def test_deid_permission(self): self.assertFalse(user_can_view_deid_exports(self.domain, self.web_user)) self.permissions = Permissions(view_report_list=[DEID_EXPORT_PERMISSION]) self.assertTrue( self.permissions.has(get_permission_name(Permissions.view_report), data=DEID_EXPORT_PERMISSION)) self.assertTrue( self.web_user.has_permission( self.domain, get_permission_name(Permissions.view_report), data=DEID_EXPORT_PERMISSION) ) self.assertTrue(user_can_view_deid_exports(self.domain, self.web_user))
def test_deid_permission(self): self.assertFalse(user_can_view_deid_exports(self.domain, self.web_user)) self.permissions = Permissions(view_report_list=[DEID_EXPORT_PERMISSION]) self.assertTrue( self.permissions.has(get_permission_name(Permissions.view_report), data=DEID_EXPORT_PERMISSION)) self.assertTrue( self.web_user.has_permission( self.domain, get_permission_name(Permissions.view_report), data=DEID_EXPORT_PERMISSION) ) self.assertTrue(user_can_view_deid_exports(self.domain, self.web_user))
def has_permission_to_view_report(couch_user, domain, report_to_check): from corehq.apps.users.decorators import get_permission_name from corehq.apps.users.models import Permissions return couch_user.has_permission(domain, get_permission_name( Permissions.view_report), data=report_to_check)
def user_can_view_deid_exports(domain, couch_user): return (domain_has_privilege(domain, privileges.DEIDENTIFIED_DATA) and couch_user.has_permission( domain, get_permission_name(Permissions.view_report), data=DEID_EXPORT_PERMISSION ))
def main_context(self): main_context = super(BillingModalsMixin, self).main_context if self.request.couch_user and self.request.couch_user.has_permission( self.domain, get_permission_name(Permissions.edit_billing)): main_context.update(self._downgrade_modal_context) main_context.update(self._low_credits_context) return main_context
def has_view_permissions(self): if self.form_or_case == "form": report_to_check = FORM_EXPORT_PERMISSION elif self.form_or_case == "case": report_to_check = CASE_EXPORT_PERMISSION return self.request.couch_user.can_view_reports() or self.request.couch_user.has_permission( self.domain, get_permission_name(Permissions.view_report), data=report_to_check )
def main_context(self): main_context = super(BillingModalsMixin, self).main_context if self.request.couch_user and self.request.couch_user.has_permission( self.domain, get_permission_name(Permissions.edit_billing) ): main_context.update(self._downgrade_modal_context) main_context.update(self._low_credits_context) return main_context
def _should_display_billing_modals(self): return ( self.request.couch_user and not self.request.couch_user.is_superuser and self.request.couch_user.has_permission( self.domain, get_permission_name(Permissions.edit_billing) ) )
def _can_manage_releases_for_all_apps(couch_user, domain): from corehq.apps.users.decorators import get_permission_name from corehq.apps.users.models import Permissions restricted_app_release = toggles.RESTRICT_APP_RELEASE.enabled(domain) if not restricted_app_release: return True return couch_user.has_permission(domain, get_permission_name( Permissions.manage_releases), restrict_global_admin=True)
def has_permission_to_view_report(couch_user, domain, report_to_check): from corehq.apps.users.decorators import get_permission_name from corehq.apps.users.models import Permissions return ( couch_user.can_view_reports(domain) or couch_user.has_permission( domain, get_permission_name(Permissions.view_report), data=report_to_check ) )
def can_manage_releases(couch_user, domain, app_id): from corehq.apps.users.decorators import get_permission_name from corehq.apps.users.models import Permissions restricted_app_release = toggles.RESTRICT_APP_RELEASE.enabled(domain) if not restricted_app_release: return True role = couch_user.get_role(domain) return (couch_user.has_permission(domain, get_permission_name( Permissions.manage_releases), restrict_global_admin=True) or app_id in role.permissions.manage_releases_list)
def can_manage_releases(couch_user, domain, app_id): from corehq.apps.users.decorators import get_permission_name from corehq.apps.users.models import Permissions restricted_app_release = toggles.RESTRICT_APP_RELEASE.enabled(domain) if not restricted_app_release: return True role = couch_user.get_role(domain) return ( couch_user.has_permission( domain, get_permission_name(Permissions.manage_releases), restrict_global_admin=True ) or app_id in role.permissions.manage_releases_list)
def get_users_without_permission(self, start_date, end_date): usernames = self.get_usernames(start_date, end_date) print(f'Filter {len(usernames)} users according to permission') permission_name = get_permission_name(Permissions.view_report) users_without_permission = [] for chunk in with_progress_bar(chunked(usernames, 100), prefix='\tProcessing'): users = [ CouchUser.wrap_correctly(doc) for doc in get_user_docs_by_username(chunk) ] for user in users: if not user.has_permission( DASHBOARD_DOMAIN, permission_name, data=PERMISSION): users_without_permission.append(user.username) return users_without_permission
def login_as_user_query(domain, couch_user, search_string, limit, offset, user_data_fields=None): ''' Takes in various parameters to determine which users to populate the login as screen. :param domain: String domain :param couch_user: The CouchUser that is using the Login As feature :param search_string: The query that filters the users returned. Filters based on the `search_fields` as well as any fields defined in `user_data_fields`. :param limit: The max amount of users returned. :param offset: From where to start the query. :param user_data_fields: A list of custom user data fields that should also be searched by the `search_string` :returns: An EsQuery instance. ''' search_fields = [ "base_username", "last_name", "first_name", "phone_numbers" ] should_criteria_query = [ queries.search_string_query(search_string, search_fields), ] if user_data_fields: or_criteria = [] for field in user_data_fields: or_criteria.append( filters.AND( filters.term('user_data_es.key', field), filters.term('user_data_es.value', search_string), ), ) should_criteria_query.append( queries.nested_filter('user_data_es', filters.OR(*or_criteria))) user_es = ( UserES().domain(domain).start(offset).size(limit). sort('username.exact').set_query( queries.BOOL_CLAUSE( queries.SHOULD_CLAUSE( should_criteria_query, # It should either match on the search fields like username or it # should match on the custom user data fields. If this were 2, then # it would require the search string to match both on the search fields and # the custom user data fields. minimum_should_match=1, ), ))) if not couch_user.has_permission(domain, 'access_all_locations'): loc_ids = SQLLocation.objects.accessible_to_user( domain, couch_user).location_ids() user_es = user_es.location(list(loc_ids)) if not couch_user.has_permission( domain, get_permission_name(Permissions.login_as_all_users)): user_es = user_es.filter( filters.nested( 'user_data_es', filters.AND( filters.term('user_data_es.key', 'login_as_user'), filters.term('user_data_es.value', couch_user.username), ))) return user_es.mobile_users()
def _limit_login_as(couch_user, domain): return (couch_user.has_permission( domain, get_permission_name(Permissions.limited_login_as)) and not couch_user.has_permission( domain, get_permission_name(Permissions.edit_commcare_users)))
def user_can_view_odata_feed(domain, couch_user): domain_can_view_odata = domain_has_privilege(domain, privileges.ODATA_FEED) return (domain_can_view_odata and couch_user.has_permission( domain, get_permission_name(Permissions.view_report), data=ODATA_FEED_PERMISSION))