Merge pull request #111 from unicef/bugfix/248879-user_role-permission-second-fix

sergey-misuk-valor · web-flow · commit 21a87822211f · 2025-05-26T15:27:24.000+03:00
AB#248879: UserRole permission
diff --git a/src/country_workspace/workspaces/forms.py b/src/country_workspace/workspaces/forms.py
@@ -1,3 +1,4 @@
+from operator import attrgetter
 from typing import TYPE_CHECKING, Any
 
 from dateutil.utils import today
@@ -9,11 +10,12 @@
 from django.utils.translation import gettext_lazy as _
 from django_select2 import forms as s2forms
 
-from ..models import Program
+from ..models import Program, Office, User
 from ..state import state
 from .config import conf
 
 if TYPE_CHECKING:
+    from collections.abc import Iterable
     from django.contrib.auth.base_user import AbstractBaseUser
 
 
@@ -65,6 +67,23 @@ def media(self) -> forms.Media:
         )
 
 
+def get_available_programs(office: Office, user: User) -> QuerySet[Program]:
+    program_qs = office.programs.filter(enabled=True)
+
+    if not user.is_superuser:
+        roles = tuple(user.roles.filter(Q(expires=None) | Q(expires__gt=today()), country_office=office))
+        if (roles_count := len(roles)) > 0:
+            # if there is only one role with program_id == None, user can access all programs,
+            # otherwise we allow access to programs assigned to roles
+            if roles_count > 1 or roles[0].program_id:
+                program_ids: "Iterable[int]" = filter(None, map(attrgetter("program_id"), roles))
+                program_qs = program_qs.filter(id__in=program_ids)
+        else:
+            program_qs = Program.objects.none()
+
+    return program_qs.order_by("name").all()
+
+
 class SelectProgramForm(forms.Form):
     program = forms.ModelChoiceField(
         label=_("Program"),
@@ -86,11 +105,4 @@ def __init__(self, *args: "Any", **kwargs: "Any") -> None:
         self.request = kwargs.pop("request")
         super().__init__(*args, **kwargs)
         if state.tenant:
-            program_qs = state.tenant.programs.filter(enabled=True)
-            if not state.request.user.is_superuser:
-                roles = state.request.user.roles.filter(Q(expires=None) | Q(expires__gt=today()))
-                has_all_programs_access = roles.filter(program=None).exists()
-                if not has_all_programs_access:
-                    program_qs = program_qs.filter(id__in=roles.values("program_id"))
-
-            self.fields["program"].queryset = program_qs.order_by("name").all()
+            self.fields["program"].queryset = get_available_programs(state.tenant, state.request.user)
diff --git a/tests/workspace/test_forms/test_get_available_programs.py b/tests/workspace/test_forms/test_get_available_programs.py
@@ -0,0 +1,75 @@
+import pytest
+
+from country_workspace.models import Office, User, Program, UserRole
+from country_workspace.workspaces.forms import get_available_programs
+from testutils.factories import OfficeFactory, UserFactory, ProgramFactory, UserRoleFactory, SuperUserFactory
+
+
+@pytest.fixture
+def office() -> Office:
+    return OfficeFactory()
+
+
+@pytest.fixture
+def program0(office: Office) -> Program:
+    return ProgramFactory(country_office=office)
+
+
+@pytest.fixture
+def program1(office: Office) -> Program:
+    return ProgramFactory(country_office=office)
+
+
+@pytest.fixture
+def all_programs(program0: Program, program1: Program) -> tuple[Program, ...]:
+    return program0, program1
+
+
+@pytest.fixture
+def user() -> User:
+    return UserFactory()
+
+
+@pytest.fixture
+def single_program_role(office: Office, user: User, program0: Program) -> UserRole:
+    return UserRoleFactory(user=user, country_office=office, program=program0)
+
+
+@pytest.fixture
+def none_program_role(office: Office, user: User) -> Program:
+    return UserRoleFactory(country_office=office, user=user)
+
+
+@pytest.fixture
+def super_user() -> User:
+    return SuperUserFactory()
+
+
+def test_no_roles(office: Office, all_programs: tuple[Program, ...], user: User) -> None:
+    assert get_available_programs(office, user).count() == 0
+
+
+def test_single_program_role(
+    office: Office, all_programs: tuple[Program, ...], single_program_role: UserRole, user: User
+) -> None:
+    assert get_available_programs(office, user).count() == 1
+
+
+def test_none_program_role(
+    office: Office, all_programs: tuple[Program, ...], none_program_role: Program, user: User
+) -> None:
+    assert get_available_programs(office, user).count() == len(all_programs)
+
+
+def test_single_program_role_and_none_program_role(
+    office: Office,
+    all_programs: tuple[Program, ...],
+    single_program_role: UserRole,
+    none_program_role: UserRole,
+    user: User,
+) -> None:
+    assert get_available_programs(office, user).count() == 1
+
+
+def test_super_user(office: Office, all_programs: tuple[Program, ...], program1: Program, super_user: User) -> None:
+    assert get_available_programs(office, super_user).count() == len(all_programs)
