コード例 #1
def test_manager_cant_access_director(method, app, db_session):
    """Check the role hierarchy as seen by a manager.

    With a manager as the current user, ``has_privilege`` must refuse
    ``method`` on a director's employee record and grant it on a master's.
    ``method`` is supplied by the caller, presumably a parametrized fixture
    covering each access method (confirm against the test module).
    """
    def employee_with(role_type):
        # One fresh role per employee, built through the project factories.
        return factories.EmployeeFactory(
            role=factories.RoleFactory(role_type=role_type))

    acting_manager = employee_with(RoleType.Manager)
    higher_ranked = employee_with(RoleType.Director)
    lower_ranked = employee_with(RoleType.Master)

    # has_privilege receives no user argument in these calls, so the acting
    # identity is presumably read from flask.g.user.
    flask.g.user = acting_manager

    # NOTE(review): no company is passed to the factories here. If
    # has_privilege also enforces company boundaries, the deny below could
    # pass for that reason rather than because of the role check - confirm
    # that the factories place all three employees in one company.
    director_allowed = has_privilege(
        method=method, resource="employee", employee_id=higher_ranked.id)
    assert not director_allowed

    master_allowed = has_privilege(
        method=method, resource="employee", employee_id=lower_ranked.id)
    assert master_allowed
コード例 #2
def test_can_access_same_company_employees(app, db_session):
    """An employee may read a colleague's record inside the same company.

    Both employees share one company and one role object, so this is the
    positive (allow) case for READ on the "employee" resource.
    """
    shared_company = factories.CompanyFactory()
    shared_role = factories.RoleFactory()

    def new_employee():
        # Same company and same role for everyone created in this test.
        return factories.EmployeeFactory(company=shared_company,
                                         role=shared_role)

    requester = new_employee()
    target = new_employee()

    # The acting identity is set on the Flask request globals; has_privilege
    # is not handed a user explicitly.
    flask.g.user = requester

    granted = has_privilege(method=Method.READ,
                            resource="employee",
                            employee_id=target.id)
    assert granted
コード例 #3
def test_can_access_his_profile(app):
    """An employee may read the employee record whose id is their own.

    The Employee is only placed on ``flask.g``; this test takes no database
    session and never stores the object.
    """
    own_id = 1
    profile_fields = dict(
        first_name="Alice",
        last_name="Cooper",
        username="******",
        phone_number="1",
        birth_date=datetime.utcnow(),
        pin_code=2222,
        account_status="on",
        user_status="on",
        registration_date=datetime.utcnow(),
        email="*****@*****.**",
        password="******",
    )
    flask.g.user = Employee(id=own_id, **profile_fields)

    # Self-access: the requested employee_id equals the current user's id.
    granted = has_privilege(
        method=Method.READ, resource="employee", employee_id=own_id)
    assert granted
コード例 #4
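def test_manager_cant_access_director(app, db_session):
    """
    A manager must not be able to read a director's employee record.

    Both employees belong to the same company, so the role is meant to be
    the only thing that can make ``has_privilege`` refuse the request.

    @todo #298:30min Add check that users with Manager role can only access or
     modify employees that have role of master or interns. Then remove skip
     annotation from this test.
    """
    my_company = Company(id=1, name="Acme Inc.", code="code1", address="addr")
    db_session.add(my_company)
    manager_role = Role(name="Manager",
                        works_on_shifts=False,
                        company_id=my_company.id)
    director_role = Role(name="Director",
                         works_on_shifts=False,
                         company_id=my_company.id)
    # Persist the roles and flush before their ids are copied into role_id
    # below. Role.id is assumed to be database-generated (the model is not
    # shown here); without the flush it would still be None at this point,
    # both employees would be stored with no role at all, and the assertion
    # at the end would not exercise the role check it is named after.
    db_session.add(manager_role)
    db_session.add(director_role)
    db_session.flush()
    me = Employee(id=1,
                  first_name="Alice",
                  last_name="Cooper",
                  username="******",
                  phone_number="1",
                  birth_date=datetime.utcnow(),
                  pin_code=7777,
                  account_status="on",
                  user_status="on",
                  registration_date=datetime.utcnow(),
                  company_id=my_company.id,
                  email="*****@*****.**",
                  password="******",
                  role_id=manager_role.id)
    db_session.add(me)
    # The acting identity is taken from the Flask request globals;
    # has_privilege is not handed a user explicitly.
    flask.g.user = me
    other = Employee(id=2,
                     first_name="Bob",
                     last_name="Cooper",
                     username="******",
                     phone_number="1",
                     birth_date=datetime.utcnow(),
                     pin_code=6666,
                     account_status="on",
                     user_status="on",
                     registration_date=datetime.utcnow(),
                     company_id=my_company.id,
                     email="*****@*****.**",
                     password="******",
                     role_id=director_role.id)
    db_session.add(other)
    db_session.commit()
    # Guard against a silently role-less fixture: a deny result is only
    # meaningful if both employees really carry a role.
    assert me.role_id is not None and other.role_id is not None
    assert not has_privilege(
        method=Method.READ, resource="employee", employee_id=other.id)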
コード例 #5
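def test_can_access_same_company_employees(app, db_session):
    """A manager may read the record of a master in the same company.

    This is the positive (allow) case: same company, and a target whose role
    is "Master" while the current user's role is "Manager".
    """
    my_company = Company(id=1, name="Acme Inc.", code="code1", address="addr")
    db_session.add(my_company)
    manager_role = Role(name="Manager",
                        works_on_shifts=False,
                        company_id=my_company.id)
    master_role = Role(name="Master",
                       works_on_shifts=False,
                       company_id=my_company.id)
    # Persist the roles and flush before their ids are copied into role_id
    # below. Role.id is assumed to be database-generated (the model is not
    # shown here); without the flush it would still be None at this point and
    # both employees would be stored with no role, so the test would only
    # cover the same-company rule and never the Manager -> Master pairing.
    db_session.add(manager_role)
    db_session.add(master_role)
    db_session.flush()
    me = Employee(id=1,
                  first_name="Alice",
                  last_name="Cooper",
                  username="******",
                  phone_number="1",
                  birth_date=datetime.utcnow(),
                  pin_code=7777,
                  account_status="on",
                  user_status="on",
                  registration_date=datetime.utcnow(),
                  company_id=my_company.id,
                  email="*****@*****.**",
                  password="******",
                  role_id=manager_role.id)
    db_session.add(me)
    # The acting identity is taken from the Flask request globals;
    # has_privilege is not handed a user explicitly.
    flask.g.user = me
    other = Employee(id=2,
                     first_name="Bob",
                     last_name="Cooper",
                     username="******",
                     phone_number="1",
                     birth_date=datetime.utcnow(),
                     pin_code=6666,
                     account_status="on",
                     user_status="on",
                     registration_date=datetime.utcnow(),
                     company_id=my_company.id,
                     email="*****@*****.**",
                     password="******",
                     role_id=master_role.id)
    db_session.add(other)
    db_session.commit()
    # Make sure the fixture really assigned roles before trusting the result.
    assert me.role_id is not None and other.role_id is not None
    assert has_privilege(method=Method.READ,
                         resource="employee",
                         employee_id=other.id)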
コード例 #6
def test_cant_access_other_company_employees(app, db_session):
    """READ on an employee of a different company must be refused.

    Two companies are stored with one employee each. The employee of the
    first company becomes the current user and asks for the record of the
    employee in the second company. No role is set on either employee, so
    the company is the only attribute that tells them apart.
    """
    def person(emp_id, first_name, pin_code, company_id):
        # Fields other than these four are identical for both employees.
        return Employee(id=emp_id,
                        first_name=first_name,
                        last_name="Cooper",
                        username="******",
                        phone_number="1",
                        birth_date=datetime.utcnow(),
                        pin_code=pin_code,
                        account_status="on",
                        user_status="on",
                        registration_date=datetime.utcnow(),
                        company_id=company_id,
                        email="*****@*****.**",
                        password="******")

    home_company = Company(
        id=1, name="Foo Inc.", code="code1", address="addr")
    db_session.add(home_company)

    requester = person(1, "Alice", 3333, home_company.id)
    db_session.add(requester)
    # has_privilege is not handed a user explicitly; the acting identity is
    # set on the Flask request globals.
    flask.g.user = requester

    foreign_company = Company(
        id=2, name="Bar Inc.", code="code2", address="addr")
    db_session.add(foreign_company)

    outsider = person(2, "Bob", 4444, foreign_company.id)
    db_session.add(outsider)
    db_session.commit()

    cross_company_read = has_privilege(method=Method.READ,
                                       resource="employee",
                                       employee_id=outsider.id)
    assert not cross_company_read