Use beta-level 4 for box bulk-actions
pylipp committed Jun 25, 2024
1 parent ea5cb85 commit 4607985
Showing 2 changed files with 29 additions and 6 deletions.
8 changes: 7 additions & 1 deletion back/boxtribute_server/authz.py
Expand Up @@ -324,14 +324,20 @@ def authorize_cross_organisation_access(
}
ALL_ALLOWED_MUTATIONS[3] = ALL_ALLOWED_MUTATIONS[2]
ALL_ALLOWED_MUTATIONS[4] = ALL_ALLOWED_MUTATIONS[3] + (
"deleteBoxes",
"moveBoxesToLocation",
"assignTagToBoxes",
"unassignTagFromBoxes",
)
ALL_ALLOWED_MUTATIONS[5] = ALL_ALLOWED_MUTATIONS[4] + (
"createCustomProduct",
"editCustomProduct",
"deleteProduct",
"enableStandardProduct",
"editStandardProductInstantiation",
"disableStandardProduct",
)
ALL_ALLOWED_MUTATIONS[99] = ALL_ALLOWED_MUTATIONS[2] + (
ALL_ALLOWED_MUTATIONS[99] = ALL_ALLOWED_MUTATIONS[5] + (
# + mutations for mobile distribution pages
"createDistributionSpot",
"createDistributionEvent",
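Review bot: Renumbering the levels changes what an already-assigned scope value grants. With the new table a user whose `beta_feature_scope` is 4 is allowed `deleteBoxes`, `moveBoxesToLocation`, `assignTagToBoxes` and `unassignTagFromBoxes`, and the product mutations (`createCustomProduct` … `disableStandardProduct`) now sit under level 5; judging by the old test comment, those appear to have been level 4 before. If scope 4 has already been handed out for the product pages, those users silently gain a destructive bulk mutation and lose product access, so existing scope values should be migrated or the commit should state that none are in use. The `ALL_ALLOWED_MUTATIONS[99]` base also appears to move from level 2 to level 5, which widens scope 99 by the bulk and product mutations; a comment above that line such as `# scope 99 = every numbered level + mobile distribution` would make the intent explicit. The table starts above the hunk and the level-99 tuple continues below it.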
27 changes: 22 additions & 5 deletions back/test/unit_tests/test_authz.py
Expand Up @@ -277,6 +277,7 @@ def test_check_beta_feature_access(mocker):
"createBox",
"createShipment",
"deleteProduct",
"deleteBoxes",
"createTag",
]:
payload = f"mutation {{ {mutation} }}"
Expand All @@ -294,7 +295,7 @@ def test_check_beta_feature_access(mocker):
# User with scope 1 can additionally access BoxCreate/ScanBox pages
beta_feature_scope = 1
current_user = CurrentUser(id=1, beta_feature_scope=beta_feature_scope)
for mutation in ["createShipment", "deleteProduct", "createTag"]:
for mutation in ["createShipment", "deleteProduct", "deleteBoxes", "createTag"]:
payload = f"mutation {{ {mutation} }}"
assert not check_beta_feature_access(payload, current_user=current_user)
for mutation in ALL_ALLOWED_MUTATIONS[beta_feature_scope]:
Expand All @@ -310,7 +311,7 @@ def test_check_beta_feature_access(mocker):
# User with scope 2 can additionally access Transfers pages
beta_feature_scope = 2
current_user = CurrentUser(id=1, beta_feature_scope=beta_feature_scope)
for mutation in ["deleteProduct", "createTag"]:
for mutation in ["deleteBoxes", "deleteProduct", "createTag"]:
payload = f"mutation {{ {mutation} }}"
assert not check_beta_feature_access(payload, current_user=current_user)
for mutation in ALL_ALLOWED_MUTATIONS[beta_feature_scope]:
Expand All @@ -327,7 +328,7 @@ def test_check_beta_feature_access(mocker):
# permissions
beta_feature_scope = 50
current_user = CurrentUser(id=1, beta_feature_scope=beta_feature_scope)
for mutation in ["deleteProduct", "createTag"]:
for mutation in ["deleteBoxes", "deleteProduct", "createTag"]:
payload = f"mutation {{ {mutation} }}"
assert not check_beta_feature_access(payload, current_user=current_user)
for mutation in ALL_ALLOWED_MUTATIONS[DEFAULT_BETA_FEATURE_SCOPE]:
Expand All @@ -343,7 +344,7 @@ def test_check_beta_feature_access(mocker):
# User with scope 3 can additionally access statviz data
beta_feature_scope = 3
current_user = CurrentUser(id=1, beta_feature_scope=beta_feature_scope)
for mutation in ["createTag"]:
for mutation in ["deleteBoxes", "deleteProduct", "createTag"]:
payload = f"mutation {{ {mutation} }}"
assert not check_beta_feature_access(payload, current_user=current_user)
for mutation in ALL_ALLOWED_MUTATIONS[beta_feature_scope]:
Expand All @@ -356,9 +357,25 @@ def test_check_beta_feature_access(mocker):
"query { base(id: 1) { name } }", current_user=current_user
)

# User with scope 4 can additionally access Product pages
# User with scope 4 can additionally execute Box bulk actions
beta_feature_scope = 4
current_user = CurrentUser(id=1, beta_feature_scope=beta_feature_scope)
for mutation in ["deleteProduct", "createTag"]:
payload = f"mutation {{ {mutation} }}"
assert not check_beta_feature_access(payload, current_user=current_user)
for mutation in ALL_ALLOWED_MUTATIONS[beta_feature_scope]:
payload = f"mutation {{ {mutation} }}"
assert check_beta_feature_access(payload, current_user=current_user)
for query in statistics_queries():
payload = f"query {{ {query} }}"
assert check_beta_feature_access(payload, current_user=current_user)
assert check_beta_feature_access(
"query { base(id: 1) { name } }", current_user=current_user
)

# User with scope 5 can additionally access Product pages
beta_feature_scope = 5
current_user = CurrentUser(id=1, beta_feature_scope=beta_feature_scope)
for mutation in ["createTag"]:
payload = f"mutation {{ {mutation} }}"
assert not check_beta_feature_access(payload, current_user=current_user)
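Review bot: Only `deleteBoxes` is added to the negative lists for the scopes below 4, so nothing asserts that `moveBoxesToLocation`, `assignTagToBoxes` and `unassignTagFromBoxes` are refused there. Because this test is the regression guard for the authorization table, the denied set is better derived than hand-listed, for example `for mutation in set(ALL_ALLOWED_MUTATIONS[5]) - set(ALL_ALLOWED_MUTATIONS[beta_feature_scope]):`, with `createTag` kept as an explicit extra case. That way a mutation added to a higher level is automatically checked as denied for every lower one. The scope-5 block continues past the end of the visible hunk.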