def test_list(self): # check that the user1 can't list network context elements result_auth_u1 = sriutils.authorize_list_module( self.user1, self.network_ctxt) self.assertFalse(result_auth_u1) # check that the user1 can list community context elements result_auth_u2 = sriutils.authorize_list_module( self.user2, self.community_ctxt) self.assertTrue(result_auth_u2) # check that the user1 can list contracts context elements result_auth_u3 = sriutils.authorize_list_module( self.user3, self.contracts_ctxt) self.assertTrue(result_auth_u3)
def resolve_checkExistentOrganizationId(self, info, **kwargs): ret = False if info.context and info.context.user.is_authenticated: # well use the community context to check if the user # can read the rolegroup list community_context = sriutils.get_community_context() authorized = sriutils.authorize_list_module( info.context.user, community_context) if authorized: id = kwargs.get('id', None) handle_id = None if id: _type, handle_id = relay.Node.from_global_id(id) organization_id = kwargs.get('organization_id') ret = nc.models.OrganizationModel \ .check_existent_organization_id( organization_id, handle_id, nc.graphdb.manager) else: raise GraphQLAuthException() return ret
def resolve_context_activity(self, info, **kwargs): ''' Connection resolver for the activity log, filtered by module name. Actions are filtered to only show what the user has rights to list/read ''' qs = ActionModel.objects.none() if info.context and info.context.user.is_authenticated: user = info.context.user filter = kwargs.get('filter') order_by = kwargs.get('orderBy') if ContextModel.objects.filter(name=filter.context).exists(): # check list permission for this module/context context = ContextModel.objects.get(name=filter.context) authorized = sriutils.authorize_list_module(user, context) if authorized: # get readable handle_ids readable_ids = sriutils.get_ids_user_canread(user) qs = context_feed(filter.context, user) if order_by: if order_by == ActionOrderBy.timestamp_ASC: qs = qs.order_by('timestamp') elif order_by == ActionOrderBy.timestamp_DESC: qs = qs.order_by('-timestamp') else: qs = qs.order_by('-timestamp') else: raise GraphQLAuthException() return qs
def resolve_getAvailableRoleGroups(self, info, **kwargs): ret = [] if info.context and info.context.user.is_authenticated: # well use the community context to check if the user # can read the rolegroup list community_context = sriutils.get_community_context() authorized = sriutils.authorize_list_module( info.context.user, community_context) if authorized: ret = RoleGroupModel.objects.all() else: #401 raise GraphQLAuthException() return ret
def resolve_getRolesFromRoleGroup(self, info, **kwargs): ret = [] name = kwargs.get('name', DEFAULT_ROLEGROUP_NAME) if info.context and info.context.user.is_authenticated: # well use the community context to check if the user # can read the rolegroup list community_context = sriutils.get_community_context() authorized = sriutils.authorize_list_module( info.context.user, community_context) if authorized: role_group = RoleGroupModel.objects.get(name=name) ret = RoleModel.objects.filter(role_group=role_group) else: #401 raise GraphQLAuthException() return ret
def resolve_roles(self, info, **kwargs): qs = RoleModel.objects.none() if info.context and info.context.user.is_authenticated: context = sriutils.get_community_context() authorized = sriutils.authorize_list_module( info.context.user, context) if authorized: filter = kwargs.get('filter') order_by = kwargs.get('orderBy') qs = RoleModel.objects.all() if order_by: if order_by == RoleOrderBy.handle_id_ASC: qs = qs.order_by('handle_id') elif order_by == RoleOrderBy.handle_id_DESC: qs = qs.order_by('-handle_id') elif order_by == RoleOrderBy.name_ASC: qs = qs.order_by('name') elif order_by == RoleOrderBy.name_DESC: qs = qs.order_by('-name') if filter: if filter.id: handle_id = relay.Node.from_global_id(filter.id)[1] qs = qs.filter(handle_id=handle_id) if filter.name: qs = qs.filter(name=filter.name) return qs else: #403 return qs else: # 401 raise GraphQLAuthException()
def test_grant_user_permissions(self): # only run mutations if we have set this value if not hasattr(self, 'test_type'): return another_user_id = self.another_user.id other_user_id = self.other_user.id for user in [self.another_user, self.other_user]: # first query another_user permissions user_id = user.id query = """ {{ getUserById(ID: {user_id}){{ id username user_permissions{{ community{{ read list write admin }} network{{ read list write admin }} contracts{{ read list write admin }} }} }} }} """.format(user_id=user_id) result = schema.execute(query, context=self.context) assert not result.errors, pformat(result.errors, indent=1) expected = { 'getUserById': { 'id': str(user_id), 'user_permissions': { 'community': { 'admin': False, 'list': False, 'read': False, 'write': False }, 'contracts': { 'admin': False, 'list': False, 'read': False, 'write': False }, 'network': { 'admin': False, 'list': False, 'read': False, 'write': False } }, 'username': user.username } } # they must be blank as we didn't set anything yet self.assert_correct(result, expected) # add read, list and write permissions over our module query_t = """ mutation{{ grant_users_permissions(input:{{ users_ids:[ {users_ids} ] context: "{context_name}" read: {read} list: {list} write: {write} {admin} }}){{ results{{ success errors{{ field messages }} user{{ id username user_permissions{{ network{{ read list write admin }} }} }} }} }} }} """ # check the user permissions query net_ctxt = sriutils.get_network_context() context_name = net_ctxt.name read = str(True).lower() list = str(True).lower() write = str(True).lower() users_ids = ", ".join(['"{}"'.format(x) \ for x in [other_user_id, another_user_id]]) query = query_t.format(users_ids=users_ids, context_name=context_name, read=read, list=list, write=write, admin="") # test vakt functions before for user in [self.other_user, self.another_user]: can_read = sriutils.authorize_read_module(user, net_ctxt) can_list = sriutils.authorize_list_module(user, net_ctxt) can_write = sriutils.authorize_create_resource(user, net_ctxt) self.assertFalse(can_read) self.assertFalse(can_list) self.assertFalse(can_write) # run mutation and check response result = schema.execute(query, context=self.context) assert not result.errors, pformat(result.errors, indent=1) expected = OrderedDict([('grant_users_permissions', { 'results': [{ 'errors': None, 'success': True, 'user': { 'id': str(other_user_id), 'user_permissions': { 'network': { 'admin': False, 'list': True, 'read': True, 'write': True } }, 'username': self.other_user.username } }, { 'errors': None, 'success': True, 'user': { 'id': str(another_user_id), 'user_permissions': { 'network': { 'admin': False, 'list': True, 'read': True, 'write': True } }, 'username': self.another_user.username } }] })]) self.assert_correct(result, expected) # after for user in [self.other_user, self.another_user]: can_read = sriutils.authorize_read_module(user, net_ctxt) can_list = sriutils.authorize_list_module(user, net_ctxt) can_write = sriutils.authorize_create_resource(user, net_ctxt) self.assertTrue(can_read) self.assertTrue(can_list) self.assertTrue(can_write) # revoke write permission write = str(False).lower() query = query_t.format(users_ids=users_ids, context_name=context_name, read=read, list=list, write=write, admin="") result = schema.execute(query, context=self.context) assert not result.errors, pformat(result.errors, indent=1) expected = OrderedDict([('grant_users_permissions', { 'results': [{ 'errors': None, 'success': True, 'user': { 'id': str(other_user_id), 'user_permissions': { 'network': { 'admin': False, 'list': True, 'read': True, 'write': False } }, 'username': self.other_user.username } }, { 'errors': None, 'success': True, 'user': { 'id': str(another_user_id), 'user_permissions': { 'network': { 'admin': False, 'list': True, 'read': True, 'write': False } }, 'username': self.another_user.username } }] })]) # check the user permissions query self.assert_correct(result, expected) # test vakt functions for user in [self.other_user, self.another_user]: can_write = sriutils.authorize_create_resource(user, net_ctxt) self.assertFalse(can_write) # grand admin rights admin = "admin: true" query = query_t.format(users_ids=users_ids, context_name=context_name, read=read, list=list, write=write, admin=admin) result = schema.execute(query, context=self.context) assert not result.errors, pformat(result.errors, indent=1) expected = None if self.test_type == "admin": # if it's not check the error expected = OrderedDict([('grant_users_permissions', { 'results': [{ 'errors': [{ 'field': '_', 'messages': ['Only superadmins can ' 'grant admin rights'] }], 'success': False, 'user': { 'id': str(other_user_id), 'user_permissions': { 'network': { 'admin': False, 'list': True, 'read': True, 'write': False } }, 'username': self.other_user.username } }, { 'errors': [{ 'field': '_', 'messages': ['Only superadmins can ' 'grant admin rights'] }], 'success': False, 'user': { 'id': str(another_user_id), 'user_permissions': { 'network': { 'admin': False, 'list': True, 'read': True, 'write': False } }, 'username': self.another_user.username } }] })]) elif self.test_type == "superadmin": # if it's superadmin test it should be possible expected = OrderedDict([('grant_users_permissions', { 'results': [{ 'errors': None, 'success': True, 'user': { 'id': str(other_user_id), 'user_permissions': { 'network': { 'admin': True, 'list': True, 'read': True, 'write': False } }, 'username': self.other_user.username } }, { 'errors': None, 'success': True, 'user': { 'id': str(another_user_id), 'user_permissions': { 'network': { 'admin': True, 'list': True, 'read': True, 'write': False } }, 'username': self.another_user.username } }] })]) self.assert_correct(result, expected)