change draft registration permissions and clean-up tests
John Tordoff committed Oct 17, 2023
1 parent b032af0 commit 6995a0c
Showing 3 changed files with 42 additions and 24 deletions.
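--- a/api/nodes/permissions.py
+++ b/api/nodes/permissions.py
@@ -161,6 +161,21 @@ def has_object_permission(self, request, view, obj):
         return obj.is_admin_contributor(auth.user)
 
 
+class NodeDraftRegistrationsListPermission(permissions.BasePermission):
+    acceptable_models = (AbstractNode, DraftRegistration,)
+
+    def has_object_permission(self, request, view, obj):
+        """
+        To make changes, user must be an admin contributor. Admin group membership is not sufficient.
+        """
+        assert_resource_type(obj, self.acceptable_models)
+        auth = get_user_auth(request)
+        if request.method in permissions.SAFE_METHODS:
+            return obj.has_permission(auth.user, osf_permissions.READ)
+        else:
+            return obj.is_admin_contributor(auth.user)
+
+
 class ExcludeWithdrawals(permissions.BasePermission):
 
     def has_object_permission(self, request, view, obj):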
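Review bot: The docstring on the new `has_object_permission` documents only the write rule, while the read branch it adds (SAFE_METHODS pass for any user with READ on the object, which per the test changes now includes read-only contributors and READ-level OSF group members) is the actual behaviour change of this commit and should be stated, e.g. `"""Read (SAFE_METHODS) requires READ permission on the node or draft; changes require an admin contributor — admin group membership is not sufficient."""`. `auth.user` may be None for an anonymous GET that `IsAuthenticatedOrReadOnly` lets through, so it is worth confirming that `obj.has_permission(None, osf_permissions.READ)` returns False rather than raising; the tests keep 401 for the unauthenticated case, which suggests it is rejected earlier, but that is not visible here. The `else:` after a `return` is redundant; a plain `return obj.is_admin_contributor(auth.user)` reads cleaner.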
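--- a/api/nodes/views.py
+++ b/api/nodes/views.py
@@ -89,6 +89,7 @@
     ExcludeWithdrawals,
     NodeLinksShowIfVersion,
     ReadOnlyIfWithdrawn,
+    NodeDraftRegistrationsListPermission,
 )
 from api.nodes.serializers import (
     NodeSerializer,
@@ -622,7 +623,7 @@ class NodeDraftRegistrationsList(JSONAPIBaseView, generics.ListCreateAPIView, No
     Use DraftRegistrationsList endpoint instead.
     """
     permission_classes = (
-        IsAdminContributor,
+        NodeDraftRegistrationsListPermission,
         drf_permissions.IsAuthenticatedOrReadOnly,
         base_permissions.TokenHasScope,
     )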
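Review bot: With `IsAdminContributor` removed from this view's `permission_classes`, check whether that name is still used elsewhere in api/nodes/views.py; if not, its import becomes unused and the linter will flag it (the import block is outside the hunk, so I cannot confirm). The class docstring of `NodeDraftRegistrationsList`, which starts above the hunk, should also record that listing is now open to any READ contributor while creation stays admin-only, since this one-line swap is otherwise the only place the policy change is visible.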
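--- a/api_tests/nodes/views/test_node_draft_registration_list.py
+++ b/api_tests/nodes/views/test_node_draft_registration_list.py
@@ -138,37 +138,39 @@ def test_osf_group_with_admin_permissions_can_view(
         assert len(data) == 1
         assert schema._id in data[0]['relationships']['registration_schema']['links']['related']['href']
 
-    def test_cannot_view_draft_list(
-            self, app, user_write_contrib, project_public,
-            user_read_contrib, user_non_contrib,
-            url_draft_registrations, group, group_mem):
+    def test_read_only_contributor_can_view_draft_list(
+            self, app, project_public, user_read_contrib, user_non_contrib, url_draft_registrations
+    ):
 
-        # test_read_only_contributor_cannot_view_draft_list
-        res = app.get(
-            url_draft_registrations,
-            auth=user_read_contrib.auth,
-            expect_errors=True)
-        assert res.status_code == 403
+        res = app.get(url_draft_registrations, auth=user_read_contrib.auth, expect_errors=True)
+        assert res.status_code == 200
 
-        # test_read_write_contributor_cannot_view_draft_list
-        res = app.get(
-            url_draft_registrations,
-            auth=user_write_contrib.auth,
-            expect_errors=True)
-        assert res.status_code == 403
+    def test_read_write_contributor_can_view_draft_list(
+            self, app, user_write_contrib, project_public, user_read_contrib, user_non_contrib, url_draft_registrations
+    ):
 
-        # test_logged_in_non_contributor_cannot_view_draft_list
-        res = app.get(
-            url_draft_registrations,
-            auth=user_non_contrib.auth,
-            expect_errors=True)
+        res = app.get(url_draft_registrations, auth=user_write_contrib.auth, expect_errors=True)
+        assert res.status_code == 200
+
+    def test_logged_in_non_contributor_cannot_view_draft_list(
+            self, app, user_write_contrib, project_public, user_read_contrib, user_non_contrib, url_draft_registrations
+    ):
+
+        res = app.get(url_draft_registrations, auth=user_non_contrib.auth, expect_errors=True)
         assert res.status_code == 403
 
-        # test_unauthenticated_user_cannot_view_draft_list
+    def test_unauthenticated_user_cannot_view_draft_list(
+            self, app, user_write_contrib, project_public, user_read_contrib, user_non_contrib, url_draft_registrations
+    ):
+
         res = app.get(url_draft_registrations, expect_errors=True)
         assert res.status_code == 401
 
-        # test_osf_group_with_read_permissions
+    def test_osf_group_with_read_permissions(
+            self, app, user_write_contrib, project_public,
+            user_read_contrib, user_non_contrib, url_draft_registrations, group, group_mem
+    ):
+
         project_public.remove_osf_group(group)
         project_public.add_osf_group(group, permissions.READ)
         res = app.get(url_draft_registrations, auth=group_mem.auth, expect_errors=True)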
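Review bot: None of the rewritten tests exercises the write branch of the new permission: a read-only or read-write contributor POSTing to `url_draft_registrations` should still receive 403, and without such a case the admin-only rule for changes has no regression coverage here (unless a test below the hunk already covers it). `expect_errors=True` on the two requests asserted to return 200 (`test_read_only_contributor_can_view_draft_list` and `test_read_write_contributor_can_view_draft_list`) is misleading and can be dropped. Several of the new signatures also request fixtures they never read (`user_write_contrib`, `user_read_contrib`, `user_non_contrib` appear in tests that only use one of them), which adds per-test setup cost; trim each to the fixtures it uses.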
