Merge pull request #210 from sheagcraig/refactor_ga_access

Refactor and audit access code

api/fixtures/user_fixture.json

@@ -16,5 +16,23 @@
         "groups": [],
         "user_permissions": []
     }
+},
+{
+    "model": "auth.user",
+    "pk": 1,
+    "fields": {
+        "password": "pbkdf2_sha256$30000$g1EC98oJym9p$Qcu1EsYs6gvycsviDQS9ecMER8rdu8GM8RpQAFNjMo4=",
+        "last_login": null,
+        "is_superuser": false,
+        "username": "staff_test_user",
+        "first_name": "",
+        "last_name": "",
+        "email": "",
+        "is_staff": true,
+        "is_active": true,
+        "date_joined": "2018-01-23T14:41:29.940Z",
+        "groups": [],
+        "user_permissions": []
+    }
 }
 ]

inventory/migrations/0008_auto_20161012_2329.py

@@ -15,11 +15,11 @@ def clean_inventory(apps, schema_editor):
     Inventory = apps.get_model("inventory", "Inventory")
     Machine = apps.get_model("server", "Machine")
     for machine in Machine.objects.all():
-        all_inventory = Inventory.objects.all().filter(machine=machine)
+        all_inventory = Inventory.objects.filter(machine=machine)
         if all_inventory.count() != 0:
-            first_inventory = Inventory.objects.all().filter(
+            first_inventory = Inventory.objects.filter(
                 machine=machine)[:1].values_list("id", flat=True)
-            Inventory.objects.all().filter(machine=machine).exclude(pk__in=list(first_inventory)).delete()
+            Inventory.objects.filter(machine=machine).exclude(pk__in=list(first_inventory)).delete()
 
 
 class Migration(migrations.Migration):

inventory/tests/test_inventory.py

@@ -30,12 +30,12 @@ def test_no_access(self):
         response = self.client.get('/inventory/machine/1/')
         self.assertEqual(response.status_code, 403)
 
-    def test_access_404(self):
+    def test_access_403(self):
         self.client.force_login(self.test_user)
 
-        # User should not have access to anything yet (403)
+        # User should not have access to anything yet (404)
         response = self.client.get('/inventory/machine/3/')
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 404)
 
         # Add GA privileges to user and try again
         # Expect 404 since it doesn't exist!

inventory/views.py

@@ -389,7 +389,7 @@ def _get_filtered_queryset(self):
 
     def _get_unique_items(self, details):
         """Use optimized DB methods for getting unique items if possible."""
-        if is_postgres():
+        if utils.is_postgres():
             versions = details.order_by("version").distinct(
                 "version").values_list("version", flat=True)
             paths = details.order_by("path").distinct("path").values_list(
@@ -459,7 +459,7 @@ def get(self, request, *args, **kwargs):
             if group_type != "all":
                 self.components.append(group_id)
 
-            if is_postgres():
+            if utils.is_postgres():
                 apps = [self.get_application_entry(item, queryset) for item in
                         queryset.select_related("application").order_by(
                 ).distinct("application")]
@@ -565,14 +565,14 @@ def inventory_submit(request):
                             path=item.get('path', ''),
                             machine=machine
                         )
-                        if is_postgres():
+                        if utils.is_postgres():
                             inventory_items_to_be_created.append(i_item)
                         else:
                             i_item.save()
                 machine.last_inventory_update = timezone.now()
                 inventory_meta.save()
 
-                if is_postgres():
+                if utils.is_postgres():
                     InventoryItem.objects.bulk_create(
                         inventory_items_to_be_created)
             machine.save()
@@ -598,9 +598,3 @@ def inventory_hash(request, serial):
     else:
         return HttpResponse("MACHINE NOT FOUND")
     return HttpResponse(sha256hash)
-
-
-def is_postgres():
-    postgres_backend = 'django.db.backends.postgresql_psycopg2'
-    db_setting = settings.DATABASES['default']['ENGINE']
-    return db_setting == postgres_backend

licenses/views.py

@@ -1,83 +1,67 @@
-from django.http import HttpResponse, HttpRequest, HttpResponseRedirect
-from django.template import RequestContext, Template, Context
-from django.shortcuts import render, get_object_or_404, redirect
-from django.http import Http404
+import json
+import plistlib
+
 from django.contrib.auth.decorators import login_required, permission_required
+from django.http import (Http404, HttpRequest, HttpResponse, HttpResponseRedirect)
+from django.shortcuts import get_object_or_404, redirect, render
+from django.template import Context, RequestContext, Template
 from django.template.context_processors import csrf
-from forms import *
 
-import plistlib
-import json
-from server.models import *
+from forms import *
 from licenses.models import *
-from server import views as server_views
+from sal.decorators import *
+from server.models import *
 
 
 @login_required
+@required_level(ProfileLevel.global_admin)
 def license_index(request):
-    '''Sal index page for licenses.'''
-    all_licenses = License.objects.all()
-    user = request.user
-    user_level = user.userprofile.level
-    if user_level != 'GA':
-        return redirect(server_views.index)
-    c = {'request': request,
-         'licenses': all_licenses,
-         'user': request.user,
-         'page': 'licenses'}
-    return render(request, 'licenses/index.html', c)
+    """Sal index page for licenses."""
+    context = {'request': request,
+               'licenses': License.objects.all(),
+               'user': request.user,
+               'page': 'licenses'}
+    return render(request, 'licenses/index.html', context)
 
 
 @login_required
+@required_level(ProfileLevel.global_admin)
 def new_license(request):
-    '''Creates a new License object'''
-    c = {}
-    user = request.user
-    user_level = user.userprofile.level
-    if user_level != 'GA':
-        return redirect(server_views.index)
-    c.update(csrf(request))
+    """Creates a new License object"""
     if request.method == 'POST':
         form = LicenseForm(request.POST)
         if form.is_valid():
             form.save()
             return redirect(license_index)
     else:
         form = LicenseForm()
-    c = {'form': form}
 
-    return render(request, 'forms/new_license.html', c)
+    context = {'form': form}
+
+    return render(request, 'forms/new_license.html', context)
 
 
 @login_required
+@required_level(ProfileLevel.global_admin)
 def edit_license(request, license_id):
-    user = request.user
-    user_level = user.userprofile.level
-    if user_level != 'GA':
-        raise Http404
     license = get_object_or_404(License, pk=license_id)
-    c = {}
-    c.update(csrf(request))
 
     if request.method == 'POST':
-
         form = LicenseForm(request.POST, instance=license)
         if form.is_valid():
             license = form.save()
             return redirect(license_index)
     else:
         form = LicenseForm(instance=license)
-    c = {'form': form, 'license': license}
 
-    return render(request, 'forms/edit_license.html', c)
+    context = {'form': form, 'license': license}
+
+    return render(request, 'forms/edit_license.html', context)
 
 
 @login_required
+@required_level(ProfileLevel.global_admin)
 def delete_license(request, license_id):
-    user = request.user
-    user_level = user.userprofile.level
-    if user_level != 'GA':
-        return redirect(index)
     license = get_object_or_404(License, pk=license_id)
     license.delete()
     return redirect(license_index)
@@ -108,7 +92,7 @@ def available(request, key, item_name=''):
                 pass
     else:
         # return everything
-        licenses = License.objects.all().filter(business_unit=business_unit)
+        licenses = License.objects.filter(business_unit=business_unit)
         for license in licenses:
             info[license.item_name] = license.available()