taiga
/
taiga-back
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fixing timeline permissions for admin and superusers

remotes/origin/issue/4795/notification_even_they_are_disabled
Alejandro Alonso 2016-05-23 13:22:45 +02:00 committed by David Barragán Merino
parent aee1ee13d6
commit 827d1b6132
2 changed files with 45 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
taiga/timeline/service.py
View File

@ -128,6 +128,10 @@ def get_timeline(obj, namespace=None):
def filter_timeline_for_user(timeline, user): def filter_timeline_for_user(timeline, user):
# Superusers can see everything
if user.is_superuser:
return timeline
# Filtering entities from public projects or entities without project # Filtering entities from public projects or entities without project
tl_filter = Q(project__is_private=False) | Q(project=None) tl_filter = Q(project__is_private=False) | Q(project=None)
@ -156,6 +160,10 @@ def filter_timeline_for_user(timeline, user):
# Filtering private projects where user is member # Filtering private projects where user is member
if not user.is_anonymous(): if not user.is_anonymous():
for membership in user.cached_memberships: for membership in user.cached_memberships:
# Admin roles can see everything in a project
if membership.is_admin:
tl_filter |= Q(project=membership.project)
else:
data_content_types = list(filter(None, [content_types.get(a, None) for a in membership.role.permissions])) data_content_types = list(filter(None, [content_types.get(a, None) for a in membership.role.permissions]))
data_content_types.append(membership_content_type) data_content_types.append(membership_content_type)
tl_filter |= Q(project=membership.project, data_content_type__in=data_content_types) tl_filter |= Q(project=membership.project, data_content_type__in=data_content_types)

34
tests/integration/test_timeline.py
View File

@ -130,6 +130,40 @@ def test_filter_timeline_private_project_member_permissions():
assert timeline.count() == 3 assert timeline.count() == 3
def test_filter_timeline_private_project_member_admin():
Timeline.objects.all().delete()
user1 = factories.UserFactory()
user2 = factories.UserFactory()
project = factories.ProjectFactory.create(is_private=True)
membership = factories.MembershipFactory.create(user=user2, project=project, is_admin=True)
task1= factories.TaskFactory()
task2= factories.TaskFactory.create(project=project)
service.register_timeline_implementation("tasks.task", "test", lambda x, extra_data=None: str(id(x)))
service._add_to_object_timeline(user1, task1, "test", task1.created_date)
service._add_to_object_timeline(user1, task2, "test", task2.created_date)
timeline = Timeline.objects.exclude(event_type="users.user.create")
timeline = service.filter_timeline_for_user(timeline, user2)
assert timeline.count() == 3
def test_filter_timeline_private_project_member_superuser():
Timeline.objects.all().delete()
user1 = factories.UserFactory()
user2 = factories.UserFactory(is_superuser=True)
project = factories.ProjectFactory.create(is_private=True)
task1= factories.TaskFactory()
task2= factories.TaskFactory.create(project=project)
service.register_timeline_implementation("tasks.task", "test", lambda x, extra_data=None: str(id(x)))
service._add_to_object_timeline(user1, task1, "test", task1.created_date)
service._add_to_object_timeline(user1, task2, "test", task2.created_date)
timeline = Timeline.objects.exclude(event_type="users.user.create")
timeline = service.filter_timeline_for_user(timeline, user2)
assert timeline.count() == 2
def test_create_project_timeline(): def test_create_project_timeline():
project = factories.ProjectFactory.create(name="test project timeline") project = factories.ProjectFactory.create(name="test project timeline")
history_services.take_snapshot(project, user=project.owner) history_services.take_snapshot(project, user=project.owner)