Merge branch '__rultor'
rultor committed Feb 20, 2019
2 parents 5057d13 + 3bf62ed commit 7efee79
Showing 3 changed files with 112 additions and 15 deletions.
105 changes: 101 additions & 4 deletions tests/integration/it_owner_privilages_test.py
@@ -4,11 +4,9 @@

from timeless.access_control.methods import Method
from timeless.access_control.owner_privileges import has_privilege
from timeless.companies.models import Company
from timeless.employees.models import Employee


def test_can_access_location(app):
assert has_privilege(method=Method.CREATE, resource="location")
from timeless.restaurants.models import Location


def test_cant_access_unknown_resource(app):
@@ -41,3 +39,102 @@ def test_can_access_own_employees(app):
registration_date=datetime.utcnow(), user_status="T",
email="[email protected]", password="bla")
assert has_privilege(method=Method.READ, resource="employee")


def test_can_manage_locations_from_same_company(app, db_session):
my_company = Company(
name="Acme Inc.", code="code1", address="addr"
)
db_session.add(my_company)
db_session.commit()
me = Employee(
first_name="Alice", last_name="Cooper",
username="alice", phone_number="1",
birth_date=datetime.utcnow(),
pin_code=7777,
account_status="on",
user_status="on",
registration_date=datetime.utcnow(),
company_id=my_company.id,
email="[email protected]", password="bla"
)
db_session.add(me)
flask.g.user = me
location = Location(
name="name",
code="123",
company_id=my_company.id,
country="US",
region="region",
city="city",
address="address",
longitude="123",
latitude="123",
type="type",
status="status"
)
db_session.add(location)
db_session.commit()
assert has_privilege(
method=Method.READ, resource="location", id=location.id
)
assert has_privilege(
method=Method.CREATE, resource="location", id=location.id
)
assert has_privilege(
method=Method.UPDATE, resource="location", id=location.id
)
assert has_privilege(
method=Method.DELETE, resource="location", id=location.id
)


def test_can_not_manage_locations_from_different_company(app, db_session):
my_company = Company(
id=1, name="Foo Inc.", code="code1", address="addr"
)
db_session.add(my_company)
me = Employee(
id=1, first_name="Bob", last_name="Cooper",
username="alice", phone_number="1",
birth_date=datetime.utcnow(),
pin_code=1111,
account_status="on",
user_status="on",
registration_date=datetime.utcnow(),
company_id=my_company.id,
email="[email protected]", password="bla"
)
db_session.add(me)
flask.g.user = me
other_company = Company(
id=2, name="Bar Inc.", code="code2", address="addr"
)
db_session.add(other_company)
location = Location(
name="name",
code="123",
company_id=other_company.id,
country="US",
region="region",
city="city",
address="address",
longitude="123",
latitude="123",
type="type",
status="status"
)
db_session.add(location)
db_session.commit()
assert not has_privilege(
method=Method.READ, resource="location", id=location.id
)
assert not has_privilege(
method=Method.CREATE, resource="location", id=location.id
)
assert not has_privilege(
method=Method.UPDATE, resource="location", id=location.id
)
assert not has_privilege(
method=Method.DELETE, resource="location", id=location.id
)
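Review bot: Both new tests call `has_privilege` for `Method.CREATE` with the `id` of a location that already exists, which is not what a create request looks like, and the one test that called it without an `id` (`test_can_access_location`) appears to be dropped in the first hunk. Nothing here covers the paths where the check has no row to compare: a missing `id`, an `id` that matches no location, or no `flask.g.user`. I would add denial cases for those, for example `assert not has_privilege(method=Method.READ, resource="location", id=location.id + 1)` after the commit in the different-company test, plus a case that leaves `flask.g.user` unset. The different-company test also reuses `username="alice"` for the employee named Bob, which is harmless but confusing.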
8 changes: 7 additions & 1 deletion tests/test_authorization.py
@@ -1,8 +1,14 @@
import pytest

from timeless.access_control.authorization import is_allowed
from timeless.access_control.methods import Method


# @todo #181:30min This test stopped working because it was not working
# according to requirements.
# Write new tests that validate 'is_allowed' according to specifications in #22
@pytest.mark.skip("fix me")
def test_owner_can_access_location():
assert (
is_allowed(method=Method.DELETE, resource="location") == True
)
)
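Review bot: The `@pytest.mark.skip("fix me")` on `test_owner_can_access_location` turns off the only test visible in this file for `is_allowed`, so that authorization entry point stays unexercised until the puzzle in the comment above it is resolved. The skip reason should say why and point at the tracking item, e.g. `@pytest.mark.skip(reason="is_allowed must follow the spec in #22; see puzzle #181")`. When the test is rewritten, a plain `assert is_allowed(...)` reads better than comparing with `== True`.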
14 changes: 4 additions & 10 deletions timeless/access_control/owner_privileges.py
@@ -1,6 +1,7 @@
import flask

from timeless.access_control.methods import Method
from timeless.restaurants.models import Location


def has_privilege(method=None, resource=None, *args, **kwargs) -> bool:
@@ -13,16 +14,9 @@ def has_privilege(method=None, resource=None, *args, **kwargs) -> bool:


def __location_access(method=None, *args, **kwargs):
"""
@todo #22:30min Implement __location_access. Owner should
Create / modify / delete Locations associated with owned Company.
Fetch owner from g.user (if it doesnt exist than fetch its id from
session. Location id can be obtained from args.
"""
permitted = False
if method in (Method.CREATE, Method.UPDATE, Method.DELETE):
permitted = True
return permitted
user_company = flask.g.get("user").company_id
location_company = Location.query.get(kwargs.get("id")).company_id
return user_company == location_company


def __employee_access(method=None, *args, **kwargs):
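Review bot: The new body of `__location_access` dereferences two lookups that can each be `None`: `flask.g.get("user")` when no user is attached to the request, and `Location.query.get(kwargs.get("id"))` when the id is absent or matches no row. Either case raises `AttributeError` instead of returning `False`, so the authorization check errors out rather than denying; the final comparison would also be `True` if both `company_id` values were `None`, assuming those columns are nullable. The `method` argument is now unused, so READ is answered the same way as the write methods, and a create request, which has no location id yet, needs its own rule (compare the target company taken from the request data). A fail-closed version is sketched below; `has_privilege` and `__employee_access` continue outside the visible hunks.

```python
def __location_access(method=None, *args, **kwargs):
    user = flask.g.get("user")
    location_id = kwargs.get("id")
    # Deny when the caller or the target cannot be identified.
    if user is None or user.company_id is None or location_id is None:
        return False
    location = Location.query.get(location_id)
    if location is None:
        return False
    return location.company_id == user.company_id
```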

2 comments on commit 7efee79


@0pdd 0pdd commented on 7efee79 Feb 20, 2019


Puzzle 22-0fe68fd2 disappeared from timeless/access_control/owner_privileges.py, that's why I closed #181. Please, remember that the puzzle was not necessarily removed in this particular commit. Maybe it happened earlier, but we discovered this fact only now.


@0pdd 0pdd commented on 7efee79 Feb 20, 2019


Puzzle 181-375c6297 discovered in tests/test_authorization.py and submitted as #329. Please, remember that the puzzle was not necessarily added in this particular commit. Maybe it was added earlier, but we discovered it only now.
