Merge pull request #723 from Ilhasoft/fix/repository_user_authorization

Fix/repository user authorization
weni-ai · Jul 18, 2022 · e10aaf6 · e10aaf6
2 parents c3cb112 + a06454d
commit e10aaf6
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 7 deletions.
diff --git a/bothub/common/models.py b/bothub/common/models.py
@@ -906,16 +906,18 @@ def get_specific_version_id(self, repository_version, language=None):
     def get_user_authorization(self, user):
         if user.is_anonymous:
             return RepositoryAuthorization(repository=self)
-        get, created = RepositoryAuthorization.objects.get_or_create(
+        repo_auth, created = RepositoryAuthorization.objects.get_or_create(
             user=user.repository_owner, repository=self
         )
         if self.owner.is_organization:
-            org_role = self.owner.organization.get_organization_authorization(user).role
-            if get.role != org_role and get.role == 0:
-                get.role = org_role
-                get.save()
-
-        return get
+            org_auth = self.owner.organization.get_organization_authorization(user)
+
+            # Excluding ROLE_TRANSLATE as it does not correspond to the same role in the client app (connect).
+            # todo: update this conditional with corresponding role rule
+            if repo_auth.role < org_auth.role and org_auth.role < RepositoryAuthorization.ROLE_TRANSLATE:
+                repo_auth.role = org_auth.role
+                repo_auth.save(update_fields=['role'])
+        return repo_auth
 
     def get_absolute_url(self):
         return "{}dashboard/{}/{}/".format(

diff --git a/bothub/common/tests.py b/bothub/common/tests.py
@@ -15,6 +15,8 @@
     RepositoryQueueTask,
     QAKnowledgeBase,
     QAtext,
+    Organization,
+    OrganizationAuthorization
 )
 from .models import RepositoryAuthorization
 from .models import RepositoryEntity
@@ -544,6 +546,7 @@ class RepositoryAuthorizationTestCase(TestCase):
     def setUp(self):
         self.owner = User.objects.create_user("owner@user.com", "owner")
         self.user = User.objects.create_user("fake@user.com", "user")
+        self.collaborator = User.objects.create_user("colaborator@user.com", "collaborator")
 
         self.repository = Repository.objects.create(
             owner=self.owner.repository_owner, name="Test", slug="test"
@@ -554,6 +557,12 @@ def setUp(self):
             slug="private",
             is_private=True,
         )
+        self.organization = Organization.objects.create(name="Weni")
+        self.organization_repository = Repository.objects.create(
+            owner=self.organization,
+            name="Organization Repository",
+            slug="organization_repository"
+        )
 
     def test_admin_level(self):
         authorization = self.repository.get_user_authorization(self.owner)
@@ -682,6 +691,50 @@ def test_role_contributor_can_contribute(self):
         authorization_user.save()
         self.assertTrue(authorization_user.can_contribute)
 
+    def test_organization_auth_over_repository_auth(self):
+        """
+        Tests that a User's authorization role is of the highest level possible in a Repository,
+        either using the RepositoryAuthorization or the OrganizationAuthorization.
+        The expected behavior is that the organization's authorization role should be passed to the repository's authorization for that user.
+        """
+
+        # The role that the user should inherit from the organization authorization inside the repository.
+        initial_organization_role = OrganizationAuthorization.ROLE_ADMIN
+
+        # Set user's role to a low level at the Repository
+        collaborator_repository_auth, created = RepositoryAuthorization.objects.get_or_create(
+            user=self.collaborator, repository=self.organization_repository, role=RepositoryAuthorization.ROLE_USER
+        )
+        # Set user's role to a high level at the Organization
+        collaborator_organization_auth = self.organization.organization_authorizations.create(
+            user=self.collaborator, role=initial_organization_role
+        )
+
+        # Validate that their access level corresponds to their role in the Organization and not the Repository, as it is higher at this point.
+        user_authorization = self.organization_repository.get_user_authorization(self.collaborator)
+        self.assertEqual(user_authorization.role, collaborator_organization_auth.role)
+
+        # Lower their level inside the Organization
+        collaborator_organization_auth.role = OrganizationAuthorization.ROLE_NOT_SETTED
+        collaborator_organization_auth.save()
+
+        # Validate that the repository authorization level was updated.
+        collaborator_repository_auth.refresh_from_db()
+        self.assertEqual(collaborator_repository_auth.role, initial_organization_role)
+
+        # Validate that the user's level is now the Repository's and not the Organization's, as it is higher.
+        user_authorization = self.organization_repository.get_user_authorization(self.collaborator)
+        self.assertEqual(user_authorization.role, collaborator_repository_auth.role)
+
+        # Verify that org auth with (role >= 4) will not update the repository's authorization
+
+        # Set user's role to ROLE_TRANSLATE level at the Organization
+        collaborator_organization_auth.role = OrganizationAuthorization.ROLE_TRANSLATE
+        collaborator_organization_auth.save()
+
+        user_authorization = self.organization_repository.get_user_authorization(self.collaborator)
+        self.assertEqual(user_authorization.role, collaborator_repository_auth.role)
+
 
 class RepositoryVersionTrainingTestCase(TestCase):
     def setUp(self):