Skips meta perms check if not enabled

onadata/apps/api/tests/viewsets/test_data_viewset.py

@@ -243,6 +243,10 @@ def test_returned_data_is_based_on_form_permissions(self):
         profile.require_auth = False
         profile.save()
 
+        # Enable meta perms
+        data_value = "editor-minor|dataentry-minor"
+        MetaData.xform_meta_permission(self.xform, data_value=data_value)
+
         self._assign_user_role(user_alice, DataEntryOnlyRole)
 
         alices_extra = {
@@ -307,6 +311,10 @@ def test_returned_data_is_based_on_form_permissions(self):
         self.assertEqual(response.status_code, 200)
         self.assertEqual(len(response.data), 2)
 
+        # change meta perms
+        data_value = "editor|dataentry-minor"
+        MetaData.xform_meta_permission(self.xform, data_value=data_value)
+
         self._assign_user_role(user_alice, EditorRole)
 
         request = self.factory.get('/', **alices_extra)
@@ -378,6 +386,10 @@ def test_data_entryonly_can_submit_but_not_view(self):
         profile.require_auth = False
         profile.save()
 
+        # Enable meta perms
+        data_value = "editor-minor|dataentry-minor"
+        MetaData.xform_meta_permission(self.xform, data_value=data_value)
+
         DataEntryOnlyRole.add(user_alice, self.xform)
         DataEntryOnlyRole.add(user_alice, self.project)
 

onadata/apps/api/tests/viewsets/test_xform_list_viewset.py

@@ -1,6 +1,7 @@
 import os
 from mock import patch
 
+from django_digest.test import Client as DigestClient
 from django.conf import settings
 from django.test import TransactionTestCase
 from django_digest.test import DigestAuth
@@ -16,6 +17,7 @@
 from onadata.libs.permissions import ReadOnlyRole
 from onadata.libs.utils.export_tools import ExportBuilder
 from onadata.libs.utils.common_tags import GROUP_DELIMETER_TAG
+from onadata.apps.main.models import MetaData
 
 
 class TestXFormListViewSet(TestAbstractViewSet, TransactionTestCase):
@@ -579,7 +581,26 @@ def test_retrieve_xform_manifest_linked_form(self):
         manifest_media_url = "%s?%s=%s" % (media.data['media_url'],
                                            GROUP_DELIMETER_TAG,
                                            ExportBuilder.GROUP_DELIMITER_DOT)
-        self.assertEqual(manifest_media_url, response.data[0]['downloadUrl'])
+        download_url = response.data[0]['downloadUrl']
+        self.assertEqual(manifest_media_url, download_url)
+
+        url = '/bob/xformsMedia/{}/{}.csv?group_delimiter=.'\
+            .format(self.xform.pk, self.metadata.pk)
+        username = 'bob'
+        password = 'bob'
+
+        client = DigestClient()
+        client.set_authorization(username, password, 'Digest')
+
+        req = client.get(url)
+        self.assertEqual(req.status_code, 200)
+
+        # enable meta perms
+        data_value = "editor-minor|dataentry"
+        MetaData.xform_meta_permission(self.xform, data_value=data_value)
+
+        req = client.get(url)
+        self.assertEqual(req.status_code, 401)
 
     def test_xform_3gp_media_type(self):
 

onadata/apps/api/tests/viewsets/test_xform_viewset.py

@@ -4129,6 +4129,9 @@ def test_csv_export_with_meta_perms(self):
             alice_data = {'username': 'alice', 'email': '[email protected]'}
             alice_profile = self._create_user_profile(alice_data)
 
+            data_value = "editor|dataentry-minor"
+            MetaData.xform_meta_permission(self.xform, data_value=data_value)
+
             DataEntryMinorRole.add(alice_profile.user, self.xform)
 
             for i in self.xform.instances.all()[:2]:

onadata/libs/permissions.py

@@ -15,6 +15,7 @@
 from onadata.apps.logger.models import Project
 from onadata.apps.logger.models import XForm
 from onadata.libs.exceptions import NoRecordsPermission
+from onadata.libs.utils.common_tags import XFORM_META_PERMS
 
 # Userprofile Permissions
 CAN_ADD_USERPROFILE = 'add_userprofile'
@@ -365,8 +366,28 @@ def get_team_project_default_permissions(team, project):
     return get_role(perms, project) or ""
 
 
+def _check_meta_perms_enabled(xform):
+    """
+        Check for meta-perms settings in the xform metadata model.
+        :param xform:
+        :return: bool
+    """
+    return xform.metadata_set.filter(data_type=XFORM_META_PERMS).count() > 0
+
+
 def filter_queryset_xform_meta_perms(xform, user, instance_queryset):
-    if user.has_perm(CAN_VIEW_XFORM_ALL, xform) or xform.shared_data:
+    """
+        Check for the specific perms if meta-perms have been enabled
+        CAN_VIEW_XFORM_ALL ==> User should be able to view all the data
+        CAN_VIEW_XFORM_DATA ===> User should be able to view his/her submitted
+        data.  Otherwise should raise forbidden error.
+        :param xform:
+        :param user:
+        :param instance_queryset:
+        :return: data
+    """
+    if user.has_perm(CAN_VIEW_XFORM_ALL, xform) or xform.shared_data  \
+            or not _check_meta_perms_enabled(xform):
         return instance_queryset
     elif user.has_perm(CAN_VIEW_XFORM_DATA, xform):
         return instance_queryset.filter(user=user)
@@ -375,7 +396,18 @@ def filter_queryset_xform_meta_perms(xform, user, instance_queryset):
 
 
 def filter_queryset_xform_meta_perms_sql(xform, user, query):
-    if user.has_perm(CAN_VIEW_XFORM_ALL, xform) or xform.shared_data:
+    """
+        Check for the specific perms if meta-perms have been enabled
+        CAN_VIEW_XFORM_ALL ==> User should be able to view all the data
+        CAN_VIEW_XFORM_DATA ===> User should be able to view his/her submitted
+         data. Otherwise should raise forbidden error.
+        :param xform:
+        :param user:
+        :param instance_queryset:
+        :return: data
+        """
+    if user.has_perm(CAN_VIEW_XFORM_ALL, xform) or xform.shared_data\
+            or not _check_meta_perms_enabled(xform):
         ret_query = query
     elif user.has_perm(CAN_VIEW_XFORM_DATA, xform):
         try: