Commit d3421ec
* Fix domain list filtering by DomainOrg permissions
- Add scope_queryset method to DomainBasedPermission class
- Filter Domain querysets based on DomainOrg associations (user, group, org_id)
- Superusers see all domains, unauthenticated users see none
- Update existing test_user_list_domain_permissions to verify filtering
- Add 10 comprehensive test cases covering user isolation, org-based visibility,
group-based access, superuser permissions, default domain handling,
deduplication, basic auth, and model guard functionality
Fixes #1101
* fix: address review findings in domain list filtering
- Replace `if group_pks:` with `user.groups.exists()` in both
`_has_domain_access` and `scope_queryset` to avoid evaluating a lazy
QuerySet in boolean context.
- Add `domain_org_factory` fixture for creating DomainOrg entries with
cleanup, following the `domain_factory` pattern.
- Rewrite `test_group_based_domain_visibility` and
`test_domain_deduplication` to use API fixtures (`gen_group`,
`domain_factory`, `GroupsUsersApi`) instead of direct ORM writes that
are invisible to the API server.
- Remove unused fixture parameters (`gen_user`, `django_user_model`)
and replace Mock with SimpleNamespace in `test_scope_queryset_model_guard`.
* style: fix ruff format and import sorting in review fixes
* style: fix all ruff violations in test_domain_based_permissions
- Sort imports (I001)
- Remove unused variable assignments (F841)
- Rename test_user_permissions_without_orgId to snake_case (N802)
- Add noqa for unused monitor_task fixture param (ARG001)
- Reformat to ruff line-length 120
* style: fix import grouping in test_scope_queryset_model_guard
Separate third-party (django) from first-party (pulp_service) imports
per ruff I001 with project config.
* fix: add transactional_db to domain_org_factory fixture
The fixture performs ORM writes that must be visible to the API server
running in a separate process. Using transactional_db ensures the
changes are committed rather than wrapped in a rolled-back transaction.
* fix: use API-only approach for group and dedup tests
Remove domain_org_factory and all direct ORM access from tests.
Instead, rely on the post_save signal that auto-creates DomainOrg
entries (with group and org_id) when a domain is created via the API.
This eliminates cross-process DB visibility issues entirely.
* perf: avoid double query on user.groups in permission checks
Use group_pks.exists() instead of user.groups.exists() to reuse the
same queryset rather than issuing two separate queries against
user.groups.
* perf: materialize group_pks with list() to avoid extra query
Use list() to fetch group PKs in a single query. The if check is then
a Python truthiness test on a list, avoiding the extra EXISTS query
that group_pks.exists() would issue.
* fix: use basic auth for superuser domain list test
The superuser test was using anonymous_user + x-rh-identity header,
which authenticates via RHTermsBasedRegistryAuthentication and does
not set is_superuser=True on the user object. Use basic auth instead
so the request authenticates as the actual Django superuser and
scope_queryset correctly bypasses filtering.
* fix: restore Domain import needed by scope_queryset
The upstream ruff cleanup removed the Domain import since the original
code didn't reference it directly. But scope_queryset uses
qs.model is not Domain, so the import is required.
Co-authored-by: Alcove <alcove@localhost>
Co-authored-by: André "decko" de Brito <decko@redhat.com>
1 parent ddb0a0b commit d3421ec
2 files changed
Lines changed: 509 additions & 18 deletions
File tree
- pulp_service/pulp_service
- app
- tests/functional
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
| 11 | + | |
11 | 12 | | |
12 | 13 | | |
13 | 14 | | |
| |||
31 | 32 | | |
32 | 33 | | |
33 | 34 | | |
34 | | - | |
35 | | - | |
| 35 | + | |
36 | 36 | | |
37 | 37 | | |
38 | 38 | | |
| |||
123 | 123 | | |
124 | 124 | | |
125 | 125 | | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |
| 135 | + | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| 147 | + | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
| 151 | + | |
| 152 | + | |
| 153 | + | |
| 154 | + | |
| 155 | + | |
126 | 156 | | |
127 | 157 | | |
128 | 158 | | |
| |||
0 commit comments