0003-backoffice-check-category-permissions-for-export-sta.patch
| tests/backoffice_pages/test_all.py | ||
|---|---|---|
| 1500 | 1500 |
assert 'End: 2013-01-01' in resp.text |
| 1501 | 1501 | |
| 1502 | 1502 | |
| 1503 |
def test_backoffice_form_category_permissions(pub): |
|
| 1504 |
user = create_user(pub) |
|
| 1505 |
create_environment(pub) |
|
| 1506 | ||
| 1507 |
formdef = FormDef.get_by_urlname('form-title')
|
|
| 1508 | ||
| 1509 |
app = login(get_app(pub)) |
|
| 1510 |
resp = app.get('/backoffice/management/form-title/')
|
|
| 1511 |
assert 'Export a Spreadsheet' in resp.text |
|
| 1512 |
assert 'Statistics' in resp.text |
|
| 1513 | ||
| 1514 |
cat1 = Category(name='cat1') |
|
| 1515 |
cat1.store() |
|
| 1516 |
formdef.category_id = cat1.id |
|
| 1517 |
formdef.store() |
|
| 1518 |
resp = app.get('/backoffice/management/form-title/')
|
|
| 1519 |
assert 'Export a Spreadsheet' in resp.text |
|
| 1520 |
assert 'Statistics' in resp.text |
|
| 1521 | ||
| 1522 |
role = pub.role_class(name='limited perms') |
|
| 1523 |
role.store() |
|
| 1524 |
cat1.export_roles = [role] |
|
| 1525 |
cat1.store() |
|
| 1526 |
resp = app.get('/backoffice/management/form-title/')
|
|
| 1527 |
assert 'Export a Spreadsheet' not in resp.text |
|
| 1528 |
assert 'Statistics' in resp.text |
|
| 1529 | ||
| 1530 |
cat1.statistics_roles = [role] |
|
| 1531 |
cat1.store() |
|
| 1532 |
resp = app.get('/backoffice/management/form-title/')
|
|
| 1533 |
assert 'Export a Spreadsheet' not in resp.text |
|
| 1534 |
assert 'Statistics' not in resp.text |
|
| 1535 |
app.get('/backoffice/management/form-title/stats', status=403)
|
|
| 1536 |
app.get('/backoffice/management/form-title/export-spreadsheet', status=403)
|
|
| 1537 |
app.get('/backoffice/management/form-title/csv', status=403)
|
|
| 1538 |
app.get('/backoffice/management/form-title/ods', status=403)
|
|
| 1539 | ||
| 1540 |
# check it's ok for admins |
|
| 1541 |
user.is_admin = True |
|
| 1542 |
user.store() |
|
| 1543 |
resp = app.get('/backoffice/management/form-title/')
|
|
| 1544 |
assert 'Export a Spreadsheet' in resp.text |
|
| 1545 |
assert 'Statistics' in resp.text |
|
| 1546 |
app.get('/backoffice/management/form-title/stats', status=200)
|
|
| 1547 |
app.get('/backoffice/management/form-title/export-spreadsheet', status=200)
|
|
| 1548 |
app.get('/backoffice/management/form-title/csv', status=200)
|
|
| 1549 |
app.get('/backoffice/management/form-title/ods', status=200)
|
|
| 1550 | ||
| 1551 |
# check it's ok for agents with roles |
|
| 1552 |
user.is_admin = False |
|
| 1553 |
user.roles.append(role.id) |
|
| 1554 |
user.store() |
|
| 1555 |
resp = app.get('/backoffice/management/form-title/')
|
|
| 1556 |
assert 'Export a Spreadsheet' in resp.text |
|
| 1557 |
assert 'Statistics' in resp.text |
|
| 1558 |
app.get('/backoffice/management/form-title/stats', status=200)
|
|
| 1559 |
app.get('/backoffice/management/form-title/export-spreadsheet', status=200)
|
|
| 1560 |
app.get('/backoffice/management/form-title/csv', status=200)
|
|
| 1561 |
app.get('/backoffice/management/form-title/ods', status=200)
|
|
| 1562 | ||
| 1563 | ||
| 1503 | 1564 |
def test_backoffice_multi_actions(pub): |
| 1504 | 1565 |
create_superuser(pub) |
| 1505 | 1566 |
create_environment(pub) |
| wcs/backoffice/management.py | ||
|---|---|---|
| 1176 | 1176 | |
| 1177 | 1177 |
def get_formdata_sidebar_actions(self, qs=''): |
| 1178 | 1178 |
r = TemplateIO(html=True) |
| 1179 |
r += htmltext( |
|
| 1180 |
' <li><a rel="popup" data-base-href="export-spreadsheet" data-autoclose-dialog="true" ' |
|
| 1181 |
'href="export-spreadsheet%s">%s</a></li>' |
|
| 1182 |
) % ( |
|
| 1183 |
qs, |
|
| 1184 |
_('Export a Spreadsheet'),
|
|
| 1185 |
) |
|
| 1179 |
if not self.formdef.category or self.formdef.category.has_permission('export', get_request().user):
|
|
| 1180 |
r += htmltext( |
|
| 1181 |
' <li><a rel="popup" data-base-href="export-spreadsheet" data-autoclose-dialog="true" ' |
|
| 1182 |
'href="export-spreadsheet%s">%s</a></li>' |
|
| 1183 |
) % ( |
|
| 1184 |
qs, |
|
| 1185 |
_('Export a Spreadsheet'),
|
|
| 1186 |
) |
|
| 1186 | 1187 |
if self.formdef.geolocations: |
| 1187 | 1188 |
r += htmltext(' <li><a data-base-href="map" href="map%s">%s</a></li>') % (qs, _('Plot on a Map'))
|
| 1188 |
if 'stats' in self._q_exports: |
|
| 1189 |
if 'stats' in self._q_exports and ( |
|
| 1190 |
not self.formdef.category |
|
| 1191 |
or self.formdef.category.has_permission('statistics', get_request().user)
|
|
| 1192 |
): |
|
| 1189 | 1193 |
r += htmltext(' <li class="stats"><a href="stats">%s</a></li>') % _('Statistics')
|
| 1190 | 1194 |
return r.getvalue() |
| 1191 | 1195 | |
| ... | ... | |
| 2133 | 2137 | |
| 2134 | 2138 |
def export_spreadsheet(self): |
| 2135 | 2139 |
self.check_access() |
| 2140 |
if self.formdef.category and not self.formdef.category.has_permission('export', get_request().user):
|
|
| 2141 |
raise errors.AccessForbiddenError() |
|
| 2136 | 2142 |
form = Form() |
| 2137 | 2143 |
form.add_hidden('query_string', get_request().get_query())
|
| 2138 | 2144 |
form.add( |
| ... | ... | |
| 2168 | 2174 | |
| 2169 | 2175 |
def csv(self): |
| 2170 | 2176 |
self.check_access() |
| 2177 |
if self.formdef.category and not self.formdef.category.has_permission('export', get_request().user):
|
|
| 2178 |
raise errors.AccessForbiddenError() |
|
| 2171 | 2179 |
fields = self.get_fields_from_query() |
| 2172 | 2180 |
selected_filter = self.get_filter_from_query() |
| 2173 | 2181 |
user = get_request().user |
| ... | ... | |
| 2220 | 2228 |
if get_request().has_anonymised_data_api_restriction(): |
| 2221 | 2229 |
# api/ will let this pass but we don't want that. |
| 2222 | 2230 |
raise errors.AccessForbiddenError() |
| 2231 |
if self.formdef.category and not self.formdef.category.has_permission('export', get_request().user):
|
|
| 2232 |
raise errors.AccessForbiddenError() |
|
| 2223 | 2233 |
fields = self.get_fields_from_query() |
| 2224 | 2234 |
selected_filter = self.get_filter_from_query() |
| 2225 | 2235 |
user = get_user_from_api_query_string() or get_request().user |
| ... | ... | |
| 2469 | 2479 | |
| 2470 | 2480 |
def stats(self): |
| 2471 | 2481 |
self.check_access() |
| 2482 |
if self.formdef.category and not self.formdef.category.has_permission( |
|
| 2483 |
'statistics', get_request().user |
|
| 2484 |
): |
|
| 2485 |
raise errors.AccessForbiddenError() |
|
| 2472 | 2486 |
get_logger().info('backoffice - form %s - stats' % self.formdef.name)
|
| 2473 | 2487 |
html_top('management', '%s - %s' % (_('Form'), self.formdef.name))
|
| 2474 | 2488 |
r = TemplateIO(html=True) |
| wcs/categories.py | ||
|---|---|---|
| 124 | 124 |
text = '<p>%s</p>' % text |
| 125 | 125 |
return htmltext(text) |
| 126 | 126 | |
| 127 |
def has_permission(self, permission_name, user): |
|
| 128 |
if user.is_admin: |
|
| 129 |
return True |
|
| 130 |
permission_roles = getattr(self, '%s_roles' % permission_name, None) or [] |
|
| 131 |
if not permission_roles: |
|
| 132 |
return True |
|
| 133 |
user_roles = set(user.get_roles()) if user else set() |
|
| 134 |
return bool(user_roles.intersection([x.id for x in permission_roles])) |
|
| 135 | ||
| 127 | 136 | |
| 128 | 137 |
class CardDefCategory(Category): |
| 129 | 138 |
_names = 'carddef_categories' |
| 130 |
- |
|