anoopmb
/
frappe
1
0
Fork 0
Koodi Ongelmat 0 Pull-pyynnöt 0 Julkaisut 0 Wiki Toiminta
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12938 Commitit
1 Haara
314 MiB
 
 
 
 
 
 
Puu: a93acd8579
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from 'a93acd8579'
${ noResults }
frappe/frappe/tests/test_permissions.py

327 rivejä
11 KiB
Raaka Blame Historia 

  1. # Copyright (c) 2015, Frappe Technologies Pvt. Ltd. and Contributors

  2. # MIT License. See license.txt

  3. from __future__ import unicode_literals

  4. 

  5. """Use blog post test to test user permissions logic"""

  6. 

  7. import frappe

  8. import frappe.defaults

  9. import unittest

  10. import json

  11. import frappe.model.meta

  12. from frappe.core.page.user_permissions.user_permissions import add, remove, get_permissions

  13. from frappe.permissions import clear_user_permissions_for_doctype, get_doc_permissions

  14. from frappe.core.page.permission_manager.permission_manager import update, reset

  15. 

  16. test_records = frappe.get_test_records('Blog Post')

  17. 

  18. test_dependencies = ["User", "Contact", "Salutation"]

  19. 

  20. class TestPermissions(unittest.TestCase):

  21. 	def setUp(self):

  22. 		frappe.clear_cache(doctype="Blog Post")

  23. 		frappe.clear_cache(doctype="Contact")

  24. 

  25. 		user = frappe.get_doc("User", "test1@example.com")

  26. 		user.add_roles("Website Manager")

  27. 

  28. 		user = frappe.get_doc("User", "test2@example.com")

  29. 		user.add_roles("Blogger")

  30. 

  31. 		user = frappe.get_doc("User", "test3@example.com")

  32. 		user.add_roles("Sales User")

  33. 

  34. 		reset('Blogger')

  35. 		reset('Blog Post')

  36. 		reset('Contact')

  37. 		reset('Salutation')

  38. 

  39. 		self.set_ignore_user_permissions_if_missing(0)

  40. 

  41. 		frappe.set_user("test1@example.com")

  42. 

  43. 	def tearDown(self):

  44. 		frappe.set_user("Administrator")

  45. 		frappe.db.set_value("Blogger", "_Test Blogger 1", "user", None)

  46. 

  47. 		clear_user_permissions_for_doctype("Blog Category")

  48. 		clear_user_permissions_for_doctype("Blog Post")

  49. 		clear_user_permissions_for_doctype("Blogger")

  50. 		clear_user_permissions_for_doctype("Contact")

  51. 		clear_user_permissions_for_doctype("Salutation")

  52. 

  53. 		reset('Blogger')

  54. 		reset('Blog Post')

  55. 		reset('Contact')

  56. 		reset('Salutation')

  57. 

  58. 		self.set_ignore_user_permissions_if_missing(0)

  59. 

  60. 	@staticmethod

  61. 	def set_ignore_user_permissions_if_missing(ignore):

  62. 		ss = frappe.get_doc("System Settings")

  63. 		ss.ignore_user_permissions_if_missing = ignore

  64. 		ss.flags.ignore_mandatory = 1

  65. 		ss.save()

  66. 

  67. 	@staticmethod

  68. 	def set_strict_user_permissions(ignore):

  69. 		ss = frappe.get_doc("System Settings")

  70. 		ss.apply_strict_user_permissions = ignore

  71. 		ss.flags.ignore_mandatory = 1

  72. 		ss.save()

  73. 

  74. 	def test_basic_permission(self):

  75. 		post = frappe.get_doc("Blog Post", "-test-blog-post")

  76. 		self.assertTrue(post.has_permission("read"))

  77. 

  78. 	def test_user_permissions_in_doc(self):

  79. 		self.set_user_permission_doctypes(["Blog Category"])

  80. 

  81. 		frappe.permissions.add_user_permission("Blog Category", "_Test Blog Category 1",

  82. 			"test2@example.com")

  83. 

  84. 		frappe.set_user("test2@example.com")

  85. 

  86. 		post = frappe.get_doc("Blog Post", "-test-blog-post")

  87. 		self.assertFalse(post.has_permission("read"))

  88. 		self.assertFalse(get_doc_permissions(post).get("read"))

  89. 

  90. 		post1 = frappe.get_doc("Blog Post", "-test-blog-post-1")

  91. 		self.assertTrue(post1.has_permission("read"))

  92. 		self.assertTrue(get_doc_permissions(post1).get("read"))

  93. 

  94. 	def test_user_permissions_in_report(self):

  95. 		self.set_user_permission_doctypes(["Blog Category"])

  96. 

  97. 		frappe.permissions.add_user_permission("Blog Category", "_Test Blog Category 1", "test2@example.com")

  98. 

  99. 		frappe.set_user("test2@example.com")

  100. 		names = [d.name for d in frappe.get_list("Blog Post", fields=["name", "blog_category"])]

  101. 

  102. 		self.assertTrue("-test-blog-post-1" in names)

  103. 		self.assertFalse("-test-blog-post" in names)

  104. 

  105. 	def test_default_values(self):

  106. 		frappe.permissions.add_user_permission("Blog Category", "_Test Blog Category 1", "test2@example.com")

  107. 

  108. 		frappe.set_user("test2@example.com")

  109. 		doc = frappe.new_doc("Blog Post")

  110. 		self.assertEquals(doc.get("blog_category"), "_Test Blog Category 1")

  111. 

  112. 	def test_user_link_match_doc(self):

  113. 		self.set_user_permission_doctypes(["Blogger"])

  114. 

  115. 		blogger = frappe.get_doc("Blogger", "_Test Blogger 1")

  116. 		blogger.user = "test2@example.com"

  117. 		blogger.save()

  118. 

  119. 		frappe.set_user("test2@example.com")

  120. 

  121. 		post = frappe.get_doc("Blog Post", "-test-blog-post-2")

  122. 		self.assertTrue(post.has_permission("read"))

  123. 

  124. 		post1 = frappe.get_doc("Blog Post", "-test-blog-post-1")

  125. 		self.assertFalse(post1.has_permission("read"))

  126. 

  127. 	def test_user_link_match_report(self):

  128. 		self.set_user_permission_doctypes(["Blogger"])

  129. 

  130. 		blogger = frappe.get_doc("Blogger", "_Test Blogger 1")

  131. 		blogger.user = "test2@example.com"

  132. 		blogger.save()

  133. 

  134. 		frappe.set_user("test2@example.com")

  135. 

  136. 		names = [d.name for d in frappe.get_list("Blog Post", fields=["name", "owner"])]

  137. 		self.assertTrue("-test-blog-post-2" in names)

  138. 		self.assertFalse("-test-blog-post-1" in names)

  139. 

  140. 	def test_set_user_permissions(self):

  141. 		frappe.set_user("test1@example.com")

  142. 		add("test2@example.com", "Blog Post", "-test-blog-post")

  143. 

  144. 	def test_not_allowed_to_set_user_permissions(self):

  145. 		frappe.set_user("test2@example.com")

  146. 

  147. 		# this user can't add user permissions

  148. 		self.assertRaises(frappe.PermissionError, add,

  149. 			"test2@example.com", "Blog Post", "-test-blog-post")

  150. 

  151. 	def test_read_if_explicit_user_permissions_are_set(self):

  152. 		self.set_user_permission_doctypes(["Blog Post"])

  153. 

  154. 		self.test_set_user_permissions()

  155. 

  156. 		frappe.set_user("test2@example.com")

  157. 

  158. 		# user can only access permitted blog post

  159. 		doc = frappe.get_doc("Blog Post", "-test-blog-post")

  160. 		self.assertTrue(doc.has_permission("read"))

  161. 

  162. 		# and not this one

  163. 		doc = frappe.get_doc("Blog Post", "-test-blog-post-1")

  164. 		self.assertFalse(doc.has_permission("read"))

  165. 

  166. 	def test_not_allowed_to_remove_user_permissions(self):

  167. 		self.test_set_user_permissions()

  168. 		defname = get_permissions("test2@example.com", "Blog Post", "-test-blog-post")[0].name

  169. 

  170. 		frappe.set_user("test2@example.com")

  171. 

  172. 		# user cannot remove their own user permissions

  173. 		self.assertRaises(frappe.PermissionError, remove,

  174. 			"test2@example.com", defname, "Blog Post", "-test-blog-post")

  175. 

  176. 	def test_user_permissions_based_on_blogger(self):

  177. 		frappe.set_user("test2@example.com")

  178. 		doc = frappe.get_doc("Blog Post", "-test-blog-post-1")

  179. 		self.assertTrue(doc.has_permission("read"))

  180. 

  181. 		self.set_user_permission_doctypes(["Blog Post"])

  182. 

  183. 		frappe.set_user("test1@example.com")

  184. 		add("test2@example.com", "Blog Post", "-test-blog-post")

  185. 

  186. 		frappe.set_user("test2@example.com")

  187. 		doc = frappe.get_doc("Blog Post", "-test-blog-post-1")

  188. 		self.assertFalse(doc.has_permission("read"))

  189. 

  190. 		doc = frappe.get_doc("Blog Post", "-test-blog-post")

  191. 		self.assertTrue(doc.has_permission("read"))

  192. 

  193. 	def test_set_only_once(self):

  194. 		blog_post = frappe.get_meta("Blog Post")

  195. 		blog_post.get_field("title").set_only_once = 1

  196. 		doc = frappe.get_doc("Blog Post", "-test-blog-post-1")

  197. 		doc.title = "New"

  198. 		self.assertRaises(frappe.CannotChangeConstantError, doc.save)

  199. 		blog_post.get_field("title").set_only_once = 0

  200. 

  201. 	def test_user_permission_doctypes(self):

  202. 		frappe.permissions.add_user_permission("Blog Category", "_Test Blog Category 1",

  203. 			"test2@example.com")

  204. 		frappe.permissions.add_user_permission("Blogger", "_Test Blogger 1",

  205. 			"test2@example.com")

  206. 

  207. 		frappe.set_user("test2@example.com")

  208. 

  209. 		self.set_user_permission_doctypes(["Blogger"])

  210. 

  211. 		frappe.model.meta.clear_cache("Blog Post")

  212. 

  213. 		doc = frappe.get_doc("Blog Post", "-test-blog-post")

  214. 		self.assertFalse(doc.has_permission("read"))

  215. 

  216. 		doc = frappe.get_doc("Blog Post", "-test-blog-post-2")

  217. 		self.assertTrue(doc.has_permission("read"))

  218. 

  219. 		frappe.model.meta.clear_cache("Blog Post")

  220. 

  221. 	def if_owner_setup(self):

  222. 		update('Blog Post', 'Blogger', 0, 'if_owner', 1)

  223. 

  224. 		frappe.permissions.add_user_permission("Blog Category", "_Test Blog Category 1",

  225. 			"test2@example.com")

  226. 		frappe.permissions.add_user_permission("Blogger", "_Test Blogger 1",

  227. 			"test2@example.com")

  228. 

  229. 		update('Blog Post', 'Blogger', 0, 'user_permission_doctypes', json.dumps(["Blog Category"]))

  230. 

  231. 		frappe.model.meta.clear_cache("Blog Post")

  232. 

  233. 	def set_user_permission_doctypes(self, user_permission_doctypes):

  234. 		set_user_permission_doctypes(doctype="Blog Post", role="Blogger",

  235. 			apply_user_permissions=1, user_permission_doctypes=user_permission_doctypes)

  236. 

  237. 	def test_insert_if_owner_with_user_permissions(self):

  238. 		"""If `If Owner` is checked for a Role, check if that document is allowed to be read, updated, submitted, etc. except be created, even if the document is restricted based on User Permissions."""

  239. 		self.set_user_permission_doctypes(["Blog Category"])

  240. 		self.if_owner_setup()

  241. 

  242. 		frappe.set_user("test2@example.com")

  243. 

  244. 		doc = frappe.get_doc({

  245. 			"doctype": "Blog Post",

  246. 			"blog_category": "_Test Blog Category",

  247. 			"blogger": "_Test Blogger 1",

  248. 			"title": "_Test Blog Post Title",

  249. 			"content": "_Test Blog Post Content"

  250. 		})

  251. 

  252. 		self.assertRaises(frappe.PermissionError, doc.insert)

  253. 

  254. 		frappe.set_user("Administrator")

  255. 		frappe.permissions.add_user_permission("Blog Category", "_Test Blog Category",

  256. 			"test2@example.com")

  257. 

  258. 		frappe.set_user("test2@example.com")

  259. 		doc.insert()

  260. 

  261. 		frappe.set_user("Administrator")

  262. 		frappe.permissions.remove_user_permission("Blog Category", "_Test Blog Category",

  263. 			"test2@example.com")

  264. 

  265. 		frappe.set_user("test2@example.com")

  266. 		doc = frappe.get_doc(doc.doctype, doc.name)

  267. 		self.assertTrue(doc.has_permission("read"))

  268. 		self.assertTrue(doc.has_permission("write"))

  269. 		self.assertFalse(doc.has_permission("create"))

  270. 

  271. 	def test_ignore_user_permissions_if_missing(self):

  272. 		"""If `Ignore User Permissions If Missing` is checked in System Settings, show records even if User Permissions are missing for a linked doctype"""

  273. 		self.set_user_permission_doctypes(['Blog Category', 'Blog Post', 'Blogger'])

  274. 

  275. 		frappe.set_user("Administrator")

  276. 		frappe.permissions.add_user_permission("Blog Category", "_Test Blog Category",

  277. 			"test2@example.com")

  278. 		frappe.set_user("test2@example.com")

  279. 

  280. 		doc = frappe.get_doc({

  281. 			"doctype": "Blog Post",

  282. 			"blog_category": "_Test Blog Category",

  283. 			"blogger": "_Test Blogger 1",

  284. 			"title": "_Test Blog Post Title",

  285. 			"content": "_Test Blog Post Content"

  286. 		})

  287. 

  288. 		self.assertFalse(doc.has_permission("write"))

  289. 

  290. 		frappe.set_user("Administrator")

  291. 		self.set_ignore_user_permissions_if_missing(1)

  292. 

  293. 		frappe.set_user("test2@example.com")

  294. 		self.assertTrue(doc.has_permission("write"))

  295. 

  296. 	def test_strict_user_permissions(self):

  297. 		"""If `Strict User Permissions` is checked in System Settings, show records even if User Permissions are missing for a linked doctype"""

  298. 		set_user_permission_doctypes(doctype="Contact", role="Sales User",

  299. 			apply_user_permissions=1, user_permission_doctypes=['Salutation'])

  300. 		set_user_permission_doctypes(doctype="Salutation", role="All",

  301. 			apply_user_permissions=1, user_permission_doctypes=['Salutation'])

  302. 

  303. 		frappe.set_user("Administrator")

  304. 		frappe.permissions.add_user_permission("Salutation", "Mr", "test3@example.com")

  305. 		self.set_strict_user_permissions(0)

  306. 

  307. 		frappe.set_user("test3@example.com")

  308. 		self.assertEquals(len(frappe.get_list("Contact")),2)

  309. 

  310. 		frappe.set_user("Administrator")

  311. 		self.set_strict_user_permissions(1)

  312. 

  313. 		frappe.set_user("test3@example.com")

  314. 		self.assertTrue(len(frappe.get_list("Contact")),1)

  315. 

  316. 		frappe.set_user("Administrator")

  317. 		self.set_strict_user_permissions(0)

  318. 

  319. 

  320. def set_user_permission_doctypes(doctype, role, apply_user_permissions, user_permission_doctypes):

  321. 	user_permission_doctypes = None if not user_permission_doctypes else json.dumps(user_permission_doctypes)

  322. 

  323. 	update(doctype, role, 0, 'apply_user_permissions', 1)

  324. 	update(doctype, role, 0, 'user_permission_doctypes', user_permission_doctypes)

  325. 

  326. 	frappe.clear_cache(doctype=doctype)