This commit is contained in:
SvyatoslavArtymovych 2023-06-07 16:49:45 +03:00
parent b133cd78cd
commit e6b7b07f1f
3 changed files with 280 additions and 6 deletions

View File

@ -43,7 +43,11 @@ def check_permissions(
if type(entity) == m.Comment:
log(log.INFO, "Entity is Comment. Replace it by entity.interpretation")
entity = entity.interpretation
elif type(entity) == m.Interpretation and entity.user_id == current_user.id:
elif (
type(entity) == m.Interpretation
and entity.user_id == current_user.id
and m.Permission.Access.A not in access
):
log(log.INFO, "User [%s] is interpretation creator [%s]", current_user, entity)
return None

View File

@ -10,7 +10,7 @@ from tests.utils import (
def test_approve_interpretation(client: FlaskClient):
_, user = login(client)
login(client)
book = create_book(client)

View File

@ -11,10 +11,11 @@ from tests.utils import (
create_section,
create_interpretation,
create_comment,
create_sub_collection,
)
def test_editor_access_to_entire_book(client):
def test_editor_permissions_entire_and_local(client):
login(client)
book = create_book(client)
@ -159,15 +160,135 @@ def test_editor_access_to_entire_book(client):
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
# set local permissions
logout(client)
login(client)
collection_1, response = create_collection(client, book.id)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
collection_2, response = create_collection(client, book.id)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
json_string = json.dumps({"collection": [collection_1.id]})
response: Response = client.post(
"/permission/set",
data=dict(
book_id=book.id,
user_id=editor.id,
permissions=json_string,
),
follow_redirects=True,
)
assert b"Success!" in response.data
logout(client)
login(client, "editor", "editor")
# access to settings page
response: Response = client.get(f"/book/{book.id}/settings", follow_redirects=True)
assert b"You do not have permission" in response.data
# access to edit book
response: Response = client.post(
f"/book/{book.id}/edit",
data=dict(book_id=book.id, label="BookEdited"),
follow_redirects=True,
)
assert b"You do not have permission" in response.data
# dont have access to delete
response: Response = client.post(
f"/book/{book.id}/delete",
data=dict(book_id=book.id),
follow_redirects=True,
)
assert b"You do not have permission" in response.data
# access to create collection
_, response = create_collection(client, book.id)
assert b"You do not have permission" in response.data
# access to edit collection
response: Response = client.post(
f"/book/{book.id}/{collection.id}/edit",
data=dict(label="NewLabel"),
follow_redirects=True,
)
assert b"You do not have permission" in response.data
response: Response = client.post(
f"/book/{book.id}/{collection_2.id}/edit",
data=dict(label="NewLabel"),
follow_redirects=True,
)
assert b"You do not have permission" in response.data
response: Response = client.post(
f"/book/{book.id}/{collection_1.id}/edit",
data=dict(label="NewLabel-LocalPermission"),
follow_redirects=True,
)
assert b"You do not have permission" not in response.data
assert b"Success" in response.data
# access to create sub collection
_, response = create_sub_collection(client, book.id, collection_2.id)
assert b"You do not have permission" in response.data
sub_collection, response = create_sub_collection(client, book.id, collection_1.id)
assert b"You do not have permission" not in response.data
assert b"Success" in response.data
response: Response = client.post(
f"/book/{book.id}/{sub_collection.id}/edit",
data=dict(label="NewSubLabel-LocalPermission"),
follow_redirects=True,
)
assert b"You do not have permission" not in response.data
assert b"Success" in response.data
logout(client)
login(client)
json_string = json.dumps(
{"collection": [collection_1.id, collection_2.id, sub_collection.id]}
)
response: Response = client.post(
"/permission/set",
data=dict(
book_id=book.id,
user_id=editor.id,
permissions=json_string,
),
follow_redirects=True,
)
assert b"Success!" in response.data
logout(client)
login(client, "editor", "editor")
response: Response = client.post(
f"/book/{book.id}/{sub_collection.id}/delete",
follow_redirects=True,
)
assert response.status_code == 200
assert b"Success!" in response.data
assert sub_collection.is_deleted
response: Response = client.post(
f"/book/{book.id}/{collection_2.id}/edit",
data=dict(label="NewSLabel"),
follow_redirects=True,
)
assert b"You do not have permission" not in response.data
assert b"Success" in response.data
def test_moderator_access_to_entire_book(client):
login(client)
book = create_book(client)
editor = m.User(username="moderator", password="moderator").save()
moderator = m.User(username="moderator", password="moderator").save()
response: Response = client.post(
f"/book/{book.id}/add_contributor",
data=dict(user_id=editor.id, role=m.BookContributor.Roles.MODERATOR),
data=dict(user_id=moderator.id, role=m.BookContributor.Roles.MODERATOR),
follow_redirects=True,
)
assert response.status_code == 200
@ -260,6 +381,156 @@ def test_moderator_access_to_entire_book(client):
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
# set local permissions
logout(client)
login(client)
collection_1, response = create_collection(client, book.id)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
section_1, response = create_section(client, book.id, collection_1.id)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
collection_2, response = create_collection(client, book.id)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
section_2, response = create_section(client, book.id, collection_2.id)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
json_string = json.dumps(
{"collection": [collection_1.id], "section": [section_1.id]}
)
response: Response = client.post(
"/permission/set",
data=dict(
book_id=book.id,
user_id=moderator.id,
permissions=json_string,
),
follow_redirects=True,
)
assert b"Success!" in response.data
logout(client)
login(client, "moderator", "moderator")
#
#
#
#
# access to create interpretation
interpretation_1, response = create_interpretation(client, book.id, section_1.id)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
# access to approve interpretation
response: Response = client.post(
f"/approve/interpretation/{interpretation_1.id}",
follow_redirects=True,
)
assert response
assert response.json["message"] == "success"
assert response.json["approve"]
assert interpretation_1.approved
# access to delete interpretation
response: Response = client.post(
f"/book/{book.id}/{interpretation_1.id}/delete_interpretation",
data=dict(interpretation_id=interpretation_1.id),
follow_redirects=True,
)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
# restore interpretation
interpretation_1.is_deleted = False
interpretation_1.save()
# access to create comment
comment, response = create_comment(client, book.id, interpretation_1.id)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
# access to approve comment
response: Response = client.post(
f"/approve/comment/{comment.id}",
follow_redirects=True,
)
assert response
assert response.json["message"] == "success"
assert response.json["approve"]
assert interpretation_1.approved
# access to delete comment
response: Response = client.post(
f"/book/{book.id}/{interpretation_1.id}/comment_delete",
data=dict(
text=comment.text,
interpretation_1=interpretation_1.id,
comment_id=comment.id,
),
follow_redirects=True,
)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
# access to create interpretation
interpretation_2, response = create_interpretation(client, book.id, section_2.id)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
# access to approve interpretation
response: Response = client.post(
f"/approve/interpretation/{interpretation_2.id}",
follow_redirects=True,
)
assert response
assert b"You do not have permission" in response.data
assert not interpretation_2.approved
# access to delete interpretation
response: Response = client.post(
f"/book/{book.id}/{interpretation_2.id}/delete_interpretation",
data=dict(interpretation_id=interpretation_2.id),
follow_redirects=True,
)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
# restore interpretation
interpretation_2.is_deleted = False
interpretation_2.save()
# access to create comment
comment, response = create_comment(client, book.id, interpretation_2.id)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
# access to approve comment
response: Response = client.post(
f"/approve/comment/{comment.id}",
follow_redirects=True,
)
assert response
assert b"You do not have permission" in response.data
assert not comment.approved
# access to delete comment
response: Response = client.post(
f"/book/{book.id}/{interpretation_2.id}/comment_delete",
data=dict(
text=comment.text,
interpretation_2=interpretation_2.id,
comment_id=comment.id,
),
follow_redirects=True,
)
assert b"You do not have permission" not in response.data
assert b"Success!" in response.data
def test_editor_access_tree_entire_book(client):
login(client)
@ -295,7 +566,6 @@ def test_set_access_level(client):
login(client)
book = create_book(client)
collection_1, _ = create_collection(client, book.id)
collection_2, _ = create_collection(client, book.id)
editor = m.User(username="editor", password="editor").save()
response: Response = client.post(