def test_archive_with_no_unarchive_permission(self):
additional_clauses = copy.deepcopy(clauses)
additional_clauses['clause'] += [
{
'effect': 'deny',
'object': ['resource/*/*/*'],
'action': ['resource.unarchive'],
},
]
policy = Policy.objects.create(
name='allow',
body=json.dumps(additional_clauses))
assign_user_policies(self.user, policy)
expected_success_url = reverse(
'resources:project_list',
kwargs={
'organization': self.project.organization.slug,
'project': self.project.slug,
}
)
response = self.request(user=self.user)
assert response.status_code == 302
assert response.location == expected_success_url
self.resource.refresh_from_db()
assert self.resource.archived is True
def run(verbose=True, force=False):
PERMISSIONS_DIR = settings.BASE_DIR + '/permissions/'
if force:
models.PermissionSet.objects.all().delete()
models.Role.objects.all().delete()
models.Policy.objects.all().delete()
pols = {}
for pol in ['default', 'superuser', 'org-admin', 'org-member',
'project-manager', 'data-collector', 'project-user']:
try:
pols[pol] = models.Policy.objects.get(name=pol)
pols[pol].body = open(PERMISSIONS_DIR + pol + '.json').read()
pols[pol].save()
except:
pols[pol] = models.Policy.objects.create(
name=pol,
body=open(PERMISSIONS_DIR + pol + '.json').read()
)
if not models.Role.objects.filter(name='superuser').exists():
models.Role.objects.create(
name='superuser',
policies=[pols['default'], pols['superuser']]
)
models.assign_user_policies(None, pols['default'])
def assign_policies(user):
clauses = {
'clause': [
{
"effect": "allow",
"object": ["*"],
"action": ["org.*"]
}, {
'effect': 'allow',
'object': ['organization/*'],
'action': ['org.*', "org.*.*"]
}, {
'effect': 'allow',
'object': ['project/*/*'],
'action': ['project.*', 'project.*.*', 'spatial.*']
}, {
'effect': 'allow',
'object': ['spatial/*/*/*'],
'action': ['spatial.*', 'spatial.resources.*']
}
]
}
policy = Policy.objects.create(
name='test-policy',
body=json.dumps(clauses))
assign_user_policies(user, policy)
def test_create_private_record_without_permission(self):
self.prj.access = 'private'
self.prj.save()
restricted_clauses = {
'clause': [
{
'effect': 'allow',
'object': ['project.list'],
'action': ['organization/*']
},
{
'effect': 'allow',
'object': ['project.view'],
'action': ['project/*/*']
}
]
}
restricted_policy = Policy.objects.create(
name='restricted',
body=json.dumps(restricted_clauses))
assign_user_policies(self.user, restricted_policy)
response = self.request(user=self.user, method='POST')
assert response.status_code == 403
assert PartyRelationship.objects.count() == 0
assert response.content['detail'] == PermissionDenied.default_detail
def test_login_redirect_from_project_dashboard_to_org_dashboard(self):
user = UserFactory.create()
assign_user_policies(user, *[])
project = ProjectFactory.create()
view = org_views.ProjectDashboard.as_view()
request = HttpRequest()
request.META['HTTP_REFERER'] = '/account/login/'
setattr(request, 'user', user)
setattr(request, 'method', 'GET')
setattr(request, 'session', 'session')
self.messages = FallbackStorage(request)
setattr(request, '_messages', self.messages)
kwargs = {
'organization': project.organization.slug,
'project': project.slug
}
def get_full_path():
return '/organizations/{}/projects/{}/'.format(
project.organization.slug,
project.slug
)
setattr(request, 'get_full_path', get_full_path)
exp_redirect = reverse('organization:dashboard', kwargs={
'slug': project.organization.slug})
response = view(request, **kwargs)
assert response.status_code == 302
assert exp_redirect == response['location']
def setup(datadir, db):
user1 = UserFactory.create(username='******')
user2 = UserFactory.create(username='******')
user3 = UserFactory.create(username='******')
user4 = UserFactory.create(username='******')
user5 = UserFactory.create(username='******')
PolicyFactory.set_directory(str(datadir))
def_pol = PolicyFactory.create(name='def', file='default-policy.json')
org_pol = PolicyFactory.create(name='org', file='org-policy.json')
prj_pol = PolicyFactory.create(name='prj', file='project-policy.json')
deny_pol = PolicyFactory.create(name='prj', file='deny-policy.json')
Action.register(['party.list', 'party.view', 'parcel.list', 'parcel.view',
'party.edit', 'parcel.edit'])
assign_user_policies(None, def_pol)
user1.assign_policies(def_pol)
user2.assign_policies(def_pol,
(org_pol, {'organisation': 'Cadasta'}))
user3.assign_policies(def_pol,
(org_pol, {'organisation': 'Cadasta'}),
(prj_pol, {'organisation': 'Cadasta',
'project': 'TestProj'}),
(deny_pol, {'organisation': 'Cadasta',
'project': 'Proj2'}))
user4.assign_policies(def_pol,
(org_pol, {'organisation': 'OtherOrg'}))
user5.assign_policies(def_pol,
(org_pol, {'organisation': 'Cadasta'}),
(prj_pol, {'organisation': 'Cadasta',
'project': 'TestProj2'}))
return (user1, user2, user3, user4, user5,
def_pol, org_pol, prj_pol, deny_pol)
def test_get_org_with_new_org(self):
new_org = OrganizationFactory.create()
assign_user_policies(self.user, self.policy)
response = self.request(user=self.user,
url_kwargs={'slug': new_org.slug})
assert response.status_code == 200
assert response.content == self.render_content(organization=new_org,
projects=[])
def assign_policies(user):
USER_CLAUSES = {
'clause': [
clause('allow', ['user.list']),
clause('allow', ['user.update'], ['user/*'])
]
}
policy = Policy.objects.create(name='allow', body=json.dumps(USER_CLAUSES))
assign_user_policies(user, policy)
def test_basic_anonymous(datadir, setup): # noqa
u1, u2, u3, u4, u5, def_pol, org_pol, prj_pol, deny_pol = setup
obj1 = Object('parcel/Cadasta/TestProj/123')
assert not AnonymousUser().has_perm('parcel.edit', obj1)
assign_user_policies(None,
def_pol,
(org_pol, {'organisation': 'Cadasta'}))
assert AnonymousUser().has_perm('parcel.edit', obj1)
def test_organizations_view_without_permission(self):
""" Unregistered users can see organizations."""
# again, not sure why you have to call this explicitly
assign_user_policies(None, Policy.objects.get(name='default'))
page = OrganizationListPage(self)
page.go_to()
organization_title = page.get_organization_title_in_table()
assert organization_title == 'Organization #0'
def assign_permissions(user, add_pols=None):
additional_clauses = copy.deepcopy(clauses)
if add_pols:
additional_clauses['clause'] += add_pols
policy = Policy.objects.create(
name='allow',
body=json.dumps(additional_clauses))
assign_user_policies(user, policy)
def assign_policies(user):
clauses = {
'clause': [
clause('allow', ['org.list']),
clause('allow', ['org.*', 'org.*.*'], ['organization/*'])
]
}
policy = Policy.objects.create(
name='allow',
body=json.dumps(clauses))
assign_user_policies(user, policy)
def setup_models(self):
clauses = {
'clause': [
clause('allow', ['org.create'])
]
}
self.policy = Policy.objects.create(
name='allow',
body=json.dumps(clauses))
self.user = UserFactory.create()
assign_user_policies(self.user, self.policy)
def setup_models(self):
clauses = {
'clause': [
clause('allow', ['user.list'])
]
}
policy = Policy.objects.create(
name='test-default',
body=json.dumps(clauses))
self.user = UserFactory.create()
assign_user_policies(self.user, policy)
def setup_models(self):
clauses = {
'clause': [
clause('allow', ['org.list']),
clause('allow', ['org.view'], ['organization/*'])
]
}
policy = Policy.objects.create(
name='test-policy',
body=json.dumps(clauses))
self.user = UserFactory.create()
assign_user_policies(self.user, policy)
def setUp(self):
super().setUp()
clauses = {
'clause': [
clause('allow', ['org.*']),
clause('allow', ['org.*'], ['organization/*'])
]
}
policy = Policy.objects.create(
name='test-policy-1',
body=json.dumps(clauses))
self.user = UserFactory.create()
assign_user_policies(self.user, policy)
def setup_models(self):
clauses = {
'clause': [
clause('allow', ['org.*']),
clause('allow', ['org.*'], ['organization/*'])
]
}
policy = Policy.objects.create(name='test-policy-1',
body=json.dumps(clauses))
self.user = UserFactory.create()
assign_user_policies(self.user, policy)
self.org = OrganizationFactory.create(name='Org', slug='org')
self.project = ProjectFactory.create(organization=self.org)
def test_get_organization_with_authorized_user(self):
clauses = {
'clause': [
clause('allow', ['org.*', 'org.*.*'], ['organization/*']),
]
}
policy = Policy.objects.create(name='test-policy-1',
body=json.dumps(clauses))
assign_user_policies(self.user, policy)
response = self.request(user=self.user)
assert response.status_code == 200
assert response.content['id'] == self.org.id
assert 'users' in response.content
def assign_policies(user):
clauses = {
'clause': [
{
'effect': 'allow',
'object': ['project/*/*'],
'action': ['project.view_private']
},
],
}
policy = Policy.objects.create(
name='allow',
body=json.dumps(clauses))
assign_user_policies(user, policy)
def test_archive_with_unauthorized_user(self):
clauses = {
'clause': [
clause('allow', ['org.update'], ['organization/*']),
clause('deny', ['org.archive'], ['organization/*'])
]
}
policy = Policy.objects.create(name='test-policy-1',
body=json.dumps(clauses))
assign_user_policies(self.user, policy)
data = {'archived': True}
response = self.request(method='PATCH', user=self.user, post_data=data)
assert response.status_code == 403
self.org.refresh_from_db()
assert self.org.archived is False
def setup_models(self):
clauses = {
'clause': [
clause('allow', ['org.*']),
clause('allow', ['org.*', 'org.*.*'], ['organization/*'])
]
}
policy = Policy.objects.create(
name='test-policy',
body=json.dumps(clauses))
self.user = UserFactory.create()
assign_user_policies(self.user, policy)
org_users = UserFactory.create_batch(2)
self.org = OrganizationFactory.create(slug='org', add_users=org_users)
def test_roles_creation(datadir, setup): # noqa
u1, u2, u3, u4, u5, def_pol, org_pol, prj_pol, deny_pol = setup
cadasta_org_role = Role.objects.create(
name='cadasta_org', policies=[def_pol, org_pol],
variables={'organisation': 'Cadasta'}
)
cadasta_org_role.save()
assert str(cadasta_org_role) == 'cadasta_org'
testproj_proj_role = Role.objects.create(
name='testproj_proj', policies=[def_pol, org_pol, prj_pol],
variables={'organisation': 'Cadasta', 'project': 'TestProj'}
)
testproj_proj_role.save()
proj2_proj_role = Role.objects.create(
name='proj2_proj', policies=[def_pol, org_pol, prj_pol],
variables={'organisation': 'Cadasta', 'project': 'Proj2'}
)
proj2_proj_role.save()
other_org_role = Role.objects.create(
name='other_org', policies=[def_pol, org_pol],
variables={'organisation': 'OtherOrg'}
)
other_org_role.save()
assign_user_policies(None, cadasta_org_role)
u1.assign_policies(def_pol)
u2.assign_policies(cadasta_org_role)
u3.assign_policies(testproj_proj_role,
(deny_pol, {'organisation': 'Cadasta',
'project': 'Proj2'}))
u4.assign_policies(other_org_role)
u5.assign_policies(proj2_proj_role)
obj1 = Object('parcel/Cadasta/TestProj/123')
assert not u1.has_perm('parcel.edit', obj1)
assert u2.has_perm('parcel.edit', obj1)
assert not u3.has_perm('parcel.edit', obj1)
obj2 = Object('parcel/Cadasta/Proj2/114')
assert not u1.has_perm('parcel.view', obj2)
assert u2.has_perm('parcel.view', obj2)
assert u3.has_perm('parcel.view', obj2)
obj3 = Object('parcel/SkunkWorks/SR-71/Area51')
assert not u1.has_perm('parcel.view', obj3)
assert not u2.has_perm('parcel.view', obj3)
assert not u3.has_perm('parcel.view', obj3)
def test_create_organization_with_unauthorized_user(self):
clauses = {
'clause': [
clause('allow', ['org.list']),
clause('allow', ['org.view'], ['organization/*'])
]
}
policy = Policy.objects.create(name='test-policy-2',
body=json.dumps(clauses))
assign_user_policies(self.user, policy)
data = {'name': 'new_org', 'description': 'Org description'}
response = self.request(method='POST', user=self.user, post_data=data)
assert response.status_code == 403
assert Organization.objects.count() == 0
assert response.content['detail'] == PermissionDenied.default_detail
def test_create_private_record_without_permission(self):
self.prj.access = "private"
self.prj.save()
restricted_clauses = {
"clause": [
{"effect": "allow", "object": ["project.list"], "action": ["organization/*"]},
{"effect": "allow", "object": ["project.view"], "action": ["project/*/*"]},
]
}
restricted_policy = Policy.objects.create(name="restricted", body=json.dumps(restricted_clauses))
assign_user_policies(self.user, restricted_policy)
response = self.request(user=self.user, method="POST")
assert response.status_code == 403
assert PartyRelationship.objects.count() == 0
assert response.content["detail"] == PermissionDenied.default_detail
def test_permission_filter(self):
clauses = {
'clause': [
clause('allow', ['org.list']),
clause('allow', ['org.view', 'project.create'],
['organization/*']),
clause('deny', ['project.create'],
['organization/unauthorized'])
]
}
policy = Policy.objects.create(name='deny', body=json.dumps(clauses))
assign_user_policies(self.user, policy)
OrganizationFactory.create_from_kwargs([{}, {'slug': 'unauthorized'}])
response = self.request(user=self.user,
get_data={'permissions': 'project.create'})
assert response.status_code == 200
assert len(response.content) == 1
assert response.content[0]['slug'] != 'unauthorized'
def test_list_only_one_organization_is_authorized(self):
"""
It should return all authorized organizations.
"""
clauses = {
'clause': [
clause('allow', ['org.list']),
clause('allow', ['org.view'], ['organization/*']),
clause('deny', ['org.view'], ['organization/unauthorized'])
]
}
policy = Policy.objects.create(name='deny', body=json.dumps(clauses))
assign_user_policies(self.user, policy)
OrganizationFactory.create_from_kwargs([{}, {'slug': 'unauthorized'}])
response = self.request(user=self.user)
assert response.status_code == 200
assert len(response.content) == 1
assert response.content[0]['slug'] != 'unauthorized'
def test_get_private_project_without_permission(self):
self.project.access = 'private'
self.project.save()
restricted_clauses = {
'clause': [
clause('allow', ['org.list']),
clause('allow', ['org.view'], ['organization/*']),
clause('allow', ['project.list'], ['organization/*']),
clause('allow', ['project.view'], ['project/*/*'])
]
}
restricted_policy = Policy.objects.create(
name='restricted',
body=json.dumps(restricted_clauses))
assign_user_policies(self.user, restricted_policy)
response = self.request(user=self.user)
assert response.status_code == 403
assert response.content['detail'] == PermissionDenied.default_detail
def test_lookup_user_policies_and_roles(datadir, setup): # noqa
users, pols, roles = setup
sys_admin_p, org_admin_p, proj_mgr_p = pols
(sys_admin_r,
org_admin_1_r, org_admin_2_r,
proj_mgr_1_r, proj_mgr_2_r) = roles
assert user_assigned_policies(None) == []
assign_user_policies(None, (org_admin_p, {'org': 'Sandbox'}))
assert user_assigned_policies(None) == [(org_admin_p, {'org': 'Sandbox'})]
assert users[0].assigned_policies() == []
assert users[1].assigned_policies() == [sys_admin_p]
assert users[2].assigned_policies() == [sys_admin_r]
assert users[3].assigned_policies() == [org_admin_1_r]
assert users[4].assigned_policies() == [org_admin_2_r]
assert users[5].assigned_policies() == [org_admin_1_r, org_admin_2_r]
assert users[6].assigned_policies() == [org_admin_1_r, proj_mgr_2_r]
assert users[7].assigned_policies() == [proj_mgr_1_r]
assert users[8].assigned_policies() == [(org_admin_p, {'org': 'Org3'})]
assert users[9].assigned_policies() == [(org_admin_p, {'org': 'Org3'}),
(proj_mgr_p, {'org': 'Org3',
'proj': 'Proj3'})]
def assign_policies(user):
clauses = {
'clause': [
{
'effect': 'allow',
'object': ['project/*/*'],
'action': ['spatial.*', 'tenure_rel.*']
},
{
'effect': 'allow',
'object': ['spatial/*/*/*'],
'action': ['spatial.*', 'spatial.resources.*']
},
{
'effect': 'allow',
'object': ['tenure_rel/*/*/*'],
'action': ['tenure_rel.*', 'tenure_rel.*.*']
}
]
}
policy = Policy.objects.create(
name='allow',
body=json.dumps(clauses))
assign_user_policies(user, policy)
def setup_models(self):
clauses = {'clause': [clause('allow', ['org.create'])]}
self.policy = Policy.objects.create(name='allow',
body=json.dumps(clauses))
self.user = UserFactory.create()
assign_user_policies(self.user, self.policy)
def test_nonloggedin_user(self):
"""Verify that a non-logged-in user can only see
pages of public projects and that project details are correct."""
assign_user_policies(None, Policy.objects.get(name='default'))
self.check_project_pages('nonloggedin', [])
def test_get_org_with_authorized_user(self):
assign_user_policies(self.user, self.policy)
response = self.request(user=self.user)
assert response.status_code == 200
assert response.content == self.render_content(
projects=sorted(self.projs, key=lambda p: p.slug))
def setup_models(self):
clauses = {'clause': [clause('allow', ['user.list'])]}
policy = Policy.objects.create(name='test-default',
body=json.dumps(clauses))
self.user = UserFactory.create()
assign_user_policies(self.user, policy)
def assign_policies(user):
clauses = {'clause': [clause('allow', ['project.*'], ['project/*/*'])]}
policy = Policy.objects.create(name='allow', body=json.dumps(clauses))
assign_user_policies(user, policy)
def test_get_org_with_authorized_user(self):
assign_user_policies(self.user, self.policy)
response = self.request(user=self.user)
assert response.status_code == 200
assert response.content == self.expected_content
user=u, policy=p, index=i,
organisation=org, project=proj
)
elif org is not None:
ups = UserPolicyAssignment.objects.create(
user=u, policy=p, index=i,
organisation=org
)
else:
ups = UserPolicyAssignment.objects.create(
user=u, policy=p, index=i
)
ups.save()
assign_user_policies(None, default_p)
parties = [(proj1, 'Jim Jones'),
(proj1, 'Sally Smith'),
(proj1, 'Bob Bennett'),
(proj2, 'Dave Dawkins'),
(proj2, 'Alex Adams'),
(proj3, 'Charlie Chapo')]
for p, n in parties:
party = Party(project=p, name=n)
party.save()
parcels = [(proj1, '1 Beach Terrace'),
(proj1, '5 Sandy Road'),
(proj2, '10 Chorley Street'),
