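def set_permissions(user_id, service_id):
    """Replace a user's permissions, and optionally folder access, on a service.

    The JSON request body is validated against ``post_set_permissions_schema``.
    Every entry in ``permissions`` becomes a ``Permission`` row for this
    user/service pair, and the stored set is replaced (``replace=True``).
    When ``folder_permissions`` is present, the user's folder list for this
    service is replaced with the folders it names. Each folder is looked up
    by id *and* ``service_id``, so folder ids are resolved within this
    service only.

    NOTE(security): nothing in this function checks that the caller is
    allowed to change permissions for ``user_id`` on ``service_id``. Both ids
    come from the URL and are acted on directly. Confirm where caller
    authorisation is enforced before relying on this endpoint as a boundary.

    Returns:
        An empty JSON body with HTTP status 204.
    """
    # TODO fix security hole, how do we verify that the user
    # who is making this request has permission to make the request.
    service_user = dao_get_service_user(user_id, service_id)
    user = service_user.user
    service = dao_fetch_service_by_id(service_id=service_id)

    data = request.get_json()
    validate(data, post_set_permissions_schema)

    permission_list = [
        Permission(service_id=service_id, user_id=user_id, permission=p['permission'])
        for p in data['permissions']
    ]

    # Resolve every requested folder before anything is written or announced.
    # The permission write below commits immediately (_commit=True), so a
    # folder lookup that fails afterwards would leave new permissions stored
    # with the old folder access still in place.
    # NOTE(review): assumes the lookup raises for an unknown folder id - confirm.
    folders = None
    if 'folder_permissions' in data:
        folders = [
            dao_get_template_folder_by_id_and_service_id(folder_id, service_id)
            for folder_id in data['folder_permissions']
        ]

    service_key = "service_id_{}".format(service_id)
    change_dict = {service_key: service_id, "permissions": permission_list}

    # The alert is best-effort: a failure is logged and must not block the
    # permission change itself.
    try:
        _update_alert(user, change_dict)
    except Exception as e:
        current_app.logger.error(e)

    permission_dao.set_user_service_permission(user, service, permission_list, _commit=True, replace=True)

    # An empty folder_permissions list is meaningful (it clears folder access),
    # so test for "key was supplied" rather than truthiness.
    if folders is not None:
        service_user.folders = folders
        dao_update_service_user(service_user)

    return jsonify({}), 204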
def test_update_user_folder_permissions(client, sample_user, sample_service):
    """Posting ``folder_permissions`` replaces the folders a user can access.

    The user starts with two folders. The request names one of those plus a
    third folder, and the test expects exactly the two requested folders
    afterwards.
    """
    dropped_folder = create_template_folder(sample_service)
    kept_folder = create_template_folder(sample_service)
    new_folder = create_template_folder(sample_service)

    membership = dao_get_service_user(sample_user.id, sample_service.id)
    membership.folders = [dropped_folder, kept_folder]
    dao_update_service_user(membership)

    endpoint = url_for(
        'user.set_permissions',
        user_id=str(sample_user.id),
        service_id=str(sample_service.id),
    )
    payload = json.dumps({
        'permissions': [],
        'folder_permissions': [str(kept_folder.id), str(new_folder.id)],
    })
    request_headers = [('Content-Type', 'application/json'), create_authorization_header()]

    response = client.post(endpoint, headers=request_headers, data=payload)

    assert response.status_code == 204
    # Two folders in total, both of them the requested ones: the folder that
    # was not named in the request must have been revoked.
    assert len(membership.folders) == 2
    assert kept_folder in membership.folders
    assert new_folder in membership.folders
def test_set_user_folder_permissions_does_not_affect_permissions_for_other_services(
    client,
    sample_user,
    sample_service,
):
    """Folder access on one service is untouched by an update to another.

    The same user belongs to two services. Folder permissions are replaced
    on ``sample_service`` only, and the test checks that the user's folder
    list on the second service still holds its original folder.
    """
    original_folder = create_template_folder(sample_service)
    requested_folder = create_template_folder(sample_service)

    other_service = create_service(sample_user, service_name='other service')
    other_service_folder = create_template_folder(other_service)

    target_membership = dao_get_service_user(sample_user.id, sample_service.id)
    target_membership.folders = [original_folder]
    dao_update_service_user(target_membership)

    other_membership = dao_get_service_user(sample_user.id, other_service.id)
    other_membership.folders = [other_service_folder]
    dao_update_service_user(other_membership)

    endpoint = url_for(
        'user.set_permissions',
        user_id=str(sample_user.id),
        service_id=str(sample_service.id),
    )
    payload = json.dumps({'permissions': [], 'folder_permissions': [str(requested_folder.id)]})
    request_headers = [('Content-Type', 'application/json'), create_authorization_header()]

    response = client.post(endpoint, headers=request_headers, data=payload)

    assert response.status_code == 204
    # The targeted service now holds only the requested folder ...
    assert target_membership.folders == [requested_folder]
    # ... and the other service's grant is exactly what it was before.
    assert other_membership.folders == [other_service_folder]
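def set_permissions(user_id, service_id):
    """Replace a user's permissions, and optionally folder access, on a service.

    The JSON request body is validated against ``post_set_permissions_schema``.
    Every entry in ``permissions`` becomes a ``Permission`` row for this
    user/service pair, and the stored set is replaced (``replace=True``).
    When ``folder_permissions`` is present, the user's folder list for this
    service is replaced with the folders it names. Each folder is looked up
    by id *and* ``service_id``, so folder ids are resolved within this
    service only.

    NOTE(security): nothing in this function checks that the caller is
    allowed to change permissions for ``user_id`` on ``service_id``. Both ids
    come from the URL and are acted on directly. Confirm where caller
    authorisation is enforced before relying on this endpoint as a boundary.

    Returns:
        An empty JSON body with HTTP status 204.
    """
    # TODO fix security hole, how do we verify that the user
    # who is making this request has permission to make the request.
    service_user = dao_get_service_user(user_id, service_id)
    user = service_user.user
    service = dao_fetch_service_by_id(service_id=service_id)

    data = request.get_json()
    validate(data, post_set_permissions_schema)

    permission_list = [
        Permission(service_id=service_id, user_id=user_id, permission=p['permission'])
        for p in data['permissions']
    ]

    # Resolve every requested folder before anything is written. The
    # permission write below commits immediately (_commit=True), so a folder
    # lookup that fails afterwards would leave new permissions stored with
    # the old folder access still in place.
    # NOTE(review): assumes the lookup raises for an unknown folder id - confirm.
    folders = None
    if 'folder_permissions' in data:
        folders = [
            dao_get_template_folder_by_id_and_service_id(folder_id, service_id)
            for folder_id in data['folder_permissions']
        ]

    permission_dao.set_user_service_permission(user, service, permission_list, _commit=True, replace=True)

    # An empty folder_permissions list is meaningful (it clears folder access),
    # so test for "key was supplied" rather than truthiness.
    if folders is not None:
        service_user.folders = folders
        dao_update_service_user(service_user)

    return jsonify({}), 204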
def test_removing_a_user_from_a_service_deletes_their_folder_permissions_for_that_service(sample_user, sample_service):
    """Removing a user from a service drops their folder grants for it only.

    The user holds folder permissions on two services. After removal from
    ``sample_service``, exactly one ``user_folder_permissions`` row must
    remain, and it must be the one for the other service.
    """
    removed_folder_a = create_template_folder(sample_service)
    removed_folder_b = create_template_folder(sample_service)

    other_service = create_service(sample_user, service_name='other service')
    surviving_folder = create_template_folder(other_service)

    removed_membership = dao_get_service_user(sample_user.id, sample_service.id)
    removed_membership.folders = [removed_folder_a, removed_folder_b]
    dao_update_service_user(removed_membership)

    surviving_membership = dao_get_service_user(sample_user.id, other_service.id)
    surviving_membership.folders = [surviving_folder]
    dao_update_service_user(surviving_membership)

    dao_remove_user_from_service(sample_service, sample_user)

    # .one() is itself part of the check: it fails unless exactly one row is
    # left, so stale grants for the removed service would be caught here.
    remaining_row = db.session.query(user_folder_permissions).one()

    assert remaining_row.user_id == surviving_membership.user_id
    assert remaining_row.service_id == surviving_membership.service_id
    assert remaining_row.template_folder_id == surviving_folder.id
def test_dao_archive_user(sample_user, sample_organisation, fake_uuid):
    """Archiving a user removes their access and resets identifying fields.

    The user is given service permissions on two services, an organisation
    membership, a folder permission and a live session id. After
    ``dao_archive_user`` the test expects all of those to be gone or reset,
    the state to be ``'inactive'`` and the old password to stop verifying.
    """
    sample_user.current_session_id = fake_uuid

    # Two services for sample_user, each shared with one other active user.
    # NOTE(review): the e-mail literals look redacted in this copy of the
    # file - confirm the real values against the repository.
    first_service = create_service(service_name='Service 1')
    first_colleague = create_user(email='*****@*****.**')
    first_service.users = [sample_user, first_colleague]
    create_permissions(sample_user, first_service, 'manage_settings')
    create_permissions(first_colleague, first_service, 'manage_settings', 'view_activity')

    second_service = create_service(service_name='Service 2')
    second_colleague = create_user(email='*****@*****.**')
    second_service.users = [sample_user, second_colleague]
    create_permissions(sample_user, second_service, 'view_activity')
    create_permissions(second_colleague, second_service, 'manage_settings')

    # Organisation membership.
    sample_organisation.users = [sample_user]

    # Folder permission on a folder belonging to the first service.
    granted_folder = create_template_folder(first_service)
    membership = dao_get_service_user(sample_user.id, first_service.id)
    membership.folders = [granted_folder]
    dao_update_service_user(membership)

    dao_archive_user(sample_user)

    # Every grant is gone.
    assert sample_user.get_permissions() == {}
    assert sample_user.services == []
    assert sample_user.organisations == []

    # Identity and credential fields are reset.
    assert sample_user.auth_type == EMAIL_AUTH_TYPE
    assert sample_user.email_address == '*****@*****.**'
    assert sample_user.mobile_number is None
    # The session id set at the top of the test is replaced by the all-zero UUID.
    assert sample_user.current_session_id == uuid.UUID(
        '00000000-0000-0000-0000-000000000000')
    assert sample_user.state == 'inactive'
    assert not sample_user.check_password('password')