コード例 #1
 def test_user_from_token_and_raise_fail(self):
     """Check that a missing token and a malformed token are both refused."""
     # With no cookie at all the helper must reject the request.
     with pytest.raises(Unauthorized, match="No token"):
         get_user_from_token_and_raise(request)

     # Store a value that is not a valid token in the client's cookie jar ...
     self.client.set_cookie("/", "token", "fake token")
     # ... then issue a request so the cookie is attached to `request`.
     backoffice_url = url_for(
         "gn_permissions_backoffice.filter_list", id_filter_type=4
     )
     self.client.get(backoffice_url)

     # A value that cannot be decoded must be reported as a corrupted token.
     with pytest.raises(Unauthorized, match="Token corrupted"):
         get_user_from_token_and_raise(request)
コード例 #2
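        def __check_cruved_scope(*args, **kwargs):
            """Authorize the wrapped view against the caller's SCOPE permission.

            Resolves the user from the request token, computes the highest
            (possibly inherited) permission for ``action`` on
            ``module_code``/``object_code`` and calls ``fn`` only when that
            permission exists and its ``value_filter`` is not ``"0"``.

            Returns:
                The value returned by ``get_user_from_token_and_raise`` when it
                is not a dict (token problem), otherwise the result of ``fn``.

            Raises:
                InsufficientRightsError: with code 403 when no permission was
                    found or the permission's ``value_filter`` is ``"0"``.
            """
            user = get_user_from_token_and_raise(request, action,
                                                 redirect_on_expiration,
                                                 redirect_on_invalid_token)
            # If user is not a dict it is a token issue: hand back the
            # response produced by get_user_from_token_and_raise unchanged.
            if not isinstance(user, dict):
                return user
            user_permissions = get_user_permissions(user, "SCOPE", action,
                                                    module_code, object_code)
            user_with_highter_perm = UserCruved().build_herited_user_cruved(
                user_permissions, module_code, object_code)

            # if get_role = True : set info_role as kwargs
            if get_role:
                kwargs["info_role"] = user_with_highter_perm

            # No permission, or a scope of "0", means access is denied.
            if (user_with_highter_perm is None
                    or user_with_highter_perm.value_filter == "0"):
                # Fix: the denial message used to read attributes of the
                # permission object even when it was None, so the "no
                # permission at all" case ended in an AttributeError instead
                # of the intended 403. Fall back to the request context then.
                if user_with_highter_perm is None:
                    denied_role = user.get("id_role")
                    denied_action = action
                    denied_module = module_code
                else:
                    denied_role = user_with_highter_perm.id_role
                    denied_action = user_with_highter_perm.code_action
                    denied_module = user_with_highter_perm.module_code
                if object_code:
                    message = f"""User {denied_role} cannot "{denied_action}" {object_code}"""
                else:
                    message = f"""User {denied_role}" cannot "{denied_action}" in {denied_module}"""
                raise InsufficientRightsError(message, 403)
            g.user = user_with_highter_perm
            return fn(*args, **kwargs)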
コード例 #3
ファイル: decorators.py プロジェクト: pbaumes/GeoNature
        def __check_cruved_scope(*args, **kwargs):
            """Authorize the wrapped view against the caller's SCOPE permission.

            Looks up the user behind the request, asks ``UserCruved`` for the
            inherited permission matching ``action`` and calls ``fn`` only
            when a permission exists and its ``value_filter`` is not ``"0"``.

            Raises:
                InsufficientRightsError: with code 403 when access is denied.
            """
            user = get_user_from_token_and_raise(
                request, action, redirect_on_expiration,
                redirect_on_invalid_token)

            cruved_lookup = UserCruved(
                id_role=user["id_role"],
                code_filter_type="SCOPE",
                module_code=module_code,
                object_code=object_code,
            )
            user_with_highter_perm = (
                cruved_lookup.get_herited_user_cruved_by_action(action))
            # NOTE(review): a falsy result that is not None (an empty
            # sequence, say) skips this unpacking and then fails on
            # `.value_filter` below; confirm what the lookup returns when
            # nothing matches.
            if user_with_highter_perm:
                user_with_highter_perm = user_with_highter_perm[0]

            # The role information is injected before the check, as
            # requested by get_role.
            if get_role:
                kwargs["info_role"] = user_with_highter_perm

            # Deny when there is no permission or its scope is "0".
            permission_missing = user_with_highter_perm is None
            if permission_missing or user_with_highter_perm.value_filter == "0":
                message = (
                    f"""User {user["id_role"]} cannot "{action}" {object_code}"""
                    if object_code
                    else f"""User {user["id_role"]}" cannot "{action}" in {module_code}"""
                )
                raise InsufficientRightsError(message, 403)

            g.user = user_with_highter_perm
            return fn(*args, **kwargs)
コード例 #4
ファイル: decorators.py プロジェクト: dthonon/GeoNature
        def __check_cruved_scope(*args, **kwargs):
            """Authorize the wrapped view against the caller's SCOPE permission.

            Looks up the user behind the request, asks ``UserCruved`` for the
            inherited permission matching ``action`` and calls ``fn`` only
            when a permission exists and its ``value_filter`` is not ``"0"``.
            The check runs before ``info_role``/``scope`` are injected.

            Raises:
                Forbidden: when no permission was found or its scope is "0".
            """
            user = get_user_from_token_and_raise(
                request, action, redirect_on_expiration,
                redirect_on_invalid_token)

            cruved_lookup = UserCruved(
                id_role=user["id_role"],
                code_filter_type="SCOPE",
                module_code=module_code,
                object_code=object_code,
            )
            user_with_highter_perm = (
                cruved_lookup.get_herited_user_cruved_by_action(action))
            # NOTE(review): a falsy result that is not None (an empty
            # sequence, say) skips this unpacking and then fails on
            # `.value_filter` below; confirm what the lookup returns when
            # nothing matches.
            if user_with_highter_perm:
                user_with_highter_perm = user_with_highter_perm[0]

            # Deny first: nothing is injected into kwargs for a refused call.
            access_denied = (user_with_highter_perm is None
                             or user_with_highter_perm.value_filter == "0")
            if access_denied:
                message = (
                    f"""User {user["id_role"]} cannot "{action}" in {module_code} on {object_code}"""
                    if object_code
                    else f"""User {user["id_role"]} cannot "{action}" in {module_code}"""
                )
                raise Forbidden(description=message)

            # Optional extras requested by the decorator's arguments.
            if get_role:
                kwargs["info_role"] = user_with_highter_perm
            if get_scope:
                kwargs["scope"] = int(user_with_highter_perm.value_filter)

            g.user = user_with_highter_perm
            return fn(*args, **kwargs)
コード例 #5
def cruved_scope_for_user_in_monitoring_module(module_code=None, object_code=None):
    """Return the caller's CRUVED for a monitoring module, converted by to_int_cruved.

    Args:
        module_code: code of the sub-module; a falsy value or the string
            ``"null"`` selects the ``"MONITORINGS"`` module itself.
        object_code: object code forwarded to the permission lookup.

    Returns:
        ``to_int_cruved(...)`` of the CRUVED found for the user, or, when
        ``get_user_from_token_and_raise`` did not return a dict, that value
        unchanged. Callers that subscript the result must handle the
        second case.
    """
    user = get_user_from_token_and_raise(request)

    # Anything other than a dict signals a token problem: pass it through.
    if not isinstance(user, dict):
        return user

    if not module_code or module_code == "null":
        # No sub-module given: evaluate rights on the monitoring module.
        module_code = "MONITORINGS"
        append = {}
    else:
        # NOTE(review): the result of get_module is dereferenced without a
        # None check; confirm it cannot come back empty for an unknown code.
        module_code = get_module("module_code", module_code).module_code
        append = {15: ["MONITORINGS", object_code], 25: ["MONITORINGS", "ALL"]}

    # The second element of the returned pair is not used here.
    cruved_module, _herited = cruved_scope_for_user_in_module(
        id_role=user["id_role"],
        module_code=module_code,
        object_code=object_code,
        append_to_select=append,
    )
    return to_int_cruved(cruved_module)
コード例 #6
 def test_get_user_permissions(self):
     """Check that a genuine session token resolves to a user dict."""
     # Log in for real and keep the token as the client's session cookie.
     session_token = get_token(self.client, login="******", password="******")
     self.client.set_cookie("/", "token", session_token)

     # Issue a request so the cookie is attached to `request`.
     backoffice_url = url_for(
         "gn_permissions_backoffice.filter_list", id_filter_type=4
     )
     self.client.get(backoffice_url)

     resolved_user = get_user_from_token_and_raise(request)
     assert isinstance(resolved_user, dict)
コード例 #7
ファイル: decorators.py プロジェクト: raphael-bres/GeoNature
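        def __check_cruved_scope(*args, **kwargs):
            """Authorize the wrapped view against the caller's SCOPE permission.

            Resolves the user from the request token, picks the highest
            permission for ``action`` (module permissions win over the
            others when no ``object_code`` is given) and calls ``fn`` only
            when that permission exists and its ``value_filter`` is not
            ``"0"``.

            Returns:
                The value returned by ``get_user_from_token_and_raise`` when it
                is not a dict (token problem), otherwise the result of ``fn``.

            Raises:
                InsufficientRightsError: with code 403 when no permission was
                    found or the permission's ``value_filter`` is ``"0"``.
            """
            user = get_user_from_token_and_raise(request, action,
                                                 redirect_on_expiration,
                                                 redirect_on_invalid_token)
            # If user is not a dict it is a token issue: hand back the
            # response produced by get_user_from_token_and_raise unchanged.
            if not isinstance(user, dict):
                return user
            user_permissions = get_user_permissions(user, action, "SCOPE",
                                                    module_code, object_code)

            if object_code:
                # With an object code there is no inheritance to resolve.
                user_with_highter_perm = get_max_perm(user_permissions)
            else:
                # Split the permissions into those of the requested module
                # and the remaining ones, which act as the fallback.
                module_permissions = []
                geonature_permission = []
                for user_permission in user_permissions:
                    if user_permission.module_code == module_code:
                        module_permissions.append(user_permission)
                    else:
                        geonature_permission.append(user_permission)
                # Module permissions take precedence whenever there is one.
                user_with_highter_perm = get_max_perm(
                    module_permissions or geonature_permission)

            # if get_role = True : set info_role as kwargs
            if get_role:
                kwargs["info_role"] = user_with_highter_perm

            # No permission, or a scope of "0", means access is denied.
            if (user_with_highter_perm is None
                    or user_with_highter_perm.value_filter == "0"):
                # Fix: the denial message used to read attributes of the
                # permission object even when it was None, so the "no
                # permission at all" case ended in an AttributeError instead
                # of the intended 403. Fall back to the request context then.
                if user_with_highter_perm is None:
                    denied = (user.get("id_role"), action, module_code)
                else:
                    denied = (
                        user_with_highter_perm.id_role,
                        user_with_highter_perm.code_action,
                        user_with_highter_perm.module_code,
                    )
                raise InsufficientRightsError(
                    ('User "{}" cannot "{}" in {}').format(*denied),
                    403,
                )
            g.user = user_with_highter_perm
            return fn(*args, **kwargs)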
コード例 #8
ファイル: test.py プロジェクト: jbdesbas/gn_module_monitoring
def test_permission():
    '''
        Permission tests: return the caller's CRUVED lookups for the
        monitoring module and for the 'TEST' module.
    '''
    id_role = get_user_from_token_and_raise(request)['id_role']

    # Both lookups target the "ALL" object code; results are returned as is.
    cruved_monitoring = cruved_scope_for_user_in_module(
        id_role, MODULE_MONITORINGS_CODE, "ALL")
    cruved_test = cruved_scope_for_user_in_module(id_role, 'TEST', "ALL")

    return dict(cruved_test=cruved_test, cruved_monitoring=cruved_monitoring)
コード例 #9
 def test_get_user_permissions(self):
     """Check that a genuine session token resolves to a user dict."""
     # Log in for real and keep the token as the client's session cookie.
     session_token = get_token(self.client, login="******", password="******")
     self.client.set_cookie('/', 'token', session_token)

     # Issue a request so the cookie is attached to `request`.
     backoffice_url = url_for(
         'gn_permissions_backoffice.filter_list', id_filter_type=4)
     self.client.get(backoffice_url)

     resolved_user = get_user_from_token_and_raise(request)
     assert isinstance(resolved_user, dict)
コード例 #10
ファイル: decorators.py プロジェクト: rorp24/GeoNature
        def __check_cruved_scope(*args, **kwargs):
            """Resolve the caller and, if asked, pass its highest SCOPE permission on.

            The user is read from the request token. When ``get_role`` is
            set, the highest permission for ``action`` is computed and
            handed to ``fn`` as ``info_role``; it is also stored on
            ``g.user`` (``None`` when ``get_role`` is not set).

            Returns:
                The value returned by ``get_user_from_token_and_raise`` when it
                is not a dict (token problem), otherwise the result of ``fn``.
            """
            user = get_user_from_token_and_raise(
                request, action, redirect_on_expiration,
                redirect_on_invalid_token)
            # A non-dict value is the response for a token problem.
            if not isinstance(user, dict):
                return user

            # NOTE(review): nothing in this wrapper rejects a request for a
            # missing permission or a "0" scope, and no permission is looked
            # up at all unless get_role is set. The wrapped view has to
            # enforce `info_role` itself; confirm that this is intended.
            user_with_highter_perm = None
            if get_role:
                user_permissions = get_user_permissions(
                    user, action, 'SCOPE', module_code, object_code)
                if object_code:
                    # With an object code there is no inheritance to resolve.
                    user_with_highter_perm = get_max_perm(user_permissions)
                else:
                    # One pass over the permissions: those of the requested
                    # module on one side, every other one on the other.
                    own_module = []
                    fallback = []
                    for perm in user_permissions:
                        bucket = (own_module
                                  if perm.module_code == module_code
                                  else fallback)
                        bucket.append(perm)
                    # Module permissions win whenever at least one exists.
                    user_with_highter_perm = get_max_perm(
                        own_module or fallback)

                kwargs['info_role'] = user_with_highter_perm

            g.user = user_with_highter_perm
            return fn(*args, **kwargs)
コード例 #11
ファイル: decorators.py プロジェクト: PnEcrins/GeoNature
        def __check_cruved_scope(*args, **kwargs):
            """Resolve the caller and, if asked, pass its highest SCOPE permission on.

            The user is read from the request token. When ``get_role`` is
            set, the highest permission for ``action`` is computed and
            handed to ``fn`` as ``info_role``; it is also stored on
            ``g.user`` (``None`` when ``get_role`` is not set).

            Returns:
                The value returned by ``get_user_from_token_and_raise`` when it
                is not a dict (token problem), otherwise the result of ``fn``.
            """
            user = get_user_from_token_and_raise(
                request, action, redirect_on_expiration,
                redirect_on_invalid_token)
            # A non-dict value is the response for a token problem.
            if not isinstance(user, dict):
                return user

            # NOTE(review): this wrapper authenticates but never denies: no
            # branch raises for a missing permission or a "0" scope, and the
            # lookup only runs when get_role is set. Authorization is left
            # to the wrapped view; confirm that this is intended.
            user_with_highter_perm = None
            if get_role:
                user_permissions = get_user_permissions(
                    user, action, 'SCOPE', module_code, object_code)
                if not object_code:
                    # Separate the requested module's permissions from the
                    # remaining ones, which serve as the fallback.
                    module_permissions = []
                    geonature_permission = []
                    for candidate in user_permissions:
                        if candidate.module_code != module_code:
                            geonature_permission.append(candidate)
                        else:
                            module_permissions.append(candidate)
                    # Use the module's own permissions if there is any.
                    pool = (module_permissions
                            if module_permissions
                            else geonature_permission)
                    user_with_highter_perm = get_max_perm(pool)
                else:
                    # With an object code there is no inheritance to resolve.
                    user_with_highter_perm = get_max_perm(user_permissions)

                kwargs['info_role'] = user_with_highter_perm

            g.user = user_with_highter_perm
            return fn(*args, **kwargs)
コード例 #12
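        def __check_cruved_scope_monitoring(*args, **kwargs):
            """Call ``fn`` only if the caller's level for ``action`` reaches ``droit_min``.

            The module is taken from the ``module_code`` keyword argument of
            the wrapped call and the permission level from
            ``cruved_scope_for_user_in_monitoring_module``.

            Returns:
                The value returned by ``get_user_from_token_and_raise`` when it
                is not a dict (token problem), otherwise the result of ``fn``.

            Raises:
                InsufficientRightsError: with code 403 when the level for
                    ``action`` is falsy or below ``droit_min``.
            """
            module_code = kwargs.get('module_code')

            user = get_user_from_token_and_raise(request)
            # Fix: on a token problem the user is not a dict, and
            # cruved_scope_for_user_in_monitoring_module can then hand back
            # that same non-dict value. Subscripting it with `action` (or
            # the user with 'id_role') raised instead of producing the
            # token response, so stop here and return it.
            if not isinstance(user, dict):
                return user

            cruved = cruved_scope_for_user_in_monitoring_module(module_code)
            permission = cruved[action]

            # A missing/zero level and a level below the minimum are both
            # refused, so the check fails closed.
            if not permission or permission < droit_min:
                raise InsufficientRightsError(
                    (
                        'User {} with permission level {} for action {} '
                        'is not allowed to use this route for module {}, '
                        'min permission level is {}'
                    ).format(user['id_role'], permission, action,
                             module_code or 'monitorings', droit_min),
                    403,
                )

            return fn(*args, **kwargs)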
コード例 #13
def cruved_scope_for_user_in_monitoring_module(module_code=None):
    """Return the caller's CRUVED for a monitoring module, converted by to_int_cruved.

    The CRUVED of the sub-module named by ``module_code`` is used when that
    module exists and its CRUVED is not flagged as inherited; in every
    other case the CRUVED of the ``'MONITORINGS'`` module is returned.

    Returns:
        ``to_int_cruved(...)`` of the selected CRUVED, or, when
        ``get_user_from_token_and_raise`` did not return a dict, that value
        unchanged. Callers that subscript the result must handle the
        second case.
    """
    user = get_user_from_token_and_raise(request)

    # Anything other than a dict signals a token problem: pass it through.
    if not isinstance(user, dict):
        return user

    # A falsy code and the literal string 'null' both mean "no sub-module".
    sub_module_requested = bool(module_code) and module_code != 'null'
    if sub_module_requested:
        module = get_module('module_code', module_code)
        if module:
            cruved_module, herited = cruved_scope_for_user_in_module(
                user['id_role'], module.module_code, 'ALL')
            # Rights set on the sub-module itself are returned directly.
            if not herited:
                return to_int_cruved(cruved_module)

    # Fallback: rights on the monitoring module, inherited or not.
    cruved_monitorings, _herited = cruved_scope_for_user_in_module(
        user['id_role'], 'MONITORINGS', 'ALL')
    return to_int_cruved(cruved_monitorings)
コード例 #14
 def test_user_from_token_and_raise_fail(self):
     """Check that a bogus token cookie yields a 403 Response, not a user."""
     # Store a value that is not a valid token in the client's cookie jar.
     self.client.set_cookie("/", "token", "fake cookie")

     outcome = get_user_from_token_and_raise(request)

     # The refusal is expected as a Response object carrying status 403.
     assert isinstance(outcome, Response)
     assert outcome.status_code == 403
コード例 #15
 def test_user_from_token_and_raise_fail(self):
     """Check that a bogus token cookie yields a 403 Response, not a user."""
     # Store a value that is not a valid token in the client's cookie jar.
     self.client.set_cookie('/', 'token', 'fake cookie')

     rejection = get_user_from_token_and_raise(request)

     # Type first, then status: the refusal must be a Response with 403.
     assert isinstance(rejection, Response)
     assert rejection.status_code == 403