Merge pull request #245 from alphagov/permission_check_fix

Exact permissions added.
2026-02-05 10:53:28 -05:00 · 2016-03-08 17:17:18 +00:00
parent dcdc9cd412 a1c4600b29
commit aa842875fc
2 changed files with 13 additions and 1 deletions
--- a/app/notify_client/models.py
+++ b/app/notify_client/models.py
@@ -88,7 +88,7 @@ class User(UserMixin):
        if service_id in self._permissions:
            if or_:
                return any([x in self._permissions[service_id] for x in permissions])
-            return set(self._permissions[service_id]) > set(permissions)
+            return set(self._permissions[service_id]) >= set(permissions)
        return False

    @property
--- a/tests/app/main/test_utils.py
+++ b/tests/app/main/test_utils.py
@@ -58,6 +58,18 @@ def test_user_has_permissions_multiple(app_,
            response = decorated_index()


+def test_exact_permissions(app_,
+                           api_user_active,
+                           mock_login,
+                           mock_get_user_with_permissions):
+    with app_.test_request_context():
+        with app_.test_client() as client:
+            client.login(api_user_active)
+            decorator = user_has_permissions('manage_users', 'manage_templates', 'manage_settings')
+            decorated_index = decorator(index)
+            response = decorated_index()
+
+
 def test_validate_header_row():
    row = {'bad': '+44 7700 900981'}
    try: