def test_registrar_search_after_adding_new_ra_to_workgroup(self):
self.logout()
response = self.client.post(reverse('friendly_login'),
{'username': '******', 'password': '******'})
steve_rogers = models.ObjectClass.objects.get(name="captainAmerica")
self.assertFalse(perms.user_can_view(self.registrar,steve_rogers))
steve_rogers.readyToReview = True
steve_rogers.save()
self.assertFalse(perms.user_can_view(self.registrar,steve_rogers))
response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica")
self.assertEqual(len(response.context['page'].object_list),0)
# Adding the registrars Authorities to the managing authorities of the workgroup
# should grant them access to see item in that workgroup now.
self.avengers_wg.registrationAuthorities.add(self.ra)
self.avengers_wg.save()
self.assertTrue(perms.user_can_view(self.registrar,steve_rogers))
response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica")
self.assertEqual(len(response.context['page'].object_list),0) # indexes are stale, so no results
from django.core import management # Lets recache this workgroup
management.call_command('recache_workgroup_item_visibility', wg=[self.avengers_wg.pk], verbosity=0)
response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica")
self.assertEqual(len(response.context['page'].object_list),1)
self.assertEqual(response.context['page'].object_list[0].object.item,steve_rogers)
self.assertTrue(perms.user_can_view(self.registrar,response.context['page'].object_list[0].object))
def test_registrar_search(self):
self.logout()
response = self.client.post(reverse('django.contrib.auth.views.login'),
{'username': '******', 'password': '******'})
self.assertEqual(response.status_code,302) # logged in
self.assertTrue(perms.user_is_registrar(self.registrar,self.ra))
dp = models.ObjectClass.objects.create(name="deadpool",
description="not really an xman, no matter how much he tries",
workgroup=self.xmen_wg,readyToReview=False)
dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache
self.assertFalse(perms.user_can_view(self.registrar,dp))
self.assertFalse(dp.is_public())
response = self.client.get(reverse('aristotle:search')+"?q=xman")
self.assertFalse(dp in [x.object for x in response.context['page'].object_list])
for i in response.context['page'].object_list:
self.assertTrue(perms.user_can_view(self.registrar,i.object))
response = self.client.get(reverse('aristotle:search')+"?q=deadpool")
self.assertEqual(len(response.context['page'].object_list),0)
dp.readyToReview = True
dp.save()
dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache
self.assertTrue(perms.user_can_view(self.registrar,dp))
# Stryker should be able to find items that are "ready for review" in his RA only.
response = self.client.get(reverse('aristotle:search')+"?q=deadpool")
self.assertEqual(len(response.context['page'].object_list),1)
self.assertEqual(response.context['page'].object_list[0].object.item,dp)
self.assertTrue(perms.user_can_view(self.registrar,response.context['page'].object_list[0].object))
def test_bulk_review_request_on_forbidden_items(self):
self.login_viewer()
self.assertTrue(perms.user_can_view(self.viewer, self.item1))
self.assertTrue(perms.user_can_view(self.viewer, self.item4))
self.assertTrue(models.ReviewRequest.objects.count() == 0)
response = self.client.post(
reverse('aristotle:bulk_action'),
{
'bulkaction': 'aristotle_mdr.contrib.reviews.forms.RequestReviewBulkActionForm',
'items': [self.item1.id, self.item4.id],
},
follow=True
)
from urllib.parse import urlencode
params = {'items': [self.item1.id, self.item4.id]}
url = "{}?{}".format(
reverse("aristotle_reviews:review_create"),
urlencode(params, True)
)
self.assertRedirects(response, url)
self.assertContains(response, "items when registering metadata")
self.assertTrue(self.item1 in response.context['form']['concepts'].initial)
self.assertTrue(self.item4 in response.context['form']['concepts'].initial)
self.assertTrue(len(response.context['form']['concepts'].initial) == 2)
def test_registrar_search_after_adding_new_ra_to_workgroup(self):
self.logout()
response = self.client.post(reverse('django.contrib.auth.views.login'),
{'username': '******', 'password': '******'})
steve_rogers = models.ObjectClass.objects.get(name="captainAmerica")
self.assertFalse(perms.user_can_view(self.registrar,steve_rogers))
steve_rogers.readyToReview = True
steve_rogers.save()
self.assertFalse(perms.user_can_view(self.registrar,steve_rogers))
response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica")
self.assertEqual(len(response.context['page'].object_list),0)
# Adding the registrars Authorities to the managing authorities of the workgroup
# should grant them access to see item in that workgroup now.
self.avengers_wg.registrationAuthorities.add(self.ra)
self.avengers_wg.save()
self.assertTrue(perms.user_can_view(self.registrar,steve_rogers))
response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica")
self.assertEqual(len(response.context['page'].object_list),1)
self.assertEqual(response.context['page'].object_list[0].object.item,steve_rogers)
self.assertTrue(perms.user_can_view(self.registrar,response.context['page'].object_list[0].object))
def test_canViewProfile(self):
u1 = User.objects.create_user('user1','','user1')
u2 = User.objects.create_user('user2','','user2')
self.assertFalse(perms.user_can_view(u1,u2))
self.assertFalse(perms.user_can_view(u2,u1))
self.assertTrue(perms.user_can_view(u1,u1))
self.assertTrue(perms.user_can_view(u2,u2))
def test_canViewProfile(self):
u1 = get_user_model().objects.create_user('*****@*****.**','user1')
u2 = get_user_model().objects.create_user('*****@*****.**','user2')
self.assertFalse(perms.user_can_view(u1,u2))
self.assertFalse(perms.user_can_view(u2,u1))
self.assertTrue(perms.user_can_view(u1,u1))
self.assertTrue(perms.user_can_view(u2,u2))
def test_registrar_can_change_status(self):
self.login_registrar()
self.assertFalse(perms.user_can_view(self.registrar,self.item1))
self.item1.readyToReview = True
self.item1.save()
self.item1 = self.itemType.objects.get(pk=self.item1.pk)
self.assertTrue(perms.user_can_view(self.registrar,self.item1))
self.assertTrue(perms.user_can_change_status(self.registrar,self.item1))
response = self.client.get(reverse('aristotle:changeStatus',args=[self.item1.id]))
self.assertEqual(response.status_code,200)
self.assertEqual(self.item1.statuses.count(),0)
response = self.client.post(reverse('aristotle:changeStatus',args=[self.item1.id]),
{ 'registrationAuthorities': [str(self.ra.id)],
'state': self.ra.public_state,
'changeDetails': "testing",
'cascadeRegistration': 0, #no
}
)
self.assertRedirects(response,url_slugify_concept(self.item1))
self.item1 = self.itemType.objects.get(pk=self.item1.pk)
self.assertEqual(self.item1.statuses.count(),1)
self.assertTrue(self.item1.is_registered)
self.assertTrue(self.item1.is_public())
def test_registrar_cannot_use_faulty_statuses(self):
self.login_registrar()
self.assertFalse(perms.user_can_view(self.registrar,self.item1))
self.item1.readyToReview = True
self.item1.save()
self.item1 = self.itemType.objects.get(pk=self.item1.pk)
self.assertTrue(perms.user_can_view(self.registrar,self.item1))
self.assertTrue(perms.user_can_change_status(self.registrar,self.item1))
response = self.client.get(reverse('aristotle:changeStatus',args=[self.item1.id]))
self.assertEqual(response.status_code,200)
self.assertEqual(self.item1.statuses.count(),0)
response = self.client.post(reverse('aristotle:changeStatus',args=[self.item1.id]),
{ 'registrationAuthorities': [str(self.ra.id)],
'state': "Not a number",#obviously wrong
'changeDetails': "testing",
'cascadeRegistration': 0, #no
}
)
self.assertFormError(response, 'form', 'state', 'Select a valid choice. Not a number is not one of the available choices.')
response = self.client.post(reverse('aristotle:changeStatus',args=[self.item1.id]),
{ 'registrationAuthorities': [str(self.ra.id)],
'state': "343434", #also wrong
'changeDetails': "testing",
'cascadeRegistration': 0, #no
}
)
self.assertFormError(response, 'form', 'state', 'Select a valid choice. 343434 is not one of the available choices.')
def test_bulk_review_request_on_forbidden_items(self):
self.login_viewer()
self.assertTrue(perms.user_can_view(self.viewer, self.item1))
self.assertFalse(perms.user_can_view(self.viewer, self.item4))
self.assertTrue(models.ReviewRequest.objects.count() == 0)
response = self.client.post(
reverse('aristotle:bulk_action'),
{
'bulkaction': 'request_review',
'state': 1,
'items': [self.item1.id, self.item4.id],
'registration_authority': self.ra.id,
"message": "review these plz",
'confirmed': 'confirmed',
}
)
self.assertTrue(models.ReviewRequest.objects.count() == 1)
review = models.ReviewRequest.objects.first()
self.assertTrue(review.concepts.count() == 1)
self.assertTrue(self.item1.concept in review.concepts.all())
self.assertFalse(self.item4.concept in review.concepts.all())
def resolver(cls, attname, default_value, root, info, **args):
retval = getattr(root, attname, default_value)
# If object is a django model
if isinstance(retval, Model):
if isinstance(retval, mdr_models._concept):
# Use user_can_view to determine if we display
if perms.user_can_view(info.context.user, retval):
return retval
else:
return None
if isinstance(retval, mdr_models.aristotleComponent):
# Use user_can_view to determine if we display
if perms.user_can_view(info.context.user, retval):
return retval
else:
return None
if isinstance(retval, mdr_models.RegistrationAuthority):
if retval.is_visible:
return retval
else:
return None
return None
elif isinstance(retval, Manager):
# Need this for when related manager is returned when querying object.related_set
# Can safely return restricted queryset
queryset = retval.get_queryset()
if queryset.model == slots_models.Slot:
instance = getattr(retval, 'instance', None)
if instance:
return slots_models.Slot.objects.get_item_allowed(instance, info.context.user)
else:
return queryset.visible(info.context.user)
if hasattr(queryset, 'visible'):
return queryset.visible(info.context.user)
if issubclass(queryset.model, mdr_models.aristotleComponent):
return queryset
return None
elif isinstance(retval, QuerySet):
# In case a queryset is returned
if hasattr(retval, 'visible'):
return retval.visible(info.context.user)
if issubclass(retval.model, mdr_models.aristotleComponent):
return retval
return None
return retval
def test_current_statuses_only_in_search_results_and_index(self):
# See issue #327
self.logout()
response = self.client.post(reverse('friendly_login'),
{'username': '******', 'password': '******'})
self.assertEqual(response.status_code,302) # logged in
self.assertTrue(perms.user_is_registrar(self.registrar,self.ra))
with reversion.create_revision():
dp = models.ObjectClass.objects.create(name="deadpool",
definition="not really an xman, no matter how much he tries",
workgroup=self.xmen_wg,readyToReview=True)
dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache
self.assertTrue(perms.user_can_view(self.registrar,dp))
self.assertFalse(dp.is_public())
from django.utils import timezone
import datetime
self.ra.register(dp,models.STATES.incomplete,self.registrar,
registrationDate=timezone.now()+datetime.timedelta(days=-7)
)
self.ra.register(dp,models.STATES.standard,self.registrar,
registrationDate=timezone.now()+datetime.timedelta(days=-1)
)
response = self.client.get(reverse('aristotle:search')+"?q=deadpool")
self.assertEqual(len(response.context['page'].object_list),1)
dp_result = response.context['page'].object_list[0]
self.assertTrue(dp_result.object.name=="deadpool")
self.assertTrue(len(dp_result.statuses) == 1)
self.assertTrue(int(dp_result.statuses[0]) == int(models.STATES.standard))
def get_object(self):
item = super(ConceptViewSet,self).get_object()
request = self.request
item = item.item
if not perms.user_can_view(request.user, item):
raise PermissionDenied
else:
return item
def removeDataElementFromDSS(request,de_id,dss_id):
de = get_object_or_404(aristotle.models.DataElement,id=de_id)
dss = get_object_or_404(aristotle_dse.models.DataSetSpecification,id=dss_id)
if user_can_view(request.user,de) and user_can_edit(request.user,dss):
dss.dataElements.filter(dataElement=de).delete()
else:
raise PermissionDenied
return HttpResponseRedirect(reverse("aristotle_dse:%s"%dss.template_name(),args=[dss.id]))
def test_registrar_can_view(self):
# make editor for wg1
r1 = User.objects.create_user("reggie", "", "reg")
self.assertEqual(perms.user_can_view(r1, self.item), False)
s = models.Status.objects.create(
concept=self.item,
registrationAuthority=self.ra,
registrationDate=timezone.now(),
state=self.ra.locked_state,
)
self.assertEqual(perms.user_can_view(r1, self.item), False)
# Caching issue, refresh from DB with correct permissions
self.ra.giveRoleToUser("registrar", r1)
r1 = User.objects.get(pk=r1.pk)
self.assertEqual(perms.user_can_view(r1, self.item), True)
def clean_relatedItems(self):
"""
Attempting to add items you don't have permission to will silently fail.
Its unlikely to happen in normal use.
"""
relatedItems = self.cleaned_data['relatedItems']
relatedItems = [i for i in relatedItems if user_can_view(self.user, i)]
return relatedItems
def bulkFavourite(request,url="aristotle:userFavourites"):
print request.GET.getlist('favourites',[])
for item in request.GET.getlist('favourites',[]):
item = get_or_none(MDR.trebleObject,id=int(item))
if item and user_can_view(request.user,item):
request.user.profile.favourites.add(item)
getVars = request.GET.copy()
if 'favourites' in getVars.keys(): getVars.pop('favourites')
if 'addFavourites' in getVars.keys(): getVars.pop('addFavourites')
return HttpResponseRedirect(reverse(url)+'?'+urllib.urlencode(getVars))
def make_review_request(self, item, user, requester=None):
if not requester:
requester = self.su
self.assertFalse(perms.user_can_view(user,item))
item.save()
item = item.__class__.objects.get(pk=item.pk)
review = ReviewRequest.objects.create(
requester=requester,registration_authority=self.ra,
target_registration_state=self.ra.public_state,
due_date=datetime.date(2010,1,1),
registration_date=datetime.date(2010,1,1)
)
review.concepts.add(item)
self.assertTrue(perms.user_can_view(user,item))
self.assertTrue(perms.user_can_change_status(user,item))
return review
def test_registrar_search_after_adding_new_status_request(self):
self.logout()
response = self.client.post(reverse('friendly_login'),
{'username': '******', 'password': '******'})
steve_rogers = models.ObjectClass.objects.get(name="captainAmerica")
self.assertFalse(perms.user_can_view(self.registrar,steve_rogers))
with reversion.create_revision():
steve_rogers.save()
self.make_review_request(steve_rogers, self.registrar)
self.assertTrue(perms.user_can_view(self.registrar,steve_rogers))
response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica")
self.assertEqual(len(response.context['page'].object_list),1)
self.assertEqual(response.context['page'].object_list[0].object.item,steve_rogers)
self.assertTrue(perms.user_can_view(self.registrar,response.context['page'].object_list[0].object))
def toggleFavourite(request, iid):
item = get_object_or_404(MDR._concept,pk=iid).item
if not user_can_view(request.user, item):
if request.user.is_anonymous():
return redirect(reverse('django.contrib.auth.views.login')+'?next=%s' % request.path)
else:
raise PermissionDenied
request.user.profile.toggleFavourite(item)
if request.GET.get('next',None):
return redirect(request.GET.get('next'))
return redirect(url_slugify_concept(item))
def has_object_permission(self, request, view, obj):
# Safe methods are GET, HEAD and OPTIONS
if request.method in SAFE_METHODS:
return perms.user_can_view(request.user, obj)
elif request.method in ['PUT', 'PATCH']:
return perms.user_can_edit(request.user, obj)
elif request.method == 'DELETE':
return obj.can_delete(request.user)
return False
def test_registrar_can_view(self):
# set up
ra = models.RegistrationAuthority.objects.create(name="Test RA")
# make editor for wg1
r1 = User.objects.create_user('reg','','reg')
self.assertEqual(perms.user_can_view(r1,self.item),False)
s = models.Status.objects.create(
concept=self.item,
registrationAuthority=ra,
registrationDate=timezone.now(),
state=ra.locked_state
)
self.assertEqual(perms.user_can_view(r1,self.item),False)
# Caching issue, refresh from DB with correct permissions
ra.giveRoleToUser('Registrar',r1)
r1 = User.objects.get(pk=r1.pk)
self.assertEqual(perms.user_can_view(r1,self.item),True)
def make_changes(self):
items = self.cleaned_data.get('items')
bad_items = [str(i.id) for i in items if not user_can_view(self.user, i)]
items = items.visible(self.user)
self.user.profile.favourites.add(*items)
return _(
"%(num_items)s items favourited. \n"
"Some items failed, they had the id's: %(bad_ids)s"
) % {
'num_items': len(items),
'bad_ids': ",".join(bad_items)
}
def test_registrar_search_after_adding_new_status_request(self):
self.logout()
response = self.client.post(reverse('friendly_login'),
{'username': '******', 'password': '******'})
steve_rogers = models.ObjectClass.objects.get(name="captainAmerica")
self.assertFalse(perms.user_can_view(self.registrar,steve_rogers))
review = models.ReviewRequest.objects.create(requester=self.su,registration_authority=self.ra)
review.concepts.add(steve_rogers)
with reversion.create_revision():
steve_rogers.save()
review = models.ReviewRequest.objects.create(requester=self.su,registration_authority=self.ra)
review.concepts.add(steve_rogers)
self.assertTrue(perms.user_can_view(self.registrar,steve_rogers))
response = self.client.get(reverse('aristotle:search')+"?q=captainAmerica")
self.assertEqual(len(response.context['page'].object_list),1)
self.assertEqual(response.context['page'].object_list[0].object.item,steve_rogers)
self.assertTrue(perms.user_can_view(self.registrar,response.context['page'].object_list[0].object))
def can_view(item, user):
"""
A filter that acts as a wrapper around ``aristotle_mdr.perms.user_can_view``.
Returns true if the user has permission to view the item, otherwise it returns False.
If calling ``user_can_view`` throws an exception it safely returns False.
For example::
{% if myItem|can_view:request.user %}
{{ item }}
{% endif %}
"""
return perms.user_can_view(user, item)
def get_item(self, user):
item_id = self.kwargs.get(self.item_id_arg, None)
if item_id is None:
raise Http404
try:
item = _concept.objects.get(id=item_id)
except _concept.DoesNotExist:
raise Http404
if not user_can_view(user, item):
raise PermissionDenied
return item
def test_managersCanEditWorkgroups(self):
wg = models.Workgroup.objects.create(name="Test WG 1")
user1 = User.objects.create_user('manager','','manager')
user2 = User.objects.create_user('viewer','','viewer')
wg.managers.add(user1)
wg.viewers.add(user2)
wg.save()
wg = models.Workgroup.objects.get(pk=wg.id)
self.assertTrue(perms.user_in_workgroup(user1,wg))
self.assertTrue(perms.user_in_workgroup(user2,wg))
self.assertTrue(perms.user_can_view(user2,wg))
self.assertTrue(perms.user_can_view(user1,wg))
self.assertTrue(perms.user_can_edit(user1,wg))
self.assertFalse(perms.user_can_edit(user2,wg))
wg.removeUser(user1)
wg.removeUser(user2)
# Caching issue, refresh from DB with correct permissions
user1 = User.objects.get(pk=user1.pk)
user2 = User.objects.get(pk=user2.pk)
self.assertFalse(perms.user_can_edit(user1,wg))
self.assertFalse(perms.user_can_edit(user2,wg))
def test_object_editor_can_view(self):
# set up
ra = models.RegistrationAuthority.objects.create(name="Test RA")
# make editor for wg1
wg1 = models.Workgroup.objects.create(name="Test WG 1")
e1 = User.objects.create_user('editor1','','editor1')
wg1.giveRoleToUser('Editor',e1)
# make editor for wg2
wg2 = models.Workgroup.objects.create(name="Test WG 2")
e2 = User.objects.create_user('editor2','','editor2')
wg2.giveRoleToUser('Editor',e2)
# make an Object Class in wg1
oc = self.item
self.item.workgroup = wg1
self.item.save()
# test editor 1 can view, editor 2 cannot
self.assertEqual(perms.user_can_view(e1,self.item),True)
self.assertEqual(perms.user_can_view(e2,self.item),False)
# move Object Class to wg2
self.item.workgroup = wg2
self.item.save()
# test editor 2 can view, editor 1 cannot
self.assertEqual(perms.user_can_view(e2,self.item),True)
self.assertEqual(perms.user_can_view(e1,self.item),False)
s = models.Status.objects.create(
concept=self.item,
registrationAuthority=ra,
registrationDate=timezone.now(),
state=ra.locked_state
)
# Editor 2 can view. Editor 1 cannot
self.assertEqual(perms.user_can_view(e2,self.item),True)
self.assertEqual(perms.user_can_view(e1,self.item),False)
# Set status to a public state
s.state = ra.public_state
s.save()
# Both can view, neither can edit.
self.assertEqual(perms.user_can_view(e1,self.item),True)
self.assertEqual(perms.user_can_view(e2,self.item),True)
def test_visibility_restriction_facets(self):
# See issue #351
self.logout()
response = self.client.get(reverse('aristotle:search')+"?q=xman")
self.assertTrue('Restriction' not in response.content)
response = self.client.post(reverse('friendly_login'),
{'username': '******', 'password': '******'})
self.assertEqual(response.status_code,302) # logged in
self.assertTrue(perms.user_is_registrar(self.registrar,self.ra))
with reversion.create_revision():
dp = models.ObjectClass.objects.create(name="deadpool",
definition="not really an xman, no matter how much he tries",
workgroup=self.xmen_wg)
review = models.ReviewRequest.objects.create(requester=self.su,registration_authority=self.ra)
review.concepts.add(dp)
dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache
self.assertTrue(perms.user_can_view(self.registrar,dp))
self.assertFalse(dp.is_public())
from django.utils import timezone
import datetime
self.ra.register(dp,models.STATES.candidate,self.registrar,
registrationDate=timezone.now()+datetime.timedelta(days=-7)
)
response = self.client.get(reverse('aristotle:search')+"?q=xman")
self.assertTrue('Restriction' in response.content)
response = self.client.get(reverse('aristotle:search')+"?q=xman&res=1")
self.assertTrue('Restriction' not in response.content)
self.assertTrue('Item visibility state is Locked' in response.content)
self.assertEqual(len(response.context['page'].object_list),1)
dp_result = response.context['page'].object_list[0]
self.assertTrue(dp_result.object.name=="deadpool")
self.assertTrue(len(dp_result.statuses) == 1)
self.assertTrue(dp_result.object.is_locked())
self.assertFalse(dp_result.object.is_public())
self.assertTrue(int(dp_result.statuses[0]) == int(models.STATES.candidate))
def perform_deletion(self):
de_id = self.kwargs['de_id']
dss_id = self.kwargs['dss_id']
de = get_object_or_404(aristotle.models.DataElement, id=de_id)
dss = get_object_or_404(aristotle_dse.models.DataSetSpecification, id=dss_id)
if user_can_view(self.request.user, de) and user_can_edit(self.request.user, dss):
dss.dssdeinclusion_set.filter(data_element=de).delete()
messages.success(
self.request,
_('The Data Element "%(de_name)s" was removed from the dataset "%(dss_name)s".') % {
"de_name": de.name, "dss_name": dss.name
}
)
else:
raise PermissionDenied
def test_object_submitter_can_view(self):
# make editor for wg1
wg1 = models.Workgroup.objects.create(name="Test WG 1")
e1 = User.objects.create_user("editor1", "", "editor1")
wg1.giveRoleToUser("submitter", e1)
# make editor for wg2
wg2 = models.Workgroup.objects.create(name="Test WG 2")
e2 = User.objects.create_user("editor2", "", "editor2")
wg2.giveRoleToUser("submitter", e2)
wg1.registrationAuthorities.add(self.ra)
wg2.registrationAuthorities.add(self.ra)
# ensure object is in wg1
self.item.workgroup = wg1
self.item.save()
# test editor 1 can view, editor 2 cannot
self.assertEqual(perms.user_can_view(e1, self.item), True)
self.assertEqual(perms.user_can_view(e2, self.item), False)
# move object to wg2
self.item.workgroup = wg2
self.item.save()
# test editor 2 can view, editor 1 cannot
self.assertEqual(perms.user_can_view(e2, self.item), True)
self.assertEqual(perms.user_can_view(e1, self.item), False)
s = models.Status.objects.create(
concept=self.item,
registrationAuthority=self.ra,
registrationDate=timezone.now(),
state=self.ra.locked_state,
)
# Editor 2 can view. Editor 1 cannot
self.assertEqual(perms.user_can_view(e2, self.item), True)
self.assertEqual(perms.user_can_view(e1, self.item), False)
# Set status to a public state
s.state = self.ra.public_state
s.save()
# Both can view, neither can edit.
self.assertEqual(perms.user_can_view(e1, self.item), True)
self.assertEqual(perms.user_can_view(e2, self.item), True)
def perform_deletion(self):
de_id = self.kwargs['de_id']
dss_id = self.kwargs['dss_id']
de = get_object_or_404(aristotle_models.DataElement, id=de_id)
dss = get_object_or_404(models.DataSetSpecification, id=dss_id)
if user_can_view(self.request.user, de) and user_can_edit(
self.request.user, dss):
with reversion.revisions.create_revision():
dss.dssdeinclusion_set.filter(data_element=de).delete()
dss.save()
reversion.set_comment('Removed {}'.format(de.name))
messages.success(
self.request,
_('The Data Element "%(de_name)s" was removed from the dataset "%(dss_name)s".'
) % {
"de_name": de.name,
"dss_name": dss.name
})
else:
raise PermissionDenied
def perform_deletion(self):
cluster_id = self.kwargs['cluster_id']
dss_id = self.kwargs['dss_id']
cluster = get_object_or_404(models.DataSetSpecification, id=cluster_id)
dss = get_object_or_404(models.DataSetSpecification, id=dss_id)
if user_can_view(self.request.user, cluster) and user_can_edit(
self.request.user, dss):
with reversion.revisions.create_revision():
dss.dssclusterinclusion_set.filter(child=cluster).delete()
dss.save()
reversion.set_comment('Removed {}'.format(cluster.name))
messages.success(
self.request,
_('The cluster "%(cl_name)s" was removed from the dataset "%(dss_name)s".'
) % {
"cl_name": cluster.name,
"dss_name": dss.name
})
else:
raise PermissionDenied
def test_object_submitter_can_edit(self):
registrar = User.objects.create_user('registrar', '', 'registrar')
self.ra.registrars.add(registrar)
# make editor for wg1
wg1 = models.Workgroup.objects.create(name="Test WG 1")
e1 = User.objects.create_user('editor1', '', 'editor1')
wg1.giveRoleToUser('submitter', e1)
# make editor for wg2
wg2 = models.Workgroup.objects.create(name="Test WG 2")
e2 = User.objects.create_user('editor2', '', 'editor2')
wg2.giveRoleToUser('submitter', e2)
wg1.registrationAuthorities.add(self.ra)
wg2.registrationAuthorities.add(self.ra)
# ensure object is in wg1
self.item.workgroup = wg1
self.item.save()
# test editor 1 can edit, editor 2 cannot
self.assertEqual(perms.user_can_edit(e1, self.item), True)
self.assertEqual(perms.user_can_edit(e2, self.item), False)
# move Object Class to wg2
self.item.workgroup = wg2
self.item.save()
# test editor 2 can edit, editor 1 cannot
self.assertEqual(perms.user_can_edit(e2, self.item), True)
self.assertEqual(perms.user_can_edit(e1, self.item), False)
# self.ra.register(self.item,self.ra.locked_state,registrar,timezone.now(),)
s = models.Status.objects.create(concept=self.item,
registrationAuthority=self.ra,
registrationDate=timezone.now(),
state=self.ra.locked_state)
# Editor 2 can no longer edit. Neither can Editor 1
self.assertEqual(perms.user_can_edit(e2, self.item), False)
self.assertEqual(perms.user_can_view(e1, self.item), False)
def test_current_statuses_only_in_search_results_and_index(self):
# See issue #327
self.logout()
response = self.client.post(reverse('friendly_login'),
{'username': '******', 'password': '******'})
self.assertEqual(response.status_code,302) # logged in
self.assertTrue(perms.user_is_registrar(self.registrar,self.ra))
with reversion.create_revision():
dp = models.ObjectClass.objects.create(name="deadpool",
definition="not really an xman, no matter how much he tries",
workgroup=self.xmen_wg)
review = models.ReviewRequest.objects.create(
requester=self.su,registration_authority=self.ra,
state=self.ra.public_state,
registration_date=datetime.date(2010,1,1)
)
review.concepts.add(dp)
dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache
self.assertTrue(perms.user_can_view(self.registrar,dp))
self.assertFalse(dp.is_public())
self.ra.register(dp,models.STATES.incomplete,self.registrar,
registrationDate=timezone.now()+datetime.timedelta(days=-7)
)
self.ra.register(dp,models.STATES.standard,self.registrar,
registrationDate=timezone.now()+datetime.timedelta(days=-1)
)
response = self.client.get(reverse('aristotle:search')+"?q=deadpool")
self.assertEqual(len(response.context['page'].object_list),1)
dp_result = response.context['page'].object_list[0]
self.assertTrue(dp_result.object.name=="deadpool")
self.assertTrue(len(dp_result.statuses) == 1)
self.assertTrue(int(dp_result.statuses[0]) == int(models.STATES.standard))
def make_changes(self):
items = self.items_to_change
items = items.visible(self.user)
fav_tag, created = fav_models.Tag.objects.get_or_create(
profile=self.user.profile,
primary=True,
)
num_items = 0
bad_items = []
for item in items:
if not user_can_view(self.user, item):
bad_items.append(str(item.id))
else:
favourite, created = fav_models.Favourite.objects.get_or_create(
tag=fav_tag, item=item)
if created:
num_items += 1
message_text = "{0} items favourited.".format(num_items)
return _(message_text)
def test_can_view_cache(self):
self.viewer = User.objects.create_user('vicky', '', 'viewer') # Don't need to assign any workgroups
self.assertTrue(perms.user_can_view(self.submitter, self.item))
self.assertFalse(perms.user_can_view(self.viewer, self.item))
self.item.definition = "edit name, then quickly check permission"
self.item.save()
self.assertTrue(perms.user_can_view(self.submitter, self.item))
self.assertFalse(perms.user_can_view(self.viewer, self.item))
self.item.definition = "edit name, then wait 30 secs for 'recently edited to expire'"
self.item.save()
sleep(models.VERY_RECENTLY_SECONDS + 2)
self.assertTrue(perms.user_can_view(self.submitter, self.item))
self.assertFalse(perms.user_can_view(self.viewer, self.item))
# register then immediately check the permissions to make sure the cache is ignored
# technically we haven't edited the item yet, although ``concept.recache_states`` will be called.
reg, c = models.Status.objects.get_or_create(
concept=self.item,
registrationAuthority=self.ra,
registrationDate=datetime.date(2009, 04, 28),
state=models.STATES.standard
)
self.assertTrue(perms.user_can_view(self.submitter, self.item))
self.assertTrue(perms.user_can_view(self.viewer, self.item))
def resolver(cls, attname, default_value, root, info, **args):
retval = getattr(root, attname, default_value)
# If object is a django model
if isinstance(retval, Model):
if isinstance(retval, mdr_models._concept):
# Use user_can_view to determine if we display
if perms.user_can_view(info.context.user, retval):
return retval
return None
elif isinstance(retval, Manager):
# Need this for when related manager is returned when querying object.related_set
# Can safely return restricted queryset
queryset = retval.get_queryset()
if queryset.model == slots_models.Slot:
instance = getattr(retval, 'instance', None)
if instance:
return get_allowed_slots(instance, info.context.user)
else:
return filter_slot_perms(queryset, info.context.user)
if hasattr(queryset, 'visible'):
return queryset.visible(info.context.user)
elif isinstance(retval, QuerySet):
# In case a queryset is returned
if hasattr(retval, 'visible'):
return retval.visible(info.context.user)
else:
return retval
return retval
def test_workgroup_member_search_has_valid_facets(self):
self.logout()
self.viewer = get_user_model().objects.create_user('charles.xavier','*****@*****.**','equalRightsForAll')
response = self.client.post(reverse('friendly_login'),
{'username': '******', 'password': '******'})
self.assertEqual(response.status_code,302) # logged in
self.xmen_wg.giveRoleToUser('viewer',self.viewer)
self.weaponx_wg = models.Workgroup.objects.create(name="WeaponX")
response = self.client.post(reverse('friendly_login'),
{'username': '******', 'password': '******'})
self.assertEqual(response.status_code,302) # logged in
#Create Deadpool in Weapon X workgroup
with reversion.create_revision():
dp = models.ObjectClass.objects.create(name="deadpool",
definition="not really an xman, no matter how much he tries",
workgroup=self.weaponx_wg)
dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache
self.assertFalse(perms.user_can_view(self.viewer,dp))
self.assertFalse(dp.is_public())
response = self.client.get(reverse('aristotle:search')+"?q=xman")
self.assertEqual(response.status_code,200)
facets = response.context['form'].facets['fields']
self.assertTrue('restriction' in facets.keys())
self.assertTrue('facet_model_ct' in facets.keys())
self.assertTrue('statuses' in facets.keys())
self.assertTrue('workgroup' in facets.keys())
for wg, count in facets['workgroup']:
wg = models.Workgroup.objects.get(pk=wg)
self.assertTrue(perms.user_in_workgroup(self.viewer,wg))
def resolver(cls, attname, default_value, root, info, **args):
retval = getattr(root, attname, default_value)
# If object is a django model
if isinstance(retval, Model):
# Use user_can_view to determine if we display
if perms.user_can_view(info.context.user, retval):
return retval
else:
return None
elif isinstance(retval, Manager):
# Need this for when related manager is returned when querying object.related_set
# Can safely return restricted queryset
return retval.get_queryset().visible(info.context.user)
elif isinstance(retval, QuerySet):
# In case a queryset is returned
return retval.visible(info.context.user)
return retval
def test_user_can_view_efficiency(self):
# Currently 2 because of is_registrar check
with self.assertNumQueries(2):
perms.user_can_view(self.editor, self.oc)
def get(self, request, pk, format=None):
relational_attr = self.get_object()
seen_items_ids = set()
# queue = collections.deque([relational_attr])
nodes = []
edges = []
source_item = ConceptSerializer(relational_attr).data
source_item["type"] = self.split_camel_case(relational_attr.__class__.__name__)
source_item["node_options"] = {
"shape": "ellipse",
"borderWidth": 2, "margin": 3,
"font": {"size": 15}
}
nodes.append(source_item)
if hasattr(relational_attr, 'relational_attributes'):
for queryset in relational_attr.relational_attributes.values():
for related_concept in queryset['qs']:
related_item = related_concept.item
if perms.user_can_view(self.request.user, related_item):
serialized_item = ConceptSerializer(related_item).data
serialized_item["type"] = self.split_camel_case(related_item.__class__.__name__)
if serialized_item["id"] not in seen_items_ids and len(nodes) < settings.MAXIMUM_NUMBER_OF_NODES_IN_GRAPHS:
nodes.append(serialized_item)
if is_active_extension("comet"):
from comet.models import Indicator, IndicatorSet
# Change the direction of arrows from Indicator to Indicator Set:
if isinstance(relational_attr, IndicatorSet) and isinstance(relational_attr, Indicator):
edges.append(({"from": relational_attr.id, "to": serialized_item["id"]}))
else:
edges.append(({"from": serialized_item["id"], "to": relational_attr.id}))
else:
edges.append(({"from": serialized_item["id"], "to": relational_attr.id}))
seen_items_ids.add(serialized_item["id"])
for field in relational_attr._meta.get_fields():
if field.is_relation and field.many_to_one and issubclass(field.related_model, concept):
related_concept_instance = getattr(relational_attr, field.name)
if related_concept_instance is not None:
related_concept_instance = related_concept_instance.item
if perms.user_can_view(self.request.user, related_concept_instance):
serialised_concept = ConceptSerializer(related_concept_instance).data
serialised_concept["type"] = self.split_camel_case(str(type(related_concept_instance)))
if serialised_concept["id"] not in seen_items_ids and len(nodes) < settings.MAXIMUM_NUMBER_OF_NODES_IN_GRAPHS:
nodes.append(serialised_concept)
edges.append({"from": relational_attr.id, "to": serialised_concept["id"]})
seen_items_ids.add(serialised_concept["id"])
if field.is_relation and field.one_to_many and issubclass(field.related_model, aristotleComponent):
for aris_comp_field in field.related_model._meta.get_fields():
if aris_comp_field.is_relation and aris_comp_field.many_to_one and\
issubclass(aris_comp_field.related_model, concept) and aris_comp_field.related_model != type(relational_attr):
queryset = getattr(relational_attr, field.get_accessor_name()).all()
for component in queryset:
component_instance = getattr(component, aris_comp_field.name)
if component_instance is not None:
serialised_concept_instance = ConceptSerializer(component_instance).data
serialised_concept_instance["type"] = self.split_camel_case(component_instance.__class__.__name__)
if serialised_concept_instance["id"] not in seen_items_ids and len(nodes) < settings.MAXIMUM_NUMBER_OF_NODES_IN_GRAPHS:
nodes.append(serialised_concept_instance)
edges.append({"from": serialised_concept_instance["id"], "to": relational_attr.id})
seen_items_ids.add(serialised_concept_instance["id"])
json_response = {'nodes': nodes, 'edges': edges}
return Response(
json_response,
status=status.HTTP_200_OK
)
def get(self, request, pk, format=None):
item = self.get_object()
seen_items_ids = set()
# queue = collections.deque([item])
nodes = []
edges = []
source_item = ConceptSerializer(item).data
source_item["type"] = self.camel_case_split(item.__class__.__name__)
source_item["node_options"] = {
"shape": "ellipse",
"borderWidth": 2,
"margin": 3,
"font": {
"size": 15
}
}
nodes.append(source_item)
if hasattr(item, 'relational_attributes'):
for d in item.relational_attributes.values():
for rel_attr in d['qs']:
if perms.user_can_view(self.request.user, rel_attr):
serialised_rel_attr = ConceptSerializer(rel_attr).data
serialised_rel_attr["type"] = self.camel_case_split(
rel_attr.__class__.__name__)
if serialised_rel_attr["id"] not in seen_items_ids and len(
nodes
) < settings.MAXIMUM_NUMBER_OF_NODES_IN_GENERAL_GRAPHICAL_REPRESENTATION:
nodes.append(serialised_rel_attr)
edges.append(({
"from": serialised_rel_attr["id"],
"to": item.id
}))
seen_items_ids.add(serialised_rel_attr["id"])
for field in item._meta.get_fields():
if field.is_relation and field.many_to_one and issubclass(
field.related_model, concept):
related_concept_instance = getattr(item, field.name)
if related_concept_instance is not None:
if perms.user_can_view(self.request.user,
related_concept_instance):
serialised_concept = ConceptSerializer(
related_concept_instance).data
serialised_concept["type"] = self.camel_case_split(
related_concept_instance.__class__.__name__)
if serialised_concept["id"] not in seen_items_ids and len(
nodes
) < settings.MAXIMUM_NUMBER_OF_NODES_IN_GENERAL_GRAPHICAL_REPRESENTATION:
nodes.append(serialised_concept)
edges.append({
"from": item.id,
"to": serialised_concept["id"]
})
seen_items_ids.add(serialised_concept["id"])
if field.is_relation and field.one_to_many and issubclass(
field.related_model, aristotleComponent):
for aris_comp_field in field.related_model._meta.get_fields():
if aris_comp_field.is_relation and aris_comp_field.many_to_one and\
issubclass(aris_comp_field.related_model, concept) and aris_comp_field.related_model != type(item):
queryset = getattr(item,
field.get_accessor_name()).all()
for component in queryset:
component_instance = getattr(
component, aris_comp_field.name)
if component_instance is not None:
serialised_concept_instance = ConceptSerializer(
component_instance).data
serialised_concept_instance[
"type"] = self.camel_case_split(
component_instance.__class__.__name__)
if serialised_concept_instance[
"id"] not in seen_items_ids and len(
nodes
) < settings.MAXIMUM_NUMBER_OF_NODES_IN_GENERAL_GRAPHICAL_REPRESENTATION:
nodes.append(serialised_concept_instance)
edges.append({
"from":
serialised_concept_instance["id"],
"to":
item.id
})
seen_items_ids.add(
serialised_concept_instance["id"])
json_response = {'nodes': nodes, 'edges': edges}
return Response(json_response, status=status.HTTP_200_OK)
def check_item(self, item):
# Will 403 when user cant view the item
return user_can_view(self.request.user, item)
def test_can_view(self):
self.assertTrue(perms.user_can_view(self.su,None))
def get_object(self, queryset=None):
item = super().get_object(queryset)
if not user_can_view(self.request.user, item):
raise PermissionDenied
self.model = item.item.__class__ # Get the subclassed object
return item
def get_object(self):
id = self.kwargs[self.pk_url_kwarg]
obj = get_object_or_404(self.model, pk=id).item
if not perms.user_can_view(self.request.user, obj):
raise PermissionDenied
return obj
def get_object(self):
item = super(ConceptViewSet, self).get_object().item
if not perms.user_can_view(self.request.user, item):
raise PermissionDenied
else:
return item
def has_object_permission(self, request, view, obj):
if request.method in self.can_view_methods:
return perms.user_can_view(request.user, obj)
else:
return perms.user_can_edit(request.user, obj)
def validate_issue(self, value):
if not user_can_view(self.context['request'].user, value):
raise serializers.ValidationError(
'You don\'t have permission to comment on this issue')
return value
def check_object_permissions(self, request, obj):
item = obj.item
if not perms.user_can_view(request.user, item):
raise PermissionDenied
else:
return obj
def clean_dataElements(self):
dataElements = self.cleaned_data['dataElements']
cleaned = [de for de in dataElements if user_can_view(self.user, de)]
return cleaned
def clean_dataElements(self):
clusters = self.cleaned_data['clusters']
cleaned = [dss for dss in clusters if user_can_view(self.user, dss)]
return cleaned
def test_workgroup_member_search(self):
self.logout()
self.viewer = User.objects.create_user(
'charles.xavier', '*****@*****.**',
'equalRightsForAll')
self.weaponx_wg = models.Workgroup.objects.create(name="WeaponX")
response = self.client.post(reverse('friendly_login'), {
'username': '******',
'password': '******'
})
self.assertEqual(response.status_code, 302) # logged in
#Charles is not in any workgroups
self.assertFalse(perms.user_in_workgroup(self.viewer, self.xmen_wg))
self.assertFalse(perms.user_in_workgroup(self.viewer, self.weaponx_wg))
#Create Deadpool in Weapon X workgroup
with reversion.create_revision():
dp = models.ObjectClass.objects.create(
name="deadpool",
definition="not really an xman, no matter how much he tries",
workgroup=self.weaponx_wg,
readyToReview=False)
dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache
self.assertFalse(perms.user_can_view(self.viewer, dp))
self.assertFalse(dp.is_public())
# Charles isn't a viewer of X-men yet, so no results.
from aristotle_mdr.forms.search import PermissionSearchQuerySet
psqs = PermissionSearchQuerySet()
psqs = psqs.auto_query('deadpool').apply_permission_checks(self.viewer)
self.assertEqual(len(psqs), 0)
#response = self.client.get(reverse('aristotle:search')+"?q=deadpool")
#self.assertEqual(len(response.context['page'].object_list),0)
# Make viewer of XMen
self.xmen_wg.giveRoleToUser('viewer', self.viewer)
self.assertFalse(perms.user_can_view(self.viewer, dp))
# Deadpool isn't an Xman yet, still no results.
psqs = PermissionSearchQuerySet()
psqs = psqs.auto_query('deadpool').apply_permission_checks(self.viewer)
self.assertEqual(len(psqs), 0)
with reversion.create_revision():
dp.workgroup = self.xmen_wg
dp.save()
dp = models.ObjectClass.objects.get(pk=dp.pk) # Un-cache
# Charles is a viewer, Deadpool is in X-men, should have results now.
psqs = PermissionSearchQuerySet()
psqs = psqs.auto_query('deadpool').apply_permission_checks(self.viewer)
self.assertEqual(len(psqs), 1)
response = self.client.get(reverse('aristotle:search') + "?q=deadpool")
self.assertTrue(perms.user_can_view(self.viewer, dp))
self.assertEqual(len(response.context['page'].object_list), 1)
self.assertEqual(response.context['page'].object_list[0].object.item,
dp)
# Take away Charles viewing rights and no results again.
self.xmen_wg.removeRoleFromUser('viewer', self.viewer)
psqs = PermissionSearchQuerySet()
psqs = psqs.auto_query('deadpool').apply_permission_checks(self.viewer)
self.assertEqual(len(psqs), 0)
response = self.client.get(reverse('aristotle:search') + "?q=deadpool")
self.assertEqual(len(response.context['page'].object_list), 0)
def check_item(self, item):
return user_can_view(self.request.user, item)
def get_if_user_can_view(objtype, user, iid):
item = get_object_or_404(objtype, pk=iid)
if user_can_view(user, item):
return item
else:
return False
def resolver(cls, attname, default_value, root, info, **args):
retval = getattr(root, attname, default_value)
# If object is a django model
if isinstance(retval, Model):
if isinstance(retval, mdr_models._concept):
# Use user_can_view to determine if we display
if perms.user_can_view(info.context.user, retval):
return retval
else:
return None
if isinstance(retval, mdr_models.aristotleComponent):
# Use user_can_view to determine if we display
if perms.user_can_view(info.context.user, retval):
return retval
else:
return None
if isinstance(retval, mdr_models.RegistrationAuthority):
if retval.is_visible:
return retval
else:
return None
if type(retval) in cls.allowed_models:
return retval
return None
elif isinstance(retval, Manager):
# Need this for when related manager is returned when querying object.related_set
# Can safely return restricted queryset
queryset = retval.get_queryset()
# We need to check permissions for Organisations depending on the authentication of the user:
if queryset.model == mdr_models.RecordRelation:
return queryset
if queryset.model == slots_models.Slot:
instance = getattr(retval, 'instance', None)
if instance:
return slots_models.Slot.objects.get_item_allowed(
instance, info.context.user)
else:
return queryset.visible(info.context.user)
if queryset.model == cf_models.CustomValue:
instance = getattr(retval, 'instance', None)
if instance:
return cf_models.CustomValue.objects.get_item_allowed(
instance, info.context.user)
else:
return queryset.visible(info.context.user)
if hasattr(queryset, 'visible'):
return queryset.visible(info.context.user)
if queryset.model in (link_models.Link, link_models.LinkEnd):
return queryset
if issubclass(queryset.model, mdr_models.aristotleComponent):
return queryset
return queryset.none()
elif isinstance(retval, QuerySet):
# In case a queryset is returned
if hasattr(retval, 'visible'):
return retval.visible(info.context.user)
if issubclass(retval.model, mdr_models.aristotleComponent):
return retval
return retval.none()
return retval
def validate_item(self, value):
if not user_can_view(self.context['request'].user, value):
raise serializers.ValidationError(
'You don\'t have permission to create an issue against this item'
)
return value
