From 39cdaaeb36b78cbddcca45accd15820a55634c8b Mon Sep 17 00:00:00 2001 From: Ian Ross Date: Wed, 6 Jul 2016 13:01:54 +0200 Subject: [PATCH] Fix permissions policies and tests (fixes #303) --- .../config/permissions/data-collector.json | 22 ++++--- cadasta/config/permissions/org-admin.json | 30 +++------ cadasta/config/permissions/org-member.json | 46 ++++++++++---- .../config/permissions/project-manager.json | 37 ++++------- cadasta/config/permissions/superuser.json | 62 +++++++++++++++---- cadasta/party/models.py | 7 +++ cadasta/party/tests/test_models.py | 7 ++- cadasta/party/views/api.py | 9 --- cadasta/party/views/mixins.py | 10 ++- cadasta/spatial/models.py | 7 +++ cadasta/spatial/tests/test_models.py | 5 ++ cadasta/spatial/views/api.py | 5 -- cadasta/spatial/views/mixins.py | 4 -- requirements/common.txt | 2 +- 14 files changed, 148 insertions(+), 105 deletions(-) diff --git a/cadasta/config/permissions/data-collector.json b/cadasta/config/permissions/data-collector.json index 6222748ec..01b26236d 100644 --- a/cadasta/config/permissions/data-collector.json +++ b/cadasta/config/permissions/data-collector.json @@ -1,11 +1,9 @@ { "clause": [ - // In addition to the permissions provided by the default - // policy, data collectors are allowed to manage resources for a - // specified project within a specified organization. { "effect": "allow", - "action": ["resource.*"], + "action": ["resource.*", "spatial.*", "spatial_rel.*", + "party.*", "party_rel.*", "tenure_rel.*"], "object": ["project/$organization/$project"] }, { @@ -16,17 +14,27 @@ { "effect": "allow", - "action": ["spatial.*"], + "action": ["spatial.*", "spatial.resources.*"], "object": ["spatial/$organization/$project/*"] }, { "effect": "allow", - "action": ["party.*"], + "action": ["spatial_rel.*"], + "object": ["spatial_rel/$organization/*/*"] + }, + { + "effect": "allow", + "action": ["party.*", "party.resources.*"], "object": ["party/$organization/$project/*"] }, { "effect": "allow", - "action": ["tenure_rel.*", "tenure_rel.*.*"], + "action": ["party_rel.*"], + "object": ["party_rel/$organization/$project/*"] + }, + { + "effect": "allow", + "action": ["tenure_rel.*", "tenure_rel.resources.*"], "object": ["tenure_rel/$organization/$project/*"] } ] diff --git a/cadasta/config/permissions/org-admin.json b/cadasta/config/permissions/org-admin.json index c4416f6dc..4f695b00d 100644 --- a/cadasta/config/permissions/org-admin.json +++ b/cadasta/config/permissions/org-admin.json @@ -7,18 +7,20 @@ // specified organization. { "effect": "allow", - "action": ["org.*", "org.*.*", "project.*", "project.*.*"], + "action": ["org.*", "org.users.*", "project.*"], "object": ["organization/$organization"] }, { "effect": "allow", - "action": ["project.*", "project.*.*", "questionaire.*", "resource.*", - "spatial.*", "spatial_rel.*", "party.*", "party_rel.*", "tenure_rel.*"], + "action": ["project.*", "project.users.*", "questionaire.*", + "resource.*", "spatial.*", "spatial_rel.*", + "party.*", "party_rel.*", "tenure_rel.*"], "object": ["project/$organization/*"] }, + { "effect": "allow", - "action": ["spatial.*"], + "action": ["spatial.*", "spatial.resources.*"], "object": ["spatial/$organization/*/*"] }, { @@ -28,7 +30,7 @@ }, { "effect": "allow", - "action": ["party.*"], + "action": ["party.*", "party.resources.*"], "object": ["party/$organization/*/*"] }, { @@ -38,29 +40,13 @@ }, { "effect": "allow", - "action": ["tenure_rel.*"], + "action": ["tenure_rel.*", "tenure_rel.resources.*"], "object": ["tenure_rel/$organization/*/*"] }, { "effect": "allow", "action": ["resource.*"], "object": ["resource/$organization/*/*"] - }, - - { - "effect": "allow", - "action": ["spatial.*"], - "object": ["spatial/$organization/*/*"] - }, - { - "effect": "allow", - "action": ["party.*"], - "object": ["party/$organization/*/*"] - }, - { - "effect": "allow", - "action": ["tenure_rel.*", "tenure_rel.*.*"], - "object": ["tenure_rel/$organization/*/*"] } ] } diff --git a/cadasta/config/permissions/org-member.json b/cadasta/config/permissions/org-member.json index f8a40e7d6..9240acced 100644 --- a/cadasta/config/permissions/org-member.json +++ b/cadasta/config/permissions/org-member.json @@ -6,18 +6,40 @@ { "effect": "allow", "action": ["project.view_private", - "spatial.list", "spatial.view", - "spatial_rel.list", "spatial_rel.view", - "party.list", "party.view", - "party_rel.list", "party_rel.view", - "tenure_rel.list", "tenure_rel.view"], - "object": ["project/$organization/*", - "project/$organization/*/*", - "spatial/$organization/*/*", - "spatial_rel/$organization/*/*", - "party/$organization/*/*", - "party_rel/$organization/*/*", - "tenure_rel/$organization/*/*"] + "spatial.list", "spatial_rel.list", + "party.list", "party_rel.list", + "tenure_rel.list", "resource.list"], + "object": ["project/$organization/*"] + }, + { + "effect": "allow", + "action": ["spatial.view"], + "object": ["spatial/$organization/*/*"] + }, + { + "effect": "allow", + "action": ["spatial_rel.view"], + "object": ["spatial_rel/$organization/*/*"] + }, + { + "effect": "allow", + "action": ["party.view"], + "object": ["party/$organization/*/*"] + }, + { + "effect": "allow", + "action": ["party_rel.view"], + "object": ["party_rel/$organization/*/*"] + }, + { + "effect": "allow", + "action": ["tenure_rel.view"], + "object": ["tenure_rel/$organization/*/*"] + }, + { + "effect": "allow", + "action": ["resource.view"], + "object": ["resource/$organization/*/*"] } ] } diff --git a/cadasta/config/permissions/project-manager.json b/cadasta/config/permissions/project-manager.json index ab517a09f..50da48204 100644 --- a/cadasta/config/permissions/project-manager.json +++ b/cadasta/config/permissions/project-manager.json @@ -7,13 +7,20 @@ // organization. { "effect": "allow", - "action": ["project.*", "project.*.*", "questionaire.*", "spatial.*", - "resource.*", "party.*", "tenure_rel.*"], + "action": ["project.*", "project.users.*", "questionaire.*", + "resource.*", "spatial.*", "spatial_rel.*", + "party.*", "party_rel.*", "tenure_rel.*"], "object": ["project/$organization/$project"] }, + { + "effect": "deny", + "action": ["project.archive", "project.unarchive", "questionaire.add"], + "object": ["project/$organization/$project"] + }, + { "effect": "allow", - "action": ["spatial.*"], + "action": ["spatial.*", "spatial.resources.*"], "object": ["spatial/$organization/$project/*"] }, { @@ -23,7 +30,7 @@ }, { "effect": "allow", - "action": ["party.*"], + "action": ["party.*", "party.resources.*"], "object": ["party/$organization/$project/*"] }, { @@ -33,33 +40,13 @@ }, { "effect": "allow", - "action": ["tenure_rel.*"], + "action": ["tenure_rel.*", "tenure_rel.resources.*"], "object": ["tenure_rel/$organization/$project/*"] }, { "effect": "allow", "action": ["resource.*"], "object": ["resource/$organization/$project/*"] - }, - { - "effect": "deny", - "action": ["project.archive", "project.unarchive", "questionaire.add"], - "object": ["project/$organization/$project"] - }, - { - "effect": "allow", - "action": ["spatial.*", "spatial.*.*"], - "object": ["spatial/$organization/$project/*"] - }, - { - "effect": "allow", - "action": ["party.*", "party.*.*"], - "object": ["party/$organization/$project/*"] - }, - { - "effect": "allow", - "action": ["tenure_rel.*", "tenure_rel.*.*"], - "object": ["tenure_rel/$organization/$project/*"] } ] } diff --git a/cadasta/config/permissions/superuser.json b/cadasta/config/permissions/superuser.json index 3ba8a62f2..7294aedf0 100644 --- a/cadasta/config/permissions/superuser.json +++ b/cadasta/config/permissions/superuser.json @@ -8,42 +8,82 @@ }, { "effect": "allow", - "action": ["org.*", "org.*.*"], + "action": ["org.*", "org.users.*"], "object": ["organization/*"] }, + { "effect": "allow", - "action": ["project.*", "project.*.*"], + "action": ["project.*"], "object": ["organization/*"] }, { "effect": "allow", - "action": ["project.*", "project.*.*", "resource.*", - "spatial.*", "spatial_rel.*", - "party.*", "party_rel.*", "tenure_rel.*"], - "object": ["project/*/*", "spatial/*/*/*", "spatial_rel/*/*/*", - "party/*/*/*", "party_rel/*/*/*", "tenure_rel/*/*/*"] + "action": ["project.*", "project.users.*"], + "object": ["project/*/*"] }, + { "effect": "allow", "action": ["resource.*"], - "object": ["resource/*/*/*"] + "object": ["project/*/*", "resource/*/*/*"] }, + { "effect": "allow", - "action": ["spatial.*", "spatial.*.*"], + "action": ["spatial.*"], + "object": ["project/*/*"] + }, + { + "effect": "allow", + "action": ["spatial.*", "spatial.resources.*"], "object": ["spatial/*/*/*"] }, + + { + "effect": "allow", + "action": ["spatial_rel.*"], + "object": ["project/*/*"] + }, { "effect": "allow", - "action": ["party.*", "party.*.*"], + "action": ["spatial_rel.*"], + "object": ["spatial_rel/*/*/*"] + }, + + { + "effect": "allow", + "action": ["party.*"], + "object": ["project/*/*"] + }, + { + "effect": "allow", + "action": ["party.*", "party.resources.*"], "object": ["party/*/*/*"] }, + + { + "effect": "allow", + "action": ["party_rel.*"], + "object": ["project/*/*"] + }, + { + "effect": "allow", + "action": ["party_rel.*"], + "object": ["party_rel/*/*/*"] + }, + + { + "effect": "allow", + "action": ["tenure_rel.*"], + "object": ["project/*/*"] + }, { "effect": "allow", - "action": ["tenure_rel.*", "tenure_rel.*.*"], + "action": ["tenure_rel.*", "tenure_rel.resources.*"], "object": ["tenure_rel/*/*/*"] }, + { "effect": "allow", "action": ["user.*"] diff --git a/cadasta/party/models.py b/cadasta/party/models.py index 06019d61d..a58a6347c 100644 --- a/cadasta/party/models.py +++ b/cadasta/party/models.py @@ -117,6 +117,7 @@ def __repr__(self): @fix_model_for_attributes +@permissioned_model class PartyRelationship(RandomIDModel): """ PartyRelationship model. @@ -183,6 +184,9 @@ def __str__(self): party1=self.party1.name, party2=self.party2.name, type=dict(self.TYPE_CHOICES).get(self.type)) + def __repr__(self): + return str(self) + @fix_model_for_attributes @permissioned_model @@ -268,6 +272,9 @@ def __str__(self): party=self.party.name, su=self.spatial_unit.name, type=self.tenure_type.label) + def __repr__(self): + return str(self) + class TenureRelationshipType(models.Model): """Defines allowable tenure types.""" diff --git a/cadasta/party/tests/test_models.py b/cadasta/party/tests/test_models.py index eda04ef7b..0f2717aa0 100644 --- a/cadasta/party/tests/test_models.py +++ b/cadasta/party/tests/test_models.py @@ -18,9 +18,6 @@ class PartyTest(TestCase): def test_str(self): party = PartyFactory.create(name='TeaParty') assert str(party) == '' - - def test_repr(self): - party = PartyFactory.create(name='TeaParty') assert repr(party) == '' def test_has_random_id(self): @@ -68,6 +65,8 @@ def test_str(self): type='C') assert str(relationship) == ( " is-child-of >") + assert repr(relationship) == ( + " is-child-of >") def test_relationships_creation(self): relationship = PartyRelationshipFactory( @@ -137,6 +136,8 @@ def test_str(self): tenure_type=tenure_type) assert str(relationship) == ( " Leasehold >") + assert repr(relationship) == ( + " Leasehold >") def test_tenure_relationship_creation(self): tenure_relationship = TenureRelationshipFactory.create() diff --git a/cadasta/party/views/api.py b/cadasta/party/views/api.py index 4f7d2effa..a6359a338 100644 --- a/cadasta/party/views/api.py +++ b/cadasta/party/views/api.py @@ -127,9 +127,6 @@ class PartyRelationshipCreate(APIPermissionRequiredMixin, permission_required = 'party_rel.create' serializer_class = serializers.PartyRelationshipWriteSerializer - def get_perms_objects(self): - return [self.get_project()] - class PartyRelationshipDetail(APIPermissionRequiredMixin, mixins.PartyRelationshipQuerySetMixin, @@ -153,9 +150,6 @@ def destroy(self, request, *args, **kwargs): self.get_object().delete() return Response(status=status.HTTP_204_NO_CONTENT) - def get_perms_objects(self): - return [self.get_project()] - class TenureRelationshipCreate(APIPermissionRequiredMixin, mixins.TenureRelationshipQuerySetMixin, @@ -177,9 +171,6 @@ class TenureRelationshipDetail(APIPermissionRequiredMixin, 'DELETE': 'tenure_rel.delete' } - def get_perms_objects(self): - return [self.get_project()] - def get_serializer_class(self): if self.request.method == 'PATCH': return serializers.TenureRelationshipWriteSerializer diff --git a/cadasta/party/views/mixins.py b/cadasta/party/views/mixins.py index d8683a545..8f6800774 100644 --- a/cadasta/party/views/mixins.py +++ b/cadasta/party/views/mixins.py @@ -102,10 +102,6 @@ def get_context_data(self, *args, **kwargs): return context - def get_queryset(self): - self.proj = self.get_project() - return self.proj.tenure_relationships.all() - def get_object(self): try: return TenureRelationship.objects.get( @@ -119,8 +115,10 @@ def get_object(self): class PartyRelationshipResourceMixin(ResourceViewMixin, PartyRelationshipObjectMixin): - def get_content_object(self): - return self.get_object() + # UNUSED until party relationship list view is used + # + # def get_content_object(self): + # return self.get_object() def get_form_kwargs(self, *args, **kwargs): kwargs = { diff --git a/cadasta/spatial/models.py b/cadasta/spatial/models.py index 507a8bc58..7ca9a2c75 100644 --- a/cadasta/spatial/models.py +++ b/cadasta/spatial/models.py @@ -87,6 +87,9 @@ class TutelaryMeta: def __str__(self): return "".format(self.name) + def __repr__(self): + return str(self) + class SpatialRelationshipManager(managers.BaseRelationshipManager): """Check conditions based on spatial unit type before creating @@ -123,6 +126,7 @@ def create(self, *args, **kwargs): @fix_model_for_attributes +@permissioned_model class SpatialRelationship(RandomIDModel): """A relationship between spatial units: encodes simple logical terms like ``su1 is-contained-in su2`` or ``su1 is-split-of su2``. May @@ -185,3 +189,6 @@ def __str__(self): return " {type} <{su2}>>".format( su1=self.su1.name, su2=self.su2.name, type=dict(self.TYPE_CHOICES).get(self.type)) + + def __repr__(self): + return str(self) diff --git a/cadasta/spatial/tests/test_models.py b/cadasta/spatial/tests/test_models.py index aebfce8bb..d8c536385 100644 --- a/cadasta/spatial/tests/test_models.py +++ b/cadasta/spatial/tests/test_models.py @@ -14,6 +14,7 @@ class SpatialUnitTest(TestCase): def test_str(self): spatial_unit = SpatialUnitFactory.create(name='Disneyland') assert str(spatial_unit) == '' + assert repr(spatial_unit) == '' def test_has_random_id(self): spatial_unit = SpatialUnitFactory.create() @@ -82,6 +83,10 @@ def test_str(self): " is-contained-in >" ) + assert repr(relationship) == ( + " is-contained-in >" + ) def test_relationships_creation(self): relationship = SpatialRelationshipFactory( diff --git a/cadasta/spatial/views/api.py b/cadasta/spatial/views/api.py index 47f13e0d3..7157ae63b 100644 --- a/cadasta/spatial/views/api.py +++ b/cadasta/spatial/views/api.py @@ -40,11 +40,6 @@ class SpatialUnitDetail(APIPermissionRequiredMixin, 'DELETE': 'spatial.delete' } - def get_perms_objects(self): - # Talk to Brian about this. This should be the Spatial Unit not the - # project - return [self.get_project()] - def destroy(self, request, *args, **kwargs): self.get_object().delete() return Response(status=status.HTTP_204_NO_CONTENT) diff --git a/cadasta/spatial/views/mixins.py b/cadasta/spatial/views/mixins.py index b885a8527..429a63a55 100644 --- a/cadasta/spatial/views/mixins.py +++ b/cadasta/spatial/views/mixins.py @@ -44,10 +44,6 @@ def get_success_url(self): class SpatialRelationshipQuerySetMixin(ProjectMixin): - - def get_perms_objects(self): - return [self.get_project()] - def get_queryset(self): self.proj = self.get_project() return self.proj.spatial_relationships.all() diff --git a/requirements/common.txt b/requirements/common.txt index 83bc28f25..09f0a1388 100644 --- a/requirements/common.txt +++ b/requirements/common.txt @@ -14,7 +14,7 @@ djangorestframework-gis==0.10.1 jsonschema==2.5.1 rfc3987==1.3.5 drfdocs==0.0.9 -django-tutelary==0.1.13 +django-tutelary==0.1.14 django-audit-log==0.7.0 django-simple-history==1.8.1 simplejson==3.8.1