anoopmb
/
frappe
1
0
Креирај огранак 0
Код Дискусије 0 Захтеви за спајање 0 Издања 0 Вики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14179 Комити
1 Грана
314 MiB
 
 
 
 
 
 
Дрво: dfbff09b52
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from 'dfbff09b52'
${ noResults }
frappe/frappe/tests/test_permissions.py

374 lines
12 KiB
Датотека Blame Историја 

  1. # Copyright (c) 2015, Frappe Technologies Pvt. Ltd. and Contributors

  2. # MIT License. See license.txt

  3. from __future__ import unicode_literals

  4. 

  5. """Use blog post test to test user permissions logic"""

  6. 

  7. import frappe

  8. import frappe.defaults

  9. import unittest

  10. import json

  11. import frappe.model.meta

  12. from frappe.permissions import (add_user_permission, remove_user_permission,

  13. 	clear_user_permissions_for_doctype, get_doc_permissions, add_permission,

  14. 	get_valid_perms)

  15. from frappe.core.page.permission_manager.permission_manager import update, reset

  16. from frappe.test_runner import make_test_records_for_doctype

  17. from six import string_types

  18. 

  19. test_records = frappe.get_test_records('Blog Post')

  20. 

  21. test_dependencies = ["User", "Contact", "Salutation"]

  22. 

  23. class TestPermissions(unittest.TestCase):

  24. 	def setUp(self):

  25. 		frappe.clear_cache(doctype="Blog Post")

  26. 		frappe.clear_cache(doctype="Contact")

  27. 

  28. 		user = frappe.get_doc("User", "test1@example.com")

  29. 		user.add_roles("Website Manager")

  30. 		user.add_roles("System Manager")

  31. 

  32. 		user = frappe.get_doc("User", "test2@example.com")

  33. 		user.add_roles("Blogger")

  34. 

  35. 		user = frappe.get_doc("User", "test3@example.com")

  36. 		user.add_roles("Sales User")

  37. 

  38. 		reset('Blogger')

  39. 		reset('Blog Post')

  40. 		reset('Contact')

  41. 		reset('Salutation')

  42. 

  43. 		frappe.db.sql('delete from `tabUser Permission`')

  44. 

  45. 		self.set_ignore_user_permissions_if_missing(0)

  46. 

  47. 		frappe.set_user("test1@example.com")

  48. 

  49. 	def tearDown(self):

  50. 		frappe.set_user("Administrator")

  51. 		frappe.db.set_value("Blogger", "_Test Blogger 1", "user", None)

  52. 

  53. 		clear_user_permissions_for_doctype("Blog Category")

  54. 		clear_user_permissions_for_doctype("Blog Post")

  55. 		clear_user_permissions_for_doctype("Blogger")

  56. 		clear_user_permissions_for_doctype("Contact")

  57. 		clear_user_permissions_for_doctype("Salutation")

  58. 

  59. 		reset('Blogger')

  60. 		reset('Blog Post')

  61. 		reset('Contact')

  62. 		reset('Salutation')

  63. 

  64. 		self.set_ignore_user_permissions_if_missing(0)

  65. 

  66. 	@staticmethod

  67. 	def set_ignore_user_permissions_if_missing(ignore):

  68. 		ss = frappe.get_doc("System Settings")

  69. 		ss.ignore_user_permissions_if_missing = ignore

  70. 		ss.flags.ignore_mandatory = 1

  71. 		ss.save()

  72. 

  73. 	@staticmethod

  74. 	def set_strict_user_permissions(ignore):

  75. 		ss = frappe.get_doc("System Settings")

  76. 		ss.apply_strict_user_permissions = ignore

  77. 		ss.flags.ignore_mandatory = 1

  78. 		ss.save()

  79. 

  80. 	def test_basic_permission(self):

  81. 		post = frappe.get_doc("Blog Post", "-test-blog-post")

  82. 		self.assertTrue(post.has_permission("read"))

  83. 

  84. 	def test_user_permissions_in_doc(self):

  85. 		self.set_user_permission_doctypes(["Blog Category"])

  86. 

  87. 		add_user_permission("Blog Category", "_Test Blog Category 1",

  88. 			"test2@example.com")

  89. 

  90. 		frappe.set_user("test2@example.com")

  91. 

  92. 		post = frappe.get_doc("Blog Post", "-test-blog-post")

  93. 		self.assertFalse(post.has_permission("read"))

  94. 		self.assertFalse(get_doc_permissions(post).get("read"))

  95. 

  96. 		post1 = frappe.get_doc("Blog Post", "-test-blog-post-1")

  97. 		self.assertTrue(post1.has_permission("read"))

  98. 		self.assertTrue(get_doc_permissions(post1).get("read"))

  99. 

  100. 	def test_user_permissions_in_report(self):

  101. 		self.set_user_permission_doctypes(["Blog Category"])

  102. 

  103. 		add_user_permission("Blog Category", "_Test Blog Category 1", "test2@example.com")

  104. 

  105. 		frappe.set_user("test2@example.com")

  106. 		names = [d.name for d in frappe.get_list("Blog Post", fields=["name", "blog_category"])]

  107. 

  108. 		self.assertTrue("-test-blog-post-1" in names)

  109. 		self.assertFalse("-test-blog-post" in names)

  110. 

  111. 	def test_default_values(self):

  112. 		add_user_permission("Blog Category", "_Test Blog Category 1", "test2@example.com")

  113. 

  114. 		frappe.set_user("test2@example.com")

  115. 		doc = frappe.new_doc("Blog Post")

  116. 		self.assertEquals(doc.get("blog_category"), "_Test Blog Category 1")

  117. 

  118. 	def test_user_link_match_doc(self):

  119. 		self.set_user_permission_doctypes(["Blogger"])

  120. 

  121. 		blogger = frappe.get_doc("Blogger", "_Test Blogger 1")

  122. 		blogger.user = "test2@example.com"

  123. 		blogger.save()

  124. 

  125. 		frappe.set_user("test2@example.com")

  126. 

  127. 		post = frappe.get_doc("Blog Post", "-test-blog-post-2")

  128. 		self.assertTrue(post.has_permission("read"))

  129. 

  130. 		post1 = frappe.get_doc("Blog Post", "-test-blog-post-1")

  131. 		self.assertFalse(post1.has_permission("read"))

  132. 

  133. 	def test_user_link_match_report(self):

  134. 		self.set_user_permission_doctypes(["Blogger"])

  135. 

  136. 		blogger = frappe.get_doc("Blogger", "_Test Blogger 1")

  137. 		blogger.user = "test2@example.com"

  138. 		blogger.save()

  139. 

  140. 		frappe.set_user("test2@example.com")

  141. 

  142. 		names = [d.name for d in frappe.get_list("Blog Post", fields=["name", "owner"])]

  143. 		self.assertTrue("-test-blog-post-2" in names)

  144. 		self.assertFalse("-test-blog-post-1" in names)

  145. 

  146. 	def test_set_user_permissions(self):

  147. 		frappe.set_user("test1@example.com")

  148. 		add_user_permission("Blog Post", "-test-blog-post", "test2@example.com")

  149. 

  150. 	def test_not_allowed_to_set_user_permissions(self):

  151. 		frappe.set_user("test2@example.com")

  152. 

  153. 		# this user can't add user permissions

  154. 		self.assertRaises(frappe.PermissionError, add_user_permission,

  155. 			"Blog Post", "-test-blog-post", "test2@example.com")

  156. 

  157. 	def test_read_if_explicit_user_permissions_are_set(self):

  158. 		self.set_user_permission_doctypes(["Blog Post"])

  159. 

  160. 		self.test_set_user_permissions()

  161. 

  162. 		frappe.set_user("test2@example.com")

  163. 

  164. 		# user can only access permitted blog post

  165. 		doc = frappe.get_doc("Blog Post", "-test-blog-post")

  166. 		self.assertTrue(doc.has_permission("read"))

  167. 

  168. 		# and not this one

  169. 		doc = frappe.get_doc("Blog Post", "-test-blog-post-1")

  170. 		self.assertFalse(doc.has_permission("read"))

  171. 

  172. 	def test_not_allowed_to_remove_user_permissions(self):

  173. 		self.test_set_user_permissions()

  174. 

  175. 		frappe.set_user("test2@example.com")

  176. 

  177. 		# user cannot remove their own user permissions

  178. 		self.assertRaises(frappe.PermissionError, remove_user_permission,

  179. 			"Blog Post", "-test-blog-post", "test2@example.com")

  180. 

  181. 	def test_user_permissions_based_on_blogger(self):

  182. 		frappe.set_user("test2@example.com")

  183. 		doc = frappe.get_doc("Blog Post", "-test-blog-post-1")

  184. 		self.assertTrue(doc.has_permission("read"))

  185. 

  186. 		self.set_user_permission_doctypes(["Blog Post"])

  187. 

  188. 		frappe.set_user("test1@example.com")

  189. 		add_user_permission("Blog Post", "-test-blog-post", "test2@example.com")

  190. 

  191. 		frappe.set_user("test2@example.com")

  192. 		doc = frappe.get_doc("Blog Post", "-test-blog-post-1")

  193. 		self.assertFalse(doc.has_permission("read"))

  194. 

  195. 		doc = frappe.get_doc("Blog Post", "-test-blog-post")

  196. 		self.assertTrue(doc.has_permission("read"))

  197. 

  198. 	def test_set_only_once(self):

  199. 		blog_post = frappe.get_meta("Blog Post")

  200. 		blog_post.get_field("title").set_only_once = 1

  201. 		doc = frappe.get_doc("Blog Post", "-test-blog-post-1")

  202. 		doc.title = "New"

  203. 		self.assertRaises(frappe.CannotChangeConstantError, doc.save)

  204. 		blog_post.get_field("title").set_only_once = 0

  205. 

  206. 	def test_user_permission_doctypes(self):

  207. 		add_user_permission("Blog Category", "_Test Blog Category 1",

  208. 			"test2@example.com")

  209. 		add_user_permission("Blogger", "_Test Blogger 1",

  210. 			"test2@example.com")

  211. 

  212. 		frappe.set_user("test2@example.com")

  213. 

  214. 		self.set_user_permission_doctypes(["Blogger"])

  215. 

  216. 		frappe.model.meta.clear_cache("Blog Post")

  217. 

  218. 		doc = frappe.get_doc("Blog Post", "-test-blog-post")

  219. 		self.assertFalse(doc.has_permission("read"))

  220. 

  221. 		doc = frappe.get_doc("Blog Post", "-test-blog-post-2")

  222. 		self.assertTrue(doc.has_permission("read"))

  223. 

  224. 		frappe.model.meta.clear_cache("Blog Post")

  225. 

  226. 	def if_owner_setup(self):

  227. 		update('Blog Post', 'Blogger', 0, 'if_owner', 1)

  228. 

  229. 		add_user_permission("Blog Category", "_Test Blog Category 1",

  230. 			"test2@example.com")

  231. 		add_user_permission("Blogger", "_Test Blogger 1",

  232. 			"test2@example.com")

  233. 

  234. 		update('Blog Post', 'Blogger', 0, 'user_permission_doctypes', json.dumps(["Blog Category"]))

  235. 

  236. 		frappe.model.meta.clear_cache("Blog Post")

  237. 

  238. 	def set_user_permission_doctypes(self, user_permission_doctypes):

  239. 		set_user_permission_doctypes(["Blog Post"], role="Blogger",

  240. 			apply_user_permissions=1, user_permission_doctypes=user_permission_doctypes)

  241. 

  242. 	def test_insert_if_owner_with_user_permissions(self):

  243. 		"""If `If Owner` is checked for a Role, check if that document is allowed to be read, updated, submitted, etc. except be created, even if the document is restricted based on User Permissions."""

  244. 		frappe.delete_doc('Blog Post', '-test-blog-post-title')

  245. 

  246. 		self.set_user_permission_doctypes(["Blog Category"])

  247. 		self.if_owner_setup()

  248. 

  249. 		frappe.set_user("test2@example.com")

  250. 

  251. 		doc = frappe.get_doc({

  252. 			"doctype": "Blog Post",

  253. 			"blog_category": "_Test Blog Category",

  254. 			"blogger": "_Test Blogger 1",

  255. 			"title": "_Test Blog Post Title",

  256. 			"content": "_Test Blog Post Content"

  257. 		})

  258. 

  259. 		self.assertRaises(frappe.PermissionError, doc.insert)

  260. 

  261. 		frappe.set_user("Administrator")

  262. 		add_user_permission("Blog Category", "_Test Blog Category",

  263. 			"test2@example.com")

  264. 

  265. 		frappe.set_user("test2@example.com")

  266. 		doc.insert()

  267. 

  268. 		frappe.set_user("Administrator")

  269. 		frappe.permissions.remove_user_permission("Blog Category", "_Test Blog Category",

  270. 			"test2@example.com")

  271. 

  272. 		frappe.set_user("test2@example.com")

  273. 		doc = frappe.get_doc(doc.doctype, doc.name)

  274. 		self.assertTrue(doc.has_permission("read"))

  275. 		self.assertTrue(doc.has_permission("write"))

  276. 		self.assertFalse(doc.has_permission("create"))

  277. 

  278. 	def test_ignore_user_permissions_if_missing(self):

  279. 		"""If `Ignore User Permissions If Missing` is checked in System Settings, show records even if User Permissions are missing for a linked doctype"""

  280. 		self.set_user_permission_doctypes(['Blog Category', 'Blog Post', 'Blogger'])

  281. 

  282. 		frappe.set_user("Administrator")

  283. 		# add_user_permission("Blog Category", "_Test Blog Category",

  284. 		# 	"test2@example.com")

  285. 		frappe.set_user("test2@example.com")

  286. 

  287. 		doc = frappe.get_doc({

  288. 			"doctype": "Blog Post",

  289. 			"blog_category": "_Test Blog Category",

  290. 			"blogger": "_Test Blogger 1",

  291. 			"title": "_Test Blog Post Title",

  292. 			"content": "_Test Blog Post Content"

  293. 		})

  294. 

  295. 		self.assertFalse(doc.has_permission("write"))

  296. 

  297. 		frappe.set_user("Administrator")

  298. 		self.set_ignore_user_permissions_if_missing(1)

  299. 

  300. 		frappe.set_user("test2@example.com")

  301. 		self.assertTrue(doc.has_permission("write"))

  302. 

  303. 	def test_strict_user_permissions(self):

  304. 		"""If `Strict User Permissions` is checked in System Settings,

  305. 			show records even if User Permissions are missing for a linked

  306. 			doctype"""

  307. 

  308. 		frappe.set_user("Administrator")

  309. 		frappe.db.sql('delete from tabContact')

  310. 		make_test_records_for_doctype('Contact', force=True)

  311. 

  312. 		set_user_permission_doctypes("Contact", role="Sales User",

  313. 			apply_user_permissions=1, user_permission_doctypes=['Salutation'])

  314. 		set_user_permission_doctypes("Salutation", role="All",

  315. 			apply_user_permissions=1, user_permission_doctypes=['Salutation'])

  316. 

  317. 		add_user_permission("Salutation", "Mr", "test3@example.com")

  318. 		self.set_strict_user_permissions(0)

  319. 

  320. 		frappe.set_user("test3@example.com")

  321. 		self.assertEquals(len(frappe.get_list("Contact")), 2)

  322. 

  323. 		frappe.set_user("Administrator")

  324. 		self.set_strict_user_permissions(1)

  325. 

  326. 		frappe.set_user("test3@example.com")

  327. 		self.assertTrue(len(frappe.get_list("Contact")), 1)

  328. 

  329. 		frappe.set_user("Administrator")

  330. 		self.set_strict_user_permissions(0)

  331. 

  332. 	def test_automatic_apply_user_permissions(self):

  333. 		'''Test user permissions are automatically applied when a user permission

  334. 		is created'''

  335. 		# create a user

  336. 		frappe.get_doc(dict(doctype='User', email='test_user_perm@example.com',

  337. 			first_name='tester')).insert(ignore_if_duplicate=True)

  338. 		frappe.get_doc(dict(doctype='Role', role_name='Test Role User Perm')

  339. 			).insert(ignore_if_duplicate=True)

  340. 

  341. 		# add a permission for event

  342. 		add_permission('DocType', 'Test Role User Perm')

  343. 		frappe.get_doc('User', 'test_user_perm@example.com').add_roles('Test Role User Perm')

  344. 

  345. 

  346. 		# add user permission

  347. 		add_user_permission('Module Def', 'Core', 'test_user_perm@example.com', True)

  348. 

  349. 		# check if user permission is applied in the new role

  350. 		_perm = None

  351. 		for perm in get_valid_perms('DocType', 'test_user_perm@example.com'):

  352. 			if perm.role == 'Test Role User Perm':

  353. 				_perm = perm

  354. 

  355. 		self.assertEqual(_perm.apply_user_permissions, 1)

  356. 

  357. 		# restrict by module

  358. 		self.assertTrue('Module Def' in json.loads(_perm.user_permission_doctypes))

  359. 

  360. 

  361. def set_user_permission_doctypes(doctypes, role, apply_user_permissions,

  362. 	user_permission_doctypes):

  363. 	user_permission_doctypes = None if not user_permission_doctypes else json.dumps(user_permission_doctypes)

  364. 

  365. 	if isinstance(doctypes, string_types):

  366. 		doctypes = [doctypes]

  367. 

  368. 	for doctype in doctypes:

  369. 		update(doctype, role, 0, 'apply_user_permissions', 1)

  370. 		update(doctype, role, 0, 'user_permission_doctypes',

  371. 			user_permission_doctypes)

  372. 

  373. 		frappe.clear_cache(doctype=doctype)