Allow user folder permissions to be updated

Updated the endpoint for `.set_permissions` to update a user's folder permissions as well as permissions for a service. User folder permissions are optional for now, since Admin is not currently passing this data through.
2026-02-04 02:11:11 -05:00 · 2019-02-22 11:26:44 +00:00
parent 33166f3fb2
commit d981abf18e
4 changed files with 174 additions and 43 deletions
--- a/app/dao/service_user_dao.py
+++ b/app/dao/service_user_dao.py
@@ -0,0 +1,13 @@
+
+from app import db
+from app.dao.dao_utils import transactional
+from app.models import ServiceUser
+
+
+def dao_get_service_user(user_id, service_id):
+    return ServiceUser.query.filter_by(user_id=user_id, service_id=service_id).one()
+
+
+@transactional
+def dao_update_service_user(service_user):
+    db.session.add(service_user)
--- a/app/user/rest.py
+++ b/app/user/rest.py
@@ -24,9 +24,11 @@ from app.dao.users_dao import (
    get_user_and_accounts
 )
 from app.dao.permissions_dao import permission_dao
+from app.dao.service_user_dao import dao_get_service_user, dao_update_service_user
 from app.dao.services_dao import dao_fetch_service_by_id
 from app.dao.templates_dao import dao_get_template_by_id
-from app.models import KEY_TYPE_NORMAL, Service, SMS_TYPE, EMAIL_TYPE
+from app.dao.template_folder_dao import dao_get_template_folder_by_id_and_service_id
+from app.models import KEY_TYPE_NORMAL, Permission, Service, SMS_TYPE, EMAIL_TYPE
 from app.notifications.process_notifications import (
    persist_notification,
    send_notification_to_queue
@@ -35,7 +37,6 @@ from app.schemas import (
    email_data_request_schema,
    partial_email_data_request_schema,
    create_user_schema,
-    permission_schema,
    user_update_schema_load_json,
    user_update_password_schema_load_json
 )
@@ -48,6 +49,7 @@ from app.user.users_schema import (
    post_verify_code_schema,
    post_send_user_sms_code_schema,
    post_send_user_email_code_schema,
+    post_set_permissions_schema,
 )
 from app.schema_validation import validate

@@ -371,21 +373,29 @@ def get_user(user_id=None):
 def set_permissions(user_id, service_id):
    # TODO fix security hole, how do we verify that the user
    # who is making this request has permission to make the request.
-    user = get_user_by_id(user_id=user_id)
+    service_user = dao_get_service_user(user_id, service_id)
+    user = service_user.user
    service = dao_fetch_service_by_id(service_id=service_id)

    data = request.get_json()
-    if 'permissions' in data:
-        user_permissions = data['permissions']
-    else:
-        user_permissions = data
+    validate(data, post_set_permissions_schema)

-    permissions, errors = permission_schema.load(user_permissions, many=True)
+    permission_list = [
+        Permission(service_id=service_id, user_id=user_id, permission=p['permission'])
+        for p in data['permissions']
+    ]
+
+    permission_dao.set_user_service_permission(user, service, permission_list, _commit=True, replace=True)
+
+    if 'folder_permissions' in data:
+        folders = [
+            dao_get_template_folder_by_id_and_service_id(folder_id, service_id)
+            for folder_id in data['folder_permissions']
+        ]
+
+        service_user.folders = folders
+        dao_update_service_user(service_user)

-    for p in permissions:
-        p.user = user
-        p.service = service
-    permission_dao.set_user_service_permission(user, service, permissions, _commit=True, replace=True)
    return jsonify({}), 204


--- a/app/user/users_schema.py
+++ b/app/user/users_schema.py
@@ -40,3 +40,16 @@ post_send_user_sms_code_schema = {
    'required': [],
    'additionalProperties': False
 }
+
+
+post_set_permissions_schema = {
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "description": "POST schema for setting user permissions",
+    "type": "object",
+    "properties": {
+        "permissions": {"type": "array", "items": {"type": "object"}},
+        "folder_permissions": {"type": "array", "items": {"type": "string"}}
+    },
+    "required": ["permissions"],
+    "additionalProperties": False
+}
--- a/tests/app/user/test_rest.py
+++ b/tests/app/user/test_rest.py
@@ -16,8 +16,9 @@ from app.models import (
    EMAIL_AUTH_TYPE
 )
 from app.dao.permissions_dao import default_service_permissions
+from app.dao.service_user_dao import dao_get_service_user, dao_update_service_user
 from tests import create_authorization_header
-from tests.app.db import create_service, create_organisation, create_user
+from tests.app.db import create_service, create_template_folder, create_organisation, create_user


 def test_get_user_list(admin_request, sample_service):
@@ -357,7 +358,7 @@ def test_get_user_with_permissions(client, sample_user_service_permission):


 def test_set_user_permissions(client, sample_user, sample_service):
-    data = json.dumps([{'permission': MANAGE_SETTINGS}])
+    data = json.dumps({'permissions': [{'permission': MANAGE_SETTINGS}]})
    header = create_authorization_header()
    headers = [('Content-Type', 'application/json'), header]
    response = client.post(
@@ -376,34 +377,7 @@ def test_set_user_permissions(client, sample_user, sample_service):


 def test_set_user_permissions_multiple(client, sample_user, sample_service):
-    data = json.dumps([{'permission': MANAGE_SETTINGS}, {'permission': MANAGE_TEMPLATES}])
-    header = create_authorization_header()
-    headers = [('Content-Type', 'application/json'), header]
-    response = client.post(
-        url_for(
-            'user.set_permissions',
-            user_id=str(sample_user.id),
-            service_id=str(sample_service.id)),
-        headers=headers,
-        data=data)
-
-    assert response.status_code == 204
-    permission = Permission.query.filter_by(permission=MANAGE_SETTINGS).first()
-    assert permission.user == sample_user
-    assert permission.service == sample_service
-    assert permission.permission == MANAGE_SETTINGS
-    permission = Permission.query.filter_by(permission=MANAGE_TEMPLATES).first()
-    assert permission.user == sample_user
-    assert permission.service == sample_service
-    assert permission.permission == MANAGE_TEMPLATES
-
-
-def test_set_user_permissions_multiple_with_new_data_format(client, sample_user, sample_service):
-    permissions_data = {
-        'permissions': [{'permission': MANAGE_SETTINGS}, {'permission': MANAGE_TEMPLATES}]
-    }
-
-    data = json.dumps(permissions_data)
+    data = json.dumps({'permissions': [{'permission': MANAGE_SETTINGS}, {'permission': MANAGE_TEMPLATES}]})
    header = create_authorization_header()
    headers = [('Content-Type', 'application/json'), header]
    response = client.post(
@@ -426,7 +400,7 @@ def test_set_user_permissions_multiple_with_new_data_format(client, sample_user,


 def test_set_user_permissions_remove_old(client, sample_user, sample_service):
-    data = json.dumps([{'permission': MANAGE_SETTINGS}])
+    data = json.dumps({'permissions': [{'permission': MANAGE_SETTINGS}]})
    header = create_authorization_header()
    headers = [('Content-Type', 'application/json'), header]
    response = client.post(
@@ -443,6 +417,127 @@ def test_set_user_permissions_remove_old(client, sample_user, sample_service):
    assert query.first().permission == MANAGE_SETTINGS


+def test_set_user_folder_permissions(client, sample_user, sample_service):
+    tf1 = create_template_folder(sample_service)
+    tf2 = create_template_folder(sample_service)
+    data = json.dumps({'permissions': [], 'folder_permissions': [str(tf1.id), str(tf2.id)]})
+
+    response = client.post(
+        url_for(
+            'user.set_permissions',
+            user_id=str(sample_user.id),
+            service_id=str(sample_service.id)),
+        headers=[('Content-Type', 'application/json'), create_authorization_header()],
+        data=data)
+
+    assert response.status_code == 204
+
+    service_user = dao_get_service_user(sample_user.id, sample_service.id)
+    assert len(service_user.folders) == 2
+    assert tf1 in service_user.folders
+    assert tf2 in service_user.folders
+
+
+def test_set_user_folder_permissions_when_user_does_not_belong_to_service(client, sample_user):
+    service = create_service()
+    tf1 = create_template_folder(service)
+    tf2 = create_template_folder(service)
+
+    data = json.dumps({'permissions': [], 'folder_permissions': [str(tf1.id), str(tf2.id)]})
+
+    response = client.post(
+        url_for(
+            'user.set_permissions',
+            user_id=str(sample_user.id),
+            service_id=str(service.id)),
+        headers=[('Content-Type', 'application/json'), create_authorization_header()],
+        data=data)
+
+    assert response.status_code == 404
+
+
+def test_set_user_folder_permissions_does_not_affect_permissions_for_other_services(
+    client,
+    sample_user,
+    sample_service,
+):
+    tf1 = create_template_folder(sample_service)
+    tf2 = create_template_folder(sample_service)
+
+    service_2 = create_service(sample_user, service_name='other service')
+    tf3 = create_template_folder(service_2)
+
+    sample_service_user = dao_get_service_user(sample_user.id, sample_service.id)
+    sample_service_user.folders = [tf1]
+    dao_update_service_user(sample_service_user)
+
+    service_2_user = dao_get_service_user(sample_user.id, service_2.id)
+    service_2_user.folders = [tf3]
+    dao_update_service_user(service_2_user)
+
+    data = json.dumps({'permissions': [], 'folder_permissions': [str(tf2.id)]})
+
+    response = client.post(
+        url_for(
+            'user.set_permissions',
+            user_id=str(sample_user.id),
+            service_id=str(sample_service.id)),
+        headers=[('Content-Type', 'application/json'), create_authorization_header()],
+        data=data)
+
+    assert response.status_code == 204
+
+    assert sample_service_user.folders == [tf2]
+    assert service_2_user.folders == [tf3]
+
+
+def test_update_user_folder_permissions(client, sample_user, sample_service):
+    tf1 = create_template_folder(sample_service)
+    tf2 = create_template_folder(sample_service)
+    tf3 = create_template_folder(sample_service)
+
+    service_user = dao_get_service_user(sample_user.id, sample_service.id)
+    service_user.folders = [tf1, tf2]
+    dao_update_service_user(service_user)
+
+    data = json.dumps({'permissions': [], 'folder_permissions': [str(tf2.id), str(tf3.id)]})
+
+    response = client.post(
+        url_for(
+            'user.set_permissions',
+            user_id=str(sample_user.id),
+            service_id=str(sample_service.id)),
+        headers=[('Content-Type', 'application/json'), create_authorization_header()],
+        data=data)
+
+    assert response.status_code == 204
+    assert len(service_user.folders) == 2
+    assert tf2 in service_user.folders
+    assert tf3 in service_user.folders
+
+
+def test_remove_user_folder_permissions(client, sample_user, sample_service):
+    tf1 = create_template_folder(sample_service)
+    tf2 = create_template_folder(sample_service)
+
+    service_user = dao_get_service_user(sample_user.id, sample_service.id)
+    service_user.folders = [tf1, tf2]
+    dao_update_service_user(service_user)
+
+    data = json.dumps({'permissions': [], 'folder_permissions': []})
+
+    response = client.post(
+        url_for(
+            'user.set_permissions',
+            user_id=str(sample_user.id),
+            service_id=str(sample_service.id)),
+        headers=[('Content-Type', 'application/json'), create_authorization_header()],
+        data=data)
+
+    assert response.status_code == 204
+    assert service_user.folders == []
+
+
@freeze_time("2016-01-01 11:09:00.061258")
 def test_send_user_reset_password_should_send_reset_password_link(client,
                                                                  sample_user,