Refactored and added tests for Org manager / units

SURFscz · Nov 15, 2023 · b5a85b9 · b5a85b9
1 parent 34a35ee
commit b5a85b9
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 13 deletions.
diff --git a/server/auth/security.py b/server/auth/security.py
@@ -41,18 +41,16 @@ def _get_impersonated_session():
     return session
 
 
-def _has_org_manager_unit_access(user_id, collaboration, org_manager_allowed=True):
-    organisation_id = collaboration.organisation_id
-    if is_organisation_admin(organisation_id):
+def has_org_manager_unit_access(user_id, collaboration, org_manager_allowed=True):
+    members = list(filter(lambda m: m.user_id == user_id, collaboration.organisation.organisation_memberships))
+    if not members:
+        return False
+    membership = members[0]
+    if membership.role == "admin":
         return True
     if not org_manager_allowed:
         return False
-    is_organisation_member = is_organisation_admin_or_manager(organisation_id)
-    if not is_organisation_member:
-        return False
     unit_allowed = True
-    membership = list(
-        filter(lambda m: m.user_id == user_id, collaboration.organisation.organisation_memberships))[0]
     if membership.units:
         unit_allowed = collaboration.is_allowed_unit_organisation_membership(membership)
     return unit_allowed
@@ -197,7 +195,7 @@ def override_func():
             collaboration = db.session.get(Collaboration, collaboration_id)
             if not collaboration:
                 return False
-            return _has_org_manager_unit_access(user_id, collaboration, org_manager_allowed=org_manager_allowed)
+            return has_org_manager_unit_access(user_id, collaboration, org_manager_allowed=org_manager_allowed)
         return True
 
     if read_only:
@@ -219,7 +217,7 @@ def override_func():
         collaboration = db.session.get(Collaboration, collaboration_id)
         if not collaboration:
             return False
-        return _has_org_manager_unit_access(user_id, collaboration)
+        return has_org_manager_unit_access(user_id, collaboration)
 
     confirm_write_access(override_func=override_func)
 

diff --git a/server/test/auth/test_security.py b/server/test/auth/test_security.py
@@ -4,10 +4,10 @@
 from server.auth.security import is_admin_user, is_application_admin, confirm_allow_impersonation, \
     confirm_write_access, \
     confirm_collaboration_admin, confirm_collaboration_member, confirm_organisation_admin, current_user_name, \
-    is_current_user_organisation_admin_or_manager
+    is_current_user_organisation_admin_or_manager, has_org_manager_unit_access
 from server.db.domain import CollaborationMembership, Collaboration, User, OrganisationMembership, Organisation
 from server.test.abstract_test import AbstractTest
-from server.test.seed import ai_computing_name, the_boss_name, uuc_name
+from server.test.seed import ai_computing_name, the_boss_name, uuc_name, monitoring_co_name
 
 
 class TestSecurity(AbstractTest):
@@ -127,3 +127,16 @@ def test_has_access_to_co_units(self):
             session["user"] = {"uid": "urn:paul", "id": paul.id, "admin": False}
 
             self.assertRaises(Forbidden, lambda: confirm_collaboration_admin(collaboration.id))
+
+    def test_has_org_manager_unit_access(self):
+        with self.app.app_context() as context:
+            org_manager = self.find_entity_by_name(User, "Harry Doe")
+            context.g.is_authorized_api_call = False
+            session["user"] = {"uid": "urn:paul", "id": org_manager.id, "admin": False}
+
+            collaboration = self.find_entity_by_name(Collaboration, monitoring_co_name)
+            self.assertFalse(has_org_manager_unit_access(org_manager.id, collaboration))
+
+            collaboration = self.find_entity_by_name(Collaboration, ai_computing_name)
+            self.assertTrue(has_org_manager_unit_access(org_manager.id, collaboration))
+            self.assertFalse(has_org_manager_unit_access(org_manager.id, collaboration, org_manager_allowed=False))
diff --git a/server/test/seed.py b/server/test/seed.py
@@ -60,6 +60,8 @@
 uuc_unit_research_name = "Research"
 uuc_unit_support_name = "Support"
 
+monitoring_co_name = "Monitoring CO numero 1"
+
 uva_secret = generate_token()
 uva_hashed_secret = secure_hash(uva_secret)
 
@@ -541,7 +543,7 @@ def seed(db, app_config, skip_seed=False, perf_test=False):
                                  short_name="uuc_teachers_short_name",
                                  accepted_user_policy="https://www.uuc.nl/teachers")
 
-    monitoring_co_1 = Collaboration(name="Monitoring CO numero 1",
+    monitoring_co_1 = Collaboration(name=monitoring_co_name,
                                     identifier="37d55167-23e4-4099-ae20-4f3d8d284b14",
                                     uuid4="b85e2ae6-05f3-4c27-9078-e11a420bdc08",
                                     global_urn="ucc:monitoring1",