From b579da6a594c9a072fecdf65253b8485e0c13685 Mon Sep 17 00:00:00 2001
From: Harsha Kethineni
Date: Mon, 25 Sep 2017 11:29:58 -0500
Subject: [PATCH] superuser searches don't have permissions in filter
---
 api/handlers/dataexplorerhandler.py | 9 +++---
 test/unit_tests/python/test_dataexplorer.py | 35 +++++++++++++++++----
 2 files changed, 34 insertions(+), 10 deletions(-)
diff --git a/api/handlers/dataexplorerhandler.py b/api/handlers/dataexplorerhandler.py
index ce76e26da..2979bcc9b 100644
--- a/api/handlers/dataexplorerhandler.py
+++ b/api/handlers/dataexplorerhandler.py
@@ -375,8 +375,8 @@ def _parse_request(self, request_type='search'):
 else:
 modified_filters.append(f)
- # Add permissions filter to list if user is not requesting all data
- if not request.get('all_data', False):
+ # Add permissions filter to list if user is not requesting all data or is superuser
+ if not request.get('all_data', False) and not self.superuser_request:
 modified_filters.append({'term': {'permissions._id': self.uid}})
 # Parse and "validate" search_string, allowed to be non-existent
@@ -396,8 +396,9 @@ def aggregate_field_values(self):
 field_name = self.request.json_body['field_name']
 except (KeyError, ValueError):
 self.abort(400, 'Field name is required')
-
- filters = [{'term': {'permissions._id': self.uid}}]
+ filters = []
+ if not self.superuser_request:
+ filters = [{'term': {'permissions._id': self.uid}}]
 try:
 field = config.es.get(index='data_explorer_fields', id=field_name, doc_type='flywheel_field')
 except TransportError as e:
diff --git a/test/unit_tests/python/test_dataexplorer.py b/test/unit_tests/python/test_dataexplorer.py
index ca9be3c20..b8361d097 100644
--- a/test/unit_tests/python/test_dataexplorer.py
+++ b/test/unit_tests/python/test_dataexplorer.py
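Review bot: The rewritten comment in `_parse_request` can be read as saying the permissions filter is added when the caller is a superuser, which is the opposite of the condition directly below it. Because this line decides whether the `permissions._id` term is applied at all, wording such as `# Restrict results to the caller's permissions unless all_data was requested or this is a superuser request` would be safer for the next maintainer. The hunk does not show how `self.superuser_request` is set, and `all_data` is read straight from the request body, so it is worth confirming that both bypasses are intended for every caller that can reach this handler. The function body starts and ends outside the hunk.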
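Review bot: `aggregate_field_values` now builds the same `permissions._id` term as `_parse_request` but with a different skip rule (superuser only, no `all_data` check), so the two access filters are maintained separately and can drift apart. The three added lines could be a single expression, `filters = [] if self.superuser_request else [{'term': {'permissions._id': self.uid}}]`, and ideally both handlers would obtain the term from one shared helper so the authorization rule lives in one place. The function body continues outside the hunk.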
@@ -47,8 +47,7 @@ def test_search(as_public, as_drone, es):
 'must': {'match': {'_all': 'search'}},
 'filter': {'bool': {'must': [
 {'terms': {filter_key + '.raw': filter_value}},
- {'range': filter_range},
- {'term': {'permissions._id': None}}
+ {'range': filter_range}
 ]}},
 }},
 'aggs': {'by_container': {'terms':
@@ -146,6 +145,30 @@ def test_search(as_public, as_drone, es):
 assert r.ok
 assert r.json['results'] == formatted_file_results
+ # Drone search without self.uid and all_data set to false
+ es.search.return_value = {'hits': {'hits': copy.deepcopy(raw_file_results)}}
+ r = as_drone.post('/dataexplorer/search', json={'return_type': cont_type, 'all_data': False, 'search_string': search_str, 'filters': [
+ {'terms': {filter_key: filter_value}},
+ {'range': filter_range},
+ ]})
+ es.search.assert_called_with(
+ body={
+ '_source': deh.SOURCE[cont_type],
+ 'query': {'bool': {
+ 'must': {'match': {'_all': search_str}},
+ 'filter': {'bool': {'must': [
+ {'term': {'container_type': cont_type}},
+ {'terms': {filter_key + '.raw': filter_value}},
+ {'range': filter_range},
+ ]}}
+ }},
+ 'script_fields': {'info_exists': deh.INFO_EXISTS_SCRIPT},
+ 'size': 100},
+ doc_type='flywheel',
+ index='data_explorer')
+ assert r.ok
+ assert r.json['results'] == formatted_file_results
+
 # file search w/ search null filter
 es.search.return_value = {'hits': {'hits': copy.deepcopy(raw_file_results)}}
 r = as_drone.post('/dataexplorer/search', json={'return_type': cont_type, 'all_data': True, 'filters': [
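Review bot: The added case in `test_search` exercises only the drone (superuser) path, and every changed expectation in this file, including the four `test_aggregate_field_values` hunks, removes the `permissions._id` term from the expected query. In the hunks shown, no assertion remains that a non-superuser request with `all_data` false still sends a `{'term': {'permissions._id': ...}}` filter carrying the caller's uid to `es.search`, so a regression that dropped the filter for everyone would pass these tests. A companion case using a regular authenticated client, asserting the term is present in both the search and the aggregate query, would pin the access control this change relies on. The test functions start and end outside the hunks, so such a case may already exist elsewhere in the file.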
@@ -350,7 +373,7 @@ def test_aggregate_field_values(as_public, as_drone, es):
 r = as_drone.post('/dataexplorer/search/fields/aggregate', json={'field_name': field_name})
 es.search.assert_called_with(
 body={'aggs': {'results': {'terms': {'field': field_name + '.raw', 'size': 15, 'missing': 'null'}}},
- 'query': {'bool': {'filter': [{'term': {'permissions._id': None}}], 'must': {'match_all': {}}}},
+ 'query': {'bool': {'must': {'match_all': {}}}},
 'size': 0},
 doc_type='flywheel',
 index='data_explorer')
@@ -361,7 +384,7 @@ def test_aggregate_field_values(as_public, as_drone, es):
 r = as_drone.post('/dataexplorer/search/fields/aggregate', json={'field_name': field_name, 'search_string': search_str})
 es.search.assert_called_with(
 body={'aggs': {'results': {'terms': {'field': field_name + '.raw', 'size': 15, 'missing': 'null'}}},
- 'query': {'bool': {'filter': [{'term': {'permissions._id': None}}], 'must': {'match': {'field': search_str}}}},
+ 'query': {'bool': {'must': {'match': {'field': search_str}}}},
 'size': 0},
 doc_type='flywheel',
 index='data_explorer')
@@ -373,7 +396,7 @@ def test_aggregate_field_values(as_public, as_drone, es):
 r = as_drone.post('/dataexplorer/search/fields/aggregate', json={'field_name': field_name})
 es.search.assert_called_with(
 body={'aggs': {'results': {'stats': {'field': field_name}}},
- 'query': {'bool': {'filter': [{'term': {'permissions._id': None}}], 'must': {'match_all': {}}}},
+ 'query': {'bool': {'must': {'match_all': {}}}},
 'size': 0},
 doc_type='flywheel',
 index='data_explorer')
@@ -384,7 +407,7 @@ def test_aggregate_field_values(as_public, as_drone, es):
 r = as_drone.post('/dataexplorer/search/fields/aggregate', json={'field_name': field_name, 'search_string': search_str})
 es.search.assert_called_with(
 body={'aggs': {'results': {'stats': {'field': field_name}}},
- 'query': {'bool': {'filter': [{'term': {'permissions._id': None}}], 'must': {'match': {'field': search_str}}}},
+ 'query': {'bool': {'must': {'match': {'field': search_str}}}},
 'size': 0},
 doc_type='flywheel',
 index='data_explorer')