Merge branch 'release/0.7.0'

libris · Dec 13, 2017 · b88df3c · b88df3c
2 parents 3ff8cf9 + 93d177b
commit b88df3c
Show file tree

Hide file tree

Showing 16 changed files with 422 additions and 137 deletions.
diff --git a/README.rst b/README.rst
@@ -182,6 +182,14 @@ DB Models
 Changelog
 =========
 
+v. 0.7.0
+--------
+
+* Preserve permissions created by others than [email protected] superuser
+* Revised API endpoint for deleting permissions; now allowing cataloging admins to
+  delete permissions on their collections (`#123 <https://github.com/libris/xl_auth/issues/123>`_)
+
+
 v. 0.6.4
 --------
 

diff --git a/messages.pot b/messages.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: xl_auth 0.6.3\n"
+"Project-Id-Version: xl_auth 0.6.4\n"
 "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
-"POT-Creation-Date: 2017-12-11 15:45+0100\n"
+"POT-Creation-Date: 2017-12-13 11:18+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <[email protected]>\n"
@@ -76,7 +76,7 @@ msgstr ""
 
 #: tests/end2end/test_collection_editing.py:164 tests/end2end/test_user_editing.py:203
 #: tests/end2end/test_user_editing.py:231 xl_auth/templates/collections/home.html:48
-#: xl_auth/templates/permissions/home.html:35
+#: xl_auth/templates/permissions/home.html:45
 msgid "Edit"
 msgstr ""
 
@@ -98,15 +98,15 @@ msgstr ""
 
 #: tests/end2end/test_collection_view.py:61 tests/end2end/test_collection_view.py:89
 #: tests/end2end/test_collection_view.py:124 tests/end2end/test_collection_view.py:153
-#: tests/end2end/test_collection_view.py:184 tests/end2end/test_permission_deleting.py:25
-#: tests/end2end/test_permission_deleting.py:52 tests/end2end/test_permission_editing.py:29
-#: tests/end2end/test_permission_editing.py:63 tests/end2end/test_permission_editing.py:90
-#: tests/end2end/test_permission_registering.py:25 tests/end2end/test_permission_registering.py:58
-#: tests/end2end/test_permission_registering.py:85 tests/end2end/test_user_editing.py:197
-#: tests/end2end/test_user_view.py:72 tests/end2end/test_user_view.py:98
-#: xl_auth/templates/collections/view.html:70 xl_auth/templates/nav.html:28
-#: xl_auth/templates/permissions/home.html:4 xl_auth/templates/users/inspect.html:66
-#: xl_auth/templates/users/view.html:54
+#: tests/end2end/test_collection_view.py:184 tests/end2end/test_permission_deleting.py:26
+#: tests/end2end/test_permission_deleting.py:66 tests/end2end/test_permission_deleting.py:100
+#: tests/end2end/test_permission_editing.py:29 tests/end2end/test_permission_editing.py:63
+#: tests/end2end/test_permission_editing.py:90 tests/end2end/test_permission_registering.py:25
+#: tests/end2end/test_permission_registering.py:58 tests/end2end/test_permission_registering.py:85
+#: tests/end2end/test_user_editing.py:197 tests/end2end/test_user_view.py:72
+#: tests/end2end/test_user_view.py:98 xl_auth/templates/collections/view.html:70
+#: xl_auth/templates/nav.html:28 xl_auth/templates/permissions/home.html:4
+#: xl_auth/templates/users/inspect.html:66 xl_auth/templates/users/view.html:54
 msgid "Permissions"
 msgstr ""
 
@@ -134,15 +134,34 @@ msgstr ""
 msgid "New Client"
 msgstr ""
 
-#: tests/end2end/test_permission_deleting.py:31 xl_auth/templates/permissions/edit.html:7
-msgid "Delete Permission"
+#: tests/end2end/test_permission_deleting.py:33 xl_auth/templates/permissions/delete.html:5
+msgid "Acknowledge Deletion"
+msgstr ""
+
+#: tests/end2end/test_permission_deleting.py:34 xl_auth/templates/permissions/delete.html:7
+#, python-format
+msgid "Delete permission for \"%(username)s\" on collection \"%(code)s\"?"
 msgstr ""
 
-#: tests/end2end/test_permission_deleting.py:34 xl_auth/permission/views.py:93
+#: tests/end2end/test_permission_deleting.py:43 tests/end2end/test_permission_deleting.py:81
+#: xl_auth/permission/views.py:95
 #, python-format
 msgid "Successfully deleted permissions for \"%(username)s\" on collection \"%(code)s\"."
 msgstr ""
 
+#: tests/end2end/test_permission_deleting.py:110 tests/forms/test_client_edit.py:23
+#: tests/forms/test_client_register.py:25 tests/forms/test_collection_edit.py:67
+#: tests/forms/test_collection_register.py:79 tests/forms/test_permission_delete.py:50
+#: tests/forms/test_permission_edit.py:86 tests/forms/test_permission_register.py:80
+#: tests/forms/test_user_administer.py:53 tests/forms/test_user_change_password.py:45
+#: tests/forms/test_user_edit_details.py:34 tests/forms/test_user_register.py:53
+#: xl_auth/collection/forms.py:41 xl_auth/collection/forms.py:73 xl_auth/oauth/client/forms.py:40
+#: xl_auth/oauth/client/forms.py:67 xl_auth/permission/forms.py:62 xl_auth/permission/forms.py:103
+#: xl_auth/permission/forms.py:159 xl_auth/user/forms.py:72 xl_auth/user/forms.py:125
+#: xl_auth/user/forms.py:151 xl_auth/user/forms.py:179
+msgid "You do not have sufficient privileges for this operation."
+msgstr ""
+
 #: tests/end2end/test_permission_editing.py:40 xl_auth/permission/views.py:69
 #, python-format
 msgid "Updated permissions for \"%(username)s\" on collection \"%(code)s\"."
@@ -222,8 +241,8 @@ msgstr ""
 
 #: tests/end2end/test_user_editing.py:52 xl_auth/templates/collections/view.html:9
 #: xl_auth/templates/collections/view.html:97 xl_auth/templates/collections/view.html:100
-#: xl_auth/templates/collections/view.html:103 xl_auth/templates/permissions/home.html:30
-#: xl_auth/templates/permissions/home.html:31 xl_auth/templates/permissions/home.html:32
+#: xl_auth/templates/collections/view.html:103 xl_auth/templates/permissions/home.html:40
+#: xl_auth/templates/permissions/home.html:41 xl_auth/templates/permissions/home.html:42
 #: xl_auth/templates/users/home.html:38 xl_auth/templates/users/home.html:91
 #: xl_auth/templates/users/inspect.html:15 xl_auth/templates/users/inspect.html:18
 #: xl_auth/templates/users/inspect.html:21 xl_auth/templates/users/inspect.html:88
@@ -240,8 +259,8 @@ msgstr ""
 
 #: tests/end2end/test_user_editing.py:52 xl_auth/templates/collections/view.html:9
 #: xl_auth/templates/collections/view.html:97 xl_auth/templates/collections/view.html:100
-#: xl_auth/templates/collections/view.html:103 xl_auth/templates/permissions/home.html:30
-#: xl_auth/templates/permissions/home.html:31 xl_auth/templates/permissions/home.html:32
+#: xl_auth/templates/collections/view.html:103 xl_auth/templates/permissions/home.html:40
+#: xl_auth/templates/permissions/home.html:41 xl_auth/templates/permissions/home.html:42
 #: xl_auth/templates/users/home.html:38 xl_auth/templates/users/home.html:91
 #: xl_auth/templates/users/inspect.html:15 xl_auth/templates/users/inspect.html:18
 #: xl_auth/templates/users/inspect.html:21 xl_auth/templates/users/inspect.html:88
@@ -277,8 +296,9 @@ msgstr ""
 #: tests/end2end/test_user_editing.py:178 tests/end2end/test_user_editing.py:182
 #: tests/end2end/test_user_inspection.py:63 tests/end2end/test_user_view.py:48
 #: tests/forms/test_permission_edit.py:62 tests/forms/test_permission_register.py:46
-#: xl_auth/permission/forms.py:41 xl_auth/user/views.py:90 xl_auth/user/views.py:109
-#: xl_auth/user/views.py:144 xl_auth/user/views.py:171 xl_auth/user/views.py:199
+#: xl_auth/permission/forms.py:41 xl_auth/permission/forms.py:143 xl_auth/user/views.py:89
+#: xl_auth/user/views.py:108 xl_auth/user/views.py:143 xl_auth/user/views.py:170
+#: xl_auth/user/views.py:198
 #, python-format
 msgid "User ID \"%(user_id)s\" does not exist"
 msgstr ""
@@ -318,18 +338,6 @@ msgstr ""
 msgid "You will only see permissions for those collections that you are cataloging admin for."
 msgstr ""
 
-#: tests/forms/test_client_edit.py:23 tests/forms/test_client_register.py:25
-#: tests/forms/test_collection_edit.py:67 tests/forms/test_collection_register.py:79
-#: tests/forms/test_permission_edit.py:86 tests/forms/test_permission_register.py:80
-#: tests/forms/test_user_administer.py:53 tests/forms/test_user_change_password.py:45
-#: tests/forms/test_user_edit_details.py:34 tests/forms/test_user_register.py:53
-#: xl_auth/collection/forms.py:41 xl_auth/collection/forms.py:73 xl_auth/oauth/client/forms.py:40
-#: xl_auth/oauth/client/forms.py:67 xl_auth/permission/forms.py:62 xl_auth/permission/forms.py:103
-#: xl_auth/user/forms.py:72 xl_auth/user/forms.py:125 xl_auth/user/forms.py:151
-#: xl_auth/user/forms.py:179
-msgid "You do not have sufficient privileges for this operation."
-msgstr ""
-
 #: tests/forms/test_client_edit.py:58 tests/forms/test_client_register.py:60
 msgid "Field must be between 3 and 64 characters long."
 msgstr ""
@@ -350,12 +358,18 @@ msgstr ""
 msgid "Field must be between 1 and 5 characters long."
 msgstr ""
 
-#: tests/forms/test_permission_edit.py:22 xl_auth/permission/forms.py:107
-#: xl_auth/permission/views.py:62 xl_auth/permission/views.py:88
+#: tests/forms/test_permission_delete.py:20 tests/forms/test_permission_edit.py:22
+#: xl_auth/permission/forms.py:107 xl_auth/permission/forms.py:163 xl_auth/permission/views.py:62
+#: xl_auth/permission/views.py:85
 #, python-format
 msgid "Permission ID \"%(permission_id)s\" does not exist"
 msgstr ""
 
+#: tests/forms/test_permission_delete.py:31 tests/forms/test_permission_delete.py:41
+#, python-format
+msgid "Invalid value, must be one of: %(values)s."
+msgstr ""
+
 #: tests/forms/test_permission_edit.py:73 tests/forms/test_permission_register.py:56
 #: xl_auth/permission/forms.py:48
 #, python-format
@@ -420,7 +434,7 @@ msgstr ""
 msgid "Scope"
 msgstr ""
 
-#: xl_auth/oauth/forms.py:15
+#: xl_auth/oauth/forms.py:15 xl_auth/templates/permissions/delete.html:19
 msgid "Confirm"
 msgstr ""
 
@@ -568,7 +582,7 @@ msgid "Edit Existing Collection"
 msgstr ""
 
 #: xl_auth/templates/collections/edit.html:29 xl_auth/templates/oauth/clients/edit.html:44
-#: xl_auth/templates/permissions/edit.html:35 xl_auth/templates/public/reset_password.html:22
+#: xl_auth/templates/permissions/edit.html:32 xl_auth/templates/public/reset_password.html:22
 #: xl_auth/templates/users/administer.html:25 xl_auth/templates/users/change_password.html:21
 #: xl_auth/templates/users/edit_details.html:17
 msgid "Save"
@@ -602,6 +616,7 @@ msgstr ""
 
 #: xl_auth/templates/collections/home.html:37 xl_auth/templates/collections/home.html:83
 #: xl_auth/templates/collections/view.html:14 xl_auth/templates/collections/view.html:26
+#: xl_auth/templates/permissions/home.html:29 xl_auth/templates/permissions/home.html:35
 #: xl_auth/templates/users/home.html:32 xl_auth/templates/users/home.html:85
 #: xl_auth/templates/users/profile.html:60
 msgid "View"
@@ -754,14 +769,18 @@ msgstr ""
 msgid "Delete Token"
 msgstr ""
 
-#: xl_auth/templates/permissions/edit.html:8
+#: xl_auth/templates/permissions/edit.html:5
 msgid "Edit Existing Permission"
 msgstr ""
 
 #: xl_auth/templates/permissions/home.html:9
 msgid "Existing Permissions"
 msgstr ""
 
+#: xl_auth/templates/permissions/home.html:49
+msgid "Delete Permission"
+msgstr ""
+
 #: xl_auth/templates/permissions/register.html:5
 msgid "Register New Permission"
 msgstr ""
@@ -1052,26 +1071,26 @@ msgid ""
 "href=\"mailto:[email protected]\">[email protected]</a>!</small></p>"
 msgstr ""
 
-#: xl_auth/user/views.py:41
+#: xl_auth/user/views.py:40
 msgid "ToS approved."
 msgstr ""
 
-#: xl_auth/user/views.py:73
+#: xl_auth/user/views.py:72
 #, python-format
 msgid "User \"%(username)s\" registered and emailed with a password reset link."
 msgstr ""
 
-#: xl_auth/user/views.py:77
+#: xl_auth/user/views.py:76
 #, python-format
 msgid "User \"%(username)s\" registered."
 msgstr ""
 
-#: xl_auth/user/views.py:153 xl_auth/user/views.py:177
+#: xl_auth/user/views.py:152 xl_auth/user/views.py:176
 #, python-format
 msgid "Thank you for updating user details for \"%(username)s\"."
 msgstr ""
 
-#: xl_auth/user/views.py:206
+#: xl_auth/user/views.py:205
 #, python-format
 msgid "Thank you for changing password for \"%(username)s\"."
 msgstr ""

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "xl_auth",
-  "version": "0.6.4",
+  "version": "0.7.0",
   "author": "National Library of Sweden",
   "license": "Apache-2.0",
   "description": "Authorization and OAuth2 provider for LibrisXL",

diff --git a/tests/end2end/test_permission_deleting.py b/tests/end2end/test_permission_deleting.py
@@ -8,10 +8,11 @@
 
 from xl_auth.permission.models import Permission
 
+from ..factories import PermissionFactory
+
 
-# noinspection PyUnusedLocal
 def test_superuser_can_delete_existing_permission(superuser, permission, testapp):
-    """Delete existing permission."""
+    """Delete existing permission as superuser."""
     old_count = len(Permission.query.all())
     # Goes to homepage
     res = testapp.get('/')
@@ -23,21 +24,68 @@ def test_superuser_can_delete_existing_permission(superuser, permission, testapp
     res = form.submit().follow()
     # Clicks Permissions button
     res = res.click(_('Permissions'))
-    # Clicks Edit button on a permission
-    res = res.click(href=url_for('permission.edit', permission_id=permission.id))
     # Clicks Delete button on a permission
     permission_user_email = permission.user.email
     permission_collection_code = permission.collection.code
-    res = res.click(_('Delete Permission')).follow()
+    res = res.click(href=url_for('permission.delete', permission_id=permission.id) +
+                    '\?next=' + url_for('permission.home'))
     assert res.status_code == 200
+    assert _('Acknowledge Deletion') in res
+    assert _('Delete permission for "%(username)s" on collection "%(code)s"?',
+             username=permission_user_email, code=permission_collection_code) in res
+    form = res.forms['deletePermissionForm']
+    form['acknowledged'] = 'y'
+    res = form.submit()
+    assert res.status_code == 302
+    assert url_for('permission.home') in res.location
+    res = res.follow()
+    # Permission was deleted, so number of permissions are 1 less than initial state
+    assert _('Successfully deleted permissions for "%(username)s" on collection "%(code)s".',
+             username=permission_user_email, code=permission_collection_code) in res
+    assert len(Permission.query.all()) == old_count - 1
+
+
+def test_cataloging_admin_can_delete_existing_permission(user, permission, superuser, testapp):
+    """Delete existing permission as cataloging admin for a collection."""
+    PermissionFactory(user=user, collection=permission.collection,
+                      cataloging_admin=True).save_as(superuser)
+    assert user.is_cataloging_admin_for(permission.collection) is True
+    old_count = len(Permission.query.all())
+    permission_user_email = permission.user.email
+    permission_collection_code = permission.collection.code
+    # Goes to homepage
+    res = testapp.get('/')
+    # Fills out login form
+    form = res.forms['loginForm']
+    form['username'] = user.email
+    form['password'] = 'myPrecious'
+    # Submits
+    res = form.submit().follow()
+
+    # We see no Permissions button
+    assert res.lxml.xpath("//a[contains(@text,'{0}')]".format(_('Permissions'))) == []
+
+    # Try to go there directly
+    testapp.get('/permissions/', status=403)
+
+    # Try to delete a specific permission directly
+    res = testapp.get(url_for('permission.delete', permission_id=permission.id))
+    form = res.forms['deletePermissionForm']
+    form['acknowledged'] = 'y'
+    res = form.submit()
+    assert res.status_code == 302
+    assert url_for('public.home') in res.location
+    res = res.follow()
+
     # Permission was deleted, so number of permissions are 1 less than initial state
     assert _('Successfully deleted permissions for "%(username)s" on collection "%(code)s".',
              username=permission_user_email, code=permission_collection_code) in res
     assert len(Permission.query.all()) == old_count - 1
 
 
 def test_user_cannot_delete_permission(user, permission, testapp):
-    """Attempt to delete a permission."""
+    """Attempt to delete a permission as non-cataloging admin user."""
+    assert user.is_cataloging_admin_for(permission.collection) is False
     old_count = len(Permission.query.all())
     # Goes to homepage
     res = testapp.get('/')
@@ -54,8 +102,12 @@ def test_user_cannot_delete_permission(user, permission, testapp):
     # Try to go there directly
     testapp.get('/permissions/', status=403)
 
-    # Try to delete
-    testapp.delete('/permissions/delete/1', status=403)
+    # Try to delete a specific permission directly
+    res = testapp.get(url_for('permission.delete', permission_id=permission.id))
+    form = res.forms['deletePermissionForm']
+    form['acknowledged'] = 'y'
+    res = form.submit()
+    assert _('You do not have sufficient privileges for this operation.') in res
 
     # Nothing was deleted
     assert len(Permission.query.all()) == old_count