views: Disabling edit/delete buttons for items of other organisation

* NEW Fixes issue when edit/delete buttons are displayed for users of other organisations.

Signed-off-by: Aly Badr <aly.badr@rero.ch>

rero_ils/modules/documents/templates/rero_ils/detailed_view_documents.html

@@ -210,7 +210,7 @@ <h6 class="dropdown-header">{{ _('Select a Pickup Location') }}</h6>
                 {% endif %}
               </div>
               <div class="col-12 col-sm-9 d-flex flex-column">
-                {% if current_user|can_edit %}
+                {% if current_user |user_access_item_permission(item) %}
                   {% with
                     href_update=url_for('records/items.index', path=item.pid, document=record.pid),
                     href_delete='/api/items/' + item.pid,

rero_ils/modules/ext.py

@@ -44,7 +44,7 @@
 from .patrons.listener import enrich_patron_data, listener_item_at_desk
 from ..filter import admin_menu_is_visible, format_date_filter, jsondumps, \
     resource_can_create, text_to_id, to_pretty_json
-from ..permissions import can_edit
+from ..permissions import can_edit, user_access_item_permission
 
 
 class REROILSAPP(object):
@@ -57,6 +57,8 @@ def __init__(self, app=None):
             app.add_template_filter(format_date_filter, name='format_date')
             app.add_template_filter(to_pretty_json, name='tojson_pretty')
             app.add_template_filter(can_edit, name='can_edit')
+            app.add_template_filter(user_access_item_permission,
+                name='user_access_item_permission')
             app.add_template_filter(text_to_id, name='text_to_id')
             app.add_template_filter(jsondumps, name='jsondumps')
             app.add_template_filter(

rero_ils/permissions.py

@@ -48,6 +48,17 @@ def login_and_librarian():
 librarian_permission = DynamicPermission(RoleNeed('librarian'))
 
 
+def user_access_item_permission(user=None, item=None):
+    """User has librarian role and logged in and in same item organisation."""
+    if not user:
+        user = current_user
+    if item:
+        patron = Patron.get_patron_by_user(user)
+        if patron.organisation_pid == item.organisation_pid:
+            return user.is_authenticated and librarian_permission.can()
+    return False
+
+
 def can_edit(user=None):
     """User has editor role."""
     if not user:

tests/fixtures/circulation.py

@@ -91,7 +91,6 @@ def patron_martigny_no_email(
         patron_type_children_martigny,
         patron_martigny_data):
     """Create Martigny patron without sending reset password instruction."""
-    patron_martigny_data['roles'] == ['patron']
     ptrn = Patron.create(
         data=patron_martigny_data,
         delete_pid=False,
@@ -110,7 +109,6 @@ def librarian_martigny_no_email(
         patron_type_children_martigny,
         librarian_martigny_data):
     """Create Martigny librarian without sending reset password instruction."""
-    librarian_martigny_data['roles'] == ['librarian']
     ptrn = Patron.create(
         data=librarian_martigny_data,
         delete_pid=False,

tests/ui/test_permissions.py

@@ -0,0 +1,47 @@
+# This file is part of RERO ILS.
+# Copyright (C) 2017 RERO.
+#
+# RERO ILS is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of the
+# License, or (at your option) any later version.
+#
+# RERO ILS is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with RERO ILS; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+# MA 02111-1307, USA.
+#
+# In applying this license, RERO does not
+# waive the privileges and immunities granted to it by virtue of its status
+# as an Intergovernmental Organization or submit itself to any jurisdiction.
+
+"""Test permissions."""
+
+from utils import login_user
+from rero_ils.permissions import user_access_item_permission
+
+
+def test_user_access_item_permission_librarian(
+        client, json_header,
+        librarian_martigny_no_email, item_lib_martigny):
+    """Test user_access_item_permission."""
+
+    assert not user_access_item_permission()
+    login_user(client, librarian_martigny_no_email)
+    assert not user_access_item_permission()
+    assert user_access_item_permission(item=item_lib_martigny)
+
+
+def test_user_access_item_permission_patron(
+        client, json_header,
+        patron_martigny_no_email, item_lib_martigny):
+    """Test user_access_item_permission."""
+
+    login_user(client, patron_martigny_no_email)
+    assert not user_access_item_permission()
+    assert not user_access_item_permission(item=item_lib_martigny)

tests/utils.py

@@ -27,6 +27,7 @@
 import json
 
 import mock
+from invenio_accounts.testutils import login_user_via_view
 from invenio_circulation.api import get_loan_for_item
 from invenio_search import current_search
 from six.moves.urllib.parse import parse_qs, urlparse
@@ -49,6 +50,12 @@ class VerifyRecordPermissionPatch(object):
     status_code = 200
 
 
+def login_user(client, user):
+    """Sign in user."""
+    user.user.password_plaintext = user.get('email')
+    login_user_via_view(client, user=user.user)
+
+
 def get_json(response):
     """Get JSON from response."""
     return json.loads(response.get_data(as_text=True))