[#2863] When retrieving eHerkenning-cases, filter on either vestigingsnummer or rsin/kvk, but not both #1488

Merged
merged 1 commit into from
Nov 20, 2024
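--- a/src/open_inwoner/cms/cases/views/mixins.py
+++ b/src/open_inwoner/cms/cases/views/mixins.py
@@ -49,11 +49,11 @@ class CaseAccessMixin(AccessMixin):
 
 def dispatch(self, request, *args, **kwargs):
 if not request.user.is_authenticated:
-logger.debug("CaseAccessMixin - permission denied: user not authenticated")
+logger.info("CaseAccessMixin - permission denied: user not authenticated")
 return self.handle_no_permission()
 
 if not request.user.bsn and not request.user.kvk:
-logger.debug(
+logger.info(
 "CaseAccessMixin - permission denied: user doesn't have a bsn or kvk number"
 )
 return self.handle_no_permission()
@@ -71,8 +71,8 @@ def dispatch(self, request, *args, **kwargs):
 if not client.fetch_roles_for_case_and_bsn(
 self.case.url, request.user.bsn
 ):
-logger.debug(
-f"CaseAccessMixin - permission denied: no role for the case {self.case.url}"
+logger.info(
+f"CaseAccessMixin - permission denied via bsn: no role for the case {self.case.url}"
 )
 return self.handle_no_permission()
 elif request.user.kvk:
@@ -82,39 +82,37 @@ def dispatch(self, request, *args, **kwargs):
 identifier = self.request.user.rsin
 
 vestigingsnummer = get_kvk_branch_number(self.request.session)
-if (
-vestigingsnummer
-and not client.fetch_roles_for_case_and_vestigingsnummer(
+if vestigingsnummer:
+if not client.fetch_roles_for_case_and_vestigingsnummer(
 self.case.url, vestigingsnummer
-)
-):
-logger.debug(
-f"CaseAccessMixin - permission denied: no role for the case {self.case.url}"
-)
-return self.handle_no_permission()
-
-if not client.fetch_roles_for_case_and_kvk_or_rsin(
-self.case.url, identifier
-):
-logger.debug(
-f"CaseAccessMixin - permission denied: no role for the case {self.case.url}"
-)
-return self.handle_no_permission()
+):
+logger.info(
+f"CaseAccessMixin - permission denied via vestigingsnummer: no role for the case {self.case.url}"
+)
+return self.handle_no_permission()
+else:
+if not client.fetch_roles_for_case_and_kvk_or_rsin(
+self.case.url, identifier
+):
+logger.info(
+f"CaseAccessMixin - permission denied via kvk/rsin: no role for the case {self.case.url}"
+)
+return self.handle_no_permission()
 
 # resolve case-type
 catalogi_client = api_group.catalogi_client
 self.case.zaaktype = catalogi_client.fetch_single_case_type(
 self.case.zaaktype
 )
 if not self.case.zaaktype:
-logger.debug(
+logger.info(
 f"CaseAccessMixin - permission denied: no case type for case {self.case.url}"
 )
 return self.handle_no_permission()
 
 # check if case + case-type are visible
 if not is_zaak_visible(self.case):
-logger.debug(
+logger.info(
 f"CaseAccessMixin - permission denied: case {self.case.url} is not visible"
 )
 return self.handle_no_permission()
@@ -135,7 +133,7 @@ def dispatch(self, request, *args, **kwargs):
 and not request.user.bsn
 and not request.user.kvk
 ):
-logger.debug(
+logger.info(
 "OuterCaseAccessMixin - permission denied: user doesn't have a bsn or kvk number"
 )
 return self.handle_no_permission()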
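Review bot: In the new `if vestigingsnummer:` branch the access decision rests entirely on the branch number read from `self.request.session`; nothing in this hunk ties that value to `request.user.kvk`, so the check is only as strong as the code that stores the branch number in the session, which is outside this diff. A comment above the branch would make that dependency explicit, e.g. `# The session branch number is trusted here; it must be bound to the user's KvK where it is set.` The `else:` that only wraps a single `if` could be flattened to `elif not client.fetch_roles_for_case_and_kvk_or_rsin(self.case.url, identifier):` so both role checks sit at the same level and the log/deny lines are not indented an extra step. dispatch starts before the first hunk of this file and continues past the last one.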
@@ -665,7 +665,6 @@ def test_categories_based_on_cases_for_eherkenning_user_with_vestigingsnummer(
furl(f"{ZAKEN_ROOT}zaken")
.add(
{
"rol__betrokkeneIdentificatie__nietNatuurlijkPersoon__innNnpId": identifier,
"maximaleVertrouwelijkheidaanduiding": VertrouwelijkheidsAanduidingen.beperkt_openbaar,
"rol__betrokkeneIdentificatie__vestiging__vestigingsNummer": "1234",
}
29 changes: 19 additions & 10 deletions src/open_inwoner/openzaak/clients.py
@@ -79,14 +79,18 @@ def fetch_cases(
return self.fetch_cases_by_bsn(
user_bsn, max_requests=max_requests, identificatie=identificatie
)

if vestigingsnummer:
return self.fetch_cases_for_company(
max_requests=max_requests,
zaak_identificatie=identificatie,
vestigingsnummer=vestigingsnummer,
)
if user_kvk or user_rsin:
user_kvk_or_rsin = user_rsin if user_rsin else user_kvk
return self.fetch_cases_by_kvk_or_rsin(
user_kvk_or_rsin,
return self.fetch_cases_for_company(
kvk_or_rsin=user_kvk_or_rsin,
max_requests=max_requests,
zaak_identificatie=identificatie,
vestigingsnummer=vestigingsnummer,
)
return []

@@ -142,36 +146,41 @@ def fetch_cases_by_bsn(
"{self.base_url}:cases:{kvk_or_rsin}:{vestigingsnummer}:{max_requests}:{zaak_identificatie}",
timeout=settings.CACHE_ZGW_ZAKEN_TIMEOUT,
)
def fetch_cases_by_kvk_or_rsin(
def fetch_cases_for_company(
self,
kvk_or_rsin: str | None,
kvk_or_rsin: str | None = None,
max_requests: int | None = 4,
zaak_identificatie: str | None = None,
vestigingsnummer: str | None = None,
) -> list[Zaak]:
"""
retrieve cases for particular company with allowed confidentiality level

:param kvk_or_rsin: - used to filter the cases by a KVK number or RSIN (configured via OpenZaakConfig)
:param max_requests: - used to limit the number of requests to list_zaken resource.
:param zaak_identificatie: - used to filter the cases by a unique Zaak identification number
:param vestigingsnummer: - used to filter the cases by a vestigingsnummer
"""
if not kvk_or_rsin:
return []

config = OpenZaakConfig.get_solo()

params = {
"rol__betrokkeneIdentificatie__nietNatuurlijkPersoon__innNnpId": kvk_or_rsin,
"maximaleVertrouwelijkheidaanduiding": config.zaak_max_confidentiality,
}

if vestigingsnummer:
params.update(
{
"rol__betrokkeneIdentificatie__vestiging__vestigingsNummer": vestigingsnummer,
}
)
elif kvk_or_rsin:
params.update(
{
"rol__betrokkeneIdentificatie__nietNatuurlijkPersoon__innNnpId": kvk_or_rsin,
}
)
else:
return []

if zaak_identificatie:
params.update({"identificatie": zaak_identificatie})
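Review bot: In `fetch_cases_for_company` the `OpenZaakConfig.get_solo()` call and the `params` dict are now built before the code discovers that neither `vestigingsnummer` nor `kvk_or_rsin` was given; the previous version returned `[]` before touching the config. Moving the guard to the top, `if not vestigingsnummer and not kvk_or_rsin:` / `return []`, and dropping the trailing `else:` restores that and leaves the `if`/`elif` purely about which filter to send. The docstring still presents `kvk_or_rsin` as the company filter without saying that `vestigingsnummer` takes precedence and that `kvk_or_rsin` is then not sent at all; one sentence stating that precedence, and that a branch number passed here is assumed to belong to the caller's own company, would document the behaviour this PR introduces. In the `fetch_cases` hunk above, the `if vestigingsnummer:` return now also precedes the `user_kvk or user_rsin` check, so that gate presumably has to be enforced by the caller and deserves a comment there. Both functions continue outside their hunks.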
39 changes: 31 additions & 8 deletions src/open_inwoner/openzaak/tests/test_case_detail.py
@@ -1641,22 +1641,46 @@ def test_no_access_when_no_roles_are_found_for_user_kvk_or_rsin(self, m):
)

@set_kvk_branch_number_in_session("1234")
def test_no_access_as_vestiging_when_no_roles_are_found_for_user_kvk_or_rsin(
self, m
):
def test_access_as_vestiging_when_only_role_for_vestiging(self, m):
"""
Just having a role with betrokkeneType vestiging that matches for a case
is not sufficient to have access
is sufficient to have access.
"""
self.client.force_login(user=self.eherkenning_user)

# Requires manually setting mocks to avoid default roles on case
m.get(self.zaak["url"], json=self.zaak)
m.get(self.zaaktype["url"], json=self.zaaktype)
m.get(
f"{ZAKEN_ROOT}rollen?zaak={self.zaak['url']}",
# no main branch roles for our user found
json=paginated_response([self.eherkenning_user_role_kvk_vestiging]),
)
m.get(f"{ZAKEN_ROOT}zaakinformatieobjecten?zaak={self.zaak['url']}", json=[])
m.get(
f"{ZAKEN_ROOT}statussen?zaak={self.zaak['url']}",
json=paginated_response([self.status_new]),
)
m.get(
f"{ZAKEN_ROOT}statussen/3da89990-c7fc-476a-ad13-c9023450083c",
json=self.status_new,
)
m.get(
f"{CONTACTMOMENTEN_ROOT}objectcontactmomenten?object={self.zaak['url']}",
json=paginated_response([]),
)
m.get(
f"{CATALOGI_ROOT}statustypen?zaaktype={self.zaaktype['url']}",
json=paginated_response(
[
self.status_type_new,
self.status_type_finish,
]
),
)
m.get(self.status_type_new["url"], json=self.status_type_new)
m.get(self.result["url"], json=self.result)
m.get(self.resultaattype_with_naam["url"], json=self.resultaattype_with_naam)

for fetch_eherkenning_zaken_with_rsin in [True, False]:
with self.subTest(
@@ -1669,10 +1693,8 @@ def test_no_access_as_vestiging_when_no_roles_are_found_for_user_kvk_or_rsin(

response = self.client.get(self.case_detail_url)

self.assertTemplateUsed("pages/cases/403.html")
self.assertContains(
response, _("Sorry, you don't have access to this page (403)")
)
self.assertEquals(response.status_code, 200)
self.assertContains(response, self.zaak["identificatie"])

@set_kvk_branch_number_in_session("1234")
def test_no_access_as_vestiging_when_no_roles_are_found_for_vestigingsnummer(
@@ -1710,6 +1732,7 @@ def test_no_access_as_vestiging_when_no_roles_are_found_for_vestigingsnummer(
response, _("Sorry, you don't have access to this page (403)")
)

@set_kvk_branch_number_in_session(value=None)
def test_no_access_if_fetch_eherkenning_zaken_with_rsin_and_user_has_no_rsin(
self, m
):
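Review bot: `self.assertEquals(response.status_code, 200)` in the rewritten assertion block uses the deprecated alias that was removed from `unittest.TestCase` in Python 3.12; write `self.assertEqual(response.status_code, 200)`. The docstring of `test_access_as_vestiging_when_only_role_for_vestiging` states the intent clearly, but the long run of `m.get(...)` registrations would read easier with one comment naming what it stands in for, e.g. `# Mocks for the full case-detail page; only the vestiging role is returned for this user.` The `for fetch_eherkenning_zaken_with_rsin in [True, False]:` loop and the rest of the test body continue outside the hunk.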