def test_need_all_orgs_to_admin_user(user): ''' Old behavior - org admin to ANY organization that a user is member of grants permission to admin that user New behavior enforced here - org admin to ALL organizations that a user is member of grants permission to admin that user ''' org1 = Organization.objects.create(name='org1') org2 = Organization.objects.create(name='org2') org1_admin = user('org1-admin') org1.admin_role.members.add(org1_admin) org12_member = user('org12-member') org1.member_role.members.add(org12_member) org2.member_role.members.add(org12_member) user_access = UserAccess(org1_admin) assert not user_access.can_change(org12_member, {'last_name': 'Witzel'}) role_access = RoleAccess(org1_admin) assert not role_access.can_attach(org1.admin_role, org12_member, 'members', None) assert not role_access.can_attach(org1.member_role, org12_member, 'members', None) org2.admin_role.members.add(org1_admin) assert role_access.can_attach(org1.admin_role, org12_member, 'members', None) assert role_access.can_attach(org1.member_role, org12_member, 'members', None)
def test_org_object_role_not_sufficient(user, organization): member = user('amember') obj_admin = user('icontrolallworkflows') organization.member_role.members.add(member) organization.workflow_admin_role.members.add(obj_admin) user_access = UserAccess(obj_admin) assert not user_access.can_change(member, {'last_name': 'Witzel'})
def test_orphaned_user_allowed(org_admin, rando, organization): ''' We still allow adoption of orphaned* users by assigning them to organization member role, but only in the situation where the org admin already posesses indirect access to all of the user's roles *orphaned means user is not a member of any organization ''' role_access = RoleAccess(org_admin) assert role_access.can_attach(organization.member_role, rando, 'members', None) # Cannot edit the user directly without adding to org first user_access = UserAccess(org_admin) assert not user_access.can_change(rando, {'last_name': 'Witzel'})
def test_org_superuser_role_attach(admin_user, org_admin, organization): ''' Ideally, you would not add superusers to roles (particularly member_role) but it has historically been possible this checks that the situation does not grant unexpected permissions ''' organization.member_role.members.add(admin_user) role_access = RoleAccess(org_admin) assert not role_access.can_attach(organization.member_role, admin_user, 'members', None) assert not role_access.can_attach(organization.admin_role, admin_user, 'members', None) user_access = UserAccess(org_admin) assert not user_access.can_change(admin_user, {'last_name': 'Witzel'})
def test_orphaned_user_allowed(org_admin, rando, organization, org_credential): ''' We still allow adoption of orphaned* users by assigning them to organization member role, but only in the situation where the org admin already posesses indirect access to all of the user's roles *orphaned means user is not a member of any organization ''' # give a descendent role to rando, to trigger the conditional # where all ancestor roles of rando should be in the set of # org_admin roles. org_credential.admin_role.members.add(rando) role_access = RoleAccess(org_admin) org_access = OrganizationAccess(org_admin) assert role_access.can_attach(organization.member_role, rando, 'members', None) assert org_access.can_attach(organization, rando, 'member_role.members', None) # Cannot edit the user directly without adding to org first user_access = UserAccess(org_admin) assert not user_access.can_change(rando, {'last_name': 'Witzel'})
def test_system_auditor_can_modify_self(system_auditor): access = UserAccess(system_auditor) assert access.can_change(obj=system_auditor, data=dict(is_system_auditor='true'))
def test_org_admin_edit_sys_auditor(org_admin, alice, organization): organization.member_role.members.add(alice) access = UserAccess(org_admin) assert not access.can_change(obj=alice, data=dict(is_system_auditor='true'))