From 827d1b61328a9a0270cce182769170f2424dca22 Mon Sep 17 00:00:00 2001
From: Alejandro Alonso
Date: Mon, 23 May 2016 13:22:45 +0200
Subject: [PATCH] Fixing timeline permissions for admin and superusers
---
 taiga/timeline/service.py | 14 +++++++++---
 tests/integration/test_timeline.py | 34 ++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/taiga/timeline/service.py b/taiga/timeline/service.py
index 12f7f29e..11517542 100644
--- a/taiga/timeline/service.py
+++ b/taiga/timeline/service.py
@@ -128,6 +128,10 @@ def get_timeline(obj, namespace=None):
 def filter_timeline_for_user(timeline, user):
+ # Superusers can see everything
+ if user.is_superuser:
+ return timeline
+
 # Filtering entities from public projects or entities without project
 tl_filter = Q(project__is_private=False) | Q(project=None)
@@ -156,9 +160,13 @@ def filter_timeline_for_user(timeline, user):
 # Filtering private projects where user is member
 if not user.is_anonymous():
 for membership in user.cached_memberships:
- data_content_types = list(filter(None, [content_types.get(a, None) for a in membership.role.permissions]))
- data_content_types.append(membership_content_type)
- tl_filter |= Q(project=membership.project, data_content_type__in=data_content_types)
+ # Admin roles can see everything in a project
+ if membership.is_admin:
+ tl_filter |= Q(project=membership.project)
+ else:
+ data_content_types = list(filter(None, [content_types.get(a, None) for a in membership.role.permissions]))
+ data_content_types.append(membership_content_type)
+ tl_filter |= Q(project=membership.project, data_content_type__in=data_content_types)
 timeline = timeline.filter(tl_filter)
 return timeline
diff --git a/tests/integration/test_timeline.py b/tests/integration/test_timeline.py
index 81912fdb..8c8e0182 100644
--- a/tests/integration/test_timeline.py
+++ b/tests/integration/test_timeline.py
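Review bot: The superuser shortcut at the top of `filter_timeline_for_user` returns the queryset before anything else in the function runs, so whatever the body does between this hunk and the next one (not visible here) is skipped along with the permission filter. It also reads `user.is_superuser` ahead of the `user.is_anonymous()` guard further down, which is safe only while every user object passed in, including the anonymous one, exposes that attribute as false by default. Since this is now the one place where all private-project entries are released, I would state it in a docstring, e.g. `"""Restrict timeline to entries user may see; superusers get it unfiltered."""`. The function body continues outside the hunk.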
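Review bot: In the `membership.is_admin` branch, `tl_filter |= Q(project=membership.project)` carries no `data_content_type__in` restriction, so an admin membership now exposes every timeline entry of that project, including content types that have no entry in `content_types`. The decision is taken from `user.cached_memberships`; if that cache can outlive a change to `is_admin`, a demoted admin would presumably keep the wider view until it is refreshed, which is worth confirming. I would make the comment say what is being bypassed: `# Admin memberships bypass the per-role content-type filter for their project`. The loop sits inside a function that starts outside this hunk.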
@@ -130,6 +130,40 @@ def test_filter_timeline_private_project_member_permissions():
 assert timeline.count() == 3
+def test_filter_timeline_private_project_member_admin():
+ Timeline.objects.all().delete()
+ user1 = factories.UserFactory()
+ user2 = factories.UserFactory()
+ project = factories.ProjectFactory.create(is_private=True)
+ membership = factories.MembershipFactory.create(user=user2, project=project, is_admin=True)
+ task1= factories.TaskFactory()
+ task2= factories.TaskFactory.create(project=project)
+
+ service.register_timeline_implementation("tasks.task", "test", lambda x, extra_data=None: str(id(x)))
+ service._add_to_object_timeline(user1, task1, "test", task1.created_date)
+ service._add_to_object_timeline(user1, task2, "test", task2.created_date)
+ timeline = Timeline.objects.exclude(event_type="users.user.create")
+ timeline = service.filter_timeline_for_user(timeline, user2)
+ assert timeline.count() == 3
+
+
+def test_filter_timeline_private_project_member_superuser():
+ Timeline.objects.all().delete()
+ user1 = factories.UserFactory()
+ user2 = factories.UserFactory(is_superuser=True)
+ project = factories.ProjectFactory.create(is_private=True)
+
+ task1= factories.TaskFactory()
+ task2= factories.TaskFactory.create(project=project)
+
+ service.register_timeline_implementation("tasks.task", "test", lambda x, extra_data=None: str(id(x)))
+ service._add_to_object_timeline(user1, task1, "test", task1.created_date)
+ service._add_to_object_timeline(user1, task2, "test", task2.created_date)
+ timeline = Timeline.objects.exclude(event_type="users.user.create")
+ timeline = service.filter_timeline_for_user(timeline, user2)
+ assert timeline.count() == 2
+
+
 def test_create_project_timeline():
 project = factories.ProjectFactory.create(name="test project timeline")
 history_services.take_snapshot(project, user=project.owner)
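Review bot: `test_filter_timeline_private_project_member_admin` does not isolate the admin branch: the membership's role comes from the factory with whatever permissions it has by default, so if those already cover tasks the test would pass without the service change. Both new tests assert only `timeline.count()`, and the expected 3 in the admin test is one more than the two entries added explicitly, presumably an entry created as a side effect of the membership, so a count can match for the wrong reason. I would give the membership a role with no permissions and assert that the entry for `task2` is in the filtered result. A negative case is also missing: an admin of one private project should still not see entries from a different private project.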