def set_permissions(user_id, service_id):
# TODO fix security hole, how do we verify that the user
# who is making this request has permission to make the request.
service_user = dao_get_service_user(user_id, service_id)
user = service_user.user
service = dao_fetch_service_by_id(service_id=service_id)
data = request.get_json()
validate(data, post_set_permissions_schema)
permission_list = [
Permission(service_id=service_id, user_id=user_id, permission=p['permission'])
for p in data['permissions']
]
service_key = "service_id_{}".format(service_id)
change_dict = {service_key: service_id, "permissions": permission_list}
try:
_update_alert(user, change_dict)
except Exception as e:
current_app.logger.error(e)
permission_dao.set_user_service_permission(user, service, permission_list, _commit=True, replace=True)
if 'folder_permissions' in data:
folders = [
dao_get_template_folder_by_id_and_service_id(folder_id, service_id)
for folder_id in data['folder_permissions']
]
service_user.folders = folders
dao_update_service_user(service_user)
return jsonify({}), 204
def test_update_user_folder_permissions(client, sample_user, sample_service):
tf1 = create_template_folder(sample_service)
tf2 = create_template_folder(sample_service)
tf3 = create_template_folder(sample_service)
service_user = dao_get_service_user(sample_user.id, sample_service.id)
service_user.folders = [tf1, tf2]
dao_update_service_user(service_user)
data = json.dumps({
'permissions': [],
'folder_permissions': [str(tf2.id), str(tf3.id)]
})
response = client.post(url_for('user.set_permissions',
user_id=str(sample_user.id),
service_id=str(sample_service.id)),
headers=[('Content-Type', 'application/json'),
create_authorization_header()],
data=data)
assert response.status_code == 204
assert len(service_user.folders) == 2
assert tf2 in service_user.folders
assert tf3 in service_user.folders
def test_set_user_folder_permissions_does_not_affect_permissions_for_other_services(
client,
sample_user,
sample_service,
):
tf1 = create_template_folder(sample_service)
tf2 = create_template_folder(sample_service)
service_2 = create_service(sample_user, service_name='other service')
tf3 = create_template_folder(service_2)
sample_service_user = dao_get_service_user(sample_user.id,
sample_service.id)
sample_service_user.folders = [tf1]
dao_update_service_user(sample_service_user)
service_2_user = dao_get_service_user(sample_user.id, service_2.id)
service_2_user.folders = [tf3]
dao_update_service_user(service_2_user)
data = json.dumps({'permissions': [], 'folder_permissions': [str(tf2.id)]})
response = client.post(url_for('user.set_permissions',
user_id=str(sample_user.id),
service_id=str(sample_service.id)),
headers=[('Content-Type', 'application/json'),
create_authorization_header()],
data=data)
assert response.status_code == 204
assert sample_service_user.folders == [tf2]
assert service_2_user.folders == [tf3]
def set_permissions(user_id, service_id):
# TODO fix security hole, how do we verify that the user
# who is making this request has permission to make the request.
service_user = dao_get_service_user(user_id, service_id)
user = service_user.user
service = dao_fetch_service_by_id(service_id=service_id)
data = request.get_json()
validate(data, post_set_permissions_schema)
permission_list = [
Permission(service_id=service_id,
user_id=user_id,
permission=p['permission']) for p in data['permissions']
]
permission_dao.set_user_service_permission(user,
service,
permission_list,
_commit=True,
replace=True)
if 'folder_permissions' in data:
folders = [
dao_get_template_folder_by_id_and_service_id(
folder_id, service_id)
for folder_id in data['folder_permissions']
]
service_user.folders = folders
dao_update_service_user(service_user)
return jsonify({}), 204
def test_removing_a_user_from_a_service_deletes_their_folder_permissions_for_that_service(sample_user, sample_service):
tf1 = create_template_folder(sample_service)
tf2 = create_template_folder(sample_service)
service_2 = create_service(sample_user, service_name='other service')
tf3 = create_template_folder(service_2)
service_user = dao_get_service_user(sample_user.id, sample_service.id)
service_user.folders = [tf1, tf2]
dao_update_service_user(service_user)
service_2_user = dao_get_service_user(sample_user.id, service_2.id)
service_2_user.folders = [tf3]
dao_update_service_user(service_2_user)
dao_remove_user_from_service(sample_service, sample_user)
user_folder_permission = db.session.query(user_folder_permissions).one()
assert user_folder_permission.user_id == service_2_user.user_id
assert user_folder_permission.service_id == service_2_user.service_id
assert user_folder_permission.template_folder_id == tf3.id
def test_dao_archive_user(sample_user, sample_organisation, fake_uuid):
sample_user.current_session_id = fake_uuid
# create 2 services for sample_user to be a member of (each with another active user)
service_1 = create_service(service_name='Service 1')
service_1_user = create_user(email='*****@*****.**')
service_1.users = [sample_user, service_1_user]
create_permissions(sample_user, service_1, 'manage_settings')
create_permissions(service_1_user, service_1, 'manage_settings',
'view_activity')
service_2 = create_service(service_name='Service 2')
service_2_user = create_user(email='*****@*****.**')
service_2.users = [sample_user, service_2_user]
create_permissions(sample_user, service_2, 'view_activity')
create_permissions(service_2_user, service_2, 'manage_settings')
# make sample_user an org member
sample_organisation.users = [sample_user]
# give sample_user folder permissions for a service_1 folder
folder = create_template_folder(service_1)
service_user = dao_get_service_user(sample_user.id, service_1.id)
service_user.folders = [folder]
dao_update_service_user(service_user)
dao_archive_user(sample_user)
assert sample_user.get_permissions() == {}
assert sample_user.services == []
assert sample_user.organisations == []
assert sample_user.auth_type == EMAIL_AUTH_TYPE
assert sample_user.email_address == '*****@*****.**'
assert sample_user.mobile_number is None
assert sample_user.current_session_id == uuid.UUID(
'00000000-0000-0000-0000-000000000000')
assert sample_user.state == 'inactive'
assert not sample_user.check_password('password')
