diff --git a/app/controllers/require_permission.py b/app/controllers/require_permission.py
index f0b305a..66d32a8 100644
--- a/app/controllers/require_permission.py
+++ b/app/controllers/require_permission.py
@@ -43,7 +43,11 @@ def check_permissions(
 if type(entity) == m.Comment:
 log(log.INFO, "Entity is Comment. Replace it by entity.interpretation")
 entity = entity.interpretation
- elif type(entity) == m.Interpretation and entity.user_id == current_user.id:
+ elif (
+ type(entity) == m.Interpretation
+ and entity.user_id == current_user.id
+ and m.Permission.Access.A not in access
+ ):
 log(log.INFO, "User [%s] is interpretation creator [%s]", current_user, entity)
 return None
diff --git a/tests/test_navigation_btns.py b/tests/test_navigation_btns.py
index fd9c305..324910f 100644
--- a/tests/test_navigation_btns.py
+++ b/tests/test_navigation_btns.py
@@ -10,7 +10,7 @@ from tests.utils import (
 def test_approve_interpretation(client: FlaskClient):
- _, user = login(client)
+ login(client)
 book = create_book(client)
diff --git a/tests/test_permissions.py b/tests/test_permissions.py
index ba975bf..4c22c03 100644
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@@ -11,10 +11,11 @@ from tests.utils import (
 create_section,
 create_interpretation,
 create_comment,
+ create_sub_collection,
 )
-def test_editor_access_to_entire_book(client):
+def test_editor_permissions_entire_and_local(client):
 login(client)
 book = create_book(client)
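Review bot: The creator shortcut in the new `elif` still returns `None` (a grant) before any access-level check runs, so for every access other than `m.Permission.Access.A` the interpretation's author is allowed regardless of what `access` contains; if that is intended for edit and delete, it deserves a comment such as `# Author may edit/delete their own interpretation; approval still needs an explicit grant`. `type(entity) == m.Interpretation` (and the `m.Comment` test above it) should be `isinstance(entity, m.Interpretation)` — a model subclass would silently skip the branch. The `not in access` test presumes `access` is a collection of `Access` values; if a caller can pass a single value, membership raises instead of denying, which check_permissions (its start is outside the hunk) should guard against. A negative unit test asserting that the creator requesting `Access.A` falls through to the contributor checks would pin the new behaviour directly rather than only via the integration tests.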
@@ -159,15 +160,135 @@ def test_editor_access_to_entire_book(client):
 assert b"You do not have permission" not in response.data
 assert b"Success!" in response.data
+ # set local permissions
+ logout(client)
+ login(client)
+
+ collection_1, response = create_collection(client, book.id)
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+ collection_2, response = create_collection(client, book.id)
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+
+ json_string = json.dumps({"collection": [collection_1.id]})
+ response: Response = client.post(
+ "/permission/set",
+ data=dict(
+ book_id=book.id,
+ user_id=editor.id,
+ permissions=json_string,
+ ),
+ follow_redirects=True,
+ )
+ assert b"Success!" in response.data
+ logout(client)
+
+ login(client, "editor", "editor")
+
+ # access to settings page
+ response: Response = client.get(f"/book/{book.id}/settings", follow_redirects=True)
+ assert b"You do not have permission" in response.data
+
+ # access to edit book
+ response: Response = client.post(
+ f"/book/{book.id}/edit",
+ data=dict(book_id=book.id, label="BookEdited"),
+ follow_redirects=True,
+ )
+ assert b"You do not have permission" in response.data
+
+ # dont have access to delete
+ response: Response = client.post(
+ f"/book/{book.id}/delete",
+ data=dict(book_id=book.id),
+ follow_redirects=True,
+ )
+ assert b"You do not have permission" in response.data
+
+ # access to create collection
+ _, response = create_collection(client, book.id)
+ assert b"You do not have permission" in response.data
+
+ # access to edit collection
+ response: Response = client.post(
+ f"/book/{book.id}/{collection.id}/edit",
+ data=dict(label="NewLabel"),
+ follow_redirects=True,
+ )
+ assert b"You do not have permission" in response.data
+ response: Response = client.post(
+ f"/book/{book.id}/{collection_2.id}/edit",
+ data=dict(label="NewLabel"),
+ follow_redirects=True,
+ )
+ assert b"You do not have permission" in response.data
+ response: Response = client.post(
+ f"/book/{book.id}/{collection_1.id}/edit",
+ data=dict(label="NewLabel-LocalPermission"),
+ follow_redirects=True,
+ )
+ assert b"You do not have permission" not in response.data
+ assert b"Success" in response.data
+
+ # access to create sub collection
+ _, response = create_sub_collection(client, book.id, collection_2.id)
+ assert b"You do not have permission" in response.data
+ sub_collection, response = create_sub_collection(client, book.id, collection_1.id)
+ assert b"You do not have permission" not in response.data
+ assert b"Success" in response.data
+
+ response: Response = client.post(
+ f"/book/{book.id}/{sub_collection.id}/edit",
+ data=dict(label="NewSubLabel-LocalPermission"),
+ follow_redirects=True,
+ )
+ assert b"You do not have permission" not in response.data
+ assert b"Success" in response.data
+
+ logout(client)
+ login(client)
+ json_string = json.dumps(
+ {"collection": [collection_1.id, collection_2.id, sub_collection.id]}
+ )
+ response: Response = client.post(
+ "/permission/set",
+ data=dict(
+ book_id=book.id,
+ user_id=editor.id,
+ permissions=json_string,
+ ),
+ follow_redirects=True,
+ )
+ assert b"Success!" in response.data
+ logout(client)
+ login(client, "editor", "editor")
+
+ response: Response = client.post(
+ f"/book/{book.id}/{sub_collection.id}/delete",
+ follow_redirects=True,
+ )
+ assert response.status_code == 200
+ assert b"Success!" in response.data
+ assert sub_collection.is_deleted
+
+ response: Response = client.post(
+ f"/book/{book.id}/{collection_2.id}/edit",
+ data=dict(label="NewSLabel"),
+ follow_redirects=True,
+ )
+ assert b"You do not have permission" not in response.data
+ assert b"Success" in response.data
+
 def test_moderator_access_to_entire_book(client):
 login(client)
 book = create_book(client)
- editor = m.User(username="moderator", password="moderator").save()
+ moderator = m.User(username="moderator", password="moderator").save()
 response: Response = client.post(
 f"/book/{book.id}/add_contributor",
- data=dict(user_id=editor.id, role=m.BookContributor.Roles.MODERATOR),
+ data=dict(user_id=moderator.id, role=m.BookContributor.Roles.MODERATOR),
 follow_redirects=True,
 )
 assert response.status_code == 200
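Review bot: Every denied request in the new local-permission section (book edit, book delete, the edits of `collection` and `collection_2`, sub-collection creation under `collection_2`) is verified only by the flash text `b"You do not have permission"`, so a handler that rejects the request after already mutating state would still pass; after each denial also assert the target is unchanged, e.g. `assert collection_2.label != "NewLabel"` (assuming the model exposes `label`), refreshing the instance first if the session does not reload it. The positive check `assert sub_collection.is_deleted` has the mirror-image weakness: it reads the Python object created earlier, so it only proves anything if the ORM refreshes it after the request. The success markers alternate between `b"Success!"` and `b"Success"` within the same block; pick one so a changed flash message cannot pass half the assertions. The enclosing test function starts outside the hunk, and `collection` and `editor` are defined in that earlier part.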
@@ -260,6 +381,156 @@ def test_moderator_access_to_entire_book(client):
 assert b"You do not have permission" not in response.data
 assert b"Success!" in response.data
+ # set local permissions
+ logout(client)
+ login(client)
+
+ collection_1, response = create_collection(client, book.id)
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+ section_1, response = create_section(client, book.id, collection_1.id)
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+ collection_2, response = create_collection(client, book.id)
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+ section_2, response = create_section(client, book.id, collection_2.id)
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+
+ json_string = json.dumps(
+ {"collection": [collection_1.id], "section": [section_1.id]}
+ )
+ response: Response = client.post(
+ "/permission/set",
+ data=dict(
+ book_id=book.id,
+ user_id=moderator.id,
+ permissions=json_string,
+ ),
+ follow_redirects=True,
+ )
+ assert b"Success!" in response.data
+ logout(client)
+ login(client, "moderator", "moderator")
+
+ #
+ #
+ #
+ #
+
+ # access to create interpretation
+ interpretation_1, response = create_interpretation(client, book.id, section_1.id)
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+
+ # access to approve interpretation
+ response: Response = client.post(
+ f"/approve/interpretation/{interpretation_1.id}",
+ follow_redirects=True,
+ )
+
+ assert response
+ assert response.json["message"] == "success"
+ assert response.json["approve"]
+ assert interpretation_1.approved
+
+ # access to delete interpretation
+ response: Response = client.post(
+ f"/book/{book.id}/{interpretation_1.id}/delete_interpretation",
+ data=dict(interpretation_id=interpretation_1.id),
+ follow_redirects=True,
+ )
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+
+ # restore interpretation
+ interpretation_1.is_deleted = False
+ interpretation_1.save()
+
+ # access to create comment
+ comment, response = create_comment(client, book.id, interpretation_1.id)
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+
+ # access to approve comment
+ response: Response = client.post(
+ f"/approve/comment/{comment.id}",
+ follow_redirects=True,
+ )
+
+ assert response
+ assert response.json["message"] == "success"
+ assert response.json["approve"]
+ assert interpretation_1.approved
+
+ # access to delete comment
+ response: Response = client.post(
+ f"/book/{book.id}/{interpretation_1.id}/comment_delete",
+ data=dict(
+ text=comment.text,
+ interpretation_1=interpretation_1.id,
+ comment_id=comment.id,
+ ),
+ follow_redirects=True,
+ )
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+
+ # access to create interpretation
+ interpretation_2, response = create_interpretation(client, book.id, section_2.id)
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+
+ # access to approve interpretation
+ response: Response = client.post(
+ f"/approve/interpretation/{interpretation_2.id}",
+ follow_redirects=True,
+ )
+ assert response
+ assert b"You do not have permission" in response.data
+ assert not interpretation_2.approved
+
+ # access to delete interpretation
+ response: Response = client.post(
+ f"/book/{book.id}/{interpretation_2.id}/delete_interpretation",
+ data=dict(interpretation_id=interpretation_2.id),
+ follow_redirects=True,
+ )
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+
+ # restore interpretation
+ interpretation_2.is_deleted = False
+ interpretation_2.save()
+
+ # access to create comment
+ comment, response = create_comment(client, book.id, interpretation_2.id)
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+
+ # access to approve comment
+ response: Response = client.post(
+ f"/approve/comment/{comment.id}",
+ follow_redirects=True,
+ )
+ assert response
+ assert b"You do not have permission" in response.data
+ assert not comment.approved
+
+ # access to delete comment
+ response: Response = client.post(
+ f"/book/{book.id}/{interpretation_2.id}/comment_delete",
+ data=dict(
+ text=comment.text,
+ interpretation_2=interpretation_2.id,
+ comment_id=comment.id,
+ ),
+ follow_redirects=True,
+ )
+ assert b"You do not have permission" not in response.data
+ assert b"Success!" in response.data
+
 def test_editor_access_tree_entire_book(client):
 login(client)
@@ -295,7 +566,6 @@ def test_set_access_level(client):
 login(client)
 book = create_book(client)
 collection_1, _ = create_collection(client, book.id)
- collection_2, _ = create_collection(client, book.id)
 editor = m.User(username="editor", password="editor").save()
 response: Response = client.post(
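Review bot: In the first `# access to approve comment` block the closing assertion is `assert interpretation_1.approved`, which was already true from the interpretation approval just above and therefore never checks the comment; it should be `assert comment.approved`, mirroring `assert not comment.approved` in the denied case later in the hunk. The two `comment_delete` payloads pass `interpretation_1=interpretation_1.id` and `interpretation_2=interpretation_2.id`, which look like copy-paste variants of one form field — if the endpoint expects a fixed name (the `delete_interpretation` calls use `interpretation_id`), these keys are ignored and the test passes without ever supplying the value, so confirm the field name against the handler. The four bare `#` lines after the moderator login are leftover scaffolding and should be dropped. Deletion of `interpretation_2` is expected to succeed although the moderator has no local grant on `section_2`; that presumably relies on the moderator being its author (the creator shortcut in `require_permission.py`), and the `# access to delete interpretation` comment should say so, e.g. `# allowed only because the moderator authored it, not via section_2 permissions`, so a later change to that shortcut is not misread as a regression here. The enclosing test_moderator_access_to_entire_book starts outside the hunk, and `book` and `moderator` come from that earlier part.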