Merge pull request #2712 from PnX-SI/fix/datasets-route

fix(permission) add the json params to the checked params
PnX-SI · Sep 28, 2023 · 175dcec · 175dcec
2 parents 34815ef + eb25cff
commit 175dcec
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 5 deletions.
diff --git a/backend/geonature/core/gn_meta/models.py b/backend/geonature/core/gn_meta/models.py
@@ -253,10 +253,12 @@ def _get_read_scope(self, user=None):
         cruved = get_scopes_by_action(id_role=user.id_role, module_code="METADATA")
         return cruved["R"]
 
-    def _get_create_scope(self, module_code, user=None):
+    def _get_create_scope(self, module_code, user=None, object_code=None):
         if user is None:
             user = g.current_user
-        cruved = get_scopes_by_action(id_role=user.id_role, module_code=module_code)
+        cruved = get_scopes_by_action(
+            id_role=user.id_role, module_code=module_code, object_code=object_code
+        )
         return cruved["C"]
 
     def filter_by_scope(self, scope, user=None):
@@ -366,14 +368,14 @@ def filter_by_readable(self, user=None):
         """
         return self.filter_by_scope(self._get_read_scope(user))
 
-    def filter_by_creatable(self, module_code, user=None):
+    def filter_by_creatable(self, module_code, user=None, object_code=None):
         """
         Return all dataset where user have read rights minus those who user to not have
         create rigth
         """
         query = self.filter(TDatasets.modules.any(module_code=module_code))
         scope = self._get_read_scope(user)
-        create_scope = self._get_create_scope(module_code, user=user)
+        create_scope = self._get_create_scope(module_code, user=user, object_code=object_code)
         if create_scope < scope:
             scope = create_scope
         return query.filter_by_scope(scope)

diff --git a/backend/geonature/core/gn_meta/routes.py b/backend/geonature/core/gn_meta/routes.py
@@ -65,6 +65,7 @@
 from werkzeug.datastructures import Headers
 from geonature.core.gn_permissions import decorators as permissions
 from geonature.core.gn_permissions.tools import get_scopes_by_action
+from geonature.core.gn_permissions.models import TObjects
 from geonature.core.gn_meta.mtd import mtd_utils
 import geonature.utils.filemanager as fm
 import geonature.utils.utilsmails as mail
@@ -99,15 +100,25 @@ def get_datasets():
     .. :quickref: Metadata;
 
     :query boolean active: filter on active fiel
+    :query string create: filter on C permission for the module_code specified
+        (we can specify the object_code by adding a . between both)
     :query int id_acquisition_framework: get only dataset of given AF
     :returns:  `list<TDatasets>`
     """
     params = MultiDict(request.args)
+    if request.is_json:
+        params.update(request.json)
     fields = params.get("fields", type=str, default=[])
     if fields:
         fields = fields.split(",")
     if "create" in params:
-        query = TDatasets.query.filter_by_creatable(params.pop("create"))
+        create = params.pop("create").split(".")
+        if len(create) > 1:
+            query = TDatasets.query.filter_by_creatable(
+                module_code=create[0], object_code=create[1]
+            )
+        else:
+            query = TDatasets.query.filter_by_creatable(module_code=create[0])
     else:
         query = TDatasets.query.filter_by_readable()
 

diff --git a/backend/geonature/tests/test_gn_meta.py b/backend/geonature/tests/test_gn_meta.py
@@ -679,6 +679,25 @@ def test_get_dataset_filter_module_code(self, users, datasets, module):
         assert expected_ds.issubset(filtered_ds)
         assert datasets["own_dataset"].id_dataset not in filtered_ds
 
+    def test_get_dataset_filter_create(self, users, datasets, module):
+        set_logged_user_cookie(self.client, users["admin_user"])
+
+        response = self.client.get(
+            url_for("gn_meta.get_datasets"),
+            json={"module_code": module.module_code, "create": module.module_code},
+        )
+
+        response_with_object = self.client.get(
+            url_for("gn_meta.get_datasets"),
+            json={"module_code": module.module_code, "create": module.module_code + ".ALL"},
+        )
+
+        expected_ds = {datasets["with_module_1"].id_dataset}
+        filtered_ds = {ds["id_dataset"] for ds in response.json}
+        assert response.json == response_with_object.json
+        assert expected_ds.issubset(filtered_ds)
+        assert datasets["own_dataset"].id_dataset not in filtered_ds
+
     def test_get_dataset_search(self, users, datasets, module):
         set_logged_user_cookie(self.client, users["admin_user"])
         ds = datasets["with_module_1"]

diff --git a/backend/geonature/tests/test_reports.py b/backend/geonature/tests/test_reports.py
@@ -70,6 +70,16 @@ def test_create_report(self, synthese_data, users):
         data = {"content": "comment 4", "type": "discussion"}
         response = self.client.post(url_for(url), data=data)
         assert response.status_code == BadRequest.code
+        # TEST VALID - ADD PIN
+        response = self.client.post(
+            url_for(url), data={"item": id_synthese, "content": "", "type": "pin"}
+        )
+        assert response.status_code == 204
+        # TEST INVALID - ADD PIN
+        response = self.client.post(
+            url_for(url), data={"item": id_synthese, "content": "", "type": "pin"}
+        )
+        assert response.status_code == 409
 
     def test_delete_report(self, reports_data, users):
         # NO AUTHENT