Fix #961 -- Move view detail permissions into project user policy (#1071

) * Fix #961 -- Move view detail permissions into project user policy * Change comment on project user policy * Restrict permissions to projects
Cadasta · Feb 16, 2017 · 96b7f8a · 96b7f8a
1 parent 241d1ee
commit 96b7f8a
Show file tree

Hide file tree

Showing 9 changed files with 62 additions and 46 deletions.
diff --git a/cadasta/config/permissions/org-member.json b/cadasta/config/permissions/org-member.json
@@ -10,36 +10,6 @@
                  "party.list", "party_rel.list",
                  "tenure_rel.list", "resource.list"],
       "object": ["project/$organization/*"]
-    },
-    {
-      "effect": "allow",
-      "action": ["spatial.view"],
-      "object": ["spatial/$organization/*/*"]
-    },
-    {
-      "effect": "allow",
-      "action": ["spatial_rel.view"],
-      "object": ["spatial_rel/$organization/*/*"]
-    },
-    {
-      "effect": "allow",
-      "action": ["party.view"],
-      "object": ["party/$organization/*/*"]
-    },
-    {
-      "effect": "allow",
-      "action": ["party_rel.view"],
-      "object": ["party_rel/$organization/*/*"]
-    },
-    {
-      "effect": "allow",
-      "action": ["tenure_rel.view"],
-      "object": ["tenure_rel/$organization/*/*"]
-    },
-    {
-      "effect": "allow",
-      "action": ["resource.view"],
-      "object": ["resource/$organization/*/*"]
     }
   ]
 }
diff --git a/cadasta/config/permissions/project-user.json b/cadasta/config/permissions/project-user.json
@@ -1,8 +1,37 @@
 {
   "clause": [
-    // Currently, "ordinary" users associated with a project have no
-    // additional permissions over those given to all users.  This may
-    // change in the future.  In particular, project users may be
-    // permitted access to projects that are normally private.
+    // In addition to the permissions provided by the organization member
+    // policy, project users can view details of locations, parties,
+    // relationships and resources. 
+    {
+      "effect": "allow",
+      "action": ["spatial.view"],
+      "object": ["spatial/$organization/$project/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["spatial_rel.view"],
+      "object": ["spatial_rel/$organization/$project/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["party.view"],
+      "object": ["party/$organization/$project/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["party_rel.view"],
+      "object": ["party_rel/$organization/$project/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["tenure_rel.view"],
+      "object": ["tenure_rel/$organization/$project/*"]
+    },
+    {
+      "effect": "allow",
+      "action": ["resource.view"],
+      "object": ["resource/$organization/$project/*"]
+    }
   ]
 }
diff --git a/cadasta/core/static/css/main.css b/cadasta/core/static/css/main.css
diff --git a/cadasta/party/tests/test_views_api_party_relationships.py b/cadasta/party/tests/test_views_api_party_relationships.py
@@ -283,8 +283,8 @@ def test_get_private_record_based_on_org_membership(self):
         OrganizationRole.objects.create(organization=self.org, user=user)
 
         response = self.request(user=user)
-        assert response.status_code == 200
-        assert response.content['id'] == self.rel.id
+        assert response.status_code == 403
+        assert response.content['detail'] == PermissionDenied.default_detail
 
 
 class PartyRelationshipUpdateAPITest(APITestCase, UserTestCase, TestCase):

diff --git a/cadasta/party/tests/test_views_api_tenure_relationships.py b/cadasta/party/tests/test_views_api_tenure_relationships.py
@@ -267,8 +267,8 @@ def test_get_private_record_based_on_org_membership(self):
                                         user=user)
 
         response = self.request(user=user)
-        assert response.status_code == 200
-        assert response.content['id'] == self.rel.id
+        assert response.status_code == 403
+        assert response.content['detail'] == PermissionDenied.default_detail
 
 
 class TenureRelationshipUpdateAPITest(APITestCase, UserTestCase, TestCase):

diff --git a/cadasta/party/tests/test_views_default.py b/cadasta/party/tests/test_views_default.py
@@ -83,9 +83,28 @@ def test_get_from_non_existent_project(self):
 
     def test_get_with_unauthorized_user(self):
         user = UserFactory.create()
+        response = self.request(user=user)
+        assert response.status_code == 302
+
+    def test_get_with_user_without_view_permissions(self):
+        user = UserFactory.create()
+        clauses = {
+            'clause': [
+                {
+                    'effect': 'allow',
+                    'object': ['project/*/*'],
+                    'action': ['project.*.*', 'party.list']
+                }
+            ]
+        }
+        policy = Policy.objects.create(
+            name='allow',
+            body=json.dumps(clauses))
+        assign_user_policies(user, policy)
+
         response = self.request(user=user)
         assert response.status_code == 200
-        assert response.content == self.render_content(object_list=[])
+        assert response.content == self.expected_content
 
     def test_get_with_unauthenticated_user(self):
         response = self.request()

diff --git a/cadasta/party/views/default.py b/cadasta/party/views/default.py
@@ -19,7 +19,6 @@ class PartiesList(LoginPermissionRequiredMixin,
     template_name = 'party/party_list.html'
     permission_required = 'party.list'
     permission_denied_message = error_messages.PARTY_LIST
-    permission_filter_queryset = ('party.view',)
     no_jsonattrs_in_queryset = True
 
 

diff --git a/cadasta/spatial/tests/test_views_api_spatial_relationships.py b/cadasta/spatial/tests/test_views_api_spatial_relationships.py
@@ -272,8 +272,8 @@ def test_get_private_record_based_on_org_membership(self):
                                         user=user)
 
         response = self.request(user=user)
-        assert response.status_code == 200
-        assert response.content['id'] == self.rel.id
+        assert response.status_code == 403
+        assert response.content['detail'] == PermissionDenied.default_detail
 
 
 class SpatialRelationshipUpdateAPITest(APITestCase, UserTestCase, TestCase):

diff --git a/cadasta/spatial/tests/test_views_api_spatial_units.py b/cadasta/spatial/tests/test_views_api_spatial_units.py
@@ -435,9 +435,8 @@ def test_get_private_record_based_on_org_membership(self):
                                         user=user)
 
         response = self.request(user=user)
-        assert response.status_code == 200
-        print(response.content)
-        assert response.content['properties']['id'] == self.su.id
+        assert response.status_code == 403
+        assert response.content['detail'] == PermissionDenied.default_detail
 
 
 class SpatialUnitUpdateAPITest(APITestCase, UserTestCase, TestCase):