Skip to content

Commit

Permalink
fix(permissions) fix for import case
Browse files Browse the repository at this point in the history
  • Loading branch information
Pierre-Narcisi committed Sep 27, 2023
1 parent abf568c commit b65d39d
Show file tree
Hide file tree
Showing 3 changed files with 38 additions and 6 deletions.
10 changes: 6 additions & 4 deletions backend/geonature/core/gn_meta/models.py
Original file line number Diff line number Diff line change
Expand Up @@ -253,10 +253,12 @@ def _get_read_scope(self, user=None):
cruved = get_scopes_by_action(id_role=user.id_role, module_code="METADATA")
return cruved["R"]

def _get_create_scope(self, module_code, user=None):
def _get_create_scope(self, module_code, user=None, object_code=None):
if user is None:
user = g.current_user
cruved = get_scopes_by_action(id_role=user.id_role, module_code=module_code)
cruved = get_scopes_by_action(
id_role=user.id_role, module_code=module_code, object_code=object_code
)
return cruved["C"]

def filter_by_scope(self, scope, user=None):
Expand Down Expand Up @@ -366,14 +368,14 @@ def filter_by_readable(self, user=None):
"""
return self.filter_by_scope(self._get_read_scope(user))

def filter_by_creatable(self, module_code, user=None):
def filter_by_creatable(self, module_code, user=None, object_code=None):
"""
Return all dataset where user have read rights minus those who user to not have
create rigth
"""
query = self.filter(TDatasets.modules.any(module_code=module_code))
scope = self._get_read_scope(user)
create_scope = self._get_create_scope(module_code, user=user)
create_scope = self._get_create_scope(module_code, user=user, object_code=object_code)
if create_scope < scope:
scope = create_scope
return query.filter_by_scope(scope)
Expand Down
9 changes: 7 additions & 2 deletions backend/geonature/core/gn_meta/routes.py
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@
from werkzeug.datastructures import Headers
from geonature.core.gn_permissions import decorators as permissions
from geonature.core.gn_permissions.tools import get_scopes_by_action
from geonature.core.gn_permissions.models import TObjects
from geonature.core.gn_meta.mtd import mtd_utils
import geonature.utils.filemanager as fm
import geonature.utils.utilsmails as mail
Expand Down Expand Up @@ -104,12 +105,16 @@ def get_datasets():
"""
params = MultiDict(request.args)
if request.is_json:
params.update(MultiDict(request.json))
params.update(request.json)
fields = params.get("fields", type=str, default=[])
if fields:
fields = fields.split(",")
if "create" in params:
query = TDatasets.query.filter_by_creatable(params.pop("create"))
create = params.pop("create").split(".")
if len(create) > 1:
query = TDatasets.query.filter_by_creatable(create[0], object_code=create[1])
else:
query = TDatasets.query.filter_by_creatable(create[0])

Check warning on line 117 in backend/geonature/core/gn_meta/routes.py

View check run for this annotation

Codecov / codecov/patch

backend/geonature/core/gn_meta/routes.py#L117

Added line #L117 was not covered by tests
else:
query = TDatasets.query.filter_by_readable()

Expand Down
25 changes: 25 additions & 0 deletions backend/geonature/tests/test_gn_meta.py
Original file line number Diff line number Diff line change
Expand Up @@ -679,6 +679,31 @@ def test_get_dataset_filter_module_code(self, users, datasets, module):
assert expected_ds.issubset(filtered_ds)
assert datasets["own_dataset"].id_dataset not in filtered_ds

def test_get_dataset_filter_create(self, users, datasets, module):
set_logged_user_cookie(self.client, users["admin_user"])

response = self.client.get(
url_for("gn_meta.get_datasets"),
json={
"module_code": module.module_code,
"create": module.module_code + ".ALL"
},
)

response_with_object = self.client.get(
url_for("gn_meta.get_datasets"),
json={
"module_code": module.module_code,
"create": module.module_code + ".ALL"
},
)

expected_ds = {datasets["with_module_1"].id_dataset}
filtered_ds = {ds["id_dataset"] for ds in response.json}
assert response.json == response_with_object.json
assert expected_ds.issubset(filtered_ds)
assert datasets["own_dataset"].id_dataset not in filtered_ds

def test_get_dataset_search(self, users, datasets, module):
set_logged_user_cookie(self.client, users["admin_user"])
ds = datasets["with_module_1"]
Expand Down

0 comments on commit b65d39d

Please sign in to comment.