def add_project_to_program(request, program_pk):
program = get_object_or_404(Project, pk=program_pk)
parent_pk = request.data.get('parent')
if parent_pk is None:
parent_pk = program_pk
project = Project.objects.create()
# Set reporting organisation and log creation
Project.new_project_created(project.id, request.user)
project.set_reporting_org(program.reporting_org)
# Set user's primary org as accountable partner
org = request.user.first_organisation()
if org is not None and org != program.reporting_org:
project.set_accountable_partner(org)
# Set validation sets
for validation_set in program.validations.all():
project.add_validation_set(validation_set)
# set parent project
project.set_parent(parent_pk)
# Import Results
project.import_results()
# Refresh to get updated attributes
project.refresh_from_db()
response = ProjectSerializer(project, context=dict(request=request)).data
return Response(response, status=HTTP_201_CREATED)
def test_new_projects_not_accessible_to_implementing_partners_not_content_owned_org_users(
self):
"""
---------------------------------------------+
/ |
User M User N User O User P |
Admin Admin User | |
\ / \ / | |
\ / \ / | |
Org A Org B --- Project W---Org C --+
/ \ / \ |
/ \ / \ |
Project X Project Y Project Z |
| |
+-------------------------------------+
"""
# Given
self.org_b.enable_restrictions = False
self.org_b.save()
implementing_partner = Organisation.objects.create(
name='C',
long_name='C',
can_create_projects=True,
enable_restrictions=True)
Partnership.objects.create(
organisation=implementing_partner,
project=self.projects['X'],
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
self.user_p = self.create_user('*****@*****.**')
Employment.objects.create(user=self.user_p,
organisation=implementing_partner,
group=self.users,
is_approved=True)
Employment.objects.create(user=self.user_m,
organisation=implementing_partner,
group=self.admins,
is_approved=True)
restrict_projects(self.user_m, self.user_p, [self.projects['X']])
# When
self.projects['W'] = project = Project.objects.create(title='W')
# FIXME: Ideally, this call should be automatic, but is manual now.
Project.new_project_created(project.id, self.user_n)
Partnership.objects.create(
organisation=implementing_partner,
project=project,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
# Then
self.assertFalse(self.org_b.enable_restrictions)
self.assertTrue(implementing_partner.enable_restrictions)
self.assertFalse(
self.user_p.has_perm('rsr.view_project', self.projects['X']))
self.assertFalse(
self.user_p.has_perm('rsr.view_project', self.projects['Y']))
self.assertFalse(
self.user_p.has_perm('rsr.view_project', self.projects['Z']))
self.assertFalse(self.user_p.has_perm('rsr.view_project', project))
def log_project_addition(request, project_pk=None):
project = Project.objects.get(pk=project_pk)
user = request.user
if not user.has_perm('rsr.change_project', project):
return HttpResponseForbidden()
Project.log_project_addition(project_pk, user)
content = {'log_entry': 'added successfully'}
return Response(content, status=http_status.HTTP_201_CREATED)
def log_project_addition(request, project_pk=None):
project = Project.objects.get(pk=project_pk)
user = request.user
if not user.has_perm('rsr.change_project', project):
return HttpResponseForbidden()
Project.log_project_addition(project_pk, user)
content = {'log_entry': 'added successfully'}
return Response(content, status=http_status.HTTP_201_CREATED)
def test_new_projects_are_not_accessible_to_restricted_users_if_enable_restrictions(
self):
restrict_projects(self.user_n, self.user_o, [self.projects['Z']])
project = Project.objects.create(title='W')
Project.new_project_created(project.id, self.user_n)
self.assertFalse(self.user_o.has_perm('rsr.view_project', project))
self.assertFalse(
self.user_o.has_perm('rsr.view_project', self.projects['Z']))
def add_project_to_program(request, program_pk):
program = get_object_or_404(Project, pk=program_pk)
parent_pk = request.data.get('parent')
if parent_pk is not None:
program = get_object_or_404(Project, pk=parent_pk)
project = Project.objects.create()
Project.new_project_created(project.id, request.user) # Log creation
project.add_to_program(program)
# Set user's primary org as accountable partner
org = request.user.first_organisation()
if org is not None and org != program.reporting_org:
project.set_accountable_partner(org)
response = ProjectSerializer(project, context=dict(request=request)).data
return Response(response, status=HTTP_201_CREATED)
def test_admin_can_restrict_user_with_restricted_projects_from_other_org(
self):
"""
User M User N User O User P
Admin Admin User |
\ \ / |
\ \ / |
Org A Org B Org C (content owned)
/ \ / \ /̶ P |
/ \ / \ /̶ P |
Project X Project Y Project W Project Z |
| | | |
+--------------+------------+-------------+
Test that you can restrict permissions for a user with restricted
projects that you don't control
"""
# Given
Y, Z = self.projects['Y'], self.projects['Z']
W = Project.objects.create(title='W')
Project.new_project_created(W.id, self.user_n)
org_content_owned = Organisation.objects.create(
name='C',
long_name='C',
can_create_projects=False,
enable_restrictions=True)
Partnership.objects.create(
organisation=org_content_owned,
project=Y,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
Partnership.objects.create(
organisation=org_content_owned,
project=Z,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
Partnership.objects.create(
organisation=org_content_owned,
project=W,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
user_p = self.create_user('*****@*****.**')
Employment.objects.create(user=user_p,
organisation=org_content_owned,
group=self.users,
is_approved=True)
Employment.objects.get(user=self.user_n,
organisation=self.org_a).delete()
Partnership.objects.get(organisation=self.org_b, project=Y).delete()
restrict_projects(self.user_n, user_p, [Z])
self.c.login(username=self.user_m.username, password=self.password_m)
data = json.dumps({
'user_projects': {
'is_restricted': True,
'projects': []
},
})
# When
response = self.c.patch('/rest/v1/user_projects_access/{}/'.format(
user_p.pk),
data=data,
content_type='application/json')
# Then
may_unrestrict_m = response.data['user_projects']['may_unrestrict']
self.assertFalse(may_unrestrict_m)
projects = response.data['user_projects']['projects']
self.assertEqual(projects, [W.id])
def create(self, request, *args, **kwargs):
response = super(ProjectViewSet, self).create(request, *args, **kwargs)
user = request.user
project_id = response.data['id']
Project.new_project_created(project_id, user)
return response
def create(self, request, *args, **kwargs):
response = super(ProjectViewSet, self).create(request, *args, **kwargs)
user = request.user
project_id = response.data['id']
Project.new_project_created(project_id, user)
return response
def create(self, validated_data):
project = super(ProjectSerializer, self).create(validated_data)
user = self.context['request'].user
Project.new_project_created(project.id, user)
project.refresh_from_db()
return project
def test_new_projects_are_accessible_in_unrestricted_content_owner_orgs(
self):
"""
User M User N User O User P
Admin Admin User |
\ / \ / |
\ / \ / |
Org A Org B - -Project W- - Org C
/ \ / \ _____/ |
/ \ / \ / |
Project X Project Y Project Z |
| |
+-------------------------------------+
| |
Project U --------------------------------+
"""
# Given
self.org_b.enable_restrictions = False
self.org_b.save()
org_content_owned = Organisation.objects.create(
name='C',
long_name='C',
can_create_projects=False,
enable_restrictions=True)
Partnership.objects.create(
organisation=org_content_owned,
project=self.projects['X'],
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
Partnership.objects.create(
organisation=org_content_owned,
project=self.projects['Z'],
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
self.user_p = self.create_user('*****@*****.**')
Employment.objects.create(user=self.user_p,
organisation=org_content_owned,
group=self.users,
is_approved=True)
restrict_projects(self.user_m, self.user_p, [self.projects['X']])
# When
self.projects['W'] = project = Project.objects.create(title='W')
# FIXME: Ideally, this call should be automatic, but is manual now.
Project.new_project_created(project.id, self.user_n)
Partnership.objects.create(
organisation=org_content_owned,
project=project,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
self.projects['U'] = project = Project.objects.create(title='U')
# FIXME: Ideally, this call should be automatic, but is manual now.
Project.new_project_created(project.id, self.user_m)
Partnership.objects.create(
organisation=org_content_owned,
project=project,
iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER)
# Then
self.assertFalse(self.org_b.enable_restrictions)
self.assertTrue(self.org_a.enable_restrictions)
self.assertTrue(org_content_owned.enable_restrictions)
self.assertTrue(
self.user_p.has_perm('rsr.view_project', self.projects['Z']))
self.assertTrue(
self.user_p.has_perm('rsr.view_project', self.projects['W']))
self.assertFalse(
self.user_p.has_perm('rsr.view_project', self.projects['Y']))
self.assertFalse(
self.user_p.has_perm('rsr.view_project', self.projects['U']))