Fix permissions policies and tests (fixes #303)

Cadasta · Jul 7, 2016 · 39cdaae · seav · Jul 7, 2016 · ian-ross
1 parent 2145a1d
commit 39cdaae
Show file tree

Hide file tree

Showing 14 changed files with 148 additions and 105 deletions.
diff --git a/cadasta/config/permissions/data-collector.json b/cadasta/config/permissions/data-collector.json
@@ -1,11 +1,9 @@
 {
   "clause": [
-    // In addition to the permissions provided by the default
-    // policy, data collectors are allowed to manage resources for a
-    // specified project within a specified organization.
     {
       "effect": "allow",
-      "action": ["resource.*"],
+      "action": ["resource.*", "spatial.*", "spatial_rel.*",
+                 "party.*", "party_rel.*", "tenure_rel.*"],
       "object": ["project/$organization/$project"]
     },
     {
@@ -16,17 +14,27 @@
 
     {
       "effect": "allow",
-      "action": ["spatial.*"],
+      "action": ["spatial.*", "spatial.resources.*"],
       "object": ["spatial/$organization/$project/*"]
     },
     {
       "effect": "allow",
-      "action": ["party.*"],
+      "action": ["spatial_rel.*"],
+      "object": ["spatial_rel/$organization/*/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["party.*", "party.resources.*"],
       "object": ["party/$organization/$project/*"]
     },
     {
       "effect": "allow",
-      "action": ["tenure_rel.*", "tenure_rel.*.*"],
+      "action": ["party_rel.*"],
+      "object": ["party_rel/$organization/$project/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["tenure_rel.*", "tenure_rel.resources.*"],
       "object": ["tenure_rel/$organization/$project/*"]
     }
   ]

diff --git a/cadasta/config/permissions/org-admin.json b/cadasta/config/permissions/org-admin.json
@@ -7,18 +7,20 @@
     // specified organization.
     {
       "effect": "allow",
-      "action": ["org.*", "org.*.*", "project.*", "project.*.*"],
+      "action": ["org.*", "org.users.*", "project.*"],
       "object": ["organization/$organization"]
     },
     {
       "effect": "allow",
-      "action": ["project.*", "project.*.*", "questionaire.*", "resource.*",
-                 "spatial.*", "spatial_rel.*", "party.*", "party_rel.*", "tenure_rel.*"],
+      "action": ["project.*", "project.users.*", "questionaire.*",
+                 "resource.*", "spatial.*", "spatial_rel.*",
+                 "party.*", "party_rel.*", "tenure_rel.*"],
       "object": ["project/$organization/*"]
     },
+
     {
       "effect": "allow",
-      "action": ["spatial.*"],
+      "action": ["spatial.*", "spatial.resources.*"],
       "object": ["spatial/$organization/*/*"]
     },
     {
@@ -28,7 +30,7 @@
     },
     {
       "effect": "allow",
-      "action": ["party.*"],
+      "action": ["party.*", "party.resources.*"],
       "object": ["party/$organization/*/*"]
     },
     {
@@ -38,29 +40,13 @@
     },
     {
       "effect": "allow",
-      "action": ["tenure_rel.*"],
+      "action": ["tenure_rel.*", "tenure_rel.resources.*"],
       "object": ["tenure_rel/$organization/*/*"]
     },
     {
       "effect": "allow",
       "action": ["resource.*"],
       "object": ["resource/$organization/*/*"]
-    },
-
-    {
-      "effect": "allow",
-      "action": ["spatial.*"],
-      "object": ["spatial/$organization/*/*"]
-    },
-    {
-      "effect": "allow",
-      "action": ["party.*"],
-      "object": ["party/$organization/*/*"]
-    },
-    {
-      "effect": "allow",
-      "action": ["tenure_rel.*", "tenure_rel.*.*"],
-      "object": ["tenure_rel/$organization/*/*"]
     }
   ]
 }
diff --git a/cadasta/config/permissions/org-member.json b/cadasta/config/permissions/org-member.json
@@ -6,18 +6,40 @@
     {
       "effect": "allow",
       "action": ["project.view_private",
-                 "spatial.list", "spatial.view",
-                 "spatial_rel.list", "spatial_rel.view",
-                 "party.list", "party.view",
-                 "party_rel.list", "party_rel.view",
-                 "tenure_rel.list", "tenure_rel.view"],
-      "object": ["project/$organization/*",
-                 "project/$organization/*/*",
-                 "spatial/$organization/*/*",
-                 "spatial_rel/$organization/*/*",
-                 "party/$organization/*/*",
-                 "party_rel/$organization/*/*",
-                 "tenure_rel/$organization/*/*"]
+                 "spatial.list", "spatial_rel.list",
+                 "party.list", "party_rel.list",
+                 "tenure_rel.list", "resource.list"],
+      "object": ["project/$organization/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["spatial.view"],
+      "object": ["spatial/$organization/*/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["spatial_rel.view"],
+      "object": ["spatial_rel/$organization/*/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["party.view"],
+      "object": ["party/$organization/*/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["party_rel.view"],
+      "object": ["party_rel/$organization/*/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["tenure_rel.view"],
+      "object": ["tenure_rel/$organization/*/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["resource.view"],
+      "object": ["resource/$organization/*/*"]
     }
   ]
 }
diff --git a/cadasta/config/permissions/project-manager.json b/cadasta/config/permissions/project-manager.json
@@ -7,13 +7,20 @@
     // organization.
     {
       "effect": "allow",
-      "action": ["project.*", "project.*.*", "questionaire.*", "spatial.*",
-                 "resource.*", "party.*", "tenure_rel.*"],
+      "action": ["project.*", "project.users.*", "questionaire.*",
+                 "resource.*", "spatial.*", "spatial_rel.*",
+                 "party.*", "party_rel.*", "tenure_rel.*"],
       "object": ["project/$organization/$project"]
     },
+    {
+      "effect": "deny",
+      "action": ["project.archive", "project.unarchive", "questionaire.add"],
+      "object": ["project/$organization/$project"]
+    },
+
     {
       "effect": "allow",
-      "action": ["spatial.*"],
+      "action": ["spatial.*", "spatial.resources.*"],
       "object": ["spatial/$organization/$project/*"]
     },
     {
@@ -23,7 +30,7 @@
     },
     {
       "effect": "allow",
-      "action": ["party.*"],
+      "action": ["party.*", "party.resources.*"],
       "object": ["party/$organization/$project/*"]
     },
     {
@@ -33,33 +40,13 @@
     },
     {
       "effect": "allow",
-      "action": ["tenure_rel.*"],
+      "action": ["tenure_rel.*", "tenure_rel.resources.*"],
       "object": ["tenure_rel/$organization/$project/*"]
     },
     {
       "effect": "allow",
       "action": ["resource.*"],
       "object": ["resource/$organization/$project/*"]
-    },
-    {
-      "effect": "deny",
-      "action": ["project.archive", "project.unarchive", "questionaire.add"],
-      "object": ["project/$organization/$project"]
-    },
-    {
-      "effect": "allow",
-      "action": ["spatial.*", "spatial.*.*"],
-      "object": ["spatial/$organization/$project/*"]
-    },
-    {
-      "effect": "allow",
-      "action": ["party.*", "party.*.*"],
-      "object": ["party/$organization/$project/*"]
-    },
-    {
-      "effect": "allow",
-      "action": ["tenure_rel.*", "tenure_rel.*.*"],
-      "object": ["tenure_rel/$organization/$project/*"]
     }
   ]
 }
diff --git a/cadasta/config/permissions/superuser.json b/cadasta/config/permissions/superuser.json
@@ -8,42 +8,82 @@
     },
     {
       "effect": "allow",
-      "action": ["org.*", "org.*.*"],
+      "action": ["org.*", "org.users.*"],
       "object": ["organization/*"]
     },
+
     {
       "effect": "allow",
-      "action": ["project.*", "project.*.*"],
+      "action": ["project.*"],
       "object": ["organization/*"]
     },
     {
       "effect": "allow",
-      "action": ["project.*", "project.*.*", "resource.*",
-                 "spatial.*", "spatial_rel.*",
-                 "party.*", "party_rel.*", "tenure_rel.*"],
-      "object": ["project/*/*", "spatial/*/*/*", "spatial_rel/*/*/*",
-                 "party/*/*/*", "party_rel/*/*/*", "tenure_rel/*/*/*"]
+      "action": ["project.*", "project.users.*"],
+      "object": ["project/*/*"]
     },
+
     {
       "effect": "allow",
       "action": ["resource.*"],
-      "object": ["resource/*/*/*"]
+      "object": ["project/*/*", "resource/*/*/*"]
     },
+
     {
       "effect": "allow",
-      "action": ["spatial.*", "spatial.*.*"],
+      "action": ["spatial.*"],
+      "object": ["project/*/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["spatial.*", "spatial.resources.*"],
       "object": ["spatial/*/*/*"]
     },
+
+    {
+      "effect": "allow",
+      "action": ["spatial_rel.*"],
+      "object": ["project/*/*"]
+    },
     {
       "effect": "allow",
-      "action": ["party.*", "party.*.*"],
+      "action": ["spatial_rel.*"],
+      "object": ["spatial_rel/*/*/*"]
+    },
+
+    {
+      "effect": "allow",
+      "action": ["party.*"],
+      "object": ["project/*/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["party.*", "party.resources.*"],
       "object": ["party/*/*/*"]
     },
+
+    {
+      "effect": "allow",
+      "action": ["party_rel.*"],
+      "object": ["project/*/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["party_rel.*"],
+      "object": ["party_rel/*/*/*"]
+    },
+
+    {
+      "effect": "allow",
+      "action": ["tenure_rel.*"],
+      "object": ["project/*/*"]
+    },
     {
       "effect": "allow",
-      "action": ["tenure_rel.*", "tenure_rel.*.*"],
+      "action": ["tenure_rel.*", "tenure_rel.resources.*"],
       "object": ["tenure_rel/*/*/*"]
     },
+
     {
       "effect": "allow",
       "action": ["user.*"]

diff --git a/cadasta/party/models.py b/cadasta/party/models.py
@@ -117,6 +117,7 @@ def __repr__(self):
 
 
 @fix_model_for_attributes
+@permissioned_model
 class PartyRelationship(RandomIDModel):
     """
     PartyRelationship model.
@@ -183,6 +184,9 @@ def __str__(self):
             party1=self.party1.name, party2=self.party2.name,
             type=dict(self.TYPE_CHOICES).get(self.type))
 
+    def __repr__(self):
+        return str(self)
+
 
 @fix_model_for_attributes
 @permissioned_model
@@ -268,6 +272,9 @@ def __str__(self):
             party=self.party.name, su=self.spatial_unit.name,
             type=self.tenure_type.label)
 
+    def __repr__(self):
+        return str(self)
+
 
 class TenureRelationshipType(models.Model):
     """Defines allowable tenure types."""

diff --git a/cadasta/party/tests/test_models.py b/cadasta/party/tests/test_models.py
@@ -18,9 +18,6 @@ class PartyTest(TestCase):
     def test_str(self):
         party = PartyFactory.create(name='TeaParty')
         assert str(party) == '<Party: TeaParty>'
-
-    def test_repr(self):
-        party = PartyFactory.create(name='TeaParty')
         assert repr(party) == '<Party: TeaParty>'
 
     def test_has_random_id(self):
@@ -68,6 +65,8 @@ def test_str(self):
             type='C')
         assert str(relationship) == (
             "<PartyRelationship: <Simba> is-child-of <Mufasa>>")
+        assert repr(relationship) == (
+            "<PartyRelationship: <Simba> is-child-of <Mufasa>>")
 
     def test_relationships_creation(self):
         relationship = PartyRelationshipFactory(
@@ -137,6 +136,8 @@ def test_str(self):
             tenure_type=tenure_type)
         assert str(relationship) == (
             "<TenureRelationship: <Family> Leasehold <Parcel>>")
+        assert repr(relationship) == (
+            "<TenureRelationship: <Family> Leasehold <Parcel>>")
 
     def test_tenure_relationship_creation(self):
         tenure_relationship = TenureRelationshipFactory.create()