Merge branch 'f-transaction-permissions' into 'dev'

TST: issue caosdb-server#196.

See merge request !56

tests/test_issues_server.py

@@ -1178,6 +1178,84 @@ def test_192():
     assert count8 == 1
 
 
+def test_196a():
+    """See https://gitlab.com/caosdb/caosdb-server/-/issues/196"""
+    admin._insert_role(name=CURATOR_ROLE, description="Desc")
+
+    perms = admin._get_permissions(CURATOR_ROLE)
+    g = admin.PermissionRule(action="Grant", permission="TRANSACTION:*")
+    perms.add(g)
+    admin._set_permissions(CURATOR_ROLE, permission_rules=perms)
+    admin._insert_user(name="TestUser", password="Password1!", status="ACTIVE")
+    admin._set_roles(username="TestUser", roles=[CURATOR_ROLE])
+
+    db.configure_connection(username="TestUser", password_method="plain",
+                            password="Password1!")
+    # works
+    db.RecordType(name="TestRT1").insert()
+    db.Property(name="TestProp1", datatype=db.TEXT).insert()
+
+    # Deny TRANSACTION:INSERT:PROPERTY
+    db.configure_connection()
+    perms = admin._get_permissions(CURATOR_ROLE)
+    g = admin.PermissionRule(action="Deny", permission="TRANSACTION:INSERT:PROPERTY")
+    perms.add(g)
+    admin._set_permissions(CURATOR_ROLE, permission_rules=perms)
+
+    db.configure_connection(username="TestUser", password_method="plain",
+                            password="Password1!")
+
+    # it is still allowed to insert a record type...
+    db.RecordType(name="TestRT2").insert()
+
+    # fails
+    with pytest.raises(TransactionError) as cm:
+        # this should fail because the curator doesn't have TRANSACTION:INSERT:PROPERTY
+        db.Property(name="TestProp2", datatype=db.TEXT).insert()
+    assert cm.value.errors[0].msg == "You are not allowed to do this."
+
+
+@pytest.mark.parametrize("deny", ["TRANSACTION:INSERT:", "TRANSACTION:INSERT:*"])
+def test_196b(deny):
+    """Same as test_196a but we completely deny insertion."""
+    admin._insert_role(name=CURATOR_ROLE, description="Desc")
+
+    perms = admin._get_permissions(CURATOR_ROLE)
+    g = admin.PermissionRule(action="Grant", permission="TRANSACTION:*")
+    perms.add(g)
+    admin._set_permissions(CURATOR_ROLE, permission_rules=perms)
+    admin._insert_user(name="TestUser", password="Password1!", status="ACTIVE")
+    admin._set_roles(username="TestUser", roles=[CURATOR_ROLE])
+
+    db.configure_connection(username="TestUser", password_method="plain",
+                            password="Password1!")
+    # works
+    db.RecordType(name="TestRT1").insert()
+    db.Property(name="TestProp1", datatype=db.TEXT).insert()
+
+    # Deny TRANSACTION:INSERT
+    db.configure_connection()
+    perms = admin._get_permissions(CURATOR_ROLE)
+    g = admin.PermissionRule(action="Deny", permission=deny)
+    perms.add(g)
+    admin._set_permissions(CURATOR_ROLE, permission_rules=perms)
+
+    db.configure_connection(username="TestUser", password_method="plain",
+                            password="Password1!")
+
+    # fails (in contrast to test_196a)
+    with pytest.raises(TransactionError) as cm:
+        # this should fail because the curator doesn't have TRANSACTION:INSERT:RECORDTYPE
+        db.RecordType(name="TestRT2").insert()
+    assert cm.value.errors[0].msg == "You are not allowed to do this."
+
+    # fails
+    with pytest.raises(TransactionError) as cm:
+        # this should fail because the curator doesn't have TRANSACTION:INSERT:PROPERTY
+        db.Property(name="TestProp2", datatype=db.TEXT).insert()
+    assert cm.value.errors[0].msg == "You are not allowed to do this."
+
+
 @pytest.mark.xfail(reason="fix needed")
 @pytest.mark.parametrize("num", ["1e+23", "5e22", "2e-323"])
 def test_143(num):