def response_role_based_access(domain, new_plan_version): """ Perform Role Based Access Upgrade - Un-archive custom roles. """ UserRole.unarchive_roles_for_domain(domain.name) return True
def update_user_roles(domain_link): if domain_link.is_remote: master_results = remote_get_user_roles(domain_link) else: master_results = local_get_user_roles(domain_link.master_domain) _convert_web_apps_permissions(domain_link, master_results) _convert_reports_permissions(domain_link, master_results) local_roles = UserRole.view( 'users/roles_by_domain', startkey=[domain_link.linked_domain], endkey=[domain_link.linked_domain, {}], include_docs=True, reduce=False, ) local_roles_by_name = {role.name: role for role in local_roles} for role_def in master_results: role = local_roles_by_name.get(role_def['name']) if role: role_json = role.to_json() else: role_json = {'domain': domain_link.linked_domain} role_json.update(role_def) UserRole.wrap(role_json).save()
def test_report_fixtures_provider_with_cloudcare(self): """ ReportFixturesProvider should iterate only allowed apps if sync is from cloudcare """ from corehq.apps.userreports.reports.data_source import ConfigurableReportDataSource role = UserRole( domain=self.domain, permissions=Permissions( view_web_apps=False, view_web_apps_list=[self.app1._id] ), name='WebApp Restricted' ) role.save() self.user._couch_user.set_role(self.domain, role.get_qualified_id()) with patch.object(ConfigurableReportDataSource, 'get_data') as get_data_mock: get_data_mock.return_value = self.rows with mock_datasource_config(): fixtures = call_fixture_generator( report_fixture_generator, self.user, device_id="WebAppsLogin|[email protected]" ) reports = fixtures[0].findall('.//report') self.assertEqual(len(reports), 1) self.assertEqual(reports[0].attrib.get('id'), '123456')
def _handle_user_form(request, domain, couch_user=None): context = {} if couch_user: create_user = False else: create_user = True can_change_admin_status = ( request.user.is_superuser or request.couch_user.can_edit_web_users(domain=domain) ) and request.couch_user.user_id != couch_user.user_id if couch_user.is_commcare_user(): role_choices = UserRole.commcareuser_role_choices(domain) else: role_choices = UserRole.role_choices(domain) if request.method == "POST" and request.POST["form_type"] == "basic-info": form = UserForm(request.POST, role_choices=role_choices) if form.is_valid(): if create_user: django_user = User() django_user.username = form.cleaned_data["email"] django_user.save() couch_user = CouchUser.from_django_user(django_user) couch_user.first_name = form.cleaned_data["first_name"] couch_user.last_name = form.cleaned_data["last_name"] couch_user.email = form.cleaned_data["email"] couch_user.language = form.cleaned_data["language"] if can_change_admin_status: role = form.cleaned_data["role"] if role: couch_user.set_role(domain, role) couch_user.save() if request.couch_user.get_id == couch_user.get_id and couch_user.language: # update local language in the session request.session["django_language"] = couch_user.language messages.success(request, 'Changes saved for user "%s"' % couch_user.username) else: form = UserForm(role_choices=role_choices) if not create_user: form.initial["first_name"] = couch_user.first_name form.initial["last_name"] = couch_user.last_name form.initial["email"] = couch_user.email form.initial["language"] = couch_user.language if can_change_admin_status: if couch_user.is_commcare_user(): role = couch_user.get_role(domain) if role is None: initial = "none" else: initial = role.get_qualified_id() form.initial["role"] = initial else: form.initial["role"] = couch_user.get_role(domain, include_teams=False).get_qualified_id() or "" if not can_change_admin_status: del form.fields["role"] context.update({"form": form}) return context
def setUp(self): super(TestUserRoleSubscriptionChanges, self).setUp() self.domain = generator.arbitrary_domain() UserRole.init_domain_with_presets(self.domain.name) self.user_roles = UserRole.by_domain(self.domain.name) self.custom_role = UserRole.get_or_create_with_permissions( self.domain.name, Permissions(edit_apps=True, edit_web_users=True), "Custom Role" ) self.custom_role.save() self.read_only_role = UserRole.get_read_only_role_by_domain(self.domain.name) self.admin_user = generator.arbitrary_web_user() self.admin_user.add_domain_membership(self.domain.name, is_admin=True) self.admin_user.save() self.web_users = [] self.commcare_users = [] for role in [self.custom_role] + self.user_roles: web_user = generator.arbitrary_web_user() web_user.add_domain_membership(self.domain.name, role_id=role.get_id) web_user.save() self.web_users.append(web_user) commcare_user = generator.arbitrary_commcare_user( domain=self.domain.name) commcare_user.set_role(self.domain.name, role.get_qualified_id()) commcare_user.save() self.commcare_users.append(commcare_user) self.account = BillingAccount.get_or_create_account_by_domain( self.domain.name,created_by=self.admin_user.username)[0] self.advanced_plan = DefaultProductPlan.get_default_plan_by_domain( self.domain.name,edition=SoftwarePlanEdition.ADVANCED)
def response_role_based_access(domain, new_plan_version): """ Perform Role Based Access Downgrade - Archive custom roles. - Set user roles using custom roles to Read Only. - Reset initial roles to standard permissions. """ custom_roles = [r.get_id for r in UserRole.get_custom_roles_by_domain(domain.name)] if not custom_roles: return True # temporarily disable this part of the downgrade until we # have a better user experience for notifying the downgraded user # read_only_role = UserRole.get_read_only_role_by_domain(self.domain.name) # web_users = WebUser.by_domain(self.domain.name) # for web_user in web_users: # if web_user.get_domain_membership(self.domain.name).role_id in custom_roles: # web_user.set_role(self.domain.name, read_only_role.get_qualified_id()) # web_user.save() # for cc_user in CommCareUser.by_domain(self.domain.name): # if cc_user.get_domain_membership(self.domain.name).role_id in custom_roles: # cc_user.set_role(self.domain.name, 'none') # cc_user.save() UserRole.archive_custom_roles_for_domain(domain.name) UserRole.reset_initial_roles_for_domain(domain.name) return True
def handle(self, *args, **options): for domain in Domain.get_all(): UserRole.get_or_create_with_permissions( domain.name, UserRolePresets.get_permissions(UserRolePresets.BILLING_ADMIN), UserRolePresets.BILLING_ADMIN )
def test_resubscription(self): subscription = Subscription.new_domain_subscription( self.account, self.domain.name, self.advanced_plan, web_user=self.admin_user.username ) self._change_std_roles() subscription.cancel_subscription(web_user=self.admin_user.username) custom_role = UserRole.get(self.custom_role.get_id) self.assertTrue(custom_role.is_archived) subscription = Subscription.new_domain_subscription( self.account, self.domain.name, self.advanced_plan, web_user=self.admin_user.username ) custom_role = UserRole.get(self.custom_role.get_id) self.assertFalse(custom_role.is_archived) # disable this part of the test until we improve the UX for notifying # downgraded users of their privilege changes # custom_web_user = WebUser.get(self.web_users[0].get_id) # custom_commcare_user = CommCareUser.get(self.commcare_users[0].get_id) # self.assertEqual( # custom_web_user.get_domain_membership(self.domain.name).role_id, # self.read_only_role.get_id # ) # self.assertIsNone( # custom_commcare_user.get_domain_membership(self.domain.name).role_id # ) self.assertInitialRoles() self.assertStdUsers() subscription.cancel_subscription(web_user=self.admin_user.username)
def handle(self, **options): roles = UserRole.view( 'users/roles_by_domain', include_docs=False, reduce=False ).all() for role_doc in iter_docs(UserRole.get_db(), [r['id'] for r in roles]): role = UserRole.wrap(role_doc) save_role = False if role.permissions.edit_web_users: role.permissions.view_web_users = True role.permissions.view_roles = True save_role = True if role.permissions.edit_commcare_users: role.permissions.view_commcare_users = True role.permissions.edit_groups = True role.permissions.view_groups = True save_role = True if role.permissions.edit_locations: role.permissions.view_locations = True save_role = True if save_role: role.save()
def _create_or_edit_facility_manager_role(self): facility_manager_role = UserRole.by_domain_and_name(self.domain, 'Facility manager') reports_list = [ "corehq.apps.reports.standard.sms.MessageLogReport", "custom.ewsghana.reports.specific_reports.dashboard_report.DashboardReport", "custom.ewsghana.reports.specific_reports.stock_status_report.StockStatus", "custom.ewsghana.reports.specific_reports.reporting_rates.ReportingRatesReport", "custom.ewsghana.reports.maps.EWSMapReport" ] if facility_manager_role: permissions = Permissions( edit_web_users=True, edit_commcare_users=True, view_reports=False, view_report_list=reports_list ) facility_manager_role[0].permissions = permissions facility_manager_role[0].save() else: role = UserRole( domain=self.domain, permissions=Permissions( view_reports=False, edit_web_users=True, edit_commcare_users=True, view_report_list=reports_list ), name='Facility manager' ) role.save()
def web_user_sync(self, ews_webuser): username = ews_webuser.email.lower() if not username: try: validate_email(ews_webuser.username) username = ews_webuser.username except ValidationError: return None user = WebUser.get_by_username(username) user_dict = { 'first_name': ews_webuser.first_name, 'last_name': ews_webuser.last_name, 'is_active': ews_webuser.is_active, 'last_login': force_to_datetime(ews_webuser.last_login), 'date_joined': force_to_datetime(ews_webuser.date_joined), 'password_hashed': True, } location_id = None if ews_webuser.location: try: location = SQLLocation.objects.get(domain=self.domain, external_id=ews_webuser.location) location_id = location.location_id except SQLLocation.DoesNotExist: pass if user is None: try: user = WebUser.create(domain=None, username=username, password=ews_webuser.password, email=ews_webuser.email, **user_dict) user.add_domain_membership(self.domain, location_id=location_id) except Exception as e: logging.error(e) else: if self.domain not in user.get_domains(): user.add_domain_membership(self.domain, location_id=location_id) ews_webuser_extension(user, ews_webuser) dm = user.get_domain_membership(self.domain) if dm.location_id != location_id: dm.location_id = location_id if ews_webuser.is_superuser: dm.role_id = UserRole.by_domain_and_name(self.domain, 'Administrator')[0].get_id elif ews_webuser.groups and ews_webuser.groups[0].name == 'facility_manager': dm.role_id = UserRole.by_domain_and_name(self.domain, 'Facility manager')[0].get_id else: if ews_webuser.supply_point: supply_point = get_supply_point_case_by_domain_external_id(self.domain, ews_webuser.supply_point) if supply_point: dm.location_id = supply_point.location_id dm.role_id = UserRole.by_domain_and_name(self.domain, 'Web Reporter')[0].get_id else: dm.role_id = UserRole.get_read_only_role_by_domain(self.domain).get_id else: dm.role_id = UserRole.get_read_only_role_by_domain(self.domain).get_id user.save() return user
def _handle_user_form(request, domain, couch_user=None): from corehq.apps.reports.util import get_possible_reports context = {} if couch_user: create_user = False else: create_user = True can_change_admin_status = \ (request.user.is_superuser or request.couch_user.can_edit_web_users(domain=domain))\ and request.couch_user.user_id != couch_user.user_id if couch_user.is_commcare_user(): role_choices = UserRole.commcareuser_role_choices(domain) else: role_choices = UserRole.role_choices(domain) if request.method == "POST" and request.POST['form_type'] == "basic-info": form = UserForm(request.POST, role_choices=role_choices) if form.is_valid(): if create_user: django_user = User() django_user.username = form.cleaned_data['email'] django_user.save() couch_user = CouchUser.from_django_user(django_user) couch_user.first_name = form.cleaned_data['first_name'] couch_user.last_name = form.cleaned_data['last_name'] couch_user.email = form.cleaned_data['email'] couch_user.language = form.cleaned_data['language'] if can_change_admin_status: role = form.cleaned_data['role'] if role: couch_user.set_role(domain, role) couch_user.save() messages.success(request, 'Changes saved for user "%s"' % couch_user.username) else: form = UserForm(role_choices=role_choices) if not create_user: form.initial['first_name'] = couch_user.first_name form.initial['last_name'] = couch_user.last_name form.initial['email'] = couch_user.email form.initial['language'] = couch_user.language if can_change_admin_status: if couch_user.is_commcare_user(): role = couch_user.get_role(domain) if role is None: initial = "none" else: initial = role.get_qualified_id() form.initial['role'] = initial else: form.initial['role'] = couch_user.get_role(domain).get_qualified_id() or '' if not can_change_admin_status: del form.fields['role'] context.update({"form": form}) return context
def setUpClass(cls): super(AllCommCareUsersTest, cls).setUpClass() delete_all_users() hard_delete_deleted_users() cls.ccdomain = Domain(name='cc_user_domain') cls.ccdomain.save() cls.other_domain = Domain(name='other_domain') cls.other_domain.save() UserRole.init_domain_with_presets(cls.ccdomain.name) cls.user_roles = UserRole.by_domain(cls.ccdomain.name) cls.custom_role = UserRole.get_or_create_with_permissions( cls.ccdomain.name, Permissions( edit_apps=True, edit_web_users=True, view_web_users=True, view_roles=True, ), "Custom Role" ) cls.custom_role.save() cls.ccuser_1 = CommCareUser.create( domain=cls.ccdomain.name, username='******', password='******', email='*****@*****.**', ) cls.ccuser_2 = CommCareUser.create( domain=cls.ccdomain.name, username='******', password='******', email='*****@*****.**', ) cls.ccuser_2.set_role(cls.ccdomain.name, cls.custom_role.get_qualified_id()) cls.ccuser_2.save() cls.web_user = WebUser.create( domain=cls.ccdomain.name, username='******', password='******', email='*****@*****.**', ) cls.ccuser_other_domain = CommCareUser.create( domain=cls.other_domain.name, username='******', password='******', email='*****@*****.**', ) cls.retired_user = CommCareUser.create( domain=cls.ccdomain.name, username='******', password='******', email='*****@*****.**', ) cls.retired_user.retire()
def web_users(request, domain, template="users/web_users.html"): context = _users_context(request, domain) user_roles = [AdminUserRole(domain=domain)] user_roles.extend(sorted(UserRole.by_domain(domain), key=lambda role: role.name if role.name else u'\uFFFF')) context.update({ 'user_roles': user_roles, 'default_role': UserRole.get_default(), 'report_list': get_possible_reports(domain), }) return render_to_response(request, template, context)
def post_user_role(request, domain): role_data = json.loads(request.raw_post_data) role_data = dict([(p, role_data[p]) for p in set(UserRole.properties().keys() + ['_id', '_rev']) if p in role_data]) role = UserRole.wrap(role_data) role.domain = domain if role.get_id: old_role = UserRole.get(role.get_id) assert(old_role.doc_type == UserRole.__name__) role.save() return json_response(role)
def restrict_user_to_assigned_locations(cls, user): role = UserRole( domain=cls.domain, name='Regional Supervisor', permissions=Permissions(edit_commcare_users=True, access_all_locations=False), ) role.save() user.set_role(cls.domain, role.get_qualified_id()) user.save()
def test_update_web_apps_list(self): self.assertEqual([], UserRole.by_domain(self.linked_domain)) report_mapping = {'master_report_id': 'linked_report_id'} with patch('corehq.apps.linked_domain.updates.get_static_report_mapping', return_value=report_mapping): update_user_roles(self.domain_link) roles = UserRole.by_domain(self.linked_domain) self.assertEqual(1, len(roles)) self.assertEqual(roles[0].permissions.view_web_apps_list, [self.linked_app._id]) self.assertEqual(roles[0].permissions.view_report_list, [get_ucr_class_name('linked_report_id')])
def _set_role_for_bundle(kwargs, bundle): # check for roles associated with the domain domain_roles = UserRole.by_domain_and_name(kwargs['domain'], bundle.data.get('role')) if domain_roles: qualified_role_id = domain_roles[0].get_qualified_id() bundle.obj.set_role(kwargs['domain'], qualified_role_id) else: # check for preset roles and now create them for the domain permission_preset_name = UserRole.get_preset_permission_by_name(bundle.data.get('role')) if permission_preset_name: bundle.obj.set_role(kwargs['domain'], permission_preset_name)
def test_get_doc_ids_in_domain_by_class(self): user_role = UserRole(domain=self.domain) group = Group(domain=self.domain) xform = XFormInstance(domain=self.domain) user_role.save() group.save() xform.save() self.addCleanup(user_role.delete) self.addCleanup(group.delete) self.addCleanup(xform.delete) [doc_id] = get_doc_ids_in_domain_by_class(self.domain, UserRole) self.assertEqual(doc_id, user_role.get_id)
def response_role_based_access(self): """ Perform Role Based Access Upgrade - Un-archive custom roles. """ if self.verbose: num_archived_roles = len(UserRole.by_domain(self.domain.name, is_archived=True)) if num_archived_roles: print "Re-Activating %d archived roles." % num_archived_roles UserRole.unarchive_roles_for_domain(self.domain.name) return True
def _create_or_edit_administrator_role(domain): administrator_role = UserRole.by_domain_and_name(domain, 'Administrator') reports_list = [ "corehq.apps.reports.standard.sms.MessageLogReport", "custom.ewsghana.reports.specific_reports.dashboard_report.DashboardReport", "custom.ewsghana.reports.specific_reports.stock_status_report.StockStatus", "custom.ewsghana.reports.specific_reports.reporting_rates.ReportingRatesReport", "custom.ewsghana.reports.maps.EWSMapReport", "custom.ewsghana.reports.email_reports.CMSRMSReport", "custom.ewsghana.reports.email_reports.StockSummaryReport", "custom.ewsghana.comparison_report.ProductsCompareReport", "custom.ewsghana.comparison_report.LocationsCompareReport", "custom.ewsghana.comparison_report.SupplyPointsCompareReport", "custom.ewsghana.comparison_report.WebUsersCompareReport", "custom.ewsghana.comparison_report.SMSUsersCompareReport" ] if administrator_role: permissions = Permissions( edit_web_users=True, view_web_users=True, view_roles=True, edit_commcare_users=True, view_commcare_users=True, edit_groups=True, view_groups=True, edit_locations=True, view_locations=True, view_reports=False, view_report_list=reports_list ) administrator_role[0].permissions = permissions administrator_role[0].save() else: role = UserRole( domain=domain, permissions=Permissions( view_reports=False, edit_web_users=True, view_web_users=True, view_roles=True, edit_commcare_users=True, view_commcare_users=True, edit_groups=True, view_groups=True, edit_locations=True, view_locations=True, view_report_list=reports_list ), name='Administrator' ) role.save()
def post_user_role(request, domain): if not domain_has_privilege(domain, privileges.ROLE_BASED_ACCESS): return json_response({}) role_data = json.loads(request.raw_post_data) role_data = dict([(p, role_data[p]) for p in set(UserRole.properties().keys() + ['_id', '_rev']) if p in role_data]) role = UserRole.wrap(role_data) role.domain = domain if role.get_id: old_role = UserRole.get(role.get_id) assert(old_role.doc_type == UserRole.__name__) assert(old_role.domain == domain) role.save() return json_response(role)
def post_user_role(request, domain): if not domain_has_privilege(domain, privileges.ROLE_BASED_ACCESS): return json_response({}) role_data = json.loads(request.body) role_data = dict([(p, role_data[p]) for p in set(UserRole.properties().keys() + ["_id", "_rev"]) if p in role_data]) role = UserRole.wrap(role_data) role.domain = domain if role.get_id: old_role = UserRole.get(role.get_id) assert old_role.doc_type == UserRole.__name__ assert old_role.domain == domain role.save() role.__setattr__("hasUsersAssigned", True if len(role.ids_of_assigned_users) > 0 else False) return json_response(role)
def apply(self, domain): if not self.has_migrated_permissions: logging.info("Applying permissions migration to domain %s" % domain.name) from corehq.apps.users.models import UserRole, WebUser UserRole.init_domain_with_presets(domain.name) for web_user in WebUser.by_domain(domain.name): try: web_user.save() except ResourceConflict: # web_user has already been saved by another thread in the last few seconds pass self.has_migrated_permissions = True domain.save()
def restrict_user_by_location(domain, user): role = UserRole( domain=domain, name='Regional Supervisor', permissions=Permissions(edit_commcare_users=True, view_commcare_users=True, edit_groups=True, view_groups=True, edit_locations=True, view_locations=True, access_all_locations=False), ) role.save() user.set_role(domain, role.get_qualified_id()) user.save()
def invite_web_user(request, domain, template="users/invite_web_user.html"): role_choices = UserRole.role_choices(domain) if request.method == "POST": current_users = [user.username for user in WebUser.by_domain(domain)] pending_invites = [di.email for di in DomainInvitation.by_domain(domain)] form = AdminInvitesUserForm(request.POST, excluded_emails= current_users + pending_invites, role_choices=role_choices ) if form.is_valid(): data = form.cleaned_data # create invitation record data["invited_by"] = request.couch_user.user_id data["invited_on"] = datetime.utcnow() data["domain"] = domain invite = DomainInvitation(**data) invite.save() invite.send_activation_email() messages.success(request, "Invitation sent to %s" % invite.email) return HttpResponseRedirect(reverse("web_users", args=[domain])) else: form = AdminInvitesUserForm(role_choices=role_choices) context = _users_context(request, domain) context.update( registration_form=form ) return render(request, template, context)
def orgs_team_members(request, org, team_id, template="orgs/orgs_team_members.html"): class TeamMembersNotification(Notification): doc_type = 'OrgTeamMembersNotification' def template(self): return 'orgs/partials/team_members_notification.html' MainNotification.display_if_needed(messages, request, ctxt={"org": request.organization}) TeamMembersNotification.display_if_needed(messages, request) ctxt = base_context(request, request.organization) ctxt["tab"] = "teams" try: team = Team.get(team_id) except ResourceNotFound: raise Http404("Team %s does not exist" % team_id) team_members = team.get_members() team_members.sort(key=lambda user: user.username) #inspect the domains of the team domain_names = team.get_domains() team_domains = list() for name in domain_names: team_domains.append([Domain.get_by_name(name), team.role_label(domain=name), UserRole.by_domain(name)]) nonmembers = filter(lambda m: m.username not in [tm.username for tm in team_members], ctxt["members"]) nondomains = filter(lambda d: d.name not in [td[0].name for td in team_domains], ctxt["domains"]) ctxt.update(dict(team=team, team_members=team_members, nonmembers=nonmembers, team_domains=team_domains, nondomains=nondomains)) return render(request, template, ctxt)
def __init__(self, *args, **kwargs): self.domain = kwargs.pop('domain') super(CommCareUserFilterForm, self).__init__(*args, **kwargs) roles = UserRole.by_domain(self.domain) self.fields['role_id'].choices = [('', _('All Roles'))] + [ (role._id, role.name or _('(No Name)')) for role in roles] self.helper = FormHelper() self.helper.form_method = 'GET' self.helper.form_id = 'user-filters' self.helper.form_class = 'form-horizontal' self.helper.form_action = reverse('download_commcare_users', args=[self.domain]) self.helper.label_class = 'col-sm-3 col-md-2' self.helper.field_class = 'col-sm-9 col-md-8 col-lg-6' self.helper.form_text_inline = True self.helper.layout = crispy.Layout( crispy.Fieldset( _("Filter and Download Users"), crispy.Field('role_id'), crispy.Field('search_string'), ), hqcrispy.FormActions( twbscrispy.StrictButton( _("Download All Users"), type="submit", css_class="btn btn-primary submit_button", ) ), )
def assertInitialRoles(self): for u in self.user_roles: user_role = UserRole.get(u.get_id) self.assertEqual( user_role.permissions, UserRolePresets.get_permissions(user_role.name) )
def clean_role_id(self): role_id = self.cleaned_data['role_id'] if not role_id: return None if not UserRole.get(role_id).domain == self.domain: raise forms.ValidationError(_("Invalid Role")) return role_id
def create_or_update_users_and_groups(domain, user_specs, group_specs, task=None): from corehq.apps.users.views.mobile.custom_data_fields import UserFieldsView custom_data_validator = UserFieldsView.get_validator(domain) ret = {"errors": [], "rows": []} total = len(user_specs) + len(group_specs) def _set_progress(progress): if task is not None: DownloadBase.set_progress(task, progress, total) group_memoizer = create_or_update_groups(domain, group_specs, log=ret) current = len(group_specs) usernames = set() user_ids = set() allowed_groups = set(group_memoizer.groups) allowed_group_names = [group.name for group in allowed_groups] allowed_roles = UserRole.by_domain(domain) roles_by_name = {role.name: role for role in allowed_roles} can_assign_locations = domain_has_privilege(domain, privileges.LOCATIONS) # ToDo: We need more speccing on what/how locations can be assigned if location-restrictions is enabled # For now, don't support bulk assigning if location-restrictions are enabled can_assign_locations = can_assign_locations and not toggles.RESTRICT_WEB_USERS_BY_LOCATION.enabled( domain) if can_assign_locations: location_cache = SiteCodeToLocationCache(domain) project = Domain.get_by_name(domain) usernames_with_dupe_passwords = users_with_duplicate_passwords(user_specs) try: for row in user_specs: _set_progress(current) current += 1 data = row.get('data') email = row.get('email') group_names = map(unicode, row.get('group') or []) language = row.get('language') name = row.get('name') password = row.get('password') phone_number = row.get('phone-number') uncategorized_data = row.get('uncategorized_data') user_id = row.get('user_id') username = row.get('username') location_codes = row.get('location_code') or [] if location_codes and not isinstance(location_codes, list): location_codes = [location_codes] # ignore empty location_codes = [code for code in location_codes if code] role = row.get('role', '') if password: password = unicode(password) try: username = normalize_username(str(username), domain) except TypeError: username = None except ValidationError: ret['rows'].append({ 'username': username, 'row': row, 'flag': _('username cannot contain spaces or symbols'), }) continue status_row = { 'username': raw_username(username) if username else None, 'row': row, } is_active = row.get('is_active') if isinstance(is_active, basestring): try: is_active = string_to_boolean( is_active) if is_active else None except ValueError: ret['rows'].append({ 'username': username, 'row': row, 'flag': _("'is_active' column can only contain 'true' or 'false'" ), }) continue if username in usernames or user_id in user_ids: status_row['flag'] = 'repeat' elif not username and not user_id: status_row['flag'] = 'missing-data' else: try: if username: usernames.add(username) if user_id: user_ids.add(user_id) if user_id: user = CommCareUser.get_by_user_id(user_id, domain) else: user = CommCareUser.get_by_username(username) if project.strong_mobile_passwords and is_password( password): if raw_username( username) in usernames_with_dupe_passwords: raise UserUploadError( _("Provide a unique password for each mobile worker" )) try: clean_password(password) except forms.ValidationError: if settings.ENABLE_DRACONIAN_SECURITY_FEATURES: msg = _( "Mobile Worker passwords must be 8 " "characters long with at least 1 capital " "letter, 1 special character and 1 number") else: msg = _("Please provide a stronger password") raise UserUploadError(msg) if user: if user.domain != domain: raise UserUploadError( _('User with username %(username)r is ' 'somehow in domain %(domain)r') % { 'username': user.username, 'domain': user.domain }) if username and user.username != username: raise UserUploadError( _('Changing usernames is not supported: %(username)r to %(new_username)r' ) % { 'username': user.username, 'new_username': username }) if is_password(password): user.set_password(password) status_row['flag'] = 'updated' else: max_username_length = get_mobile_worker_max_username_length( domain) if len(raw_username(username)) > max_username_length: ret['rows'].append({ 'username': username, 'row': row, 'flag': _("username cannot contain greater than %d characters" % max_username_length) }) continue if not is_password(password): raise UserUploadError( _("Cannot create a new user with a blank password" )) user = CommCareUser.create(domain, username, password, commit=False) status_row['flag'] = 'created' if phone_number: user.add_phone_number(_fmt_phone(phone_number), default=True) if name: user.set_full_name(unicode(name)) if data: error = custom_data_validator(data) if error: raise UserUploadError(error) user.user_data.update(data) if uncategorized_data: user.user_data.update(uncategorized_data) if language: user.language = language if email: try: validate_email(email) except ValidationError: raise UserUploadError( _("User has an invalid email address")) user.email = email.lower() if is_active is not None: user.is_active = is_active if can_assign_locations: # Do this here so that we validate the location code before we # save any other information to the user, this way either all of # the user's information is updated, or none of it location_ids = [] for code in location_codes: loc = get_location_from_site_code( code, location_cache) location_ids.append(loc.location_id) if role: if role in roles_by_name: user.set_role( domain, roles_by_name[role].get_qualified_id()) else: raise UserUploadError( _("Role '%s' does not exist") % role) # following blocks require user doc id, so it needs to be saved if new user user.save() if can_assign_locations: locations_updated = set( user.assigned_location_ids) != set(location_ids) primary_location_removed = ( user.location_id and not location_ids or user.location_id not in location_ids) if primary_location_removed: user.unset_location() if locations_updated: user.reset_locations(location_ids) if is_password(password): # Without this line, digest auth doesn't work. # With this line, digest auth works. # Other than that, I'm not sure what's going on user.get_django_user().check_password(password) for group_id in Group.by_user(user, wrap=False): group = group_memoizer.get(group_id) if group.name not in group_names: group.remove_user(user) for group_name in group_names: if group_name not in allowed_group_names: raise UserUploadError( _("Can't add to group '%s' " "(try adding it to your spreadsheet)") % group_name) group_memoizer.by_name(group_name).add_user(user, save=False) except (UserUploadError, CouchUser.Inconsistent) as e: status_row['flag'] = unicode(e) ret["rows"].append(status_row) finally: try: group_memoizer.save_all() except BulkSaveError as e: _error_message = ( "Oops! We were not able to save some of your group changes. " "Please make sure no one else is editing your groups " "and try again.") logging.exception(('BulkSaveError saving groups. ' 'User saw error message "%s". Errors: %s') % (_error_message, e.errors)) ret['errors'].append(_error_message) _set_progress(total) return ret
def setUpClass(cls): super(TestInputStockView, cls).setUpClass() cls.domain = initial_bootstrap(TEST_DOMAIN) db = get_db() if db.doc_exist(DOMAIN_MODULE_KEY): module_config = db.open_doc(DOMAIN_MODULE_KEY) module_map = module_config.get('module_map') if module_map: module_map[TEST_DOMAIN] = 'custom.ewsghana' else: module_config['module_map'][TEST_DOMAIN] = 'custom.ewsghana' else: module_config = db.save_doc({ '_id': DOMAIN_MODULE_KEY, 'module_map': { 'ewsghana-test-input-stock': 'custom.ewsghana' } }) db.save_doc(module_config) cls.setup_subscription(TEST_DOMAIN, SoftwarePlanEdition.ENTERPRISE) test_utils.prepare_commtrack_config(TEST_DOMAIN) test_utils.prepare_custom_fields(TEST_DOMAIN) test_utils.create_or_edit_roles(TEST_DOMAIN) test_utils.create_test_products(TEST_DOMAIN) test_utils.create_test_locations(TEST_DOMAIN) cls.test_facility3 = SQLLocation.objects.get(domain=TEST_DOMAIN, site_code='tsactive') cls.testregion2 = SQLLocation.objects.get(domain=TEST_DOMAIN, site_code='testregion2') cls.rsp = SQLLocation.objects.get(domain=TEST_DOMAIN, site_code='rsp') cls.test_district = SQLLocation.objects.get(domain=TEST_DOMAIN, site_code='testdistrict') cls.username1 = 'ews_user1' cls.password1 = 'dummy' cls.web_user1 = WebUser.create(TEST_DOMAIN, cls.username1, cls.password1) cls.web_user1.eula.signed = True cls.web_user1.save() cls.username2 = 'ews_user2' cls.password2 = 'dummy' cls.web_user2 = WebUser.create(TEST_DOMAIN, cls.username2, cls.password2) cls.web_user2.get_domain_membership( TEST_DOMAIN).location_id = cls.test_facility3.location_id cls.web_user2.eula.signed = True cls.web_user2.save() cls.username3 = 'ews_user3' cls.password3 = 'dummy' cls.web_user3 = WebUser.create(TEST_DOMAIN, cls.username3, cls.password3) cls.web_user3.get_domain_membership( TEST_DOMAIN).location_id = cls.testregion2.location_id cls.web_user3.eula.signed = True cls.web_user3.save() cls.username4 = 'ews_user4' cls.password4 = 'dummy' cls.web_user4 = WebUser.create(TEST_DOMAIN, cls.username4, cls.password4) cls.web_user4.get_domain_membership( TEST_DOMAIN).location_id = cls.rsp.location_id cls.web_user4.eula.signed = True cls.web_user4.save() cls.username5 = 'ews_user5' cls.password5 = 'dummy' cls.web_user5 = WebUser.create(TEST_DOMAIN, cls.username5, cls.password5, first_name='test', last_name='test2') cls.web_user5.set_default_phone_number('1111') cls.web_user5.save() domain_membership = cls.web_user5.get_domain_membership(TEST_DOMAIN) domain_membership.location_id = cls.test_district.location_id domain_membership.role_id = UserRole.get_read_only_role_by_domain( cls.domain.name).get_id cls.web_user5.eula.signed = True cls.web_user5.save() cls.username6 = 'ews_user6' cls.password6 = 'dummy' cls.web_user6 = WebUser.create(TEST_DOMAIN, cls.username6, cls.password6) domain_membership = cls.web_user6.get_domain_membership(TEST_DOMAIN) domain_membership.role_id = UserRole.get_read_only_role_by_domain( cls.domain.name).get_id cls.web_user6.eula.signed = True cls.web_user6.save() cls.admin_username = '******' cls.admin_password = '******' cls.admin = WebUser.create(TEST_DOMAIN, cls.admin_username, cls.admin_password) domain_membership = cls.admin.get_domain_membership(TEST_DOMAIN) domain_membership.role_id = UserRole.by_domain_and_name( cls.domain.name, 'Administrator')[0].get_id cls.admin.eula.signed = True cls.admin.save() EWSExtension.objects.create(user_id=cls.web_user6.get_id, domain=TEST_DOMAIN, location_id=cls.test_facility3.get_id) cls.ad = SQLProduct.objects.get(domain=TEST_DOMAIN, code='ad') cls.al = SQLProduct.objects.get(domain=TEST_DOMAIN, code='al') cls.backend, cls.mapping = setup_default_sms_test_backend() cls.client = Client()
def get_user_roles(domain): def _to_json(role): return _clean_json(role.to_json()) return [_to_json(role) for role in UserRole.by_domain(domain)]
def web_user_sync(self, ews_webuser): username = ews_webuser.email.lower() if not username: try: validate_email(ews_webuser.username) username = ews_webuser.username except ValidationError: return None user = WebUser.get_by_username(username) user_dict = { 'first_name': ews_webuser.first_name, 'last_name': ews_webuser.last_name, 'is_active': ews_webuser.is_active, 'last_login': force_to_datetime(ews_webuser.last_login), 'date_joined': force_to_datetime(ews_webuser.date_joined), 'password_hashed': True, } location_id = None if ews_webuser.location: try: location = SQLLocation.objects.get( domain=self.domain, external_id=ews_webuser.location) location_id = location.location_id except SQLLocation.DoesNotExist: pass if user is None: try: user = WebUser.create(domain=None, username=username, password=ews_webuser.password, email=ews_webuser.email, **user_dict) user.add_domain_membership(self.domain, location_id=location_id) except Exception as e: logging.error(e) else: if self.domain not in user.get_domains(): user.add_domain_membership(self.domain, location_id=location_id) ews_webuser_extension(user, ews_webuser) dm = user.get_domain_membership(self.domain) if dm.location_id != location_id: dm.location_id = location_id if ews_webuser.is_superuser: dm.role_id = UserRole.by_domain_and_name(self.domain, 'Administrator')[0].get_id elif ews_webuser.groups and ews_webuser.groups[ 0].name == 'facility_manager': dm.role_id = UserRole.by_domain_and_name( self.domain, 'Facility manager')[0].get_id else: if ews_webuser.supply_point: supply_point = get_supply_point_case_by_domain_external_id( self.domain, ews_webuser.supply_point) if supply_point: dm.location_id = supply_point.location_id dm.role_id = UserRole.by_domain_and_name( self.domain, 'Web Reporter')[0].get_id else: dm.role_id = UserRole.get_read_only_role_by_domain( self.domain).get_id else: dm.role_id = UserRole.get_read_only_role_by_domain( self.domain).get_id user.save() return user
def request_new_domain(request, form, is_new_user=True): now = datetime.utcnow() current_user = CouchUser.from_django_user(request.user, strict=True) dom_req = RegistrationRequest() if is_new_user: dom_req.request_time = now dom_req.request_ip = get_ip(request) dom_req.activation_guid = uuid.uuid1().hex project_name = form.cleaned_data.get('hr_name') or form.cleaned_data.get( 'project_name') name = name_to_url(project_name, "project") with CriticalSection(['request_domain_name_{}'.format(name)]): name = Domain.generate_name(name) new_domain = Domain(name=name, hr_name=project_name, is_active=False, date_created=datetime.utcnow(), creating_user=current_user.username, secure_submissions=True, use_sql_backend=True, first_domain_for_user=is_new_user) # Avoid projects created by dimagi.com staff members as self started new_domain.internal.self_started = not current_user.is_dimagi if form.cleaned_data.get('domain_timezone'): new_domain.default_timezone = form.cleaned_data['domain_timezone'] if not is_new_user: new_domain.is_active = True # ensure no duplicate domain documents get created on cloudant new_domain.save(**get_safe_write_kwargs()) if not new_domain.name: new_domain.name = new_domain._id new_domain.save() # we need to get the name from the _id dom_req.domain = new_domain.name if not settings.ENTERPRISE_MODE: _setup_subscription(new_domain.name, current_user) UserRole.init_domain_with_presets(new_domain.name) if request.user.is_authenticated: if not current_user: current_user = WebUser() current_user.sync_from_django_user(request.user) current_user.save() current_user.add_domain_membership(new_domain.name, is_admin=True) current_user.save() dom_req.requesting_user_username = request.user.username dom_req.new_user_username = request.user.username elif is_new_user: _soft_assert_registration_issues( f"A new user {request.user.username} was not added to their domain " f"{new_domain.name} during registration") if is_new_user: dom_req.save() if settings.IS_SAAS_ENVIRONMENT: # Load template apps to the user's new domain in parallel from corehq.apps.app_manager.tasks import load_appcues_template_app header = [ load_appcues_template_app.si(new_domain.name, current_user.username, slug) for slug in APPCUES_APP_SLUGS ] callback = send_domain_registration_email.si( request.user.email, dom_req.domain, dom_req.activation_guid, request.user.get_full_name(), request.user.first_name) chord(header)(callback) else: send_domain_registration_email(request.user.email, dom_req.domain, dom_req.activation_guid, request.user.get_full_name(), request.user.first_name) send_new_request_update_email(request.user, get_ip(request), new_domain.name, is_new_user=is_new_user) send_hubspot_form(HUBSPOT_CREATED_NEW_PROJECT_SPACE_FORM_ID, request) return new_domain.name
def get_role(self): return UserRole(domain=test_self.domain, permissions=test_self.permissions)
def update_role(role_doc): role = UserRole.wrap(role_doc) # Currently we just use `edit_commcare_users` for both, so for existing # roles, let's default to that behavior role.permissions.edit_locations = role.permissions.edit_commcare_users return DocUpdate(role.to_json())
class TestRolePermissionsModel(TestCase): domain = "user-role-test" def setUp(self): self.role1 = UserRole(domain=self.domain, name="role1") self.role1.save() self.addCleanup(self.role1.delete) def _test_allow_check_constraint(self, name, allow_all, allowed_items): self.role1.rolepermission_set.set([ RolePermission(permission=name, allow_all=allow_all, allowed_items=allowed_items) ], bulk=False) def test_allow_check_constraint_allow_all_params_none(self): self._test_allow_check_constraint(Permissions.view_reports.name, True, None) def test_allow_check_constraint_allow_all_params_empty(self): self._test_allow_check_constraint(Permissions.view_reports.name, True, []) def test_allow_check_constraint_params_list(self): self._test_allow_check_constraint(Permissions.view_reports.name, False, ['report1']) @atomic def test_allow_check_constraint_fail(self): constraint_name = "users_rolepermission_valid_allow" with self.assertRaisesMessage(IntegrityError, constraint_name): self.role1.rolepermission_set.set([ RolePermission(permission=Permissions.view_reports.name, allow_all=True, allowed_items=['report1']), ], bulk=False) def test_unique_constraint_ok(self): """different roles can have the same permission""" self.role1.rolepermission_set.set([ RolePermission(permission=Permissions.edit_data.name, allow_all=True), ], bulk=False) role2 = UserRole(domain=self.domain, name="role2") role2.save() self.addCleanup(role2.delete) role2.rolepermission_set.set([ RolePermission(permission=Permissions.edit_data.name, allow_all=True), ], bulk=False) @atomic def test_unique_constraint_fail(self): """the same role can not have duplicate permissions""" sql_role = UserRole(domain=self.domain, name="role1") sql_role.save() self.addCleanup(sql_role.delete) constraint_name = "users_rolepermission_role_id_permission_fk_id_bc5f84db_uniq" with self.assertRaisesMessage(IntegrityError, constraint_name): sql_role.rolepermission_set.set([ RolePermission(permission=Permissions.edit_data.name, allow_all=True), RolePermission(permission=Permissions.edit_data.name, allow_all=False), ], bulk=False)
def request_new_domain(request, form, is_new_user=True): now = datetime.utcnow() current_user = CouchUser.from_django_user(request.user) dom_req = RegistrationRequest() if is_new_user: dom_req.request_time = now dom_req.request_ip = get_ip(request) dom_req.activation_guid = uuid.uuid1().hex project_name = form.cleaned_data.get('hr_name') or form.cleaned_data.get('project_name') name = name_to_url(project_name, "project") with CriticalSection(['request_domain_name_{}'.format(name)]): name = Domain.generate_name(name) new_domain = Domain( name=name, hr_name=project_name, is_active=False, date_created=datetime.utcnow(), creating_user=current_user.username, secure_submissions=True, use_sql_backend=True ) if form.cleaned_data.get('domain_timezone'): new_domain.default_timezone = form.cleaned_data['domain_timezone'] if not is_new_user: new_domain.is_active = True # ensure no duplicate domain documents get created on cloudant new_domain.save(**get_safe_write_kwargs()) if not new_domain.name: new_domain.name = new_domain._id new_domain.save() # we need to get the name from the _id if is_new_user: # Only new-user domains are eligible for Advanced trial # domains with no subscription are equivalent to be on free Community plan create_30_day_advanced_trial(new_domain) else: ensure_explicit_community_subscription(new_domain.name, date.today()) UserRole.init_domain_with_presets(new_domain.name) dom_req.domain = new_domain.name if request.user.is_authenticated(): if not current_user: current_user = WebUser() current_user.sync_from_django_user(request.user) current_user.save() current_user.add_domain_membership(new_domain.name, is_admin=True) current_user.save() dom_req.requesting_user_username = request.user.username dom_req.new_user_username = request.user.username if is_new_user: dom_req.save() send_domain_registration_email(request.user.email, dom_req.domain, dom_req.activation_guid, request.user.get_full_name()) send_new_request_update_email(request.user, get_ip(request), new_domain.name, is_new_user=is_new_user) meta = get_meta(request) track_created_new_project_space_on_hubspot.delay(current_user, request.COOKIES, meta) return new_domain.name
def _invalid_user_role(self, request, details): return details.get( 'role') not in UserRole.preset_and_domain_role_names( request.domain)
def _assertInitialRoles(self): for u in self.user_roles: user_role = UserRole.get(u.get_id) self.assertEqual(user_role.permissions, UserRolePresets.get_permissions(user_role.name))
def tearDown(self): for role in UserRole.by_domain(self.linked_domain): role.delete() super(TestUpdateRoles, self).tearDown()
def get_domain_info(domain, upload_domain, user_specs, domain_info_by_domain, upload_user=None, group_memoizer=None, is_web_upload=False): from corehq.apps.users.views.mobile.custom_data_fields import UserFieldsView domain_info = domain_info_by_domain.get(domain) if domain_info: return domain_info if domain == upload_domain: domain_group_memoizer = group_memoizer or GroupMemoizer(domain) else: domain_group_memoizer = GroupMemoizer(domain) domain_group_memoizer.load_all() can_assign_locations = domain_has_privilege(domain, privileges.LOCATIONS) location_cache = None if can_assign_locations: location_cache = SiteCodeToLocationCache(domain) domain_obj = Domain.get_by_name(domain) allowed_group_names = [ group.name for group in domain_group_memoizer.groups ] profiles_by_name = {} domain_user_specs = [ spec for spec in user_specs if spec.get('domain', upload_domain) == domain ] if is_web_upload: roles_by_name = { role[1]: role[0] for role in get_editable_role_choices( domain, upload_user, allow_admin_role=True) } validators = get_user_import_validators( Domain.get_by_name(domain), domain_user_specs, True, allowed_roles=list(roles_by_name), upload_domain=upload_domain, ) else: roles_by_name = { role.name: role for role in UserRole.by_domain(domain) } validators = get_user_import_validators(domain_obj, domain_user_specs, False, allowed_group_names, list(roles_by_name), list(profiles_by_name), upload_domain) definition = CustomDataFieldsDefinition.get(domain, UserFieldsView.field_type) if definition: profiles_by_name = { profile.name: profile for profile in definition.get_profiles() } domain_info = DomainInfo(validators, can_assign_locations, location_cache, roles_by_name, profiles_by_name, domain_group_memoizer) domain_info_by_domain[domain] = domain_info return domain_info
def create_or_update_users_and_groups(domain, user_specs, group_memoizer=None, update_progress=None): ret = {"errors": [], "rows": []} group_memoizer = group_memoizer or GroupMemoizer(domain) group_memoizer.load_all() current = 0 can_assign_locations = domain_has_privilege(domain, privileges.LOCATIONS) if can_assign_locations: location_cache = SiteCodeToLocationCache(domain) domain_obj = Domain.get_by_name(domain) allowed_group_names = [group.name for group in group_memoizer.groups] roles_by_name = {role.name: role for role in UserRole.by_domain(domain)} validators = get_user_import_validators(domain_obj, user_specs, allowed_group_names, list(roles_by_name)) try: for row in user_specs: if update_progress: update_progress(current) current += 1 username = row.get('username') status_row = { 'username': username, 'row': row, } try: for validator in validators: validator(row) except UserUploadError as e: status_row['flag'] = str(e) ret['rows'].append(status_row) continue data = row.get('data') email = row.get('email') group_names = list(map(str, row.get('group') or [])) language = row.get('language') name = row.get('name') password = row.get('password') phone_number = row.get('phone-number') uncategorized_data = row.get('uncategorized_data') user_id = row.get('user_id') location_codes = row.get('location_code') or [] if location_codes and not isinstance(location_codes, list): location_codes = [location_codes] # ignore empty location_codes = [code for code in location_codes if code] role = row.get('role', '') try: username = normalize_username(str(username), domain) if username else None password = str(password) if password else None is_active = row.get('is_active') or None if is_active and isinstance(is_active, str): is_active = string_to_boolean(is_active) if user_id: user = CommCareUser.get_by_user_id(user_id, domain) if not user: raise UserUploadError( _("User with ID '{user_id}' not found").format( user_id=user_id, domain=domain)) if username and user.username != username: raise UserUploadError( _('Changing usernames is not supported: %(username)r to %(new_username)r' ) % { 'username': user.username, 'new_username': username }) if is_password(password): user.set_password(password) status_row['flag'] = 'updated' else: user = CommCareUser.create(domain, username, password, commit=False) status_row['flag'] = 'created' if phone_number: user.add_phone_number(_fmt_phone(phone_number), default=True) if name: user.set_full_name(str(name)) if data: user.user_data.update(data) if uncategorized_data: user.user_data.update(uncategorized_data) if language: user.language = language if email: user.email = email.lower() if is_active is not None: user.is_active = is_active if can_assign_locations: # Do this here so that we validate the location code before we # save any other information to the user, this way either all of # the user's information is updated, or none of it location_ids = [] for code in location_codes: loc = get_location_from_site_code(code, location_cache) location_ids.append(loc.location_id) locations_updated = set( user.assigned_location_ids) != set(location_ids) primary_location_removed = ( user.location_id and not location_ids or user.location_id not in location_ids) if primary_location_removed: user.unset_location(commit=False) if locations_updated: user.reset_locations(location_ids, commit=False) if role: user.set_role(domain, roles_by_name[role].get_qualified_id()) user.save() if is_password(password): # Without this line, digest auth doesn't work. # With this line, digest auth works. # Other than that, I'm not sure what's going on # Passing use_primary_db=True because of https://dimagi-dev.atlassian.net/browse/ICDS-465 user.get_django_user( use_primary_db=True).check_password(password) for group in group_memoizer.by_user_id(user.user_id): if group.name not in group_names: group.remove_user(user) for group_name in group_names: group_memoizer.by_name(group_name).add_user(user, save=False) except (UserUploadError, CouchUser.Inconsistent) as e: status_row['flag'] = str(e) ret["rows"].append(status_row) finally: try: group_memoizer.save_all() except BulkSaveError as e: _error_message = ( "Oops! We were not able to save some of your group changes. " "Please make sure no one else is editing your groups " "and try again.") logging.exception(('BulkSaveError saving groups. ' 'User saw error message "%s". Errors: %s') % (_error_message, e.errors)) ret['errors'].append(_error_message) return ret
def setUp(self): self.role1 = UserRole(domain=self.domain, name="role1") self.role1.save() self.addCleanup(self.role1.delete)
def request_new_domain(request, form, is_new_user=True): now = datetime.utcnow() current_user = CouchUser.from_django_user(request.user, strict=True) dom_req = RegistrationRequest() if is_new_user: dom_req.request_time = now dom_req.request_ip = get_ip(request) dom_req.activation_guid = uuid.uuid1().hex project_name = form.cleaned_data.get('hr_name') or form.cleaned_data.get( 'project_name') name = name_to_url(project_name, "project") with CriticalSection(['request_domain_name_{}'.format(name)]): name = Domain.generate_name(name) new_domain = Domain(name=name, hr_name=project_name, is_active=False, date_created=datetime.utcnow(), creating_user=current_user.username, secure_submissions=True, use_sql_backend=True, first_domain_for_user=is_new_user) # Avoid projects created by dimagi.com staff members as self started new_domain.internal.self_started = not current_user.is_dimagi if form.cleaned_data.get('domain_timezone'): new_domain.default_timezone = form.cleaned_data['domain_timezone'] if not is_new_user: new_domain.is_active = True # ensure no duplicate domain documents get created on cloudant new_domain.save(**get_safe_write_kwargs()) if not new_domain.name: new_domain.name = new_domain._id new_domain.save() # we need to get the name from the _id with transaction.atomic(): if is_new_user: # Only new-user domains are eligible for Advanced trial # domains with no subscription are equivalent to be on free Community plan create_30_day_advanced_trial(new_domain, current_user.username) else: ensure_explicit_community_subscription( new_domain.name, date.today(), SubscriptionAdjustmentMethod.USER, web_user=current_user.username, ) UserRole.init_domain_with_presets(new_domain.name) # add user's email as contact email for billing account for the domain account = BillingAccount.get_account_by_domain(new_domain.name) billing_contact, _ = BillingContactInfo.objects.get_or_create( account=account) billing_contact.email_list = [current_user.email] billing_contact.save() dom_req.domain = new_domain.name if request.user.is_authenticated: if not current_user: current_user = WebUser() current_user.sync_from_django_user(request.user) current_user.save() current_user.add_domain_membership(new_domain.name, is_admin=True) current_user.save() dom_req.requesting_user_username = request.user.username dom_req.new_user_username = request.user.username if is_new_user: dom_req.save() if settings.IS_SAAS_ENVIRONMENT: # Load template apps to the user's new domain in parallel from corehq.apps.app_manager.tasks import load_appcues_template_app header = [ load_appcues_template_app.si(new_domain.name, current_user.username, slug) for slug in APPCUES_APP_SLUGS ] callback = send_domain_registration_email.si( request.user.email, dom_req.domain, dom_req.activation_guid, request.user.get_full_name(), request.user.first_name) chord(header)(callback) else: send_domain_registration_email(request.user.email, dom_req.domain, dom_req.activation_guid, request.user.get_full_name(), request.user.first_name) send_new_request_update_email(request.user, get_ip(request), new_domain.name, is_new_user=is_new_user) send_hubspot_form(HUBSPOT_CREATED_NEW_PROJECT_SPACE_FORM_ID, request) return new_domain.name
def handle(self, **options): for domain_obj in Domain.get_all(): UserRole.get_or_create_with_permissions( domain_obj.name, UserRolePresets.get_permissions(UserRolePresets.BILLING_ADMIN), UserRolePresets.BILLING_ADMIN)
def setUpClass(cls): super(TestMprAsrLocationFilter, cls).setUpClass() cls.domain = create_domain('icds-location-test') domain_name = cls.domain.name cls.domain_name = domain_name location_types = [ 'state', 'district', 'block', 'supervisor', 'awc' ] previous_parent = None for location_type in location_types: previous_parent = LocationType.objects.create( domain=domain_name, name=location_type, parent_type=previous_parent ) cls.state = SQLLocation.objects.create( name='Test State', domain=domain_name, location_type=LocationType.objects.get(domain=domain_name, name='state') ) cls.state2 = SQLLocation.objects.create( name='Test State2', domain=domain_name, location_type=LocationType.objects.get(domain=domain_name, name='state') ) cls.district = SQLLocation.objects.create( name='Test District', domain=domain_name, location_type=LocationType.objects.get(domain=domain_name, name='district'), parent=cls.state, ) cls.block = SQLLocation.objects.create( name='Test Block', domain=domain_name, location_type=LocationType.objects.get(domain=domain_name, name='block'), parent=cls.district ) cls.supervisor = SQLLocation.objects.create( name='Test Supervisor', domain=domain_name, location_type=LocationType.objects.get(domain=domain_name, name='supervisor'), parent=cls.block ) cls.awc = SQLLocation.objects.create( name='Test AWC', domain=domain_name, location_type=LocationType.objects.get(domain=domain_name, name='awc'), parent=cls.supervisor ) cls.role = UserRole(domain=domain_name, name='demo', permissions=Permissions(access_all_locations=False)) cls.role.save() cls.mobile_user = CommCareUser.create(domain_name, 'test_user', 'test_password', None, None) cls.mobile_user.set_location(cls.block) cls.mobile_user.set_role(domain_name, cls.role.get_qualified_id()) cls.mobile_user.save() cls.national_user = CommCareUser.create(domain_name, 'test_user_national', 'test_password', None, None) cls.national_user.save()
def update_all_roles(): all_role_ids = get_doc_ids_by_class(UserRole) iter_update(UserRole.get_db(), update_role, with_progress_bar(all_role_ids), verbose=True)
def num_location_restricted_roles(domain): roles = [r for r in UserRole.by_domain(domain) if not r.permissions.access_all_locations] return len(roles)
def num_custom_roles(domain): custom_roles = [r for r in UserRole.get_custom_roles_by_domain(domain) if not r.is_archived] return len(custom_roles)
def setUpClass(cls): cls.domain = initial_bootstrap(TEST_DOMAIN) db = get_db() if db.doc_exist(DOMAIN_MODULE_KEY): module_config = db.open_doc(DOMAIN_MODULE_KEY) module_map = module_config.get('module_map') if module_map: module_map[TEST_DOMAIN] = 'custom.ewsghana' else: module_config['module_map'][TEST_DOMAIN] = 'custom.ewsghana' else: module_config = db.save_doc({ '_id': DOMAIN_MODULE_KEY, 'module_map': { 'ewsghana-test-input-stock': 'custom.ewsghana' } }) db.save_doc(module_config) generator.instantiate_accounting_for_tests() account = BillingAccount.get_or_create_account_by_domain( cls.domain.name, created_by="automated-test", )[0] plan = DefaultProductPlan.get_default_plan_by_domain( cls.domain, edition=SoftwarePlanEdition.ENTERPRISE) subscription = Subscription.new_domain_subscription( account, cls.domain.name, plan) subscription.is_active = True subscription.save() cls.endpoint = MockEndpoint('http://test-api.com/', 'dummy', 'dummy') cls.api_object = EWSApi(TEST_DOMAIN, cls.endpoint) cls.api_object.prepare_commtrack_config() cls.api_object.prepare_custom_fields() cls.datapath = os.path.join(os.path.dirname(__file__), 'data') with open(os.path.join(cls.datapath, 'sample_products.json')) as f: for p in json.loads(f.read()): cls.api_object.product_sync(Product(p)) with open(os.path.join(cls.datapath, 'sample_locations.json')) as f: for loc in json.loads(f.read()): cls.api_object.location_sync(Location(loc)) cls.test_facility3 = SQLLocation.objects.get(domain=TEST_DOMAIN, site_code='tsactive') cls.testregion2 = SQLLocation.objects.get(domain=TEST_DOMAIN, site_code='testregion2') cls.rsp = SQLLocation.objects.get(domain=TEST_DOMAIN, site_code='rsp') cls.test_district = SQLLocation.objects.get(domain=TEST_DOMAIN, site_code='testdistrict') cls.username1 = 'ews_user1' cls.password1 = 'dummy' cls.web_user1 = WebUser.create(TEST_DOMAIN, cls.username1, cls.password1) cls.web_user1.eula.signed = True cls.web_user1.save() cls.username2 = 'ews_user2' cls.password2 = 'dummy' cls.web_user2 = WebUser.create(TEST_DOMAIN, cls.username2, cls.password2) cls.web_user2.get_domain_membership( TEST_DOMAIN).location_id = cls.test_facility3.location_id cls.web_user2.eula.signed = True cls.web_user2.save() cls.username3 = 'ews_user3' cls.password3 = 'dummy' cls.web_user3 = WebUser.create(TEST_DOMAIN, cls.username3, cls.password3) cls.web_user3.get_domain_membership( TEST_DOMAIN).location_id = cls.testregion2.location_id cls.web_user3.eula.signed = True cls.web_user3.save() cls.username4 = 'ews_user4' cls.password4 = 'dummy' cls.web_user4 = WebUser.create(TEST_DOMAIN, cls.username4, cls.password4) cls.web_user4.get_domain_membership( TEST_DOMAIN).location_id = cls.rsp.location_id cls.web_user4.eula.signed = True cls.web_user4.save() cls.username5 = 'ews_user5' cls.password5 = 'dummy' cls.web_user5 = WebUser.create(TEST_DOMAIN, cls.username5, cls.password5) domain_membership = cls.web_user5.get_domain_membership(TEST_DOMAIN) domain_membership.location_id = cls.test_district.location_id domain_membership.role_id = UserRole.get_read_only_role_by_domain( cls.domain.name).get_id cls.web_user5.eula.signed = True cls.web_user5.save() cls.ad = SQLProduct.objects.get(domain=TEST_DOMAIN, code='ad') cls.al = SQLProduct.objects.get(domain=TEST_DOMAIN, code='al') cls.client = Client()
def main_context(self): contacts = CommCareUser.by_domain(self.domain, reduce=True) web_users = WebUser.by_domain(self.domain) web_users_admins = web_users_read_only = 0 facilities = SQLLocation.objects.filter( domain=self.domain, location_type__name__iexact='FACILITY') admin_role_list = UserRole.by_domain_and_name(self.domain, 'Administrator') if admin_role_list: admin_role = admin_role_list[0] else: admin_role = None for web_user in web_users: dm = web_user.get_domain_membership(self.domain) if admin_role and dm.role_id == admin_role.get_id: web_users_admins += 1 else: web_users_read_only += 1 main_context = super(GlobalStats, self).main_context entities_reported_stock = SQLLocation.objects.filter( domain=self.domain, location_type__administrative=False).count() context = { 'root_name': self.root_name, 'country': SQLLocation.objects.filter( domain=self.domain, location_type__name__iexact=self.root_name).count(), 'region': SQLLocation.objects.filter( domain=self.domain, location_type__name__iexact='region').count(), 'district': SQLLocation.objects.filter( domain=self.domain, location_type__name__iexact='district').count(), 'entities_reported_stock': entities_reported_stock, 'facilities': len(facilities), 'contacts': contacts[0]['value'] if contacts else 0, 'web_users': len(web_users), 'web_users_admins': web_users_admins, 'web_users_read_only': web_users_read_only, 'products': SQLProduct.objects.filter(domain=self.domain, is_archived=False).count(), 'product_stocks': StockState.objects.filter(sql_product__domain=self.domain).count(), 'stock_transactions': StockTransaction.objects.filter( report__domain=self.domain).count(), 'inbound_messages': SMS.count_by_domain(self.domain, direction=INCOMING), 'outbound_messages': SMS.count_by_domain(self.domain, direction=OUTGOING), } if self.show_supply_point_types: counts = SQLLocation.objects.values('location_type__name').filter( domain=self.domain).annotate( Count('location_type')).order_by('location_type__name') context['location_types'] = counts main_context.update(context) return main_context
def _handle_user_form(request, domain, couch_user=None): context = {} if couch_user: create_user = False else: create_user = True can_change_admin_status = ( (request.user.is_superuser or request.couch_user.can_edit_web_users(domain=domain)) and request.couch_user.user_id != couch_user.user_id) if couch_user.is_commcare_user(): role_choices = UserRole.commcareuser_role_choices(domain) else: role_choices = UserRole.role_choices(domain) results = get_db().view('languages/list', startkey=[domain], endkey=[domain, {}], group='true').all() language_choices = [] if results: for result in results: lang_code = result['key'][1] label = result['key'][1] long_form = langcodes.get_name(lang_code) if long_form: label += " (" + langcodes.get_name(lang_code) + ")" language_choices.append((lang_code, label)) else: language_choices = langcodes.get_all_langs_for_select() if request.method == "POST" and request.POST['form_type'] == "basic-info": if couch_user.is_commcare_user(): form = UserForm(request.POST, role_choices=role_choices, language_choices=language_choices) else: form = WebUserForm(request.POST, role_choices=role_choices, language_choices=language_choices) if form.is_valid(): if create_user: django_user = User() django_user.username = form.cleaned_data['email'] django_user.save() couch_user = CouchUser.from_django_user(django_user) if couch_user.is_current_web_user( request) or couch_user.is_commcare_user(): couch_user.first_name = form.cleaned_data['first_name'] couch_user.last_name = form.cleaned_data['last_name'] couch_user.email = form.cleaned_data['email'] if not couch_user.is_commcare_user(): couch_user.email_opt_in = form.cleaned_data['email_opt_in'] couch_user.language = form.cleaned_data['language'] if can_change_admin_status: role = form.cleaned_data['role'] if role: couch_user.set_role(domain, role) couch_user.save() if request.couch_user.get_id == couch_user.get_id and couch_user.language: # update local language in the session request.session['django_language'] = couch_user.language messages.success( request, 'Changes saved for user "%s"' % couch_user.username) else: form = UserForm(role_choices=role_choices, language_choices=language_choices) if couch_user.is_commcare_user(): form = UserForm(role_choices=role_choices, language_choices=language_choices) else: form = WebUserForm(role_choices=role_choices, language_choices=language_choices) if not create_user: form.initial['first_name'] = couch_user.first_name form.initial['last_name'] = couch_user.last_name form.initial['email'] = couch_user.email form.initial['email_opt_in'] = couch_user.email_opt_in form.initial['language'] = couch_user.language if can_change_admin_status: if couch_user.is_commcare_user(): role = couch_user.get_role(domain) if role is None: initial = "none" else: initial = role.get_qualified_id() form.initial['role'] = initial else: form.initial['role'] = couch_user.get_role( domain, include_teams=False).get_qualified_id() or '' if not can_change_admin_status: del form.fields['role'] context.update({ "form": form, "current_users_page": couch_user.is_current_web_user(request) }) return context
def user_role_choices(self): return UserRole.role_choices(self.domain)
def setUpClass(cls): super(AllCommCareUsersTest, cls).setUpClass() delete_all_users() hard_delete_deleted_users() cls.ccdomain = Domain(name='cc_user_domain') cls.ccdomain.save() cls.other_domain = Domain(name='other_domain') cls.other_domain.save() bootstrap_location_types(cls.ccdomain.name) UserRole.init_domain_with_presets(cls.ccdomain.name) cls.user_roles = UserRole.by_domain(cls.ccdomain.name) cls.custom_role = UserRole.get_or_create_with_permissions( cls.ccdomain.name, Permissions( edit_apps=True, edit_web_users=True, view_web_users=True, view_roles=True, ), "Custom Role") cls.custom_role.save() cls.loc1 = make_loc('spain', domain=cls.ccdomain.name, type="district") cls.loc2 = make_loc('madagascar', domain=cls.ccdomain.name, type="district") cls.ccuser_1 = CommCareUser.create( domain=cls.ccdomain.name, username='******', password='******', created_by=None, created_via=None, email='*****@*****.**', ) cls.ccuser_1.set_location(cls.loc1) cls.ccuser_1.save() cls.ccuser_2 = CommCareUser.create( domain=cls.ccdomain.name, username='******', password='******', created_by=None, created_via=None, email='*****@*****.**', ) cls.ccuser_2.set_role(cls.ccdomain.name, cls.custom_role.get_qualified_id()) cls.ccuser_2.set_location(cls.loc2) cls.ccuser_2.save() cls.web_user = WebUser.create( domain=cls.ccdomain.name, username='******', password='******', created_by=None, created_via=None, email='*****@*****.**', ) cls.ccuser_other_domain = CommCareUser.create( domain=cls.other_domain.name, username='******', password='******', created_by=None, created_via=None, email='*****@*****.**', ) cls.retired_user = CommCareUser.create( domain=cls.ccdomain.name, username='******', password='******', created_by=None, created_via=None, email='*****@*****.**', ) cls.retired_user.retire()
def user_role_choices(self): return UserRole.commcareuser_role_choices(self.domain)
def initialize_domain_with_default_roles(domain): """Outside of tests this is only called when creating a new domain""" for role_name in UserRolePresets.INITIAL_ROLES: UserRole.create(domain, role_name, permissions=UserRolePresets.get_permissions(role_name))
include_docs=True, wrapper=wrap_user, ).all() role_ids = set([]) for user in filter(lambda u: u is not None, users): # if we use bulk save, django user doesn't get sync'd domain_membership = user.get_domain_membership(domain.name) if domain_membership and domain_membership.role_id: role_ids.add(user.domain_membership.role_id) user.save(force_update=True) print 'copying %s roles' % len(role_ids) for i, subset in enumerate(chunked(role_ids, CHUNK_SIZE)): roles = [ UserRole.wrap(role['doc']) for role in sourcedb.all_docs( keys=list(subset), include_docs=True, ) ] self.lenient_bulk_save(UserRole, roles) if options['include_sync_logs']: print 'copying sync logs' for user_id in user_ids: log_ids = [ res['id'] for res in sourcedb.view("phone/sync_logs_by_user", startkey=[user_id, {}], endkey=[user_id], descending=True,
def setUpTestData(cls): cls.role = UserRole( domain=cls.domain, name="role1", ) cls.role.save()