
Commit 0960e2f

committed
[#2863] When retrieving eHerkenning-cases, filter on either vestigingsnummer or rsin/kvk, but not both
1 parent 944ba71 commit 0960e2f

5 files changed

+186
-107
lines changed


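--- a/src/open_inwoner/cms/cases/views/mixins.py
+++ b/src/open_inwoner/cms/cases/views/mixins.py
@@ -49,11 +49,11 @@ class CaseAccessMixin(AccessMixin):
 
 def dispatch(self, request, *args, **kwargs):
 if not request.user.is_authenticated:
-logger.debug("CaseAccessMixin - permission denied: user not authenticated")
+logger.info("CaseAccessMixin - permission denied: user not authenticated")
 return self.handle_no_permission()
 
 if not request.user.bsn and not request.user.kvk:
-logger.debug(
+logger.info(
 "CaseAccessMixin - permission denied: user doesn't have a bsn or kvk number"
 )
 return self.handle_no_permission()
@@ -71,8 +71,8 @@ def dispatch(self, request, *args, **kwargs):
 if not client.fetch_roles_for_case_and_bsn(
 self.case.url, request.user.bsn
 ):
-logger.debug(
-f"CaseAccessMixin - permission denied: no role for the case {self.case.url}"
+logger.info(
+f"CaseAccessMixin - permission denied via bsn: no role for the case {self.case.url}"
 )
 return self.handle_no_permission()
 elif request.user.kvk:
@@ -82,39 +82,37 @@ def dispatch(self, request, *args, **kwargs):
 identifier = self.request.user.rsin
 
 vestigingsnummer = get_kvk_branch_number(self.request.session)
-if (
-vestigingsnummer
-and not client.fetch_roles_for_case_and_vestigingsnummer(
+if vestigingsnummer:
+if not client.fetch_roles_for_case_and_vestigingsnummer(
 self.case.url, vestigingsnummer
-)
-):
-logger.debug(
-f"CaseAccessMixin - permission denied: no role for the case {self.case.url}"
-)
-return self.handle_no_permission()
-
-if not client.fetch_roles_for_case_and_kvk_or_rsin(
-self.case.url, identifier
-):
-logger.debug(
-f"CaseAccessMixin - permission denied: no role for the case {self.case.url}"
-)
-return self.handle_no_permission()
+):
+logger.info(
+f"CaseAccessMixin - permission denied via vestigingsnummer: no role for the case {self.case.url}"
+)
+return self.handle_no_permission()
+else:
+if not client.fetch_roles_for_case_and_kvk_or_rsin(
+self.case.url, identifier
+):
+logger.info(
+f"CaseAccessMixin - permission denied via kvk/rsin: no role for the case {self.case.url}"
+)
+return self.handle_no_permission()
 
 # resolve case-type
 catalogi_client = api_group.catalogi_client
 self.case.zaaktype = catalogi_client.fetch_single_case_type(
 self.case.zaaktype
 )
 if not self.case.zaaktype:
-logger.debug(
+logger.info(
 f"CaseAccessMixin - permission denied: no case type for case {self.case.url}"
 )
 return self.handle_no_permission()
 
 # check if case + case-type are visible
 if not is_zaak_visible(self.case):
-logger.debug(
+logger.info(
 f"CaseAccessMixin - permission denied: case {self.case.url} is not visible"
 )
 return self.handle_no_permission()
@@ -135,7 +133,7 @@ def dispatch(self, request, *args, **kwargs):
 and not request.user.bsn
 and not request.user.kvk
 ):
-logger.debug(
+logger.info(
 "OuterCaseAccessMixin - permission denied: user doesn't have a bsn or kvk number"
 )
 return self.handle_no_permission()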
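Review bot: With the rewritten branch at new lines 85–100 a matching vestiging role alone now grants access and the kvk/rsin role check is skipped whenever `get_kvk_branch_number(self.request.session)` returns a value, so the authorization decision rests entirely on the session-held vestigingsnummer being bound to the logged-in user's KvK number; nothing in this hunk shows that binding, so it is worth confirming where the session value is set and that it cannot be carried over from a different eHerkenning login. The same reliance appears in `fetch_cases_for_company` in src/open_inwoner/openzaak/clients.py, where the vestigingsnummer branch no longer adds the innNnpId filter. If the binding is enforced elsewhere, a comment above `if vestigingsnummer:` such as `# vestigingsnummer comes from the session and is trusted as belonging to request.user.kvk; validated in <PLACEHOLDER: where the session value is set>` would make the trust boundary explicit for the next reader. `dispatch` starts and ends outside the hunk.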

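--- a/src/open_inwoner/cms/products/tests/test_plugin_categories.py
+++ b/src/open_inwoner/cms/products/tests/test_plugin_categories.py
@@ -665,7 +665,6 @@ def test_categories_based_on_cases_for_eherkenning_user_with_vestigingsnummer(
 furl(f"{ZAKEN_ROOT}zaken")
 .add(
 {
-"rol__betrokkeneIdentificatie__nietNatuurlijkPersoon__innNnpId": identifier,
 "maximaleVertrouwelijkheidaanduiding": VertrouwelijkheidsAanduidingen.beperkt_openbaar,
 "rol__betrokkeneIdentificatie__vestiging__vestigingsNummer": "1234",
 }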

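--- a/src/open_inwoner/openzaak/clients.py
+++ b/src/open_inwoner/openzaak/clients.py
@@ -79,14 +79,18 @@ def fetch_cases(
 return self.fetch_cases_by_bsn(
 user_bsn, max_requests=max_requests, identificatie=identificatie
 )
-
+if vestigingsnummer:
+return self.fetch_cases_for_company(
+max_requests=max_requests,
+zaak_identificatie=identificatie,
+vestigingsnummer=vestigingsnummer,
+)
 if user_kvk or user_rsin:
 user_kvk_or_rsin = user_rsin if user_rsin else user_kvk
-return self.fetch_cases_by_kvk_or_rsin(
-user_kvk_or_rsin,
+return self.fetch_cases_for_company(
+kvk_or_rsin=user_kvk_or_rsin,
 max_requests=max_requests,
 zaak_identificatie=identificatie,
-vestigingsnummer=vestigingsnummer,
 )
 return []
 
@@ -142,36 +146,41 @@ def fetch_cases_by_bsn(
 "{self.base_url}:cases:{kvk_or_rsin}:{vestigingsnummer}:{max_requests}:{zaak_identificatie}",
 timeout=settings.CACHE_ZGW_ZAKEN_TIMEOUT,
 )
-def fetch_cases_by_kvk_or_rsin(
+def fetch_cases_for_company(
 self,
-kvk_or_rsin: str | None,
+kvk_or_rsin: str | None = None,
 max_requests: int | None = 4,
 zaak_identificatie: str | None = None,
 vestigingsnummer: str | None = None,
 ) -> list[Zaak]:
 """
 retrieve cases for particular company with allowed confidentiality level
 
+:param kvk_or_rsin: - used to filter the cases by a KVK number or RSIN (configured via OpenZaakConfig)
 :param max_requests: - used to limit the number of requests to list_zaken resource.
 :param zaak_identificatie: - used to filter the cases by a unique Zaak identification number
 :param vestigingsnummer: - used to filter the cases by a vestigingsnummer
 """
-if not kvk_or_rsin:
-return []
 
 config = OpenZaakConfig.get_solo()
 
 params = {
-"rol__betrokkeneIdentificatie__nietNatuurlijkPersoon__innNnpId": kvk_or_rsin,
 "maximaleVertrouwelijkheidaanduiding": config.zaak_max_confidentiality,
 }
-
 if vestigingsnummer:
 params.update(
 {
 "rol__betrokkeneIdentificatie__vestiging__vestigingsNummer": vestigingsnummer,
 }
 )
+elif kvk_or_rsin:
+params.update(
+{
+"rol__betrokkeneIdentificatie__nietNatuurlijkPersoon__innNnpId": kvk_or_rsin,
+}
+)
+else:
+return []
 
 if zaak_identificatie:
 params.update({"identificatie": zaak_identificatie})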
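Review bot: The docstring of `fetch_cases_for_company` (new lines 156–163) does not state that `vestigingsnummer` takes precedence: when both arguments are given only the vestigingsNummer filter is sent and `kvk_or_rsin` is silently ignored, and when neither is given the method returns `[]` without a request. Suggest adding after the `:param vestigingsnummer:` entry a line such as `Exactly one filter is applied: vestigingsnummer when given, else kvk_or_rsin; with neither, no request is made and [] is returned.` In the first hunk `fetch_cases` now consults `vestigingsnummer` before `user_kvk or user_rsin`, so a caller passing a vestigingsnummer for a user without kvk/rsin gets a lookup where it previously got `[]`; if that is intended, a short comment on the ordering would help. `fetch_cases` starts outside the hunk.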

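--- a/src/open_inwoner/openzaak/tests/test_case_detail.py
+++ b/src/open_inwoner/openzaak/tests/test_case_detail.py
@@ -1596,22 +1596,46 @@ def test_no_access_when_no_roles_are_found_for_user_kvk_or_rsin(self, m):
 )
 
 @set_kvk_branch_number_in_session("1234")
-def test_no_access_as_vestiging_when_no_roles_are_found_for_user_kvk_or_rsin(
-self, m
-):
+def test_access_as_vestiging_when_only_role_for_vestiging(self, m):
 """
 Just having a role with betrokkeneType vestiging that matches for a case
-is not sufficient to have access
+is sufficient to have access.
 """
 self.client.force_login(user=self.eherkenning_user)
 
+# Requires manually setting mocks to avoid default roles on case
 m.get(self.zaak["url"], json=self.zaak)
 m.get(self.zaaktype["url"], json=self.zaaktype)
 m.get(
 f"{ZAKEN_ROOT}rollen?zaak={self.zaak['url']}",
 # no main branch roles for our user found
 json=paginated_response([self.eherkenning_user_role_kvk_vestiging]),
 )
+m.get(f"{ZAKEN_ROOT}zaakinformatieobjecten?zaak={self.zaak['url']}", json=[])
+m.get(
+f"{ZAKEN_ROOT}statussen?zaak={self.zaak['url']}",
+json=paginated_response([self.status_new]),
+)
+m.get(
+f"{ZAKEN_ROOT}statussen/3da89990-c7fc-476a-ad13-c9023450083c",
+json=self.status_new,
+)
+m.get(
+f"{CONTACTMOMENTEN_ROOT}objectcontactmomenten?object={self.zaak['url']}",
+json=paginated_response([]),
+)
+m.get(
+f"{CATALOGI_ROOT}statustypen?zaaktype={self.zaaktype['url']}",
+json=paginated_response(
+[
+self.status_type_new,
+self.status_type_finish,
+]
+),
+)
+m.get(self.status_type_new["url"], json=self.status_type_new)
+m.get(self.result["url"], json=self.result)
+m.get(self.resultaattype_with_naam["url"], json=self.resultaattype_with_naam)
 
 for fetch_eherkenning_zaken_with_rsin in [True, False]:
 with self.subTest(
@@ -1624,10 +1648,8 @@ def test_no_access_as_vestiging_when_no_roles_are_found_for_user_kvk_or_rsin(
 
 response = self.client.get(self.case_detail_url)
 
-self.assertTemplateUsed("pages/cases/403.html")
-self.assertContains(
-response, _("Sorry, you don't have access to this page (403)")
-)
+self.assertEquals(response.status_code, 200)
+self.assertContains(response, self.zaak["identificatie"])
 
 @set_kvk_branch_number_in_session("1234")
 def test_no_access_as_vestiging_when_no_roles_are_found_for_vestigingsnummer(
@@ -1665,6 +1687,7 @@ def test_no_access_as_vestiging_when_no_roles_are_found_for_vestigingsnummer(
 response, _("Sorry, you don't have access to this page (403)")
 )
 
+@set_kvk_branch_number_in_session(value=None)
 def test_no_access_if_fetch_eherkenning_zaken_with_rsin_and_user_has_no_rsin(
 self, m
 ):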
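Review bot: `self.assertEquals(response.status_code, 200)` on new line 1651 uses the deprecated alias `assertEquals`, which no longer exists in Python 3.12; use `self.assertEqual(response.status_code, 200)`. The inline comment `# no main branch roles for our user found` at new line 1611 is carried over from the old test, but the test now asserts that a vestiging role alone grants access, so a wording such as `# only a vestiging role for our user, no kvk/rsin role` would match the new name and docstring. The test method begins in the first hunk and its assertions end in the second, so both hunks belong to the same test.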
