def test_works_for_non_owner_with_permission(self):
d = self.factory.create_dashboard()
user = self.factory.create_user()
new_name = 'New Name'
rv = self.make_request('post',
'/api/dashboards/{0}'.format(d.id),
data={
'name': new_name,
'layout': '[]',
'version': d.version
},
user=user)
self.assertEqual(rv.status_code, 403)
AccessPermission.grant(obj=d,
access_type=ACCESS_TYPE_MODIFY,
grantee=user,
grantor=d.user)
rv = self.make_request('post',
'/api/dashboards/{0}'.format(d.id),
data={
'name': new_name,
'layout': '[]',
'version': d.version
},
user=user)
self.assertEqual(rv.status_code, 200)
self.assertEqual(rv.json['name'], new_name)
def test_works_for_non_owner_with_permission(self):
d = self.factory.create_dashboard()
user = self.factory.create_user()
new_name = "New Name"
rv = self.make_request(
"post",
"/api/dashboards/{0}".format(d.id),
data={"name": new_name, "layout": "[]", "version": d.version},
user=user,
)
self.assertEqual(rv.status_code, 403)
AccessPermission.grant(
obj=d, access_type=ACCESS_TYPE_MODIFY, grantee=user, grantor=d.user
)
rv = self.make_request(
"post",
"/api/dashboards/{0}".format(d.id),
data={"name": new_name, "layout": "[]", "version": d.version},
user=user,
)
self.assertEqual(rv.status_code, 200)
self.assertEqual(rv.json["name"], new_name)
def test_returns_true_for_existing_permission(self):
query = self.factory.create_query()
other_user = self.factory.create_user()
AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=other_user)
rv = self.make_request("get", "/api/queries/{}/acl/{}".format(query.id, ACCESS_TYPE_MODIFY), user=other_user)
self.assertEqual(rv.status_code, 200)
self.assertEqual(True, rv.json["response"])
def test_returns_true_for_existing_permission(self):
query = self.factory.create_query()
other_user = self.factory.create_user()
AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=other_user)
rv = self.make_request('get', '/api/queries/{}/acl/{}'.format(query.id, ACCESS_TYPE_MODIFY), user=other_user)
self.assertEqual(rv.status_code, 200)
self.assertEqual(True, rv.json['response'])
def test_returns_existing_object_if_exists(self):
q = self.factory.create_query()
permission1 = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=self.factory.user)
permission2 = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=self.factory.user)
self.assertEqual(permission1.id, permission2.id)
def test_returns_permissions(self):
query = self.factory.create_query()
user = self.factory.user
AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user, grantee=self.factory.user)
rv = self.make_request('get', '/api/queries/{}/acl'.format(query.id), user=user)
self.assertEqual(rv.status_code, 200)
self.assertIn('modify', rv.json)
self.assertEqual(user.id, rv.json['modify'][0]['id'])
def test_deletes_all_permissions_if_no_type_given(self):
q = self.factory.create_query()
permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=self.factory.user)
permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_VIEW,
grantor=self.factory.user,
grantee=self.factory.user)
self.assertEqual(2, AccessPermission.revoke(q, self.factory.user))
def test_returns_permissions(self):
query = self.factory.create_query()
user = self.factory.user
AccessPermission.grant(
obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=self.factory.user
)
rv = self.make_request("get", "/api/queries/{}/acl".format(query.id), user=user)
self.assertEqual(rv.status_code, 200)
self.assertIn("modify", rv.json)
self.assertEqual(user.id, rv.json["modify"][0]["id"])
def test_removes_permission(self):
query = self.factory.create_query()
user = self.factory.user
other_user = self.factory.create_user()
data = {"access_type": ACCESS_TYPE_MODIFY, "user_id": other_user.id}
AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=other_user)
rv = self.make_request("delete", "/api/queries/{}/acl".format(query.id), user=user, data=data)
self.assertEqual(rv.status_code, 200)
self.assertFalse(AccessPermission.exists(query, ACCESS_TYPE_MODIFY, other_user))
def test_works_for_non_owner_with_permission(self):
d = self.factory.create_dashboard()
user = self.factory.create_user()
new_name = 'New Name'
rv = self.make_request('post', '/api/dashboards/{0}'.format(d.id),
data={'name': new_name, 'layout': '[]', 'version': d.version}, user=user)
self.assertEqual(rv.status_code, 403)
AccessPermission.grant(obj=d, access_type=ACCESS_TYPE_MODIFY, grantee=user, grantor=d.user)
rv = self.make_request('post', '/api/dashboards/{0}'.format(d.id),
data={'name': new_name, 'layout': '[]', 'version': d.version}, user=user)
self.assertEqual(rv.status_code, 200)
self.assertEqual(rv.json['name'], new_name)
def post(self, object_type, object_id):
model = get_model_from_type(object_type)
obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)
require_admin_or_owner(obj.user_id)
req = request.get_json(True)
access_type = req['access_type']
if access_type not in ACCESS_TYPES:
abort(400, message='Unknown access type.')
try:
grantee = User.get_by_id_and_org(req['user_id'], self.current_org)
except User.DoesNotExist:
abort(400, message='User not found.')
permission = AccessPermission.grant(obj, access_type, grantee, self.current_user)
self.record_event({
'action': 'grant_permission',
'object_id': object_id,
'object_type': object_type,
'access_type': access_type,
'grantee': grantee.id
})
return permission.to_dict()
def post(self, object_type, object_id):
model = get_model_from_type(object_type)
obj = get_object_or_404(model.get_by_id_and_org, object_id,
self.current_org)
require_admin_or_owner(obj.user_id)
req = request.get_json(True)
access_type = req['access_type']
if access_type not in ACCESS_TYPES:
abort(400, message='Unknown access type.')
try:
grantee = User.get_by_id_and_org(req['user_id'], self.current_org)
except NoResultFound:
abort(400, message='User not found.')
permission = AccessPermission.grant(obj, access_type, grantee,
self.current_user)
db.session.commit()
self.record_event({
'action': 'grant_permission',
'object_id': object_id,
'object_type': object_type,
'grantee': grantee.id,
'access_type': access_type,
})
return permission.to_dict()
def test_removes_permission_created_by_another_user(self):
query = self.factory.create_query()
other_user = self.factory.create_user()
data = {
'access_type': ACCESS_TYPE_MODIFY,
'user_id': other_user.id
}
AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=other_user)
rv = self.make_request('delete', '/api/queries/{}/acl'.format(query.id), user=self.factory.create_admin(),
data=data)
self.assertEqual(rv.status_code, 200)
self.assertFalse(AccessPermission.exists(query, ACCESS_TYPE_MODIFY, other_user))
def test_deletes_permission(self):
q = self.factory.create_query()
permission = AccessPermission.grant(obj=q,
access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=self.factory.user)
self.assertEqual(
1, AccessPermission.revoke(q, self.factory.user,
ACCESS_TYPE_MODIFY))
def test_creates_correct_object(self):
q = self.factory.create_query()
permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=self.factory.user)
self.assertEqual(permission.object, q)
self.assertEqual(permission.grantor, self.factory.user)
self.assertEqual(permission.grantee, self.factory.user)
self.assertEqual(permission.access_type, ACCESS_TYPE_MODIFY)
def test_deletes_permission_for_only_given_grantee_on_given_grant_type(self):
q = self.factory.create_query()
first_user = self.factory.create_user()
second_user = self.factory.create_user()
AccessPermission.grant(
obj=q,
access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=first_user,
)
AccessPermission.grant(
obj=q,
access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=second_user,
)
AccessPermission.grant(
obj=q,
access_type=ACCESS_TYPE_VIEW,
grantor=self.factory.user,
grantee=second_user,
)
self.assertEqual(1, AccessPermission.revoke(q, second_user, ACCESS_TYPE_VIEW))
def test_removes_permission(self):
query = self.factory.create_query()
user = self.factory.user
other_user = self.factory.create_user()
data = {"access_type": ACCESS_TYPE_MODIFY, "user_id": other_user.id}
AccessPermission.grant(
obj=query,
access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=other_user,
)
rv = self.make_request("delete",
"/api/queries/{}/acl".format(query.id),
user=user,
data=data)
self.assertEqual(rv.status_code, 200)
self.assertFalse(
AccessPermission.exists(query, ACCESS_TYPE_MODIFY, other_user))
def test_deletes_permission_for_only_given_grantee_on_given_grant_type(self):
q = self.factory.create_query()
first_user = self.factory.create_user()
second_user = self.factory.create_user()
AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=first_user)
AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=second_user)
AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_VIEW,
grantor=self.factory.user,
grantee=second_user)
self.assertEqual(1, AccessPermission.revoke(q, second_user, ACCESS_TYPE_VIEW))
def test_deletes_permission(self):
q = self.factory.create_query()
permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=self.factory.user)
self.assertEqual(1, AccessPermission.revoke(q, self.factory.user, ACCESS_TYPE_MODIFY))
