studio/docs
Archived
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

♻️(models) rename document/template access rights

Browse Source 
The "member" access right does not make sense for documents and templates.
What we really need are "editor" and "reader" access rights.
This commit is contained in:
Samuel Paccoud - DINUM
2024-05-25 08:15:34 +02:00
committed by Samuel Paccoud
parent 51325df7d9
commit 926fe37e85
22 changed files with 601 additions and 265 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/backend/core/tests/documents/test_api_documents_delete.py
View File

@@ -45,14 +45,12 @@ def test_api_documents_delete_authenticated_unrelated():
assert models.Document.objects.count() == 1
@pytest.mark.parametrize("role", ["member", "administrator"])
@pytest.mark.parametrize("role", ["reader", "editor", "administrator"])
@pytest.mark.parametrize("via", VIA)
def test_api_documents_delete_authenticated_member_or_administrator(
via, role, mock_user_get_teams
):
def test_api_documents_delete_authenticated_not_owner(via, role, mock_user_get_teams):
"""
Authenticated users should not be allowed to delete a document for which they are
only a member or administrator.
only a reader, editor or administrator.
"""
user = factories.UserFactory()

93
src/backend/core/tests/documents/test_api_documents_retrieve.py
View File

@@ -161,7 +161,10 @@ def test_api_documents_retrieve_authenticated_related_team_none(mock_user_get_te
document = factories.DocumentFactory(is_public=False)
factories.TeamDocumentAccessFactory(
document=document, team="members", role="member"
document=document, team="readers", role="reader"
)
factories.TeamDocumentAccessFactory(
document=document, team="editors", role="editor"
)
factories.TeamDocumentAccessFactory(
document=document, team="administrators", role="administrator"
@@ -178,8 +181,10 @@ def test_api_documents_retrieve_authenticated_related_team_none(mock_user_get_te
@pytest.mark.parametrize(
"teams",
[
["members"],
["unknown", "members"],
["readers"],
["unknown", "readers"],
["editors"],
["unknown", "editors"],
],
)
def test_api_documents_retrieve_authenticated_related_team_members(
@@ -198,8 +203,11 @@ def test_api_documents_retrieve_authenticated_related_team_members(
document = factories.DocumentFactory(is_public=False)
access_member = factories.TeamDocumentAccessFactory(
document=document, team="members", role="member"
access_reader = factories.TeamDocumentAccessFactory(
document=document, team="readers", role="reader"
)
access_editor = factories.TeamDocumentAccessFactory(
document=document, team="editors", role="editor"
)
access_administrator = factories.TeamDocumentAccessFactory(
document=document, team="administrators", role="administrator"
@@ -222,10 +230,17 @@ def test_api_documents_retrieve_authenticated_related_team_members(
assert sorted(content.pop("accesses"), key=lambda x: x["id"]) == sorted(
[
{
"id": str(access_member.id),
"id": str(access_reader.id),
"user": None,
"team": "members",
"role": access_member.role,
"team": "readers",
"role": access_reader.role,
"abilities": expected_abilities,
},
{
"id": str(access_editor.id),
"user": None,
"team": "editors",
"role": access_editor.role,
"abilities": expected_abilities,
},
{
@@ -265,7 +280,7 @@ def test_api_documents_retrieve_authenticated_related_team_members(
"teams",
[
["administrators"],
["members", "administrators"],
["editors", "administrators"],
["unknown", "administrators"],
],
)
@@ -285,8 +300,11 @@ def test_api_documents_retrieve_authenticated_related_team_administrators(
document = factories.DocumentFactory(is_public=False)
access_member = factories.TeamDocumentAccessFactory(
document=document, team="members", role="member"
access_reader = factories.TeamDocumentAccessFactory(
document=document, team="readers", role="reader"
)
access_editor = factories.TeamDocumentAccessFactory(
document=document, team="editors", role="editor"
)
access_administrator = factories.TeamDocumentAccessFactory(
document=document, team="administrators", role="administrator"
@@ -305,14 +323,26 @@ def test_api_documents_retrieve_authenticated_related_team_administrators(
assert sorted(content.pop("accesses"), key=lambda x: x["id"]) == sorted(
[
{
"id": str(access_member.id),
"id": str(access_reader.id),
"user": None,
"team": "members",
"role": "member",
"team": "readers",
"role": "reader",
"abilities": {
"destroy": True,
"retrieve": True,
"set_role_to": ["administrator"],
"set_role_to": ["administrator", "editor"],
"update": True,
},
},
{
"id": str(access_editor.id),
"user": None,
"team": "editors",
"role": "editor",
"abilities": {
"destroy": True,
"retrieve": True,
"set_role_to": ["administrator", "reader"],
"update": True,
},
},
@@ -324,7 +354,7 @@ def test_api_documents_retrieve_authenticated_related_team_administrators(
"abilities": {
"destroy": True,
"retrieve": True,
"set_role_to": ["member"],
"set_role_to": ["editor", "reader"],
"update": True,
},
},
@@ -384,8 +414,11 @@ def test_api_documents_retrieve_authenticated_related_team_owners(
document = factories.DocumentFactory(is_public=False)
access_member = factories.TeamDocumentAccessFactory(
document=document, team="members", role="member"
access_reader = factories.TeamDocumentAccessFactory(
document=document, team="readers", role="reader"
)
access_editor = factories.TeamDocumentAccessFactory(
document=document, team="editors", role="editor"
)
access_administrator = factories.TeamDocumentAccessFactory(
document=document, team="administrators", role="administrator"
@@ -404,14 +437,26 @@ def test_api_documents_retrieve_authenticated_related_team_owners(
assert sorted(content.pop("accesses"), key=lambda x: x["id"]) == sorted(
[
{
"id": str(access_member.id),
"id": str(access_reader.id),
"user": None,
"team": "members",
"role": "member",
"team": "readers",
"role": "reader",
"abilities": {
"destroy": True,
"retrieve": True,
"set_role_to": ["owner", "administrator"],
"set_role_to": ["owner", "administrator", "editor"],
"update": True,
},
},
{
"id": str(access_editor.id),
"user": None,
"team": "editors",
"role": "editor",
"abilities": {
"destroy": True,
"retrieve": True,
"set_role_to": ["owner", "administrator", "reader"],
"update": True,
},
},
@@ -423,7 +468,7 @@ def test_api_documents_retrieve_authenticated_related_team_owners(
"abilities": {
"destroy": True,
"retrieve": True,
"set_role_to": ["owner", "member"],
"set_role_to": ["owner", "editor", "reader"],
"update": True,
},
},
@@ -436,7 +481,7 @@ def test_api_documents_retrieve_authenticated_related_team_owners(
# editable only if there is another owner role than the user's team...
"destroy": other_access.role == "owner",
"retrieve": True,
"set_role_to": ["administrator", "member"]
"set_role_to": ["administrator", "editor", "reader"]
if other_access.role == "owner"
else [],
"update": other_access.role == "owner",

14
src/backend/core/tests/documents/test_api_documents_update.py
View File

@@ -66,9 +66,9 @@ def test_api_documents_update_authenticated_unrelated():
@pytest.mark.parametrize("via", VIA)
def test_api_documents_update_authenticated_members(via, mock_user_get_teams):
def test_api_documents_update_authenticated_reader(via, mock_user_get_teams):
"""
Users who are members of a document but not administrators should
Users who are editors or reader of a document but not administrators should
not be allowed to update it.
"""
user = factories.UserFactory()
@@ -78,11 +78,11 @@ def test_api_documents_update_authenticated_members(via, mock_user_get_teams):
document = factories.DocumentFactory()
if via == USER:
factories.UserDocumentAccessFactory(document=document, user=user, role="member")
factories.UserDocumentAccessFactory(document=document, user=user, role="reader")
elif via == TEAM:
mock_user_get_teams.return_value = ["lasuite", "unknown"]
factories.TeamDocumentAccessFactory(
document=document, team="lasuite", role="member"
document=document, team="lasuite", role="reader"
)
old_document_values = serializers.DocumentSerializer(instance=document).data
@@ -106,12 +106,12 @@ def test_api_documents_update_authenticated_members(via, mock_user_get_teams):
assert document_values == old_document_values
@pytest.mark.parametrize("role", ["administrator", "owner"])
@pytest.mark.parametrize("role", ["editor", "administrator", "owner"])
@pytest.mark.parametrize("via", VIA)
def test_api_documents_update_authenticated_administrator_or_owner(
def test_api_documents_update_authenticated_editor_administrator_or_owner(
via, role, mock_user_get_teams
):
"""Administrator or owner of a document should be allowed to update it."""
"""A user who is editor, administrator or owner of a document should be allowed to update it."""
user = factories.UserFactory()
client = APIClient()