[#2863] When retrieving eHerkenning-cases, filter on either vestigingsnummer or rsin/kvk, but not both

Author: alextreme

src/open_inwoner/cms/cases/views/mixins.py

@@ -49,11 +49,11 @@ class CaseAccessMixin(AccessMixin):
 
     def dispatch(self, request, *args, **kwargs):
         if not request.user.is_authenticated:
-            logger.debug("CaseAccessMixin - permission denied: user not authenticated")
+            logger.info("CaseAccessMixin - permission denied: user not authenticated")
             return self.handle_no_permission()
 
         if not request.user.bsn and not request.user.kvk:
-            logger.debug(
+            logger.info(
                 "CaseAccessMixin - permission denied: user doesn't have a bsn or kvk number"
             )
             return self.handle_no_permission()
@@ -71,8 +71,8 @@ def dispatch(self, request, *args, **kwargs):
                     if not client.fetch_roles_for_case_and_bsn(
                         self.case.url, request.user.bsn
                     ):
-                        logger.debug(
-                            f"CaseAccessMixin - permission denied: no role for the case {self.case.url}"
+                        logger.info(
+                            f"CaseAccessMixin - permission denied via bsn: no role for the case {self.case.url}"
                         )
                         return self.handle_no_permission()
                 elif request.user.kvk:
@@ -82,39 +82,37 @@ def dispatch(self, request, *args, **kwargs):
                         identifier = self.request.user.rsin
 
                     vestigingsnummer = get_kvk_branch_number(self.request.session)
-                    if (
-                        vestigingsnummer
-                        and not client.fetch_roles_for_case_and_vestigingsnummer(
+                    if vestigingsnummer:
+                        if not client.fetch_roles_for_case_and_vestigingsnummer(
                             self.case.url, vestigingsnummer
-                        )
-                    ):
-                        logger.debug(
-                            f"CaseAccessMixin - permission denied: no role for the case {self.case.url}"
-                        )
-                        return self.handle_no_permission()
-
-                    if not client.fetch_roles_for_case_and_kvk_or_rsin(
-                        self.case.url, identifier
-                    ):
-                        logger.debug(
-                            f"CaseAccessMixin - permission denied: no role for the case {self.case.url}"
-                        )
-                        return self.handle_no_permission()
+                        ):
+                            logger.info(
+                                f"CaseAccessMixin - permission denied via vestigingsnummer: no role for the case {self.case.url}"
+                            )
+                            return self.handle_no_permission()
+                    else:
+                        if not client.fetch_roles_for_case_and_kvk_or_rsin(
+                            self.case.url, identifier
+                        ):
+                            logger.info(
+                                f"CaseAccessMixin - permission denied via kvk/rsin: no role for the case {self.case.url}"
+                            )
+                            return self.handle_no_permission()
 
                 # resolve case-type
                 catalogi_client = api_group.catalogi_client
                 self.case.zaaktype = catalogi_client.fetch_single_case_type(
                     self.case.zaaktype
                 )
                 if not self.case.zaaktype:
-                    logger.debug(
+                    logger.info(
                         f"CaseAccessMixin - permission denied: no case type for case {self.case.url}"
                     )
                     return self.handle_no_permission()
 
                 # check if case + case-type are visible
                 if not is_zaak_visible(self.case):
-                    logger.debug(
+                    logger.info(
                         f"CaseAccessMixin - permission denied: case {self.case.url} is not visible"
                     )
                     return self.handle_no_permission()
@@ -135,7 +133,7 @@ def dispatch(self, request, *args, **kwargs):
             and not request.user.bsn
             and not request.user.kvk
         ):
-            logger.debug(
+            logger.info(
                 "OuterCaseAccessMixin - permission denied: user doesn't have a bsn or kvk number"
             )
             return self.handle_no_permission()

src/open_inwoner/cms/products/tests/test_plugin_categories.py

@@ -665,7 +665,6 @@ def test_categories_based_on_cases_for_eherkenning_user_with_vestigingsnummer(
                 furl(f"{ZAKEN_ROOT}zaken")
                 .add(
                     {
-                        "rol__betrokkeneIdentificatie__nietNatuurlijkPersoon__innNnpId": identifier,
                         "maximaleVertrouwelijkheidaanduiding": VertrouwelijkheidsAanduidingen.beperkt_openbaar,
                         "rol__betrokkeneIdentificatie__vestiging__vestigingsNummer": "1234",
                     }

src/open_inwoner/openzaak/clients.py

@@ -79,14 +79,18 @@ def fetch_cases(
             return self.fetch_cases_by_bsn(
                 user_bsn, max_requests=max_requests, identificatie=identificatie
             )
-
+        if vestigingsnummer:
+            return self.fetch_cases_for_company(
+                max_requests=max_requests,
+                zaak_identificatie=identificatie,
+                vestigingsnummer=vestigingsnummer,
+            )
         if user_kvk or user_rsin:
             user_kvk_or_rsin = user_rsin if user_rsin else user_kvk
-            return self.fetch_cases_by_kvk_or_rsin(
-                user_kvk_or_rsin,
+            return self.fetch_cases_for_company(
+                kvk_or_rsin=user_kvk_or_rsin,
                 max_requests=max_requests,
                 zaak_identificatie=identificatie,
-                vestigingsnummer=vestigingsnummer,
             )
         return []
 
@@ -142,36 +146,41 @@ def fetch_cases_by_bsn(
         "{self.base_url}:cases:{kvk_or_rsin}:{vestigingsnummer}:{max_requests}:{zaak_identificatie}",
         timeout=settings.CACHE_ZGW_ZAKEN_TIMEOUT,
     )
-    def fetch_cases_by_kvk_or_rsin(
+    def fetch_cases_for_company(
         self,
-        kvk_or_rsin: str | None,
+        kvk_or_rsin: str | None = None,
         max_requests: int | None = 4,
         zaak_identificatie: str | None = None,
         vestigingsnummer: str | None = None,
     ) -> list[Zaak]:
         """
         retrieve cases for particular company with allowed confidentiality level
 
+        :param kvk_or_rsin: - used to filter the cases by a KVK number or RSIN (configured via OpenZaakConfig)
         :param max_requests: - used to limit the number of requests to list_zaken resource.
         :param zaak_identificatie: - used to filter the cases by a unique Zaak identification number
         :param vestigingsnummer: - used to filter the cases by a vestigingsnummer
         """
-        if not kvk_or_rsin:
-            return []
 
         config = OpenZaakConfig.get_solo()
 
         params = {
-            "rol__betrokkeneIdentificatie__nietNatuurlijkPersoon__innNnpId": kvk_or_rsin,
             "maximaleVertrouwelijkheidaanduiding": config.zaak_max_confidentiality,
         }
-
         if vestigingsnummer:
             params.update(
                 {
                     "rol__betrokkeneIdentificatie__vestiging__vestigingsNummer": vestigingsnummer,
                 }
             )
+        elif kvk_or_rsin:
+            params.update(
+                {
+                    "rol__betrokkeneIdentificatie__nietNatuurlijkPersoon__innNnpId": kvk_or_rsin,
+                }
+            )
+        else:
+            return []
 
         if zaak_identificatie:
             params.update({"identificatie": zaak_identificatie})

src/open_inwoner/openzaak/tests/test_case_detail.py

@@ -1596,22 +1596,46 @@ def test_no_access_when_no_roles_are_found_for_user_kvk_or_rsin(self, m):
                 )
 
     @set_kvk_branch_number_in_session("1234")
-    def test_no_access_as_vestiging_when_no_roles_are_found_for_user_kvk_or_rsin(
-        self, m
-    ):
+    def test_access_as_vestiging_when_only_role_for_vestiging(self, m):
         """
         Just having a role with betrokkeneType vestiging that matches for a case
-        is not sufficient to have access
+        is sufficient to have access.
         """
         self.client.force_login(user=self.eherkenning_user)
 
+        # Requires manually setting mocks to avoid default roles on case
         m.get(self.zaak["url"], json=self.zaak)
         m.get(self.zaaktype["url"], json=self.zaaktype)
         m.get(
             f"{ZAKEN_ROOT}rollen?zaak={self.zaak['url']}",
             # no main branch roles for our user found
             json=paginated_response([self.eherkenning_user_role_kvk_vestiging]),
         )
+        m.get(f"{ZAKEN_ROOT}zaakinformatieobjecten?zaak={self.zaak['url']}", json=[])
+        m.get(
+            f"{ZAKEN_ROOT}statussen?zaak={self.zaak['url']}",
+            json=paginated_response([self.status_new]),
+        )
+        m.get(
+            f"{ZAKEN_ROOT}statussen/3da89990-c7fc-476a-ad13-c9023450083c",
+            json=self.status_new,
+        )
+        m.get(
+            f"{CONTACTMOMENTEN_ROOT}objectcontactmomenten?object={self.zaak['url']}",
+            json=paginated_response([]),
+        )
+        m.get(
+            f"{CATALOGI_ROOT}statustypen?zaaktype={self.zaaktype['url']}",
+            json=paginated_response(
+                [
+                    self.status_type_new,
+                    self.status_type_finish,
+                ]
+            ),
+        )
+        m.get(self.status_type_new["url"], json=self.status_type_new)
+        m.get(self.result["url"], json=self.result)
+        m.get(self.resultaattype_with_naam["url"], json=self.resultaattype_with_naam)
 
         for fetch_eherkenning_zaken_with_rsin in [True, False]:
             with self.subTest(
@@ -1624,10 +1648,8 @@ def test_no_access_as_vestiging_when_no_roles_are_found_for_user_kvk_or_rsin(
 
                 response = self.client.get(self.case_detail_url)
 
-                self.assertTemplateUsed("pages/cases/403.html")
-                self.assertContains(
-                    response, _("Sorry, you don't have access to this page (403)")
-                )
+                self.assertEquals(response.status_code, 200)
+                self.assertContains(response, self.zaak["identificatie"])
 
     @set_kvk_branch_number_in_session("1234")
     def test_no_access_as_vestiging_when_no_roles_are_found_for_vestigingsnummer(
@@ -1665,6 +1687,7 @@ def test_no_access_as_vestiging_when_no_roles_are_found_for_vestigingsnummer(
                     response, _("Sorry, you don't have access to this page (403)")
                 )
 
+    @set_kvk_branch_number_in_session(value=None)
     def test_no_access_if_fetch_eherkenning_zaken_with_rsin_and_user_has_no_rsin(
         self, m
     ):