From 6e1945b7a75f15b9ffefcb33173d4202523147af Mon Sep 17 00:00:00 2001
From: Jonas Metzener
Date: Fri, 26 Aug 2022 14:07:45 +0200
Subject: [PATCH] fix(permissions): make sure user permission classes call super
Fixes #1830
---
 caluma/caluma_user/permissions.py | 9 +++-
 caluma/caluma_user/tests/test_permissions.py | 57 +++++++++++++++++++-
 2 files changed, 62 insertions(+), 4 deletions(-)
diff --git a/caluma/caluma_user/permissions.py b/caluma/caluma_user/permissions.py
index b7b913292..eb7dfffb0 100644
--- a/caluma/caluma_user/permissions.py
+++ b/caluma/caluma_user/permissions.py
@@ -5,11 +5,16 @@ class IsAuthenticated(BasePermission):
 """Only allow authenticated users to execute mutations."""
 def has_permission(self, mutation, info):
- return info.context.user.is_authenticated
+ return info.context.user.is_authenticated and super().has_permission(
+ mutation, info
+ )
 class CreatedByGroup(BasePermission):
 """Only allow mutating data that belongs to same group as current user."""
 def has_object_permission(self, mutation, info, instance):
- return instance.created_by_group in info.context.user.groups
+ return (
+ instance.created_by_group in info.context.user.groups
+ and super().has_object_permission(mutation, info, instance)
+ )
diff --git a/caluma/caluma_user/tests/test_permissions.py b/caluma/caluma_user/tests/test_permissions.py
index 46174db09..ed97c8952 100644
--- a/caluma/caluma_user/tests/test_permissions.py
+++ b/caluma/caluma_user/tests/test_permissions.py
@@ -1,6 +1,9 @@
 import pytest
 from ...caluma_core.models import UUIDModel
+from ...caluma_core.mutation import Mutation
+from ...caluma_core.permissions import object_permission_for, permission_for
+from ...caluma_core.serializers import ModelSerializer
 from ...caluma_core.tests.fake_model import get_fake_model
 from .. import permissions
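Review bot: The class docstrings of `IsAuthenticated` and `CreatedByGroup` still describe only the user/group check, while both methods now AND in the `BasePermission` result, so a subclass's `@permission_for` / `@object_permission_for` handler can deny what the user check alone would allow (the new tests in test_permissions.py rely on exactly that). Extend each docstring with a sentence such as `Combined with the mutation-specific checks inherited from BasePermission; a subclass handler that returns False denies the mutation.` so the chaining is visible to anyone subclassing these classes. The evaluation order is also worth one comment, e.g. `# fail closed on the user check first; BasePermission's handlers only run for authenticated users` — the short-circuit means the inherited handlers are never consulted for unauthenticated users or non-matching groups, which is the safe direction but easy to invert in a later edit. Both class headers lie outside the hunk (the first appears only as the hunk's context hint).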
@@ -10,7 +13,9 @@ )
 def test_is_authenticated_permission(db, info_fixture, is_authenticated, request):
 info = request.getfixturevalue(info_fixture)
- assert permissions.IsAuthenticated().has_permission(None, info) == is_authenticated
+ assert (
+ permissions.IsAuthenticated().has_permission(Mutation, info) == is_authenticated
+ )
 @pytest.mark.parametrize(
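Review bot: The assert now passes the base `Mutation` class where it passed `None` before, but nothing in the test says why, and the next person adding a case may well reach for `None` again. A short comment above the assert, `# the permission now chains to BasePermission, which presumably dispatches on the mutation class, so None is no longer a valid stand-in`, would record the reason; the same applies to the `CreatedByGroup` test in the following hunk. The parametrize decorator of test_is_authenticated_permission starts before this hunk.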
@@ -20,6 +25,54 @@ def test_created_by_group_permission(db, admin_info, is_created_by, history_mock
 FakeModel = get_fake_model(model_base=UUIDModel)
 instance = FakeModel.objects.create(created_by_group="admin_group")
 assert (
- permissions.CreatedByGroup().has_object_permission(None, admin_info, instance)
+ permissions.CreatedByGroup().has_object_permission(
+ Mutation, admin_info, instance
+ )
 == is_created_by
 )
+
+ def test_is_authenticated_permission_super(db, request):
+ FakeModel = get_fake_model()
+
+ class Serializer(ModelSerializer):
+ class Meta:
+ model = FakeModel
+ fields = "__all__"
+
+ class CustomMutation(Mutation):
+ class Meta:
+ serializer_class = Serializer
+
+ class CustomPermission(permissions.IsAuthenticated):
+ @permission_for(CustomMutation)
+ def has_permission_for_custom_mutation(self, mutation, info):
+ return False
+
+ assert not CustomPermission().has_permission(
+ CustomMutation, request.getfixturevalue("admin_info")
+ )
+
+
+ @pytest.mark.parametrize("admin_groups", ["admin_group"])
+ def test_created_by_group_permission_super(db, admin_info, history_mock):
+ FakeModel = get_fake_model(model_base=UUIDModel)
+ instance = FakeModel.objects.create(created_by_group="admin_group")
+
+ class Serializer(ModelSerializer):
+ class Meta:
+ model = FakeModel
+ fields = "__all__"
+
+ class CustomMutation(Mutation):
+ class Meta:
+ serializer_class = Serializer
+
+ class CustomPermission(permissions.CreatedByGroup):
+ @object_permission_for(CustomMutation)
+ def has_object_permission_for_custom_mutation(self, mutation, info, instance):
+ return False
+
+ assert not CustomPermission().has_object_permission(
+ CustomMutation, admin_info, instance
+ )
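Review bot: `test_is_authenticated_permission_super` only proves that the subclass handler is reached if the `admin_info` user is authenticated; if that fixture ever stopped being authenticated, the first conjunct in `IsAuthenticated.has_permission` would already be False and the `assert not ...` would pass without `super()` ever running. Pin the precondition with `assert admin_info.context.user.is_authenticated` before the final assert, the way `test_created_by_group_permission_super` already does implicitly through the `admin_groups` parametrization and `created_by_group="admin_group"`. Style: the first test fetches the fixture via `request.getfixturevalue("admin_info")` while the second takes `admin_info` as a parameter; `def test_is_authenticated_permission_super(db, admin_info):` with `CustomMutation, admin_info` in the call keeps the two consistent. The `Serializer`/`CustomMutation` scaffolding is repeated verbatim in both tests and could move into a small fixture; test_created_by_group_permission's signature and decorator start before this hunk.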