Fix #961 -- Move view detail permissions into project user policy #1071

Merged
merged 3 commits into from
Feb 16, 2017
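--- a/cadasta/config/permissions/org-member.json
+++ b/cadasta/config/permissions/org-member.json
@@ -10,36 +10,6 @@
 "party.list", "party_rel.list",
 "tenure_rel.list", "resource.list"],
 "object": ["project/$organization/*"]
-},
-{
-"effect": "allow",
-"action": ["spatial.view"],
-"object": ["spatial/$organization/*/*"]
-},
-{
-"effect": "allow",
-"action": ["spatial_rel.view"],
-"object": ["spatial_rel/$organization/*/*"]
-},
-{
-"effect": "allow",
-"action": ["party.view"],
-"object": ["party/$organization/*/*"]
-},
-{
-"effect": "allow",
-"action": ["party_rel.view"],
-"object": ["party_rel/$organization/*/*"]
-},
-{
-"effect": "allow",
-"action": ["tenure_rel.view"],
-"object": ["tenure_rel/$organization/*/*"]
-},
-{
-"effect": "allow",
-"action": ["resource.view"],
-"object": ["resource/$organization/*/*"]
 }
 ]
 }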
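--- a/cadasta/config/permissions/project-user.json
+++ b/cadasta/config/permissions/project-user.json
@@ -1,8 +1,37 @@
 {
 "clause": [
-// Currently, "ordinary" users associated with a project have no
-// additional permissions over those given to all users. This may
-// change in the future. In particular, project users may be
-// permitted access to projects that are normally private.
+// In addition to the permissions provided by the organization member
+// policy, project users can view details of locations, parties,
+// relationships and resources.
+{
+"effect": "allow",
+"action": ["spatial.view"],
+"object": ["spatial/$organization/$project/*"]
+},
+{
+"effect": "allow",
+"action": ["spatial_rel.view"],
+"object": ["spatial_rel/$organization/$project/*"]
+},
+{
+"effect": "allow",
+"action": ["party.view"],
+"object": ["party/$organization/$project/*"]
+},
+{
+"effect": "allow",
+"action": ["party_rel.view"],
+"object": ["party_rel/$organization/$project/*"]
+},
+{
+"effect": "allow",
+"action": ["tenure_rel.view"],
+"object": ["tenure_rel/$organization/$project/*"]
+},
+{
+"effect": "allow",
+"action": ["resource.view"],
+"object": ["resource/$organization/$project/*"]
+}
 ]
 }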
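Review bot: The new header comment says project users get these view rights "in addition to" the organization member policy, but it does not record that the same six `*.view` clauses were removed from org-member.json in this commit, which is the actual access change: an organization member without a project role now loses detail access on private projects (the test updates in this PR assert 403 for exactly that case), while the `*.list` clauses remain in org-member.json. A sentence such as `// These view permissions were moved here from org-member.json (#961): organization membership alone no longer grants detail access; list permissions stay in the org-member policy.` would make the intent visible to whoever next edits either file. The objects are scoped to `$organization/$project`, so no cross-project wildcard is introduced.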
2 changes: 1 addition & 1 deletion cadasta/core/static/css/main.css

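--- a/cadasta/party/tests/test_views_api_party_relationships.py
+++ b/cadasta/party/tests/test_views_api_party_relationships.py
@@ -283,8 +283,8 @@ def test_get_private_record_based_on_org_membership(self):
 OrganizationRole.objects.create(organization=self.org, user=user)
 
 response = self.request(user=user)
-assert response.status_code == 200
-assert response.content['id'] == self.rel.id
+assert response.status_code == 403
+assert response.content['detail'] == PermissionDenied.default_detail
 
 
 class PartyRelationshipUpdateAPITest(APITestCase, UserTestCase, TestCase):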
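Review bot: The method name `test_get_private_record_based_on_org_membership` now describes the opposite of what the new assertions check: the test expects `403` and `PermissionDenied.default_detail`, i.e. that organization membership alone no longer grants detail access to a private record. Either rename it (for example `test_get_private_record_denied_with_org_membership_only`) or add a docstring such as `"""Org membership without a project role must not reveal a private record; detail view rights now live in the project-user policy."""`. The same naming problem is present in the matching hunks of test_views_api_tenure_relationships.py, test_views_api_spatial_relationships.py and test_views_api_spatial_units.py. The method begins above the hunk, so the module's imports are not visible here; confirm that each of these modules imports `PermissionDenied`, and consider a positive counterpart (a user holding a project role can still retrieve the record) if the class does not already have one.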
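--- a/cadasta/party/tests/test_views_api_tenure_relationships.py
+++ b/cadasta/party/tests/test_views_api_tenure_relationships.py
@@ -267,8 +267,8 @@ def test_get_private_record_based_on_org_membership(self):
 user=user)
 
 response = self.request(user=user)
-assert response.status_code == 200
-assert response.content['id'] == self.rel.id
+assert response.status_code == 403
+assert response.content['detail'] == PermissionDenied.default_detail
 
 
 class TenureRelationshipUpdateAPITest(APITestCase, UserTestCase, TestCase):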
21 changes: 20 additions & 1 deletion cadasta/party/tests/test_views_default.py
Expand Up @@ -83,9 +83,28 @@ def test_get_from_non_existent_project(self):

def test_get_with_unauthorized_user(self):
user = UserFactory.create()
response = self.request(user=user)
assert response.status_code == 302
Please add another assertion for the redirect URL.

This isn't necessary.

The redirect URL is based on the referrer and it is defined in core.mixins.PermissionRequiredMixin.handle_no_permission, which has appropriate tests.


def test_get_with_user_without_view_permissions(self):
user = UserFactory.create()
clauses = {
'clause': [
{
'effect': 'allow',
'object': ['project/*/*'],
'action': ['project.*.*', 'party.list']
}
]
}
policy = Policy.objects.create(
name='allow',
body=json.dumps(clauses))
assign_user_policies(user, policy)

response = self.request(user=user)
assert response.status_code == 200
assert response.content == self.render_content(object_list=[])
assert response.content == self.expected_content

def test_get_with_unauthenticated_user(self):
response = self.request()
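Review bot: `test_get_with_user_without_view_permissions` asserts `response.content == self.expected_content`, i.e. a user granted `party.list` but not `party.view` now sees the complete party list, yet the name reads as if a restricted result were expected, so the intent needs a docstring. Suggest `"""party.list alone authorises listing every party: PartiesList no longer filters its queryset by party.view (permission_filter_queryset is removed in this commit)."""`, which ties the test to the deletion in cadasta/party/views/default.py. Because that attribute is dropped from `PartiesList` only, the spatial and resource list views presumably keep their previous filtering; worth confirming so that list visibility is consistent across resource types. `test_get_with_unauthenticated_user` continues below the hunk.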
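--- a/cadasta/party/views/default.py
+++ b/cadasta/party/views/default.py
@@ -19,7 +19,6 @@ class PartiesList(LoginPermissionRequiredMixin,
 template_name = 'party/party_list.html'
 permission_required = 'party.list'
 permission_denied_message = error_messages.PARTY_LIST
-permission_filter_queryset = ('party.view',)
 no_jsonattrs_in_queryset = True
 
 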
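--- a/cadasta/spatial/tests/test_views_api_spatial_relationships.py
+++ b/cadasta/spatial/tests/test_views_api_spatial_relationships.py
@@ -272,8 +272,8 @@ def test_get_private_record_based_on_org_membership(self):
 user=user)
 
 response = self.request(user=user)
-assert response.status_code == 200
-assert response.content['id'] == self.rel.id
+assert response.status_code == 403
+assert response.content['detail'] == PermissionDenied.default_detail
 
 
 class SpatialRelationshipUpdateAPITest(APITestCase, UserTestCase, TestCase):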
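--- a/cadasta/spatial/tests/test_views_api_spatial_units.py
+++ b/cadasta/spatial/tests/test_views_api_spatial_units.py
@@ -435,9 +435,8 @@ def test_get_private_record_based_on_org_membership(self):
 user=user)
 
 response = self.request(user=user)
-assert response.status_code == 200
-print(response.content)
-assert response.content['properties']['id'] == self.su.id
+assert response.status_code == 403
+assert response.content['detail'] == PermissionDenied.default_detail
 
 
 class SpatialUnitUpdateAPITest(APITestCase, UserTestCase, TestCase):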