0003-backoffice-check-category-permissions-for-export-sta.patch
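--- a/tests/backoffice_pages/test_all.py
+++ b/tests/backoffice_pages/test_all.py
@@ -1500,6 +1500,67 @@
     assert 'End: 2013-01-01' in resp.text
 
 
+def test_backoffice_form_category_permissions(pub):
+    user = create_user(pub)
+    create_environment(pub)
+
+    formdef = FormDef.get_by_urlname('form-title')
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/management/form-title/')
+    assert 'Export a Spreadsheet' in resp.text
+    assert 'Statistics' in resp.text
+
+    cat1 = Category(name='cat1')
+    cat1.store()
+    formdef.category_id = cat1.id
+    formdef.store()
+    resp = app.get('/backoffice/management/form-title/')
+    assert 'Export a Spreadsheet' in resp.text
+    assert 'Statistics' in resp.text
+
+    role = pub.role_class(name='limited perms')
+    role.store()
+    cat1.export_roles = [role]
+    cat1.store()
+    resp = app.get('/backoffice/management/form-title/')
+    assert 'Export a Spreadsheet' not in resp.text
+    assert 'Statistics' in resp.text
+
+    cat1.statistics_roles = [role]
+    cat1.store()
+    resp = app.get('/backoffice/management/form-title/')
+    assert 'Export a Spreadsheet' not in resp.text
+    assert 'Statistics' not in resp.text
+    app.get('/backoffice/management/form-title/stats', status=403)
+    app.get('/backoffice/management/form-title/export-spreadsheet', status=403)
+    app.get('/backoffice/management/form-title/csv', status=403)
+    app.get('/backoffice/management/form-title/ods', status=403)
+
+    # check it's ok for admins
+    user.is_admin = True
+    user.store()
+    resp = app.get('/backoffice/management/form-title/')
+    assert 'Export a Spreadsheet' in resp.text
+    assert 'Statistics' in resp.text
+    app.get('/backoffice/management/form-title/stats', status=200)
+    app.get('/backoffice/management/form-title/export-spreadsheet', status=200)
+    app.get('/backoffice/management/form-title/csv', status=200)
+    app.get('/backoffice/management/form-title/ods', status=200)
+
+    # check it's ok for agents with roles
+    user.is_admin = False
+    user.roles.append(role.id)
+    user.store()
+    resp = app.get('/backoffice/management/form-title/')
+    assert 'Export a Spreadsheet' in resp.text
+    assert 'Statistics' in resp.text
+    app.get('/backoffice/management/form-title/stats', status=200)
+    app.get('/backoffice/management/form-title/export-spreadsheet', status=200)
+    app.get('/backoffice/management/form-title/csv', status=200)
+    app.get('/backoffice/management/form-title/ods', status=200)
+
+
 def test_backoffice_multi_actions(pub):
     create_superuser(pub)
     create_environment(pub)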
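--- a/wcs/backoffice/management.py
+++ b/wcs/backoffice/management.py
@@ -1176,16 +1176,20 @@
 
     def get_formdata_sidebar_actions(self, qs=''):
         r = TemplateIO(html=True)
-        r += htmltext(
-            ' <li><a rel="popup" data-base-href="export-spreadsheet" data-autoclose-dialog="true" '
-            'href="export-spreadsheet%s">%s</a></li>'
-        ) % (
-            qs,
-            _('Export a Spreadsheet'),
-        )
+        if not self.formdef.category or self.formdef.category.has_permission('export', get_request().user):
+            r += htmltext(
+                ' <li><a rel="popup" data-base-href="export-spreadsheet" data-autoclose-dialog="true" '
+                'href="export-spreadsheet%s">%s</a></li>'
+            ) % (
+                qs,
+                _('Export a Spreadsheet'),
+            )
         if self.formdef.geolocations:
             r += htmltext(' <li><a data-base-href="map" href="map%s">%s</a></li>') % (qs, _('Plot on a Map'))
-        if 'stats' in self._q_exports:
+        if 'stats' in self._q_exports and (
+            not self.formdef.category
+            or self.formdef.category.has_permission('statistics', get_request().user)
+        ):
             r += htmltext(' <li class="stats"><a href="stats">%s</a></li>') % _('Statistics')
         return r.getvalue()
 
@@ -2133,6 +2137,8 @@
 
     def export_spreadsheet(self):
         self.check_access()
+        if self.formdef.category and not self.formdef.category.has_permission('export', get_request().user):
+            raise errors.AccessForbiddenError()
         form = Form()
         form.add_hidden('query_string', get_request().get_query())
         form.add(
@@ -2168,6 +2174,8 @@
 
     def csv(self):
         self.check_access()
+        if self.formdef.category and not self.formdef.category.has_permission('export', get_request().user):
+            raise errors.AccessForbiddenError()
         fields = self.get_fields_from_query()
         selected_filter = self.get_filter_from_query()
         user = get_request().user
@@ -2220,6 +2228,8 @@
         if get_request().has_anonymised_data_api_restriction():
             # api/ will let this pass but we don't want that.
             raise errors.AccessForbiddenError()
+        if self.formdef.category and not self.formdef.category.has_permission('export', get_request().user):
+            raise errors.AccessForbiddenError()
         fields = self.get_fields_from_query()
         selected_filter = self.get_filter_from_query()
         user = get_user_from_api_query_string() or get_request().user
@@ -2469,6 +2479,10 @@
 
     def stats(self):
         self.check_access()
+        if self.formdef.category and not self.formdef.category.has_permission(
+            'statistics', get_request().user
+        ):
+            raise errors.AccessForbiddenError()
         get_logger().info('backoffice - form %s - stats' % self.formdef.name)
         html_top('management', '%s - %s' % (_('Form'), self.formdef.name))
         r = TemplateIO(html=True)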
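Review bot: Every new check hands `get_request().user` to `Category.has_permission`, and the `has_permission` introduced in wcs/categories.py by this same commit reads `user.is_admin` on its first line while only guarding against a missing user later (`set(user.get_roles()) if user else set()`), so a request with no user that reaches `get_formdata_sidebar_actions` or the `stats`/export handlers would fail with AttributeError rather than a clean `AccessForbiddenError`. Whether `check_access()` already rejects such requests is not visible here, and the sidebar helper does not call it at all, so it seems safer to make the `user` guard the first statement of `has_permission` or to treat a falsy user as not permitted at the call sites. The `if self.formdef.category and not self.formdef.category.has_permission(...)` / `raise errors.AccessForbiddenError()` pair is also repeated verbatim in `export_spreadsheet`, `csv`, the handler at new line 2231 (whose `def` lies outside the hunk) and `stats`; a small method on this class, called as `self.check_category_permission('export')` and `self.check_category_permission('statistics')`, would keep the four copies from drifting and give the sidebar condition the same single source of truth.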
wcs/categories.py | ||
124 | 124 |
text = '<p>%s</p>' % text |
125 | 125 |
return htmltext(text) |
126 | 126 | |
127 |
def has_permission(self, permission_name, user): |
|
128 |
if user.is_admin: |
|
129 |
return True |
|
130 |
permission_roles = getattr(self, '%s_roles' % permission_name, None) or [] |
|
131 |
if not permission_roles: |
|
132 |
return True |
|
133 |
user_roles = set(user.get_roles()) if user else set() |
|
134 |
return bool(user_roles.intersection([x.id for x in permission_roles])) |
|
135 | ||
127 | 136 | |
128 | 137 |
class CardDefCategory(Category): |
129 | 138 |
_names = 'carddef_categories' |
130 |
- |