def test_roles_visibility(get, organization, project, admin, alice, bob):
    """Pin who may see a project's update role through the role list endpoint.

    The list is filtered to the single role id, so the returned ``count`` is
    1 when the requesting user is allowed to see that role and 0 otherwise.
    """
    Role.singleton('system_auditor').members.add(alice)

    def visible_count(viewer):
        # The URL is rebuilt on every request, exactly one role id per query.
        target = reverse('api:role_list') + '?id=%d' % project.update_role.id
        return get(target, user=viewer).data['count']

    # admin and the system auditor (alice) both see the role.
    assert visible_count(admin) == 1
    assert visible_count(alice) == 1

    # bob has received no grant in this test yet: the role must stay hidden.
    assert visible_count(bob) == 0

    # Organization-level auditor membership is enough to reveal the role.
    organization.auditor_role.members.add(bob)
    assert visible_count(bob) == 1
def user_is_system_auditor(user, tf):
    """Grant or revoke membership in the 'system_auditor' singleton role.

    A truthy ``tf`` adds ``user`` to the role and sets the cached
    ``_is_system_auditor`` flag to True. A falsy ``tf`` removes the user and
    sets the flag to False.

    NOTE(review): when ``user.id`` is falsy (an unsaved user) nothing happens
    at all, so a revoke request is skipped just as silently as a grant.
    Callers that rely on this to drop auditor access should confirm the user
    has been saved first.
    """
    if not user.id:
        return

    auditors = Role.singleton('system_auditor').members
    if tf:
        auditors.add(user)
        user._is_system_auditor = True
    else:
        auditors.remove(user)
        user._is_system_auditor = False
def test_metrics_permissions(get, admin, org_admin, alice, bob, organization):
    """Pin which users may read the metrics view.

    Expected outcome: 200 for admin, 403 for the org admin and for ordinary
    users, still 403 for an organization auditor, and 200 only once the user
    is a system auditor.
    """

    def status_for(viewer):
        # The view URL is requested afresh for every check.
        return get(get_metrics_view_db_only(), user=viewer).status_code

    assert status_for(admin) == 200
    assert status_for(org_admin) == 403
    assert status_for(alice) == 403
    assert status_for(bob) == 403

    # Organization-scoped auditing must not open the metrics endpoint.
    organization.auditor_role.members.add(bob)
    assert status_for(bob) == 403

    # Only the system-wide auditor role unlocks it.
    Role.singleton('system_auditor').members.add(bob)
    # presumably keeps the in-memory user's cached auditor flag in step with
    # the role change above -- confirm against the User property setter
    bob.is_system_auditor = True
    assert status_for(bob) == 200
def test_roles_filter_visibility(get, organization, project, admin, alice, bob):
    """Pin who may see admin's project update role in admin's role list.

    The request targets admin's user roles list filtered to one role id, so
    ``count`` is 1 when the viewer may see that grant and 0 otherwise.
    """
    Role.singleton('system_auditor').members.add(alice)
    project.update_role.members.add(admin)

    def visible_count(viewer):
        # The URL is rebuilt on every request: admin's roles, one role id.
        listing = reverse('api:user_roles_list', kwargs={'pk': admin.id})
        return get(listing + '?id=%d' % project.update_role.id, user=viewer).data['count']

    assert visible_count(admin) == 1
    assert visible_count(alice) == 1

    # bob has received no grant in this test yet: admin's role is hidden.
    assert visible_count(bob) == 0

    # Organization auditor membership reveals it.
    organization.auditor_role.members.add(bob)
    assert visible_count(bob) == 1

    # Swap the auditor grant for a different role on the same project.
    organization.auditor_role.members.remove(bob)
    project.use_role.members.add(bob)

    # sibling role should still grant visibility
    assert visible_count(bob) == 1
def user_is_system_auditor(user, tf):
    """Grant or revoke membership in the 'system_auditor' singleton role.

    Membership is looked up before any change, so a user who is already in
    the requested state triggers no add/remove call. The cached
    ``_is_system_auditor`` flag is set to True or False either way.

    NOTE(review): when ``user.id`` is falsy (an unsaved user) nothing happens
    at all, so a revoke request is skipped just as silently as a grant.
    Callers that rely on this to drop auditor access should confirm the user
    has been saved first.
    """
    if not user.id:
        return

    auditor_role = Role.singleton('system_auditor')
    # must check if member to not duplicate activity stream
    already_member = user in auditor_role.members.all()

    if tf:
        if not already_member:
            auditor_role.members.add(user)
        user._is_system_auditor = True
    else:
        if already_member:
            auditor_role.members.remove(user)
        user._is_system_auditor = False
def test_get_roles_list_user(organization, inventory, team, get, user):
    """Users can see all roles they have access to, but not all roles.

    An organization member lists roles and must find the organization's
    roles, their own admin role and a custom child role of the member role.
    Inventory admin and team member roles must stay out of the listing.
    """
    member = user('user-test_get_roles_list_user')
    organization.member_role.members.add(member)

    child_role = Role.objects.create(role_field='custom_role-test_get_roles_list_user')
    organization.member_role.children.add(child_role)

    response = get(reverse('api:role_list'), member)
    assert response.status_code == 200

    payload = response.data
    assert payload['count'] > 0
    # just to make sure the tests below are valid
    assert payload['count'] == len(payload['results'])

    visible = {entry['id']: entry for entry in payload['results']}

    # Roles the member is expected to see.
    assert Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).id in visible
    assert organization.admin_role.id in visible
    assert organization.member_role.id in visible
    assert member.admin_role.id in visible
    assert child_role.id in visible

    # Roles that must not appear for this member.
    assert inventory.admin_role.id not in visible
    assert team.member_role.id not in visible
def user_is_system_auditor(user, tf):
    """Grant or revoke membership in the 'system_auditor' singleton role.

    Unlike a no-op on unsaved users, this version saves a user that has no
    primary key yet, so the grant or revoke always goes through. Membership
    is looked up before any change, so a user already in the requested state
    triggers no add/remove call. The cached ``_is_system_auditor`` flag is
    set to True or False either way.
    """
    if not user.id:
        # A user without a primary key was just created in this request (it
        # is the *first* time they have logged in). The role relation needs
        # a primary key, so persist the user before touching membership.
        user.save()

    auditor_role = Role.singleton('system_auditor')
    # must check if member to not duplicate activity stream
    already_member = user in auditor_role.members.all()

    if tf:
        if not already_member:
            auditor_role.members.add(user)
        user._is_system_auditor = True
    else:
        if already_member:
            auditor_role.members.remove(user)
        user._is_system_auditor = False
def test_user_view_other_user_roles(organization, inventory, team, get, alice, bob):
    """Users can see another user's roles, limited to roles the viewer may see.

    alice requests bob's role list twice: first as a plain member of bob's
    organization, then after joining bob's team. bob's team membership must
    be hidden from her the first time and visible the second time.
    """
    organization.member_role.members.add(alice)
    organization.admin_role.members.add(bob)
    organization.member_role.members.add(bob)

    child_role = Role.objects.create(role_field='custom_role-test_user_view_admin_roles_list')
    organization.member_role.children.add(child_role)
    team.member_role.members.add(bob)

    # alice and bob are in the same org and can see some child role of that org.
    # Bob is an org admin, alice can see this.
    # Bob is in a team that alice is not, alice cannot see that bob is a member of that team.
    bob_roles_url = reverse('api:user_roles_list', kwargs={'pk': bob.id})

    def roles_alice_sees():
        # Fetch bob's role list as alice and return it as {role id: role name}.
        response = get(bob_roles_url, alice)
        assert response.status_code == 200
        payload = response.data
        assert payload['count'] > 0
        # just to make sure the tests below are valid
        assert payload['count'] == len(payload['results'])
        return {entry['id']: entry['name'] for entry in payload['results']}

    seen = roles_alice_sees()
    assert organization.admin_role.id in seen
    # doesn't show up in the user roles list, not an explicit grant
    assert child_role.id not in seen
    assert Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).id not in seen
    assert inventory.admin_role.id not in seen
    # alice can't see this
    assert team.member_role.id not in seen

    # again but this time alice is part of the team, and should be able to see the team role
    team.member_role.members.add(alice)
    seen = roles_alice_sees()
    # Alice can now see this
    assert team.member_role.id in seen
def system_auditor(user):
    """Create the 'an-auditor' user and add it to the system auditor role.

    ``user`` is the factory callable passed in by the caller. The created
    user is returned after being added to the 'system_auditor' singleton.
    """
    # presumably the second argument is the superuser flag -- confirm against
    # the ``user`` factory
    auditor = user('an-auditor', False)
    Role.singleton('system_auditor').members.add(auditor)
    return auditor