remove access checks from domain methods
This commit is contained in:
dandds
@@ -22,6 +22,7 @@ def developer():
|
||||
return UserFactory.create()
|
||||
|
||||
|
||||
@pytest.mark.auth
|
||||
def test_non_admin_cannot_view_audit_log(developer):
|
||||
with pytest.raises(UnauthorizedError):
|
||||
AuditLog.get_all_events(developer)
|
||||
@@ -63,6 +64,7 @@ def test_ws_owner_can_view_ws_audit_log():
|
||||
assert len(events) > 0
|
||||
|
||||
|
||||
@pytest.mark.auth
|
||||
def test_other_users_cannot_view_portfolio_audit_log():
|
||||
with pytest.raises(UnauthorizedError):
|
||||
portfolio = PortfolioFactory.create()
|
||||
|
||||
@@ -1,7 +1,13 @@
|
||||
import pytest
|
||||
|
||||
from tests.factories import TaskOrderFactory, UserFactory, PortfolioRoleFactory
|
||||
from atst.domain.authz import Authorization
|
||||
from tests.factories import (
|
||||
TaskOrderFactory,
|
||||
UserFactory,
|
||||
PortfolioFactory,
|
||||
PortfolioRoleFactory,
|
||||
)
|
||||
from atst.domain.authz import Authorization, user_can_access
|
||||
from atst.domain.authz.decorator import user_can_access_decorator
|
||||
from atst.domain.permission_sets import PermissionSets
|
||||
from atst.domain.exceptions import UnauthorizedError
|
||||
from atst.models.permissions import Permissions
|
||||
@@ -58,3 +64,85 @@ def test_has_portfolio_permission():
|
||||
assert not Authorization.has_portfolio_permission(
|
||||
different_user, port_role.portfolio, Permissions.VIEW_PORTFOLIO_REPORTS
|
||||
)
|
||||
|
||||
|
||||
def test_user_can_access():
|
||||
ccpo = UserFactory.create_ccpo()
|
||||
edit_admin = UserFactory.create()
|
||||
view_admin = UserFactory.create()
|
||||
|
||||
portfolio = PortfolioFactory.create(owner=edit_admin)
|
||||
# factory gives view perms by default
|
||||
PortfolioRoleFactory.create(user=view_admin, portfolio=portfolio)
|
||||
|
||||
# check a site-wide permission
|
||||
assert user_can_access(ccpo, Permissions.VIEW_AUDIT_LOG)
|
||||
with pytest.raises(UnauthorizedError):
|
||||
user_can_access(edit_admin, Permissions.VIEW_AUDIT_LOG)
|
||||
user_can_access(view_admin, Permissions.VIEW_AUDIT_LOG)
|
||||
|
||||
# check a portfolio view permission
|
||||
assert user_can_access(ccpo, Permissions.VIEW_PORTFOLIO, portfolio=portfolio)
|
||||
assert user_can_access(edit_admin, Permissions.VIEW_PORTFOLIO, portfolio=portfolio)
|
||||
assert user_can_access(view_admin, Permissions.VIEW_PORTFOLIO, portfolio=portfolio)
|
||||
|
||||
# check a portfolio edit permission
|
||||
assert user_can_access(ccpo, Permissions.EDIT_PORTFOLIO_NAME, portfolio=portfolio)
|
||||
assert user_can_access(
|
||||
edit_admin, Permissions.EDIT_PORTFOLIO_NAME, portfolio=portfolio
|
||||
)
|
||||
with pytest.raises(UnauthorizedError):
|
||||
user_can_access(
|
||||
view_admin, Permissions.EDIT_PORTFOLIO_NAME, portfolio=portfolio
|
||||
)
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def set_current_user(request_ctx):
|
||||
def _set_current_user(user):
|
||||
request_ctx.g.current_user = user
|
||||
|
||||
yield _set_current_user
|
||||
|
||||
request_ctx.g.current_user = None
|
||||
|
||||
|
||||
def test_user_can_access_decorator(set_current_user):
|
||||
ccpo = UserFactory.create_ccpo()
|
||||
edit_admin = UserFactory.create()
|
||||
view_admin = UserFactory.create()
|
||||
|
||||
portfolio = PortfolioFactory.create(owner=edit_admin)
|
||||
# factory gives view perms by default
|
||||
PortfolioRoleFactory.create(user=view_admin, portfolio=portfolio)
|
||||
|
||||
@user_can_access_decorator(Permissions.EDIT_PORTFOLIO_NAME)
|
||||
def _edit_portfolio_name(*args, **kwargs):
|
||||
return True
|
||||
|
||||
set_current_user(ccpo)
|
||||
assert _edit_portfolio_name(portfolio_id=portfolio.id)
|
||||
|
||||
set_current_user(edit_admin)
|
||||
assert _edit_portfolio_name(portfolio_id=portfolio.id)
|
||||
|
||||
set_current_user(view_admin)
|
||||
with pytest.raises(UnauthorizedError):
|
||||
_edit_portfolio_name(portfolio_id=portfolio.id)
|
||||
|
||||
|
||||
def test_user_can_access_decorator_exceptions(set_current_user):
|
||||
rando_calrissian = UserFactory.create()
|
||||
portfolio = PortfolioFactory.create()
|
||||
|
||||
wont_work = lambda *args, **kwargs: False
|
||||
because_i_said_so = lambda *args, **kwargs: True
|
||||
|
||||
@user_can_access_decorator(
|
||||
Permissions.EDIT_PORTFOLIO_NAME, exceptions=[wont_work, because_i_said_so]
|
||||
)
|
||||
def _edit_portfolio_name(*args, **kwargs):
|
||||
return True
|
||||
|
||||
set_current_user(rando_calrissian)
|
||||
assert _edit_portfolio_name(portfolio_id=portfolio.id)
|
||||
|
||||
@@ -46,16 +46,19 @@ def test_portfolio_has_timestamps(portfolio):
|
||||
assert portfolio.time_created == portfolio.time_updated
|
||||
|
||||
|
||||
@pytest.mark.auth
|
||||
def test_portfolios_get_ensures_user_is_in_portfolio(portfolio, portfolio_owner):
|
||||
outside_user = UserFactory.create()
|
||||
with pytest.raises(UnauthorizedError):
|
||||
Portfolios.get(outside_user, portfolio.id)
|
||||
|
||||
|
||||
@pytest.mark.auth
|
||||
def test_get_for_update_applications_allows_owner(portfolio, portfolio_owner):
|
||||
Portfolios.get_for_update_applications(portfolio_owner, portfolio.id)
|
||||
|
||||
|
||||
@pytest.mark.auth
|
||||
def test_get_for_update_applications_blocks_developer(portfolio):
|
||||
developer = UserFactory.create()
|
||||
PortfolioRoles.add(developer, portfolio.id)
|
||||
@@ -94,6 +97,7 @@ def test_can_add_existing_user_to_portfolio(portfolio, portfolio_owner):
|
||||
assert not new_member.user.provisional
|
||||
|
||||
|
||||
@pytest.mark.auth
|
||||
def test_need_permission_to_create_portfolio_role(portfolio, portfolio_owner):
|
||||
random_user = UserFactory.create()
|
||||
|
||||
@@ -127,6 +131,7 @@ def test_update_portfolio_role_role(portfolio, portfolio_owner):
|
||||
assert updated_member.portfolio == portfolio
|
||||
|
||||
|
||||
@pytest.mark.auth
|
||||
def test_need_permission_to_update_portfolio_role_role(portfolio, portfolio_owner):
|
||||
random_user = UserFactory.create()
|
||||
user_data = {
|
||||
@@ -154,6 +159,7 @@ def test_ccpo_can_view_portfolio_members(portfolio, portfolio_owner):
|
||||
assert Portfolios.get_with_members(ccpo, portfolio.id)
|
||||
|
||||
|
||||
@pytest.mark.auth
|
||||
def test_random_user_cannot_view_portfolio_members(portfolio):
|
||||
developer = UserFactory.create()
|
||||
|
||||
@@ -282,6 +288,7 @@ def test_for_user_returns_all_portfolios_for_ccpo(portfolio, portfolio_owner):
|
||||
assert len(sams_portfolios) == 2
|
||||
|
||||
|
||||
@pytest.mark.auth
|
||||
def test_get_for_update_information(portfolio, portfolio_owner):
|
||||
owner_ws = Portfolios.get_for_update_information(portfolio_owner, portfolio.id)
|
||||
assert portfolio == owner_ws
|
||||
|
||||
@@ -95,6 +95,7 @@ def test_add_officer_who_is_already_portfolio_member():
|
||||
assert member.user == owner
|
||||
|
||||
|
||||
@pytest.mark.auth
|
||||
def test_task_order_access():
|
||||
creator = UserFactory.create()
|
||||
member = UserFactory.create()
|
||||
|
||||
Reference in New Issue
Block a user