Merge pull request #1488 from maykinmedia/issue/2863-filter-eherkenni…
…ng-cases-or-not-and

[#2863] When retrieving eHerkenning-cases, filter on either vestigingsnummer or rsin/kvk, but not both
alextreme authored Nov 20, 2024
2 parents 4915dad + 74d168e commit a30a379
Showing 5 changed files with 186 additions and 107 deletions.
46 changes: 22 additions & 24 deletions src/open_inwoner/cms/cases/views/mixins.py
Expand Up @@ -49,11 +49,11 @@ class CaseAccessMixin(AccessMixin):

def dispatch(self, request, *args, **kwargs):
if not request.user.is_authenticated:
logger.debug("CaseAccessMixin - permission denied: user not authenticated")
logger.info("CaseAccessMixin - permission denied: user not authenticated")
return self.handle_no_permission()

if not request.user.bsn and not request.user.kvk:
logger.debug(
logger.info(
"CaseAccessMixin - permission denied: user doesn't have a bsn or kvk number"
)
return self.handle_no_permission()
Expand All @@ -71,8 +71,8 @@ def dispatch(self, request, *args, **kwargs):
if not client.fetch_roles_for_case_and_bsn(
self.case.url, request.user.bsn
):
logger.debug(
f"CaseAccessMixin - permission denied: no role for the case {self.case.url}"
logger.info(
f"CaseAccessMixin - permission denied via bsn: no role for the case {self.case.url}"
)
return self.handle_no_permission()
elif request.user.kvk:
Expand All @@ -82,39 +82,37 @@ def dispatch(self, request, *args, **kwargs):
identifier = self.request.user.rsin

vestigingsnummer = get_kvk_branch_number(self.request.session)
if (
vestigingsnummer
and not client.fetch_roles_for_case_and_vestigingsnummer(
if vestigingsnummer:
if not client.fetch_roles_for_case_and_vestigingsnummer(
self.case.url, vestigingsnummer
)
):
logger.debug(
f"CaseAccessMixin - permission denied: no role for the case {self.case.url}"
)
return self.handle_no_permission()

if not client.fetch_roles_for_case_and_kvk_or_rsin(
self.case.url, identifier
):
logger.debug(
f"CaseAccessMixin - permission denied: no role for the case {self.case.url}"
)
return self.handle_no_permission()
):
logger.info(
f"CaseAccessMixin - permission denied via vestigingsnummer: no role for the case {self.case.url}"
)
return self.handle_no_permission()
else:
if not client.fetch_roles_for_case_and_kvk_or_rsin(
self.case.url, identifier
):
logger.info(
f"CaseAccessMixin - permission denied via kvk/rsin: no role for the case {self.case.url}"
)
return self.handle_no_permission()

# resolve case-type
catalogi_client = api_group.catalogi_client
self.case.zaaktype = catalogi_client.fetch_single_case_type(
self.case.zaaktype
)
if not self.case.zaaktype:
logger.debug(
logger.info(
f"CaseAccessMixin - permission denied: no case type for case {self.case.url}"
)
return self.handle_no_permission()

# check if case + case-type are visible
if not is_zaak_visible(self.case):
logger.debug(
logger.info(
f"CaseAccessMixin - permission denied: case {self.case.url} is not visible"
)
return self.handle_no_permission()
Expand All @@ -135,7 +133,7 @@ def dispatch(self, request, *args, **kwargs):
and not request.user.bsn
and not request.user.kvk
):
logger.debug(
logger.info(
"OuterCaseAccessMixin - permission denied: user doesn't have a bsn or kvk number"
)
return self.handle_no_permission()
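Review bot: In the new `if vestigingsnummer:` branch access is decided by the branch number alone, and that value is read from `get_kvk_branch_number(self.request.session)` rather than from the authenticated user, so for branch users the session value is now the sole authorization factor; whether it was validated against `request.user.kvk` when it was stored is not visible in this hunk. I would make that trust assumption explicit above the check: `# The branch number is session state and no kvk/rsin role check follows, so it must have been bound to request.user.kvk when it was stored.` As a point of style, the `logger.info(f"...")` calls format eagerly even when INFO is disabled; `logger.info("CaseAccessMixin - permission denied via vestigingsnummer: no role for the case %s", self.case.url)` follows the stdlib lazy-formatting convention. `dispatch()` continues past the end of this section.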
Expand Up @@ -665,7 +665,6 @@ def test_categories_based_on_cases_for_eherkenning_user_with_vestigingsnummer(
furl(f"{ZAKEN_ROOT}zaken")
.add(
{
"rol__betrokkeneIdentificatie__nietNatuurlijkPersoon__innNnpId": identifier,
"maximaleVertrouwelijkheidaanduiding": VertrouwelijkheidsAanduidingen.beperkt_openbaar,
"rol__betrokkeneIdentificatie__vestiging__vestigingsNummer": "1234",
}
29 changes: 19 additions & 10 deletions src/open_inwoner/openzaak/clients.py
Expand Up @@ -79,14 +79,18 @@ def fetch_cases(
return self.fetch_cases_by_bsn(
user_bsn, max_requests=max_requests, identificatie=identificatie
)

if vestigingsnummer:
return self.fetch_cases_for_company(
max_requests=max_requests,
zaak_identificatie=identificatie,
vestigingsnummer=vestigingsnummer,
)
if user_kvk or user_rsin:
user_kvk_or_rsin = user_rsin if user_rsin else user_kvk
return self.fetch_cases_by_kvk_or_rsin(
user_kvk_or_rsin,
return self.fetch_cases_for_company(
kvk_or_rsin=user_kvk_or_rsin,
max_requests=max_requests,
zaak_identificatie=identificatie,
vestigingsnummer=vestigingsnummer,
)
return []

Expand Down Expand Up @@ -142,36 +146,41 @@ def fetch_cases_by_bsn(
"{self.base_url}:cases:{kvk_or_rsin}:{vestigingsnummer}:{max_requests}:{zaak_identificatie}",
timeout=settings.CACHE_ZGW_ZAKEN_TIMEOUT,
)
def fetch_cases_by_kvk_or_rsin(
def fetch_cases_for_company(
self,
kvk_or_rsin: str | None,
kvk_or_rsin: str | None = None,
max_requests: int | None = 4,
zaak_identificatie: str | None = None,
vestigingsnummer: str | None = None,
) -> list[Zaak]:
"""
retrieve cases for particular company with allowed confidentiality level
:param kvk_or_rsin: - used to filter the cases by a KVK number or RSIN (configured via OpenZaakConfig)
:param max_requests: - used to limit the number of requests to list_zaken resource.
:param zaak_identificatie: - used to filter the cases by a unique Zaak identification number
:param vestigingsnummer: - used to filter the cases by a vestigingsnummer
"""
if not kvk_or_rsin:
return []

config = OpenZaakConfig.get_solo()

params = {
"rol__betrokkeneIdentificatie__nietNatuurlijkPersoon__innNnpId": kvk_or_rsin,
"maximaleVertrouwelijkheidaanduiding": config.zaak_max_confidentiality,
}

if vestigingsnummer:
params.update(
{
"rol__betrokkeneIdentificatie__vestiging__vestigingsNummer": vestigingsnummer,
}
)
elif kvk_or_rsin:
params.update(
{
"rol__betrokkeneIdentificatie__nietNatuurlijkPersoon__innNnpId": kvk_or_rsin,
}
)
else:
return []

if zaak_identificatie:
params.update({"identificatie": zaak_identificatie})
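Review bot: The docstring of `fetch_cases_for_company` still describes `kvk_or_rsin` and `vestigingsnummer` as two independent filters, but the new `if vestigingsnummer: ... elif kvk_or_rsin:` chain makes `vestigingsnummer` take precedence and silently ignore `kvk_or_rsin` when both are passed, which is the behaviour this commit intends and should be stated; I would add to the docstring `Exactly one identifier is used: when vestigingsnummer is set, kvk_or_rsin is ignored; with neither, an empty list is returned.` In `fetch_cases`, the `vestigingsnummer=vestigingsnummer` keyword on the `user_kvk or user_rsin` call is always falsy there because the truthy case already returned, so dropping it would make the either/or explicit at the call site too. The cache key on the decorator line still interpolates `{kvk_or_rsin}`, which is `None` on the branch path; that is only harmless if a vestigingsnummer identifies a single company, which I expect holds for KvK branch numbers but could not confirm from here. `fetch_cases_for_company` continues past the end of this section.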
39 changes: 31 additions & 8 deletions src/open_inwoner/openzaak/tests/test_case_detail.py
Expand Up @@ -1641,22 +1641,46 @@ def test_no_access_when_no_roles_are_found_for_user_kvk_or_rsin(self, m):
)

@set_kvk_branch_number_in_session("1234")
def test_no_access_as_vestiging_when_no_roles_are_found_for_user_kvk_or_rsin(
self, m
):
def test_access_as_vestiging_when_only_role_for_vestiging(self, m):
"""
Just having a role with betrokkeneType vestiging that matches for a case
is not sufficient to have access
is sufficient to have access.
"""
self.client.force_login(user=self.eherkenning_user)

# Requires manually setting mocks to avoid default roles on case
m.get(self.zaak["url"], json=self.zaak)
m.get(self.zaaktype["url"], json=self.zaaktype)
m.get(
f"{ZAKEN_ROOT}rollen?zaak={self.zaak['url']}",
# no main branch roles for our user found
json=paginated_response([self.eherkenning_user_role_kvk_vestiging]),
)
m.get(f"{ZAKEN_ROOT}zaakinformatieobjecten?zaak={self.zaak['url']}", json=[])
m.get(
f"{ZAKEN_ROOT}statussen?zaak={self.zaak['url']}",
json=paginated_response([self.status_new]),
)
m.get(
f"{ZAKEN_ROOT}statussen/3da89990-c7fc-476a-ad13-c9023450083c",
json=self.status_new,
)
m.get(
f"{CONTACTMOMENTEN_ROOT}objectcontactmomenten?object={self.zaak['url']}",
json=paginated_response([]),
)
m.get(
f"{CATALOGI_ROOT}statustypen?zaaktype={self.zaaktype['url']}",
json=paginated_response(
[
self.status_type_new,
self.status_type_finish,
]
),
)
m.get(self.status_type_new["url"], json=self.status_type_new)
m.get(self.result["url"], json=self.result)
m.get(self.resultaattype_with_naam["url"], json=self.resultaattype_with_naam)

for fetch_eherkenning_zaken_with_rsin in [True, False]:
with self.subTest(
Expand All @@ -1669,10 +1693,8 @@ def test_no_access_as_vestiging_when_no_roles_are_found_for_user_kvk_or_rsin(

response = self.client.get(self.case_detail_url)

self.assertTemplateUsed("pages/cases/403.html")
self.assertContains(
response, _("Sorry, you don't have access to this page (403)")
)
self.assertEquals(response.status_code, 200)
self.assertContains(response, self.zaak["identificatie"])

@set_kvk_branch_number_in_session("1234")
def test_no_access_as_vestiging_when_no_roles_are_found_for_vestigingsnummer(
Expand Down Expand Up @@ -1710,6 +1732,7 @@ def test_no_access_as_vestiging_when_no_roles_are_found_for_vestigingsnummer(
response, _("Sorry, you don't have access to this page (403)")
)

@set_kvk_branch_number_in_session(value=None)
def test_no_access_if_fetch_eherkenning_zaken_with_rsin_and_user_has_no_rsin(
self, m
):
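Review bot: `self.assertEquals(response.status_code, 200)` in `test_access_as_vestiging_when_only_role_for_vestiging` uses the deprecated `assertEquals` alias, which was removed in Python 3.12, so the test raises AttributeError on a 3.12 interpreter; use `self.assertEqual(response.status_code, 200)`. The following `self.assertContains(response, self.zaak["identificatie"])` already asserts a 200 status together with the body, so the separate status check is redundant but harmless. The test function begins in the earlier hunk (`@@ -1641,22 +1641,46 @@`), and the body of the next test continues past the end of this section.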