def test_contextual_user_permission(self):
# should be applicable for across all doctypes
add_user_permission('Blogger', '_Test Blogger', '*****@*****.**')
# should be applicable only while accessing Blog Post
add_user_permission('Blogger',
'_Test Blogger 1',
'*****@*****.**',
applicable_for='Blog Post')
# should be applicable only while accessing User
add_user_permission('Blogger',
'_Test Blogger 2',
'*****@*****.**',
applicable_for='User')
posts = dataent.get_all('Blog Post', fields=['name', 'blogger'])
# Get all posts for admin
self.assertEqual(len(posts), 4)
dataent.set_user('*****@*****.**')
posts = dataent.get_list('Blog Post', fields=['name', 'blogger'])
# Should get only posts with allowed blogger via user permission
# only '_Test Blogger', '_Test Blogger 1' are allowed in Blog Post
self.assertEqual(len(posts), 3)
for post in posts:
self.assertIn(
post.blogger, ['_Test Blogger', '_Test Blogger 1'],
'A post from {} is not expected.'.format(post.blogger))
def test_employee_salary_slip_read_permission(self):
make_employee("*****@*****.**")
salary_slip_test_employee = make_employee_salary_slip(
"*****@*****.**", "Monthly")
dataent.set_user("*****@*****.**")
self.assertTrue(salary_slip_test_employee.has_permission("read"))
def send(self):
# send email only to enabled users
valid_users = [
p[0] for p in dataent.db.sql("""select name from `tabUser`
where enabled=1""")
]
recipients = list(
filter(lambda r: r in valid_users,
self.recipient_list.split("\n")))
original_user = dataent.session.user
if recipients:
for user_id in recipients:
dataent.set_user(user_id)
dataent.set_user_lang(user_id)
msg_for_this_recipient = self.get_msg_html()
if msg_for_this_recipient:
dataent.sendmail(recipients=user_id,
subject=_("{0} Digest").format(
self.frequency),
message=msg_for_this_recipient,
reference_doctype=self.doctype,
reference_name=self.name,
unsubscribe_message=_(
"Unsubscribe from this Email Digest"))
dataent.set_user(original_user)
dataent.set_user_lang(original_user)
def validate_oauth():
from dataent.oauth import get_url_delimiter
form_dict = dataent.local.form_dict
authorization_header = dataent.get_request_header("Authorization").split(
" ") if dataent.get_request_header("Authorization") else None
if authorization_header and authorization_header[0].lower() == "bearer":
from dataent.integrations.oauth2 import get_oauth_server
token = authorization_header[1]
r = dataent.request
parsed_url = urlparse(r.url)
access_token = {"access_token": token}
uri = parsed_url.scheme + "://" + parsed_url.netloc + parsed_url.path + "?" + urlencode(
access_token)
http_method = r.method
body = r.get_data()
headers = r.headers
required_scopes = dataent.db.get_value(
"OAuth Bearer Token", token, "scopes").split(get_url_delimiter())
valid, oauthlib_request = get_oauth_server().verify_request(
uri, http_method, body, headers, required_scopes)
if valid:
dataent.set_user(
dataent.db.get_value("OAuth Bearer Token", token, "user"))
dataent.local.form_dict = form_dict
def test_alert_disabled_on_wrong_field(self):
dataent.set_user('Administrator')
notification = dataent.get_doc({
"doctype":
"Notification",
"subject":
"_Test Notification for wrong field",
"document_type":
"Event",
"event":
"Value Change",
"attach_print":
0,
"value_changed":
"description1",
"message":
"Description changed",
"recipients": [{
"email_by_document_field": "owner"
}]
}).insert()
event = dataent.new_doc("Event")
event.subject = "test-2",
event.event_type = "Private"
event.starts_on = "2014-06-06 12:00:00"
event.insert()
event.subject = "test 1"
event.save()
# verify that notification is disabled
notification.reload()
self.assertEqual(notification.enabled, 0)
notification.delete()
event.delete()
def test_overlap_with_half_day_3(self):
self._clear_roles()
self._clear_applications()
from dataent.utils.user import add_role
add_role("*****@*****.**", "Employee")
dataent.set_user("*****@*****.**")
make_allocation_record()
# leave from 1-5, half day on 5th
application = self.get_application(_test_records[0])
application.half_day = 1
application.half_day_date = "2013-01-05"
application.insert()
# Apply leave from 4-7, half day on 5th
application = self.get_application(_test_records[0])
application.from_date = "2013-01-04"
application.to_date = "2013-01-07"
application.half_day = 1
application.half_day_date = "2013-01-05"
self.assertRaises(OverlapError, application.insert)
# Apply leave from 5-7, half day on 5th
application = self.get_application(_test_records[0])
application.from_date = "2013-01-05"
application.to_date = "2013-01-07"
application.half_day = 1
application.half_day_date = "2013-01-05"
application.insert()
def test_build_match_conditions(self):
clear_user_permissions_for_doctype('Blog Post', '*****@*****.**')
test2user = dataent.get_doc('User', '*****@*****.**')
test2user.add_roles('Blogger')
dataent.set_user('*****@*****.**')
# this will get match conditions for Blog Post
build_match_conditions = DatabaseQuery(
'Blog Post').build_match_conditions
# Before any user permission is applied
# get as filters
self.assertEqual(build_match_conditions(as_condition=False), [])
# get as conditions
self.assertEqual(build_match_conditions(as_condition=True), "")
add_user_permission('Blog Post', '-test-blog-post',
'*****@*****.**', True)
add_user_permission('Blog Post', '-test-blog-post-1',
'*****@*****.**', True)
# After applying user permission
# get as filters
self.assertTrue(
{'Blog Post': ['-test-blog-post-1', '-test-blog-post']
} in build_match_conditions(as_condition=False))
# get as conditions
self.assertEqual(
build_match_conditions(as_condition=True),
"""(((ifnull(`tabBlog Post`.`name`, "")="" or `tabBlog Post`.`name` in ("-test-blog-post-1", "-test-blog-post"))))"""
)
dataent.set_user('Administrator')
def tearDown(self):
dataent.set_user("Administrator")
dataent.db.set_value("Blogger", "_Test Blogger 1", "user", None)
clear_user_permissions_for_doctype("Blog Category")
clear_user_permissions_for_doctype("Blog Post")
clear_user_permissions_for_doctype("Blogger")
def test_not_allowed_to_remove_user_permissions(self):
self.test_set_user_permissions()
dataent.set_user("*****@*****.**")
# user cannot remove their own user permissions
self.assertRaises(dataent.PermissionError, remove_user_permission,
"Blog Post", "-test-blog-post", "*****@*****.**")
def test_newsletter_context(self):
context = dataent._dict()
newsletter_name = self.send_newsletter(1)
dataent.set_user("*****@*****.**")
doc = dataent.get_doc("Newsletter", newsletter_name)
doc.get_context(context)
self.assertEqual(context.no_cache, 1)
self.assertTrue("attachments" not in list(context))
def test_get_applicable_block_dates_for_allowed_user(self):
dataent.set_user("*****@*****.**")
dataent.db.set_value("Department", "_Test Department 1 - _TC",
"leave_block_list", "_Test Leave Block List")
self.assertEqual([], [
d.block_date
for d in get_applicable_block_dates("2013-01-01", "2013-01-03")
])
def set_as_paid(self):
if dataent.session.user == "Guest":
dataent.set_user("Administrator")
payment_entry = self.create_payment_entry()
self.make_invoice()
return payment_entry
def test_allowed_private_if_in_event_user(self):
name = dataent.db.get_value("Event", {"subject": "_Test Event 3"})
dataent.share.add("Event", name, self.test_user, "read")
dataent.set_user(self.test_user)
doc = dataent.get_doc("Event", name)
self.assertTrue(dataent.has_permission("Event", doc=doc))
dataent.set_user("Administrator")
dataent.share.remove("Event", name, self.test_user)
def work():
dataent.set_user(dataent.db.get_global('demo_manufacturing_user'))
make_purchase_receipt()
make_delivery_note()
make_stock_reconciliation()
submit_draft_stock_entries()
make_sales_return_records()
make_purchase_return_records()
def test_get_applicable_block_dates_all_lists(self):
dataent.set_user("*****@*****.**")
dataent.db.set_value("Department", "_Test Department 1 - _TC",
"leave_block_list", "_Test Leave Block List")
self.assertTrue(
getdate("2013-01-02") in [
d.block_date for d in get_applicable_block_dates(
"2013-01-01", "2013-01-03", all_lists=True)
])
def test_ignore_permissions_for_get_filters_cond(self):
dataent.set_user('*****@*****.**')
self.assertRaises(dataent.PermissionError, get_filters_cond, 'DocType',
dict(istable=1), [])
self.assertTrue(
get_filters_cond('DocType',
dict(istable=1), [],
ignore_permissions=True))
dataent.set_user('Administrator')
def setUp(self):
dataent.set_user("Administrator")
dataent.db.sql('delete from `tabEmail Group Member`')
for email in emails:
dataent.get_doc({
"doctype": "Email Group Member",
"email": email,
"email_group": "_Test Email Group"
}).insert()
def test_globally_hidden_desktop_icon(self):
set_hidden_list(["Desk"])
icon = self.get_icon('Desk')
self.assertEqual(icon.hidden, 1)
dataent.set_user('*****@*****.**')
icon = self.get_icon('Desk')
self.assertEqual(icon.hidden, 1)
def test_pos_closing_voucher(self):
old_user = dataent.session.user
user = '******'
test_user = dataent.get_doc('User', user)
roles = ("Accounts Manager", "Accounts User", "Sales Manager")
test_user.add_roles(*roles)
dataent.set_user(user)
pos_profile = make_pos_profile()
pos_profile.append('applicable_for_users', {
'default': 1,
'user': user
})
pos_profile.save()
si1 = create_sales_invoice(is_pos=1, rate=3500, do_not_submit=1)
si1.append('payments', {
'mode_of_payment': 'Cash',
'account': 'Cash - _TC',
'amount': 3500
})
si1.submit()
si2 = create_sales_invoice(is_pos=1, rate=3200, do_not_submit=1)
si2.append('payments', {
'mode_of_payment': 'Cash',
'account': 'Cash - _TC',
'amount': 3200
})
si2.submit()
pcv_doc = create_pos_closing_voucher(user=user,
pos_profile=pos_profile.name,
collected_amount=6700)
pcv_doc.get_closing_voucher_details()
self.assertEqual(pcv_doc.total_quantity, 2)
self.assertEqual(pcv_doc.net_total, 6700)
payment = pcv_doc.payment_reconciliation[0]
self.assertEqual(payment.mode_of_payment, 'Cash')
si1.load_from_db()
si1.cancel()
si2.load_from_db()
si2.cancel()
test_user.load_from_db()
test_user.remove_roles(*roles)
dataent.set_user(old_user)
dataent.db.sql("delete from `tabPOS Profile`")
def work():
dataent.set_user(dataent.db.get_global('demo_education_user'))
for d in range(20):
approve_random_student_applicant()
enroll_random_student(dataent.flags.current_date)
# if dataent.flags.current_date.weekday()== 0:
# make_course_schedule(dataent.flags.current_date, dataent.utils.add_days(dataent.flags.current_date, 5))
mark_student_attendance(dataent.flags.current_date)
# make_assessment_plan()
make_fees()
def validate_api_key_secret(api_key, api_secret):
user = dataent.db.get_value(doctype="User",
filters={"api_key": api_key},
fieldname=['name'])
form_dict = dataent.local.form_dict
user_secret = dataent.utils.password.get_decrypted_password(
"User", user, fieldname='api_secret')
if api_secret == user_secret:
dataent.set_user(user)
dataent.local.form_dict = form_dict
def test_event_list(self):
dataent.set_user(self.test_user)
res = dataent.get_list(
"Event",
filters=[["Event", "subject", "like", "_Test Event%"]],
fields=["name", "subject"])
self.assertEqual(len(res), 1)
subjects = [r.subject for r in res]
self.assertTrue("_Test Event 1" in subjects)
self.assertFalse("_Test Event 3" in subjects)
self.assertFalse("_Test Event 2" in subjects)
def work():
dataent.set_user(dataent.db.get_global('demo_accounts_user'))
if random.random() <= 0.6:
report = "Ordered Items to be Billed"
for so in list(set([r[0] for r in query_report.run(report)["result"]
if r[0]!="Total"]))[:random.randint(1, 5)]:
try:
si = dataent.get_doc(make_sales_invoice(so))
si.posting_date = dataent.flags.current_date
for d in si.get("items"):
if not d.income_account:
d.income_account = "Sales - {}".format(dataent.get_cached_value('Company', si.company, 'abbr'))
si.insert()
si.submit()
dataent.db.commit()
except dataent.ValidationError:
pass
if random.random() <= 0.6:
report = "Received Items to be Billed"
for pr in list(set([r[0] for r in query_report.run(report)["result"]
if r[0]!="Total"]))[:random.randint(1, 5)]:
try:
pi = dataent.get_doc(make_purchase_invoice(pr))
pi.posting_date = dataent.flags.current_date
pi.bill_no = random_string(6)
pi.insert()
pi.submit()
dataent.db.commit()
except dataent.ValidationError:
pass
if random.random() < 0.5:
make_payment_entries("Sales Invoice", "Accounts Receivable")
if random.random() < 0.5:
make_payment_entries("Purchase Invoice", "Accounts Payable")
if random.random() < 0.4:
#make payment request against sales invoice
sales_invoice_name = get_random("Sales Invoice", filters={"docstatus": 1})
if sales_invoice_name:
si = dataent.get_doc("Sales Invoice", sales_invoice_name)
if si.outstanding_amount > 0:
payment_request = make_payment_request(dt="Sales Invoice", dn=si.name, recipient_id=si.contact_email,
submit_doc=True, mute_email=True, use_dummy_message=True)
payment_entry = dataent.get_doc(make_payment_entry(payment_request.name))
payment_entry.posting_date = dataent.flags.current_date
payment_entry.submit()
make_pos_invoice()
def test_accept(self):
dataent.set_user("Administrator")
accept(web_form='manage-events', data=json.dumps({
'doctype': 'Event',
'subject': '_Test Event Web Form',
'description': '_Test Event Description',
'starts_on': '2014-09-09'
}))
self.event_name = dataent.db.get_value("Event",
{"subject": "_Test Event Web Form"})
self.assertTrue(self.event_name)
def test_user_link_match_doc(self):
blogger = dataent.get_doc("Blogger", "_Test Blogger 1")
blogger.user = "******"
blogger.save()
dataent.set_user("*****@*****.**")
post = dataent.get_doc("Blog Post", "-test-blog-post-2")
self.assertTrue(post.has_permission("read"))
post1 = dataent.get_doc("Blog Post", "-test-blog-post-1")
self.assertFalse(post1.has_permission("read"))
def test_read_if_explicit_user_permissions_are_set(self):
self.test_set_user_permissions()
dataent.set_user("*****@*****.**")
# user can only access permitted blog post
doc = dataent.get_doc("Blog Post", "-test-blog-post")
self.assertTrue(doc.has_permission("read"))
# and not this one
doc = dataent.get_doc("Blog Post", "-test-blog-post-1")
self.assertFalse(doc.has_permission("read"))
def test_user_permissions_in_report(self):
add_user_permission("Blog Category", "_Test Blog Category 1",
"*****@*****.**")
dataent.set_user("*****@*****.**")
names = [
d.name for d in dataent.get_list("Blog Post",
fields=["name", "blog_category"])
]
self.assertTrue("-test-blog-post-1" in names)
self.assertFalse("-test-blog-post" in names)
def test_date_changed(self):
event = dataent.new_doc("Event")
event.subject = "test",
event.event_type = "Private"
event.starts_on = "2014-01-01 12:00:00"
event.insert()
self.assertFalse(
dataent.db.get_value(
"Email Queue", {
"reference_doctype": "Event",
"reference_name": event.name,
"status": "Not Sent"
}))
dataent.set_user('Administrator')
dataent.utils.scheduler.trigger(dataent.local.site, "daily", now=True)
# not today, so no alert
self.assertFalse(
dataent.db.get_value(
"Email Queue", {
"reference_doctype": "Event",
"reference_name": event.name,
"status": "Not Sent"
}))
event.starts_on = dataent.utils.add_days(dataent.utils.nowdate(),
2) + " 12:00:00"
event.save()
# Value Change notification alert will be trigger as description is not changed
# mail will not be sent
self.assertFalse(
dataent.db.get_value(
"Email Queue", {
"reference_doctype": "Event",
"reference_name": event.name,
"status": "Not Sent"
}))
dataent.utils.scheduler.trigger(dataent.local.site, "daily", now=True)
# today so show alert
self.assertTrue(
dataent.db.get_value(
"Email Queue", {
"reference_doctype": "Event",
"reference_name": event.name,
"status": "Not Sent"
}))
def test_if_owner_permission_overrides_properly(self):
# check if user is not granted access if the user is not the owner of the doc
# Blogger has only read access on the blog post unless he is the owner of the blog
update('Blog Post', 'Blogger', 0, 'if_owner', 1)
update('Blog Post', 'Blogger', 0, 'read', 1)
update('Blog Post', 'Blogger', 0, 'write', 1)
update('Blog Post', 'Blogger', 0, 'delete', 1)
# currently test2 user has not created any document
# still he should be able to do get_list query which should
# not raise permission error but simply return empty list
dataent.set_user("*****@*****.**")
self.assertEqual(dataent.get_list('Blog Post'), [])
dataent.set_user("Administrator")
# creates a custom docperm with just read access
# now any user can read any blog post (but other rights are limited to the blog post owner)
add_permission('Blog Post', 'Blogger')
dataent.clear_cache(doctype="Blog Post")
dataent.delete_doc('Blog Post', '-test-blog-post-title')
dataent.set_user("*****@*****.**")
doc = dataent.get_doc({
"doctype": "Blog Post",
"blog_category": "_Test Blog Category",
"blogger": "_Test Blogger 1",
"title": "_Test Blog Post Title",
"content": "_Test Blog Post Content"
})
doc.insert()
dataent.set_user("*****@*****.**")
doc = dataent.get_doc(doc.doctype, doc.name)
self.assertTrue(doc.has_permission("read"))
self.assertFalse(doc.has_permission("write"))
self.assertFalse(doc.has_permission("delete"))
# check if owner of the doc has the access that is available only for the owner of the doc
dataent.set_user("*****@*****.**")
doc = dataent.get_doc(doc.doctype, doc.name)
self.assertTrue(doc.has_permission("read"))
self.assertTrue(doc.has_permission("write"))
self.assertTrue(doc.has_permission("delete"))
# delete the created doc
dataent.delete_doc('Blog Post', '-test-blog-post-title')
def test_page_load(self):
dataent.set_user('Guest')
set_request(method='POST', path='login')
response = render.render()
self.assertEquals(response.status_code, 200)
html = dataent.safe_decode(response.get_data())
self.assertTrue('/* login-css */' in html)
self.assertTrue('// login.js' in html)
self.assertTrue('<!-- login.html -->' in html)
dataent.set_user('Administrator')
