コード例 #1
ファイル: test_utils.py プロジェクト: pcliupc/edx-rbac
 def test_request_user_has_no_implicit_access_when_jwt_absent(self):
     """
     A missing (``None``) decoded JWT must never grant implicit access.
     """
     absent_jwt = None
     # Fail-closed expectation: no token means no role claims to evaluate.
     access_granted = request_user_has_implicit_access_via_jwt(absent_jwt, 'superuser-access')
     assert not access_granted
コード例 #2
def request_user_has_implicit_access(user, context):  # pylint: disable=unused-argument
    """
    Decide whether the current request's JWT implicitly grants the
    `ENTERPRISE_COUPON_ADMIN_ROLE` feature role for ``context``.

    The JWT comes from the current request (looked up through ``crum``);
    ``get_decoded_jwt_from_auth`` is used only when ``get_decoded_jwt`` yields
    a falsy value. ``user`` is not consulted.

    Returns:
        boolean: ``False`` when ``context`` is falsy, otherwise the result of
        ``request_user_has_implicit_access_via_jwt`` for that context.
    """
    current_request = crum.get_current_request()
    jwt_claims = get_decoded_jwt(current_request)
    if not jwt_claims:
        jwt_claims = get_decoded_jwt_from_auth(current_request)
    # Fail closed: without a context there is nothing to scope the role to.
    if context:
        return request_user_has_implicit_access_via_jwt(jwt_claims, ENTERPRISE_COUPON_ADMIN_ROLE, context)
    return False
コード例 #3
ファイル: rules.py プロジェクト: sksankarraj/edx-enterprise
def has_implicit_access_to_enrollment_api(user, obj):  # pylint: disable=unused-argument
    """
    Decide whether the current request's JWT implicitly grants the
    `ENTERPRISE_ENROLLMENT_API_ADMIN_ROLE` feature role, using ``obj`` as the
    context passed to the JWT role check.

    ``user`` is not consulted; only the JWT of the current request is.

    Returns:
        boolean: whether the request user has access or not
    """
    current_request = crum.get_current_request()
    jwt_claims = get_decoded_jwt(current_request)
    if not jwt_claims:
        # Fall back to the JWT carried by the request's auth data.
        jwt_claims = get_decoded_jwt_from_auth(current_request)
    # NOTE(review): ``obj`` is forwarded unchecked. If the helper treats a
    # falsy context as "no context restriction" (verify against edx-rbac), a
    # missing ``obj`` turns this into a role-only check -- confirm callers
    # always supply a context.
    return request_user_has_implicit_access_via_jwt(jwt_claims, ENTERPRISE_ENROLLMENT_API_ADMIN_ROLE, obj)
コード例 #4
ファイル: rules.py プロジェクト: shivajeesharma/ecommerce
def request_user_has_implicit_access(user):  # pylint: disable=unused-argument
    """
    Decide whether the current request's JWT implicitly grants the
    `ORDER_MANAGER_ROLE` feature role.

    No context is passed to the JWT role check, so the decision rests on the
    role alone. ``user`` is not consulted.

    Returns:
        boolean: whether the request user has access or not
    """
    current_request = crum.get_current_request()
    jwt_claims = get_decoded_jwt(current_request)
    if not jwt_claims:
        # Fall back to the JWT carried by the request's auth data.
        jwt_claims = get_decoded_jwt_from_auth(current_request)
    return request_user_has_implicit_access_via_jwt(jwt_claims, ORDER_MANAGER_ROLE)
コード例 #5
ファイル: rules.py プロジェクト: regisb/enterprise-catalog
def has_implicit_access_to_catalog_learner(user, context):  # pylint: disable=unused-argument
    """
    Decide whether the current request's JWT implicitly grants the
    `ENTERPRISE_CATALOG_LEARNER_ROLE` role for ``context``.

    ``user`` is not consulted; only the JWT of the current request is.

    Returns:
        boolean: ``False`` when ``context`` is falsy, otherwise the result of
        the JWT role check for that context.
    """
    # Fail closed before touching the request: a learner role without a
    # context to scope it to is never granted here.
    if context:
        current_request = crum.get_current_request()
        jwt_claims = get_decoded_jwt(current_request)
        if not jwt_claims:
            jwt_claims = get_decoded_jwt_from_auth(current_request)
        return request_user_has_implicit_access_via_jwt(jwt_claims, ENTERPRISE_CATALOG_LEARNER_ROLE, context)
    return False
コード例 #6
ファイル: test_utils.py プロジェクト: pcliupc/edx-rbac
 def test_request_user_has_implicit_access_via_jwt(self):
     """
     A role in the JWT ``roles`` claim that corresponds to the requested
     feature role grants access when the caller passes no context.
     """
     # presumably ``coupon-manager`` maps to ``coupon-management`` in the
     # test settings -- the mapping is not visible here.
     jwt_claims = {"roles": ["coupon-manager:some_context"]}
     access_granted = request_user_has_implicit_access_via_jwt(jwt_claims, 'coupon-management')
     # The role is scoped to ``some_context`` but no context is requested, so
     # this pins that an omitted context does not restrict the match.
     assert access_granted
コード例 #7
def request_user_has_implicit_access(*args, **kwargs):  # pylint: disable=unused-argument
    """
    Decide whether the current request's JWT implicitly grants the
    `ENTERPRISE_DATA_ADMIN_ROLE` feature role for the enterprise named in the
    request URL.

    The context is the ``enterprise_id`` keyword captured by resolving
    ``request.path``; the positional and keyword arguments are ignored.

    Returns:
        boolean: whether the request user has access or not
    """
    current_request = crum.get_current_request()
    _view, _view_args, url_kwargs = resolve(current_request.path)
    # NOTE(review): ``.get`` yields ``None`` when the matched route has no
    # ``enterprise_id`` kwarg. If the helper treats a falsy context as "no
    # context restriction" (verify against edx-rbac), such routes get a
    # role-only check -- confirm that is intended.
    enterprise_context = url_kwargs.get('enterprise_id')

    jwt_claims = get_decoded_jwt(current_request)
    if not jwt_claims:
        jwt_claims = get_decoded_jwt_from_auth(current_request)
    return request_user_has_implicit_access_via_jwt(jwt_claims, ENTERPRISE_DATA_ADMIN_ROLE, enterprise_context)
コード例 #8
ファイル: rules.py プロジェクト: codeForSaif/ecommerce
def request_user_has_implicit_access(user, context):  # pylint: disable=unused-argument
    """
    Decide whether the current request's JWT implicitly grants the
    `ENTERPRISE_COUPON_ADMIN_ROLE` feature role for ``context``.

    ``user`` is not consulted; only the waffle switch and the request JWT are.

    Returns:
        boolean: ``True`` whenever the `USE_ROLE_BASED_ACCESS_CONTROL` switch
        is inactive; otherwise ``False`` when ``context`` or the decoded JWT
        is falsy, else the result of the JWT role check for that context.
    """
    rbac_enabled = waffle.switch_is_active(USE_ROLE_BASED_ACCESS_CONTROL)
    if not rbac_enabled:
        # NOTE(review): fail-open. With the switch off this predicate allows
        # every caller, so whatever other permission checks guard the view
        # are the only control -- confirm they exist before disabling it.
        return True
    jwt_claims = get_decoded_jwt_from_request(get_request_or_stub())
    # Fail closed on a missing context or a missing token.
    if not context or not jwt_claims:
        return False
    return request_user_has_implicit_access_via_jwt(jwt_claims, ENTERPRISE_COUPON_ADMIN_ROLE, context)
コード例 #9
ファイル: rules.py プロジェクト: qiaoyafeng/edx-enterprise
def has_implicit_access_to_enrollment_api(user, obj):  # pylint: disable=unused-argument
    """
    Decide whether the current request's JWT implicitly grants the
    `ENTERPRISE_ENROLLMENT_API_ADMIN_ROLE` feature role for ``obj``.

    Params:
        user: An ``auth.User`` instance (not consulted by this check).
        obj: The string version of an ``EnterpriseCustomer.uuid``, used as
            the context for the JWT role check.

    Returns:
        boolean: whether the request user has access or not
    """
    current_request = crum.get_current_request()
    jwt_claims = get_decoded_jwt(current_request)
    if not jwt_claims:
        # Fall back to the JWT carried by the request's auth data.
        jwt_claims = get_decoded_jwt_from_auth(current_request)
    # NOTE(review): ``obj`` is forwarded unchecked. If the helper treats a
    # falsy context as "no context restriction" (verify against edx-rbac), a
    # missing ``obj`` turns this into a role-only check -- confirm callers
    # always supply the enterprise UUID.
    return request_user_has_implicit_access_via_jwt(jwt_claims, ENTERPRISE_ENROLLMENT_API_ADMIN_ROLE, obj)
コード例 #10
def has_implicit_access_to_subscriptions_learner(user, subscription_plan):  # pylint: disable=unused-argument
    """
    Decide whether the current request's JWT implicitly grants the
    `SUBSCRIPTIONS_LEARNER_ROLE` feature role for the enterprise that owns
    ``subscription_plan``.

    The context is ``str(subscription_plan.enterprise_customer_uuid)``.
    ``user`` is not consulted, and only ``get_decoded_jwt`` is used to read
    the token from the current request.

    Returns:
        boolean: whether the request user has access.
    """
    # Fail closed: no plan means no enterprise to scope the role to.
    if subscription_plan:
        jwt_claims = get_decoded_jwt(crum.get_current_request())
        enterprise_context = str(subscription_plan.enterprise_customer_uuid)
        return request_user_has_implicit_access_via_jwt(
            jwt_claims,
            constants.SUBSCRIPTIONS_LEARNER_ROLE,
            enterprise_context,
        )
    return False
コード例 #11
ファイル: test_utils.py プロジェクト: pcliupc/edx-rbac
 def test_request_user_has_no_implicit_access_via_jwt_with_context(self):
     """
     A matching role must not grant access when the requested context
     differs from the context the role is scoped to in the JWT.
     """
     jwt_claims = {"roles": ["coupon-manager:some_context"]}
     access_granted = request_user_has_implicit_access_via_jwt(
         jwt_claims,
         'coupon-management',
         'not_the_right_context',
     )
     # Role matches, context does not: the check has to deny.
     assert not access_granted
コード例 #12
ファイル: test_utils.py プロジェクト: pcliupc/edx-rbac
 def test_request_user_has_implicit_access_via_jwt_with_all_acess_context(self):
     """
     A system-wide role scoped to ``*`` in the JWT grants the requested
     feature role for an arbitrary concrete context.
     """
     # presumably ``*`` is the `ALL_ACCESS_CONTEXT` wildcard and the operator
     # role maps to ``enterprise_data_admin`` in the test settings -- neither
     # definition is visible here.
     jwt_claims = {'roles': ['enterprise_openedx_operator:*']}
     access_granted = request_user_has_implicit_access_via_jwt(
         jwt_claims,
         'enterprise_data_admin',
         'some_context',
     )
     assert access_granted
コード例 #13
ファイル: rules.py プロジェクト: edx/license-manager
def has_implicit_access_to_subscriptions_admin(user, enterprise_customer_uuid):  # pylint: disable=unused-argument
    """
    Decide whether the current request's JWT implicitly grants the
    `SUBSCRIPTIONS_ADMIN_ROLE` feature role for ``enterprise_customer_uuid``.

    ``user`` is not consulted, and only ``get_decoded_jwt`` is used to read
    the token from the current request.

    Returns:
        boolean: whether the request user has access.
    """
    # Fail closed: an admin role is only ever granted for a named enterprise.
    if enterprise_customer_uuid:
        jwt_claims = get_decoded_jwt(crum.get_current_request())
        enterprise_context = str(enterprise_customer_uuid)
        return request_user_has_implicit_access_via_jwt(
            jwt_claims,
            constants.SUBSCRIPTIONS_ADMIN_ROLE,
            enterprise_context,
        )
    return False
コード例 #14
def has_implicit_access_to_classroom_admin(user, school_uuid):  # pylint: disable=unused-argument
    """
    Decide whether the current request's JWT implicitly grants
    `CLASSROOM_TEACHER_ROLE` for the given ``school_uuid``.

    ``user`` is not consulted; the token comes from ``current_decoded_jwt()``.

    NOTE(review): the function name says "admin" while the role checked is
    `CLASSROOM_TEACHER_ROLE` -- confirm this is the intended role.

    Returns:
        boolean: whether the request user has access.
    """
    # Fail closed: the role is only ever granted for a named school.
    if school_uuid:
        jwt_claims = current_decoded_jwt()
        school_context = str(school_uuid)
        return request_user_has_implicit_access_via_jwt(
            jwt_claims,
            constants.CLASSROOM_TEACHER_ROLE,
            school_context,
        )
    return False
コード例 #15
ファイル: rules.py プロジェクト: iloveagent57/edx_rbac_demo
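def has_implicit_admin_access_to_user(requesting_user, user_obj):
    """
    Check whether the current request's JWT grants the account-admin feature
    role on the account that ``user_obj`` belongs to.

    Only the JWT is consulted. ``requesting_user`` is not read, so this
    predicate does not itself grant access when the requesting user is the
    same as ``user_obj``; that case has to be covered by another rule.

    Returns:
        boolean: ``False`` when ``user_obj`` or its ``account`` is falsy,
        otherwise the result of the JWT role check scoped to the account UUID.
    """
    # Decode once so the token that is reported is the token that is checked.
    decoded_jwt = current_decoded_jwt()
    # Log presence only: the claims (roles and any user details) should not
    # be copied into INFO-level logs.
    log.info('\nThe current decoded JWT is %s.\n', 'present' if decoded_jwt else 'absent')
    # Fail closed: without a target account there is nothing to scope to.
    if not user_obj or not user_obj.account:
        return False

    has_admin_jwt_access = request_user_has_implicit_access_via_jwt(
        decoded_jwt,
        constants.ENTERPRISE_ACCOUNT_ADMIN_FEATURE_ROLE,
        str(user_obj.account.uuid),
    )
    if has_admin_jwt_access:
        log.info(
            '\nAccess allowed, because you are granted an admin system role in your JWT.\n'
        )
    return has_admin_jwt_access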