class Meta(CustomResourceMeta): authentication = RequirePermissionAuthentication( Permissions.edit_commcare_users) object_class = Group list_allowed_methods = ['get'] detail_allowed_methods = ['get'] resource_name = 'group'
class Meta(CustomResourceMeta): resource_name = 'ucr_data_source' list_allowed_methods = ['get'] detail_allowed_methods = ['get', 'put'] always_return_data = True paginator_class = DoesNothingPaginator authentication = RequirePermissionAuthentication(Permissions.edit_ucrs)
class Meta(object): resource_name = 'location' detail_uri_name = 'location_id' queryset = SQLLocation.objects.filter(is_archived=False).all() authentication = RequirePermissionAuthentication( Permissions.edit_locations) allowed_methods = ['get'] fields = [ 'id', 'name', 'domain', 'location_id', 'site_code', 'external_id', 'created_at', 'last_modified', 'latitude', 'longitude', ] filtering = { 'domain': ['exact'], 'site_code': ['exact'], 'external_id': ['exact'], 'created_at': ALL, 'last_modified': ALL, 'latitude': ALL, 'longitude': ALL, }
class Meta(object): resource_name = 'domain_usernames' authentication = RequirePermissionAuthentication( Permissions.view_commcare_users) object_class = User include_resource_uri = False allowed_methods = ['get']
class Meta(CustomResourceMeta): authentication = RequirePermissionAuthentication(Permissions.edit_data) object_class = ESXFormInstance list_allowed_methods = ['get'] detail_allowed_methods = ['get'] resource_name = 'form' ordering = ['received_on'] serializer = XFormInstanceSerializer(formats=['json'])
class Meta(object): resource_name = 'domain_cases' authentication = RequirePermissionAuthentication(Permissions.access_api) object_class = CaseType include_resource_uri = False allowed_methods = ['get'] limit = 100 max_limit = 1000
class Meta: queryset = StockTransaction.objects.all() list_allowed_methods = ['get'] detail_allowed_methods = ['get'] resource_name = 'stock_transaction' authentication = RequirePermissionAuthentication(Permissions.view_reports) paginator_class = NoCountingPaginator authorization = DomainAuthorization(domain_key='report__domain') filtering = { "case_id": ('exact',), "section_id": ('exact'), } fields = ['case_id', 'product_id', 'type', 'section_id', 'quantity', 'stock_on_hand'] include_resource_uri = False
class Meta(object): resource_name = 'location_type' queryset = LocationType.objects.all() authentication = RequirePermissionAuthentication( Permissions.edit_locations) fields = [ 'id', 'domain', 'name', 'code', 'parent_type', 'administrative', 'shares_cases', 'view_descendants', ] filtering = { "domain": ('exact', ), }
class Meta(object): queryset = DeviceReportEntry.objects.all() list_allowed_methods = ['get'] detail_allowed_methods = ['get'] resource_name = 'device-log' authentication = RequirePermissionAuthentication(Permissions.edit_data) authorization = DomainAuthorization() paginator_class = NoCountingPaginator filtering = { # this is needed for the domain filtering but any values passed in via the URL get overridden "domain": ('exact', ), "date": ('exact', 'gt', 'gte', 'lt', 'lte', 'range'), "user_id": ('exact', ), "username": ('exact', ), "type": ('exact', ), "xform_id": ('exact', ), "device_id": ('exact', ), }
class Meta(object): queryset = MessagingEvent.objects.all() list_allowed_methods = ['get'] detail_allowed_methods = ['get'] resource_name = 'messaging-event' authentication = RequirePermissionAuthentication(Permissions.edit_data) authorization = DomainAuthorization() paginator_class = NoCountingPaginator filtering = { # this is needed for the domain filtering but any values passed in via the URL get overridden "domain": ('exact', ), "date": ('exact', 'gt', 'gte', 'lt', 'lte', 'range'), "source": ('exact', ), "content_type": ('exact', ), "status": ('exact', ), } ordering = [ 'date', ]
class Meta(object): authentication = RequirePermissionAuthentication(Permissions.edit_data) resource_name = 'sms_user_registration_reinstall' allowed_methods = ['post'] validation = UserSelfRegistrationReinstallValidation()
class Meta(CustomResourceMeta): authentication = RequirePermissionAuthentication(Permissions.edit_apps) object_class = Application list_allowed_methods = ['get'] detail_allowed_methods = ['get'] resource_name = 'application'
class Meta(CustomResourceMeta): authentication = RequirePermissionAuthentication( Permissions.edit_apps, allow_session_auth=True) object_class = FixtureDataItem resource_name = 'fixture_internal' limit = 0
class Meta(CustomResourceMeta): authentication = RequirePermissionAuthentication(Permissions.edit_data) object_class = CommCareCase resource_name = 'case' list_allowed_methods = ['get'] detail_allowed_methods = ['get']
class Meta(UserResource.Meta): authentication = RequirePermissionAuthentication( Permissions.edit_commcare_users) object_class = CommCareUser resource_name = 'user'
class Meta(UserResource.Meta): authentication = RequirePermissionAuthentication( Permissions.edit_web_users) object_class = WebUser resource_name = 'web-user'
class RequirePermissionAuthenticationTest(AuthenticationTestBase): require_edit_data = RequirePermissionAuthentication(Permissions.edit_data) @classmethod def setUpClass(cls): super().setUpClass() cls.role_with_permission = UserRole.create( cls.domain, 'edit-data', permissions=Permissions(edit_data=True)) cls.role_without_permission = UserRole.create( cls.domain, 'no-edit-data', permissions=Permissions(edit_data=False)) cls.role_with_permission_but_no_api_access = UserRole.create( cls.domain, 'no-api-access', permissions=Permissions(edit_data=True, access_api=False)) cls.domain_admin = WebUser.create(cls.domain, 'domain_admin', cls.password, None, None, is_admin=True) cls.user_with_permission = WebUser.create( cls.domain, 'permission', cls.password, None, None, role_id=cls.role_with_permission.get_id) cls.user_without_permission = WebUser.create( cls.domain, 'no-permission', cls.password, None, None, role_id=cls.role_without_permission.get_id) cls.user_with_permission_but_no_api_access = WebUser.create( cls.domain, 'no-api-access', cls.password, None, None, role_id=cls.role_with_permission_but_no_api_access.get_id, ) def test_login_no_auth_no_domain(self): self.assertAuthenticationFail(self.require_edit_data, self._get_request()) def test_login_no_auth_with_domain(self): self.assertAuthenticationFail(self.require_edit_data, self._get_request(domain=self.domain)) def test_login_with_wrong_domain(self): project = Domain.get_or_create_with_name('api-test-fail', is_active=True) self.addCleanup(project.delete) self.assertAuthenticationFail( self.require_edit_data, self._get_request_with_api_key(domain=project.name)) def test_login_with_domain_no_permissions(self): self.assertAuthenticationFail( self.require_edit_data, self._get_request_with_api_key(domain=self.domain)) def test_login_with_domain_admin_default(self): api_key_with_default_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.domain_admin), name='default', ) self.assertAuthenticationSuccess( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.domain_admin.username, api_key_with_default_permissions))) def test_domain_admin_with_explicit_roles(self): api_key_with_explicit_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.domain_admin), name='explicit_with_permission', role_id=self.role_with_permission.get_id, ) api_key_without_explicit_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.domain_admin), name='explicit_without_permission', role_id=self.role_without_permission.get_id, ) self.assertAuthenticationSuccess( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.domain_admin.username, api_key_with_explicit_permissions))) self.assertAuthenticationFail( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.domain_admin.username, api_key_without_explicit_permissions))) def test_login_with_explicit_permission_default(self): api_key_with_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.user_with_permission)) self.assertAuthenticationSuccess( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.user_with_permission.username, api_key_with_permissions))) def test_login_with_explicit_permission_and_roles(self): api_key_with_explicit_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.user_with_permission), name='explicit_with_permission', role_id=self.role_with_permission.get_id, ) api_key_without_explicit_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.user_with_permission), name='explicit_without_permission', role_id=self.role_without_permission.get_id, ) self.assertAuthenticationSuccess( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.user_with_permission.username, api_key_with_explicit_permissions))) self.assertAuthenticationFail( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.user_with_permission.username, api_key_without_explicit_permissions))) def test_login_with_no_api_access_default(self): api_key_with_no_access, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user( self.user_with_permission_but_no_api_access)) self.assertAuthenticationFail( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.user_with_permission_but_no_api_access.username, api_key_with_no_access, ))) def test_login_with_wrong_permission(self): api_key_without_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.user_without_permission)) self.assertAuthenticationFail( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.user_without_permission.username, api_key_without_permissions))) def test_login_with_wrong_permission_explicit_roles(self): api_key_with_explicit_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.user_without_permission), name='explicit_with_permission', role_id=self.role_with_permission.get_id, ) api_key_without_explicit_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.user_without_permission), name='explicit_without_permission', role_id=self.role_without_permission.get_id, ) # both of these should fail since the user shouldn't be allowed API access # to a role they don't have self.assertAuthenticationFail( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.user_without_permission.username, api_key_with_explicit_permissions))) self.assertAuthenticationFail( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.user_without_permission.username, api_key_without_explicit_permissions))) def test_explicit_role_wrong_domain(self): project = Domain.get_or_create_with_name('api-test-fail-2', is_active=True) self.addCleanup(project.delete) user = WebUser.create(self.domain, 'multi_domain_admin', '***', None, None, is_admin=True) user.add_domain_membership(project.name, is_admin=True) user.save() self.addCleanup(user.delete, self.domain, deleted_by=None) unscoped_api_key, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(user), name='unscoped', ) # this key should only be able to access default project, not new one scoped_api_key, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(user), name='explicit_with_permission_wrong_domain', role_id=self.role_with_permission.get_id, ) unscoped_auth_header = self._construct_api_auth_header( user.username, unscoped_api_key) scoped_auth_header = self._construct_api_auth_header( user.username, scoped_api_key) for domain in [self.domain, project.name]: self.assertAuthenticationSuccess( self.require_edit_data, self._get_request(domain=domain, HTTP_AUTHORIZATION=unscoped_auth_header)) self.assertAuthenticationSuccess( self.require_edit_data, self._get_request(domain=self.domain, HTTP_AUTHORIZATION=scoped_auth_header)) self.assertAuthenticationFail( self.require_edit_data, self._get_request(domain=project.name, HTTP_AUTHORIZATION=scoped_auth_header)) def test_auth_type_basic(self): self.assertAuthenticationSuccess( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_basic_auth_header( self.domain_admin.username, self.password)))
class Meta(CustomResourceMeta): authentication = RequirePermissionAuthentication( Permissions.view_reports, allow_session_auth=True) list_allowed_methods = [] detail_allowed_methods = ["get"]
class Meta(CustomResourceMeta): authentication = RequirePermissionAuthentication(Permissions.edit_apps) object_class = FixtureDataItem resource_name = 'fixture' limit = 0