def test_registrar_search_after_adding_new_ra_to_workgroup(self): self.logout() response = self.client.post(reverse('friendly_login'), {'username': '******', 'password': '******'}) steve_rogers = models.ObjectClass.objects.get(name="captainAmerica") self.assertFalse(perms.user_can_view(self.registrar,steve_rogers)) steve_rogers.readyToReview = True steve_rogers.save() self.assertFalse(perms.user_can_view(self.registrar,steve_rogers)) response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica") self.assertEqual(len(response.context['page'].object_list),0) # Adding the registrars Authorities to the managing authorities of the workgroup # should grant them access to see item in that workgroup now. self.avengers_wg.registrationAuthorities.add(self.ra) self.avengers_wg.save() self.assertTrue(perms.user_can_view(self.registrar,steve_rogers)) response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica") self.assertEqual(len(response.context['page'].object_list),0) # indexes are stale, so no results from django.core import management # Lets recache this workgroup management.call_command('recache_workgroup_item_visibility', wg=[self.avengers_wg.pk], verbosity=0) response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica") self.assertEqual(len(response.context['page'].object_list),1) self.assertEqual(response.context['page'].object_list[0].object.item,steve_rogers) self.assertTrue(perms.user_can_view(self.registrar,response.context['page'].object_list[0].object))
def test_registrar_search(self): self.logout() response = self.client.post(reverse('django.contrib.auth.views.login'), {'username': '******', 'password': '******'}) self.assertEqual(response.status_code,302) # logged in self.assertTrue(perms.user_is_registrar(self.registrar,self.ra)) dp = models.ObjectClass.objects.create(name="deadpool", description="not really an xman, no matter how much he tries", workgroup=self.xmen_wg,readyToReview=False) dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache self.assertFalse(perms.user_can_view(self.registrar,dp)) self.assertFalse(dp.is_public()) response = self.client.get(reverse('aristotle:search')+"?q=xman") self.assertFalse(dp in [x.object for x in response.context['page'].object_list]) for i in response.context['page'].object_list: self.assertTrue(perms.user_can_view(self.registrar,i.object)) response = self.client.get(reverse('aristotle:search')+"?q=deadpool") self.assertEqual(len(response.context['page'].object_list),0) dp.readyToReview = True dp.save() dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache self.assertTrue(perms.user_can_view(self.registrar,dp)) # Stryker should be able to find items that are "ready for review" in his RA only. response = self.client.get(reverse('aristotle:search')+"?q=deadpool") self.assertEqual(len(response.context['page'].object_list),1) self.assertEqual(response.context['page'].object_list[0].object.item,dp) self.assertTrue(perms.user_can_view(self.registrar,response.context['page'].object_list[0].object))
def test_bulk_review_request_on_forbidden_items(self): self.login_viewer() self.assertTrue(perms.user_can_view(self.viewer, self.item1)) self.assertTrue(perms.user_can_view(self.viewer, self.item4)) self.assertTrue(models.ReviewRequest.objects.count() == 0) response = self.client.post( reverse('aristotle:bulk_action'), { 'bulkaction': 'aristotle_mdr.contrib.reviews.forms.RequestReviewBulkActionForm', 'items': [self.item1.id, self.item4.id], }, follow=True ) from urllib.parse import urlencode params = {'items': [self.item1.id, self.item4.id]} url = "{}?{}".format( reverse("aristotle_reviews:review_create"), urlencode(params, True) ) self.assertRedirects(response, url) self.assertContains(response, "items when registering metadata") self.assertTrue(self.item1 in response.context['form']['concepts'].initial) self.assertTrue(self.item4 in response.context['form']['concepts'].initial) self.assertTrue(len(response.context['form']['concepts'].initial) == 2)
def test_registrar_search_after_adding_new_ra_to_workgroup(self): self.logout() response = self.client.post(reverse('django.contrib.auth.views.login'), {'username': '******', 'password': '******'}) steve_rogers = models.ObjectClass.objects.get(name="captainAmerica") self.assertFalse(perms.user_can_view(self.registrar,steve_rogers)) steve_rogers.readyToReview = True steve_rogers.save() self.assertFalse(perms.user_can_view(self.registrar,steve_rogers)) response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica") self.assertEqual(len(response.context['page'].object_list),0) # Adding the registrars Authorities to the managing authorities of the workgroup # should grant them access to see item in that workgroup now. self.avengers_wg.registrationAuthorities.add(self.ra) self.avengers_wg.save() self.assertTrue(perms.user_can_view(self.registrar,steve_rogers)) response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica") self.assertEqual(len(response.context['page'].object_list),1) self.assertEqual(response.context['page'].object_list[0].object.item,steve_rogers) self.assertTrue(perms.user_can_view(self.registrar,response.context['page'].object_list[0].object))
def test_canViewProfile(self): u1 = User.objects.create_user('user1','','user1') u2 = User.objects.create_user('user2','','user2') self.assertFalse(perms.user_can_view(u1,u2)) self.assertFalse(perms.user_can_view(u2,u1)) self.assertTrue(perms.user_can_view(u1,u1)) self.assertTrue(perms.user_can_view(u2,u2))
def test_canViewProfile(self): u1 = get_user_model().objects.create_user('*****@*****.**','user1') u2 = get_user_model().objects.create_user('*****@*****.**','user2') self.assertFalse(perms.user_can_view(u1,u2)) self.assertFalse(perms.user_can_view(u2,u1)) self.assertTrue(perms.user_can_view(u1,u1)) self.assertTrue(perms.user_can_view(u2,u2))
def test_registrar_can_change_status(self): self.login_registrar() self.assertFalse(perms.user_can_view(self.registrar,self.item1)) self.item1.readyToReview = True self.item1.save() self.item1 = self.itemType.objects.get(pk=self.item1.pk) self.assertTrue(perms.user_can_view(self.registrar,self.item1)) self.assertTrue(perms.user_can_change_status(self.registrar,self.item1)) response = self.client.get(reverse('aristotle:changeStatus',args=[self.item1.id])) self.assertEqual(response.status_code,200) self.assertEqual(self.item1.statuses.count(),0) response = self.client.post(reverse('aristotle:changeStatus',args=[self.item1.id]), { 'registrationAuthorities': [str(self.ra.id)], 'state': self.ra.public_state, 'changeDetails': "testing", 'cascadeRegistration': 0, #no } ) self.assertRedirects(response,url_slugify_concept(self.item1)) self.item1 = self.itemType.objects.get(pk=self.item1.pk) self.assertEqual(self.item1.statuses.count(),1) self.assertTrue(self.item1.is_registered) self.assertTrue(self.item1.is_public())
def test_registrar_cannot_use_faulty_statuses(self): self.login_registrar() self.assertFalse(perms.user_can_view(self.registrar,self.item1)) self.item1.readyToReview = True self.item1.save() self.item1 = self.itemType.objects.get(pk=self.item1.pk) self.assertTrue(perms.user_can_view(self.registrar,self.item1)) self.assertTrue(perms.user_can_change_status(self.registrar,self.item1)) response = self.client.get(reverse('aristotle:changeStatus',args=[self.item1.id])) self.assertEqual(response.status_code,200) self.assertEqual(self.item1.statuses.count(),0) response = self.client.post(reverse('aristotle:changeStatus',args=[self.item1.id]), { 'registrationAuthorities': [str(self.ra.id)], 'state': "Not a number",#obviously wrong 'changeDetails': "testing", 'cascadeRegistration': 0, #no } ) self.assertFormError(response, 'form', 'state', 'Select a valid choice. Not a number is not one of the available choices.') response = self.client.post(reverse('aristotle:changeStatus',args=[self.item1.id]), { 'registrationAuthorities': [str(self.ra.id)], 'state': "343434", #also wrong 'changeDetails': "testing", 'cascadeRegistration': 0, #no } ) self.assertFormError(response, 'form', 'state', 'Select a valid choice. 343434 is not one of the available choices.')
def test_bulk_review_request_on_forbidden_items(self): self.login_viewer() self.assertTrue(perms.user_can_view(self.viewer, self.item1)) self.assertFalse(perms.user_can_view(self.viewer, self.item4)) self.assertTrue(models.ReviewRequest.objects.count() == 0) response = self.client.post( reverse('aristotle:bulk_action'), { 'bulkaction': 'request_review', 'state': 1, 'items': [self.item1.id, self.item4.id], 'registration_authority': self.ra.id, "message": "review these plz", 'confirmed': 'confirmed', } ) self.assertTrue(models.ReviewRequest.objects.count() == 1) review = models.ReviewRequest.objects.first() self.assertTrue(review.concepts.count() == 1) self.assertTrue(self.item1.concept in review.concepts.all()) self.assertFalse(self.item4.concept in review.concepts.all())
def resolver(cls, attname, default_value, root, info, **args): retval = getattr(root, attname, default_value) # If object is a django model if isinstance(retval, Model): if isinstance(retval, mdr_models._concept): # Use user_can_view to determine if we display if perms.user_can_view(info.context.user, retval): return retval else: return None if isinstance(retval, mdr_models.aristotleComponent): # Use user_can_view to determine if we display if perms.user_can_view(info.context.user, retval): return retval else: return None if isinstance(retval, mdr_models.RegistrationAuthority): if retval.is_visible: return retval else: return None return None elif isinstance(retval, Manager): # Need this for when related manager is returned when querying object.related_set # Can safely return restricted queryset queryset = retval.get_queryset() if queryset.model == slots_models.Slot: instance = getattr(retval, 'instance', None) if instance: return slots_models.Slot.objects.get_item_allowed(instance, info.context.user) else: return queryset.visible(info.context.user) if hasattr(queryset, 'visible'): return queryset.visible(info.context.user) if issubclass(queryset.model, mdr_models.aristotleComponent): return queryset return None elif isinstance(retval, QuerySet): # In case a queryset is returned if hasattr(retval, 'visible'): return retval.visible(info.context.user) if issubclass(retval.model, mdr_models.aristotleComponent): return retval return None return retval
def test_current_statuses_only_in_search_results_and_index(self): # See issue #327 self.logout() response = self.client.post(reverse('friendly_login'), {'username': '******', 'password': '******'}) self.assertEqual(response.status_code,302) # logged in self.assertTrue(perms.user_is_registrar(self.registrar,self.ra)) with reversion.create_revision(): dp = models.ObjectClass.objects.create(name="deadpool", definition="not really an xman, no matter how much he tries", workgroup=self.xmen_wg,readyToReview=True) dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache self.assertTrue(perms.user_can_view(self.registrar,dp)) self.assertFalse(dp.is_public()) from django.utils import timezone import datetime self.ra.register(dp,models.STATES.incomplete,self.registrar, registrationDate=timezone.now()+datetime.timedelta(days=-7) ) self.ra.register(dp,models.STATES.standard,self.registrar, registrationDate=timezone.now()+datetime.timedelta(days=-1) ) response = self.client.get(reverse('aristotle:search')+"?q=deadpool") self.assertEqual(len(response.context['page'].object_list),1) dp_result = response.context['page'].object_list[0] self.assertTrue(dp_result.object.name=="deadpool") self.assertTrue(len(dp_result.statuses) == 1) self.assertTrue(int(dp_result.statuses[0]) == int(models.STATES.standard))
def get_object(self): item = super(ConceptViewSet,self).get_object() request = self.request item = item.item if not perms.user_can_view(request.user, item): raise PermissionDenied else: return item
def removeDataElementFromDSS(request,de_id,dss_id): de = get_object_or_404(aristotle.models.DataElement,id=de_id) dss = get_object_or_404(aristotle_dse.models.DataSetSpecification,id=dss_id) if user_can_view(request.user,de) and user_can_edit(request.user,dss): dss.dataElements.filter(dataElement=de).delete() else: raise PermissionDenied return HttpResponseRedirect(reverse("aristotle_dse:%s"%dss.template_name(),args=[dss.id]))
def test_registrar_can_view(self): # make editor for wg1 r1 = User.objects.create_user("reggie", "", "reg") self.assertEqual(perms.user_can_view(r1, self.item), False) s = models.Status.objects.create( concept=self.item, registrationAuthority=self.ra, registrationDate=timezone.now(), state=self.ra.locked_state, ) self.assertEqual(perms.user_can_view(r1, self.item), False) # Caching issue, refresh from DB with correct permissions self.ra.giveRoleToUser("registrar", r1) r1 = User.objects.get(pk=r1.pk) self.assertEqual(perms.user_can_view(r1, self.item), True)
def clean_relatedItems(self): """ Attempting to add items you don't have permission to will silently fail. Its unlikely to happen in normal use. """ relatedItems = self.cleaned_data['relatedItems'] relatedItems = [i for i in relatedItems if user_can_view(self.user, i)] return relatedItems
def bulkFavourite(request,url="aristotle:userFavourites"): print request.GET.getlist('favourites',[]) for item in request.GET.getlist('favourites',[]): item = get_or_none(MDR.trebleObject,id=int(item)) if item and user_can_view(request.user,item): request.user.profile.favourites.add(item) getVars = request.GET.copy() if 'favourites' in getVars.keys(): getVars.pop('favourites') if 'addFavourites' in getVars.keys(): getVars.pop('addFavourites') return HttpResponseRedirect(reverse(url)+'?'+urllib.urlencode(getVars))
def make_review_request(self, item, user, requester=None): if not requester: requester = self.su self.assertFalse(perms.user_can_view(user,item)) item.save() item = item.__class__.objects.get(pk=item.pk) review = ReviewRequest.objects.create( requester=requester,registration_authority=self.ra, target_registration_state=self.ra.public_state, due_date=datetime.date(2010,1,1), registration_date=datetime.date(2010,1,1) ) review.concepts.add(item) self.assertTrue(perms.user_can_view(user,item)) self.assertTrue(perms.user_can_change_status(user,item)) return review
def test_registrar_search_after_adding_new_status_request(self): self.logout() response = self.client.post(reverse('friendly_login'), {'username': '******', 'password': '******'}) steve_rogers = models.ObjectClass.objects.get(name="captainAmerica") self.assertFalse(perms.user_can_view(self.registrar,steve_rogers)) with reversion.create_revision(): steve_rogers.save() self.make_review_request(steve_rogers, self.registrar) self.assertTrue(perms.user_can_view(self.registrar,steve_rogers)) response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica") self.assertEqual(len(response.context['page'].object_list),1) self.assertEqual(response.context['page'].object_list[0].object.item,steve_rogers) self.assertTrue(perms.user_can_view(self.registrar,response.context['page'].object_list[0].object))
def toggleFavourite(request, iid): item = get_object_or_404(MDR._concept,pk=iid).item if not user_can_view(request.user, item): if request.user.is_anonymous(): return redirect(reverse('django.contrib.auth.views.login')+'?next=%s' % request.path) else: raise PermissionDenied request.user.profile.toggleFavourite(item) if request.GET.get('next',None): return redirect(request.GET.get('next')) return redirect(url_slugify_concept(item))
def has_object_permission(self, request, view, obj): # Safe methods are GET, HEAD and OPTIONS if request.method in SAFE_METHODS: return perms.user_can_view(request.user, obj) elif request.method in ['PUT', 'PATCH']: return perms.user_can_edit(request.user, obj) elif request.method == 'DELETE': return obj.can_delete(request.user) return False
def test_registrar_can_view(self): # set up ra = models.RegistrationAuthority.objects.create(name="Test RA") # make editor for wg1 r1 = User.objects.create_user('reg','','reg') self.assertEqual(perms.user_can_view(r1,self.item),False) s = models.Status.objects.create( concept=self.item, registrationAuthority=ra, registrationDate=timezone.now(), state=ra.locked_state ) self.assertEqual(perms.user_can_view(r1,self.item),False) # Caching issue, refresh from DB with correct permissions ra.giveRoleToUser('Registrar',r1) r1 = User.objects.get(pk=r1.pk) self.assertEqual(perms.user_can_view(r1,self.item),True)
def make_changes(self): items = self.cleaned_data.get('items') bad_items = [str(i.id) for i in items if not user_can_view(self.user, i)] items = items.visible(self.user) self.user.profile.favourites.add(*items) return _( "%(num_items)s items favourited. \n" "Some items failed, they had the id's: %(bad_ids)s" ) % { 'num_items': len(items), 'bad_ids': ",".join(bad_items) }
def test_registrar_search_after_adding_new_status_request(self): self.logout() response = self.client.post(reverse('friendly_login'), {'username': '******', 'password': '******'}) steve_rogers = models.ObjectClass.objects.get(name="captainAmerica") self.assertFalse(perms.user_can_view(self.registrar,steve_rogers)) review = models.ReviewRequest.objects.create(requester=self.su,registration_authority=self.ra) review.concepts.add(steve_rogers) with reversion.create_revision(): steve_rogers.save() review = models.ReviewRequest.objects.create(requester=self.su,registration_authority=self.ra) review.concepts.add(steve_rogers) self.assertTrue(perms.user_can_view(self.registrar,steve_rogers)) response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica") self.assertEqual(len(response.context['page'].object_list),1) self.assertEqual(response.context['page'].object_list[0].object.item,steve_rogers) self.assertTrue(perms.user_can_view(self.registrar,response.context['page'].object_list[0].object))
def can_view(item, user): """ A filter that acts as a wrapper around ``aristotle_mdr.perms.user_can_view``. Returns true if the user has permission to view the item, otherwise it returns False. If calling ``user_can_view`` throws an exception it safely returns False. For example:: {% if myItem|can_view:request.user %} {{ item }} {% endif %} """ return perms.user_can_view(user, item)
def get_item(self, user): item_id = self.kwargs.get(self.item_id_arg, None) if item_id is None: raise Http404 try: item = _concept.objects.get(id=item_id) except _concept.DoesNotExist: raise Http404 if not user_can_view(user, item): raise PermissionDenied return item
def test_managersCanEditWorkgroups(self): wg = models.Workgroup.objects.create(name="Test WG 1") user1 = User.objects.create_user('manager','','manager') user2 = User.objects.create_user('viewer','','viewer') wg.managers.add(user1) wg.viewers.add(user2) wg.save() wg = models.Workgroup.objects.get(pk=wg.id) self.assertTrue(perms.user_in_workgroup(user1,wg)) self.assertTrue(perms.user_in_workgroup(user2,wg)) self.assertTrue(perms.user_can_view(user2,wg)) self.assertTrue(perms.user_can_view(user1,wg)) self.assertTrue(perms.user_can_edit(user1,wg)) self.assertFalse(perms.user_can_edit(user2,wg)) wg.removeUser(user1) wg.removeUser(user2) # Caching issue, refresh from DB with correct permissions user1 = User.objects.get(pk=user1.pk) user2 = User.objects.get(pk=user2.pk) self.assertFalse(perms.user_can_edit(user1,wg)) self.assertFalse(perms.user_can_edit(user2,wg))
def test_object_editor_can_view(self): # set up ra = models.RegistrationAuthority.objects.create(name="Test RA") # make editor for wg1 wg1 = models.Workgroup.objects.create(name="Test WG 1") e1 = User.objects.create_user('editor1','','editor1') wg1.giveRoleToUser('Editor',e1) # make editor for wg2 wg2 = models.Workgroup.objects.create(name="Test WG 2") e2 = User.objects.create_user('editor2','','editor2') wg2.giveRoleToUser('Editor',e2) # make an Object Class in wg1 oc = self.item self.item.workgroup = wg1 self.item.save() # test editor 1 can view, editor 2 cannot self.assertEqual(perms.user_can_view(e1,self.item),True) self.assertEqual(perms.user_can_view(e2,self.item),False) # move Object Class to wg2 self.item.workgroup = wg2 self.item.save() # test editor 2 can view, editor 1 cannot self.assertEqual(perms.user_can_view(e2,self.item),True) self.assertEqual(perms.user_can_view(e1,self.item),False) s = models.Status.objects.create( concept=self.item, registrationAuthority=ra, registrationDate=timezone.now(), state=ra.locked_state ) # Editor 2 can view. Editor 1 cannot self.assertEqual(perms.user_can_view(e2,self.item),True) self.assertEqual(perms.user_can_view(e1,self.item),False) # Set status to a public state s.state = ra.public_state s.save() # Both can view, neither can edit. self.assertEqual(perms.user_can_view(e1,self.item),True) self.assertEqual(perms.user_can_view(e2,self.item),True)
def test_visibility_restriction_facets(self): # See issue #351 self.logout() response = self.client.get(reverse('aristotle:search')+"?q=xman") self.assertTrue('Restriction' not in response.content) response = self.client.post(reverse('friendly_login'), {'username': '******', 'password': '******'}) self.assertEqual(response.status_code,302) # logged in self.assertTrue(perms.user_is_registrar(self.registrar,self.ra)) with reversion.create_revision(): dp = models.ObjectClass.objects.create(name="deadpool", definition="not really an xman, no matter how much he tries", workgroup=self.xmen_wg) review = models.ReviewRequest.objects.create(requester=self.su,registration_authority=self.ra) review.concepts.add(dp) dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache self.assertTrue(perms.user_can_view(self.registrar,dp)) self.assertFalse(dp.is_public()) from django.utils import timezone import datetime self.ra.register(dp,models.STATES.candidate,self.registrar, registrationDate=timezone.now()+datetime.timedelta(days=-7) ) response = self.client.get(reverse('aristotle:search')+"?q=xman") self.assertTrue('Restriction' in response.content) response = self.client.get(reverse('aristotle:search')+"?q=xman&res=1") self.assertTrue('Restriction' not in response.content) self.assertTrue('Item visibility state is Locked' in response.content) self.assertEqual(len(response.context['page'].object_list),1) dp_result = response.context['page'].object_list[0] self.assertTrue(dp_result.object.name=="deadpool") self.assertTrue(len(dp_result.statuses) == 1) self.assertTrue(dp_result.object.is_locked()) self.assertFalse(dp_result.object.is_public()) self.assertTrue(int(dp_result.statuses[0]) == int(models.STATES.candidate))
def perform_deletion(self): de_id = self.kwargs['de_id'] dss_id = self.kwargs['dss_id'] de = get_object_or_404(aristotle.models.DataElement, id=de_id) dss = get_object_or_404(aristotle_dse.models.DataSetSpecification, id=dss_id) if user_can_view(self.request.user, de) and user_can_edit(self.request.user, dss): dss.dssdeinclusion_set.filter(data_element=de).delete() messages.success( self.request, _('The Data Element "%(de_name)s" was removed from the dataset "%(dss_name)s".') % { "de_name": de.name, "dss_name": dss.name } ) else: raise PermissionDenied
def test_object_submitter_can_view(self): # make editor for wg1 wg1 = models.Workgroup.objects.create(name="Test WG 1") e1 = User.objects.create_user("editor1", "", "editor1") wg1.giveRoleToUser("submitter", e1) # make editor for wg2 wg2 = models.Workgroup.objects.create(name="Test WG 2") e2 = User.objects.create_user("editor2", "", "editor2") wg2.giveRoleToUser("submitter", e2) wg1.registrationAuthorities.add(self.ra) wg2.registrationAuthorities.add(self.ra) # ensure object is in wg1 self.item.workgroup = wg1 self.item.save() # test editor 1 can view, editor 2 cannot self.assertEqual(perms.user_can_view(e1, self.item), True) self.assertEqual(perms.user_can_view(e2, self.item), False) # move object to wg2 self.item.workgroup = wg2 self.item.save() # test editor 2 can view, editor 1 cannot self.assertEqual(perms.user_can_view(e2, self.item), True) self.assertEqual(perms.user_can_view(e1, self.item), False) s = models.Status.objects.create( concept=self.item, registrationAuthority=self.ra, registrationDate=timezone.now(), state=self.ra.locked_state, ) # Editor 2 can view. Editor 1 cannot self.assertEqual(perms.user_can_view(e2, self.item), True) self.assertEqual(perms.user_can_view(e1, self.item), False) # Set status to a public state s.state = self.ra.public_state s.save() # Both can view, neither can edit. self.assertEqual(perms.user_can_view(e1, self.item), True) self.assertEqual(perms.user_can_view(e2, self.item), True)
def perform_deletion(self): de_id = self.kwargs['de_id'] dss_id = self.kwargs['dss_id'] de = get_object_or_404(aristotle_models.DataElement, id=de_id) dss = get_object_or_404(models.DataSetSpecification, id=dss_id) if user_can_view(self.request.user, de) and user_can_edit( self.request.user, dss): with reversion.revisions.create_revision(): dss.dssdeinclusion_set.filter(data_element=de).delete() dss.save() reversion.set_comment('Removed {}'.format(de.name)) messages.success( self.request, _('The Data Element "%(de_name)s" was removed from the dataset "%(dss_name)s".' ) % { "de_name": de.name, "dss_name": dss.name }) else: raise PermissionDenied
def perform_deletion(self): cluster_id = self.kwargs['cluster_id'] dss_id = self.kwargs['dss_id'] cluster = get_object_or_404(models.DataSetSpecification, id=cluster_id) dss = get_object_or_404(models.DataSetSpecification, id=dss_id) if user_can_view(self.request.user, cluster) and user_can_edit( self.request.user, dss): with reversion.revisions.create_revision(): dss.dssclusterinclusion_set.filter(child=cluster).delete() dss.save() reversion.set_comment('Removed {}'.format(cluster.name)) messages.success( self.request, _('The cluster "%(cl_name)s" was removed from the dataset "%(dss_name)s".' ) % { "cl_name": cluster.name, "dss_name": dss.name }) else: raise PermissionDenied
def test_object_submitter_can_edit(self): registrar = User.objects.create_user('registrar', '', 'registrar') self.ra.registrars.add(registrar) # make editor for wg1 wg1 = models.Workgroup.objects.create(name="Test WG 1") e1 = User.objects.create_user('editor1', '', 'editor1') wg1.giveRoleToUser('submitter', e1) # make editor for wg2 wg2 = models.Workgroup.objects.create(name="Test WG 2") e2 = User.objects.create_user('editor2', '', 'editor2') wg2.giveRoleToUser('submitter', e2) wg1.registrationAuthorities.add(self.ra) wg2.registrationAuthorities.add(self.ra) # ensure object is in wg1 self.item.workgroup = wg1 self.item.save() # test editor 1 can edit, editor 2 cannot self.assertEqual(perms.user_can_edit(e1, self.item), True) self.assertEqual(perms.user_can_edit(e2, self.item), False) # move Object Class to wg2 self.item.workgroup = wg2 self.item.save() # test editor 2 can edit, editor 1 cannot self.assertEqual(perms.user_can_edit(e2, self.item), True) self.assertEqual(perms.user_can_edit(e1, self.item), False) # self.ra.register(self.item,self.ra.locked_state,registrar,timezone.now(),) s = models.Status.objects.create(concept=self.item, registrationAuthority=self.ra, registrationDate=timezone.now(), state=self.ra.locked_state) # Editor 2 can no longer edit. Neither can Editor 1 self.assertEqual(perms.user_can_edit(e2, self.item), False) self.assertEqual(perms.user_can_view(e1, self.item), False)
def test_current_statuses_only_in_search_results_and_index(self): # See issue #327 self.logout() response = self.client.post(reverse('friendly_login'), {'username': '******', 'password': '******'}) self.assertEqual(response.status_code,302) # logged in self.assertTrue(perms.user_is_registrar(self.registrar,self.ra)) with reversion.create_revision(): dp = models.ObjectClass.objects.create(name="deadpool", definition="not really an xman, no matter how much he tries", workgroup=self.xmen_wg) review = models.ReviewRequest.objects.create( requester=self.su,registration_authority=self.ra, state=self.ra.public_state, registration_date=datetime.date(2010,1,1) ) review.concepts.add(dp) dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache self.assertTrue(perms.user_can_view(self.registrar,dp)) self.assertFalse(dp.is_public()) self.ra.register(dp,models.STATES.incomplete,self.registrar, registrationDate=timezone.now()+datetime.timedelta(days=-7) ) self.ra.register(dp,models.STATES.standard,self.registrar, registrationDate=timezone.now()+datetime.timedelta(days=-1) ) response = self.client.get(reverse('aristotle:search')+"?q=deadpool") self.assertEqual(len(response.context['page'].object_list),1) dp_result = response.context['page'].object_list[0] self.assertTrue(dp_result.object.name=="deadpool") self.assertTrue(len(dp_result.statuses) == 1) self.assertTrue(int(dp_result.statuses[0]) == int(models.STATES.standard))
def make_changes(self): items = self.items_to_change items = items.visible(self.user) fav_tag, created = fav_models.Tag.objects.get_or_create( profile=self.user.profile, primary=True, ) num_items = 0 bad_items = [] for item in items: if not user_can_view(self.user, item): bad_items.append(str(item.id)) else: favourite, created = fav_models.Favourite.objects.get_or_create( tag=fav_tag, item=item) if created: num_items += 1 message_text = "{0} items favourited.".format(num_items) return _(message_text)
def test_can_view_cache(self): self.viewer = User.objects.create_user('vicky', '', 'viewer') # Don't need to assign any workgroups self.assertTrue(perms.user_can_view(self.submitter, self.item)) self.assertFalse(perms.user_can_view(self.viewer, self.item)) self.item.definition = "edit name, then quickly check permission" self.item.save() self.assertTrue(perms.user_can_view(self.submitter, self.item)) self.assertFalse(perms.user_can_view(self.viewer, self.item)) self.item.definition = "edit name, then wait 30 secs for 'recently edited to expire'" self.item.save() sleep(models.VERY_RECENTLY_SECONDS + 2) self.assertTrue(perms.user_can_view(self.submitter, self.item)) self.assertFalse(perms.user_can_view(self.viewer, self.item)) # register then immediately check the permissions to make sure the cache is ignored # technically we haven't edited the item yet, although ``concept.recache_states`` will be called. reg, c = models.Status.objects.get_or_create( concept=self.item, registrationAuthority=self.ra, registrationDate=datetime.date(2009, 04, 28), state=models.STATES.standard ) self.assertTrue(perms.user_can_view(self.submitter, self.item)) self.assertTrue(perms.user_can_view(self.viewer, self.item))
def resolver(cls, attname, default_value, root, info, **args): retval = getattr(root, attname, default_value) # If object is a django model if isinstance(retval, Model): if isinstance(retval, mdr_models._concept): # Use user_can_view to determine if we display if perms.user_can_view(info.context.user, retval): return retval return None elif isinstance(retval, Manager): # Need this for when related manager is returned when querying object.related_set # Can safely return restricted queryset queryset = retval.get_queryset() if queryset.model == slots_models.Slot: instance = getattr(retval, 'instance', None) if instance: return get_allowed_slots(instance, info.context.user) else: return filter_slot_perms(queryset, info.context.user) if hasattr(queryset, 'visible'): return queryset.visible(info.context.user) elif isinstance(retval, QuerySet): # In case a queryset is returned if hasattr(retval, 'visible'): return retval.visible(info.context.user) else: return retval return retval
def test_workgroup_member_search_has_valid_facets(self): self.logout() self.viewer = get_user_model().objects.create_user('charles.xavier','*****@*****.**','equalRightsForAll') response = self.client.post(reverse('friendly_login'), {'username': '******', 'password': '******'}) self.assertEqual(response.status_code,302) # logged in self.xmen_wg.giveRoleToUser('viewer',self.viewer) self.weaponx_wg = models.Workgroup.objects.create(name="WeaponX") response = self.client.post(reverse('friendly_login'), {'username': '******', 'password': '******'}) self.assertEqual(response.status_code,302) # logged in #Create Deadpool in Weapon X workgroup with reversion.create_revision(): dp = models.ObjectClass.objects.create(name="deadpool", definition="not really an xman, no matter how much he tries", workgroup=self.weaponx_wg) dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache self.assertFalse(perms.user_can_view(self.viewer,dp)) self.assertFalse(dp.is_public()) response = self.client.get(reverse('aristotle:search')+"?q=xman") self.assertEqual(response.status_code,200) facets = response.context['form'].facets['fields'] self.assertTrue('restriction' in facets.keys()) self.assertTrue('facet_model_ct' in facets.keys()) self.assertTrue('statuses' in facets.keys()) self.assertTrue('workgroup' in facets.keys()) for wg, count in facets['workgroup']: wg = models.Workgroup.objects.get(pk=wg) self.assertTrue(perms.user_in_workgroup(self.viewer,wg))
def resolver(cls, attname, default_value, root, info, **args): retval = getattr(root, attname, default_value) # If object is a django model if isinstance(retval, Model): # Use user_can_view to determine if we display if perms.user_can_view(info.context.user, retval): return retval else: return None elif isinstance(retval, Manager): # Need this for when related manager is returned when querying object.related_set # Can safely return restricted queryset return retval.get_queryset().visible(info.context.user) elif isinstance(retval, QuerySet): # In case a queryset is returned return retval.visible(info.context.user) return retval
def test_user_can_view_efficiency(self): # Currently 2 because of is_registrar check with self.assertNumQueries(2): perms.user_can_view(self.editor, self.oc)
def get(self, request, pk, format=None): relational_attr = self.get_object() seen_items_ids = set() # queue = collections.deque([relational_attr]) nodes = [] edges = [] source_item = ConceptSerializer(relational_attr).data source_item["type"] = self.split_camel_case(relational_attr.__class__.__name__) source_item["node_options"] = { "shape": "ellipse", "borderWidth": 2, "margin": 3, "font": {"size": 15} } nodes.append(source_item) if hasattr(relational_attr, 'relational_attributes'): for queryset in relational_attr.relational_attributes.values(): for related_concept in queryset['qs']: related_item = related_concept.item if perms.user_can_view(self.request.user, related_item): serialized_item = ConceptSerializer(related_item).data serialized_item["type"] = self.split_camel_case(related_item.__class__.__name__) if serialized_item["id"] not in seen_items_ids and len(nodes) < settings.MAXIMUM_NUMBER_OF_NODES_IN_GRAPHS: nodes.append(serialized_item) if is_active_extension("comet"): from comet.models import Indicator, IndicatorSet # Change the direction of arrows from Indicator to Indicator Set: if isinstance(relational_attr, IndicatorSet) and isinstance(relational_attr, Indicator): edges.append(({"from": relational_attr.id, "to": serialized_item["id"]})) else: edges.append(({"from": serialized_item["id"], "to": relational_attr.id})) else: edges.append(({"from": serialized_item["id"], "to": relational_attr.id})) seen_items_ids.add(serialized_item["id"]) for field in relational_attr._meta.get_fields(): if field.is_relation and field.many_to_one and issubclass(field.related_model, concept): related_concept_instance = getattr(relational_attr, field.name) if related_concept_instance is not None: related_concept_instance = related_concept_instance.item if perms.user_can_view(self.request.user, related_concept_instance): serialised_concept = ConceptSerializer(related_concept_instance).data serialised_concept["type"] = self.split_camel_case(str(type(related_concept_instance))) if serialised_concept["id"] not in seen_items_ids and len(nodes) < settings.MAXIMUM_NUMBER_OF_NODES_IN_GRAPHS: nodes.append(serialised_concept) edges.append({"from": relational_attr.id, "to": serialised_concept["id"]}) seen_items_ids.add(serialised_concept["id"]) if field.is_relation and field.one_to_many and issubclass(field.related_model, aristotleComponent): for aris_comp_field in field.related_model._meta.get_fields(): if aris_comp_field.is_relation and aris_comp_field.many_to_one and\ issubclass(aris_comp_field.related_model, concept) and aris_comp_field.related_model != type(relational_attr): queryset = getattr(relational_attr, field.get_accessor_name()).all() for component in queryset: component_instance = getattr(component, aris_comp_field.name) if component_instance is not None: serialised_concept_instance = ConceptSerializer(component_instance).data serialised_concept_instance["type"] = self.split_camel_case(component_instance.__class__.__name__) if serialised_concept_instance["id"] not in seen_items_ids and len(nodes) < settings.MAXIMUM_NUMBER_OF_NODES_IN_GRAPHS: nodes.append(serialised_concept_instance) edges.append({"from": serialised_concept_instance["id"], "to": relational_attr.id}) seen_items_ids.add(serialised_concept_instance["id"]) json_response = {'nodes': nodes, 'edges': edges} return Response( json_response, status=status.HTTP_200_OK )
def get(self, request, pk, format=None): item = self.get_object() seen_items_ids = set() # queue = collections.deque([item]) nodes = [] edges = [] source_item = ConceptSerializer(item).data source_item["type"] = self.camel_case_split(item.__class__.__name__) source_item["node_options"] = { "shape": "ellipse", "borderWidth": 2, "margin": 3, "font": { "size": 15 } } nodes.append(source_item) if hasattr(item, 'relational_attributes'): for d in item.relational_attributes.values(): for rel_attr in d['qs']: if perms.user_can_view(self.request.user, rel_attr): serialised_rel_attr = ConceptSerializer(rel_attr).data serialised_rel_attr["type"] = self.camel_case_split( rel_attr.__class__.__name__) if serialised_rel_attr["id"] not in seen_items_ids and len( nodes ) < settings.MAXIMUM_NUMBER_OF_NODES_IN_GENERAL_GRAPHICAL_REPRESENTATION: nodes.append(serialised_rel_attr) edges.append(({ "from": serialised_rel_attr["id"], "to": item.id })) seen_items_ids.add(serialised_rel_attr["id"]) for field in item._meta.get_fields(): if field.is_relation and field.many_to_one and issubclass( field.related_model, concept): related_concept_instance = getattr(item, field.name) if related_concept_instance is not None: if perms.user_can_view(self.request.user, related_concept_instance): serialised_concept = ConceptSerializer( related_concept_instance).data serialised_concept["type"] = self.camel_case_split( related_concept_instance.__class__.__name__) if serialised_concept["id"] not in seen_items_ids and len( nodes ) < settings.MAXIMUM_NUMBER_OF_NODES_IN_GENERAL_GRAPHICAL_REPRESENTATION: nodes.append(serialised_concept) edges.append({ "from": item.id, "to": serialised_concept["id"] }) seen_items_ids.add(serialised_concept["id"]) if field.is_relation and field.one_to_many and issubclass( field.related_model, aristotleComponent): for aris_comp_field in field.related_model._meta.get_fields(): if aris_comp_field.is_relation and aris_comp_field.many_to_one and\ issubclass(aris_comp_field.related_model, concept) and aris_comp_field.related_model != type(item): queryset = getattr(item, field.get_accessor_name()).all() for component in queryset: component_instance = getattr( component, aris_comp_field.name) if component_instance is not None: serialised_concept_instance = ConceptSerializer( component_instance).data serialised_concept_instance[ "type"] = self.camel_case_split( component_instance.__class__.__name__) if serialised_concept_instance[ "id"] not in seen_items_ids and len( nodes ) < settings.MAXIMUM_NUMBER_OF_NODES_IN_GENERAL_GRAPHICAL_REPRESENTATION: nodes.append(serialised_concept_instance) edges.append({ "from": serialised_concept_instance["id"], "to": item.id }) seen_items_ids.add( serialised_concept_instance["id"]) json_response = {'nodes': nodes, 'edges': edges} return Response(json_response, status=status.HTTP_200_OK)
def check_item(self, item): # Will 403 when user cant view the item return user_can_view(self.request.user, item)
def test_can_view(self): self.assertTrue(perms.user_can_view(self.su,None))
def get_object(self, queryset=None): item = super().get_object(queryset) if not user_can_view(self.request.user, item): raise PermissionDenied self.model = item.item.__class__ # Get the subclassed object return item
def get_object(self): id = self.kwargs[self.pk_url_kwarg] obj = get_object_or_404(self.model, pk=id).item if not perms.user_can_view(self.request.user, obj): raise PermissionDenied return obj
def get_object(self): item = super(ConceptViewSet, self).get_object().item if not perms.user_can_view(self.request.user, item): raise PermissionDenied else: return item
def has_object_permission(self, request, view, obj): if request.method in self.can_view_methods: return perms.user_can_view(request.user, obj) else: return perms.user_can_edit(request.user, obj)
def validate_issue(self, value): if not user_can_view(self.context['request'].user, value): raise serializers.ValidationError( 'You don\'t have permission to comment on this issue') return value
def check_object_permissions(self, request, obj): item = obj.item if not perms.user_can_view(request.user, item): raise PermissionDenied else: return obj
def clean_dataElements(self): dataElements = self.cleaned_data['dataElements'] cleaned = [de for de in dataElements if user_can_view(self.user, de)] return cleaned
def clean_dataElements(self): clusters = self.cleaned_data['clusters'] cleaned = [dss for dss in clusters if user_can_view(self.user, dss)] return cleaned
def test_workgroup_member_search(self): self.logout() self.viewer = User.objects.create_user( 'charles.xavier', '*****@*****.**', 'equalRightsForAll') self.weaponx_wg = models.Workgroup.objects.create(name="WeaponX") response = self.client.post(reverse('friendly_login'), { 'username': '******', 'password': '******' }) self.assertEqual(response.status_code, 302) # logged in #Charles is not in any workgroups self.assertFalse(perms.user_in_workgroup(self.viewer, self.xmen_wg)) self.assertFalse(perms.user_in_workgroup(self.viewer, self.weaponx_wg)) #Create Deadpool in Weapon X workgroup with reversion.create_revision(): dp = models.ObjectClass.objects.create( name="deadpool", definition="not really an xman, no matter how much he tries", workgroup=self.weaponx_wg, readyToReview=False) dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache self.assertFalse(perms.user_can_view(self.viewer, dp)) self.assertFalse(dp.is_public()) # Charles isn't a viewer of X-men yet, so no results. from aristotle_mdr.forms.search import PermissionSearchQuerySet psqs = PermissionSearchQuerySet() psqs = psqs.auto_query('deadpool').apply_permission_checks(self.viewer) self.assertEqual(len(psqs), 0) #response = self.client.get(reverse('aristotle:search')+"?q=deadpool") #self.assertEqual(len(response.context['page'].object_list),0) # Make viewer of XMen self.xmen_wg.giveRoleToUser('viewer', self.viewer) self.assertFalse(perms.user_can_view(self.viewer, dp)) # Deadpool isn't an Xman yet, still no results. psqs = PermissionSearchQuerySet() psqs = psqs.auto_query('deadpool').apply_permission_checks(self.viewer) self.assertEqual(len(psqs), 0) with reversion.create_revision(): dp.workgroup = self.xmen_wg dp.save() dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache # Charles is a viewer, Deadpool is in X-men, should have results now. psqs = PermissionSearchQuerySet() psqs = psqs.auto_query('deadpool').apply_permission_checks(self.viewer) self.assertEqual(len(psqs), 1) response = self.client.get(reverse('aristotle:search') + "?q=deadpool") self.assertTrue(perms.user_can_view(self.viewer, dp)) self.assertEqual(len(response.context['page'].object_list), 1) self.assertEqual(response.context['page'].object_list[0].object.item, dp) # Take away Charles viewing rights and no results again. self.xmen_wg.removeRoleFromUser('viewer', self.viewer) psqs = PermissionSearchQuerySet() psqs = psqs.auto_query('deadpool').apply_permission_checks(self.viewer) self.assertEqual(len(psqs), 0) response = self.client.get(reverse('aristotle:search') + "?q=deadpool") self.assertEqual(len(response.context['page'].object_list), 0)
def check_item(self, item): return user_can_view(self.request.user, item)
def get_if_user_can_view(objtype, user, iid): item = get_object_or_404(objtype, pk=iid) if user_can_view(user, item): return item else: return False
def resolver(cls, attname, default_value, root, info, **args): retval = getattr(root, attname, default_value) # If object is a django model if isinstance(retval, Model): if isinstance(retval, mdr_models._concept): # Use user_can_view to determine if we display if perms.user_can_view(info.context.user, retval): return retval else: return None if isinstance(retval, mdr_models.aristotleComponent): # Use user_can_view to determine if we display if perms.user_can_view(info.context.user, retval): return retval else: return None if isinstance(retval, mdr_models.RegistrationAuthority): if retval.is_visible: return retval else: return None if type(retval) in cls.allowed_models: return retval return None elif isinstance(retval, Manager): # Need this for when related manager is returned when querying object.related_set # Can safely return restricted queryset queryset = retval.get_queryset() # We need to check permissions for Organisations depending on the authentication of the user: if queryset.model == mdr_models.RecordRelation: return queryset if queryset.model == slots_models.Slot: instance = getattr(retval, 'instance', None) if instance: return slots_models.Slot.objects.get_item_allowed( instance, info.context.user) else: return queryset.visible(info.context.user) if queryset.model == cf_models.CustomValue: instance = getattr(retval, 'instance', None) if instance: return cf_models.CustomValue.objects.get_item_allowed( instance, info.context.user) else: return queryset.visible(info.context.user) if hasattr(queryset, 'visible'): return queryset.visible(info.context.user) if queryset.model in (link_models.Link, link_models.LinkEnd): return queryset if issubclass(queryset.model, mdr_models.aristotleComponent): return queryset return queryset.none() elif isinstance(retval, QuerySet): # In case a queryset is returned if hasattr(retval, 'visible'): return retval.visible(info.context.user) if issubclass(retval.model, mdr_models.aristotleComponent): return retval return retval.none() return retval
def validate_item(self, value): if not user_can_view(self.context['request'].user, value): raise serializers.ValidationError( 'You don\'t have permission to create an issue against this item' ) return value