def test_nested_permission(self):
clear_user_permissions_for_doctype("File")
delete_test_file_hierarchy() # delete already existing folders
from dataent.core.doctype.file.file import create_new_folder
dataent.set_user('Administrator')
create_new_folder('level1-A', 'Home')
create_new_folder('level2-A', 'Home/level1-A')
create_new_folder('level2-B', 'Home/level1-A')
create_new_folder('level3-A', 'Home/level1-A/level2-A')
create_new_folder('level1-B', 'Home')
create_new_folder('level2-A', 'Home/level1-B')
# user permission for only one root folder
add_user_permission('File', 'Home/level1-A', '*****@*****.**')
from dataent.core.page.permission_manager.permission_manager import update
update('File', 'All', 0, 'if_owner', 0) # to avoid if_owner filter
dataent.set_user('*****@*****.**')
data = DatabaseQuery("File").execute()
# children of root folder (for which we added user permission) should be accessible
self.assertTrue({"name": "Home/level1-A/level2-A"} in data)
self.assertTrue({"name": "Home/level1-A/level2-B"} in data)
self.assertTrue({"name": "Home/level1-A/level2-A/level3-A"} in data)
# other folders should not be accessible
self.assertFalse({"name": "Home/level1-B"} in data)
self.assertFalse({"name": "Home/level1-B/level2-B"} in data)
update('File', 'All', 0, 'if_owner', 1)
dataent.set_user('Administrator')
def test_build_match_conditions(self):
clear_user_permissions_for_doctype('Blog Post', '*****@*****.**')
test2user = dataent.get_doc('User', '*****@*****.**')
test2user.add_roles('Blogger')
dataent.set_user('*****@*****.**')
# this will get match conditions for Blog Post
build_match_conditions = DatabaseQuery(
'Blog Post').build_match_conditions
# Before any user permission is applied
# get as filters
self.assertEqual(build_match_conditions(as_condition=False), [])
# get as conditions
self.assertEqual(build_match_conditions(as_condition=True), "")
add_user_permission('Blog Post', '-test-blog-post',
'*****@*****.**', True)
add_user_permission('Blog Post', '-test-blog-post-1',
'*****@*****.**', True)
# After applying user permission
# get as filters
self.assertTrue(
{'Blog Post': ['-test-blog-post-1', '-test-blog-post']
} in build_match_conditions(as_condition=False))
# get as conditions
self.assertEqual(
build_match_conditions(as_condition=True),
"""(((ifnull(`tabBlog Post`.`name`, "")="" or `tabBlog Post`.`name` in ("-test-blog-post-1", "-test-blog-post"))))"""
)
dataent.set_user('Administrator')
def if_owner_setup(self):
update('Blog Post', 'Blogger', 0, 'if_owner', 1)
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
add_user_permission("Blogger", "_Test Blogger 1", "*****@*****.**")
dataent.clear_cache(doctype="Blog Post")
def test_user_permissions_not_applied_if_user_can_edit_user_permissions(
self):
add_user_permission('Blogger', '_Test Blogger 1', '*****@*****.**')
# [email protected] has rights to create user permissions
# so it should not matter if explicit user permissions are not set
self.assertTrue(
dataent.get_doc('Blogger', '_Test Blogger').has_permission('read'))
def test_user_permissions_in_report(self):
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
dataent.set_user("*****@*****.**")
names = [
d.name for d in dataent.get_list("Blog Post",
fields=["name", "blog_category"])
]
self.assertTrue("-test-blog-post-1" in names)
self.assertFalse("-test-blog-post" in names)
def test_user_permissions_in_doc(self):
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
dataent.set_user("*****@*****.**")
post = dataent.get_doc("Blog Post", "-test-blog-post")
self.assertFalse(post.has_permission("read"))
self.assertFalse(get_doc_permissions(post).get("read"))
post1 = dataent.get_doc("Blog Post", "-test-blog-post-1")
self.assertTrue(post1.has_permission("read"))
self.assertTrue(get_doc_permissions(post1).get("read"))
def test_user_permissions_if_applied_on_doc_being_evaluated(self):
dataent.set_user("*****@*****.**")
doc = dataent.get_doc("Blog Post", "-test-blog-post-1")
self.assertTrue(doc.has_permission("read"))
dataent.set_user("*****@*****.**")
add_user_permission("Blog Post", "-test-blog-post",
"*****@*****.**")
dataent.set_user("*****@*****.**")
doc = dataent.get_doc("Blog Post", "-test-blog-post-1")
self.assertFalse(doc.has_permission("read"))
doc = dataent.get_doc("Blog Post", "-test-blog-post")
self.assertTrue(doc.has_permission("read"))
def test_user_permission_is_not_applied_if_user_roles_does_not_have_permission(
self):
add_user_permission('Blog Post', '-test-blog-post-1',
'*****@*****.**')
dataent.set_user("*****@*****.**")
doc = dataent.get_doc("Blog Post", "-test-blog-post-1")
self.assertFalse(doc.has_permission("read"))
dataent.set_user("Administrator")
user = dataent.get_doc("User", "*****@*****.**")
user.add_roles("Blogger")
dataent.set_user("*****@*****.**")
self.assertTrue(doc.has_permission("read"))
dataent.set_user("Administrator")
user.remove_roles("Blogger")
def test_user_permission_doctypes(self):
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
add_user_permission("Blogger", "_Test Blogger 1", "*****@*****.**")
dataent.set_user("*****@*****.**")
dataent.clear_cache(doctype="Blog Post")
doc = dataent.get_doc("Blog Post", "-test-blog-post")
self.assertFalse(doc.has_permission("read"))
doc = dataent.get_doc("Blog Post", "-test-blog-post-2")
self.assertTrue(doc.has_permission("read"))
dataent.clear_cache(doctype="Blog Post")
def update_user_permissions(self):
if not self.create_user_permission: return
if not has_permission(
'User Permission', ptype='write', raise_exception=False):
return
employee_user_permission_exists = dataent.db.exists(
'User Permission', {
'allow': 'Employee',
'for_value': self.name,
'user': self.user_id
})
if employee_user_permission_exists: return
add_user_permission("Employee", self.name, self.user_id)
set_user_permission_if_allowed("Company", self.company, self.user_id)
def test_default_values(self):
doc = dataent.new_doc("Blog Post")
self.assertFalse(doc.get("blog_category"))
# Fetch default based on single user permission
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
dataent.set_user("*****@*****.**")
doc = dataent.new_doc("Blog Post")
self.assertEqual(doc.get("blog_category"), "_Test Blog Category 1")
# Don't fetch default if user permissions is more than 1
add_user_permission("Blog Category",
"_Test Blog Category",
"*****@*****.**",
ignore_permissions=True)
dataent.clear_cache()
doc = dataent.new_doc("Blog Post")
self.assertFalse(doc.get("blog_category"))
def test_contextual_user_permission(self):
# should be applicable for across all doctypes
add_user_permission('Blogger', '_Test Blogger', '*****@*****.**')
# should be applicable only while accessing Blog Post
add_user_permission('Blogger',
'_Test Blogger 1',
'*****@*****.**',
applicable_for='Blog Post')
# should be applicable only while accessing User
add_user_permission('Blogger',
'_Test Blogger 2',
'*****@*****.**',
applicable_for='User')
posts = dataent.get_all('Blog Post', fields=['name', 'blogger'])
# Get all posts for admin
self.assertEqual(len(posts), 4)
dataent.set_user('*****@*****.**')
posts = dataent.get_list('Blog Post', fields=['name', 'blogger'])
# Should get only posts with allowed blogger via user permission
# only '_Test Blogger', '_Test Blogger 1' are allowed in Blog Post
self.assertEqual(len(posts), 3)
for post in posts:
self.assertIn(
post.blogger, ['_Test Blogger', '_Test Blogger 1'],
'A post from {} is not expected.'.format(post.blogger))
def test_insert_if_owner_with_user_permissions(self):
"""If `If Owner` is checked for a Role, check if that document
is allowed to be read, updated, submitted, etc. except be created,
even if the document is restricted based on User Permissions."""
dataent.delete_doc('Blog Post', '-test-blog-post-title')
self.if_owner_setup()
dataent.set_user("*****@*****.**")
doc = dataent.get_doc({
"doctype": "Blog Post",
"blog_category": "_Test Blog Category",
"blogger": "_Test Blogger 1",
"title": "_Test Blog Post Title",
"content": "_Test Blog Post Content"
})
self.assertRaises(dataent.PermissionError, doc.insert)
dataent.set_user('*****@*****.**')
add_user_permission("Blog Category", "_Test Blog Category",
"*****@*****.**")
dataent.set_user("*****@*****.**")
doc.insert()
dataent.set_user("Administrator")
remove_user_permission("Blog Category", "_Test Blog Category",
"*****@*****.**")
dataent.set_user("*****@*****.**")
doc = dataent.get_doc(doc.doctype, doc.name)
self.assertTrue(doc.has_permission("read"))
self.assertTrue(doc.has_permission("write"))
self.assertFalse(doc.has_permission("create"))
# delete created record
dataent.set_user("Administrator")
dataent.delete_doc('Blog Post', '-test-blog-post-title')
def test_strict_user_permissions(self):
"""If `Strict User Permissions` is checked in System Settings,
show records even if User Permissions are missing for a linked
doctype"""
dataent.set_user('Administrator')
dataent.db.sql('delete from tabContact')
reset('Salutation')
reset('Contact')
make_test_records_for_doctype('Contact', force=True)
add_user_permission("Salutation", "Mr", "*****@*****.**")
self.set_strict_user_permissions(0)
allowed_contact = dataent.get_doc('Contact',
'_Test Contact for _Test Customer')
other_contact = dataent.get_doc('Contact',
'_Test Contact for _Test Supplier')
dataent.set_user("*****@*****.**")
self.assertTrue(allowed_contact.has_permission('read'))
self.assertTrue(other_contact.has_permission('read'))
self.assertEqual(len(dataent.get_list("Contact")), 2)
dataent.set_user("Administrator")
self.set_strict_user_permissions(1)
dataent.set_user("*****@*****.**")
self.assertTrue(allowed_contact.has_permission('read'))
self.assertFalse(other_contact.has_permission('read'))
self.assertTrue(len(dataent.get_list("Contact")), 1)
dataent.set_user("Administrator")
self.set_strict_user_permissions(0)
clear_user_permissions_for_doctype("Salutation")
clear_user_permissions_for_doctype("Contact")
def test_ignore_user_permissions_if_missing(self):
"""If there are no user permissions, then allow as per role"""
add_user_permission("Blog Category", "_Test Blog Category",
"*****@*****.**")
dataent.set_user("*****@*****.**")
doc = dataent.get_doc({
"doctype": "Blog Post",
"blog_category": "_Test Blog Category 2",
"blogger": "_Test Blogger 1",
"title": "_Test Blog Post Title",
"content": "_Test Blog Post Content"
})
self.assertFalse(doc.has_permission("write"))
dataent.set_user("Administrator")
remove_user_permission("Blog Category", "_Test Blog Category",
"*****@*****.**")
dataent.set_user("*****@*****.**")
self.assertTrue(doc.has_permission('write'))
def test_clear_user_permissions(self):
current_user = dataent.session.user
dataent.set_user('Administrator')
clear_user_permissions_for_doctype('Blog Category',
'*****@*****.**')
clear_user_permissions_for_doctype('Blog Post', '*****@*****.**')
add_user_permission('Blog Post', '-test-blog-post-1',
'*****@*****.**')
add_user_permission('Blog Post', '-test-blog-post-2',
'*****@*****.**')
add_user_permission("Blog Category", '_Test Blog Category 1',
'*****@*****.**')
deleted_user_permission_count = clear_user_permissions(
'*****@*****.**', 'Blog Post')
self.assertEqual(deleted_user_permission_count, 2)
blog_post_user_permission_count = dataent.db.count(
'User Permission',
filters={
'user': '******',
'allow': 'Blog Post'
})
self.assertEqual(blog_post_user_permission_count, 0)
blog_category_user_permission_count = dataent.db.count(
'User Permission',
filters={
'user': '******',
'allow': 'Blog Category'
})
self.assertEqual(blog_category_user_permission_count, 1)
# reset the user
dataent.set_user(current_user)
def test_warehouse_user(self):
add_user_permission("Warehouse", "_Test Warehouse 1 - _TC",
"*****@*****.**")
add_user_permission("Warehouse", "_Test Warehouse 2 - _TC1",
"*****@*****.**")
add_user_permission("Company", "_Test Company 1", "*****@*****.**")
test_user = dataent.get_doc("User", "*****@*****.**")
test_user.add_roles("Sales User", "Sales Manager", "Stock User")
test_user.remove_roles("Stock Manager", "System Manager")
dataent.get_doc("User", "*****@*****.**")\
.add_roles("Sales User", "Sales Manager", "Stock User", "Stock Manager")
st1 = dataent.copy_doc(test_records[0])
st1.company = "_Test Company 1"
set_perpetual_inventory(0, st1.company)
dataent.set_user("*****@*****.**")
st1.get("items")[0].t_warehouse = "_Test Warehouse 2 - _TC1"
self.assertRaises(dataent.PermissionError, st1.insert)
test_user.add_roles("System Manager")
dataent.set_user("*****@*****.**")
st1 = dataent.copy_doc(test_records[0])
st1.company = "_Test Company 1"
st1.get("items")[0].t_warehouse = "_Test Warehouse 2 - _TC1"
st1.get("items")[0].expense_account = "Stock Adjustment - _TC1"
st1.get("items")[0].cost_center = "Main - _TC1"
st1.insert()
st1.submit()
dataent.set_user("Administrator")
remove_user_permission("Warehouse", "_Test Warehouse 1 - _TC",
"*****@*****.**")
remove_user_permission("Warehouse", "_Test Warehouse 2 - _TC1",
"*****@*****.**")
remove_user_permission("Company", "_Test Company 1",
"*****@*****.**")
def test_set_user_permissions(self):
dataent.set_user("*****@*****.**")
add_user_permission("Blog Post", "-test-blog-post",
"*****@*****.**")