Merge remote-tracking branch 'origin/edr_integration'

openprocurement · May 22, 2017 · 3555803 · 3555803
2 parents b2d154f + 371a71c
commit 3555803
Show file tree

Hide file tree

Showing 7 changed files with 89 additions and 15 deletions.
diff --git a/src/openprocurement/api/models.py b/src/openprocurement/api/models.py
@@ -466,7 +466,7 @@ class Options:
         'contractSigned', 'contractArrangements', 'contractSchedule',
         'contractAnnexe', 'contractGuarantees', 'subContract',
         'eligibilityCriteria', 'contractProforma', 'commercialProposal',
-        'qualificationDocuments', 'eligibilityDocuments',
+        'qualificationDocuments', 'eligibilityDocuments', 'registerExtract',
     ])
     title = StringType(required=True)  # A title of the document.
     title_en = StringType()

diff --git a/src/openprocurement/api/tests/auth.ini b/src/openprocurement/api/tests/auth.ini
@@ -24,4 +24,8 @@ broker2t = broker2t,2t
 reviewer = reviewer
 
 [admins]
-test = token
+test = token
+
+[bots]
+bot = bot
+
diff --git a/src/openprocurement/api/tests/award.py b/src/openprocurement/api/tests/award.py
@@ -2218,6 +2218,43 @@ def test_patch_tender_award_document(self):
         self.assertEqual(response.content_type, 'application/json')
         self.assertEqual(response.json['errors'][0]["description"], "Can't update document in current (complete) tender status")
 
+    def test_create_award_document_bot(self):
+        self.app.authorization = ('Basic', ('bot', 'bot'))
+        response = self.app.post('/tenders/{}/awards/{}/documents'.format(
+            self.tender_id, self.award_id), upload_files=[('file', 'edr_request.yaml', 'content')])
+        self.assertEqual(response.status, '201 Created')
+        self.assertEqual(response.content_type, 'application/json')
+        doc_id = response.json["data"]['id']
+        self.assertIn(doc_id, response.headers['Location'])
+        self.assertEqual('edr_request.yaml', response.json["data"]["title"])
+        if self.docservice:
+            self.assertIn('Signature=', response.json["data"]["url"])
+            self.assertIn('KeyID=', response.json["data"]["url"])
+            self.assertNotIn('Expires=', response.json["data"]["url"])
+            key = response.json["data"]["url"].split('/')[-1].split('?')[0]
+            tender = self.db.get(self.tender_id)
+            self.assertIn(key, tender['awards'][-1]['documents'][-1]["url"])
+            self.assertIn('Signature=', tender['awards'][-1]['documents'][-1]["url"])
+            self.assertIn('KeyID=', tender['awards'][-1]['documents'][-1]["url"])
+            self.assertNotIn('Expires=', tender['awards'][-1]['documents'][-1]["url"])
+
+    def test_patch_not_author(self):
+        authorization = self.app.authorization
+        self.app.authorization = ('Basic', ('bot', 'bot'))
+        response = self.app.post('/tenders/{}/awards/{}/documents?acc_token={}'.format(self.tender_id, self.award_id, self.tender_token),
+                                 upload_files=[('file', 'name.doc', 'content')])
+        self.assertEqual(response.status, '201 Created')
+        self.assertEqual(response.content_type, 'application/json')
+        doc_id = response.json["data"]['id']
+        self.assertIn(doc_id, response.headers['Location'])
+
+        self.app.authorization = authorization
+        response = self.app.patch_json('/tenders/{}/awards/{}/documents/{}'.format(self.tender_id, self.award_id, doc_id),
+                                       {"data": {"description": "document description"}}, status=403)
+        self.assertEqual(response.status, '403 Forbidden')
+        self.assertEqual(response.content_type, 'application/json')
+        self.assertEqual(response.json['errors'][0]["description"], "Can update document only author")
+
 
 class TenderAwardDocumentWithDSResourceTest(TenderAwardDocumentResourceTest):
     docservice = True

diff --git a/src/openprocurement/api/tests/tender.py b/src/openprocurement/api/tests/tender.py
@@ -1519,6 +1519,28 @@ def test_tender_Administrator_change(self):
         self.assertEqual(response.content_type, 'application/json')
         self.assertEqual(response.json['data']['mode'], u'test')
 
+    def test_patch_not_author(self):
+        response = self.app.post_json('/tenders', {'data': test_tender_data})
+        self.assertEqual(response.status, '201 Created')
+        tender = response.json['data']
+        owner_token = response.json['access']['token']
+
+        authorization = self.app.authorization
+        self.app.authorization = ('Basic', ('bot', 'bot'))
+
+        response = self.app.post('/tenders/{}/documents'.format(tender['id']),
+                                 upload_files=[('file', 'name.doc', 'content')])
+        self.assertEqual(response.status, '201 Created')
+        self.assertEqual(response.content_type, 'application/json')
+        doc_id = response.json["data"]['id']
+        self.assertIn(doc_id, response.headers['Location'])
+
+        self.app.authorization = authorization
+        response = self.app.patch_json('/tenders/{}/documents/{}?acc_token={}'.format(tender['id'], doc_id, owner_token),
+                                       {"data": {"description": "document description"}}, status=403)
+        self.assertEqual(response.status, '403 Forbidden')
+        self.assertEqual(response.content_type, 'application/json')
+        self.assertEqual(response.json['errors'][0]["description"], "Can update document only author")
 
 class TenderProcessTest(BaseTenderWebTest):
     setUp = BaseWebTest.setUp

diff --git a/src/openprocurement/api/traversal.py b/src/openprocurement/api/traversal.py
@@ -30,6 +30,7 @@ class Root(object):
         (Allow, 'g:Administrator', 'edit_tender'),
         (Allow, 'g:Administrator', 'edit_bid'),
         (Allow, 'g:admins', ALL_PERMISSIONS),
+        (Allow, 'g:bots', 'upload_tender_documents')
     ]
 
     def __init__(self, request):

diff --git a/src/openprocurement/api/views/award_document.py b/src/openprocurement/api/views/award_document.py
@@ -33,6 +33,10 @@ def validate_award_document(self, operation):
             self.request.errors.add('body', 'data', 'Can {} document only in active lot status'.format(operation))
             self.request.errors.status = 403
             return
+        if operation == 'update' and self.request.authenticated_role != (self.context.author or 'tender_owner'):
+            self.request.errors.add('url', 'role', 'Can update document only author')
+            self.request.errors.status = 403
+            return
         return True
 
     @json_view(permission='view_tender')
@@ -47,13 +51,14 @@ def collection_get(self):
             ]).values(), key=lambda i: i['dateModified'])
         return {'data': collection_data}
 
-    @json_view(validators=(validate_file_upload,), permission='edit_tender')
+    @json_view(validators=(validate_file_upload,), permission='upload_tender_documents')
     def collection_post(self):
         """Tender Award Document Upload
         """
         if not self.validate_award_document('add'):
             return
         document = upload_file(self.request)
+        document.author = self.request.authenticated_role
         self.context.documents.append(document)
         if save_tender(self.request):
             self.LOGGER.info('Created tender award document {}'.format(document.id),

diff --git a/src/openprocurement/api/views/tender_document.py b/src/openprocurement/api/views/tender_document.py
@@ -24,6 +24,19 @@
             description="Tender related binary files (PDFs, etc.)")
 class TenderDocumentResource(APIResource):
 
+    def validate_document(self, operation):
+        if self.request.authenticated_role != 'auction' and self.request.validated['tender_status'] != 'active.enquiries' or \
+           self.request.authenticated_role == 'auction' and self.request.validated['tender_status'] not in ['active.auction', 'active.qualification']:
+            self.request.errors.add('body', 'data', 'Can\'t {operation} document in current ({tender_status}) tender status'.format(
+                operation=operation, tender_status=self.request.validated['tender_status']))
+            self.request.errors.status = 403
+            return
+        if operation == 'update' and self.request.authenticated_role != (self.context.author or 'tender_owner'):
+            self.request.errors.add('url', 'role', 'Can update document only author')
+            self.request.errors.status = 403
+            return
+        return True
+
     @json_view(permission='view_tender')
     def collection_get(self):
         """Tender Documents List"""
@@ -39,12 +52,10 @@ def collection_get(self):
     @json_view(permission='upload_tender_documents', validators=(validate_file_upload,))
     def collection_post(self):
         """Tender Document Upload"""
-        if self.request.authenticated_role != 'auction' and self.request.validated['tender_status'] != 'active.enquiries' or \
-           self.request.authenticated_role == 'auction' and self.request.validated['tender_status'] not in ['active.auction', 'active.qualification']:
-            self.request.errors.add('body', 'data', 'Can\'t add document in current ({}) tender status'.format(self.request.validated['tender_status']))
-            self.request.errors.status = 403
+        if not self.validate_document('add'):
             return
         document = upload_file(self.request)
+        document.author = self.request.authenticated_role
         self.context.documents.append(document)
         if save_tender(self.request):
             self.LOGGER.info('Created tender document {}'.format(document.id),
@@ -71,10 +82,7 @@ def get(self):
     @json_view(permission='upload_tender_documents', validators=(validate_file_update,))
     def put(self):
         """Tender Document Update"""
-        if self.request.authenticated_role != 'auction' and self.request.validated['tender_status'] != 'active.enquiries' or \
-           self.request.authenticated_role == 'auction' and self.request.validated['tender_status'] not in ['active.auction', 'active.qualification']:
-            self.request.errors.add('body', 'data', 'Can\'t update document in current ({}) tender status'.format(self.request.validated['tender_status']))
-            self.request.errors.status = 403
+        if not self.validate_document('update'):
             return
         document = upload_file(self.request)
         self.request.validated['tender'].documents.append(document)
@@ -86,10 +94,7 @@ def put(self):
     @json_view(content_type="application/json", permission='upload_tender_documents', validators=(validate_patch_document_data,))
     def patch(self):
         """Tender Document Update"""
-        if self.request.authenticated_role != 'auction' and self.request.validated['tender_status'] != 'active.enquiries' or \
-           self.request.authenticated_role == 'auction' and self.request.validated['tender_status'] not in ['active.auction', 'active.qualification']:
-            self.request.errors.add('body', 'data', 'Can\'t update document in current ({}) tender status'.format(self.request.validated['tender_status']))
-            self.request.errors.status = 403
+        if not self.validate_document('update'):
             return
         if apply_patch(self.request, src=self.request.context.serialize()):
             update_file_content_type(self.request)