fix(settings): AppSettings requires super user perms

ref: #855 #834
2025-07-06 20:49:23 +09:30
parent c54de5c627
commit baabf84234
2 changed files with 131 additions and 0 deletions
--- a/app/access/mixins/permissions.py
+++ b/app/access/mixins/permissions.py
@ -290,6 +290,11 @@ class OrganizationPermissionMixin(
                    view.model.__name__ == 'AuthToken'
                    and request._user.id == int(view.kwargs.get('model_id', 0))
                )
+                or (    # org=None is the application wide settings.
+                    view.model.__name__ == 'AppSettings'
+                    and request.user.is_superuser
+                    and obj.organization is None
+                )
            ):

                return True
--- a/app/settings/tests/functional/additional_appsettings_permissions_api.py
+++ b/app/settings/tests/functional/additional_appsettings_permissions_api.py
@ -1,5 +1,7 @@
 import pytest

+from django.test import Client
+


 class AdditionalTestCases:
@ -33,6 +35,130 @@ class AdditionalTestCases:



+    def test_permission_change(self, model_instance, api_request_permissions):
+        """ Check correct permission for change
+
+        Make change with user who has change permission
+        """
+
+        client = Client()
+
+        client.force_login( api_request_permissions['user']['change'] )
+
+        change_item = model_instance(
+            kwargs_create = {
+                'organization': api_request_permissions['tenancy']['user']
+            },
+        )
+
+        response = client.patch(
+            path = change_item.get_url( many = False ),
+            data = self.change_data,
+            content_type = 'application/json'
+        )
+
+        if response.status_code == 405:
+            pytest.xfail( reason = 'ViewSet does not have this request method.' )
+
+        assert response.status_code == 403, response.content
+
+
+
+    def test_permission_change_super_user_only(self, model_instance, api_request_permissions):
+        """ Check correct permission for change
+
+        Make change with user who has change permission
+        """
+
+        client = Client()
+
+        api_request_permissions['user']['change'].is_superuser = True
+        api_request_permissions['user']['change'].save()
+
+        client.force_login( api_request_permissions['user']['change'] )
+
+        change_item = model_instance(
+            kwargs_create = {
+                'organization': api_request_permissions['tenancy']['user']
+            },
+        )
+
+        response = client.patch(
+            path = change_item.get_url( many = False ),
+            data = self.change_data,
+            content_type = 'application/json'
+        )
+
+        api_request_permissions['user']['change'].is_superuser = False
+        api_request_permissions['user']['change'].save()
+
+        if response.status_code == 405:
+            pytest.xfail( reason = 'ViewSet does not have this request method.' )
+
+        assert response.status_code == 200, response.content
+
+
+
+    def test_permission_view(self, model_instance, api_request_permissions):
+        """ Check correct permission for view
+
+        Attempt to view as user with view permission
+        """
+
+        client = Client()
+
+        client.force_login( api_request_permissions['user']['view'] )
+
+        view_item = model_instance(
+            kwargs_create = {
+                'organization': api_request_permissions['tenancy']['user']
+            }
+        )
+
+        response = client.get(
+            path = view_item.get_url( many = False )
+        )
+
+        if response.status_code == 405:
+            pytest.xfail( reason = 'ViewSet does not have this request method.' )
+
+        assert response.status_code == 403, response.content
+
+
+
+    def test_permission_view_super_user_only(self, model_instance, api_request_permissions):
+        """ Check correct permission for view
+
+        Attempt to view as user with view permission
+        """
+
+        client = Client()
+
+        api_request_permissions['user']['view'].is_superuser = True
+        api_request_permissions['user']['view'].save()
+
+        client.force_login( api_request_permissions['user']['view'] )
+
+        view_item = model_instance(
+            kwargs_create = {
+                'organization': api_request_permissions['tenancy']['user']
+            }
+        )
+
+        response = client.get(
+            path = view_item.get_url( many = False )
+        )
+
+        api_request_permissions['user']['view'].is_superuser = False
+        api_request_permissions['user']['view'].save()
+
+        if response.status_code == 405:
+            pytest.xfail( reason = 'ViewSet does not have this request method.' )
+
+        assert response.status_code == 200, response.content
+
+
+
    def test_returned_results_only_user_orgs(self):
        """Returned results check