Add new `ADMIN_SCANNERS_*` permissions (#13240)

2020-01-14 11:09:02 +01:00 · 2020-01-14 11:09:02 +01:00 · 719cf27f1a
--- a/src/olympia/constants/permissions.py
+++ b/src/olympia/constants/permissions.py
@ -80,6 +80,12 @@ ABUSEREPORTS_EDIT = AclPermission('AbuseReports', 'Edit')
 # Can submit language packs. #11788 and #11793
 LANGPACK_SUBMIT = AclPermission('LanguagePack', 'Submit')

+# Can access the scanners results admin.
+ADMIN_SCANNERS_RESULTS_VIEW = AclPermission('Admin', 'ScannersResultsView')
+# Can access the scanners rules admin.
+ADMIN_SCANNERS_RULES_VIEW = AclPermission('Admin', 'ScannersRulesView')
+# Can edit the scanners rules.
+ADMIN_SCANNERS_RULES_EDIT = AclPermission('Admin', 'ScannersRulesEdit')

 # All permissions, for easy introspection
 PERMISSIONS_LIST = [
@ -137,10 +143,11 @@ DJANGO_PERMISSIONS_MAPPING.update({

    'reviewers.delete_reviewerscore': ADMIN_ADVANCED,

-    'scanners.add_scannerrule': ADMIN_ADVANCED,
-    'scanners.change_scannerrule': ADMIN_ADVANCED,
-    'scanners.delete_scannerrule': ADMIN_ADVANCED,
-    'scanners.view_scannerresult': ADMIN_ADVANCED,
+    'scanners.add_scannerrule': ADMIN_SCANNERS_RULES_EDIT,
+    'scanners.change_scannerrule': ADMIN_SCANNERS_RULES_EDIT,
+    'scanners.delete_scannerrule': ADMIN_SCANNERS_RULES_EDIT,
+    'scanners.view_scannerrule': ADMIN_SCANNERS_RULES_VIEW,
+    'scanners.view_scannerresult': ADMIN_SCANNERS_RESULTS_VIEW,

    'users.change_userprofile': USERS_EDIT,
    'users.delete_userprofile': ADMIN_ADVANCED,
--- a/src/olympia/scanners/admin.py
+++ b/src/olympia/scanners/admin.py
@ -13,6 +13,7 @@ from django.utils.translation import ugettext
 from urllib.parse import urljoin

 from olympia import amo
+from olympia.access import acl
 from olympia.addons.models import Addon
 from olympia.amo.urlresolvers import reverse
 from olympia.constants.scanners import (
@ -178,6 +179,20 @@ class ScannerResultAdmin(admin.ModelAdmin):
    def has_change_permission(self, request, obj=None):
        return False

+    def get_list_display(self, request):
+        fields = super().get_list_display(request)
+        return self._excludes_admin_fields(request=request, fields=fields)
+
+    def get_fields(self, request, obj=None):
+        fields = super().get_fields(request, obj)
+        return self._excludes_admin_fields(request=request, fields=fields)
+
+    def _excludes_admin_fields(self, request, fields):
+        is_admin = acl.action_allowed(request, amo.permissions.ADMIN_ADVANCED)
+        if not is_admin:
+            return list(filter(lambda x: x != 'result_actions', fields))
+        return fields
+
    def formatted_addon(self, obj):
        if obj.version:
            return format_html(
@ -258,7 +273,8 @@ class ScannerResultAdmin(admin.ModelAdmin):
    formatted_matched_rules_with_files.short_description = 'Matched rules'

    def handle_true_positive(self, request, pk, *args, **kwargs):
-        if request.method != "POST":
+        is_admin = acl.action_allowed(request, amo.permissions.ADMIN_ADVANCED)
+        if not is_admin or request.method != "POST":
            raise Http404

        result = self.get_object(request, pk)
@ -273,7 +289,8 @@ class ScannerResultAdmin(admin.ModelAdmin):
        return redirect('admin:scanners_scannerresult_changelist')

    def handle_false_positive(self, request, pk, *args, **kwargs):
-        if request.method != "POST":
+        is_admin = acl.action_allowed(request, amo.permissions.ADMIN_ADVANCED)
+        if not is_admin or request.method != "POST":
            raise Http404

        result = self.get_object(request, pk)
@ -307,7 +324,8 @@ class ScannerResultAdmin(admin.ModelAdmin):
        )

    def handle_revert(self, request, pk, *args, **kwargs):
-        if request.method != "POST":
+        is_admin = acl.action_allowed(request, amo.permissions.ADMIN_ADVANCED)
+        if not is_admin or request.method != "POST":
            raise Http404

        result = self.get_object(request, pk)
--- a/src/olympia/scanners/tests/test_admin.py
+++ b/src/olympia/scanners/tests/test_admin.py
@ -39,7 +39,7 @@ class TestScannerResultAdmin(TestCase):
        super().setUp()

        self.user = user_factory()
-        self.grant_permission(self.user, 'Admin:Advanced')
+        self.grant_permission(self.user, 'Admin:*')
        self.client.login(email=self.user.email)
        self.list_url = reverse('admin:scanners_scannerresult_changelist')

@ -48,8 +48,31 @@ class TestScannerResultAdmin(TestCase):
        )

    def test_list_view(self):
+        rule = ScannerRule.objects.create(name='rule', scanner=CUSTOMS)
+        ScannerResult.objects.create(
+            scanner=CUSTOMS,
+            version=addon_factory().current_version,
+            results={'matchedRules': [rule.name]}
+        )
        response = self.client.get(self.list_url)
        assert response.status_code == 200
+        html = pq(response.content)
+        assert html('.column-result_actions').length == 1
+
+    def test_list_view_for_non_admins(self):
+        rule = ScannerRule.objects.create(name='rule', scanner=CUSTOMS)
+        ScannerResult.objects.create(
+            scanner=CUSTOMS,
+            version=addon_factory().current_version,
+            results={'matchedRules': [rule.name]}
+        )
+        user = user_factory()
+        self.grant_permission(user, 'Admin:ScannersResultsView')
+        self.client.login(email=user.email)
+        response = self.client.get(self.list_url)
+        assert response.status_code == 200
+        html = pq(response.content)
+        assert html('.column-result_actions').length == 0

    def test_list_view_is_restricted(self):
        user = user_factory()
@ -462,13 +485,52 @@ class TestScannerResultAdmin(TestCase):
        # A confirmation message should also appear.
        assert html('.messagelist .info').length == 1

+    def test_handle_true_positive_and_non_admin_user(self):
+        result = ScannerResult(scanner=CUSTOMS)
+        user = user_factory()
+        self.grant_permission(user, 'Admin:ScannersResultsView')
+        self.client.login(email=user.email)
+        response = self.client.post(
+            reverse(
+                'admin:scanners_scannerresult_handletruepositive',
+                args=[result.pk],
+            )
+        )
+        assert response.status_code == 404
+
+    def test_handle_false_positive_and_non_admin_user(self):
+        result = ScannerResult(scanner=CUSTOMS)
+        user = user_factory()
+        self.grant_permission(user, 'Admin:ScannersResultsView')
+        self.client.login(email=user.email)
+        response = self.client.post(
+            reverse(
+                'admin:scanners_scannerresult_handlefalsepositive',
+                args=[result.pk],
+            )
+        )
+        assert response.status_code == 404
+
+    def test_handle_revert_report_and_non_admin_user(self):
+        result = ScannerResult(scanner=CUSTOMS)
+        user = user_factory()
+        self.grant_permission(user, 'Admin:ScannersResultsView')
+        self.client.login(email=user.email)
+        response = self.client.post(
+            reverse(
+                'admin:scanners_scannerresult_handlerevert',
+                args=[result.pk],
+            )
+        )
+        assert response.status_code == 404
+

 class TestScannerRuleAdmin(TestCase):
    def setUp(self):
        super().setUp()

        self.user = user_factory()
-        self.grant_permission(self.user, 'Admin:Advanced')
+        self.grant_permission(self.user, 'Admin:*')
        self.client.login(email=self.user.email)
        self.list_url = reverse('admin:scanners_scannerrule_changelist')