Location filter for non-admin web users

Lech_Rozanski · May 26, 2014, 2:40pm

Hello,

I have encountered the following problem. We use commtrack location
filters in all of our reports, and everything works correctly, unless
the logged in web user does not have admin privileges. I noticed in

github.com

dimagi/commcare-hq/blob/master/corehq/apps/locations/resources/v0_1.py#L28


      
          )
          
          
from ..models import SQLLocation
          from ..permissions import user_can_access_location_id
          
          

          
def get_location_or_not_exist(location_id, domain):
              try:
                  return SQLLocation.objects.get(location_id=location_id, domain=domain)
              except SQLLocation.DoesNotExist:
                  raise object_does_not_exist('Location', location_id)
          
          

          
@location_safe
          class LocationResource(HqBaseResource):
              type = "location"
              uuid = fields.CharField(attribute='location_id', readonly=True, unique=True)
              location_type = fields.CharField(attribute='location_type', readonly=True)
              is_archived = fields.BooleanField(attribute='is_archived', readonly=True)
              can_edit = fields.BooleanField(readonly=True)
              name = fields.CharField(attribute='name', readonly=True, unique=True)

that the filters are indeed restricted only to administrators. Is this
necessary, or could I change it to 'LoginAndDomainAuthentication', or
perhaps 'RequirePermissionAuthentication'? If the latter is preferred,
what would be the best permission to use in order to make sure all web
users would be granted access to the resource?

Regards
Lech

Rowena_Luk · May 26, 2014, 7:06pm

in my opinion, the commtrack location filtering of web reports should work
for all web users, even with no permissions.

note that this is separate from the ability to register a web user with a
location - which should only apply to those who have permissions to
register web users - or the ability to turn on location filtering for a
given domain - which should only apply to administrators.

···

On Mon, May 26, 2014 at 7:40 AM, Lech Różański wrote:

Hello,

I have encountered the following problem. We use commtrack location
filters in all of our reports, and everything works correctly, unless the
logged in web user does not have admin privileges. I noticed in
commcare-hq/corehq/apps/locations/resources/v0_1.py at master · dimagi/commcare-hq · GitHub the filters are indeed restricted only to administrators. Is this
necessary, or could I change it to 'LoginAndDomainAuthentication', or
perhaps 'RequirePermissionAuthentication'? If the latter is preferred, what
would be the best permission to use in order to make sure all web users
would be granted access to the resource?

Regards
Lech

--

You received this message because you are subscribed to the Google Groups
"CommCare Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to commcare-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
Rowena Luk
VP of Strategy
Dimagi, Inc.

Skype: rowenaluk
Phone: +1 857 919 5178

czue · May 27, 2014, 1:02am

Hi Lech,

···

> On Mon, May 26, 2014 at 7:40 AM, Lech Różański wrote: > >> Hello, >> >> I have encountered the following problem. We use commtrack location >> filters in all of our reports, and everything works correctly, unless the >> logged in web user does not have admin privileges. I noticed in >> https://github.com/dimagi/commcare-hq/blob/master/corehq/apps/locations/resources/v0_1.py#L28that the filters are indeed restricted only to administrators. Is this >> necessary, or could I change it to 'LoginAndDomainAuthentication', or >> perhaps 'RequirePermissionAuthentication'? If the latter is preferred, what >> would be the best permission to use in order to make sure all web users >> would be granted access to the resource? >> > I agree with you and Rowena. I can't see any scenario where read-access to the list of locations would require any special permissions, so I think simply the LoginAndDomainAuthentication is appropriate. Feel free to make and PR the change.

cheers,
Cory