authorÉtienne Loks <etienne.loks@proxience.com>2014-05-28 11:23:20 +0200
committerÉtienne Loks <etienne.loks@proxience.com>2014-05-28 11:23:20 +0200
commit20cc3229118c991096019c1e98da0967fc72a2a2 (patch)
tree838934d2ae466f6821bca7048ab1edaa53d2a7fa
parent2298cf58af47d7b8a5bee38555422a7d181537f8 (diff)
downloadIshtar-20cc3229118c991096019c1e98da0967fc72a2a2.tar.bz2
Ishtar-20cc3229118c991096019c1e98da0967fc72a2a2.zip
"Own" rights management (refs #1564)
* fix own queries for operations and archaeological files * fix permission checking * tests
-rw-r--r--archaeological_files/models.py3
-rw-r--r--archaeological_operations/models.py3
-rw-r--r--archaeological_operations/tests.py35
-rw-r--r--ishtar_common/views.py4
4 files changed, 36 insertions, 9 deletions
diff --git a/archaeological_files/models.py b/archaeological_files/models.py
index 297a23fed..db33ed9b2 100644
--- a/archaeological_files/models.py
+++ b/archaeological_files/models.py
@@ -228,7 +228,8 @@ class File(BaseHistorizedItem, OwnPerms, ValueGetter):
@classmethod
def get_query_owns(cls, user):
- return (Q(history_creator=user) | Q(in_charge__ishtaruser=user)) \
+ return (Q(history_creator=user) |
+ Q(in_charge__ishtaruser=user.ishtaruser)) \
& Q(end_date__isnull=True)
def is_active(self):
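Review bot: The new `Q(in_charge__ishtaruser=user.ishtaruser)` term dereferences the reverse one-to-one on the Django user, which raises the related `DoesNotExist` for an authenticated account that has no IshtarUser profile, where the old comparison against `user` itself could not fail. Whether every caller guarantees a profile cannot be told from this hunk; if it is not guaranteed, the lookup should be guarded (catch the related `DoesNotExist` and fall back to `Q(history_creator=user) & Q(end_date__isnull=True)`) so the own-scope query stays defined instead of erroring. The parenthesised OR group followed by `& Q(end_date__isnull=True)` is the correct shape here; it is worth a short comment, e.g. `# own = created by, or in charge of, an open (end_date unset) file`. is_active's body lies outside the hunk.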
diff --git a/archaeological_operations/models.py b/archaeological_operations/models.py
index 97d10801c..8601c602f 100644
--- a/archaeological_operations/models.py
+++ b/archaeological_operations/models.py
@@ -375,7 +375,8 @@ class Operation(BaseHistorizedItem, OwnPerms, ValueGetter):
@classmethod
def get_query_owns(cls, user):
- return Q(in_charge=user.person)|Q(scientist=user.person)|\
+ return Q(in_charge=user.ishtaruser.person)|\
+ Q(scientist=user.ishtaruser.person)|\
Q(history_creator=user) & Q(end_date__isnull=True)
def is_active(self):
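Review bot: Operator precedence makes the `end_date__isnull=True` restriction on the last line apply only to the `history_creator` term, because `&` binds tighter than `|`; operations where the user is `in_charge` or `scientist` are therefore returned whether or not they are closed, which is a wider "own" scope than the File version in this same commit grants. Parenthesise the OR group as File.get_query_owns does: `return (Q(in_charge=user.ishtaruser.person) |` / `Q(scientist=user.ishtaruser.person) | Q(history_creator=user)) \` / `& Q(end_date__isnull=True)`. As in the File version, `user.ishtaruser` is assumed to exist for every caller; a missing profile raises the related `DoesNotExist` here.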
diff --git a/archaeological_operations/tests.py b/archaeological_operations/tests.py
index 2dd3c519e..808d999af 100644
--- a/archaeological_operations/tests.py
+++ b/archaeological_operations/tests.py
@@ -28,7 +28,7 @@ from django.core.urlresolvers import reverse
from django.test import TestCase
from django.test.client import Client
-from django.contrib.auth.models import User
+from django.contrib.auth.models import User, Permission
import models
from ishtar_common.models import OrganizationType, Organization, Town, \
@@ -43,7 +43,7 @@ class ImportOperationTest(TestCase):
'../archaeological_operations/fixtures/initial_data-fr.json']
def setUp(self):
- user = User.objects.create_user('username')
+ user = User.objects.create_superuser('username')
def testImportDbfOperation(self):
"""
@@ -303,13 +303,21 @@ class ImportOperationTest(TestCase):
value)
)
-def create_user():
+def create_superuser():
username = 'username4277'
password = 'dcbqj756456!@%'
user = User.objects.create_superuser(username, "nomail@nomail.com",
password)
return username, password, user
+def create_user():
+ username = 'username678'
+ password = 'dcbqj756456!@%'
+ user = User.objects.create_user(username, email="nomail2@nomail.com")
+ user.set_password(password)
+ user.save()
+ return username, password, user
+
def create_orga(user):
orga_type, created = OrganizationType.objects.get_or_create(
txt_idx='operator')
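Review bot: The new `create_user` helper sets the password in three steps where one call does the same work: `user = User.objects.create_user(username, email="nomail2@nomail.com", password=password)` hashes and saves internally, which is exactly what the following `set_password` and `save` lines do. Both helpers reuse the same literal password and differ only in the username and superuser flag; a one-line comment on each stating its role (`# plain account used to exercise the view_own_* permissions`, `# superuser: bypasses has_perm, used as the default fixture owner`) would make the test setup below easier to read. create_orga continues outside the hunk.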
@@ -335,9 +343,13 @@ class OperationTest(TestCase):
'../archaeological_operations/fixtures/initial_data-fr.json']
def setUp(self):
- self.username, self.password, self.user = create_user()
+ self.username, self.password, self.user = create_superuser()
+ self.alt_username, self.alt_password, self.alt_user = create_user()
+ self.alt_user.user_permissions.add(Permission.objects.get(
+ codename='view_own_operation'))
self.orgas = create_orga(self.user)
self.operations = create_operation(self.user, self.orgas[0])
+ self.operations += create_operation(self.alt_user, self.orgas[0])
self.item = self.operations[0]
def testSearch(self):
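Review bot: `Permission.objects.get(codename='view_own_operation')` on the new setUp lines looks the permission up by codename alone, so it raises `MultipleObjectsReturned` if another app declares the same codename and `DoesNotExist` if fixtures do not create it. Since the views.py change in this commit now checks `app_label + '.' + perm`, the test should pin the same scope: `Permission.objects.get(codename='view_own_operation', content_type__app_label='archaeological_operations')`. The `self.operations += create_operation(...)` line assumes create_operation returns a list; the hunk does not show its return type.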
@@ -347,6 +359,19 @@ class OperationTest(TestCase):
self.assertTrue(not json.loads(response.content))
c.login(username=self.username, password=self.password)
response = c.get(reverse('get-operation'), {'year': '2010',})
+ self.assertTrue(json.loads(response.content)['total'] == 2)
+ response = c.get(reverse('get-operation'),
+ {'operator': self.orgas[0].pk})
+ self.assertTrue(json.loads(response.content)['total'] == 2)
+
+ def testOwnSearch(self):
+ c = Client()
+ response = c.get(reverse('get-operation'), {'year': '2010',})
+ # no result when no authentification
+ self.assertTrue(not json.loads(response.content))
+ c.login(username=self.alt_username, password=self.alt_password)
+ response = c.get(reverse('get-operation'), {'year': '2010',})
+ # only one "own" operation available
self.assertTrue(json.loads(response.content)['total'] == 1)
response = c.get(reverse('get-operation'),
{'operator': self.orgas[0].pk})
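Review bot: `c.login(...)` in the new testOwnSearch discards its return value, so a failed login (wrong password, inactive account) would surface as a KeyError on `['total']` rather than as the assertion that matters; `self.assertTrue(c.login(username=self.alt_username, password=self.alt_password))` makes the precondition explicit, and the same applies to the existing login in testSearch. The `self.assertTrue(... == 2)` and `== 1` checks report only "False is not true" on failure; `self.assertEqual(json.loads(response.content)['total'], 1)` shows the actual count. The comment `# no result when no authentification` should read `authentication`. testOwnSearch continues past the end of the hunk.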
@@ -372,7 +397,7 @@ class RegisterTest(TestCase):
'../archaeological_operations/fixtures/initial_data-fr.json']
def setUp(self):
- self.username, self.password, self.user = create_user()
+ self.username, self.password, self.user = create_superuser()
self.operations = create_operation(self.user)
self.act_types, self.operations = create_administrativact(
self.user, self.operations[0])
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index 11351d7c0..0292021bf 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -230,7 +230,7 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
# if not specific any perm is relevant (read right)
if specific_perms and perm not in specific_perms:
continue
- if request.user.has_perm(perm) \
+ if request.user.has_perm(model._meta.app_label + '.' + perm) \
or (request.user.is_authenticated()
and request.user.ishtaruser.has_right(perm)):
allowed = True
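Review bot: The new `has_perm(model._meta.app_label + '.' + perm)` call uses Django's qualified permission name, but the fallback on the following line still passes the bare `perm` to `request.user.ishtaruser.has_right(perm)`, so the two branches now check differently spelled rights; whether `has_right` expects the unqualified codename cannot be told from this hunk, and a comment such as `# has_perm needs app_label.codename; has_right takes the bare codename` would record the intent. That fallback also dereferences `request.user.ishtaruser` for any authenticated user whose `has_perm` check was false, which raises the related `DoesNotExist` for an account without an IshtarUser profile; if such accounts can exist, the branch should leave `allowed` False rather than error. get_item's body extends well beyond this hunk.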
@@ -339,7 +339,7 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
break
query = Q(**dct)
if own:
- query = query & model.get_query_own(request.user)
+ query = query & model.get_query_owns(request.user)
for k, or_req in or_reqs:
alt_dct = dct.copy()
alt_dct.pop(k)
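Review bot: The own restriction is ANDed into `query` on the changed line before the `or_reqs` loop that follows builds `alt_dct` variants; if those variants are OR-ed into `query` further down (the loop body is cut off at the end of the hunk), the alternates would not carry the `get_query_owns` restriction and the "own" scope would widen to non-owned rows for those request keys. Safer is to combine all OR alternatives first and AND the own filter once afterwards, i.e. move `if own: query = query & model.get_query_owns(request.user)` to after the loop. Whether the loop really ORs into `query` cannot be confirmed from these lines; the renamed call itself is correct, as the old `get_query_own` name would have raised AttributeError on the own path.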