def test_user_from_token_and_raise_fail(self):
    """Both a missing cookie and a garbage cookie must raise Unauthorized."""
    # No cookie at all: the helper refuses with "No token".
    with pytest.raises(Unauthorized, match="No token"):
        get_user_from_token_and_raise(request)

    # A bogus token value. The GET is only issued so the cookie gets attached
    # to the test request context that `request` resolves to.
    self.client.set_cookie("/", "token", "fake token")
    self.client.get(
        url_for("gn_permissions_backoffice.filter_list", id_filter_type=4)
    )
    with pytest.raises(Unauthorized, match="Token corrupted"):
        get_user_from_token_and_raise(request)
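def __check_cruved_scope(*args, **kwargs):
    """Resolve the caller's SCOPE permission and deny (403) when it is absent or "0".

    Closure over the enclosing decorator's parameters: ``action``,
    ``module_code``, ``object_code``, ``get_role``,
    ``redirect_on_expiration``, ``redirect_on_invalid_token`` and the wrapped
    view ``fn``.

    Returns:
        Whatever ``get_user_from_token_and_raise`` returned when it is not a
        user dict (a token-problem Response), otherwise ``fn(*args, **kwargs)``.

    Raises:
        InsufficientRightsError: 403 when no permission is found or the
            selected permission's ``value_filter`` is ``"0"``.
    """
    user = get_user_from_token_and_raise(
        request, action, redirect_on_expiration, redirect_on_invalid_token
    )
    # Anything but a dict is a token problem already packaged as a Response.
    if not isinstance(user, dict):
        return user

    user_permissions = get_user_permissions(
        user, "SCOPE", action, module_code, object_code
    )
    user_with_highter_perm = UserCruved().build_herited_user_cruved(
        user_permissions, module_code, object_code
    )

    if get_role:
        kwargs["info_role"] = user_with_highter_perm

    # Deny when nothing was granted or the scope is explicitly "0". The
    # message is built from the request context (user dict, decorator
    # arguments) rather than from the permission object, because the latter
    # is None in the "nothing granted" branch and reading its attributes
    # there turned the intended 403 into an AttributeError.
    if user_with_highter_perm is None or user_with_highter_perm.value_filter == "0":
        if object_code:
            message = f'User {user["id_role"]} cannot "{action}" {object_code}'
        else:
            message = f'User {user["id_role"]} cannot "{action}" in {module_code}'
        raise InsufficientRightsError(message, 403)

    g.user = user_with_highter_perm
    return fn(*args, **kwargs)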
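def __check_cruved_scope(*args, **kwargs):
    """Resolve the caller's inherited SCOPE permission for ``action``; 403 when absent or "0".

    Closure over the enclosing decorator's parameters: ``action``,
    ``module_code``, ``object_code``, ``get_role``,
    ``redirect_on_expiration``, ``redirect_on_invalid_token`` and the wrapped
    view ``fn``.

    Returns:
        ``fn(*args, **kwargs)`` once the permission check passed.

    Raises:
        InsufficientRightsError: 403 when no permission is found or the
            selected permission's ``value_filter`` is ``"0"``.
    """
    user = get_user_from_token_and_raise(
        request, action, redirect_on_expiration, redirect_on_invalid_token
    )
    perms = UserCruved(
        id_role=user["id_role"],
        code_filter_type="SCOPE",
        module_code=module_code,
        object_code=object_code,
    ).get_herited_user_cruved_by_action(action)
    # get_herited_user_cruved_by_action appears to return a sequence (the
    # first element is the permission of interest). An empty sequence must map
    # to None here: leaving it as-is would fail the `is None` test below and
    # then crash on `[].value_filter` instead of answering 403.
    user_with_highter_perm = perms[0] if perms else None

    if get_role:
        kwargs["info_role"] = user_with_highter_perm

    # Deny when nothing was granted or the scope is explicitly "0".
    if user_with_highter_perm is None or user_with_highter_perm.value_filter == "0":
        if object_code:
            message = f'User {user["id_role"]} cannot "{action}" {object_code}'
        else:
            message = f'User {user["id_role"]} cannot "{action}" in {module_code}'
        raise InsufficientRightsError(message, 403)

    g.user = user_with_highter_perm
    return fn(*args, **kwargs)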
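def __check_cruved_scope(*args, **kwargs):
    """Resolve the caller's inherited SCOPE permission for ``action``; Forbidden when absent or "0".

    Closure over the enclosing decorator's parameters: ``action``,
    ``module_code``, ``object_code``, ``get_role``, ``get_scope``,
    ``redirect_on_expiration``, ``redirect_on_invalid_token`` and the wrapped
    view ``fn``. When ``get_role`` is set the permission object is passed to
    ``fn`` as ``info_role``; when ``get_scope`` is set its ``value_filter`` is
    passed as the int ``scope``.

    Returns:
        ``fn(*args, **kwargs)`` once the permission check passed.

    Raises:
        Forbidden: when no permission is found or the selected permission's
            ``value_filter`` is ``"0"``.
    """
    user = get_user_from_token_and_raise(
        request, action, redirect_on_expiration, redirect_on_invalid_token
    )
    perms = UserCruved(
        id_role=user["id_role"],
        code_filter_type="SCOPE",
        module_code=module_code,
        object_code=object_code,
    ).get_herited_user_cruved_by_action(action)
    # get_herited_user_cruved_by_action appears to return a sequence (the
    # first element is the permission of interest). An empty sequence must map
    # to None here: leaving it as-is would fail the `is None` test below and
    # then crash on `[].value_filter` instead of answering Forbidden.
    user_with_highter_perm = perms[0] if perms else None

    # Deny before handing anything to the view.
    if user_with_highter_perm is None or user_with_highter_perm.value_filter == "0":
        if object_code:
            message = (
                f'User {user["id_role"]} cannot "{action}" in {module_code} on {object_code}'
            )
        else:
            message = f'User {user["id_role"]} cannot "{action}" in {module_code}'
        raise Forbidden(description=message)

    if get_role:
        kwargs["info_role"] = user_with_highter_perm
    if get_scope:
        # value_filter is a string scope level; the view gets it as an int.
        kwargs["scope"] = int(user_with_highter_perm.value_filter)

    g.user = user_with_highter_perm
    return fn(*args, **kwargs)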
def cruved_scope_for_user_in_monitoring_module(module_code=None, object_code=None):
    """Return the caller's CRUVED (as ints) for a monitoring sub-module, or for MONITORINGS itself.

    A ``module_code`` of None or the literal "null" (as the front-end sends it)
    selects the parent MONITORINGS module with no extra selects. Otherwise the
    module is resolved through ``get_module`` and two extra entries, keyed 15
    and 25, are appended to the select — their meaning is not visible here,
    presumably ids understood by ``cruved_scope_for_user_in_module``; TODO confirm.

    Returns:
        The ``get_user_from_token_and_raise`` result unchanged when it is not a
        user dict (token problem) — callers must check before indexing —
        otherwise the CRUVED dict converted by ``to_int_cruved``.
    """
    user = get_user_from_token_and_raise(request)
    # Anything but a dict is a token problem already packaged as a Response.
    if not isinstance(user, dict):
        return user

    if module_code and module_code != "null":
        module_code = get_module("module_code", module_code).module_code
        append_to_select = {
            15: ["MONITORINGS", object_code],
            25: ["MONITORINGS", "ALL"],
        }
    else:
        module_code = "MONITORINGS"
        append_to_select = {}

    cruved_module, _herited = cruved_scope_for_user_in_module(
        id_role=user["id_role"],
        module_code=module_code,
        object_code=object_code,
        append_to_select=append_to_select,
    )
    return to_int_cruved(cruved_module)
def test_get_user_permissions(self):
    """A valid login cookie makes the token helper return the user as a dict."""
    token = get_token(self.client, login="******", password="******")
    self.client.set_cookie("/", "token", token)
    # The GET is only issued so the cookie lands on the test request context.
    self.client.get(
        url_for("gn_permissions_backoffice.filter_list", id_filter_type=4)
    )
    user = get_user_from_token_and_raise(request)
    assert isinstance(user, dict)
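def __check_cruved_scope(*args, **kwargs):
    """Select the caller's strongest SCOPE permission and deny (403) when it is absent or "0".

    Closure over the enclosing decorator's parameters: ``action``,
    ``module_code``, ``object_code``, ``get_role``,
    ``redirect_on_expiration``, ``redirect_on_invalid_token`` and the wrapped
    view ``fn``.

    Selection rule: with an ``object_code`` there is no heritage and the max of
    all returned permissions is taken; otherwise permissions on ``module_code``
    win, and only when there is none does the max of the remaining
    (GeoNature-wide) permissions apply.

    Returns:
        Whatever ``get_user_from_token_and_raise`` returned when it is not a
        user dict (a token-problem Response), otherwise ``fn(*args, **kwargs)``.

    Raises:
        InsufficientRightsError: 403 when no permission is found or the
            selected permission's ``value_filter`` is ``"0"``.
    """
    user = get_user_from_token_and_raise(
        request, action, redirect_on_expiration, redirect_on_invalid_token
    )
    # Anything but a dict is a token problem already packaged as a Response.
    if not isinstance(user, dict):
        return user

    user_permissions = get_user_permissions(
        user, action, "SCOPE", module_code, object_code
    )
    if object_code:
        # Object-level permissions are not inherited from the module.
        user_with_highter_perm = get_max_perm(user_permissions)
    else:
        module_perms = [p for p in user_permissions if p.module_code == module_code]
        geonature_perms = [p for p in user_permissions if p.module_code != module_code]
        # Module permissions take precedence; fall back to GeoNature ones.
        user_with_highter_perm = get_max_perm(module_perms or geonature_perms)

    if get_role:
        kwargs["info_role"] = user_with_highter_perm

    if user_with_highter_perm is None or user_with_highter_perm.value_filter == "0":
        # The permission object is None in the "nothing granted" branch, so
        # the message takes the user id and action from the request context;
        # reading them off the permission there raised AttributeError instead
        # of the intended 403.
        denied_module = (
            module_code
            if user_with_highter_perm is None
            else user_with_highter_perm.module_code
        )
        raise InsufficientRightsError(
            'User "{}" cannot "{}" in {}'.format(user["id_role"], action, denied_module),
            403,
        )

    g.user = user_with_highter_perm
    return fn(*args, **kwargs)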
def test_permission():
    """Debug route: return the caller's CRUVED for the MONITORINGS and TEST modules."""
    id_role = get_user_from_token_and_raise(request)["id_role"]
    # Same call order as before: monitorings first, then the TEST module.
    cruved_monitoring = cruved_scope_for_user_in_module(
        id_role, MODULE_MONITORINGS_CODE, "ALL"
    )
    cruved_test = cruved_scope_for_user_in_module(id_role, "TEST", "ALL")
    return {
        "cruved_test": cruved_test,
        "cruved_monitoring": cruved_monitoring,
    }
def test_get_user_permissions(self):
    """With a genuine login cookie the token helper yields a user dict."""
    login_token = get_token(self.client, login="******", password="******")
    self.client.set_cookie('/', 'token', login_token)
    # Issue any request so the cookie is attached to the test request context.
    self.client.get(
        url_for(
            'gn_permissions_backoffice.filter_list',
            id_filter_type=4,
        )
    )
    assert isinstance(get_user_from_token_and_raise(request), dict)
def __check_cruved_scope(*args, **kwargs):
    """Attach the caller's strongest SCOPE permission to ``g.user`` (and ``info_role`` when ``get_role``).

    Closure over the enclosing decorator's parameters: ``action``,
    ``module_code``, ``object_code``, ``get_role``,
    ``redirect_on_expiration``, ``redirect_on_invalid_token`` and the wrapped
    view ``fn``.

    NOTE(review): this version never refuses the request. Without ``get_role``
    no permission is even looked up, ``g.user`` is None and ``fn`` is still
    called; with it, a missing or "0" permission is passed on as ``info_role``
    and the view must deny by itself.

    Returns:
        Whatever ``get_user_from_token_and_raise`` returned when it is not a
        user dict (a token-problem Response), otherwise ``fn(*args, **kwargs)``.
    """
    user = get_user_from_token_and_raise(
        request, action, redirect_on_expiration, redirect_on_invalid_token,
    )
    # Anything but a dict is a token problem already packaged as a Response.
    if not isinstance(user, dict):
        return user

    user_with_highter_perm = None
    if get_role:
        user_permissions = get_user_permissions(
            user, action, 'SCOPE', module_code, object_code
        )
        if object_code:
            # Object-level permissions are not inherited from the module.
            user_with_highter_perm = get_max_perm(user_permissions)
        else:
            module_perms = [p for p in user_permissions if p.module_code == module_code]
            geonature_perms = [p for p in user_permissions if p.module_code != module_code]
            # Module permissions take precedence; fall back to GeoNature ones.
            user_with_highter_perm = get_max_perm(module_perms or geonature_perms)
        kwargs['info_role'] = user_with_highter_perm

    g.user = user_with_highter_perm
    return fn(*args, **kwargs)
def __check_cruved_scope(*args, **kwargs):
    """Look up the caller's strongest SCOPE permission and expose it to the view.

    Closure over the enclosing decorator's parameters: ``action``,
    ``module_code``, ``object_code``, ``get_role``,
    ``redirect_on_expiration``, ``redirect_on_invalid_token`` and the wrapped
    view ``fn``. The permission ends up in ``g.user`` and, when ``get_role``
    is set, in the ``info_role`` kwarg of ``fn``.

    NOTE(review): nothing here denies access. Without ``get_role`` the lookup
    is skipped entirely (``g.user`` is None); with it, an absent or "0"
    permission is still forwarded and ``fn`` is still called.

    Returns:
        The non-dict result of ``get_user_from_token_and_raise`` (a
        token-problem Response) as-is, otherwise ``fn(*args, **kwargs)``.
    """
    user = get_user_from_token_and_raise(
        request, action, redirect_on_expiration, redirect_on_invalid_token,
    )
    if not isinstance(user, dict):
        # Token problem: the helper already built the Response to send back.
        return user

    if not get_role:
        g.user = None
        return fn(*args, **kwargs)

    user_permissions = get_user_permissions(
        user, action, 'SCOPE', module_code, object_code
    )
    if object_code:
        # No heritage for object-level permissions: plain max.
        selected = get_max_perm(user_permissions)
    else:
        # Split into "on this module" and "elsewhere (GeoNature-wide)"; the
        # module bucket wins whenever it is non-empty.
        on_module = []
        elsewhere = []
        for perm in user_permissions:
            (on_module if perm.module_code == module_code else elsewhere).append(perm)
        selected = get_max_perm(on_module if on_module else elsewhere)

    kwargs['info_role'] = selected
    g.user = selected
    return fn(*args, **kwargs)
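def __check_cruved_scope_monitoring(*args, **kwargs):
    """Enforce a minimum CRUVED level for one action inside the monitoring module.

    Closure over the enclosing decorator's ``action`` (a CRUVED letter),
    ``droit_min`` (minimum level) and the wrapped view ``fn``. The sub-module
    is read from the route's ``module_code`` kwarg; without one the parent
    'monitorings' scope applies.

    Returns:
        The non-dict result of ``get_user_from_token_and_raise`` (a
        token-problem Response) as-is — the same convention
        ``cruved_scope_for_user_in_monitoring_module`` follows — otherwise
        ``fn(*args, **kwargs)``.

    Raises:
        InsufficientRightsError: 403 when the level is 0 or below ``droit_min``.
    """
    user = get_user_from_token_and_raise(request)
    # The token helper may hand back a Response instead of the user dict.
    # Without this check the cruved lookup below returns that same Response
    # and `cruved[action]` / `user['id_role']` fail with TypeError — a 500
    # where an auth response was intended.
    if not isinstance(user, dict):
        return user

    module_code = kwargs.get('module_code')
    cruved = cruved_scope_for_user_in_monitoring_module(module_code)
    permission = cruved[action]
    # Level 0 means "no right at all"; anything below the decorator's
    # threshold is refused too.
    if not permission or permission < droit_min:
        raise InsufficientRightsError(
            'User {} with permission level {} for action {} '
            'is not allowed to use this route for module {}, '
            'min permission level is {}'.format(
                user['id_role'],
                permission,
                action,
                module_code or 'monitorings',
                droit_min,
            ),
            403,
        )
    return fn(*args, **kwargs)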
def cruved_scope_for_user_in_monitoring_module(module_code=None):
    """Return the caller's CRUVED (as ints) for a monitoring sub-module, falling back to MONITORINGS.

    A sub-module is consulted only when ``module_code`` is given, is not the
    literal 'null' sent by the front-end, and resolves through ``get_module``.
    Its own (non-inherited) CRUVED wins; in every other case the
    MONITORINGS/ALL CRUVED is returned, inherited or not.

    Returns:
        The ``get_user_from_token_and_raise`` result unchanged when it is not a
        user dict (token problem) — callers must check before indexing —
        otherwise the CRUVED dict converted by ``to_int_cruved``.
    """
    user = get_user_from_token_and_raise(request)
    # Anything but a dict is a token problem already packaged as a Response.
    if not isinstance(user, dict):
        return user
    id_role = user['id_role']

    if module_code and module_code != 'null':
        module = get_module('module_code', module_code)
        if module:
            cruved_module, herited = cruved_scope_for_user_in_module(
                id_role, module.module_code, 'ALL'
            )
            # Only a permission defined on the sub-module itself short-circuits.
            if not herited:
                return to_int_cruved(cruved_module)

    cruved_monitorings, _herited = cruved_scope_for_user_in_module(
        id_role, 'MONITORINGS', 'ALL'
    )
    return to_int_cruved(cruved_monitorings)
def test_user_from_token_and_raise_fail(self):
    """A garbage token cookie yields a 403 Response rather than a user dict."""
    self.client.set_cookie("/", "token", "fake cookie")
    result = get_user_from_token_and_raise(request)
    assert isinstance(result, Response)
    assert result.status_code == 403
def test_user_from_token_and_raise_fail(self):
    """With an unparseable token cookie the helper answers with a 403 Response."""
    self.client.set_cookie('/', 'token', 'fake cookie')
    outcome = get_user_from_token_and_raise(request)
    assert isinstance(outcome, Response) and outcome.status_code == 403