def _group_implicit_perms(cls, group, resource=None):
group_id, resource_id = cls.entity_resource_id(group, resource)
if group_id == resource_id:
return allowed(Permission.SEE) # Only return SEE, not ALL.
elif resource is None:
return allowed(Permission.CREATE),
return ()
def test_overwrite_and_delete_permissions(self):
"""Assert same objects are used when overwriting permissions."""
# Allow
self.allow(self.entities[0], Permission.SEE, self.resources[0])
access_rule_allow = self.access_model.objects.get(
entity=self.entities[0].id, perm=allowed(Permission.SEE),
resource=self.resources[0].id)
assert access_rule_allow
# Deny
self.deny(self.entities[0], Permission.SEE, self.resources[0])
access_rule_deny = self.access_model.objects.get(
entity=self.entities[0].id, perm=denied(Permission.SEE),
resource=self.resources[0].id)
assert access_rule_deny
# Allow again
self.allow(self.entities[0], Permission.SEE, self.resources[0])
access_rule_allow_again = self.access_model.objects.get(
entity=self.entities[0].id, perm=allowed(Permission.SEE),
resource=self.resources[0].id)
assert access_rule_allow_again
assert access_rule_allow == access_rule_deny == access_rule_allow_again
# Forget
self.forget(self.entities[0], Permission.SEE, self.resources[0])
with pytest.raises(self.access_model.DoesNotExist) as e:
self.access_model.objects.get(
entity=self.entities[0].id, perm=denied(Permission.SEE),
resource=self.resources[0].id)
assert 'matching query does not exist' in str(e.value)
def test_permission_class(self):
"""Test conversions of permissions (allowed, denied)."""
for perm in Permission.ALL:
assert is_allowed(allowed(perm))
assert is_denied(denied(perm))
for perm in Permission.ALLOW_ALL:
assert is_allowed(perm)
for perm in Permission.DENY_ALL:
assert is_denied(perm)
def implicit_perms(cls, entity, resource=None):
"""
Implicit permissions based on IDs.
If the entity has the same id than the resource, then we assume he has
all permissions on the resource.
If resource is None, then the entity has permission to create this
type of resource.
Else, he has no permissions at all.
"""
entity_id, resource_id = cls.entity_resource_id(entity, resource)
if entity_id == resource_id:
return Permission.ALLOW_ALL
elif resource is None:
return allowed(Permission.CREATE),
return ()
def implicit_perms(cls, entity, resource=None):
"""Return some perms (always)."""
return allowed(Permission.SEE), denied(Permission.CHANGE)