def test_removeRoleFromPrincipal_existing(self):
root = FauxPAS()
zrm = self._makeOne(id='remove_existing').__of__(root)
zrm.addRole('test')
zrm.assignRoleToPrincipal('test', 'foo')
zrm.assignRoleToPrincipal('test', 'bar')
zrm.assignRoleToPrincipal('test', 'baz')
assigned = [x[0] for x in zrm.listAssignedPrincipals('test')]
self.assertEqual(len(assigned), 3)
self.failUnless('foo' in assigned)
self.failUnless('bar' in assigned)
self.failUnless('baz' in assigned)
removed = zrm.removeRoleFromPrincipal('test', 'bar')
self.failUnless(removed)
assigned = [x[0] for x in zrm.listAssignedPrincipals('test')]
self.assertEqual(len(assigned), 2)
self.failUnless('foo' in assigned)
self.failIf('bar' in assigned)
self.failUnless('baz' in assigned)
def test_manage_removeRoles_POST_permissions(self):
ROLE_ID = 'myrole'
root = FauxPAS()
zrm = self._makeOne(id='remove_existing').__of__(root)
zrm = self._makeOne()
zrm.addRole(ROLE_ID)
req, res = makeRequestAndResponse()
req.set('REQUEST_METHOD', 'GET')
req.set('method', 'GET')
req.set('SESSION', {})
self.assertRaises(Forbidden,
zrm.manage_removeRoles, [ROLE_ID],
RESPONSE=res,
REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
req.set('method', 'POST')
self.assertRaises(Forbidden,
zrm.manage_removeRoles, [ROLE_ID],
RESPONSE=res,
REQUEST=req)
req.form['csrf_token'] = 'deadbeef'
req.SESSION['_csrft_'] = 'deadbeef'
zrm.manage_removeRoles([ROLE_ID], RESPONSE=res, REQUEST=req)
def test_roles_for_control_panel(self):
"""There's a special case, the users control panel for which
we should never grant to users the roles they have got through
the groups they belong.
In that intent, the control panels view pushes
'__ignore_group_roles__' = True
in the request.
"""
root = FauxPAS()
# Add a minimal PluginRegistry with a mock IGroupsPlugin, because the
# roles plugin depends on it:
root._setObject('plugins', PluginRegistry(_PLUGIN_TYPE_INFO))
root._setObject('groups', FauxGroupsPlugin())
root['plugins'].activatePlugin(IGroupsPlugin, 'groups')
garm = self._makeOne('garm').__of__(root)
# 2 roles
garm.addRole('foo_role')
garm.addRole('bar_role')
# Group 'somegroup' has 'bar_role'
garm.assignRoleToPrincipal('bar_role', 'somegroup')
# 'johndoe' has 'foo_role'
johndoe = DummyUser('johndoe', ('somegroup',))
garm.assignRoleToPrincipal('foo_role', 'johndoe')
# 'johndoe' should have 'foo_role' and 'bar_roles'
got = garm.getRolesForPrincipal(johndoe)
expected = ['foo_role', 'bar_role']
self.assertEqual(set(got), set(expected))
# For the users control panel, johndoe has only the 'foo_role'
garm.REQUEST.set('__ignore_group_roles__', True)
got = garm.getRolesForPrincipal(johndoe)
self.assertEqual(got, ('foo_role',))
# Confirm we can get only the inherited roles
garm.REQUEST.set('__ignore_group_roles__', False)
garm.REQUEST.set('__ignore_direct_roles__', True)
got = garm.getRolesForPrincipal(johndoe)
self.assertEqual(got, ('bar_role',))
return
def test_assignRoleToPrincipal_already(self):
root = FauxPAS()
zrm = self._makeOne(id='assign_already').__of__(root)
zrm.addRole('test')
zrm.assignRoleToPrincipal('test', 'foo')
new = zrm.assignRoleToPrincipal('test', 'foo')
self.failIf(new)
assigned = [x[0] for x in zrm.listAssignedPrincipals('test')]
self.assertEqual(len(assigned), 1)
self.assertEqual(assigned[0], 'foo')
def test_removeRole_POST_permissions(self):
ROLE_ID = 'myrole'
root = FauxPAS()
zrm = self._makeOne(id='remove_existing').__of__(root)
zrm = self._makeOne()
zrm.addRole(ROLE_ID)
req, res = makeRequestAndResponse()
req.set('REQUEST_METHOD', 'GET')
req.set('method', 'GET')
self.assertRaises(Forbidden, zrm.removeRole, ROLE_ID, REQUEST=req)
# Works with a POST
req.set('REQUEST_METHOD', 'POST')
req.set('method', 'POST')
zrm.removeRole(ROLE_ID, REQUEST=req)
def test_removeRoleFromPrincipal_noop(self):
root = FauxPAS()
zrm = self._makeOne(id='remove_noop').__of__(root)
zrm.addRole('test')
zrm.assignRoleToPrincipal('test', 'foo')
zrm.assignRoleToPrincipal('test', 'baz')
assigned = [x[0] for x in zrm.listAssignedPrincipals('test')]
self.assertEqual(len(assigned), 2)
self.assertTrue('foo' in assigned)
self.assertTrue('baz' in assigned)
removed = zrm.removeRoleFromPrincipal('test', 'bar')
self.assertFalse(removed)
def test_multiplePrincipalsPerGroup(self):
pas = FauxPAS()
zgm = self._makeOne().__of__(pas)
zgm.addGroup('group1')
zgm.addGroup('group2')
user1 = DummyUser('userid1')
user2 = DummyUser('userid2')
zgm.addPrincipalToGroup(user1.getId(), 'group1')
zgm.addPrincipalToGroup(user1.getId(), 'group2')
zgm.addPrincipalToGroup(user2.getId(), 'group2')
group_ids = zgm.listGroupIds()
self.assertEqual(len(group_ids), 2)
principals = zgm.listAssignedPrincipals('group2')
self.assertEqual(principals, [('userid1', 'userid1'),
('userid2', 'userid2')])
def test_manage_removeRoleFromPricipal_POS_permissionsT(self):
USER_ID = 'testuser'
ROLE_ID = 'myrole'
root = FauxPAS()
zrm = self._makeOne(id='remove_existing').__of__(root)
zrm = self._makeOne()
zrm.addRole(ROLE_ID)
req, res = makeRequestAndResponse()
req.set('REQUEST_METHOD', 'GET')
req.set('method', 'GET')
self.assertRaises(Forbidden, zrm.manage_removeRoleFromPrincipals,
ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
req.set('method', 'POST')
zrm.manage_removeRoleFromPrincipals(ROLE_ID, [USER_ID], RESPONSE=res,
REQUEST=req)
def test_assignRoleToPrincipal_POST_permissions(self):
USER_ID = 'testuser'
ROLE_ID = 'myrole'
root = FauxPAS()
zrm = self._makeOne(id='remove_existing').__of__(root)
zrm = self._makeOne()
zrm.addRole(ROLE_ID)
req, res = makeRequestAndResponse()
# Fails with a GET
req.set('REQUEST_METHOD', 'GET')
req.set('method', 'GET')
self.assertRaises(Forbidden, zrm.assignRoleToPrincipal,
ROLE_ID, USER_ID, REQUEST=req)
# Works with a POST
req.set('REQUEST_METHOD', 'POST')
req.set('method', 'POST')
zrm.assignRoleToPrincipal(ROLE_ID, USER_ID, REQUEST=req)
def test_roles_for_control_panel(self):
"""There's a special case, the users control panel for which
we should never grant to users the roles they have got through
the groups they belong.
In that intent, the control panels view pushes
'__ignore_group_roles__' = True
in the request.
"""
root = FauxPAS()
# Add a minimal PluginRegistry with a mock IGroupsPlugin, because the
# roles plugin depends on it:
root._setObject('plugins', PluginRegistry(_PLUGIN_TYPE_INFO))
root._setObject('groups', FauxGroupsPlugin())
root['plugins'].activatePlugin(IGroupsPlugin, 'groups')
garm = self._makeOne('garm').__of__(root)
# 2 roles
garm.addRole('foo_role')
garm.addRole('bar_role')
# Group 'somegroup' has 'bar_role'
garm.assignRoleToPrincipal('bar_role', 'somegroup')
# 'johndoe' has 'foo_role'
johndoe = DummyUser('johndoe', ('somegroup', ))
garm.assignRoleToPrincipal('foo_role', 'johndoe')
# 'johndoe' should have 'foo_role' and 'bar_roles'
got = garm.getRolesForPrincipal(johndoe)
expected = ['foo_role', 'bar_role']
self.assertEqual(set(got), set(expected))
# For the users control panel, johndoe has only the 'foo_role'
garm.REQUEST.set('__ignore_group_roles__', True)
got = garm.getRolesForPrincipal(johndoe)
self.assertEqual(got, ('foo_role', ))
# Confirm we can get only the inherited roles
garm.REQUEST.set('__ignore_group_roles__', False)
garm.REQUEST.set('__ignore_direct_roles__', True)
got = garm.getRolesForPrincipal(johndoe)
self.assertEqual(got, ('bar_role', ))
return
def testPOSTProtections(self):
from zExceptions import Forbidden
USER_ID = 'testuser'
ROLE_ID = 'myrole'
root = FauxPAS()
zrm = self._makeOne(id='remove_existing').__of__(root)
zrm = self._makeOne()
zrm.addRole(ROLE_ID)
user = DummyUser(USER_ID)
req, res = makeRequestAndResponse()
# Fails with a GET
# test assignRoleToPrincipal
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden,
zrm.assignRoleToPrincipal,
ROLE_ID,
USER_ID,
REQUEST=req)
# Works with a POST
req.set('REQUEST_METHOD', 'POST')
zrm.assignRoleToPrincipal(ROLE_ID, USER_ID, REQUEST=req)
# test removeRoleFromPricipal
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden,
zrm.removeRoleFromPrincipal,
ROLE_ID,
USER_ID,
REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
zrm.removeRoleFromPrincipal(ROLE_ID, USER_ID, REQUEST=req)
# test removeRole
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden, zrm.removeRole, ROLE_ID, REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
zrm.removeRole(ROLE_ID, REQUEST=req)
# Readd the role for the manage_* methods
zrm.addRole(ROLE_ID)
# test manage_assignRoleToPrincipal
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden,
zrm.manage_assignRoleToPrincipals,
ROLE_ID, [USER_ID],
RESPONSE=res,
REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
zrm.manage_assignRoleToPrincipals(ROLE_ID, [USER_ID],
RESPONSE=res,
REQUEST=req)
# test manage_removeRoleFromPricipal
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden,
zrm.manage_removeRoleFromPrincipals,
ROLE_ID, [USER_ID],
RESPONSE=res,
REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
zrm.manage_removeRoleFromPrincipals(ROLE_ID, [USER_ID],
RESPONSE=res,
REQUEST=req)
# test manage_removeRoles
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden,
zrm.manage_removeRoles, [ROLE_ID],
RESPONSE=res,
REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
zrm.manage_removeRoles([ROLE_ID], RESPONSE=res, REQUEST=req)
