting_permissions(
sample_user, sample_service, fake_uuid):
valid_folder = create_template_folder(sample_service)
folder_permissions = [fake_uuid, str(valid_folder.id)]
dao_add_user_to_service(sample_service,
sample_user,
folder_permissions=folder_permissions)
service_user = dao_get_service_user(sample_user.id, sample_service.id)
assert service_user.folders == [valid_folder]
def test_dao_add_user_to_service_sets_folder_permissions(sample_user, sample_service):
folder_1 = create_template_folder(sample_service)
folder_2 = create_template_folder(sample_service)
assert not folder_1.users
assert not folder_2.users
folder_permissions = [str(folder_1.id), str(folder_2.id)]
dao_add_user_to_service(sample_service, sample_user, folder_permissions=folder_permissions)
service_user = dao_get_service_user(user_id=sample_user.id, service_id=sample_service.id)
assert len(service_user.folders) == 2
assert folder_1 in service_user.folders
assert folder_2 in service_user.folders
def test_get_folders_returns_users_with_permission(admin_request,
sample_service):
user_1 = create_user(email='*****@*****.**')
user_2 = create_user(email='*****@*****.**')
user_3 = create_user(email='*****@*****.**')
template_folder = create_template_folder(sample_service)
sample_service.users = [user_1, user_2, user_3]
service_user_1 = dao_get_service_user(user_1.id, sample_service.id)
service_user_2 = dao_get_service_user(user_2.id, sample_service.id)
service_user_1.folders = [template_folder]
service_user_2.folders = [template_folder]
resp = admin_request.get(
'template_folder.get_template_folders_for_service',
service_id=sample_service.id)
users_with_permission = resp['template_folders'][0][
'users_with_permission']
assert len(users_with_permission) == 2
assert str(user_1.id) in users_with_permission
assert str(user_2.id) in users_with_permission
def update_template_folder(service_id, template_folder_id):
data = request.get_json()
validate(data, post_update_template_folder_schema)
template_folder = dao_get_template_folder_by_id_and_service_id(
template_folder_id, service_id)
template_folder.name = data['name']
if 'users_with_permission' in data:
template_folder.users = [
dao_get_service_user(user_id, service_id)
for user_id in data['users_with_permission']
]
dao_update_template_folder(template_folder)
return jsonify(data=template_folder.serialize()), 200
def test_dao_archive_user(sample_user, sample_organisation, fake_uuid):
sample_user.current_session_id = fake_uuid
# create 2 services for sample_user to be a member of (each with another active user)
service_1 = create_service(service_name='Service 1')
service_1_user = create_user(email='*****@*****.**')
service_1.users = [sample_user, service_1_user]
create_permissions(sample_user, service_1, 'manage_settings')
create_permissions(service_1_user, service_1, 'manage_settings',
'view_activity')
service_2 = create_service(service_name='Service 2')
service_2_user = create_user(email='*****@*****.**')
service_2.users = [sample_user, service_2_user]
create_permissions(sample_user, service_2, 'view_activity')
create_permissions(service_2_user, service_2, 'manage_settings')
# make sample_user an org member
sample_organisation.users = [sample_user]
# give sample_user folder permissions for a service_1 folder
folder = create_template_folder(service_1)
service_user = dao_get_service_user(sample_user.id, service_1.id)
service_user.folders = [folder]
dao_update_service_user(service_user)
dao_archive_user(sample_user)
assert sample_user.get_permissions() == {}
assert sample_user.services == []
assert sample_user.organisations == []
assert sample_user.auth_type == EMAIL_AUTH_TYPE
assert sample_user.email_address == '*****@*****.**'
assert sample_user.mobile_number is None
assert sample_user.current_session_id == uuid.UUID(
'00000000-0000-0000-0000-000000000000')
assert sample_user.state == 'inactive'
assert not sample_user.check_password('password')
