diff --git a/SAS/TMSS/backend/src/tmss/tmssapp/populate.py b/SAS/TMSS/backend/src/tmss/tmssapp/populate.py index 8e0b5f493d05f8adbf40a007b307b15a2e3a6b93..c580d08418eb236fc419acc297bbc4b010bc58a4 100644 --- a/SAS/TMSS/backend/src/tmss/tmssapp/populate.py +++ b/SAS/TMSS/backend/src/tmss/tmssapp/populate.py @@ -1384,6 +1384,17 @@ def assign_system_permissions(): admin_group.permissions.add(perm) maintenance_group.permissions.add(perm) + extra_actions = view.get_extra_actions() + if extra_actions: + for action in extra_actions: + perm = Permission.objects.get(codename='%s_%s' % (action.__name__, name)) + if 'get' in action.mapping and perm not in already_handled: + operator_group.permissions.add(perm) + support_group.permissions.add(perm) + developer_group.permissions.add(perm) + admin_group.permissions.add(perm) + maintenance_group.permissions.add(perm) + # Note: we only grant view permissions, since alteration is only permitted to users who are superuser anyway. # operational diff --git a/SAS/TMSS/backend/test/t_permissions_system_roles.py b/SAS/TMSS/backend/test/t_permissions_system_roles.py index b5e7042e4c4afeb4a2f3ad5e4408484ed71c0324..c3b662abfb6c82b0c03bdfe86797a16512624041 100755 --- a/SAS/TMSS/backend/test/t_permissions_system_roles.py +++ b/SAS/TMSS/backend/test/t_permissions_system_roles.py @@ -68,8 +68,11 @@ class SystemPermissionTestCase(unittest.TestCase): ''' @classmethod - def create_subtask(cls) -> int: - # Create preparatory data + def create_subtask(cls) -> (int, int): + """ + returns ids of the created Subtask and its related TaskBlueprint + """ + # Create preparatory data, with tmss_test_env.create_tmss_client() as client: test_data_creator.wipe_cache() 
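Review bot: The `'get' in action.mapping` test in the added loop also matches extra actions that are mapped to GET together with a writing method (for example one declared for both get and post), so all five groups would receive that action's permission even though the comment right below says only view permissions are granted. If the permission is enforced per action codename rather than per HTTP method (not visible here), this grants more than read access; consider requiring a read-only mapping, `if set(action.mapping) <= {'get'} and perm not in already_handled:`. Separately, `Permission.objects.get(codename=...)` looks the permission up by codename alone, which raises if the codename is missing or exists for more than one content type; filtering on the content type as well would make the lookup unambiguous. assign_system_permissions starts and ends outside the hunk, so `view`, `name` and `already_handled` are taken as defined there.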
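Review bot: The new return annotation `-> (int, int)` on create_subtask is a tuple of two type objects rather than a type, so static type checkers reject it. `-> typing.Tuple[int, int]` (or `tuple[int, int]` on Python 3.9+) states the same contract, assuming `typing` is imported at the top of the file, which is outside the hunk. The comment `# Create preparatory data,` also gained a stray trailing comma. The body of create_subtask continues in the next hunk.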
@@ -92,13 +95,13 @@ class SystemPermissionTestCase(unittest.TestCase): obs_subtask_output_url = test_data_creator.post_data_and_get_url(test_data_creator.SubtaskOutput(subtask_url=obs_subtask['url']), '/subtask_output/') test_data_creator.post_data_and_get_url(test_data_creator.Dataproduct(filename="L%s_SB000.MS" % obs_subtask['id'], subtask_output_url=obs_subtask_output_url), '/dataproduct/') - return obs_subtask['id'] + return obs_subtask['id'], obs_task_blueprint['id'] @classmethod def setUpClass(cls) -> None: super().setUpClass() - cls.obs_subtask_id = cls.create_subtask() + cls.obs_subtask_id, cls.obs_taskblueprint_id = cls.create_subtask() # Create test_data_creator as regular user cls.test_data_creator = TMSSRESTTestDataCreator(BASE_URL, requests.auth.HTTPBasicAuth('paulus', 'pauluspass')) @@ -107,8 +110,9 @@ class SystemPermissionTestCase(unittest.TestCase): # Populate permissions tmss_test_env.populate_permissions() - # Retrieve operator system role + # Retrieve operator and support system roles cls.operator_group = Group.objects.get(name='operator') + cls.support_group = Group.objects.get(name='support') def setUp(self): super().setUp() @@ -328,7 +332,6 @@ class SystemPermissionTestCase(unittest.TestCase): 200, auth=self.test_data_creator.auth) - def test_Subtask_cannot_process_feedback_and_set_to_finished_if_complete_without_operator_group(self): user = User.objects.get(username='paulus') user.groups.set([]) @@ -362,7 +365,7 @@ class SystemPermissionTestCase(unittest.TestCase): # Assert Paulus has the process_feedback_and_set_to_finished_if_complete_subtask permission self.assertTrue(user.has_perm('tmssapp.process_feedback_and_set_to_finished_if_complete_subtask')) - obs_subtask_id = self.create_subtask() + obs_subtask_id, _ = self.create_subtask() # Set subtask status to finishing, so it can process feedback and set to finished. set_subtask_state_following_allowed_transitions(Subtask.objects.get(id=obs_subtask_id), 'finishing') 
@@ -410,7 +413,7 @@ class SystemPermissionTestCase(unittest.TestCase):
 # Assert Paulus has the schedule_subtask permission
 self.assertTrue(user.has_perm('tmssapp.schedule_subtask'))
- obs_subtask_id = self.create_subtask()
+ obs_subtask_id, _ = self.create_subtask()
 # Set subtask status to defined, so it can be scheduled.
 set_subtask_state_following_allowed_transitions(Subtask.objects.get(id=obs_subtask_id), 'defined')
@@ -583,7 +586,7 @@ class SystemPermissionTestCase(unittest.TestCase):
 # Assert Paulus has the unschedule_subtask permission
 self.assertTrue(user.has_perm('tmssapp.unschedule_subtask'))
- obs_subtask_id = self.create_subtask()
+ obs_subtask_id, _ = self.create_subtask()
 # Set subtask status to scheduled, so it can be unscheduled.
 set_subtask_state_following_allowed_transitions(Subtask.objects.get(id=obs_subtask_id), 'scheduled')
@@ -594,6 +597,45 @@ class SystemPermissionTestCase(unittest.TestCase): None, auth=self.test_data_creator.auth) + def test_TaskBlueprint_cannot_predecessors_without_support_group(self): + user = User.objects.get(username='paulus') + user.groups.set([]) + + # refresh user to update cache, see: https://docs.djangoproject.com/en/3.0/topics/auth/default/#permission-caching + user = User.objects.get(username='paulus') + while user.has_perm('tmssapp.predecessors_taskblueprint'): + user = User.objects.get(username='paulus') + + # Assert support group has the predecessors_taskblueprint permission + self.assertIsNotNone(self.support_group.permissions.all().filter(codename='predecessors_taskblueprint')) + # Assert Paulus does not have the predecessors_taskblueprint permission + self.assertFalse(user.has_perm('tmssapp.predecessors_taskblueprint')) + + # Try to predecessors taskblueprint and assert Paulus can't do it without the support group permissions. + response = GET_and_assert_equal_expected_code(self, + BASE_URL + '/task_blueprint/%s/predecessors/' % self.obs_taskblueprint_id, + 403, + auth=self.test_data_creator.auth) + + def test_TaskBlueprint_can_predecessors_with_support_group(self): + user = User.objects.get(username='paulus') + user.groups.set([self.support_group]) + + # refresh user to update cache, see: https://docs.djangoproject.com/en/3.0/topics/auth/default/#permission-caching + user = User.objects.get(username='paulus') + while not user.has_perm('tmssapp.predecessors_taskblueprint'): + user = User.objects.get(username='paulus') + + # Assert support group has the predecessors_taskblueprint permission + self.assertIsNotNone(self.support_group.permissions.all().filter(codename='predecessors_taskblueprint')) + # Assert Paulus does not have the predecessors_taskblueprint permission + self.assertTrue(user.has_perm('tmssapp.predecessors_taskblueprint')) + + # Try to predecessors taskblueprint and assert Paulus can't do it without the support group permissions. 
+ response = GET_and_assert_equal_expected_code(self, + BASE_URL + '/task_blueprint/%s/predecessors/' % self.obs_taskblueprint_id, + 200, + auth=self.test_data_creator.auth) if __name__ == "__main__": logging.basicConfig(format='%(asctime)s %(levelname)s %(message)s',
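Review bot: Both new tests use `self.assertIsNotNone(self.support_group.permissions.all().filter(codename='predecessors_taskblueprint'))`, which can never fail because `filter()` returns a QuerySet even when it is empty, so neither test verifies that populate actually granted the permission to the support group; use `self.assertTrue(self.support_group.permissions.filter(codename='predecessors_taskblueprint').exists())`. The `while user.has_perm(...)` and `while not user.has_perm(...)` refresh loops have no bound and would hang the test run instead of failing if the permission state never changes; a single re-fetch followed by the assertion, or a loop with a retry limit, fails cleanly. In test_TaskBlueprint_can_predecessors_with_support_group the comments `# Assert Paulus does not have ...` and `... can't do it without the support group permissions` were copied from the negative test and contradict the `assertTrue` and the expected 200. The negative test only covers a user with no groups at all, while the populate change in this commit grants the same permission to operator, developer, admin and maintenance, so its name overstates what is checked.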