
Testing Tricks

Tips for local development and debugging in Alan Home.

Frontend: Impersonating another user

The app resolves the current user via useAuthenticatedUser() in frontend/apps/eu-home-app/utils/auth.ts, which calls GET /alaners/authenticated. The backend resolves the caller from current_auth_context.effective_principal.id.

To impersonate someone else, change the queryFn URL in useAuthenticatedUser():

// By integer ID
const response = await apiClient("/alaners/42");

// By Slack handle, GitHub handle, or email
const response = await apiClient("/alaners/john.doe");

The backend endpoints GET /alaners/<int:alaner_id> and GET /alaners/<string:slack_or_github_handle_or_email> (in alan_home/api/alaners/blueprint.py) return the same AlanerFullSchema without auth-context checks. Since the result is cached under ["users", "authenticated"], the entire app will behave as if you are that user.

Warning

Don't commit this change. It's a local-only trick.

Backend: Bypassing or granting permissions

1. Automatic local bypass

can_actor_bypass_permissions() in shared/iam/helpers.py returns True when OAuth is disabled and the request comes from an authorized network:

def can_actor_bypass_permissions() -> bool:
    return not is_oauth_enabled() and is_from_authorized_location()

In local dev with OAuth disabled, permission checks via has_permission may already be skipped. To verify, add a log or breakpoint in can_actor_bypass_permissions() and confirm it returns True.

2. Temporarily edit the permission checker

For endpoints decorated with @enforce_policy, you can make the policy's evaluate() method return True:

# In the relevant AccessPolicy subclass
@classmethod
def evaluate(cls, **kwargs) -> bool:
    return True  # temporary bypass

For code using has_permission() (in shared/iam/permissions.py), short-circuit the function:

def has_permission(user, requested_permissions, stack_level=2) -> bool:
    return True  # temporary bypass

Warning

These are temporary local edits. Don't commit them.
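
One way to back this warning with an automated check, as an added example that is not part of the Alan Home code base: a pre-commit style scanner that flags has_permission(), evaluate() or can_actor_bypass_permissions() when the first real statement is an unconditional return True. The function names come from this page; SAMPLE, DemoPolicy and the command-line wrapper are constructed for illustration, and matching evaluate() by name alone (without checking for an AccessPolicy subclass) is a simplifying assumption.

```python
import ast
import sys
from pathlib import Path

# Names taken from the page. evaluate() is matched by name only (assumption).
GUARDED = {"has_permission", "evaluate", "can_actor_bypass_permissions"}

# Constructed sample: a bypassed checker, an intact helper, a bypassed policy.
SAMPLE = '''
def has_permission(user, requested_permissions, stack_level=2) -> bool:
    return True  # temporary bypass
    return _check(user, requested_permissions)

def can_actor_bypass_permissions() -> bool:
    return not is_oauth_enabled() and is_from_authorized_location()

class DemoPolicy:
    @classmethod
    def evaluate(cls, **kwargs) -> bool:
        """Hypothetical policy used only for this sample."""
        return True
'''


def _is_docstring(stmt):
    return (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Constant)
            and isinstance(stmt.value.value, str))


def find_unconditional_allows(source, filename="<string>"):
    """Return sorted (line, name) pairs for guarded functions that start with `return True`."""
    findings, funcs = [], (ast.FunctionDef, ast.AsyncFunctionDef)
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, funcs) or node.name not in GUARDED:
            continue
        first = next((s for s in node.body if not _is_docstring(s)), None)
        # Original logic left below the early return is dead code: still a bypass.
        if (isinstance(first, ast.Return) and isinstance(first.value, ast.Constant)
                and first.value.value is True):
            findings.append((node.lineno, node.name))
    return sorted(findings)


if __name__ == "__main__":
    # Scan the files given on the command line; exit 1 if any bypass is found.
    hits = [(p, *f) for p in sys.argv[1:]
            for f in find_unconditional_allows(Path(p).read_text(encoding="utf-8"), p)]
    for path, line, name in hits:
        print(f"{path}:{line}: {name}() unconditionally returns True")
    sys.exit(1 if hits else 0)
```

Run it against the staged Python files from a pre-commit hook or CI job; a non-zero exit blocks the commit.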

3. Grant yourself the permission in DB

Use the role management system (RoleGrant / RoleRequest models in user_lifecycle/models/) to grant yourself the needed EmployeePermission. You can either:

  • Use the role management UI in Alan Home (if available for the permission)
  • Insert a RoleGrant directly in your local database, setting grantee_alaner_id to your alaner ID, role_id to the target role, and appropriate starts_at / ends_at values