Merge branch 'permission-module-querysets' into 'master'
feat(permissions): enable permissions module querysets for more roles

See merge request camac-ng/camac-ng!8784
winged committed Jul 29, 2024
2 parents 9c976ed + c9c6d25 commit f0759c5
Showing 2 changed files with 45 additions and 11 deletions.
25 changes: 18 additions & 7 deletions django/camac/applicants/tests/test_applicants.py
Expand Up @@ -48,25 +48,29 @@ def test_applicant_update(admin_client, be_instance):

@pytest.fixture
def applicant_permissions_module(permissions_settings, access_level_factory):
lvl = access_level_factory(slug="applicant", applicable_area="APPLICANT")
muni = access_level_factory(slug="municipality", applicable_area="INTERNAL")
access_level_factory(slug="applicant", applicable_area="APPLICANT")
access_level_factory(slug="municipality", applicable_area="INTERNAL")
access_level_factory(slug="distribution-service", applicable_area="INTERNAL")
access_level_factory(slug="support", applicable_area="ANY")

# Bern already does the "right" thing
mod = "camac.permissions.config.kt_bern.PermissionEventHandlerBE"

permissions_settings["EVENT_HANDLER"] = mod
permissions_settings["PERMISSION_MODE"] = PERMISSION_MODE.AUTO_ON
permissions_settings["PERMISSION_MODE"] = PERMISSION_MODE.CHECKING

permissions_settings.setdefault("ACCESS_LEVELS", {})

permissions_settings["ACCESS_LEVELS"][lvl.slug] = [
permissions_settings["ACCESS_LEVELS"]["applicant"] = [
("applicant-add", Always()),
("applicant-remove", Always()),
("applicant-read", Always()),
]
permissions_settings["ACCESS_LEVELS"][muni.slug] = [
permissions_settings["ACCESS_LEVELS"]["municipality"] = [
("applicant-read", Always()),
]
permissions_settings["ACCESS_LEVELS"]["support"] = []
permissions_settings["ACCESS_LEVELS"]["distribution-service"] = []

# return value is just for parametrization id
return "permissions_module_active"
Expand Down Expand Up @@ -110,11 +114,18 @@ def test_applicant_delete(
# TODO can we lazyfixture this?
request.getfixturevalue("applicant_permissions_module")
_sync_applicants(be_instance)
if role.name == "Municipality":

role_mapping = {
"Municipality": "municipality",
"Support": "support",
"Service": "distribution-service",
}

if role.name in role_mapping:
instance_acl_factory(
user=admin_client.user,
grant_type="USER",
access_level_id="municipality",
access_level_id=role_mapping[role.name],
instance=be_instance,
)

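Review bot: The two empty permission lists registered for `support` and `distribution-service` at the end of the `applicant_permissions_module` fixture are unexplained, although `test_applicant_delete` now grants exactly those access levels through `role_mapping`. In an authorization test, "has an ACL but no `applicant-*` permission" is the expectation that matters, and a reader cannot tell whether it is intended or a placeholder. If it is intended, a one-line comment above the two assignments would pin it down, e.g. `# ACL exists but grants no applicant-* permission: these roles must be denied`. The body of `test_applicant_delete` continues outside the hunk, so the assertions that would confirm this are not visible here.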
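--- a/django/camac/instance/mixins.py
+++ b/django/camac/instance/mixins.py
@@ -100,8 +100,23 @@ def get_base_queryset(self):
 
 return queryset.distinct()
 
+def get_base_queryset_acl(self):
+queryset = self.get_base_queryset()
+return self.permissions_manager().filter_queryset(queryset, self.instance_field)
+
 @permission_aware
 def get_queryset(self, group=None):
+# We can't do any permission switching on the `get_queryset` method as
+# @permission_aware wouldn't work anymore so we extracted the applicant
+# queryset in a separate, switched method.
+return self._get_queryset_for_applicant(group)
+
+@permission_switching_method
+def _get_queryset_for_applicant(self, group=None):
+return self.get_base_queryset_acl()
+
+@_get_queryset_for_applicant.register_old
+def _get_queryset_for_applicant_rbac(self, group=None):
 queryset = self.get_base_queryset()
 
 # A user should see dossiers which he submitted or has been invited to.
@@ -130,8 +145,7 @@ def get_queryset_for_reader(self, group=None):
 return self.get_queryset_for_municipality()
 
 def get_queryset_for_geometer(self, group=None):
-queryset = self.get_base_queryset()
-return self.permissions_manager().filter_queryset(queryset, self.instance_field)
+return self.get_base_queryset_acl()
 
 def get_queryset_for_coordination(self, group=None):
 group = self._get_group(group)
@@ -184,8 +198,7 @@ def get_queryset_for_coordination(self, group=None):
 
 @permission_switching_method
 def get_queryset_for_municipality(self, group=None):
-queryset = self.get_base_queryset()
-return self.permissions_manager().filter_queryset(queryset, self.instance_field)
+return self.get_base_queryset_acl()
 
 @get_queryset_for_municipality.register_old
 def get_queryset_for_municipality_rbac(self, group=None):
@@ -212,7 +225,12 @@ def get_queryset_for_municipality_rbac(self, group=None):
 | self.permissions_manager().get_q_object(self.instance_field)
 )
 
+@permission_switching_method
 def get_queryset_for_service(self, group=None):
+return self.get_base_queryset_acl()
+
+@get_queryset_for_service.register_old
+def get_queryset_for_service_rbac(self, group=None):
 group = self._get_group(group)
 queryset = self.get_base_queryset()
 instance_field = self._get_instance_filter_expr("pk", "in")
@@ -251,7 +269,12 @@ def get_queryset_for_trusted_service(self, group=None):
 def get_queryset_for_canton(self, group=None):
 return self.get_base_queryset()
 
+@permission_switching_method
 def get_queryset_for_support(self, group=None):
+return self.get_base_queryset_acl()
+
+@get_queryset_for_support.register_old
+def get_queryset_for_support_rbac(self, group=None):
 return self.get_base_queryset()
 
 def get_queryset_for_organization_readonly(self, group=None):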
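Review bot: `get_queryset_for_support` in the last hunk changes its visibility model, not just its plumbing: the path registered with `register_old` still returns the unfiltered `get_base_queryset()`, while the new path returns `get_base_queryset_acl()`, so a support user then sees only what `filter_queryset` lets through. That is the safer default, but it should be stated on the method, e.g. `# permissions module: support is no longer unrestricted, access must come from an ACL`, so that a support user without ACLs is read as a configuration gap rather than a regression. `get_queryset_for_canton`, visible as context in the same hunk, still returns the unfiltered base queryset on every path; if that is deliberate, a comment there would make the exception explicit. `get_base_queryset_acl` is now the single point through which the applicant, geometer, municipality, service and support querysets are filtered, so it deserves a docstring such as `"""Return the base queryset narrowed by the permissions manager's filter on instance_field."""`.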
