add restricted users to the client/site that they are adding to the system

2021-11-07 07:56:12 -05:00 · 2021-11-07 07:56:12 -05:00 · b079eebe79
parent 363e48a1e8
commit b079eebe79
2 changed files with 40 additions and 0 deletions
--- a/api/tacticalrmm/clients/tests.py
+++ b/api/tacticalrmm/clients/tests.py
@ -839,3 +839,35 @@ class TestClientPermissions(TacticalTestCase):

        self.check_authorized("delete", url)
        self.check_not_authorized("delete", unauthorized_url)
+
+    def test_restricted_user_creating_clients(self):
+        from accounts.models import User
+
+        # when a user that is limited to a specific subset of clients creates a client. It should allow access to that client
+        client = baker.make("clients.Client")
+        user = self.create_user_with_roles(["can_manage_clients"])
+        self.client.force_authenticate(user=user)  # type: ignore
+        user.role.can_view_clients.set([client])
+
+        data = {"client": {"name": "New Client"}, "site": {"name": "New Site"}}
+
+        self.client.post(f"{base_url}/", data, format="json")
+
+        # make sure two clients are allowed now
+        self.assertEqual(User.objects.get(id=user.id).role.can_view_clients.count(), 2)
+
+    def test_restricted_user_creating_sites(self):
+        from accounts.models import User
+
+        # when a user that is limited to a specific subset of clients creates a client. It should allow access to that client
+        site = baker.make("clients.Site")
+        user = self.create_user_with_roles(["can_manage_sites"])
+        self.client.force_authenticate(user=user)  # type: ignore
+        user.role.can_view_sites.set([site])
+
+        data = {"site": {"client": site.client.id, "name": "New Site"}}
+
+        self.client.post(f"{base_url}/sites/", data, format="json")
+
+        # make sure two sites are allowed now
+        self.assertEqual(User.objects.get(id=user.id).role.can_view_sites.count(), 2)
--- a/api/tacticalrmm/clients/views.py
+++ b/api/tacticalrmm/clients/views.py
@ -76,6 +76,10 @@ class GetAddClients(APIView):
                serializer.is_valid(raise_exception=True)
                serializer.save()

+        # add user to allowed clients in role if restricted user created the client
+        if request.user.role and request.user.role.can_view_clients.exists():
+            request.user.role.can_view_clients.add(client)
+
        return Response(f"{client.name} was added")


@ -167,6 +171,10 @@ class GetAddSites(APIView):
                serializer.is_valid(raise_exception=True)
                serializer.save()

+        # add user to allowed sites in role if restricted user created the client
+        if request.user.role and request.user.role.can_view_sites.exists():
+            request.user.role.can_view_sites.add(site)
+
        return Response(f"Site {site.name} was added!")