Allow users to view networks

Normal users can only view networks they have access to JIRA INFRA-1809 #action In Progress

Allow users to view networks
Normal users can only view networks they have access to JIRA INFRA-1809 #action In Progress
d0ea0a6d · Benjamin Bertrand · d7e80e57 · d0ea0a6d · d0ea0a6d
Commit d0ea0a6d authored 5 years ago by Benjamin Bertrand
--- a/app/network/views.py
+++ b/app/network/views.py
@@ -636,9 +636,15 @@ def retrieve_first_available_ip(network_id):


 @bp.route("/networks")
-@login_groups_accepted("admin")
+@login_groups_accepted("admin", "network")
 def list_networks():
    networks = models.Network.query.all()
+    if not current_user.is_admin:
+        networks = [
+            network
+            for network in networks
+            if current_user.has_access_to_network(network)
+        ]
    return render_template("network/networks.html", networks=networks)



--- a/tests/functional/test_web.py
+++ b/tests/functional/test_web.py
@@ -84,7 +84,7 @@ def test_protected_url_get(url, client):
    assert response.status_code == 200


-@pytest.mark.parametrize("url", ["/network/networks", "/network/scopes"])
+@pytest.mark.parametrize("url", ["/network/scopes"])
 def test_admin_protected_url_get(url, client):
    login(client, "user_rw", "userrw")
    response = client.get(url)
@@ -927,6 +927,41 @@ def test_view_network_restriction(client, network_scope_factory, network_factory
    assert response.status_code == 200


+def test_view_networks(client, network_scope_factory, network_factory):
+    scope = network_scope_factory(name="ProdNetworks", supernet="192.168.0.0/16")
+    network1 = network_factory(
+        address="192.168.1.0/24",
+        first_ip="192.168.1.10",
+        last_ip="192.168.1.250",
+        scope=scope,
+    )
+    network2 = network_factory(
+        address="192.168.2.0/24",
+        first_ip="192.168.2.10",
+        last_ip="192.168.2.250",
+        admin_only=True,
+        scope=scope,
+    )
+    # user_lab doesn't have the permissions to see any network
+    login(client, "user_lab", "userlab")
+    response = client.get(f"/network/networks")
+    assert response.status_code == 200
+    assert network1.vlan_name not in str(response.data)
+    assert network2.vlan_name not in str(response.data)
+    logout(client)
+    # user_prod user has only access to network1
+    login(client, "user_prod", "userprod")
+    response = client.get(f"/network/networks")
+    assert network1.vlan_name in str(response.data)
+    assert network2.vlan_name not in str(response.data)
+    logout(client)
+    # admin can see all networks
+    login(client, "admin", "adminpasswd")
+    response = client.get(f"/network/networks")
+    assert network1.vlan_name in str(response.data)
+    assert network2.vlan_name in str(response.data)
+
+
 def test_retrieve_groups(logged_client, ansible_group_factory):
    response = logged_client.post("/network/_retrieve_groups")
    assert response.get_json()["data"] == []