def set_user_permission_doctypes(doctype, role, apply_user_permissions, user_permission_doctypes):
    """Enable user-permission enforcement for ``role`` on ``doctype``.

    Args:
        doctype: DocType whose permission rule is updated.
        role: Role whose rule is updated.
        apply_user_permissions: Accepted but never read; the rule is always
            written with ``apply_user_permissions`` set to 1.
        user_permission_doctypes: Stored JSON-encoded in the rule's
            ``user_permission_doctypes`` property; any falsy value is
            stored as ``None``.
    """
    # NOTE(review): a caller passing apply_user_permissions=0 still gets
    # enforcement switched on. Confirm no test relies on this helper to
    # disable user permissions.
    if user_permission_doctypes:
        serialized = json.dumps(user_permission_doctypes)
    else:
        serialized = None

    update(doctype, role, 0, 'apply_user_permissions', 1)
    update(doctype, role, 0, 'user_permission_doctypes', serialized)

    # Drop cached metadata for this doctype after the rule change.
    frappe.clear_cache(doctype=doctype)
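def test_nested_permission(self):
    """Check that a user permission on a folder covers only its descendants.

    Two folder trees are created under ``Home``. The test user is granted
    a user permission on ``Home/level1-A`` only, so a query as that user
    must return the descendants of ``level1-A`` and nothing from the
    ``level1-B`` tree.
    """
    clear_user_permissions_for_doctype("File")
    delete_test_file_hierarchy()  # delete already existing folders
    from frappe.core.doctype.file.file import create_new_folder
    frappe.set_user('Administrator')

    create_new_folder('level1-A', 'Home')
    create_new_folder('level2-A', 'Home/level1-A')
    create_new_folder('level2-B', 'Home/level1-A')
    create_new_folder('level3-A', 'Home/level1-A/level2-A')

    create_new_folder('level1-B', 'Home')
    create_new_folder('level2-A', 'Home/level1-B')

    # user permission for only one root folder
    add_user_permission('File', 'Home/level1-A', '*****@*****.**')

    from frappe.core.page.permission_manager.permission_manager import update
    update('File', 'All', 0, 'if_owner', 0)  # to avoid if_owner filter

    try:
        frappe.set_user('*****@*****.**')
        data = DatabaseQuery("File").execute()

        # children of root folder (for which we added user permission) should be accessible
        self.assertIn({"name": "Home/level1-A/level2-A"}, data)
        self.assertIn({"name": "Home/level1-A/level2-B"}, data)
        self.assertIn({"name": "Home/level1-A/level2-A/level3-A"}, data)

        # other folders should not be accessible
        self.assertNotIn({"name": "Home/level1-B"}, data)
        # The only folder created under level1-B is level2-A. The earlier
        # check for "Home/level1-B/level2-B" named a folder that was never
        # created, so it passed regardless of what the query leaked.
        self.assertNotIn({"name": "Home/level1-B/level2-A"}, data)
    finally:
        # Restore the session user and the if_owner rule even when an
        # assertion fails, so the relaxed rule does not reach later tests.
        frappe.set_user('Administrator')
        update('File', 'All', 0, 'if_owner', 1)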
def if_owner_setup(self):
    """Prepare the if_owner scenario for Blog Post.

    Sets ``if_owner`` on the Blogger rule for Blog Post, adds user
    permissions on one Blog Category and one Blogger for the test user,
    then clears the cached Blog Post metadata.
    """
    update('Blog Post', 'Blogger', 0, 'if_owner', 1)

    granted = (
        ("Blog Category", "_Test Blog Category 1"),
        ("Blogger", "_Test Blogger 1"),
    )
    for allowed_doctype, allowed_name in granted:
        add_user_permission(allowed_doctype, allowed_name, "*****@*****.**")

    frappe.clear_cache(doctype="Blog Post")
def if_owner_setup(self):
    """Prepare the if_owner scenario for Blog Post.

    Sets ``if_owner`` on the Blogger rule, adds user permissions on one
    Blog Category and one Blogger for the test user, sets the rule's
    ``user_permission_doctypes`` to Blog Category only, and clears the
    Blog Post meta cache.
    """
    update('Blog Post', 'Blogger', 0, 'if_owner', 1)

    granted = (
        ("Blog Category", "_Test Blog Category 1"),
        ("Blogger", "_Test Blogger 1"),
    )
    for allowed_doctype, allowed_name in granted:
        add_user_permission(allowed_doctype, allowed_name, "*****@*****.**")

    # Only Blog Category is listed in the rule, although a Blogger user
    # permission was added above as well.
    restricted_to = json.dumps(["Blog Category"])
    update('Blog Post', 'Blogger', 0, 'user_permission_doctypes', restricted_to)

    frappe.model.meta.clear_cache("Blog Post")
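def test_fieldlevel_permissions_in_load(self):
    """Check that ``getdoc`` hides a field the user has no permlevel access to.

    ``published`` on Blog Post is moved to permlevel 1 while the test user
    holds only the Blogger role, so the loaded document must carry
    ``published`` as ``None``. The field is then moved back to permlevel 0
    and the same load must return ``published == 1``.
    """
    user = frappe.get_doc('User', '*****@*****.**')
    user.remove_roles('Website Manager')
    user.add_roles('Blogger')
    reset('Blog Post')

    try:
        frappe.db.set_value('DocField', {
            'fieldname': 'published',
            'parent': 'Blog Post'
        }, 'permlevel', 1)

        update('Blog Post', 'Website Manager', 0, 'permlevel', 1)

        frappe.set_user(user.name)

        frappe.clear_cache(doctype='Blog Post')

        blog = frappe.db.get_value('Blog Post', {'title': '_Test Blog Post'})

        getdoc('Blog Post', blog)

        checked = False
        for doc in frappe.response.docs:
            if doc.name == blog:
                self.assertEqual(doc.published, None)
                checked = True

        # assertTrue's second argument is the failure message, not an
        # expected value. Fail loudly if the field check never ran.
        self.assertTrue(checked, 'Blog Post missing from response; restricted-field check did not run')

        frappe.db.set_value('DocField', {
            'fieldname': 'published',
            'parent': 'Blog Post'
        }, 'permlevel', 0)
        reset('Blog Post')

        frappe.clear_cache(doctype='Blog Post')

        frappe.response.docs = []
        getdoc('Blog Post', blog)

        checked = False
        for doc in frappe.response.docs:
            if doc.name == blog:
                self.assertEqual(doc.published, 1)
                checked = True

        self.assertTrue(checked, 'Blog Post missing from response; unrestricted-field check did not run')
    finally:
        # A failed assertion must not leave the field at permlevel 1 or
        # the session on the test user for later tests.
        frappe.set_user('Administrator')
        frappe.db.set_value('DocField', {
            'fieldname': 'published',
            'parent': 'Blog Post'
        }, 'permlevel', 0)
        reset('Blog Post')
        frappe.clear_cache(doctype='Blog Post')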
def set_user_permission_doctypes(doctypes, role, apply_user_permissions, user_permission_doctypes):
    """Enable user-permission enforcement for ``role`` on one or more doctypes.

    Args:
        doctypes: A single DocType name or an iterable of names.
        role: Role whose rule is updated on each doctype.
        apply_user_permissions: Accepted but never read; every rule is
            written with ``apply_user_permissions`` set to 1.
        user_permission_doctypes: Stored JSON-encoded in each rule's
            ``user_permission_doctypes`` property; any falsy value is
            stored as ``None``.
    """
    # NOTE(review): a caller passing apply_user_permissions=0 still gets
    # enforcement switched on. Confirm no test relies on this helper to
    # disable user permissions.
    serialized = json.dumps(user_permission_doctypes) if user_permission_doctypes else None

    # A bare string is treated as a single doctype name.
    targets = [doctypes] if isinstance(doctypes, string_types) else doctypes

    for target in targets:
        update(target, role, 0, 'apply_user_permissions', 1)
        update(target, role, 0, 'user_permission_doctypes', serialized)

        frappe.clear_cache(doctype=target)
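def test_fieldlevel_permissions_in_load(self):
    """Check that ``getdoc`` hides a field the user has no permlevel access to.

    ``published`` on Blog Post is moved to permlevel 1 while the test user
    holds only the Blogger role, so the loaded document must carry
    ``published`` as ``None``. The field is then moved back to permlevel 0
    and the same load must return ``published == 1``.
    """
    user = frappe.get_doc('User', '*****@*****.**')
    user.remove_roles('Website Manager')
    user.add_roles('Blogger')
    reset('Blog Post')

    try:
        # Constant SQL with no interpolated input.
        frappe.db.sql('update tabDocField set permlevel=1 where fieldname="published" and parent="Blog Post"')

        update('Blog Post', 'Website Manager', 0, 'permlevel', 1)

        frappe.set_user(user.name)

        frappe.clear_cache(doctype='Blog Post')

        blog = frappe.db.get_value('Blog Post', {'title': '_Test Blog Post'})

        getdoc('Blog Post', blog)

        checked = False
        for doc in frappe.response.docs:
            if doc.name == blog:
                # assertEquals is a deprecated alias, removed in Python 3.12.
                self.assertEqual(doc.published, None)
                checked = True

        # assertTrue's second argument is the failure message, not an
        # expected value. Fail loudly if the field check never ran.
        self.assertTrue(checked, 'Blog Post missing from response; restricted-field check did not run')

        frappe.db.sql('update tabDocField set permlevel=0 where fieldname="published" and parent="Blog Post"')
        reset('Blog Post')

        frappe.clear_cache(doctype='Blog Post')

        frappe.response.docs = []
        getdoc('Blog Post', blog)

        checked = False
        for doc in frappe.response.docs:
            if doc.name == blog:
                self.assertEqual(doc.published, 1)
                checked = True

        self.assertTrue(checked, 'Blog Post missing from response; unrestricted-field check did not run')
    finally:
        # A failed assertion must not leave the field at permlevel 1 or
        # the session on the test user for later tests.
        frappe.set_user('Administrator')
        frappe.db.sql('update tabDocField set permlevel=0 where fieldname="published" and parent="Blog Post"')
        reset('Blog Post')
        frappe.clear_cache(doctype='Blog Post')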
def test_fieldlevel_permissions_in_load_for_child_table(self):
    """Check permlevel enforcement on a child-table field when saving.

    ``Contact Phone.phone`` is moved to permlevel 1 and only Sales User is
    given write access at that level on Contact. A user without Sales User
    saves a changed phone number and the old value must survive. After the
    role is added, the same edit must persist.
    """
    original_number = "123456"
    changed_number = "654321"

    contact = frappe.new_doc("Contact")
    contact.first_name = "_Test Contact 1"
    contact.append("phone_nos", {"phone": original_number})
    contact.insert()

    test_user = frappe.get_doc("User", "*****@*****.**")
    # NOTE(review): get_roles() is called without a user here, so the list
    # presumably belongs to the session user rather than test_user. Verify
    # that the remove/restore below targets the intended roles.
    saved_roles = frappe.get_roles()
    test_user.remove_roles(*saved_roles)
    test_user.add_roles("Accounts User")

    # NOTE(review): nothing visible in this test reverts this property
    # setter. Confirm it is cleaned up elsewhere.
    make_property_setter("Contact Phone", "phone", "permlevel", 1, "Int")
    reset("Contact Phone")
    add("Contact", "Sales User", 1)
    update("Contact", "Sales User", 1, "write", 1)

    # Without Sales User the edit to the permlevel-1 field must not stick.
    frappe.set_user(test_user.name)
    contact = frappe.get_doc("Contact", "_Test Contact 1")
    contact.phone_nos[0].phone = changed_number
    contact.save()
    self.assertEqual(contact.phone_nos[0].phone, original_number)

    # With Sales User the same edit must persist across a reload.
    frappe.set_user("Administrator")
    test_user.add_roles("Sales User")
    frappe.set_user(test_user.name)
    contact.phone_nos[0].phone = changed_number
    contact.save()
    contact = frappe.get_doc("Contact", "_Test Contact 1")
    self.assertEqual(contact.phone_nos[0].phone, changed_number)

    frappe.set_user("Administrator")

    # reset user roles
    test_user.remove_roles("Accounts User", "Sales User")
    test_user.add_roles(*saved_roles)

    contact.delete()
def test_if_owner_permission_overrides_properly(self):
    """Check that if_owner rights stay with the owner once a plain read rule exists.

    The Blogger rule on Blog Post grants read/write/delete only to the
    owner. A custom rule is then added for Blogger, after which a
    non-owner must be able to read but not write or delete, while the
    owner keeps all three.

    NOTE(review): the e-mail addresses are redacted in this listing, so
    every ``set_user`` call looks the same. The comments imply they
    switch between two different test users.
    """
    # check if user is not granted access if the user is not the owner of the doc
    # Blogger has only read access on the blog post unless he is the owner of the blog
    for ptype in ('if_owner', 'read', 'write', 'delete'):
        update('Blog Post', 'Blogger', 0, ptype, 1)

    # currently test2 user has not created any document
    # still he should be able to do get_list query which should
    # not raise permission error but simply return empty list
    frappe.set_user("*****@*****.**")
    self.assertEqual(frappe.get_list('Blog Post'), [])

    frappe.set_user("Administrator")

    # creates a custom docperm with just read access
    # now any user can read any blog post (but other rights are limited to the blog post owner)
    add_permission('Blog Post', 'Blogger')
    frappe.clear_cache(doctype="Blog Post")

    frappe.delete_doc('Blog Post', '-test-blog-post-title')

    frappe.set_user("*****@*****.**")

    post = frappe.get_doc({
        "doctype": "Blog Post",
        "blog_category": "_Test Blog Category",
        "blogger": "_Test Blogger 1",
        "title": "_Test Blog Post Title",
        "content": "_Test Blog Post Content"
    })
    post.insert()

    # Non-owner: read is allowed, write and delete are not.
    frappe.set_user("*****@*****.**")
    post = frappe.get_doc(post.doctype, post.name)

    self.assertTrue(post.has_permission("read"))
    self.assertFalse(post.has_permission("write"))
    self.assertFalse(post.has_permission("delete"))

    # check if owner of the doc has the access that is available only for the owner of the doc
    frappe.set_user("*****@*****.**")
    post = frappe.get_doc(post.doctype, post.name)

    for ptype in ("read", "write", "delete"):
        self.assertTrue(post.has_permission(ptype))

    # delete the created doc
    frappe.delete_doc('Blog Post', '-test-blog-post-title')