def test_delete_draft_registration(self):
    """DELETE on the draft endpoint as ``self.user`` returns 204 and removes the draft.

    ``self.user`` is the fixture user that the sibling non-admin tests
    contrast against -- presumably the node admin (not shown here).
    NOTE(review): no sibling test sends the DELETE with no credentials at
    all; an unauthenticated case (expected 401) would round this out.
    """
    # Precondition: exactly the one fixture draft exists.
    assert_equal(1, DraftRegistration.find().count())

    endpoint = self.node.api_url_for(
        'delete_draft_registration',
        draft_id=self.draft._id,
    )
    response = self.app.delete(endpoint, auth=self.user.auth)

    assert_equal(http.NO_CONTENT, response.status_code)
    # The draft is actually gone, not merely flagged.
    assert_equal(0, DraftRegistration.find().count())
def test_delete_draft_registration_non_admin(self):
    """DELETE as ``self.non_admin`` is refused with 403 and nothing is removed.

    The authorization failure must be side-effect free: the draft count is
    asserted both before and after the request.
    """
    assert_equal(1, DraftRegistration.find().count())

    endpoint = self.node.api_url_for(
        'delete_draft_registration',
        draft_id=self.draft._id,
    )
    # expect_errors=True hands the 4xx back as a response instead of raising.
    response = self.app.delete(
        endpoint,
        auth=self.non_admin.auth,
        expect_errors=True,
    )

    assert_equal(http.FORBIDDEN, response.status_code)
    # A refused request must not have touched the draft.
    assert_equal(1, DraftRegistration.find().count())
def test_delete_draft_registration(self):
    """DELETE on the draft endpoint as ``self.user`` returns 204 and removes the draft.

    ``self.user`` is the fixture user that the sibling non-admin tests
    contrast against -- presumably the node admin (not shown here).
    NOTE(review): no sibling test sends the DELETE with no credentials at
    all; an unauthenticated case (expected 401) would round this out.
    """
    # Precondition: exactly the one fixture draft exists.
    assert_equal(1, DraftRegistration.find().count())

    endpoint = self.node.api_url_for(
        'delete_draft_registration',
        draft_id=self.draft._id,
    )
    response = self.app.delete(endpoint, auth=self.user.auth)

    assert_equal(http.NO_CONTENT, response.status_code)
    # The draft is actually gone, not merely flagged.
    assert_equal(0, DraftRegistration.find().count())
def test_only_admin_can_delete_registration(self):
    """A user who is not an admin of the node gets 403 and the draft survives.

    The user comes straight from ``AuthUserFactory`` with no visible grant
    on ``self.node`` -- presumably not even a contributor (not shown here),
    so this covers the "complete outsider" case rather than a lesser role.
    """
    outsider = AuthUserFactory()
    assert_equal(1, DraftRegistration.find().count())

    endpoint = self.node.api_url_for(
        'delete_draft_registration',
        draft_id=self.draft._id,
    )
    # expect_errors=True hands the 4xx back as a response instead of raising.
    response = self.app.delete(
        endpoint,
        auth=outsider.auth,
        expect_errors=True,
    )

    assert_equal(http.FORBIDDEN, response.status_code)
    # A refused request must not have touched the draft.
    assert_equal(1, DraftRegistration.find().count())
def test_delete_draft_registration_approved_and_registration_deleted(self, mock_register_draft):
    """A draft whose registration exists but is soft-deleted can still be deleted.

    ``mock_register_draft`` is injected by a patch decorator that is not
    part of this listing -- presumably it stubs out the archival side of
    ``register``; the mock itself is never consulted here.
    """
    # Produce a registration from the draft, then soft-delete that registration.
    # The node is re-read through the draft on purpose, mirroring how the
    # relationship is normally accessed.
    self.draft.register(auth=self.auth, save=True)
    self.draft.registered_node.is_deleted = True
    self.draft.registered_node.save()

    # Soft-deleting the registration must not have removed the draft.
    assert_equal(1, DraftRegistration.find().count())

    endpoint = self.node.api_url_for(
        'delete_draft_registration',
        draft_id=self.draft._id,
    )
    response = self.app.delete(endpoint, auth=self.user.auth)

    assert_equal(http.NO_CONTENT, response.status_code)
    assert_equal(0, DraftRegistration.find().count())
def test_delete_draft_registration_approved_and_registration_deleted(
        self, mock_register_draft):
    """A draft whose registration exists but is soft-deleted can still be deleted.

    ``mock_register_draft`` is injected by a patch decorator that is not
    part of this listing -- presumably it stubs out the archival side of
    ``register``; the mock itself is never consulted here.
    """
    # Produce a registration from the draft, then soft-delete that registration.
    # The node is re-read through the draft on purpose, mirroring how the
    # relationship is normally accessed.
    self.draft.register(auth=self.auth, save=True)
    self.draft.registered_node.is_deleted = True
    self.draft.registered_node.save()

    # Soft-deleting the registration must not have removed the draft.
    assert_equal(1, DraftRegistration.find().count())

    endpoint = self.node.api_url_for(
        'delete_draft_registration',
        draft_id=self.draft._id,
    )
    response = self.app.delete(endpoint, auth=self.user.auth)

    assert_equal(http.NO_CONTENT, response.status_code)
    assert_equal(0, DraftRegistration.find().count())
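def check_access(node, auth, action, cas_resp):
    """Verify that ``auth`` may perform ``action`` on ``node``.

    Returns True when the action is allowed. Otherwise raises HTTPError:
    BAD_REQUEST for an action not in ``permission_map``, FORBIDDEN when a
    known user (or a CAS token) lacks the scope/permission, UNAUTHORIZED
    when there is no user at all.

    The checks run in this order and the order is load-bearing:
      1. ``action`` must map to a permission.
      2. With a CAS/OAuth response, the token must be authenticated and carry
         the file read/write scope (reads of public nodes are exempt).
         Passing the scope check is necessary, never sufficient: control
         falls through to the node-level checks below.
      3. Node-level permission: ``can_view`` for reads (the source project
         of a registration also counts), ``can_edit`` for writes.
      4. ``can_edit`` on any ancestor, for ``copyfrom`` and for ``copyto``
         onto a registration.
      5. Users tagged PREREG_ADMIN_TAG may ``download`` from a node that
         has (or whose ancestor has) a Prereg Challenge v2 draft.
    """
    permission = permission_map.get(action, None)
    if permission is None:
        raise HTTPError(httplib.BAD_REQUEST)

    if cas_resp:
        if permission == 'read':
            # Public reads short-circuit before any token check.
            if node.is_public:
                return True
            required_scope = oauth_scopes.CoreScopes.NODE_FILE_READ
        else:
            required_scope = oauth_scopes.CoreScopes.NODE_FILE_WRITE
        # Short-circuit order matters: attributes are only read for an
        # authenticated response.
        # NOTE(review): a response without an 'accessTokenScope' attribute
        # raises KeyError here (a server error rather than a clean 403);
        # fail-closed, but confirm the CAS contract before relaxing to .get().
        if (not cas_resp.authenticated or
                required_scope not in oauth_scopes.normalize_scopes(
                    cas_resp.attributes['accessTokenScope'])):
            raise HTTPError(httplib.FORBIDDEN)

    if permission == 'read':
        if node.can_view(auth):
            return True
        # A registration inherits viewers from the project it was made from:
        # anyone who can view ``registered_from`` can view the registration.
        if node.is_registration and node.registered_from.can_view(auth):
            return True

    if permission == 'write' and node.can_edit(auth):
        return True

    # Users attempting to register projects with components might not have
    # `write` permissions for all components. This will result in a 403 for
    # all `copyto` actions as well as `copyfrom` actions if the component
    # in question is not public. To get around this, we have to recursively
    # check the node's parent node to determine if they have `write`
    # permissions up the stack.
    # TODO(hrybacki): is there a way to tell if this is for a registration?
    # All nodes being registered that receive the `copyto` action will have
    # `node.is_registration` == True. However, we have no way of telling if
    # `copyfrom` actions are originating from a node being registered.
    # TODO This is raise UNAUTHORIZED for registrations that have not been archived yet
    #
    # Security note: for `copyfrom` this walk is NOT limited to registrations,
    # so an editor of any ancestor can copy from a private component they
    # cannot otherwise read. That is the current design per the TODO above.
    if action == 'copyfrom' or (action == 'copyto' and node.is_registration):
        parent = node.parent_node
        while parent:
            if parent.can_edit(auth):
                return True
            parent = parent.parent_node

    # Users with the PREREG_ADMIN_TAG should be allowed to download files
    # from prereg challenge draft registrations.
    if _is_prereg_admin_download(node, auth, action):
        return True

    raise HTTPError(httplib.FORBIDDEN if auth.user else httplib.UNAUTHORIZED)


def _is_prereg_admin_download(node, auth, action):
    """Return True when a PREREG_ADMIN_TAG user downloads from a Prereg node.

    "Prereg node" means ``node`` or one of its ancestors is the
    ``branched_from`` of a DraftRegistration using the 'Prereg Challenge'
    schema, version 2.

    The cheap checks (action, user, tag) run first so the two database
    lookups only happen for tagged users on a download; previously the
    schema lookup ran on every request that reached the final denial.
    A missing Prereg schema (NoResultsFound) simply grants nothing.
    """
    if action != 'download' or auth.user is None:
        return False
    if settings.PREREG_ADMIN_TAG not in auth.user.system_tags:
        return False
    try:
        prereg_schema = MetaSchema.find_one(
            Q('name', 'eq', 'Prereg Challenge') &
            Q('schema_version', 'eq', 2)
        )
        # ``node.parents`` is its ancestor chain; the node itself counts too.
        allowed_nodes = [node] + node.parents
        prereg_draft_registration = DraftRegistration.find(
            Q('branched_from', 'in', allowed_nodes) &
            Q('registration_schema', 'eq', prereg_schema)
        )
        return prereg_draft_registration.count() > 0
    except NoResultsFound:
        return False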
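def check_access(node, auth, action, cas_resp):
    """Verify that ``auth`` may perform ``action`` on ``node``.

    Returns True when the action is allowed. Otherwise raises HTTPError:
    BAD_REQUEST for an action not in ``permission_map``, FORBIDDEN when a
    known user (or a CAS token) lacks the scope/permission, UNAUTHORIZED
    when there is no user at all.

    The checks run in this order and the order is load-bearing:
      1. ``action`` must map to a permission.
      2. With a CAS/OAuth response, the token must be authenticated and carry
         the file read/write scope (reads of public nodes are exempt).
         Passing the scope check is necessary, never sufficient: control
         falls through to the node-level checks below.
      3. Node-level permission: ``can_view`` for reads (the source project
         of a registration also counts), ``can_edit`` for writes.
      4. ``can_edit`` on any ancestor, for ``copyfrom`` and for ``copyto``
         onto a registration.
      5. Users tagged PREREG_ADMIN_TAG may ``download`` from a node that
         has (or whose ancestor has) a Prereg Challenge v2 draft.
    """
    permission = permission_map.get(action, None)
    if permission is None:
        raise HTTPError(httplib.BAD_REQUEST)

    if cas_resp:
        if permission == 'read':
            # Public reads short-circuit before any token check.
            if node.is_public:
                return True
            required_scope = oauth_scopes.CoreScopes.NODE_FILE_READ
        else:
            required_scope = oauth_scopes.CoreScopes.NODE_FILE_WRITE
        # Short-circuit order matters: attributes are only read for an
        # authenticated response.
        # NOTE(review): a response without an 'accessTokenScope' attribute
        # raises KeyError here (a server error rather than a clean 403);
        # fail-closed, but confirm the CAS contract before relaxing to .get().
        if (not cas_resp.authenticated or
                required_scope not in oauth_scopes.normalize_scopes(
                    cas_resp.attributes['accessTokenScope'])):
            raise HTTPError(httplib.FORBIDDEN)

    if permission == 'read':
        if node.can_view(auth):
            return True
        # A registration inherits viewers from the project it was made from:
        # anyone who can view ``registered_from`` can view the registration.
        if node.is_registration and node.registered_from.can_view(auth):
            return True

    if permission == 'write' and node.can_edit(auth):
        return True

    # Users attempting to register projects with components might not have
    # `write` permissions for all components. This will result in a 403 for
    # all `copyto` actions as well as `copyfrom` actions if the component
    # in question is not public. To get around this, we have to recursively
    # check the node's parent node to determine if they have `write`
    # permissions up the stack.
    # TODO(hrybacki): is there a way to tell if this is for a registration?
    # All nodes being registered that receive the `copyto` action will have
    # `node.is_registration` == True. However, we have no way of telling if
    # `copyfrom` actions are originating from a node being registered.
    # TODO This is raise UNAUTHORIZED for registrations that have not been archived yet
    #
    # Security note: for `copyfrom` this walk is NOT limited to registrations,
    # so an editor of any ancestor can copy from a private component they
    # cannot otherwise read. That is the current design per the TODO above.
    if action == 'copyfrom' or (action == 'copyto' and node.is_registration):
        parent = node.parent_node
        while parent:
            if parent.can_edit(auth):
                return True
            parent = parent.parent_node

    # Users with the PREREG_ADMIN_TAG should be allowed to download files
    # from prereg challenge draft registrations.
    if _is_prereg_admin_download(node, auth, action):
        return True

    raise HTTPError(httplib.FORBIDDEN if auth.user else httplib.UNAUTHORIZED)


def _is_prereg_admin_download(node, auth, action):
    """Return True when a PREREG_ADMIN_TAG user downloads from a Prereg node.

    "Prereg node" means ``node`` or one of its ancestors is the
    ``branched_from`` of a DraftRegistration using the 'Prereg Challenge'
    schema, version 2.

    The cheap checks (action, user, tag) run first so the two database
    lookups only happen for tagged users on a download; previously the
    schema lookup ran on every request that reached the final denial.
    A missing Prereg schema (NoResultsFound) simply grants nothing.
    """
    if action != 'download' or auth.user is None:
        return False
    if settings.PREREG_ADMIN_TAG not in auth.user.system_tags:
        return False
    try:
        prereg_schema = MetaSchema.find_one(
            Q('name', 'eq', 'Prereg Challenge') &
            Q('schema_version', 'eq', 2))
        # ``node.parents`` is its ancestor chain; the node itself counts too.
        allowed_nodes = [node] + node.parents
        prereg_draft_registration = DraftRegistration.find(
            Q('branched_from', 'in', allowed_nodes) &
            Q('registration_schema', 'eq', prereg_schema))
        return prereg_draft_registration.count() > 0
    except NoResultsFound:
        return False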