def test_get_object_users_with_permission(self):
    """
    Check that the organization user is absent from the permission listing.

    The organization user is granted EditorRole on the published form, and
    get_object_users_with_permissions() is still expected not to return it.
    """
    alice = self._create_user('alice', 'alice')
    organization = tools.create_organization("modilabs", alice)
    org_user = organization.user
    self._publish_transportation_form()
    EditorRole.add(org_user, self.xform)

    # NOTE(review): the org user holds a role on the form yet is expected to
    # be missing from the listing. Confirm the omission is intended; a
    # permission listing that leaves out a grantee can mislead an access
    # review of the form.
    permission_rows = get_object_users_with_permissions(self.xform)
    listed_users = [row['user'] for row in permission_rows]
    self.assertFalse(org_user in listed_users)
def test_get_object_users_with_permission(self):
    """
    Check the permission listing for a form shared with an organization.

    The organization user granted EditorRole must appear in the result of
    get_object_users_with_permissions(), and the first returned entry must
    expose the expected set of keys.
    """
    alice = self._create_user('alice', 'alice')
    organization = tools.create_organization("modilabs", alice)
    org_user = organization.user
    self._publish_transportation_form()
    EditorRole.add(org_user, self.xform)

    permission_rows = get_object_users_with_permissions(self.xform)
    listed_users = [row['user'] for row in permission_rows]
    self.assertTrue(org_user in listed_users)

    # Only the first entry is inspected for its shape; the checks run in the
    # same order as the individual key assertions they replace.
    expected_keys = (
        'first_name',
        'last_name',
        'user',
        'role',
        'gravatar',
        'metadata',
        'is_org',
    )
    for expected_key in expected_keys:
        self.assertIn(expected_key, permission_rows[0].keys())
def test_reassign_role_owner_to_editor(self):
    """
    Check that granting EditorRole to an owner replaces the OwnerRole.

    Role assignment is expected to swap roles rather than accumulate them:
    once alice is made an editor she must no longer hold the owner role,
    so a demotion cannot leave the higher privilege behind.
    """
    self._publish_transportation_form()
    alice = self._create_user('alice', 'alice')
    form = self.xform

    # A freshly created user starts without the owner role on the form.
    self.assertFalse(OwnerRole.has_role(alice, form))

    OwnerRole.add(alice, form)
    self.assertTrue(OwnerRole.has_role(alice, form))

    # Demotion: the editor grant must remove the owner role.
    EditorRole.add(alice, form)
    self.assertFalse(OwnerRole.has_role(alice, form))
    self.assertTrue(EditorRole.has_role(alice, form))
def test_submission_review_permission(self):
    """
    Check that an editor cannot create, update or delete submission reviews.

    `dave` is granted EditorRole on the form that owns an existing review
    and authenticates with his token; each write request against
    SubmissionReviewViewSet is expected to be rejected with HTTP 403.
    """
    review_data = self._create_submission_review()
    form = Instance.objects.get(id=review_data['instance']).xform

    self._create_user_and_login('dave', '1234')
    auth_headers = {'HTTP_AUTHORIZATION': 'Token %s' % self.user.auth_token}

    # Editor is below the roles the original author lists as allowed to
    # manage reviews (Admins and Managers), so every write must be refused.
    EditorRole.add(self.user, form)

    # NOTE(review): 'get' -> 'list' is routed here but never exercised, and
    # only status codes are asserted. The test does not confirm that the
    # existing review is left unchanged after the denied requests.
    review_view = SubmissionReviewViewSet.as_view({
        'post': 'create',
        'get': 'list',
        'patch': 'partial_update',
        'delete': 'destroy'
    })

    # Create: denied for the editor.
    create_payload = {
        'note': "Hey there!",
        'status': SubmissionReview.APPROVED,
        'instance': review_data['instance']
    }
    create_request = self.factory.post('/', data=create_payload, **auth_headers)
    create_response = review_view(request=create_request)
    self.assertEqual(403, create_response.status_code)

    # Partial update of the existing review: denied for the editor.
    update_payload = {
        'note': "Hey there!",
        'status': SubmissionReview.APPROVED
    }
    update_request = self.factory.patch('/', data=update_payload, **auth_headers)
    update_response = review_view(request=update_request, pk=review_data['id'])
    self.assertEqual(403, update_response.status_code)

    # Delete of the existing review: denied for the editor.
    delete_request = self.factory.delete('/', **auth_headers)
    delete_response = review_view(request=delete_request, pk=review_data['id'])
    self.assertEqual(403, delete_response.status_code)
def test_role_update_xform_meta_perms(self):
    """
    Check that form-level meta permissions remap roles already granted.

    Creating XFORM_META_PERMS metadata with 'editor-minor|dataentry' is
    expected to move an existing EditorRole holder to EditorMinorRole.
    Updating it to 'editor|dataentry-only' is expected to move a
    DataEntryRole holder to DataEntryOnlyRole. In both cases the broader
    role must be gone afterwards, so a tightened policy also applies to
    existing grants.
    """
    alice_data = {'username': '******', 'email': '*****@*****.**'}
    alice_profile = self._create_user_profile(alice_data)
    alice_user = alice_profile.user
    EditorRole.add(alice_user, self.xform)

    metadata_view = MetaDataViewSet.as_view({
        'post': 'create',
        'put': 'update'
    })

    # Step 1: create the meta permission that narrows the editor role.
    create_payload = {
        'data_type': XFORM_META_PERMS,
        'data_value': 'editor-minor|dataentry',
        'xform': self.xform.pk
    }
    create_request = self.factory.post('/', create_payload, **self.extra)
    create_response = metadata_view(create_request)
    self.assertEqual(create_response.status_code, 201)
    self.assertFalse(EditorRole.user_has_role(alice_user, self.xform))
    self.assertTrue(EditorMinorRole.user_has_role(alice_user, self.xform))

    # Step 2: grant data entry, then update the same metadata record so the
    # data-entry role is narrowed instead.
    meta = MetaData.xform_meta_permission(self.xform)
    DataEntryRole.add(alice_user, self.xform)
    update_payload = {
        'data_type': XFORM_META_PERMS,
        'data_value': 'editor|dataentry-only',
        'xform': self.xform.pk
    }
    update_request = self.factory.put('/', update_payload, **self.extra)
    update_response = metadata_view(update_request, pk=meta.pk)
    self.assertEqual(update_response.status_code, 200)
    self.assertFalse(DataEntryRole.user_has_role(alice_user, self.xform))
    self.assertTrue(DataEntryOnlyRole.user_has_role(alice_user, self.xform))
def test_reassign_role_owner_to_editor(self):
    """
    Check that granting EditorRole to an owner replaces the OwnerRole.

    The role is verified two ways after each change: directly for the user
    with user_has_role(), and against the permission set returned by
    perms_for(). Both views must agree that the owner role is gone once
    the editor role has been granted.
    """
    self._publish_transportation_form()
    alice = self._create_user('alice', 'alice')
    form = self.xform

    # A freshly created user starts without the owner role on the form.
    self.assertFalse(OwnerRole.user_has_role(alice, form))

    OwnerRole.add(alice, form)
    self.assertTrue(OwnerRole.user_has_role(alice, form))
    owner_perms = perms_for(alice, form)
    self.assertTrue(OwnerRole.has_role(owner_perms, form))

    # Demotion: the editor grant must remove the owner role.
    EditorRole.add(alice, form)
    self.assertFalse(OwnerRole.user_has_role(alice, form))
    self.assertTrue(EditorRole.user_has_role(alice, form))

    # perms_for() is queried again for each check so the assertions see the
    # permissions as they stand after the reassignment.
    self.assertFalse(OwnerRole.has_role(perms_for(alice, form), form))
    self.assertTrue(EditorRole.has_role(perms_for(alice, form), form))
def test_reassign_role_owner_to_editor(self):
    """
    Test that reassigning an owner to editor removes the owner role.

    Each state is checked through user_has_role() and through has_role()
    on the permissions returned by perms_for(), so a leftover owner
    permission after the demotion would fail the test.
    """
    self._publish_transportation_form()
    alice = self._create_user('alice', 'alice')
    target_form = self.xform

    # Baseline: no owner role before any grant.
    self.assertFalse(OwnerRole.user_has_role(alice, target_form))

    # Promote to owner and confirm through both checks.
    OwnerRole.add(alice, target_form)
    self.assertTrue(OwnerRole.user_has_role(alice, target_form))
    perms_as_owner = perms_for(alice, target_form)
    self.assertTrue(OwnerRole.has_role(perms_as_owner, target_form))

    # Reassign to editor: owner must be revoked, editor must be held.
    EditorRole.add(alice, target_form)
    self.assertFalse(OwnerRole.user_has_role(alice, target_form))
    self.assertTrue(EditorRole.user_has_role(alice, target_form))
    self.assertFalse(
        OwnerRole.has_role(perms_for(alice, target_form), target_form))
    self.assertTrue(
        EditorRole.has_role(perms_for(alice, target_form), target_form))
def test_get_object_users_with_permission(self):
    """
    Test get_object_users_with_permissions() with group users included.

    EditorRole is granted on the form to the organization user and to the
    'demo' group that alice belongs to. With with_group_users=True both the
    organization user and alice are expected in the listing, and the first
    entry must expose the expected set of keys.
    """
    alice = self._create_user('alice', 'alice')
    UserProfile.objects.get_or_create(user=alice)
    organization = tools.create_organization("modilabs", alice)
    org_user = organization.user

    demo_grp = Group.objects.create(name='demo')
    alice.groups.add(demo_grp)

    self._publish_transportation_form()
    EditorRole.add(org_user, self.xform)
    EditorRole.add(demo_grp, self.xform)

    permission_rows = get_object_users_with_permissions(
        self.xform, with_group_users=True)
    listed_users = [row['user'] for row in permission_rows]
    self.assertTrue(org_user in listed_users)
    # NOTE(review): alice is presumably listed through the 'demo' group
    # grant, but she also created the organization. Confirm which path puts
    # her in the result.
    self.assertTrue(alice in listed_users)

    # Only the first entry is inspected for its shape.
    first_row_keys = list(permission_rows[0])
    expected_keys = (
        'first_name',
        'last_name',
        'user',
        'role',
        'gravatar',
        'metadata',
        'is_org',
    )
    for expected_key in expected_keys:
        self.assertIn(expected_key, first_row_keys)