added test to check only privileged users can call refresh_permissions w/ burnettk

2022-12-22 17:12:21 -05:00 · 2022-12-22 17:12:21 -05:00 · 1dd32da9e4
parent bcc939d6f3
commit 1dd32da9e4
3 changed files with 92 additions and 2 deletions
--- a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/refresh_permissions.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/refresh_permissions.py
@ -8,8 +8,8 @@ from spiffworkflow_backend.scripts.script import Script
 from spiffworkflow_backend.services.authorization_service import AuthorizationService


-class RecreatePermissions(Script):
-    """RecreatePermissions."""
+class RefreshPermissions(Script):
+    """RefreshPermissions."""

    def get_description(self) -> str:
        """Get_description."""
--- a/spiffworkflow-backend/tests/data/script_refresh_permissions/refresh_permisions.bpmn
+++ b/spiffworkflow-backend/tests/data/script_refresh_permissions/refresh_permisions.bpmn
@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" id="Definitions_96f6665" targetNamespace="http://bpmn.io/schema/bpmn" exporter="Camunda Modeler" exporterVersion="3.0.0-dev">
+  <bpmn:process id="Process_02u675m" isExecutable="true">
+    <bpmn:startEvent id="StartEvent_1">
+      <bpmn:outgoing>Flow_01cweoc</bpmn:outgoing>
+    </bpmn:startEvent>
+    <bpmn:sequenceFlow id="Flow_01cweoc" sourceRef="StartEvent_1" targetRef="refresh_permission_script" />
+    <bpmn:endEvent id="Event_11584qn">
+      <bpmn:incoming>Flow_1xle2yo</bpmn:incoming>
+    </bpmn:endEvent>
+    <bpmn:sequenceFlow id="Flow_1xle2yo" sourceRef="refresh_permission_script" targetRef="Event_11584qn" />
+    <bpmn:scriptTask id="refresh_permission_script" name="Add Permission">
+      <bpmn:incoming>Flow_01cweoc</bpmn:incoming>
+      <bpmn:outgoing>Flow_1xle2yo</bpmn:outgoing>
+      <bpmn:script>refresh_permissions([])</bpmn:script>
+    </bpmn:scriptTask>
+  </bpmn:process>
+  <bpmndi:BPMNDiagram id="BPMNDiagram_1">
+    <bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="Process_02u675m">
+      <bpmndi:BPMNShape id="_BPMNShape_StartEvent_2" bpmnElement="StartEvent_1">
+        <dc:Bounds x="179" y="159" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_11584qn_di" bpmnElement="Event_11584qn">
+        <dc:Bounds x="432" y="159" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Activity_1ymj79t_di" bpmnElement="refresh_permission_script">
+        <dc:Bounds x="270" y="137" width="100" height="80" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNEdge id="Flow_01cweoc_di" bpmnElement="Flow_01cweoc">
+        <di:waypoint x="215" y="177" />
+        <di:waypoint x="270" y="177" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1xle2yo_di" bpmnElement="Flow_1xle2yo">
+        <di:waypoint x="370" y="177" />
+        <di:waypoint x="432" y="177" />
+      </bpmndi:BPMNEdge>
+    </bpmndi:BPMNPlane>
+  </bpmndi:BPMNDiagram>
+</bpmn:definitions>
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_refresh_permissions.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_refresh_permissions.py
@ -0,0 +1,51 @@
+"""Test_get_localtime."""
+from flask_bpmn.api.api_error import ApiError
+import pytest
+
+from flask.app import Flask
+from flask.testing import FlaskClient
+from tests.spiffworkflow_backend.helpers.base_test import BaseTest
+from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
+
+from spiffworkflow_backend.services.process_instance_processor import (
+    ProcessInstanceProcessor,
+)
+
+
+class TestRefreshPermissions(BaseTest):
+    """TestRefreshPermissions."""
+
+    def test_refresh_permissions_requires_elevated_permission(
+        self,
+        app: Flask,
+        client: FlaskClient,
+        with_db_and_bpmn_file_cleanup: None,
+    ) -> None:
+        """Test_refresh_permissions_requires_elevated_permission."""
+        basic_user = self.find_or_create_user("basic_user")
+        privileged_user = self.find_or_create_user("privileged_user")
+        self.add_permissions_to_user(
+            privileged_user,
+            target_uri="/can-run-privileged-script/refresh_permissions",
+            permission_names=["create"],
+        )
+        process_model = load_test_spec(
+            process_model_id="refresh_permissions",
+            process_model_source_directory="script_refresh_permissions",
+        )
+        process_instance = self.create_process_instance_from_process_model(
+            process_model=process_model, user=basic_user
+        )
+
+        processor = ProcessInstanceProcessor(process_instance)
+
+        with pytest.raises(ApiError) as exception:
+            processor.do_engine_steps(save=True)
+            assert "ScriptUnauthorizedForUserError" in str(exception)
+
+        process_instance = self.create_process_instance_from_process_model(
+            process_model=process_model, user=privileged_user
+        )
+        processor = ProcessInstanceProcessor(process_instance)
+        processor.do_engine_steps(save=True)
+        assert process_instance.status == "complete"