fix(permissions): make sure user permission classes call super

Fixes #1830
projectcaluma · Aug 26, 2022 · 6e1945b · 6e1945b
1 parent 64ded1f
commit 6e1945b
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 4 deletions.
diff --git a/caluma/caluma_user/permissions.py b/caluma/caluma_user/permissions.py
@@ -5,11 +5,16 @@ class IsAuthenticated(BasePermission):
     """Only allow authenticated users to execute mutations."""
 
     def has_permission(self, mutation, info):
-        return info.context.user.is_authenticated
+        return info.context.user.is_authenticated and super().has_permission(
+            mutation, info
+        )
 
 
 class CreatedByGroup(BasePermission):
     """Only allow mutating data that belongs to same group as current user."""
 
     def has_object_permission(self, mutation, info, instance):
-        return instance.created_by_group in info.context.user.groups
+        return (
+            instance.created_by_group in info.context.user.groups
+            and super().has_object_permission(mutation, info, instance)
+        )
diff --git a/caluma/caluma_user/tests/test_permissions.py b/caluma/caluma_user/tests/test_permissions.py
@@ -1,6 +1,9 @@
 import pytest
 
 from ...caluma_core.models import UUIDModel
+from ...caluma_core.mutation import Mutation
+from ...caluma_core.permissions import object_permission_for, permission_for
+from ...caluma_core.serializers import ModelSerializer
 from ...caluma_core.tests.fake_model import get_fake_model
 from .. import permissions
 
@@ -10,7 +13,9 @@
 )
 def test_is_authenticated_permission(db, info_fixture, is_authenticated, request):
     info = request.getfixturevalue(info_fixture)
-    assert permissions.IsAuthenticated().has_permission(None, info) == is_authenticated
+    assert (
+        permissions.IsAuthenticated().has_permission(Mutation, info) == is_authenticated
+    )
 
 
 @pytest.mark.parametrize(
@@ -20,6 +25,54 @@ def test_created_by_group_permission(db, admin_info, is_created_by, history_mock
     FakeModel = get_fake_model(model_base=UUIDModel)
     instance = FakeModel.objects.create(created_by_group="admin_group")
     assert (
-        permissions.CreatedByGroup().has_object_permission(None, admin_info, instance)
+        permissions.CreatedByGroup().has_object_permission(
+            Mutation, admin_info, instance
+        )
         == is_created_by
     )
+
+
+def test_is_authenticated_permission_super(db, request):
+    FakeModel = get_fake_model()
+
+    class Serializer(ModelSerializer):
+        class Meta:
+            model = FakeModel
+            fields = "__all__"
+
+    class CustomMutation(Mutation):
+        class Meta:
+            serializer_class = Serializer
+
+    class CustomPermission(permissions.IsAuthenticated):
+        @permission_for(CustomMutation)
+        def has_permission_for_custom_mutation(self, mutation, info):
+            return False
+
+    assert not CustomPermission().has_permission(
+        CustomMutation, request.getfixturevalue("admin_info")
+    )
+
+
+@pytest.mark.parametrize("admin_groups", ["admin_group"])
+def test_created_by_group_permission_super(db, admin_info, history_mock):
+    FakeModel = get_fake_model(model_base=UUIDModel)
+    instance = FakeModel.objects.create(created_by_group="admin_group")
+
+    class Serializer(ModelSerializer):
+        class Meta:
+            model = FakeModel
+            fields = "__all__"
+
+    class CustomMutation(Mutation):
+        class Meta:
+            serializer_class = Serializer
+
+    class CustomPermission(permissions.CreatedByGroup):
+        @object_permission_for(CustomMutation)
+        def has_object_permission_for_custom_mutation(self, mutation, info, instance):
+            return False
+
+    assert not CustomPermission().has_object_permission(
+        CustomMutation, admin_info, instance
+    )