def setUpClass(cls):
super(TestUpdateRoles, cls).setUpClass()
cls.linked_app.save()
cls.role = UserRole(
domain=cls.domain,
name='test',
permissions=Permissions(
edit_data=True,
edit_reports=True,
view_report_list=[
'corehq.reports.DynamicReportmaster_report_id'
]),
is_non_admin_editable=True,
)
cls.role.save()
cls.other_role = UserRole(
domain=cls.domain,
name='other_test',
permissions=Permissions(
edit_web_users=True,
view_locations=True,
),
assignable_by=[cls.role.get_id],
)
cls.other_role.save()
def setUpClass(cls):
delete_all_users()
cls.client = Client()
cls.domain = DOMAIN
cls.domain_object = Domain(name=cls.domain, is_active=True)
cls.domain_object.save()
cls.reports_role = UserRole(
domain=cls.domain,
name='reports-role',
default_landing_page='reports',
permissions=Permissions(view_reports=True),
)
cls.reports_role.save()
cls.webapps_role = UserRole(
domain=cls.domain,
name='webapps-role',
default_landing_page='webapps',
permissions=Permissions(edit_data=True),
)
cls.webapps_role.save()
cls.global_password = '******'
# make an app because not having one changes the default dashboard redirect to the apps page
app = Application.new_app(domain=cls.domain, name='sympathy')
app.save()
def test_OR(self):
p1 = Permissions(
edit_web_users=True,
view_web_users=True,
view_roles=True,
view_reports=True,
view_report_list=['report1'],
)
p2 = Permissions(
edit_apps=True,
view_apps=True,
view_reports=True,
view_report_list=['report2'],
)
self.assertEqual(
p1 | p2,
Permissions(
edit_apps=True,
view_apps=True,
edit_web_users=True,
view_web_users=True,
view_roles=True,
view_reports=True,
view_report_list=['report1', 'report2'],
))
def _create_or_edit_facility_manager_role(domain):
facility_manager_role = UserRole.by_domain_and_name(domain, 'Facility manager')
reports_list = [
"corehq.apps.reports.standard.sms.MessageLogReport",
"custom.ewsghana.reports.specific_reports.dashboard_report.DashboardReport",
"custom.ewsghana.reports.specific_reports.stock_status_report.StockStatus",
"custom.ewsghana.reports.specific_reports.reporting_rates.ReportingRatesReport",
"custom.ewsghana.reports.maps.EWSMapReport"
]
if facility_manager_role:
permissions = Permissions(
edit_web_users=True,
edit_commcare_users=True,
view_reports=False,
view_report_list=reports_list
)
facility_manager_role[0].permissions = permissions
facility_manager_role[0].save()
else:
role = UserRole(
domain=domain,
permissions=Permissions(
view_reports=False,
edit_web_users=True,
edit_commcare_users=True,
view_report_list=reports_list
),
name='Facility manager'
)
role.save()
def _create_or_edit_administrator_role(domain):
administrator_role = UserRole.by_domain_and_name(domain, 'Administrator')
reports_list = [
"corehq.apps.reports.standard.sms.MessageLogReport",
"custom.ewsghana.reports.specific_reports.dashboard_report.DashboardReport",
"custom.ewsghana.reports.specific_reports.stock_status_report.StockStatus",
"custom.ewsghana.reports.specific_reports.reporting_rates.ReportingRatesReport",
"custom.ewsghana.reports.maps.EWSMapReport",
"custom.ewsghana.reports.email_reports.CMSRMSReport",
"custom.ewsghana.reports.email_reports.StockSummaryReport",
"custom.ewsghana.comparison_report.ProductsCompareReport",
"custom.ewsghana.comparison_report.LocationsCompareReport",
"custom.ewsghana.comparison_report.SupplyPointsCompareReport",
"custom.ewsghana.comparison_report.WebUsersCompareReport",
"custom.ewsghana.comparison_report.SMSUsersCompareReport"
]
if administrator_role:
permissions = Permissions(edit_web_users=True,
edit_commcare_users=True,
edit_locations=True,
view_reports=False,
view_report_list=reports_list)
administrator_role[0].permissions = permissions
administrator_role[0].save()
else:
role = UserRole(domain=domain,
permissions=Permissions(view_reports=False,
edit_web_users=True,
edit_commcare_users=True,
edit_locations=True,
view_report_list=reports_list),
name='Administrator')
role.save()
def test_dump_roles(self):
from corehq.apps.users.models import UserRole, Permissions, RoleAssignableBy, RolePermission
expected_object_counts = Counter({
UserRole: 2,
RolePermission: 11,
RoleAssignableBy: 1
})
role1 = UserRole.create(self.domain_name, 'role1')
role2 = UserRole.create(self.domain_name,
'role1',
permissions=Permissions(edit_web_users=True),
assignable_by=[role1.id])
self.addCleanup(role1.delete)
self.addCleanup(role2.delete)
self._dump_and_load(expected_object_counts)
role1_loaded = UserRole.objects.get(id=role1.id)
role2_loaded = UserRole.objects.get(id=role2.id)
self.assertEqual(role1_loaded.permissions.to_list(),
Permissions().to_list())
self.assertEqual(role1_loaded.assignable_by, [])
self.assertEqual(role2_loaded.permissions.to_list(),
Permissions(edit_web_users=True).to_list())
self.assertEqual(role2_loaded.assignable_by, [role1_loaded.get_id])
def test_has_permission_to_view_report_all(self):
self.assertFalse(
has_permission_to_view_report(self.web_user, self.domain,
ODATA_FEED_PERMISSION))
self.permissions = Permissions(view_reports=True)
self.assertTrue(
has_permission_to_view_report(self.web_user, self.domain,
ODATA_FEED_PERMISSION))
def test_parameterized_permission_covers_all():
list_names = set(PARAMETERIZED_PERMISSIONS.values())
list_properties = {
name
for name, type_ in Permissions.properties().items()
if isinstance(type_, ListProperty)
}
eq(list_names, list_properties)
parameterized_perms = set(PARAMETERIZED_PERMISSIONS.keys())
eq(set(), parameterized_perms - set(Permissions.properties()))
def test_deid_permission(self):
self.assertFalse(user_can_view_deid_exports(self.domain, self.web_user))
self.permissions = Permissions(view_report_list=[DEID_EXPORT_PERMISSION])
self.assertTrue(
self.permissions.has(get_permission_name(Permissions.view_report),
data=DEID_EXPORT_PERMISSION))
self.assertTrue(
self.web_user.has_permission(
self.domain, get_permission_name(Permissions.view_report),
data=DEID_EXPORT_PERMISSION)
)
self.assertTrue(user_can_view_deid_exports(self.domain, self.web_user))
def create(cls, domain, name, permissions=None, assignable_by=None, **kwargs):
from corehq.apps.users.models import Permissions
with transaction.atomic():
role = UserRole.objects.create(domain=domain, name=name, **kwargs)
if permissions is None:
# match couch functionality and set default permissions
permissions = Permissions()
role.set_permissions(permissions.to_list())
if assignable_by:
if not isinstance(assignable_by, list):
assignable_by = [assignable_by]
role.set_assignable_by(assignable_by)
return role
def setUpClass(cls):
super(TestUpdateRoles, cls).setUpClass()
permissions = Permissions(
edit_data=True,
edit_reports=True,
view_report_list=['corehq.reports.DynamicReportmaster_report_id'])
cls.role = UserRole.create(cls.domain,
'test',
permissions,
is_non_admin_editable=True)
cls.other_role = UserRole.create(
cls.domain, 'other_test',
Permissions(edit_web_users=True, view_locations=True))
cls.other_role.set_assignable_by([cls.role.id])
def setUpClass(cls):
super(TestAccessRestrictions, cls).setUpClass()
cls.suffolk_user = WebUser.create(cls.domain, 'suffolk-joe',
'password')
cls.suffolk_user.set_location(cls.domain,
cls.locations['Suffolk'].couch_location)
role = UserRole(
domain=cls.domain,
name='Regional Supervisor',
permissions=Permissions(access_all_locations=False,
edit_commcare_users=True),
)
role.save()
cls.suffolk_user.set_role(cls.domain, role.get_qualified_id())
cls.suffolk_user.save()
def make_mobile_worker(username, location):
worker = CommCareUser.create(cls.domain, username, '123')
worker.set_location(cls.locations[location])
UserESFake.save_doc(worker._doc)
return worker
cls.boston_worker = make_mobile_worker('boston_worker', 'Boston')
cls.cambridge_worker = make_mobile_worker('cambridge_worker',
'Cambridge')
def test_report_fixtures_provider_with_cloudcare(self):
"""
ReportFixturesProvider should iterate only allowed apps if sync is from cloudcare
"""
from corehq.apps.userreports.reports.data_source import ConfigurableReportDataSource
role = UserRole(
domain=self.domain,
permissions=Permissions(
view_web_apps=False,
view_web_apps_list=[self.app1._id]
),
name='WebApp Restricted'
)
role.save()
self.user._couch_user.set_role(self.domain, role.get_qualified_id())
with patch.object(ConfigurableReportDataSource, 'get_data') as get_data_mock:
get_data_mock.return_value = self.rows
with mock_sql_backend():
with mock_datasource_config():
fixtures = call_fixture_generator(
report_fixture_generator,
self.user,
device_id="WebAppsLogin|[email protected]"
)
reports = fixtures[0].findall('.//report')
self.assertEqual(len(reports), 1)
self.assertEqual(reports[0].attrib.get('id'), '123456')
def create_view(can_edit_reports):
rolename = 'edit_role' if can_edit_reports else 'view_role'
username = '******' if can_edit_reports else 'viewer'
toggles.USER_CONFIGURABLE_REPORTS.set(username, True,
toggles.NAMESPACE_USER)
# user_role should be deleted along with the domain.
user_role = UserRole.create(domain=domain.name,
name=rolename,
permissions=Permissions(
edit_commcare_users=True,
view_commcare_users=True,
edit_groups=True,
view_groups=True,
edit_locations=True,
view_locations=True,
access_all_locations=False,
edit_data=True,
edit_reports=can_edit_reports,
view_reports=True))
web_user = WebUser.create(domain.name, username, '***', None, None)
web_user.set_role(domain.name, user_role.get_qualified_id())
web_user.current_domain = domain.name
web_user.save()
self.addCleanup(web_user.delete, domain.name, deleted_by=None)
request = HttpRequest()
request.can_access_all_locations = True
request.user = web_user.get_django_user()
request.couch_user = web_user
request.session = {}
_, view = self._build_report_and_view(request=request)
return view
def test_static_role_admin(self):
static_admin_role = StaticRole.domain_admin(self.domain)
expected = self.expected_role_dict.copy()
expected["name"] = "Admin"
expected["permissions"] = Permissions.max().to_json()
self.assertDictEqual(expected, static_admin_role.to_json())
self.assertEqual(static_admin_role.get_qualified_id(), "admin")
def _master_role(cls):
return UserRole(domain='state',
permissions=Permissions(
view_web_users=True,
edit_web_users=False,
view_groups=True,
edit_groups=False,
))
def restrict_user_to_location(self, user):
role = UserRole(
domain=self.domain,
name='Regional Supervisor',
permissions=Permissions(access_all_locations=False),
)
role.save()
user.set_role(self.domain, role.get_qualified_id())
def setUpTestData(cls):
cls.domain = 'my-domain'
cls.domain_obj = create_domain(cls.domain)
cls.user = cls._create_user(cls.domain)
cls.test_role = UserRole.create(
cls.domain,
'test role',
permissions=Permissions(edit_web_users=True))
def _change_std_roles(self):
for u in self.user_roles:
user_role = UserRole.get(u.get_id)
user_role.permissions = Permissions(view_reports=True,
edit_commcare_users=True,
edit_apps=True,
edit_data=True)
user_role.save()
def make_role(self, name):
role = UserRole(
domain=self.domain,
name=name,
permissions=Permissions(),
)
role.save()
self.addCleanup(role.delete)
def setUpClass(cls):
cls.domain = 'export-permissions-test'
cls.web_user = WebUser(username='******',
domains=[cls.domain])
cls.web_user.domain_memberships = [
DomainMembership(domain=cls.domain, role_id='MYROLE')
]
cls.permissions = Permissions()
def setUpClass(cls):
super().setUpClass()
delete_all_users()
cls.domain_name = 'mydomain'
cls.domain = Domain.get_or_create_with_name(name=cls.domain_name)
permissions = Permissions(edit_apps=True, view_reports=True)
cls.role = UserRole.get_or_create_with_permissions(
cls.domain.name, permissions, 'edit-apps')
def setUpClass(cls):
super(AllCommCareUsersTest, cls).setUpClass()
delete_all_users()
hard_delete_deleted_users()
cls.ccdomain = Domain(name='cc_user_domain')
cls.ccdomain.save()
cls.other_domain = Domain(name='other_domain')
cls.other_domain.save()
UserRole.init_domain_with_presets(cls.ccdomain.name)
cls.user_roles = UserRole.by_domain(cls.ccdomain.name)
cls.custom_role = UserRole.get_or_create_with_permissions(
cls.ccdomain.name,
Permissions(
edit_apps=True,
edit_web_users=True,
view_web_users=True,
view_roles=True,
), "Custom Role")
cls.custom_role.save()
cls.ccuser_1 = CommCareUser.create(
domain=cls.ccdomain.name,
username='******',
password='******',
email='*****@*****.**',
)
cls.ccuser_2 = CommCareUser.create(
domain=cls.ccdomain.name,
username='******',
password='******',
email='*****@*****.**',
)
cls.ccuser_2.set_role(cls.ccdomain.name,
cls.custom_role.get_qualified_id())
cls.ccuser_2.save()
cls.web_user = WebUser.create(
domain=cls.ccdomain.name,
username='******',
password='******',
email='*****@*****.**',
)
cls.ccuser_other_domain = CommCareUser.create(
domain=cls.other_domain.name,
username='******',
password='******',
email='*****@*****.**',
)
cls.retired_user = CommCareUser.create(
domain=cls.ccdomain.name,
username='******',
password='******',
email='*****@*****.**',
)
cls.retired_user.retire()
def restrict_user_to_location(cls, user):
role = UserRole(
domain=cls.domain,
name='Regional Supervisor',
permissions=Permissions(edit_commcare_users=True,
access_all_locations=False),
)
role.save()
user.set_role(cls.domain, role.get_qualified_id())
user.save()
def _master_role(cls):
return UserRole(
domain='state',
permissions=Permissions(
view_web_users=True,
edit_web_users=False,
view_groups=True,
edit_groups=False,
edit_apps=True, # needed for InternalFixtureResource
))
def test_set_permissions_clear_prefetch_cache(self):
role = UserRole.create(domain=self.domain,
name="test-role",
permissions=Permissions())
self.assertEqual(set(role.get_permission_infos()),
set(Permissions().to_list()))
role_with_prefetch = UserRole.objects.prefetch_related(
"rolepermission_set").get(id=role.id)
new_permissions = {PermissionInfo(Permissions.access_api.name)}
role_with_prefetch.set_permissions(new_permissions)
self.assertEqual(set(role_with_prefetch.get_permission_infos()),
new_permissions)
role_with_prefetch = UserRole.objects.prefetch_related(
"rolepermission_set").get(id=role.id)
role_with_prefetch.set_permissions([])
self.assertEqual(list(role_with_prefetch.get_permission_infos()), [])
def _mock_user(domain, permission_name, permission_allow):
membership = DomainMembership(domain=domain)
permissions = []
if permission_allow is not None:
permissions = [PermissionInfo(permission_name, permission_allow)]
mock_role = Mock(permissions=Permissions.from_permission_list(permissions))
# prime membership.role memoize cache (avoids DB lookup)
setattr(membership, '_role_cache', {(): mock_role})
return WebUser(domain_memberships=[membership])
class ExportPermissionsTest(SimpleTestCase):
@classmethod
def setUpClass(cls):
super(ExportPermissionsTest, cls).setUpClass()
cls.domain = 'export-permissions-test'
cls.web_user = WebUser(username='******',
domains=[cls.domain])
cls.web_user.domain_memberships = [
DomainMembership(domain=cls.domain, role_id='MYROLE')
]
cls.permissions = Permissions()
def setUp(self):
super(ExportPermissionsTest, self).setUp()
test_self = self
def get_role(self):
return UserRole(domain=test_self.domain,
permissions=test_self.permissions)
patches = [
mock.patch.object(DomainMembership, 'role', property(get_role)),
mock.patch.object(
Memoized, '__call__',
lambda self, *args, **kwargs: self.func(*args, **kwargs))
]
for patch in patches:
patch.start()
self.addCleanup(patch.stop)
def tearDown(self):
self.permissions = Permissions()
super(ExportPermissionsTest, self).tearDown()
def test_deid_permission(self):
self.assertFalse(user_can_view_deid_exports(self.domain,
self.web_user))
self.permissions = Permissions(
view_report_list=[DEID_EXPORT_PERMISSION])
self.assertTrue(
self.permissions.has(get_permission_name(Permissions.view_report),
data=DEID_EXPORT_PERMISSION))
self.assertTrue(
self.web_user.has_permission(self.domain,
get_permission_name(
Permissions.view_report),
data=DEID_EXPORT_PERMISSION))
self.assertTrue(user_can_view_deid_exports(self.domain, self.web_user))
def test_view_reports(self):
self.assertFalse(self.web_user.can_view_reports(self.domain))
self.permissions = Permissions(view_reports=True)
self.assertTrue(self.web_user.can_view_reports(self.domain))
def __init__(self, domain, couch_user):
self.domain = domain
self.couch_user = couch_user
role = couch_user.get_role(domain, allow_enterprise=True)
self._permissions = role.permissions if role else Permissions()
self.manageable_slugs = set(
self._permissions.manage_data_registry_list)
self.can_manage_all = self._permissions.manage_data_registry
self.can_manage_some = self.can_manage_all or bool(
self.manageable_slugs)
def setUpClass(cls):
super(PermissionsHelpersTest, cls).setUpClass()
cls.domain = 'export-permissions-test'
cls.admin_domain = 'export-permissions-test-admin'
cls.web_user = WebUser(username='******',
domains=[cls.domain, cls.admin_domain])
cls.web_user.domain_memberships = [
DomainMembership(domain=cls.domain, role_id='MYROLE'),
DomainMembership(domain=cls.admin_domain, is_admin=True)
]
cls.permissions = Permissions()
def test_deid_permission(self):
self.assertFalse(user_can_view_deid_exports(self.domain, self.web_user))
self.permissions = Permissions(view_report_list=[DEID_EXPORT_PERMISSION])
self.assertTrue(
self.permissions.has(get_permission_name(Permissions.view_report),
data=DEID_EXPORT_PERMISSION))
self.assertTrue(
self.web_user.has_permission(
self.domain, get_permission_name(Permissions.view_report),
data=DEID_EXPORT_PERMISSION)
)
self.assertTrue(user_can_view_deid_exports(self.domain, self.web_user))
class ExportPermissionsTest(SimpleTestCase):
@classmethod
def setUpClass(cls):
super(ExportPermissionsTest, cls).setUpClass()
cls.domain = 'export-permissions-test'
cls.web_user = WebUser(username='******', domains=[cls.domain])
cls.web_user.domain_memberships = [DomainMembership(domain=cls.domain, role_id='MYROLE')]
cls.permissions = Permissions()
def setUp(self):
super(ExportPermissionsTest, self).setUp()
test_self = self
def get_role(self):
return UserRole(
domain=test_self.domain,
permissions=test_self.permissions
)
patches = [
mock.patch.object(DomainMembership, 'role', property(get_role)),
mock.patch.object(Memoized, '__call__',
lambda self, *args, **kwargs: self.func(*args, **kwargs))
]
for patch in patches:
patch.start()
self.addCleanup(patch.stop)
def tearDown(self):
self.permissions = Permissions()
super(ExportPermissionsTest, self).tearDown()
def test_deid_permission(self):
self.assertFalse(user_can_view_deid_exports(self.domain, self.web_user))
self.permissions = Permissions(view_report_list=[DEID_EXPORT_PERMISSION])
self.assertTrue(
self.permissions.has(get_permission_name(Permissions.view_report),
data=DEID_EXPORT_PERMISSION))
self.assertTrue(
self.web_user.has_permission(
self.domain, get_permission_name(Permissions.view_report),
data=DEID_EXPORT_PERMISSION)
)
self.assertTrue(user_can_view_deid_exports(self.domain, self.web_user))
def test_view_reports(self):
self.assertFalse(self.web_user.can_view_reports(self.domain))
self.permissions = Permissions(view_reports=True)
self.assertTrue(self.web_user.can_view_reports(self.domain))
def tearDown(self):
self.permissions = Permissions()
def tearDown(self):
self.permissions = Permissions()
super(ExportPermissionsTest, self).tearDown()
def test_view_reports(self):
self.assertFalse(self.web_user.can_view_reports(self.domain))
self.permissions = Permissions(view_reports=True)
self.assertTrue(self.web_user.can_view_reports(self.domain))
