Use an ad-hoc permission for who can view a certificate

03c7acbb · Enrico Zini · 3fb74cf7 · 03c7acbb · 03c7acbb · 03c7acbb
Commit 03c7acbb authored Apr 21, 2022 by Enrico Zini
--- a/backend/permissions.py
+++ b/backend/permissions.py
@@ -17,6 +17,7 @@ class PersonVisitorPermissions(Permissions):
    edit_fpr = Permission(doc="the visitor can edit the person's key fingerprint")
    fd_comments = Permission(doc="the visitor can view the person's FD comments")
    endorse_key = Permission(doc="the visitor can endorse a FingerPrint")
+    view_certificate = Permission(doc="the visitor can view the DPL certificate")

    def __init__(self, person, visitor, **kw):
        super(PersonVisitorPermissions, self).__init__(**kw)
@@ -64,6 +65,8 @@ class PersonVisitorPermissions(Permissions):
        self.update_keycheck = True
        self.view_person_audit_log = True
        self.endorse_key = True
+        if self.person.status in (const.STATUS_DM, const.STATUS_DM_GA, const.STATUS_DD_NU, const.STATUS_DD_U):
+            self.view_certificate = True
        if self.person.possible_new_statuses:
            self.request_new_status = True
        if not self._person_has_ldap_record():
@@ -80,6 +83,8 @@ class PersonVisitorPermissions(Permissions):
        self.edit_email = True
        self.update_keycheck = True
        self.endorse_key = False
+        if self.person.status in (const.STATUS_DM, const.STATUS_DM_GA, const.STATUS_DD_NU, const.STATUS_DD_U):
+            self.view_certificate = True
        if not self._person_has_frozen_processes():
            if not self.person.pending:
                if not self._person_has_ldap_record():

--- a/backend/tests/test_perms.py
+++ b/backend/tests/test_perms.py
@@ -53,64 +53,76 @@ class TestVisitPersonNoProcess(OldProcessFixtureMixin, TestCase):
    @classmethod
    def __add_extra_tests__(cls):
        cls._add_method(cls._test_perms, "pending", perms={
-            "fd dam": "update_keycheck edit_email edit_bio edit_ldap edit_fpr view_person_audit_log fd_comments endorse_key",
+            "fd dam": "update_keycheck edit_email edit_bio edit_ldap edit_fpr view_person_audit_log fd_comments"
+                      " endorse_key",
            "activeam": "update_keycheck edit_bio edit_ldap edit_fpr view_person_audit_log endorse_key",
            "pending": "update_keycheck edit_email edit_bio",
            "dd_nu dd_u oldam": "view_person_audit_log update_keycheck endorse_key",
        })

        cls._add_method(cls._test_perms, "dc", perms={
-            "fd dam": "update_keycheck edit_email edit_bio edit_ldap edit_fpr view_person_audit_log request_new_status fd_comments endorse_key",
+            "fd dam": "update_keycheck edit_email edit_bio edit_ldap edit_fpr view_person_audit_log request_new_status"
+                      " fd_comments endorse_key",
            "dc": "update_keycheck edit_email edit_bio edit_ldap edit_fpr view_person_audit_log request_new_status",
            "activeam": "update_keycheck edit_bio edit_ldap edit_fpr view_person_audit_log endorse_key",
            "dd_nu dd_u oldam": "view_person_audit_log update_keycheck endorse_key",
        })

        cls._add_method(cls._test_perms, "dc_ga", perms={
-            "fd dam": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments endorse_key",
+            "fd dam": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments"
+                      " endorse_key",
            "dc_ga": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status",
            "activeam": "update_keycheck edit_bio view_person_audit_log endorse_key",
            "dd_nu dd_u oldam": "view_person_audit_log update_keycheck endorse_key",
        })

        cls._add_method(cls._test_perms, "dm", perms={
-            "fd dam": "update_keycheck edit_email edit_bio edit_ldap edit_fpr view_person_audit_log request_new_status fd_comments endorse_key",
-            "dm": "update_keycheck edit_email edit_bio edit_ldap view_person_audit_log request_new_status",
+            "fd dam": "update_keycheck edit_email edit_bio edit_ldap edit_fpr"
+                      " view_person_audit_log request_new_status fd_comments endorse_key view_certificate",
+            "dm": "update_keycheck edit_email edit_bio edit_ldap"
+                  " view_person_audit_log request_new_status view_certificate",
            "activeam": "update_keycheck edit_bio edit_ldap view_person_audit_log endorse_key",
            "dd_nu dd_u oldam": "view_person_audit_log update_keycheck endorse_key",
        })

        cls._add_method(cls._test_perms, "dm_ga", perms={
-            "fd dam": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments endorse_key",
-            "dm_ga": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status",
+            "fd dam": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments"
+                      " endorse_key view_certificate",
+            "dm_ga": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status view_certificate",
            "activeam": "update_keycheck edit_bio view_person_audit_log endorse_key",
            "dd_nu dd_u oldam": "view_person_audit_log update_keycheck endorse_key",
        })

        cls._add_method(cls._test_perms, "dd_nu", perms={
-            "fd dam": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments endorse_key",
-            "dd_nu": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status",
+            "fd dam": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments"
+                      " endorse_key view_certificate",
+            "dd_nu": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status view_certificate",
            "activeam": "update_keycheck edit_bio view_person_audit_log endorse_key",
            "dd_u oldam": "view_person_audit_log update_keycheck endorse_key",
        })

        cls._add_method(cls._test_perms, "dd_u", perms={
-            "fd dam": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments endorse_key",
-            "dd_u": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status",
+            "fd dam": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments"
+                      " endorse_key view_certificate",
+            "dd_u": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status view_certificate",
            "activeam": "update_keycheck edit_bio view_person_audit_log endorse_key",
            "dd_nu oldam": "view_person_audit_log update_keycheck endorse_key",
        })

        cls._add_method(cls._test_perms, "fd", perms={
-            "fd": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments",
-            "dam": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments endorse_key",
+            "fd": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments"
+                  " view_certificate",
+            "dam": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments"
+                   " endorse_key view_certificate",
            "activeam": "update_keycheck edit_bio view_person_audit_log endorse_key",
            "dd_nu dd_u oldam": "view_person_audit_log update_keycheck endorse_key",
        })

        cls._add_method(cls._test_perms, "dam", perms={
-            "fd": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments endorse_key",
-            "dam": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments",
+            "fd": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments"
+                  " endorse_key view_certificate",
+            "dam": "update_keycheck edit_email edit_bio view_person_audit_log request_new_status fd_comments"
+                   " view_certificate",
            "activeam": "view_person_audit_log update_keycheck edit_bio endorse_key",
            "dd_nu dd_u oldam": "view_person_audit_log update_keycheck endorse_key",
        })
@@ -167,6 +179,9 @@ class ProcExpected(object):
    def patch_generic_process_final(self):
        self.proc.patch("app activeam", "+edit_bio")
        self.proc.patch("fd dam app", "-edit_ldap -edit_fpr")
+        if self.proc.testcase.processes.app.applying_for in (
+                const.STATUS_DM, const.STATUS_DM_GA, const.STATUS_DD_NU, const.STATUS_DD_U):
+            self.proc.patch("fd dam app", "+view_certificate")


 class TestVisitApplicant(OldProcessFixtureMixin, TestCase):

--- a/backend/unittest.py
+++ b/backend/unittest.py
@@ -134,7 +134,7 @@ class TestBase(nm2.lib.unittest.TestBase):
        for identity in signon_identities:
            identity = self.identities[identity]
            if identity.issuer == "salsa":
-                client.session[f"signon_identity_salsa"] = identity.pk
+                client.session["signon_identity_salsa"] = identity.pk
                client.session.save()
            elif identity.issuer == "debsso":
                client.defaults["SSL_CLIENT_S_DN_CN"] = identity.subject

--- a/person/views.py
+++ b/person/views.py
@@ -245,6 +245,7 @@ class Identities(VisitPersonMixin, TemplateView):

 class Certificate(VisitPersonMixin, TemplateView):
    template_name = "person/certificate.html"
+    require_visit_perms = "view_certificate"

    def check_permissions(self):
        super().check_permissions()

--- a/process/tests/test_perms.py
+++ b/process/tests/test_perms.py
@@ -226,8 +226,8 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        self.processes.create("app", person=self.persons.app, applying_for=const.STATUS_DM_GA)
        expected.patch_generic_process_started()
        expected.starts.patch("-dm_ga")
-        expected.proc.patch("fd dam", "+edit_ldap +edit_fpr -am_assign")
-        expected.proc.patch("app", "+edit_ldap")
+        expected.proc.patch("fd dam", "+edit_ldap +edit_fpr -am_assign +view_certificate")
+        expected.proc.patch("app", "+edit_ldap +view_certificate")
        self.assertPerms(expected)

        # Freeze for review
@@ -278,6 +278,7 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        self._close_process("dam")
        expected.patch_generic_process_closed()
        expected.proc.patch("app activeam", "+edit_ldap")
+        expected.proc.patch("app fd dam", "+view_certificate")
        expected.starts.patch("-dc_ga -dm +dm_ga")
        self.assertPerms(expected)

@@ -320,7 +321,8 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        self._close_process("dam")
        expected.patch_generic_process_closed()
        expected.starts.patch("-dc_ga -dm -dd_nu +dd_u +dd_e")
-        expected.proc.patch("fd dam", "-edit_ldap -edit_fpr")
+        expected.proc.patch("fd dam", "-edit_ldap -edit_fpr +view_certificate")
+        expected.proc.patch("app", "+view_certificate")
        self.assertPerms(expected)

    def test_dcga_ddnu(self):
@@ -360,6 +362,8 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        self._close_process("dam")
        expected.patch_generic_process_closed()
        expected.starts.patch("-dm_ga -dd_nu +dd_u +dd_e")
+        expected.proc.patch("fd dam", "+view_certificate")
+        expected.proc.patch("app", "+view_certificate")
        self.assertPerms(expected)

    def test_dc_ddu(self):
@@ -402,7 +406,7 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        expected.patch_generic_process_closed()
        expected.starts.patch("-dc_ga -dm -dd_nu -dd_u +dd_e +dd_nu")
        expected.proc.patch("fd dam", "-edit_ldap -edit_fpr")
-        expected.proc.patch("app fd dam", "-edit_ldap -edit_fpr")
+        expected.proc.patch("app fd dam", "-edit_ldap -edit_fpr +view_certificate")
        self.assertPerms(expected)

    def test_dcga_ddu(self):
@@ -442,7 +446,7 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        self._close_process("dam")
        expected.patch_generic_process_closed()
        expected.starts.patch("-dm_ga -dd_nu -dd_u")
-        expected.proc.patch("app fd dam", "-edit_ldap -edit_fpr")
+        expected.proc.patch("app fd dam", "-edit_ldap -edit_fpr +view_certificate")
        expected.starts.patch("+dd_e +dd_nu")
        self.assertPerms(expected)

@@ -461,8 +465,8 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        self.processes.create("app", person=self.persons.app, applying_for=const.STATUS_DD_U)
        expected.patch_generic_process_started()
        expected.starts.patch("-dd_u -dd_nu")
-        expected.proc.patch("fd dam", "+edit_ldap +edit_fpr")
-        expected.proc.patch("app", "+edit_ldap")
+        expected.proc.patch("fd dam", "+edit_ldap +edit_fpr +view_certificate")
+        expected.proc.patch("app", "+edit_ldap +view_certificate")
        self.assertPerms(expected)

        # Assign manager
@@ -504,7 +508,7 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        expected.patch_generic_process_started()
        expected.starts.patch("-dd_u -dd_nu")
        expected.proc.patch("app am activeam fd dam", "-edit_ldap -edit_fpr")
-        expected.proc.patch("app fd dam", "-edit_ldap -edit_fpr -request_new_status")
+        expected.proc.patch("app fd dam", "-edit_ldap -edit_fpr -request_new_status +view_certificate")
        self.assertPerms(expected)

        # Assign manager
@@ -547,7 +551,7 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        expected.patch_generic_process_started()
        expected.starts.patch("-dd_u -dd_e")
        expected.proc.patch("app activeam fd dam", "-edit_ldap -edit_fpr")
-        expected.proc.patch("app fd dam", "-edit_ldap -edit_fpr -request_new_status")
+        expected.proc.patch("app fd dam", "-edit_ldap -edit_fpr -request_new_status +view_certificate")
        expected.proc.patch("fd dam", "-am_assign")
        expected.intent.patch("app", "+req_approve")
        expected.intent.patch("- pending dc dc_ga dm dm_ga dd_e dd_r", "-req_view")
@@ -566,7 +570,7 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        # Finalize
        self._close_process("dam")
        expected.patch_generic_process_closed()
-        expected.proc.patch("app fd dam", "+request_new_status +edit_fpr")
+        expected.proc.patch("app fd dam", "+request_new_status +edit_fpr -view_certificate")
        expected.proc.patch("activeam", "+edit_fpr")
        expected.starts.patch("+dd_u +dd_nu")
        self.assertPerms(expected)
@@ -589,7 +593,7 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        expected.patch_generic_process_started()
        expected.starts.patch("-dd_e -dd_nu")
        expected.proc.patch("app activeam fd dam", "-edit_ldap -edit_fpr")
-        expected.proc.patch("app fd dam", "-edit_ldap -edit_fpr -request_new_status")
+        expected.proc.patch("app fd dam", "-edit_ldap -edit_fpr -request_new_status +view_certificate")
        expected.proc.patch("fd dam", "-am_assign")
        expected.intent.patch("app", "+req_approve")
        expected.intent.patch("- pending dc dc_ga dm dm_ga dd_e dd_r", "-req_view")
@@ -608,7 +612,7 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        # Finalize
        self._close_process("dam")
        expected.patch_generic_process_closed()
-        expected.proc.patch("app fd dam", "+request_new_status +edit_fpr")
+        expected.proc.patch("app fd dam", "+request_new_status +edit_fpr -view_certificate")
        expected.proc.patch("activeam", "+edit_fpr")
        expected.starts.patch("+dd_u +dd_nu")
        self.assertPerms(expected)
@@ -631,7 +635,7 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        expected.patch_generic_process_started()
        expected.starts.patch("-dd_e -dd_nu")
        expected.proc.patch("app activeam fd dam", "-edit_ldap -edit_fpr")
-        expected.proc.patch("app fd dam", "-edit_ldap -edit_fpr -request_new_status")
+        expected.proc.patch("app fd dam", "-edit_ldap -edit_fpr -request_new_status +view_certificate")
        expected.proc.patch("fd dam", "-am_assign")
        expected.intent.patch("app", "+req_approve")
        expected.intent.patch("- pending dc dc_ga dm dm_ga dd_e dd_r", "-req_view")
@@ -650,7 +654,7 @@ class TestVisitApplicant(ProcessFixtureMixin, TestCase):
        # Finalize
        self._close_process("dam")
        expected.patch_generic_process_closed()
-        expected.proc.patch("app fd dam", "+request_new_status +edit_fpr")
+        expected.proc.patch("app fd dam", "+request_new_status +edit_fpr -view_certificate")
        expected.proc.patch("activeam", "+edit_fpr")
        expected.starts.patch("+dd_u +dd_nu")
        self.assertPerms(expected)