def test_command_remove_object_permissions_with_correct_arguments_output(
user, service):
group = GroupFactory(
name="{}Admin".format(ServiceType.BERTH.name.capitalize()))
user.groups.add(group)
assign_perm("can_view_profiles", group, service)
assign_perm("can_manage_profiles", group, service)
assert user.has_perm("can_view_profiles", service)
assert user.has_perm("can_manage_profiles", service)
out = StringIO()
args = [
ServiceType.BERTH.name,
"{}Admin".format(ServiceType.BERTH.name.capitalize()),
"can_view_profiles",
]
call_command("remove_object_permission", *args, stdout=out)
args = [
ServiceType.BERTH.name,
"{}Admin".format(ServiceType.BERTH.name.capitalize()),
"can_manage_profiles",
]
call_command("remove_object_permission", *args, stdout=out)
assert ("Permission can_view_profiles removed for {0}Admin on service {0}".
format(ServiceType.BERTH.name.capitalize()) in out.getvalue())
assert (
"Permission can_manage_profiles removed for {0}Admin on service {0}".
format(ServiceType.BERTH.name.capitalize()) in out.getvalue())
assert not user.has_perm("can_view_profiles", service)
assert not user.has_perm("can_manage_profiles", service)
def execute_query(self, user_gql_client, profile_input):
user = user_gql_client.user
group = GroupFactory()
service = ServiceFactory()
user.groups.add(group)
assign_perm("can_manage_profiles", group, service)
assign_perm("can_manage_sensitivedata", group, service)
assign_perm("can_view_sensitivedata", group, service)
mutation = """
mutation createProfile($profileInput: CreateProfileInput!) {
createProfile(
input: {
profile: $profileInput
}
) {
profile {
id
}
}
}
"""
variables = {"profileInput": profile_input}
return user_gql_client.execute(mutation,
service=service,
variables=variables)
def test_staff_user_cannot_create_a_profile_with_sensitive_data_without_sensitive_data_service_access(
user_gql_client, service_factory):
user = user_gql_client.user
entitled_service = service_factory()
entitled_group = GroupFactory(name="entitled_group")
assign_perm("can_manage_profiles", entitled_group, entitled_service)
assign_perm("can_manage_sensitivedata", entitled_group, entitled_service)
assign_perm("can_view_sensitivedata", entitled_group, entitled_service)
user.groups.add(entitled_group)
unentitled_service = service_factory()
unentitled_group = GroupFactory(name="unentitled_group")
assign_perm("can_manage_profiles", unentitled_group, unentitled_service)
user.groups.add(unentitled_group)
t = Template("""
mutation {
createProfile(
input: {
profile: {
firstName: "${first_name}",
sensitivedata: {
ssn: "${ssn}"
}
}
}
) {
profile {
firstName
sensitivedata {
ssn
}
}
}
}
""")
query = t.substitute(first_name="John", ssn="121282-123E")
executed = user_gql_client.execute(query, service=unentitled_service)
assert "errors" in executed
assert executed["errors"][0]["message"] == _(
"You do not have permission to perform this action.")
def test_command_add_object_permissions_throws_error_when_invalid_service_type_given(
user, service):
group = GroupFactory(
name="{}Admin".format(ServiceType.BERTH.name.capitalize()))
user.groups.add(group)
out = StringIO()
args = [
"BERTH_INVALID",
"{}Admin".format(ServiceType.BERTH.name.capitalize()),
"can_manage_profiles",
]
with pytest.raises(KeyError):
call_command("add_object_permission", *args, stdout=out)
assert not user.has_perm("can_manage_profiles", service)
def test_command_add_object_permissions_throws_error_when_invalid_group_name_given(
user, service):
group = GroupFactory(
name="{}Admin".format(ServiceType.BERTH.name.capitalize()))
user.groups.add(group)
out = StringIO()
args = [
ServiceType.BERTH.name,
"{}AdminInvalid".format(ServiceType.BERTH.name.capitalize()),
"can_manage_profiles",
]
call_command("add_object_permission", *args, stdout=out)
assert "Invalid group_name given" in out.getvalue()
assert not user.has_perm("can_manage_profiles", service)
def test_assign_permissions(times, user, service):
available_permissions = [item[0] for item in Service._meta.permissions]
# assign_permissions expects a Group and a Service exist with the same name.
group = GroupFactory(name=service.name)
user.groups.add(group)
for permission in available_permissions:
assert not user.has_perm(permission, service)
assert permission not in get_group_perms(group, service)
for i in range(times):
assign_permissions([group])
for permission in available_permissions:
assert user.has_perm(permission, service)
assert permission in get_group_perms(group, service)
def setup_profile_and_staff_user_to_service(profile,
user,
service,
can_view_sensitivedata=False,
can_manage_sensitivedata=False):
if profile:
ServiceConnectionFactory(profile=profile, service=service)
group = GroupFactory()
assign_perm("can_manage_profiles", group, service)
if can_view_sensitivedata:
assign_perm("can_view_sensitivedata", group, service)
if can_manage_sensitivedata:
assign_perm("can_manage_sensitivedata", group, service)
user.groups.add(group)
def test_generates_group_admins():
group = GroupFactory(name="group_name")
assert group.user_set.count() == 0
generate_group_admins([group], faker=Faker())
assert group.user_set.count() == 1
def group():
return GroupFactory()
def test_generates_group_admins():
group = GroupFactory(name=ServiceType.BERTH.value)
assert group.user_set.count() == 0
generate_group_admins([group], faker=Faker())
assert group.user_set.count() == 1