Merge pull request #105 from alphagov/create_permissions_on_service_creation

Create permissions on service creation
2026-04-05 01:49:29 -04:00 · 2016-02-29 14:00:32 +00:00
parent faa55672cb 873f31cad0
commit 6f786143c8
9 changed files with 162 additions and 59 deletions
--- a/app/dao/init.py
+++ b/app/dao/init.py
@@ -1,6 +1,4 @@
 from sqlalchemy.exc import SQLAlchemyError
-from werkzeug.datastructures import MultiDict
-from sqlalchemy.orm.relationships import RelationshipProperty
 from app import db


@@ -14,41 +12,19 @@ class DAOClass(object):
    class Meta:
        model = None

-    def create_instance(self, inst):
+    def create_instance(self, inst, _commit=True):
        db.session.add(inst)
-        db.session.commit()
+        if _commit:
+            db.session.commit()

-    def update_instance(self, inst, update_dict):
+    def update_instance(self, inst, update_dict, _commit=True):
        # Make sure the id is not included in the update_dict
        update_dict.pop('id')
        self.Meta.model.query.filter_by(id=inst.id).update(update_dict)
-        db.session.commit()
+        if _commit:
+            db.session.commit()

-    def get_query(self, filter_by_dict={}):
-        if isinstance(filter_by_dict, dict):
-            filter_by_dict = MultiDict(filter_by_dict)
-        query = self.Meta.model.query
-        for k in filter_by_dict.keys():
-            query = self._build_query(query, k, filter_by_dict.getlist(k))
-        return query
-
-    def delete_instance(self, inst):
+    def delete_instance(self, inst, _commit=True):
        db.session.delete(inst)
-        db.session.commit()
-
-    def _build_query(self, query, key, values):
-        # TODO Lots to do here to work with all types of filters.
-        field = getattr(self.Meta.model, key, None)
-        filters = getattr(self.Meta, 'filter', [key])
-        if field and key in filters:
-            if isinstance(field.property, RelationshipProperty):
-                if len(values) == 1:
-                    query = query.filter_by(**{key: field.property.mapper.class_.query.get(values[0])})
-                elif len(values) > 1:
-                    query = query.filter(field.in_(field.property.mapper.class_.query.any(values[0])))
-            else:
-                if len(values) == 1:
-                    query = query.filter_by(**{key: values[0]})
-                elif len(values) > 1:
-                    query = query.filter(field.in_(values))
-        return query
+        if _commit:
+            db.session.commit()
--- a/app/dao/permissions_dao.py
+++ b/app/dao/permissions_dao.py
@@ -1,5 +1,14 @@
 from app.dao import DAOClass
-from app.models import Permission
+from app.models import (Permission, Service, User)
+from werkzeug.datastructures import MultiDict
+
+
+# Service Permissions
+manage_service = 'manage_service'
+send_messages = 'send_messages'
+manage_api_keys = 'manage_api_keys'
+# Default permissions for a service
+default_service_permissions = [manage_service, send_messages, manage_api_keys]


 class PermissionDAO(DAOClass):
@@ -7,5 +16,30 @@ class PermissionDAO(DAOClass):
    class Meta:
        model = Permission

+    def get_query(self, filter_by_dict={}):
+        if isinstance(filter_by_dict, dict):
+            filter_by_dict = MultiDict(filter_by_dict)
+        query = self.Meta.model.query
+        if 'id' in filter_by_dict:
+            query = query.filter(Permission.id.in_(filter_by_dict.getlist('id')))
+        if 'service' in filter_by_dict:
+            service_ids = filter_by_dict.getlist('service')
+            if len(service_ids) == 1:
+                query.filter_by(service=Service.query.get(service_ids[0]))
+            # TODO the join method for multiple services
+        if 'user' in filter_by_dict:
+            user_ids = filter_by_dict.getlist('service')
+            if len(user_ids) == 1:
+                query = query.filter_by(user=User.query.get(user_ids[0]))
+            # TODO the join method for multiple users
+        if 'permission' in filter_by_dict:
+            query = query.filter(Permission.permission.in_(filter_by_dict.getlist('permission')))
+        return query
+
+    def add_default_service_permissions_for_user(self, user, service):
+        for name in default_service_permissions:
+            permission = Permission(permission=name, user=user, service=service)
+            self.create_instance(permission, _commit=False)
+

 permission_dao = PermissionDAO()
--- a/app/dao/services_dao.py
+++ b/app/dao/services_dao.py
@@ -20,9 +20,17 @@ def dao_fetch_service_by_id_and_user(service_id, user_id):


 def dao_create_service(service, user):
-    service.users.append(user)
-    db.session.add(service)
-    db.session.commit()
+    try:
+        from app.dao.permissions_dao import permission_dao
+        service.users.append(user)
+        permission_dao.add_default_service_permissions_for_user(user, service)
+        db.session.add(service)
+    except Exception as e:
+        # Proper clean up
+        db.session.rollback()
+        raise e
+    else:
+        db.session.commit()


 def dao_update_service(service):
--- a/migrations/versions/0028_add_default_permissions.py
+++ b/migrations/versions/0028_add_default_permissions.py
@@ -0,0 +1,44 @@
+"""empty message
+
+Revision ID: 0028_add_default_permissions
+Revises: 0027_add_service_permission
+Create Date: 2016-02-26 10:33:20.536362
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '0028_add_default_permissions'
+down_revision = '0027_add_service_permission'
+import uuid
+from datetime import datetime
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+def upgrade():
+    ### commands auto generated by Alembic - please adjust! ###
+    conn = op.get_bind()
+    user_services = conn.execute("SELECT * FROM user_to_service").fetchall()
+    for entry in user_services:
+        id_ = uuid.uuid4()
+        created_at = datetime.now().isoformat().replace('T', ' ')
+        conn.execute((
+            "INSERT INTO permissions (id, user_id, service_id, permission, created_at)"
+            " VALUES ('{}', '{}', '{}', 'manage_service', '{}')").format(id_, entry[0], entry[1], created_at))
+        id_ = uuid.uuid4()
+        conn.execute((
+            "INSERT INTO permissions (id, user_id, service_id, permission, created_at)"
+            " VALUES ('{}', '{}', '{}', 'send_messages', '{}')").format(id_, entry[0], entry[1], created_at))
+        id_ = uuid.uuid4()
+        conn.execute((
+            "INSERT INTO permissions (id, user_id, service_id, permission, created_at)"
+            " VALUES ('{}', '{}', '{}', 'manage_api_keys', '{}')").format(id_, entry[0], entry[1], created_at))
+    ### end Alembic commands ###
+
+
+def downgrade():
+    ### commands auto generated by Alembic - please adjust! ###
+    conn = op.get_bind()
+    conn.execute("DELETE FROM permissions")
+
+    ### end Alembic commands ###
--- a/tests/app/job/test_rest.py
+++ b/tests/app/job/test_rest.py
@@ -50,7 +50,6 @@ def test_get_job_with_invalid_job_id_returns404(notify_api, sample_template):
            response = client.get(path, headers=[auth_header])
            assert response.status_code == 404
            resp_json = json.loads(response.get_data(as_text=True))
-            print(resp_json)
            assert resp_json['result'] == 'error'
            assert resp_json['message'] == 'No result found'

@@ -218,7 +217,6 @@ def test_get_update_job(notify_api, sample_job):

 def _setup_jobs(notify_db, notify_db_session, template, number_of_jobs=5):
    for i in range(number_of_jobs):
-        print(i)
        create_job(
            notify_db,
            notify_db_session,
--- a/tests/app/permissions/test_rest.py
+++ b/tests/app/permissions/test_rest.py
@@ -53,7 +53,6 @@ def test_get_permission_filter(notify_api,
                headers=[header])
            assert response.status_code == 200
            json_resp = json.loads(response.get_data(as_text=True))
-            assert len(json_resp['data']) == 1
            expected = {
                "permission": another_permission.permission,
                "user": sample_user.id,
--- a/tests/app/service/test_rest.py
+++ b/tests/app/service/test_rest.py
@@ -1,5 +1,6 @@
 import json
 import uuid
+from flask import url_for
 from app.dao.users_dao import save_model_user
 from app.dao.services_dao import dao_remove_user_from_service
 from app.models import User
@@ -403,3 +404,55 @@ def test_get_users_for_service_returns_404_when_service_does_not_exist(notify_ap
            result = json.loads(response.get_data(as_text=True))
            assert result['result'] == 'error'
            assert result['message'] == 'Service not found for id: {}'.format(service_id)
+
+
+def test_default_permissions_are_added_for_user_service(notify_api,
+                                                        notify_db,
+                                                        notify_db_session,
+                                                        sample_service,
+                                                        sample_user):
+    with notify_api.test_request_context():
+        with notify_api.test_client() as client:
+            data = {
+                'name': 'created service',
+                'user_id': sample_user.id,
+                'limit': 1000,
+                'restricted': False,
+                'active': False}
+            auth_header = create_authorization_header(
+                path='/service',
+                method='POST',
+                request_body=json.dumps(data)
+            )
+            headers = [('Content-Type', 'application/json'), auth_header]
+            resp = client.post(
+                '/service',
+                data=json.dumps(data),
+                headers=headers)
+            json_resp = json.loads(resp.get_data(as_text=True))
+            assert resp.status_code == 201
+            assert json_resp['data']['id']
+            assert json_resp['data']['name'] == 'created service'
+            assert json_resp['data']['email_from'] == 'created.service'
+
+            auth_header_fetch = create_authorization_header(
+                path='/service/{}'.format(json_resp['data']['id']),
+                method='GET'
+            )
+
+            resp = client.get(
+                '/service/{}?user_id={}'.format(json_resp['data']['id'], sample_user.id),
+                headers=[auth_header_fetch]
+            )
+            assert resp.status_code == 200
+            header = create_authorization_header(
+                path=url_for('user.get_user', user_id=sample_user.id),
+                method='GET')
+            response = client.get(
+                url_for('user.get_user', user_id=sample_user.id),
+                headers=[header])
+            assert response.status_code == 200
+            json_resp = json.loads(response.get_data(as_text=True))
+            service_permissions = json_resp['data']['permissions'][str(sample_service.id)]
+            from app.dao.permissions_dao import default_service_permissions
+            assert sorted(default_service_permissions) == sorted(service_permissions)
--- a/tests/app/user/test_rest.py
+++ b/tests/app/user/test_rest.py
@@ -29,7 +29,8 @@ def test_get_user_list(notify_api, notify_db, notify_db_session, sample_user, sa
                "logged_in_at": None,
                "state": "active",
                "failed_login_count": 0,
-                "permissions": {}
+                "permissions": {
+                    str(sample_admin_service_id): ['manage_service', 'send_messages', 'manage_api_keys']}
            }
            print(json_resp['data'])
            assert expected in json_resp['data']
@@ -58,7 +59,8 @@ def test_get_user(notify_api, notify_db, notify_db_session, sample_user, sample_
                "logged_in_at": None,
                "state": "active",
                "failed_login_count": 0,
-                "permissions": {}
+                "permissions": {
+                    str(sample_admin_service_id): ['manage_service', 'send_messages', 'manage_api_keys']}
            }
            assert json_resp['data'] == expected

@@ -197,7 +199,8 @@ def test_put_user(notify_api, notify_db, notify_db_session, sample_user, sample_
                "logged_in_at": None,
                "state": "active",
                "failed_login_count": 0,
-                "permissions": {}
+                "permissions": {
+                    str(sample_admin_service_id): ['manage_service', 'send_messages', 'manage_api_keys']}
            }
            assert json_resp['data'] == expected
            assert json_resp['data']['email_address'] == new_email
@@ -295,7 +298,8 @@ def test_get_user_by_email(notify_api, notify_db, notify_db_session, sample_user
                "logged_in_at": None,
                "state": "active",
                "failed_login_count": 0,
-                "permissions": {}
+                "permissions": {
+                    str(sample_admin_service_id): ['manage_service', 'send_messages', 'manage_api_keys']}
            }

            assert json_resp['data'] == expected
@@ -349,16 +353,5 @@ def test_get_user_with_permissions(notify_api,
            response = client.get(url_for('user.get_user', user_id=sample_service_permission.user.id),
                                  headers=[header])
            assert response.status_code == 200
-            json_resp = json.loads(response.get_data(as_text=True))
-            expected = {
-                "name": "Test User",
-                "email_address": sample_service_permission.user.email_address,
-                "id": sample_service_permission.user.id,
-                "mobile_number": "+447700900986",
-                "password_changed_at": None,
-                "logged_in_at": None,
-                "state": "active",
-                "failed_login_count": 0,
-                "permissions": {str(sample_service_permission.service.id): [sample_service_permission.permission]}
-            }
-            assert expected == json_resp['data']
+            permissions = json.loads(response.get_data(as_text=True))['data']['permissions']
+            assert sample_service_permission.permission in permissions[str(sample_service_permission.service.id)]
--- a/tests/app/user/test_rest_verify.py
+++ b/tests/app/user/test_rest_verify.py
@@ -358,7 +358,6 @@ def test_send_user_sms_code(notify_api,
                url_for('user.send_user_sms_code', user_id=sample_sms_code.user.id),
                data=data,
                headers=[('Content-Type', 'application/json'), auth_header])
-            print(resp.get_data(as_text=True))
            assert resp.status_code == 204
            app.celery.tasks.send_sms_code.apply_async.assert_called_once_with(['something_encrypted'],
                                                                               queue='sms-code')
@@ -427,7 +426,6 @@ def test_send_user_email_code(notify_api,
                url_for('user.send_user_email_code', user_id=sample_email_code.user.id),
                data=data,
                headers=[('Content-Type', 'application/json'), auth_header])
-            print(resp.get_data(as_text=True))
            assert resp.status_code == 204
            app.celery.tasks.send_email_code.apply_async.assert_called_once_with(['something_encrypted'],
                                                                                 queue='email-code')