tests

app/controllers/require_permission.py

@@ -43,7 +43,11 @@ def check_permissions(
     if type(entity) == m.Comment:
         log(log.INFO, "Entity is Comment. Replace it by entity.interpretation")
         entity = entity.interpretation
-    elif type(entity) == m.Interpretation and entity.user_id == current_user.id:
+    elif (
+        type(entity) == m.Interpretation
+        and entity.user_id == current_user.id
+        and m.Permission.Access.A not in access
+    ):
         log(log.INFO, "User [%s] is interpretation creator [%s]", current_user, entity)
         return None
 

tests/test_navigation_btns.py

@@ -10,7 +10,7 @@ from tests.utils import (
 
 
 def test_approve_interpretation(client: FlaskClient):
-    _, user = login(client)
+    login(client)
 
     book = create_book(client)
 

tests/test_permissions.py

@@ -11,10 +11,11 @@ from tests.utils import (
     create_section,
     create_interpretation,
     create_comment,
+    create_sub_collection,
 )
 
 
-def test_editor_access_to_entire_book(client):
+def test_editor_permissions_entire_and_local(client):
     login(client)
     book = create_book(client)
 
@@ -159,15 +160,135 @@ def test_editor_access_to_entire_book(client):
     assert b"You do not have permission" not in response.data
     assert b"Success!" in response.data
 
+    # set local permissions
+    logout(client)
+    login(client)
+
+    collection_1, response = create_collection(client, book.id)
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+    collection_2, response = create_collection(client, book.id)
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+
+    json_string = json.dumps({"collection": [collection_1.id]})
+    response: Response = client.post(
+        "/permission/set",
+        data=dict(
+            book_id=book.id,
+            user_id=editor.id,
+            permissions=json_string,
+        ),
+        follow_redirects=True,
+    )
+    assert b"Success!" in response.data
+    logout(client)
+
+    login(client, "editor", "editor")
+
+    # access to settings page
+    response: Response = client.get(f"/book/{book.id}/settings", follow_redirects=True)
+    assert b"You do not have permission" in response.data
+
+    # access to edit book
+    response: Response = client.post(
+        f"/book/{book.id}/edit",
+        data=dict(book_id=book.id, label="BookEdited"),
+        follow_redirects=True,
+    )
+    assert b"You do not have permission" in response.data
+
+    # dont have access to delete
+    response: Response = client.post(
+        f"/book/{book.id}/delete",
+        data=dict(book_id=book.id),
+        follow_redirects=True,
+    )
+    assert b"You do not have permission" in response.data
+
+    # access to create collection
+    _, response = create_collection(client, book.id)
+    assert b"You do not have permission" in response.data
+
+    # access to edit collection
+    response: Response = client.post(
+        f"/book/{book.id}/{collection.id}/edit",
+        data=dict(label="NewLabel"),
+        follow_redirects=True,
+    )
+    assert b"You do not have permission" in response.data
+    response: Response = client.post(
+        f"/book/{book.id}/{collection_2.id}/edit",
+        data=dict(label="NewLabel"),
+        follow_redirects=True,
+    )
+    assert b"You do not have permission" in response.data
+    response: Response = client.post(
+        f"/book/{book.id}/{collection_1.id}/edit",
+        data=dict(label="NewLabel-LocalPermission"),
+        follow_redirects=True,
+    )
+    assert b"You do not have permission" not in response.data
+    assert b"Success" in response.data
+
+    # access to create sub collection
+    _, response = create_sub_collection(client, book.id, collection_2.id)
+    assert b"You do not have permission" in response.data
+    sub_collection, response = create_sub_collection(client, book.id, collection_1.id)
+    assert b"You do not have permission" not in response.data
+    assert b"Success" in response.data
+
+    response: Response = client.post(
+        f"/book/{book.id}/{sub_collection.id}/edit",
+        data=dict(label="NewSubLabel-LocalPermission"),
+        follow_redirects=True,
+    )
+    assert b"You do not have permission" not in response.data
+    assert b"Success" in response.data
+
+    logout(client)
+    login(client)
+    json_string = json.dumps(
+        {"collection": [collection_1.id, collection_2.id, sub_collection.id]}
+    )
+    response: Response = client.post(
+        "/permission/set",
+        data=dict(
+            book_id=book.id,
+            user_id=editor.id,
+            permissions=json_string,
+        ),
+        follow_redirects=True,
+    )
+    assert b"Success!" in response.data
+    logout(client)
+    login(client, "editor", "editor")
+
+    response: Response = client.post(
+        f"/book/{book.id}/{sub_collection.id}/delete",
+        follow_redirects=True,
+    )
+    assert response.status_code == 200
+    assert b"Success!" in response.data
+    assert sub_collection.is_deleted
+
+    response: Response = client.post(
+        f"/book/{book.id}/{collection_2.id}/edit",
+        data=dict(label="NewSLabel"),
+        follow_redirects=True,
+    )
+    assert b"You do not have permission" not in response.data
+    assert b"Success" in response.data
+
 
 def test_moderator_access_to_entire_book(client):
     login(client)
     book = create_book(client)
 
-    editor = m.User(username="moderator", password="moderator").save()
+    moderator = m.User(username="moderator", password="moderator").save()
     response: Response = client.post(
         f"/book/{book.id}/add_contributor",
-        data=dict(user_id=editor.id, role=m.BookContributor.Roles.MODERATOR),
+        data=dict(user_id=moderator.id, role=m.BookContributor.Roles.MODERATOR),
         follow_redirects=True,
     )
     assert response.status_code == 200
@@ -260,6 +381,156 @@ def test_moderator_access_to_entire_book(client):
     assert b"You do not have permission" not in response.data
     assert b"Success!" in response.data
 
+    # set local permissions
+    logout(client)
+    login(client)
+
+    collection_1, response = create_collection(client, book.id)
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+    section_1, response = create_section(client, book.id, collection_1.id)
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+    collection_2, response = create_collection(client, book.id)
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+    section_2, response = create_section(client, book.id, collection_2.id)
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+
+    json_string = json.dumps(
+        {"collection": [collection_1.id], "section": [section_1.id]}
+    )
+    response: Response = client.post(
+        "/permission/set",
+        data=dict(
+            book_id=book.id,
+            user_id=moderator.id,
+            permissions=json_string,
+        ),
+        follow_redirects=True,
+    )
+    assert b"Success!" in response.data
+    logout(client)
+    login(client, "moderator", "moderator")
+
+    #
+    #
+    #
+    #
+
+    # access to create interpretation
+    interpretation_1, response = create_interpretation(client, book.id, section_1.id)
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+
+    # access to approve interpretation
+    response: Response = client.post(
+        f"/approve/interpretation/{interpretation_1.id}",
+        follow_redirects=True,
+    )
+
+    assert response
+    assert response.json["message"] == "success"
+    assert response.json["approve"]
+    assert interpretation_1.approved
+
+    # access to delete interpretation
+    response: Response = client.post(
+        f"/book/{book.id}/{interpretation_1.id}/delete_interpretation",
+        data=dict(interpretation_id=interpretation_1.id),
+        follow_redirects=True,
+    )
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+
+    # restore interpretation
+    interpretation_1.is_deleted = False
+    interpretation_1.save()
+
+    # access to create comment
+    comment, response = create_comment(client, book.id, interpretation_1.id)
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+
+    # access to approve comment
+    response: Response = client.post(
+        f"/approve/comment/{comment.id}",
+        follow_redirects=True,
+    )
+
+    assert response
+    assert response.json["message"] == "success"
+    assert response.json["approve"]
+    assert interpretation_1.approved
+
+    # access to delete comment
+    response: Response = client.post(
+        f"/book/{book.id}/{interpretation_1.id}/comment_delete",
+        data=dict(
+            text=comment.text,
+            interpretation_1=interpretation_1.id,
+            comment_id=comment.id,
+        ),
+        follow_redirects=True,
+    )
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+
+    # access to create interpretation
+    interpretation_2, response = create_interpretation(client, book.id, section_2.id)
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+
+    # access to approve interpretation
+    response: Response = client.post(
+        f"/approve/interpretation/{interpretation_2.id}",
+        follow_redirects=True,
+    )
+    assert response
+    assert b"You do not have permission" in response.data
+    assert not interpretation_2.approved
+
+    # access to delete interpretation
+    response: Response = client.post(
+        f"/book/{book.id}/{interpretation_2.id}/delete_interpretation",
+        data=dict(interpretation_id=interpretation_2.id),
+        follow_redirects=True,
+    )
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+
+    # restore interpretation
+    interpretation_2.is_deleted = False
+    interpretation_2.save()
+
+    # access to create comment
+    comment, response = create_comment(client, book.id, interpretation_2.id)
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+
+    # access to approve comment
+    response: Response = client.post(
+        f"/approve/comment/{comment.id}",
+        follow_redirects=True,
+    )
+    assert response
+    assert b"You do not have permission" in response.data
+    assert not comment.approved
+
+    # access to delete comment
+    response: Response = client.post(
+        f"/book/{book.id}/{interpretation_2.id}/comment_delete",
+        data=dict(
+            text=comment.text,
+            interpretation_2=interpretation_2.id,
+            comment_id=comment.id,
+        ),
+        follow_redirects=True,
+    )
+    assert b"You do not have permission" not in response.data
+    assert b"Success!" in response.data
+
 
 def test_editor_access_tree_entire_book(client):
     login(client)
@@ -295,7 +566,6 @@ def test_set_access_level(client):
     login(client)
     book = create_book(client)
     collection_1, _ = create_collection(client, book.id)
-    collection_2, _ = create_collection(client, book.id)
 
     editor = m.User(username="editor", password="editor").save()
     response: Response = client.post(