diff --git a/CHANGELOG.md b/CHANGELOG.md
index e20b8e5f..8977e56f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - Update ical schedule creation/update to trigger final schedule refresh ([#3156](https://github.com/grafana/oncall/pull/3156))
+- Handle None role when syncing users from Grafana ([#3147](https://github.com/grafana/oncall/pull/3147))
 - Polish "Build 'When I am on-call' for web UI" [#2915](https://github.com/grafana/oncall/issues/2915)
 - Fix iCal schedule incorrect view [#2001](https://github.com/grafana/oncall-private/issues/2001)
 - Fix rotation name rendering issue [#2324](https://github.com/grafana/oncall/issues/2324)
diff --git a/engine/apps/api/permissions.py b/engine/apps/api/permissions.py
index 20aecdc0..ce58e375 100644
--- a/engine/apps/api/permissions.py
+++ b/engine/apps/api/permissions.py
@@ -80,6 +80,7 @@ class LegacyAccessControlRole(enum.IntEnum):
     ADMIN = 0
     EDITOR = 1
     VIEWER = 2
+    NONE = 3
 
     @classmethod
     def choices(cls):
@@ -99,9 +100,9 @@ RBACObjectPermissionsAttribute = typing.Dict[permissions.BasePermission, typing.
 
 def get_most_authorized_role(permissions: LegacyAccessControlCompatiblePermissions) -> LegacyAccessControlRole:
     if not permissions:
-        return LegacyAccessControlRole.VIEWER
+        return LegacyAccessControlRole.NONE
 
-    # ex. Admin is 0, Viewer is 2, thereby min makes sense here
+    # ex. Admin is 0, None is 3, thereby min makes sense here
     return min({p.fallback_role for p in permissions}, key=lambda r: r.value)
 
 
diff --git a/engine/apps/api/tests/test_alert_group.py b/engine/apps/api/tests/test_alert_group.py
index 03ac9ae3..ee52d202 100644
--- a/engine/apps/api/tests/test_alert_group.py
+++ b/engine/apps/api/tests/test_alert_group.py
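Review bot: The new `NONE = 3` member of `LegacyAccessControlRole` is what every ordering-based check now depends on — `min(..., key=lambda r: r.value)` in `get_most_authorized_role` here, and presumably any `role <= VIEWER` style comparison elsewhere — yet nothing records that NONE must stay the highest value, and the `choices()` classmethod cut off at the end of the first hunk will presumably now offer it wherever those choices feed a model field or serializer. A comment on the member pins the invariant: `NONE = 3  # no access; must remain the highest value, role checks treat a lower value as more privilege`. Any call site that treats "not VIEWER" as "at least EDITOR" would route a NONE user into the privileged branch, so those sites are worth checking (inferred, not visible in this hunk). `get_most_authorized_role` also deserves a docstring stating that an empty permission set now resolves to NONE (fail-closed) rather than VIEWER, since that changes the default for any view declaring no permissions.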
@@ -848,6 +848,7 @@ def test_get_filter_escalation_chain( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_acknowledge_permissions( @@ -883,6 +884,7 @@ def test_alert_group_acknowledge_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_unacknowledge_permissions( @@ -917,6 +919,7 @@ def test_alert_group_unacknowledge_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_resolve_permissions( @@ -951,6 +954,7 @@ def test_alert_group_resolve_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_unresolve_permissions( @@ -985,6 +989,7 @@ def test_alert_group_unresolve_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_silence_permissions( 
@@ -1019,6 +1024,7 @@ def test_alert_group_silence_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_unsilence_permissions( @@ -1053,6 +1059,7 @@ def test_alert_group_unsilence_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_attach_permissions( @@ -1087,6 +1094,7 @@ def test_alert_group_attach_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_unattach_permissions( @@ -1121,6 +1129,7 @@ def test_alert_group_unattach_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_list_permissions( @@ -1155,6 +1164,7 @@ def test_alert_group_list_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_stats_permissions( 
@@ -1189,6 +1199,7 @@ def test_alert_group_stats_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_bulk_action_permissions( @@ -1221,6 +1232,7 @@ def test_alert_group_bulk_action_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_filters_permissions( @@ -1255,6 +1267,7 @@ def test_alert_group_filters_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_detail_permissions( @@ -1678,6 +1691,7 @@ def test_alert_group_status_field( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_group_preview_template_permissions( diff --git a/engine/apps/api/tests/test_alert_receive_channel.py b/engine/apps/api/tests/test_alert_receive_channel.py index 16579802..2539a1a0 100644 --- a/engine/apps/api/tests/test_alert_receive_channel.py +++ b/engine/apps/api/tests/test_alert_receive_channel.py @@ -264,6 +264,7 @@ def test_integration_search( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_create_permissions( 
@@ -294,6 +295,7 @@ def test_alert_receive_channel_create_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_update_permissions( @@ -331,6 +333,7 @@ def test_alert_receive_channel_update_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_delete_permissions( @@ -363,6 +366,7 @@ def test_alert_receive_channel_delete_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_list_permissions( @@ -394,6 +398,7 @@ def test_alert_receive_channel_list_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_detail_permissions( @@ -427,6 +432,7 @@ def test_alert_receive_channel_detail_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_send_demo_alert_permissions( 
@@ -462,6 +468,7 @@ def test_alert_receive_channel_send_demo_alert_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_integration_options_permissions( @@ -493,6 +500,7 @@ def test_alert_receive_channel_integration_options_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_preview_template_permissions( @@ -606,6 +614,7 @@ def test_alert_receive_channel_preview_template_dynamic_payload( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_change_team_permissions( @@ -669,6 +678,7 @@ def test_alert_receive_channel_change_team( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_counters_permissions( @@ -702,6 +712,7 @@ def test_alert_receive_channel_counters_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_counters_per_integration_permissions( 
@@ -928,6 +939,7 @@ def test_alert_receive_channel_send_demo_alert_not_enabled( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_get_connected_contact_points_permissions( @@ -965,6 +977,7 @@ def test_alert_receive_channel_get_connected_contact_points_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_get_contact_points_permissions( @@ -998,6 +1011,7 @@ def test_alert_receive_channel_get_contact_points_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_connect_contact_point_permissions( @@ -1035,6 +1049,7 @@ def test_alert_receive_channel_connect_contact_point_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_201_CREATED), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_create_contact_point_permissions( @@ -1072,6 +1087,7 @@ def test_alert_receive_channel_create_contact_point_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_disconnect_contact_point_permissions( 
diff --git a/engine/apps/api/tests/test_alert_receive_channel_template.py b/engine/apps/api/tests/test_alert_receive_channel_template.py index 728add84..111696cd 100644 --- a/engine/apps/api/tests/test_alert_receive_channel_template.py +++ b/engine/apps/api/tests/test_alert_receive_channel_template.py @@ -19,6 +19,7 @@ from apps.base.tests.messaging_backend import TestOnlyBackend (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_template_update_permissions( @@ -53,6 +54,7 @@ def test_alert_receive_channel_template_update_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_alert_receive_channel_template_detail_permissions( diff --git a/engine/apps/api/tests/test_channel_filter.py b/engine/apps/api/tests/test_channel_filter.py index 5c8167f4..31ab0a27 100644 --- a/engine/apps/api/tests/test_channel_filter.py +++ b/engine/apps/api/tests/test_channel_filter.py @@ -17,6 +17,7 @@ from apps.api.permissions import LegacyAccessControlRole (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_channel_filter_create_permissions( @@ -48,6 +49,7 @@ def test_channel_filter_create_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_channel_filter_update_permissions( 
@@ -87,6 +89,7 @@ def test_channel_filter_update_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_channel_filter_list_permissions( @@ -122,6 +125,7 @@ def test_channel_filter_list_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_channel_filter_retrieve_permissions( @@ -157,6 +161,7 @@ def test_channel_filter_retrieve_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_channel_filter_delete_permissions( @@ -192,6 +197,7 @@ def test_channel_filter_delete_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_channel_filter_move_to_position_permissions( @@ -487,6 +493,7 @@ def test_channel_filter_update_invalid_notification_backends( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_channel_filter_convert_from_regex_to_jinja2( 
@@ -521,6 +528,9 @@ def test_channel_filter_convert_from_regex_to_jinja2( url = reverse("api-internal:channel_filter-detail", kwargs={"pk": regex_channel_filter.public_primary_key}) response = client.get(url, format="json", **make_user_auth_headers(user, token)) + if role == LegacyAccessControlRole.NONE: + assert response.status_code == status.HTTP_403_FORBIDDEN + return assert response.status_code == status.HTTP_200_OK # Check if preview of the filtering term migration is correct diff --git a/engine/apps/api/tests/test_custom_button.py b/engine/apps/api/tests/test_custom_button.py index 0c3660eb..240b6745 100644 --- a/engine/apps/api/tests/test_custom_button.py +++ b/engine/apps/api/tests/test_custom_button.py @@ -280,6 +280,7 @@ def test_delete_custom_button(custom_button_internal_api_setup, make_user_auth_h (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_custom_button_create_permissions( @@ -311,6 +312,7 @@ def test_custom_button_create_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_custom_button_update_permissions( @@ -348,6 +350,7 @@ def test_custom_button_update_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_custom_button_list_permissions( 
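Review bot: The branch added after `client.get` in `test_channel_filter_convert_from_regex_to_jinja2` hard-codes `status.HTTP_403_FORBIDDEN` and returns, while the parametrize table extended at `@@ -487` already carries an expected status for the NONE row; if that value is checked later in the function (its body continues past the hunk), the NONE row's table entry is never reached and the GET's 403 is asserted independently of the table. Either parametrize the GET's expected status as well, or make the special case explicit with a comment such as `# NONE cannot read the filter at all, so the conversion preview below is never reached`. As written, a reader of the table alone cannot tell that the NONE expectation applies to a different request than the other rows.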
@@ -381,6 +384,7 @@ def test_custom_button_list_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_custom_button_retrieve_permissions( @@ -414,6 +418,7 @@ def test_custom_button_retrieve_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_custom_button_delete_permissions( diff --git a/engine/apps/api/tests/test_escalation_policy.py b/engine/apps/api/tests/test_escalation_policy.py index f14d4daa..30609c41 100644 --- a/engine/apps/api/tests/test_escalation_policy.py +++ b/engine/apps/api/tests/test_escalation_policy.py @@ -141,6 +141,7 @@ def test_move_to_position_invalid_index(escalation_policy_internal_api_setup, ma (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_escalation_policy_create_permissions( @@ -178,6 +179,7 @@ def test_escalation_policy_create_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_escalation_policy_update_permissions( 
@@ -219,6 +221,7 @@ def test_escalation_policy_update_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_escalation_policy_list_permissions( @@ -256,6 +259,7 @@ def test_escalation_policy_list_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_escalation_policy_retrieve_permissions( @@ -293,6 +297,7 @@ def test_escalation_policy_retrieve_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_escalation_policy_delete_permissions( @@ -330,6 +335,7 @@ def test_escalation_policy_delete_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_escalation_policy_escalation_options_permissions( @@ -367,6 +373,7 @@ def test_escalation_policy_escalation_options_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_escalation_policy_delay_options_permissions( 
@@ -405,6 +412,7 @@ def test_escalation_policy_delay_options_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_escalation_policy_move_to_position_permissions( diff --git a/engine/apps/api/tests/test_integration_heartbeat.py b/engine/apps/api/tests/test_integration_heartbeat.py index 8954b74a..9b0cd9c7 100644 --- a/engine/apps/api/tests/test_integration_heartbeat.py +++ b/engine/apps/api/tests/test_integration_heartbeat.py @@ -188,6 +188,7 @@ def test_update_integration_heartbeat( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_integration_heartbeat_create_permissions( @@ -218,6 +219,7 @@ def test_integration_heartbeat_create_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_integration_heartbeat_update_permissions( @@ -257,6 +259,7 @@ def test_integration_heartbeat_update_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_integration_heartbeat_list_permissions( 
@@ -292,6 +295,7 @@ def test_integration_heartbeat_list_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_integration_heartbeat_timeout_options_permissions( @@ -323,6 +327,7 @@ def test_integration_heartbeat_timeout_options_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_integration_heartbeat_retrieve_permissions( diff --git a/engine/apps/api/tests/test_oncall_shift.py b/engine/apps/api/tests/test_oncall_shift.py index ab962707..af8191fe 100644 --- a/engine/apps/api/tests/test_oncall_shift.py +++ b/engine/apps/api/tests/test_oncall_shift.py @@ -1213,6 +1213,7 @@ def test_create_on_call_shift_override_in_past(on_call_shift_internal_api_setup, (LegacyAccessControlRole.ADMIN, status.HTTP_201_CREATED), (LegacyAccessControlRole.EDITOR, status.HTTP_201_CREATED), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_on_call_shift_create_permissions( @@ -1245,6 +1246,7 @@ def test_on_call_shift_create_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_on_call_shift_update_permissions( 
@@ -1292,6 +1294,7 @@ def test_on_call_shift_update_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_on_call_shift_list_permissions( @@ -1323,6 +1326,7 @@ def test_on_call_shift_list_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_on_call_shift_retrieve_permissions( @@ -1366,6 +1370,7 @@ def test_on_call_shift_retrieve_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT), (LegacyAccessControlRole.EDITOR, status.HTTP_204_NO_CONTENT), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_on_call_shift_delete_permissions( @@ -1409,6 +1414,7 @@ def test_on_call_shift_delete_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_on_call_shift_frequency_options_permissions( @@ -1440,6 +1446,7 @@ def test_on_call_shift_frequency_options_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_on_call_shift_days_options_permissions( 
@@ -1471,6 +1478,7 @@ def test_on_call_shift_days_options_permissions(
         (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
         (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
         (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+        (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
     ],
 )
 def test_on_call_shift_preview_permissions(
diff --git a/engine/apps/api/tests/test_organization.py b/engine/apps/api/tests/test_organization.py
index 04470364..058c20a6 100644
--- a/engine/apps/api/tests/test_organization.py
+++ b/engine/apps/api/tests/test_organization.py
@@ -1,3 +1,4 @@
+import os
 from unittest.mock import patch
 
 import pytest
@@ -10,12 +11,11 @@ from apps.api.permissions import LegacyAccessControlRole
 
 
 @pytest.mark.django_db
-@pytest.mark.parametrize("rbac_enabled", [True, False])
-def test_get_organization_rbac_enabled(
-    make_organization_and_user_with_plugin_token, make_user_auth_headers, rbac_enabled
-):
+def test_get_organization_rbac_enabled(make_organization_and_user_with_plugin_token, make_user_auth_headers):
+    is_rbac_enabled = os.getenv("ONCALL_TESTING_RBAC_ENABLED", "True") == "True"
     organization, user, token = make_organization_and_user_with_plugin_token()
-    organization.is_rbac_permissions_enabled = rbac_enabled
+    # set rbac enabled based on env variable (factories use this value)
+    organization.is_rbac_permissions_enabled = is_rbac_enabled
     organization.save()
 
     client = APIClient()
@@ -23,7 +23,7 @@ def test_get_organization_rbac_enabled(
     response = client.get(url, format="json", **make_user_auth_headers(user, token))
 
     assert response.status_code == status.HTTP_200_OK
-    assert response.json()["rbac_enabled"] == rbac_enabled
+    assert response.json()["rbac_enabled"] == organization.is_rbac_permissions_enabled
 
 
 @pytest.mark.django_db
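Review bot: `test_get_organization_rbac_enabled` no longer exercises both RBAC states: replacing the `[True, False]` parametrization with `os.getenv("ONCALL_TESTING_RBAC_ENABLED", "True") == "True"` means a single run covers only whichever value the environment selects, and the final assertion now compares the response with the value the test itself just saved, so it can only catch the serializer mislabelling the field. The string comparison is also case- and spelling-sensitive — `true` or `1` silently selects the RBAC-disabled path with no test failure to flag it. If the factories read the same variable, as the new comment says, a shared helper in conftest (e.g. `rbac_enabled_from_env()`) would keep the parsing in one place; failing that, `os.getenv("ONCALL_TESTING_RBAC_ENABLED", "True").lower() in ("1", "true")` is the minimum so that a mis-set variable does not quietly flip the whole suite.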
@@ -49,6 +49,7 @@ def test_update_organization_settings(make_organization_and_user_with_plugin_tok (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_organization_retrieve_permissions( @@ -79,6 +80,7 @@ def test_organization_retrieve_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_organization_update_permissions( @@ -110,6 +112,7 @@ def test_organization_update_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_organization_get_telegram_verification_code_permissions( @@ -134,6 +137,7 @@ def test_organization_get_telegram_verification_code_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_organization_get_channel_verification_code_permissions( diff --git a/engine/apps/api/tests/test_postmortem_messages.py b/engine/apps/api/tests/test_postmortem_messages.py index e2877ce0..a467a6a9 100644 --- a/engine/apps/api/tests/test_postmortem_messages.py +++ b/engine/apps/api/tests/test_postmortem_messages.py 
@@ -215,6 +215,7 @@ def test_delete_resolution_note( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_resolution_note_create_permissions( @@ -248,6 +249,7 @@ def test_resolution_note_create_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_resolution_note_update_permissions( @@ -292,6 +294,7 @@ def test_resolution_note_update_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT), (LegacyAccessControlRole.EDITOR, status.HTTP_204_NO_CONTENT), (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_resolution_note_delete_permissions( @@ -334,6 +337,7 @@ def test_resolution_note_delete_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_resolution_note_list_permissions( @@ -366,6 +370,7 @@ def test_resolution_note_list_permissions( (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK), (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK), (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK), + (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN), ], ) def test_resolution_note_detail_permissions( diff --git a/engine/apps/api/tests/test_public_api_tokens.py b/engine/apps/api/tests/test_public_api_tokens.py index 5984a61e..2abc956a 100644 --- a/engine/apps/api/tests/test_public_api_tokens.py +++ b/engine/apps/api/tests/test_public_api_tokens.py 
@@ -13,6 +13,7 @@ from apps.api.permissions import LegacyAccessControlRole
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_public_api_tokens_retrieve_permissions(
@@ -39,6 +40,7 @@ def test_public_api_tokens_retrieve_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_public_api_tokens_list_permissions(
@@ -65,6 +67,7 @@ def test_public_api_tokens_list_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_201_CREATED),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_public_api_tokens_create_permissions(
@@ -96,6 +99,7 @@ def test_public_api_tokens_create_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_public_api_tokens_delete_permissions(
diff --git a/engine/apps/api/tests/test_schedule_export.py b/engine/apps/api/tests/test_schedule_export.py
index 02dc6a5b..f747067e 100644
--- a/engine/apps/api/tests/test_schedule_export.py
+++ b/engine/apps/api/tests/test_schedule_export.py
@@ -17,6 +17,7 @@ ICAL_URL = "https://calendar.google.com/calendar/ical/amixr.io_37gttuakhrtr75ano
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_get_schedule_export_token(
@@ -52,6 +53,7 @@ def test_get_schedule_export_token(
 (LegacyAccessControlRole.ADMIN, status.HTTP_404_NOT_FOUND),
 (LegacyAccessControlRole.EDITOR, status.HTTP_404_NOT_FOUND),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_schedule_export_token_not_found(
@@ -85,6 +87,7 @@ def test_schedule_export_token_not_found(
 (LegacyAccessControlRole.ADMIN, status.HTTP_201_CREATED),
 (LegacyAccessControlRole.EDITOR, status.HTTP_201_CREATED),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_schedule_create_export_token(
@@ -118,6 +121,7 @@ def test_schedule_create_export_token(
 (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT),
 (LegacyAccessControlRole.EDITOR, status.HTTP_204_NO_CONTENT),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_schedule_delete_export_token(
diff --git a/engine/apps/api/tests/test_schedules.py b/engine/apps/api/tests/test_schedules.py
index 828aa80c..db37c36d 100644
--- a/engine/apps/api/tests/test_schedules.py
+++ b/engine/apps/api/tests/test_schedules.py
@@ -1693,6 +1693,7 @@ def test_filter_events_invalid_type(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_schedule_create_permissions(
@@ -1731,6 +1732,7 @@ def test_schedule_create_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_schedule_update_permissions(
@@ -1773,6 +1775,7 @@ def test_schedule_update_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_schedule_list_permissions(
@@ -1811,6 +1814,7 @@ def test_schedule_list_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_schedule_retrieve_permissions(
@@ -1849,6 +1853,7 @@ def test_schedule_retrieve_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT),
 (LegacyAccessControlRole.EDITOR, status.HTTP_204_NO_CONTENT),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_schedule_delete_permissions(
@@ -1887,6 +1892,7 @@ def test_schedule_delete_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_events_permissions(
@@ -1925,6 +1931,7 @@ def test_events_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_filter_shift_swaps_permissions(
@@ -1963,6 +1970,7 @@ def test_filter_shift_swaps_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_reload_ical_permissions(
@@ -2001,6 +2009,7 @@ def test_reload_ical_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_schedule_notify_oncall_shift_freq_options_permissions(
@@ -2025,6 +2034,7 @@ def test_schedule_notify_oncall_shift_freq_options_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_schedule_notify_empty_oncall_options_permissions(
@@ -2049,6 +2059,7 @@ def test_schedule_notify_empty_oncall_options_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_schedule_mention_options_permissions(
@@ -2073,6 +2084,7 @@ def test_schedule_mention_options_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_current_user_events_permissions(
diff --git a/engine/apps/api/tests/test_set_general_log_channel.py b/engine/apps/api/tests/test_set_general_log_channel.py
index cdcce180..ad6a708e 100644
--- a/engine/apps/api/tests/test_set_general_log_channel.py
+++ b/engine/apps/api/tests/test_set_general_log_channel.py
@@ -17,6 +17,7 @@ from apps.api.permissions import LegacyAccessControlRole
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_set_general_log_channel_permissions(
diff --git a/engine/apps/api/tests/test_shift_swaps.py b/engine/apps/api/tests/test_shift_swaps.py
index 741bacdc..e45ccb75 100644
--- a/engine/apps/api/tests/test_shift_swaps.py
+++ b/engine/apps/api/tests/test_shift_swaps.py
@@ -116,6 +116,7 @@ def test_list(ssr_setup, make_user_auth_headers, expand_users):
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_list_permissions(
@@ -157,6 +158,7 @@ def test_retrieve(ssr_setup, make_user_auth_headers, expand_users):
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_retrieve_permissions(
@@ -277,6 +279,7 @@ def test_create_swap_start_and_swap_end_must_include_time_zone(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_create_permissions(
@@ -398,6 +401,7 @@ def test_update_swap_start_and_swap_end_must_include_time_zone(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_update_own_ssr_permissions(ssr_setup, make_user_auth_headers, role, expected_status):
@@ -551,6 +555,7 @@ def test_related_shifts(ssr_setup, make_on_call_shift, make_user_auth_headers):
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_partial_update_own_ssr_permissions(ssr_setup, make_user_auth_headers, role, expected_status):
@@ -670,6 +675,7 @@ def test_delete(
 (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT),
 (LegacyAccessControlRole.EDITOR, status.HTTP_204_NO_CONTENT),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_delete_own_ssr_permissions(ssr_setup, make_user_auth_headers, role, expected_status):
@@ -778,6 +784,7 @@ def test_take_deleted_ssr(ssr_setup, make_user_auth_headers):
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_take_permissions(
diff --git a/engine/apps/api/tests/test_slack_channels.py b/engine/apps/api/tests/test_slack_channels.py
index 70a083b1..21224e4f 100644
--- a/engine/apps/api/tests/test_slack_channels.py
+++ b/engine/apps/api/tests/test_slack_channels.py
@@ -16,6 +16,7 @@ from apps.api.permissions import LegacyAccessControlRole
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_slack_channels_list_permissions(
@@ -46,6 +47,7 @@ def test_slack_channels_list_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_slack_channels_detail_permissions(
diff --git a/engine/apps/api/tests/test_slack_team_settings.py b/engine/apps/api/tests/test_slack_team_settings.py
index 9de0e2ba..b492617f 100644
--- a/engine/apps/api/tests/test_slack_team_settings.py
+++ b/engine/apps/api/tests/test_slack_team_settings.py
@@ -16,6 +16,7 @@ from apps.api.permissions import LegacyAccessControlRole
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_get_slack_settings_permissions(
@@ -46,6 +47,7 @@ def test_get_slack_settings_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_update_slack_settings_permissions(
@@ -76,6 +78,7 @@ def test_update_slack_settings_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_get_acknowledge_remind_options_permissions(
@@ -106,6 +109,7 @@ def test_get_acknowledge_remind_options_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_get_unacknowledge_timeout_options_permissions(
diff --git a/engine/apps/api/tests/test_team.py b/engine/apps/api/tests/test_team.py
index 91c7d5fe..7b611e5c 100644
--- a/engine/apps/api/tests/test_team.py
+++ b/engine/apps/api/tests/test_team.py
@@ -116,6 +116,7 @@ def test_list_teams_for_non_member(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_list_teams_permissions(
diff --git a/engine/apps/api/tests/test_telegram_channel.py b/engine/apps/api/tests/test_telegram_channel.py
index fa340ec4..6eccd9c2 100644
--- a/engine/apps/api/tests/test_telegram_channel.py
+++ b/engine/apps/api/tests/test_telegram_channel.py
@@ -37,6 +37,7 @@ def test_not_authorized(make_organization_and_user_with_plugin_token, make_teleg
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_list_telegram_channels_permissions(
@@ -61,6 +62,7 @@ def test_list_telegram_channels_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_get_telegram_channels_permissions(
@@ -87,6 +89,7 @@ def test_get_telegram_channels_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_delete_telegram_channels_permissions(
@@ -114,6 +117,7 @@ def test_delete_telegram_channels_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_set_default_telegram_channels_permissions(
diff --git a/engine/apps/api/tests/test_user.py b/engine/apps/api/tests/test_user.py
index 47a6ece9..924cbcee 100644
--- a/engine/apps/api/tests/test_user.py
+++ b/engine/apps/api/tests/test_user.py
@@ -327,6 +327,7 @@ def test_notification_chain_verbal(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_update_self_permissions(
@@ -356,6 +357,7 @@ def test_user_update_self_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_update_other_permissions(
@@ -384,6 +386,7 @@ def test_user_update_other_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_list_permissions(
@@ -414,6 +417,7 @@ def test_user_list_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_detail_self_permissions(
@@ -444,6 +448,7 @@ def test_user_detail_self_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_detail_other_permissions(
@@ -470,6 +475,7 @@ def test_user_detail_other_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_get_own_verification_code(
@@ -500,6 +506,7 @@ def test_user_get_own_verification_code(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_get_other_verification_code(
@@ -572,6 +579,7 @@ def test_verification_code_provider_exception(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_verify_own_phone(
@@ -607,6 +615,7 @@ Tests below are outdated
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_verify_another_phone(
@@ -635,6 +644,7 @@ def test_user_verify_another_phone(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_get_own_telegram_verification_code(
@@ -659,6 +669,7 @@ def test_user_get_own_telegram_verification_code(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_get_another_telegram_verification_code(
diff --git a/engine/apps/api/tests/test_user_groups.py b/engine/apps/api/tests/test_user_groups.py
index 2e45e727..28176b56 100644
--- a/engine/apps/api/tests/test_user_groups.py
+++ b/engine/apps/api/tests/test_user_groups.py
@@ -55,6 +55,7 @@ def test_usergroup_list_without_slack_installed(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_usergroup_permissions(
diff --git a/engine/apps/api/tests/test_user_schedule_export.py b/engine/apps/api/tests/test_user_schedule_export.py
index fd467477..eec82fa0 100644
--- a/engine/apps/api/tests/test_user_schedule_export.py
+++ b/engine/apps/api/tests/test_user_schedule_export.py
@@ -16,6 +16,7 @@ ICAL_URL = "https://calendar.google.com/calendar/ical/amixr.io_37gttuakhrtr75ano
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_get_user_schedule_export_token(
@@ -47,6 +48,7 @@ def test_get_user_schedule_export_token(
 (LegacyAccessControlRole.ADMIN, status.HTTP_404_NOT_FOUND),
 (LegacyAccessControlRole.EDITOR, status.HTTP_404_NOT_FOUND),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_schedule_export_token_not_found(
@@ -73,6 +75,7 @@ def test_user_schedule_export_token_not_found(
 (LegacyAccessControlRole.ADMIN, status.HTTP_201_CREATED),
 (LegacyAccessControlRole.EDITOR, status.HTTP_201_CREATED),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_schedule_create_export_token(
@@ -99,6 +102,7 @@ def test_user_schedule_create_export_token(
 (LegacyAccessControlRole.ADMIN, status.HTTP_409_CONFLICT),
 (LegacyAccessControlRole.EDITOR, status.HTTP_409_CONFLICT),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_schedule_create_multiple_export_tokens_fails(
@@ -130,6 +134,7 @@ def test_user_schedule_create_multiple_export_tokens_fails(
 (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT),
 (LegacyAccessControlRole.EDITOR, status.HTTP_204_NO_CONTENT),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_schedule_delete_export_token(
@@ -166,6 +171,7 @@ def test_user_schedule_delete_export_token(
 (LegacyAccessControlRole.ADMIN, status.HTTP_404_NOT_FOUND),
 (LegacyAccessControlRole.EDITOR, status.HTTP_404_NOT_FOUND),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_cannot_get_another_users_schedule_token(
@@ -198,6 +204,7 @@ def test_user_cannot_get_another_users_schedule_token(
 (LegacyAccessControlRole.ADMIN, status.HTTP_404_NOT_FOUND),
 (LegacyAccessControlRole.EDITOR, status.HTTP_404_NOT_FOUND),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_user_cannot_delete_another_users_schedule_token(
diff --git a/engine/apps/api/tests/test_webhooks.py b/engine/apps/api/tests/test_webhooks.py
index 867e366f..f3162515 100644
--- a/engine/apps/api/tests/test_webhooks.py
+++ b/engine/apps/api/tests/test_webhooks.py
@@ -291,6 +291,7 @@ def test_delete_webhook(webhook_internal_api_setup, make_user_auth_headers):
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_webhook_create_permissions(
@@ -322,6 +323,7 @@ def test_webhook_create_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_webhook_update_permissions(
@@ -359,6 +361,7 @@ def test_webhook_update_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_webhook_list_permissions(
@@ -392,6 +395,7 @@ def test_webhook_list_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_200_OK),
 (LegacyAccessControlRole.VIEWER, status.HTTP_200_OK),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_webhook_retrieve_permissions(
@@ -425,6 +429,7 @@ def test_webhook_retrieve_permissions(
 (LegacyAccessControlRole.ADMIN, status.HTTP_204_NO_CONTENT),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_webhook_delete_permissions(
diff --git a/engine/apps/api/views/organization.py b/engine/apps/api/views/organization.py
index 63b3f1e9..2ec62976 100644
--- a/engine/apps/api/views/organization.py
+++ b/engine/apps/api/views/organization.py
@@ -22,7 +22,7 @@ class CurrentOrganizationView(APIView):
 permission_classes = (IsAuthenticated, RBACPermission)
 rbac_permissions = {
- "get": [],
+ "get": [RBACPermission.Permissions.OTHER_SETTINGS_READ],
 "put": [RBACPermission.Permissions.OTHER_SETTINGS_WRITE],
 }
diff --git a/engine/apps/api/views/slack_channel.py b/engine/apps/api/views/slack_channel.py
index 59ba10f3..1ec5cbec 100644
--- a/engine/apps/api/views/slack_channel.py
+++ b/engine/apps/api/views/slack_channel.py
@@ -3,6 +3,7 @@ from rest_framework.filters import SearchFilter
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.viewsets import GenericViewSet
+from apps.api.permissions import RBACPermission
 from apps.api.serializers.slack_channel import SlackChannelSerializer
 from apps.auth_token.auth import PluginAuthentication
 from apps.slack.models import SlackChannel
@@ -12,7 +13,7 @@ from common.api_helpers.paginators import HundredPageSizePaginator
 class SlackChannelView(PublicPrimaryKeyMixin, mixins.ListModelMixin, mixins.RetrieveModelMixin, GenericViewSet):
 authentication_classes = (PluginAuthentication,)
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, RBACPermission)
 pagination_class = HundredPageSizePaginator
@@ -21,6 +22,11 @@ class SlackChannelView(PublicPrimaryKeyMixin, mixins.ListModelMixin, mixins.Retr
 serializer_class = SlackChannelSerializer
 search_fields = ["name"]
+ rbac_permissions = {
+ "list": [RBACPermission.Permissions.CHATOPS_READ],
+ "retrieve": [RBACPermission.Permissions.CHATOPS_READ],
+ }
+
 def get_queryset(self):
 organization = self.request.auth.organization
 slack_team_identity = organization.slack_team_identity
diff --git a/engine/apps/api/views/slack_team_settings.py b/engine/apps/api/views/slack_team_settings.py
index e52f250b..e91aa19d 100644
--- a/engine/apps/api/views/slack_team_settings.py
+++ b/engine/apps/api/views/slack_team_settings.py
@@ -44,7 +44,11 @@ class SlackTeamSettingsAPIView(views.APIView):
 class AcknowledgeReminderOptionsAPIView(views.APIView):
 authentication_classes = (PluginAuthentication,)
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, RBACPermission)
+
+ rbac_permissions = {
+ "get": [RBACPermission.Permissions.CHATOPS_READ],
+ }
 def get(self, request):
 choices = []
@@ -57,7 +61,11 @@ class AcknowledgeReminderOptionsAPIView(views.APIView):
 class UnAcknowledgeTimeoutOptionsAPIView(views.APIView):
 authentication_classes = (PluginAuthentication,)
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, RBACPermission)
+
+ rbac_permissions = {
+ "get": [RBACPermission.Permissions.CHATOPS_READ],
+ }
 def get(self, request):
 choices = []
diff --git a/engine/apps/api/views/user_group.py b/engine/apps/api/views/user_group.py
index 4f230bae..296fcf1e 100644
--- a/engine/apps/api/views/user_group.py
+++ b/engine/apps/api/views/user_group.py
@@ -2,6 +2,7 @@ from rest_framework import mixins, viewsets
 from rest_framework.filters import SearchFilter
 from rest_framework.permissions import IsAuthenticated
+from apps.api.permissions import RBACPermission
 from apps.api.serializers.user_group import UserGroupSerializer
 from apps.auth_token.auth import PluginAuthentication
 from apps.slack.models import SlackUserGroup
@@ -9,9 +10,14 @@ from apps.slack.models import SlackUserGroup
 class UserGroupViewSet(mixins.ListModelMixin, viewsets.GenericViewSet):
 authentication_classes = (PluginAuthentication,)
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, RBACPermission)
 serializer_class = UserGroupSerializer
+ rbac_permissions = {
+ "list": [RBACPermission.Permissions.CHATOPS_READ],
+ "retrieve": [RBACPermission.Permissions.CHATOPS_READ],
+ }
+
 filter_backends = (SearchFilter,)
 search_fields = ("name", "handle")
diff --git a/engine/apps/slack/tests/test_reset_slack.py b/engine/apps/slack/tests/test_reset_slack.py
index df572177..d54d7f0f 100644
--- a/engine/apps/slack/tests/test_reset_slack.py
+++ b/engine/apps/slack/tests/test_reset_slack.py
@@ -20,6 +20,7 @@ from apps.user_management.models import User
 (LegacyAccessControlRole.ADMIN, status.HTTP_200_OK),
 (LegacyAccessControlRole.EDITOR, status.HTTP_403_FORBIDDEN),
 (LegacyAccessControlRole.VIEWER, status.HTTP_403_FORBIDDEN),
+ (LegacyAccessControlRole.NONE, status.HTTP_403_FORBIDDEN),
 ],
 )
 def test_reset_slack_integration_permissions(
diff --git a/engine/apps/slack/tests/test_scenario_steps/test_alert_group_actions.py b/engine/apps/slack/tests/test_scenario_steps/test_alert_group_actions.py
index 75517f30..0732f6ff 100644
--- a/engine/apps/slack/tests/test_scenario_steps/test_alert_group_actions.py
+++ b/engine/apps/slack/tests/test_scenario_steps/test_alert_group_actions.py
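Review bot: The `"retrieve"` entry in the new `rbac_permissions` of `UserGroupViewSet` has no action to guard, because the class only mixes in `mixins.ListModelMixin` and no `RetrieveModelMixin`, so the line is dead and reads as if a detail route existed. Either drop it or, if per-object retrieval is intended, add `mixins.RetrieveModelMixin` to the bases so the permission map and the routed actions agree. The identical mapping on `SlackChannelView` in the previous file is fine, since that class does include `mixins.RetrieveModelMixin`.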
@@ -83,12 +83,13 @@ def _get_payload(action_type="button", **kwargs):
 @pytest.mark.parametrize("step_class", ALERT_GROUP_ACTIONS_STEPS)
+@pytest.mark.parametrize("role", (LegacyAccessControlRole.VIEWER, LegacyAccessControlRole.NONE))
 @pytest.mark.django_db
 def test_alert_group_actions_unauthorized(
- step_class, make_organization_and_user_with_slack_identities, make_alert_receive_channel, make_alert_group
+ step_class, make_organization_and_user_with_slack_identities, make_alert_receive_channel, make_alert_group, role
 ):
 organization, user, slack_team_identity, slack_user_identity = make_organization_and_user_with_slack_identities(
- role=LegacyAccessControlRole.VIEWER
+ role=role
 )
 alert_receive_channel = make_alert_receive_channel(organization)
diff --git a/engine/apps/user_management/migrations/0016_alter_user_role.py b/engine/apps/user_management/migrations/0016_alter_user_role.py
new file mode 100644
index 00000000..e6b8f1d8
--- /dev/null
+++ b/engine/apps/user_management/migrations/0016_alter_user_role.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.20 on 2023-10-18 18:10
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('user_management', '0015_auto_20230926_2203'),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name='user',
+ name='role',
+ field=models.PositiveSmallIntegerField(choices=[(0, 'ADMIN'), (1, 'EDITOR'), (2, 'VIEWER'), (3, 'NONE')]),
+ ),
+ ]
diff --git a/engine/apps/user_management/models/user.py b/engine/apps/user_management/models/user.py
index 996b8427..e387f9d4 100644
--- a/engine/apps/user_management/models/user.py
+++ b/engine/apps/user_management/models/user.py
@@ -88,7 +88,7 @@ class UserManager(models.Manager["User"]):
 email=user["email"],
 name=user["name"],
 username=user["login"],
- role=LegacyAccessControlRole[user["role"].upper()],
+ role=getattr(LegacyAccessControlRole, user["role"].upper(), LegacyAccessControlRole.NONE),
 avatar_url=user["avatarUrl"],
 permissions=user["permissions"],
 )
@@ -120,7 +120,7 @@ class UserManager(models.Manager["User"]):
 users_to_update = []
 for user in organization.users.filter(user_id__in=existing_user_ids):
 grafana_user = grafana_users[user.user_id]
- g_user_role = LegacyAccessControlRole[grafana_user["role"].upper()]
+ g_user_role = getattr(LegacyAccessControlRole, grafana_user["role"].upper(), LegacyAccessControlRole.NONE)
 if (
 user.email != grafana_user["email"]
diff --git a/engine/apps/user_management/tests/test_sync.py b/engine/apps/user_management/tests/test_sync.py
index c63d8639..ac7eb99d 100644
--- a/engine/apps/user_management/tests/test_sync.py
+++ b/engine/apps/user_management/tests/test_sync.py
@@ -5,6 +5,7 @@ from django.conf import settings
 from django.test import override_settings
 from apps.alerts.models import AlertReceiveChannel
+from apps.api.permissions import LegacyAccessControlRole
 from apps.grafana_plugin.helpers.client import GcomAPIClient, GrafanaAPIClient
 from apps.user_management.models import Team, User
 from apps.user_management.sync import check_grafana_incident_is_enabled, cleanup_organization, sync_organization
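Review bot: `getattr(LegacyAccessControlRole, user["role"].upper(), LegacyAccessControlRole.NONE)` is a looser lookup than the `LegacyAccessControlRole[...]` indexing it replaces: it resolves any attribute on the enum class rather than only its members, so the role string coming from the Grafana user payload is matched against the whole class namespace, and the same pattern is repeated for `g_user_role` in the second hunk of this file. Restricting the lookup to members keeps the fail-closed default while making the intent explicit: `role=LegacyAccessControlRole.__members__.get(user["role"].upper(), LegacyAccessControlRole.NONE),` and `g_user_role = LegacyAccessControlRole.__members__.get(grafana_user["role"].upper(), LegacyAccessControlRole.NONE)`. A one-line comment at the first site would also help the next reader, e.g. `# a "None" or unrecognised Grafana role maps to NONE, which grants nothing`, since the only evidence for the "None" value is the new test in test_sync.py. Both enclosing methods of `UserManager` start outside the hunks, so whether `user["role"]` can be absent or non-string (which would still raise on `.upper()`) is not visible here.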
@@ -62,6 +63,43 @@ def test_sync_users_for_organization(make_organization, make_user_for_organizati
 )
+@pytest.mark.django_db
+def test_sync_users_for_organization_role_none(make_organization, make_user_for_organization):
+ organization = make_organization(grafana_url="https://test.test")
+ users = tuple(make_user_for_organization(organization, user_id=user_id) for user_id in (1, 2))
+
+ api_users = tuple(
+ {
+ "userId": user_id,
+ "email": "test@test.test",
+ "name": "Test",
+ "login": "test",
+ "role": "None",
+ "avatarUrl": "/test/1234",
+ "permissions": [],
+ }
+ for user_id in (2, 3)
+ )
+
+ User.objects.sync_for_organization(organization, api_users=api_users)
+
+ assert organization.users.count() == 2
+
+ # check that excess users are deleted
+ assert not organization.users.filter(pk=users[0].pk).exists()
+
+ # check that existing users are updated
+ updated_user = organization.users.filter(pk=users[1].pk).first()
+ assert updated_user is not None
+ assert updated_user.role == LegacyAccessControlRole.NONE
+
+ # check that missing users are created
+ created_user = organization.users.filter(user_id=api_users[1]["userId"]).first()
+ assert created_user is not None
+ assert created_user.user_id == api_users[1]["userId"]
+ assert created_user.role == LegacyAccessControlRole.NONE
+
+
 @pytest.mark.django_db
 def test_sync_teams_for_organization(make_organization, make_team):
 organization = make_organization()
diff --git a/engine/conftest.py b/engine/conftest.py
index 270b1ec2..ae810e51 100644
--- a/engine/conftest.py
+++ b/engine/conftest.py
@@ -279,6 +279,7 @@ def get_user_permission_role_mapping_from_frontend_plugin_json() -> RoleMapping:
 plugin_json: PluginJSON = json.load(fp)
 role_mapping: RoleMapping = {
+ LegacyAccessControlRole.NONE: [],
 LegacyAccessControlRole.VIEWER: [],
 LegacyAccessControlRole.EDITOR: [],
 LegacyAccessControlRole.ADMIN: [],