def setUp(self):
frappe.clear_cache(doctype="Blog Post")
if not frappe.flags.permission_user_setup_done:
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Website Manager")
user.add_roles("System Manager")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Blogger")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Sales User")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Website Manager")
frappe.flags.permission_user_setup_done = True
reset("Blogger")
reset("Blog Post")
frappe.db.sql("delete from `tabUser Permission`")
frappe.set_user("*****@*****.**")
def test_fieldlevel_permissions_in_load(self):
blog = frappe.get_doc({
"doctype": "Blog Post",
"blog_category": "-test-blog-category-1",
"blog_intro": "Test Blog Intro",
"blogger": "_Test Blogger 1",
"content": "Test Blog Content",
"title": "_Test Blog Post {}".format(frappe.utils.now()),
"published": 0
})
blog.insert()
user = frappe.get_doc('User', '*****@*****.**')
user_roles = frappe.get_roles()
user.remove_roles(*user_roles)
user.add_roles('Blogger')
blog_post_property_setter = make_property_setter('Blog Post', 'published', 'permlevel', 1, 'Int')
reset('Blog Post')
add('Blog Post', 'Website Manager', 1)
update('Blog Post', 'Website Manager', 1, 'write', 1)
frappe.set_user(user.name)
blog_doc = get_blog(blog.name)
self.assertEqual(blog_doc.name, blog.name)
# since published field has higher permlevel
self.assertEqual(blog_doc.published, None)
# this will be ignored because user does not
# have write access on `published` field (or on permlevel 1 fields)
blog_doc.published = 1
blog_doc.save()
# since published field has higher permlevel
self.assertEqual(blog_doc.published, 0)
frappe.set_user('Administrator')
user.add_roles('Website Manager')
frappe.set_user(user.name)
doc = frappe.get_doc('Blog Post', blog.name)
doc.published = 1
doc.save()
blog_doc = get_blog(blog.name)
# now user should be allowed to read field with higher permlevel
# (after adding Website Manager role)
self.assertEqual(blog_doc.published, 1)
frappe.set_user('Administrator')
# reset user roles
user.remove_roles('Blogger', 'Website Manager')
user.add_roles(*user_roles)
blog_doc.delete()
frappe.delete_doc(blog_post_property_setter.doctype, blog_post_property_setter.name)
def set_print_email_permissions():
# reset Page perms
from frappe.core.page.permission_manager.permission_manager import reset
reset("Page")
reset("Report")
if "allow_print" not in frappe.db.get_table_columns("DocType"):
return
# patch to move print, email into DocPerm
# NOTE: allow_print and allow_email are misnamed. They were used to hide print / hide email
for doctype, hide_print, hide_email in frappe.db.sql(
"""select name, ifnull(allow_print, 0), ifnull(allow_email, 0)
from `tabDocType` where ifnull(issingle, 0)=0 and ifnull(istable, 0)=0 and
(ifnull(allow_print, 0)=0 or ifnull(allow_email, 0)=0)"""):
if not hide_print:
frappe.db.sql(
"""update `tabDocPerm` set `print`=1
where permlevel=0 and `read`=1 and parent=%s""", doctype)
if not hide_email:
frappe.db.sql(
"""update `tabDocPerm` set `email`=1
where permlevel=0 and `read`=1 and parent=%s""", doctype)
def test_reportview_get(self):
user = frappe.get_doc("User", "*****@*****.**")
add_child_table_to_blog_post()
user_roles = frappe.get_roles()
user.remove_roles(*user_roles)
user.add_roles("Blogger")
make_property_setter("Blog Post", "published", "permlevel", 1, "Int")
reset("Blog Post")
add("Blog Post", "Website Manager", 1)
update("Blog Post", "Website Manager", 1, "write", 1)
frappe.set_user(user.name)
frappe.local.request = frappe._dict()
frappe.local.request.method = "POST"
frappe.local.form_dict = frappe._dict({
"doctype":
"Blog Post",
"fields": ["published", "title", "`tabTest Child`.`test_field`"],
})
# even if * is passed, fields which are not accessible should be filtered out
response = execute_cmd("frappe.desk.reportview.get")
self.assertListEqual(response["keys"], ["title"])
frappe.local.form_dict = frappe._dict({
"doctype": "Blog Post",
"fields": ["*"],
})
response = execute_cmd("frappe.desk.reportview.get")
self.assertNotIn("published", response["keys"])
frappe.set_user("Administrator")
user.add_roles("Website Manager")
frappe.set_user(user.name)
frappe.set_user("Administrator")
# Admin should be able to see access all fields
frappe.local.form_dict = frappe._dict({
"doctype":
"Blog Post",
"fields": ["published", "title", "`tabTest Child`.`test_field`"],
})
response = execute_cmd("frappe.desk.reportview.get")
self.assertListEqual(response["keys"],
["published", "title", "test_field"])
# reset user roles
user.remove_roles("Blogger", "Website Manager")
user.add_roles(*user_roles)
def test_fieldlevel_permissions_in_load(self):
user = frappe.get_doc('User', '*****@*****.**')
user.remove_roles('Website Manager')
user.add_roles('Blogger')
reset('Blog Post')
frappe.db.set_value('DocField', {
'fieldname': 'published',
'parent': 'Blog Post'
}, 'permlevel', 1)
update('Blog Post', 'Website Manager', 0, 'permlevel', 1)
frappe.set_user(user.name)
# print frappe.as_json(get_valid_perms('Blog Post'))
frappe.clear_cache(doctype='Blog Post')
blog = frappe.db.get_value('Blog Post', {'title': '_Test Blog Post'})
getdoc('Blog Post', blog)
checked = False
for doc in frappe.response.docs:
if doc.name == blog:
self.assertEqual(doc.published, None)
checked = True
self.assertTrue(checked, True)
frappe.db.set_value('DocField', {
'fieldname': 'published',
'parent': 'Blog Post'
}, 'permlevel', 0)
reset('Blog Post')
frappe.clear_cache(doctype='Blog Post')
frappe.response.docs = []
getdoc('Blog Post', blog)
checked = False
for doc in frappe.response.docs:
if doc.name == blog:
self.assertEqual(doc.published, 1)
checked = True
self.assertTrue(checked, True)
frappe.set_user('Administrator')
def setUp(self):
items = create_items()
reset('Stock Entry')
# delete SLE and BINs for all items
frappe.db.sql(
"delete from `tabStock Ledger Entry` where item_code in (%s)" %
(', '.join(['%s'] * len(items))), items)
frappe.db.sql(
"delete from `tabBin` where item_code in (%s)" %
(', '.join(['%s'] * len(items))), items)
def tearDown(self):
frappe.set_user("Administrator")
frappe.db.set_value("Blogger", "_Test Blogger 1", "user", None)
clear_user_permissions_for_doctype("Blog Category")
clear_user_permissions_for_doctype("Blog Post")
clear_user_permissions_for_doctype("Blogger")
reset('Blogger')
reset('Blog Post')
self.set_ignore_user_permissions_if_missing(0)
def setUp(self):
items = create_items()
reset("Stock Entry")
# delete SLE and BINs for all items
frappe.db.sql(
"delete from `tabStock Ledger Entry` where item_code in (%s)" %
(", ".join(["%s"] * len(items))),
items,
)
frappe.db.sql(
"delete from `tabBin` where item_code in (%s)" %
(", ".join(["%s"] * len(items))), items)
def setUp(self):
frappe.clear_cache(doctype="Blog Post")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Website Manager")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Blogger")
reset('Blogger')
reset('Blog Post')
self.set_ignore_user_permissions_if_missing(0)
frappe.set_user("*****@*****.**")
def test_fieldlevel_permissions_in_load(self):
user = frappe.get_doc('User', '*****@*****.**')
user.remove_roles('Website Manager')
user.add_roles('Blogger')
reset('Blog Post')
frappe.db.sql('update tabDocField set permlevel=1 where fieldname="published" and parent="Blog Post"')
update('Blog Post', 'Website Manager', 0, 'permlevel', 1)
frappe.set_user(user.name)
# print frappe.as_json(get_valid_perms('Blog Post'))
frappe.clear_cache(doctype='Blog Post')
blog = frappe.db.get_value('Blog Post', {'title': '_Test Blog Post'})
getdoc('Blog Post', blog)
checked = False
for doc in frappe.response.docs:
if doc.name == blog:
self.assertEquals(doc.published, None)
checked = True
self.assertTrue(checked, True)
frappe.db.sql('update tabDocField set permlevel=0 where fieldname="published" and parent="Blog Post"')
reset('Blog Post')
frappe.clear_cache(doctype='Blog Post')
frappe.response.docs = []
getdoc('Blog Post', blog)
checked = False
for doc in frappe.response.docs:
if doc.name == blog:
self.assertEquals(doc.published, 1)
checked = True
self.assertTrue(checked, True)
frappe.set_user('Administrator')
def execute():
# reset Page perms
from frappe.core.page.permission_manager.permission_manager import reset
reset("Page")
reset("Report")
# patch to move print, email into DocPerm
for doctype, hide_print, hide_email in frappe.db.sql("""select name, ifnull(allow_print, 0), ifnull(allow_email, 0)
from `tabDocType` where ifnull(issingle, 0)=0 and ifnull(istable, 0)=0 and
(ifnull(allow_print, 0)=0 or ifnull(allow_email, 0)=0)"""):
if not hide_print:
frappe.db.sql("""update `tabDocPerm` set `print`=1
where permlevel=0 and `read`=1 and parent=%s""", doctype)
if not hide_email:
frappe.db.sql("""update `tabDocPerm` set `email`=1
where permlevel=0 and `read`=1 and parent=%s""", doctype)
def test_fieldlevel_permissions_in_load_for_child_table(self):
contact = frappe.new_doc('Contact')
contact.first_name = '_Test Contact 1'
contact.append('phone_nos', {'phone': '123456'})
contact.insert()
user = frappe.get_doc('User', '*****@*****.**')
user_roles = frappe.get_roles()
user.remove_roles(*user_roles)
user.add_roles('Accounts User')
make_property_setter('Contact Phone', 'phone', 'permlevel', 1, 'Int')
reset('Contact Phone')
add('Contact', 'Sales User', 1)
update('Contact', 'Sales User', 1, 'write', 1)
frappe.set_user(user.name)
contact = frappe.get_doc('Contact', '_Test Contact 1')
contact.phone_nos[0].phone = '654321'
contact.save()
self.assertEqual(contact.phone_nos[0].phone, '123456')
frappe.set_user('Administrator')
user.add_roles('Sales User')
frappe.set_user(user.name)
contact.phone_nos[0].phone = '654321'
contact.save()
contact = frappe.get_doc('Contact', '_Test Contact 1')
self.assertEqual(contact.phone_nos[0].phone, '654321')
frappe.set_user('Administrator')
# reset user roles
user.remove_roles('Accounts User', 'Sales User')
user.add_roles(*user_roles)
contact.delete()
def test_fieldlevel_permissions_in_load_for_child_table(self):
contact = frappe.new_doc("Contact")
contact.first_name = "_Test Contact 1"
contact.append("phone_nos", {"phone": "123456"})
contact.insert()
user = frappe.get_doc("User", "*****@*****.**")
user_roles = frappe.get_roles()
user.remove_roles(*user_roles)
user.add_roles("Accounts User")
make_property_setter("Contact Phone", "phone", "permlevel", 1, "Int")
reset("Contact Phone")
add("Contact", "Sales User", 1)
update("Contact", "Sales User", 1, "write", 1)
frappe.set_user(user.name)
contact = frappe.get_doc("Contact", "_Test Contact 1")
contact.phone_nos[0].phone = "654321"
contact.save()
self.assertEqual(contact.phone_nos[0].phone, "123456")
frappe.set_user("Administrator")
user.add_roles("Sales User")
frappe.set_user(user.name)
contact.phone_nos[0].phone = "654321"
contact.save()
contact = frappe.get_doc("Contact", "_Test Contact 1")
self.assertEqual(contact.phone_nos[0].phone, "654321")
frappe.set_user("Administrator")
# reset user roles
user.remove_roles("Accounts User", "Sales User")
user.add_roles(*user_roles)
contact.delete()
def test_strict_user_permissions(self):
"""If `Strict User Permissions` is checked in System Settings,
show records even if User Permissions are missing for a linked
doctype"""
frappe.set_user('Administrator')
frappe.db.sql('DELETE FROM `tabContact`')
frappe.db.sql('DELETE FROM `tabContact Email`')
frappe.db.sql('DELETE FROM `tabContact Phone`')
reset('Salutation')
reset('Contact')
make_test_records_for_doctype('Contact', force=True)
add_user_permission("Salutation", "Mr", "*****@*****.**")
self.set_strict_user_permissions(0)
allowed_contact = frappe.get_doc('Contact',
'_Test Contact For _Test Customer')
other_contact = frappe.get_doc('Contact',
'_Test Contact For _Test Supplier')
frappe.set_user("*****@*****.**")
self.assertTrue(allowed_contact.has_permission('read'))
self.assertTrue(other_contact.has_permission('read'))
self.assertEqual(len(frappe.get_list("Contact")), 2)
frappe.set_user("Administrator")
self.set_strict_user_permissions(1)
frappe.set_user("*****@*****.**")
self.assertTrue(allowed_contact.has_permission('read'))
self.assertFalse(other_contact.has_permission('read'))
self.assertTrue(len(frappe.get_list("Contact")), 1)
frappe.set_user("Administrator")
self.set_strict_user_permissions(0)
clear_user_permissions_for_doctype("Salutation")
clear_user_permissions_for_doctype("Contact")
def setUp(self):
frappe.clear_cache(doctype="Blog Post")
if not frappe.flags.permission_user_setup_done:
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Website Manager")
user.add_roles("System Manager")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Blogger")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Sales User")
frappe.flags.permission_user_setup_done = True
reset('Blogger')
reset('Blog Post')
frappe.db.sql('delete from `tabUser Permission`')
frappe.set_user("*****@*****.**")
def set_print_email_permissions():
# reset Page perms
from frappe.core.page.permission_manager.permission_manager import reset
reset("Page")
reset("Report")
if "allow_print" not in frappe.db.get_table_columns("DocType"):
return
# patch to move print, email into DocPerm
# NOTE: allow_print and allow_email are misnamed. They were used to hide print / hide email
for doctype, hide_print, hide_email in frappe.db.sql("""select name, ifnull(allow_print, 0), ifnull(allow_email, 0)
from `tabDocType` where ifnull(issingle, 0)=0 and ifnull(istable, 0)=0 and
(ifnull(allow_print, 0)=0 or ifnull(allow_email, 0)=0)"""):
if not hide_print:
frappe.db.sql("""update `tabDocPerm` set `print`=1
where permlevel=0 and `read`=1 and parent=%s""", doctype)
if not hide_email:
frappe.db.sql("""update `tabDocPerm` set `email`=1
where permlevel=0 and `read`=1 and parent=%s""", doctype)
def tearDown(self):
frappe.set_user("Administrator")
frappe.db.set_value("Blogger", "_Test Blogger 1", "user", None)
clear_user_permissions_for_doctype("Blog Category")
clear_user_permissions_for_doctype("Blog Post")
clear_user_permissions_for_doctype("Blogger")
clear_user_permissions_for_doctype("Contact")
clear_user_permissions_for_doctype("Salutation")
reset('Blogger')
reset('Blog Post')
reset('Contact')
reset('Salutation')
self.set_ignore_user_permissions_if_missing(0)
def test_strict_user_permissions(self):
"""If `Strict User Permissions` is checked in System Settings,
show records even if User Permissions are missing for a linked
doctype"""
frappe.set_user('Administrator')
frappe.db.sql('delete from tabContact')
reset('Salutation')
reset('Contact')
make_test_records_for_doctype('Contact', force=True)
add_user_permission("Salutation", "Mr", "*****@*****.**")
self.set_strict_user_permissions(0)
allowed_contact = frappe.get_doc('Contact', '_Test Contact for _Test Customer')
other_contact = frappe.get_doc('Contact', '_Test Contact for _Test Supplier')
frappe.set_user("*****@*****.**")
self.assertTrue(allowed_contact.has_permission('read'))
self.assertTrue(other_contact.has_permission('read'))
self.assertEqual(len(frappe.get_list("Contact")), 2)
frappe.set_user("Administrator")
self.set_strict_user_permissions(1)
frappe.set_user("*****@*****.**")
self.assertTrue(allowed_contact.has_permission('read'))
self.assertFalse(other_contact.has_permission('read'))
self.assertTrue(len(frappe.get_list("Contact")), 1)
frappe.set_user("Administrator")
self.set_strict_user_permissions(0)
clear_user_permissions_for_doctype("Salutation")
clear_user_permissions_for_doctype("Contact")
def setUp(self):
frappe.clear_cache(doctype="Blog Post")
frappe.clear_cache(doctype="Contact")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Website Manager")
user.add_roles("System Manager")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Blogger")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Sales User")
reset('Blogger')
reset('Blog Post')
reset('Contact')
reset('Salutation')
frappe.db.sql('delete from `tabUser Permission`')
self.set_ignore_user_permissions_if_missing(0)
frappe.set_user("*****@*****.**")
def setUp(self):
frappe.clear_cache(doctype="Blog Post")
frappe.clear_cache(doctype="Contact")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Website Manager")
user.add_roles("System Manager")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Blogger")
user = frappe.get_doc("User", "*****@*****.**")
user.add_roles("Sales User")
reset('Blogger')
reset('Blog Post')
reset('Contact')
reset('Salutation')
frappe.db.sql('delete from `tabUser Permission`')
self.set_ignore_user_permissions_if_missing(0)
frappe.set_user("*****@*****.**")
