Skip to content

Commit

Permalink
Fix #961 -- Move view detail permissions into project user policy
Browse files Browse the repository at this point in the history
  • Loading branch information
@oliverroick
oliverroick committed Feb 8, 2017
1 parent 091ece2 commit 2544bb8
Show file tree
Hide file tree
Showing 8 changed files with 58 additions and 41 deletions.
30 changes: 0 additions & 30 deletions cadasta/config/permissions/org-member.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,36 +10,6 @@
"party.list", "party_rel.list",
"tenure_rel.list", "resource.list"],
"object": ["project/$organization/*"]
},
{
"effect": "allow",
"action": ["spatial.view"],
"object": ["spatial/$organization/*/*"]
},
{
"effect": "allow",
"action": ["spatial_rel.view"],
"object": ["spatial_rel/$organization/*/*"]
},
{
"effect": "allow",
"action": ["party.view"],
"object": ["party/$organization/*/*"]
},
{
"effect": "allow",
"action": ["party_rel.view"],
"object": ["party_rel/$organization/*/*"]
},
{
"effect": "allow",
"action": ["tenure_rel.view"],
"object": ["tenure_rel/$organization/*/*"]
},
{
"effect": "allow",
"action": ["resource.view"],
"object": ["resource/$organization/*/*"]
}
]
}
30 changes: 30 additions & 0 deletions cadasta/config/permissions/project-user.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,5 +4,35 @@
// additional permissions over those given to all users. This may
// change in the future. In particular, project users may be
// permitted access to projects that are normally private.
{
"effect": "allow",
"action": ["spatial.view"],
"object": ["spatial/$organization/*/*"]
},
{
"effect": "allow",
"action": ["spatial_rel.view"],
"object": ["spatial_rel/$organization/*/*"]
},
{
"effect": "allow",
"action": ["party.view"],
"object": ["party/$organization/*/*"]
},
{
"effect": "allow",
"action": ["party_rel.view"],
"object": ["party_rel/$organization/*/*"]
},
{
"effect": "allow",
"action": ["tenure_rel.view"],
"object": ["tenure_rel/$organization/*/*"]
},
{
"effect": "allow",
"action": ["resource.view"],
"object": ["resource/$organization/*/*"]
}
]
}
4 changes: 2 additions & 2 deletions cadasta/party/tests/test_views_api_party_relationships.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -283,8 +283,8 @@ def test_get_private_record_based_on_org_membership(self):
OrganizationRole.objects.create(organization=self.org, user=user)

response = self.request(user=user)
assert response.status_code == 200
assert response.content['id'] == self.rel.id
assert response.status_code == 403
assert response.content['detail'] == PermissionDenied.default_detail


class PartyRelationshipUpdateAPITest(APITestCase, UserTestCase, TestCase):
Expand Down
4 changes: 2 additions & 2 deletions cadasta/party/tests/test_views_api_tenure_relationships.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -267,8 +267,8 @@ def test_get_private_record_based_on_org_membership(self):
user=user)

response = self.request(user=user)
assert response.status_code == 200
assert response.content['id'] == self.rel.id
assert response.status_code == 403
assert response.content['detail'] == PermissionDenied.default_detail


class TenureRelationshipUpdateAPITest(APITestCase, UserTestCase, TestCase):
Expand Down
21 changes: 20 additions & 1 deletion cadasta/party/tests/test_views_default.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,9 +83,28 @@ def test_get_from_non_existent_project(self):

def test_get_with_unauthorized_user(self):
user = UserFactory.create()
response = self.request(user=user)
assert response.status_code == 302

def test_get_with_user_without_view_permissions(self):
user = UserFactory.create()
clauses = {
'clause': [
{
'effect': 'allow',
'object': ['project/*/*'],
'action': ['project.*.*', 'party.list']
}
]
}
policy = Policy.objects.create(
name='allow',
body=json.dumps(clauses))
assign_user_policies(user, policy)

response = self.request(user=user)
assert response.status_code == 200
assert response.content == self.render_content(object_list=[])
assert response.content == self.expected_content

def test_get_with_unauthenticated_user(self):
response = self.request()
Expand Down
1 change: 0 additions & 1 deletion cadasta/party/views/default.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ class PartiesList(LoginPermissionRequiredMixin,
template_name = 'party/party_list.html'
permission_required = 'party.list'
permission_denied_message = error_messages.PARTY_LIST
permission_filter_queryset = ('party.view',)
no_jsonattrs_in_queryset = True


Expand Down
4 changes: 2 additions & 2 deletions cadasta/spatial/tests/test_views_api_spatial_relationships.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -272,8 +272,8 @@ def test_get_private_record_based_on_org_membership(self):
user=user)

response = self.request(user=user)
assert response.status_code == 200
assert response.content['id'] == self.rel.id
assert response.status_code == 403
assert response.content['detail'] == PermissionDenied.default_detail


class SpatialRelationshipUpdateAPITest(APITestCase, UserTestCase, TestCase):
Expand Down
5 changes: 2 additions & 3 deletions cadasta/spatial/tests/test_views_api_spatial_units.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -435,9 +435,8 @@ def test_get_private_record_based_on_org_membership(self):
user=user)

response = self.request(user=user)
assert response.status_code == 200
print(response.content)
assert response.content['properties']['id'] == self.su.id
assert response.status_code == 403
assert response.content['detail'] == PermissionDenied.default_detail


class SpatialUnitUpdateAPITest(APITestCase, UserTestCase, TestCase):
Expand Down

0 comments on commit 2544bb8

Please sign in to comment.