Merge pull request #3157 from kobotoolbox/3153-fix-user-in-kobocat-proxy-request

noliveleger · web-flow · commit 8dccba46d5f0 · 2021-05-14T11:02:57.000-04:00
Fix kobocat proxy request user
diff --git a/jsapp/js/actions.es6 b/jsapp/js/actions.es6
@@ -539,7 +539,7 @@ actions.resources.duplicateSubmission.listen((uid, sid, duplicatedSubmission) =>
       actions.resources.loadAsset({id: uid});
     })
     .fail((response) => {
-      alertify.error(t('Failed to duplciate submisson'));
+      alertify.error(t('Failed to duplicate submisson'));
       actions.resources.duplicateSubmission.failed(response);
     });
 });
diff --git a/jsapp/js/components/modalForms/submission.es6 b/jsapp/js/components/modalForms/submission.es6
@@ -457,6 +457,7 @@ class Submission extends React.Component {
               }
 
               {this.userCan('change_submissions', this.props.asset) &&
+                      this.userCan('add_submissions', this.props.asset) &&
                 <a
                   onClick={this.duplicateSubmission.bind(this)}
                   className='kobo-button kobo-button--blue submission-duplicate__button'
diff --git a/kpi/deployment_backends/kobocat_backend.py b/kpi/deployment_backends/kobocat_backend.py
@@ -664,24 +664,24 @@ def format_openrosa_datetime(dt: Optional[datetime] = None) -> str:
         return dt.isoformat('T', 'milliseconds')
 
     def duplicate_submission(
-        self, requesting_user_id: int, instance_id: int
+        self, requesting_user: 'auth.User', instance_id: int
     ) -> dict:
         """
-        Dupicates a single submission proxied through kobocat. The submission
+        Duplicates a single submission proxied through kobocat. The submission
         with the given `instance_id` is duplicated and the `start`, `end` and
         `instanceID` parameters of the submission are reset before being posted
         to kobocat.
 
         Args:
-            requesting_user_id (int)
+            requesting_user ('auth.User')
             instance_id (int)
 
         Returns:
             dict: message response from kobocat and uuid of created submission
             if successful
         """
         params = self.validate_submission_list_params(
-            requesting_user_id,
+            requesting_user.id,
             format_type=INSTANCE_FORMAT_TYPE_XML,
             instance_ids=[instance_id],
         )
@@ -711,12 +711,12 @@ def duplicate_submission(
             method='POST', url=self.submission_url, files=files
         )
         kc_response = self.__kobocat_proxy_request(
-            kc_request, user=self.asset.owner
+            kc_request, user=requesting_user
         )
 
         if kc_response.status_code == status.HTTP_201_CREATED:
             return next(
-                self.get_submissions(requesting_user_id, query={'_uuid': _uuid})
+                self.get_submissions(requesting_user.id, query={'_uuid': _uuid})
             )
         else:
             raise KobocatDuplicateSubmissionException
@@ -775,7 +775,7 @@ def set_validation_statuses(self, data, user, method):
         return self.__prepare_as_drf_response_signature(kc_response)
 
     def bulk_update_submissions(
-        self, request_data: dict, requesting_user_id: int
+        self, request_data: dict, requesting_user: 'auth.User'
     ) -> dict:
         """
         Allows for bulk updating of submissions proxied through kobocat. A
@@ -788,15 +788,15 @@ def bulk_update_submissions(
         Args:
             request_data (dict): must contain a list of `submission_ids` and at
                 least one other key:value field for updating the submissions
-            requesting_user_id (int)
+            requesting_user ('auth.User')
 
         Returns:
             dict: formatted dict to be passed to a Response object
         """
         payload = self.__prepare_bulk_update_payload(request_data)
         kwargs = {'instance_ids': payload.pop('submission_ids')}
         params = self.validate_submission_list_params(
-            requesting_user_id, format_type=INSTANCE_FORMAT_TYPE_XML, **kwargs
+            requesting_user.id, format_type=INSTANCE_FORMAT_TYPE_XML, **kwargs
         )
         submissions = list(self.__get_submissions_in_xml(**params))
         validated_submissions = self.__validate_bulk_update_submissions(
@@ -865,7 +865,7 @@ def bulk_update_submissions(
                 method='POST', url=self.submission_url, files=files
             )
             kc_response = self.__kobocat_proxy_request(
-                kc_request, user=self.asset.owner
+                kc_request, user=requesting_user
             )
 
             kc_responses.append(
diff --git a/kpi/deployment_backends/mock_backend.py b/kpi/deployment_backends/mock_backend.py
@@ -207,7 +207,7 @@ def get_submissions(self, requesting_user_id,
         return submissions
 
     def duplicate_submission(
-        self, requesting_user_id: int, instance_id: int, **kwargs: dict
+        self, requesting_user: 'auth.User', instance_id: int, **kwargs: dict
     ) -> dict:
         # TODO: Make this operate on XML somehow and reuse code from
         # KobocatDeploymentBackend, to catch issues like #3054
@@ -268,7 +268,7 @@ def __prepare_bulk_update_response(kc_responses: list) -> dict:
         }
 
     def bulk_update_submissions(
-        self, request_data: dict, requesting_user_id: int
+        self, request_data: dict, requesting_user: 'auth.User'
     ) -> dict:
         payload = self.__prepare_bulk_update_payload(request_data)
         all_submissions = copy.copy(self.asset._deployment_data['submissions'])
diff --git a/kpi/permissions.py b/kpi/permissions.py
@@ -262,7 +262,10 @@ class EditSubmissionPermission(SubmissionPermission):
 class DuplicateSubmissionPermission(SubmissionPermission):
     perms_map = {
         'GET': ['%(app_label)s.view_%(model_name)s'],
-        'POST': ['%(app_label)s.change_%(model_name)s'],
+        'POST': [
+            '%(app_label)s.add_%(model_name)s',
+            '%(app_label)s.change_%(model_name)s',
+        ],
     }
 
 
diff --git a/kpi/tests/api/v2/test_api_submissions.py b/kpi/tests/api/v2/test_api_submissions.py
@@ -11,6 +11,7 @@
 from rest_framework import status
 
 from kpi.constants import (
+    PERM_ADD_SUBMISSIONS,
     PERM_CHANGE_ASSET,
     PERM_CHANGE_SUBMISSIONS,
     PERM_DELETE_SUBMISSIONS,
@@ -532,8 +533,23 @@ def test_duplicate_submission_by_anotheruser_shared_view_only_not_allowed(self):
         response = self.client.post(self.submission_url, {'format': 'json'})
         assert response.status_code == status.HTTP_403_FORBIDDEN
 
-    def test_duplicate_submission_by_anotheruser_shared_allowed(self):
-        self._share_with_another_user(view_only=False)
+    def test_duplicate_submission_by_anotheruser_shared_change_not_allowed(self):
+        self.asset.assign_perm(self.anotheruser, PERM_CHANGE_SUBMISSIONS)
+        self._log_in_as_another_user()
+        response = self.client.post(self.submission_url, {'format': 'json'})
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_duplicate_submission_by_anotheruser_shared_add_not_allowed(self):
+        for perm in [PERM_VIEW_SUBMISSIONS, PERM_ADD_SUBMISSIONS]:
+            self.asset.assign_perm(self.anotheruser, perm)
+        self._log_in_as_another_user()
+        response = self.client.post(self.submission_url, {'format': 'json'})
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_duplicate_submission_by_anotheruser_shared_add_and_change_allowed(self):
+        # user needs both `add_submissions` and `change_submissions` permissions
+        for perm in [PERM_CHANGE_SUBMISSIONS, PERM_ADD_SUBMISSIONS]:
+            self.asset.assign_perm(self.anotheruser, perm)
         self._log_in_as_another_user()
         response = self.client.post(self.submission_url, {'format': 'json'})
         assert response.status_code == status.HTTP_201_CREATED
diff --git a/kpi/views/v2/data.py b/kpi/views/v2/data.py
@@ -3,6 +3,7 @@
 from django.http import Http404
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import (
+    exceptions,
     renderers,
     serializers,
     status,
@@ -13,7 +14,11 @@
 from rest_framework.response import Response
 from rest_framework_extensions.mixins import NestedViewSetMixin
 
-from kpi.constants import INSTANCE_FORMAT_TYPE_JSON
+from kpi.constants import (
+    INSTANCE_FORMAT_TYPE_JSON,
+    PERM_ADD_SUBMISSIONS,
+    PERM_CHANGE_SUBMISSIONS,
+)
 from kpi.exceptions import ObjectDeploymentDoesNotExist
 from kpi.models import Asset
 from kpi.paginators import DataPagination
@@ -287,7 +292,7 @@ def bulk(self, request, *args, **kwargs):
                                                           request.user)
         elif request.method == 'PATCH':
             json_response = deployment.bulk_update_submissions(
-                dict(request.data), request.user.id
+                dict(request.data), request.user
             )
         return Response(**json_response)
 
@@ -367,7 +372,7 @@ def duplicate(self, request, pk, *args, **kwargs):
         """
         deployment = self._get_deployment()
         duplicate_response = deployment.duplicate_submission(
-            requesting_user_id=request.user.id, instance_id=positive_int(pk)
+            requesting_user=request.user, instance_id=positive_int(pk)
         )
         return Response(duplicate_response, status=status.HTTP_201_CREATED)
 
diff --git a/locale b/locale
@@ -1 +1 @@
-Subproject commit edbed4494fe2aa5c1117c8ef881da441f836d3a9
+Subproject commit ddfbcf28622a9de1c0a762fffd766e47ae0ef8fa

Original file line number	Diff line number	Diff line change
`@@ -457,6 +457,7 @@ class Submission extends React.Component {`
`457`	`457`	`}`
`458`	`458`
`459`	`459`	`{this.userCan('change_submissions', this.props.asset) &&`
	`460`	`+ this.userCan('add_submissions', this.props.asset) &&`
`460`	`461`	`<a`
`461`	`462`	`onClick={this.duplicateSubmission.bind(this)}`
`462`	`463`	`className='kobo-button kobo-button--blue submission-duplicate__button'`