def test_deny_access_for_single_user(self):
    """A deny ACE on one user's own project role removes that user's wiki read access."""
    wiki_app = c.project.app_instance('wiki')
    target = M.User.by_username('test-user')

    # Baseline: has_access() returns a callable; calling it gives the decision.
    may_read = has_access(wiki_app, 'read', target)
    assert may_read()

    # Deny 'read' for the role tied to this single user. 'Spammer' is the
    # third argument of ACE.deny (presumably the recorded reason -- confirm).
    own_role = M.ProjectRole.by_user(target, upsert=True)
    deny_entry = M.ACE.deny(own_role._id, 'read', 'Spammer')
    wiki_app.acl.append(deny_entry)

    # Reset the Credentials object (presumably its cached role lookups)
    # before asking again, so the new ACL entry is taken into account.
    Credentials.get().clear()
    assert not has_access(wiki_app, 'read', target)()
def test_make_app_admin_only():
    """Verify that h.make_app_admin_only() restricts the wiki app to the admin.

    Anonymous, developer and admin access is asserted before the call and
    again after it, for 'read', 'create' and app visibility.
    """
    h.set_context("test", "wiki", neighborhood="Projects")
    anon = M.User.anonymous()
    # NOTE(review): both usernames are masked identically in this listing;
    # the original presumably looks up two different accounts.
    dev = M.User.query.get(username="******")
    admin = M.User.query.get(username="******")
    c.project.add_user(dev, ["Developer"])
    ThreadLocalORMSession.flush_all()
    Credentials.get().clear()

    def expect(rows):
        # Each row is (permission, expected outcome per user) with users in
        # anon/dev/admin order; permission None selects is_visible_to().
        for perm, wanted in rows:
            for who, allowed in zip((anon, dev, admin), wanted):
                if perm is None:
                    outcome = c.app.is_visible_to(who)
                else:
                    outcome = has_access(c.app, perm, user=who)()
                assert outcome if allowed else not outcome

    # Before the restriction only anonymous 'create' is refused.
    expect([
        ("read", (True, True, True)),
        ("create", (False, True, True)),
        (None, (True, True, True)),
    ])

    h.make_app_admin_only(c.app)
    ThreadLocalORMSession.flush_all()
    Credentials.get().clear()

    # Afterwards the developer must be locked out as well, not just anonymous.
    expect([
        ("read", (False, False, True)),
        ("create", (False, False, True)),
        (None, (False, False, True)),
    ])
Beispiel #3
def test_make_app_admin_only():
    """Check wiki access for anon, developer and admin around h.make_app_admin_only()."""
    h.set_context('test', 'wiki', neighborhood='Projects')
    anon = M.User.anonymous()
    # NOTE(review): the two usernames are masked to the same value in this
    # listing; presumably they name different accounts in the original.
    dev = M.User.query.get(username='******')
    admin = M.User.query.get(username='******')
    c.project.add_user(dev, ['Developer'])
    ThreadLocalORMSession.flush_all()
    Credentials.get().clear()

    everyone = (anon, dev, admin)
    non_admins = (anon, dev)

    # Initial state: everybody reads and sees the app, anonymous cannot create.
    for who in everyone:
        assert has_access(c.app, 'read', user=who)()
    assert not has_access(c.app, 'create', user=anon)()
    for who in (dev, admin):
        assert has_access(c.app, 'create', user=who)()
    for who in everyone:
        assert c.app.is_visible_to(who)

    h.make_app_admin_only(c.app)
    ThreadLocalORMSession.flush_all()
    Credentials.get().clear()

    # Restricted state: every check must now fail for non-admins and still
    # pass for the admin.
    for perm in ('read', 'create'):
        for who in non_admins:
            assert not has_access(c.app, perm, user=who)()
        assert has_access(c.app, perm, user=admin)()
    for who in non_admins:
        assert not c.app.is_visible_to(who)
    assert c.app.is_visible_to(admin)
Beispiel #4
 def test_deny_access_for_single_user(self):
     """Deny 'read' on the wiki for one user's own role and check it takes effect."""
     wiki = c.project.app_instance('wiki')
     user = M.User.by_username('test-user')

     def can_read():
         # has_access() hands back a callable; the call produces the decision.
         return has_access(wiki, 'read', user)()

     assert can_read()

     # The deny entry targets the project role belonging to this user only.
     role_id = M.ProjectRole.by_user(user, upsert=True)._id
     wiki.acl.append(M.ACE.deny(role_id, 'read', 'Spammer'))

     # Reset the Credentials object before re-checking (presumably it caches
     # role lookups that would otherwise hide the ACL change).
     Credentials.get().clear()
     assert not can_read()
    def prepare_context(self, context):
        """Extend the parent context with role data, lazy defaults and typed options.

        Roles for the current user and for every listed project are loaded
        into the Credentials object up front. 'sitemaps', 'icon_urls' and
        'accolades_index' are computed only when the parent left them None.
        Unicode option values are converted to int / bool.
        """
        response = super(ProjectList, self).prepare_context(context)
        cred = Credentials.get()
        projects = response['projects']
        project_ids = [p._id for p in projects]
        cred.load_user_roles(c.user._id, *project_ids)
        cred.load_project_roles(*project_ids)

        lazy_defaults = (
            ('sitemaps', M.Project.menus),
            ('icon_urls', M.Project.icon_urls),
            ('accolades_index', M.Project.accolades_index),
        )
        for key, build in lazy_defaults:
            if response[key] is None:
                response[key] = build(projects)

        # int() raises ValueError on a non-numeric string; that is not
        # handled here.
        if type(response['columns']) == unicode:
            response['columns'] = int(response['columns'])

        # Only exact unicode values are converted; any text outside this
        # list becomes False.
        true_list = ['true', 't', '1', 'yes', 'y']
        for flag in ('show_proj_icon', 'show_download_button', 'show_awards_banner'):
            if type(response[flag]) == unicode:
                response[flag] = response[flag].lower() in true_list

        return response
Beispiel #6
    def prepare_context(self, context):
        """Prepare the project-list context: preload roles, fill defaults, coerce options."""
        response = super(ProjectList, self).prepare_context(context)
        credentials = Credentials.get()
        listed = response['projects']
        ids = [project._id for project in listed]

        # Load roles in bulk for the current user and for all listed projects.
        credentials.load_user_roles(c.user._id, *ids)
        credentials.load_project_roles(*ids)

        # Values the parent left as None are computed from the project list.
        if response['sitemaps'] is None:
            response['sitemaps'] = M.Project.menus(listed)
        if response['icon_urls'] is None:
            response['icon_urls'] = M.Project.icon_urls(listed)
        if response['accolades_index'] is None:
            response['accolades_index'] = M.Project.accolades_index(listed)

        columns = response['columns']
        if type(columns) == unicode:
            # A non-numeric string makes int() raise ValueError (not caught here).
            response['columns'] = int(columns)

        truthy = ['true', 't', '1', 'yes', 'y']
        for option in ('show_proj_icon', 'show_download_button', 'show_awards_banner'):
            raw = response[option]
            # Values that are not exactly unicode are left as they are.
            if type(raw) == unicode:
                response[option] = raw.lower() in truthy

        return response
Beispiel #7
    def zarkov_event(self, event_type, user=None, neighborhood=None, project=None, app=None, extra=None):
        """Send an event to Zarkov, tagged with the acting user, project and tool.

        Does nothing when no "zarkov.host" is configured. ``user``, ``project``
        and ``app`` fall back to the matching attributes of ``c`` when present.
        The ``neighborhood`` argument is not read; the neighborhood comes from
        the project. Errors raised while creating the client or sending the
        event are logged instead of propagated.
        """
        if not config.get("zarkov.host"):
            return

        context = dict(
            user=None,
            neighborhood=None,
            project=None,
            tool=None,
            mount_point=None,
            is_project_member=False,
        )

        user = user or getattr(c, "user", None)
        project = project or getattr(c, "project", None)
        app = app or getattr(c, "app", None)

        if user:
            context["user"] = user.username
        if project:
            context["project"] = project.shortname
            context["neighborhood"] = project.neighborhood.url_prefix.strip("/")
            credentials = Credentials.get() if user else None
            if credentials is not None:
                roles = credentials.user_roles(user._id, project._id).reaching_roles
                for role in roles:
                    role_name = role.get("name")
                    # Roles whose name starts with '*' do not count as
                    # membership (presumably built-in pseudo-roles -- confirm).
                    if role_name and role_name[0] != "*":
                        context["is_project_member"] = True
        if app:
            context["tool"] = app.config.tool_name
            context["mount_point"] = app.config.options.mount_point

        try:
            if self._zarkov is None:
                # The guard at the top already returned when zarkov.host is
                # unset or empty, so this default is not expected to be used.
                endpoint = config.get("zarkov.host", "tcp://127.0.0.1:6543")
                self._zarkov = ZarkovClient(endpoint)
            self._zarkov.event(event_type, context, extra)
        except Exception, ex:
            # Drop the client so the next call builds a new one.
            self._zarkov = None
            # The failed event, including the username in context and the
            # caller-supplied extra, is written to the error log.
            failed_event = dict(type=event_type, context=context, extra=extra)
            log.error("Error sending zarkov event(%r): %r", ex, failed_event)
Beispiel #8
    def test_private_ticket(self):
        """Toggle Ticket.private and check the resulting ACL and access decisions.

        While private, the ACL grants ALL_PERMISSIONS to the Developer role
        and to the reporter's own role and ends with DENY_ALL; once public
        again the ACL is empty.
        """
        from pylons import c
        from allura.model import ProjectRole, User
        from allura.model import ACE, ALL_PERMISSIONS, DENY_ALL
        from allura.lib.security import Credentials, has_access
        from allura.websetup import bootstrap

        admin = c.user
        creator = bootstrap.create_user('Not a Project Admin')
        developer = bootstrap.create_user('Project Developer')
        observer = bootstrap.create_user('Random Non-Project User')
        anon = User(_id=None, username='******', display_name='Anonymous')
        t = Ticket(summary='my ticket', ticket_num=3, reported_by_id=creator._id)

        assert creator == t.reported_by
        role_admin = ProjectRole.by_name('Admin')._id  # looked up, not used below
        role_developer = ProjectRole.by_name('Developer')._id
        role_creator = t.reported_by.project_role()._id
        developer.project_role().roles.append(role_developer)
        cred = Credentials.get().clear()  # the result of clear() is not used below

        def allowed(perm, who):
            return has_access(t, perm, user=who)()

        rcu = ('read', 'create', 'update')

        t.private = True
        assert t.acl == [
            ACE.allow(role_id, ALL_PERMISSIONS)
            for role_id in (role_developer, role_creator)
        ] + [DENY_ALL]
        # Admin, reporter and developer keep full access to the private ticket...
        for who in (admin, creator, developer):
            for perm in rcu:
                assert allowed(perm, who)
        # ...while an unrelated user and the anonymous user get nothing, not even 'read'.
        for who in (observer, anon):
            for perm in rcu:
                assert not allowed(perm, who)

        t.private = False
        assert t.acl == []
        for who in (admin, developer):
            for perm in rcu:
                assert allowed(perm, who)
        # On a public ticket the reporter can read and post unmoderated but
        # has no 'create' or 'update'.
        assert allowed('read', creator)
        assert allowed('unmoderated_post', creator)
        assert not allowed('create', creator)
        assert not allowed('update', creator)
        assert allowed('read', observer)
        assert allowed('read', anon)
Beispiel #9
    def test_private_ticket(self):
        """Check the ACL and per-user access of a ticket while private and after making it public."""
        from pylons import c
        from allura.model import ProjectRole, User
        from allura.model import ACE, ALL_PERMISSIONS, DENY_ALL
        from allura.lib.security import Credentials, has_access
        from allura.websetup import bootstrap

        admin = c.user
        creator = bootstrap.create_user('Not a Project Admin')
        developer = bootstrap.create_user('Project Developer')
        observer = bootstrap.create_user('Random Non-Project User')
        anon = User(
            _id=None,
            username='******',
            display_name='Anonymous',
        )
        t = Ticket(
            summary='my ticket',
            ticket_num=3,
            reported_by_id=creator._id,
        )

        assert creator == t.reported_by
        # role_admin and cred are assigned but never read afterwards.
        role_admin = ProjectRole.by_name('Admin')._id
        role_developer = ProjectRole.by_name('Developer')._id
        role_creator = t.reported_by.project_role()._id
        developer.project_role().roles.append(role_developer)
        cred = Credentials.get().clear()

        def verify(rows):
            # rows: (user, permission, expected) triples, checked in order.
            for who, perm, expected in rows:
                decision = has_access(t, perm, user=who)()
                assert decision if expected else not decision

        perms = ('read', 'create', 'update')

        t.private = True
        # Private ACL: two allow entries followed by DENY_ALL as the last entry.
        assert t.acl == [
            ACE.allow(role_developer, ALL_PERMISSIONS),
            ACE.allow(role_creator, ALL_PERMISSIONS),
            DENY_ALL,
        ]
        verify(
            [(who, perm, True) for who in (admin, creator, developer) for perm in perms]
            + [(who, perm, False) for who in (observer, anon) for perm in perms]
        )

        t.private = False
        assert t.acl == []
        verify(
            [(who, perm, True) for who in (admin, developer) for perm in perms]
            + [
                (creator, 'read', True),
                (creator, 'unmoderated_post', True),
                (creator, 'create', False),
                (creator, 'update', False),
                (observer, 'read', True),
                (anon, 'read', True),
            ]
        )
Beispiel #10
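 def new_projects(self, **kwargs):
     """List non-deleted projects created inside a time window, newest first.

     The window comes from the ``start-dt`` / ``end-dt`` keyword arguments in
     '%Y/%m/%d %H:%M:%S' format. A missing or unparseable ``start-dt``
     becomes now + 1 day (UTC); a missing or unparseable ``end-dt`` becomes
     three days before the start. Projects in the 'Users' neighborhood are
     excluded.

     Returns a dict with the projects, the window bounds and relative URLs
     for the next newer and older window of the same length.
     """
     date_format = '%Y/%m/%d %H:%M:%S'
     start_dt = kwargs.pop('start-dt', '')
     end_dt = kwargs.pop('end-dt', '')
     # Both values are caller-supplied. Anything that does not parse falls
     # back to a default; TypeError covers a value that is not a string.
     try:
         start_dt = datetime.strptime(start_dt, date_format)
     except (ValueError, TypeError):
         start_dt = datetime.utcnow() + timedelta(days=1)
     try:
         end_dt = datetime.strptime(end_dt, date_format)
     except (ValueError, TypeError):
         # A non-empty malformed value used to be kept as a string here and
         # then failed in ObjectId.from_datetime() below.
         end_dt = start_dt - timedelta(days=3)
     # ObjectIds built from the window bounds let the query filter on _id.
     start = bson.ObjectId.from_datetime(start_dt)
     end = bson.ObjectId.from_datetime(end_dt)
     nb = M.Neighborhood.query.get(name='Users')
     projects = (M.Project.query.find({
         'neighborhood_id': {
             '$ne': nb._id
         },
         'deleted': False,
         '_id': {
             '$lt': start,
             '$gt': end
         },
     }).sort('_id', -1)).all()
     # pre-populate roles cache, so we won't query mongo for roles for every project
     # when getting admins with p.admins() in a template
     Credentials.get().load_project_roles(*[p._id for p in projects])
     # Paging links shift the whole window by its own length.
     step = start_dt - end_dt
     params = request.params.copy()
     params['start-dt'] = (start_dt + step).strftime(date_format)
     params['end-dt'] = (end_dt + step).strftime(date_format)
     newer_url = tg.url(params=params).lstrip('/')
     params['start-dt'] = (start_dt - step).strftime(date_format)
     params['end-dt'] = (end_dt - step).strftime(date_format)
     older_url = tg.url(params=params).lstrip('/')
     return {
         'projects': projects,
         'newer_url': newer_url,
         'older_url': older_url,
         'window_start': start_dt,
         'window_end': end_dt,
     }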
Beispiel #11
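 def new_projects(self, **kwargs):
     """Return the non-deleted projects whose _id falls inside a time window.

     ``start-dt`` and ``end-dt`` ('%Y/%m/%d %H:%M:%S') bound the window.
     Values that are missing or cannot be parsed are replaced by defaults:
     now + 1 day (UTC) for the start, start - 3 days for the end. The 'Users'
     neighborhood is left out. The result also carries relative URLs for the
     adjacent newer and older windows.
     """
     stamp = '%Y/%m/%d %H:%M:%S'
     start_dt = kwargs.pop('start-dt', '')
     end_dt = kwargs.pop('end-dt', '')
     # Caller-supplied values: unparseable input (ValueError) or a value
     # that is not a string (TypeError) selects the default.
     try:
         start_dt = datetime.strptime(start_dt, stamp)
     except (ValueError, TypeError):
         start_dt = datetime.utcnow() + timedelta(days=1)
     try:
         end_dt = datetime.strptime(end_dt, stamp)
     except (ValueError, TypeError):
         # Always use the default: keeping a malformed non-empty string, as
         # before, made ObjectId.from_datetime() below raise.
         end_dt = start_dt - timedelta(days=3)
     start = bson.ObjectId.from_datetime(start_dt)
     end = bson.ObjectId.from_datetime(end_dt)
     nb = M.Neighborhood.query.get(name='Users')
     projects = (M.Project.query.find({
         'neighborhood_id': {'$ne': nb._id},
         'deleted': False,
         '_id': {'$lt': start, '$gt': end},
     }).sort('_id', -1)).all()
     # pre-populate roles cache, so we won't query mongo for roles for every project
     # when getting admins with p.admins() in a template
     Credentials.get().load_project_roles(*[p._id for p in projects])
     # The newer/older links move both bounds by the window length.
     step = start_dt - end_dt
     params = request.params.copy()
     params['start-dt'] = (start_dt + step).strftime(stamp)
     params['end-dt'] = (end_dt + step).strftime(stamp)
     newer_url = tg.url(params=params).lstrip('/')
     params['start-dt'] = (start_dt - step).strftime(stamp)
     params['end-dt'] = (end_dt - step).strftime(stamp)
     older_url = tg.url(params=params).lstrip('/')
     return {
         'projects': projects,
         'newer_url': newer_url,
         'older_url': older_url,
         'window_start': start_dt,
         'window_end': end_dt,
     }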
    def zarkov_event(self,
                     event_type,
                     user=None,
                     neighborhood=None,
                     project=None,
                     app=None,
                     extra=None):
        """Send an event to Zarkov with user, project and tool context.

        Returns without doing anything when ``zmq`` is falsy. ``user``,
        ``project`` and ``app`` default to the matching attributes of ``c``
        when they exist. The ``neighborhood`` argument is not read. Errors
        raised while creating the client or sending are logged, not raised.
        """
        if not zmq:
            return

        context = dict(user=None,
                       neighborhood=None,
                       project=None,
                       tool=None,
                       mount_point=None,
                       is_project_member=False)

        user = user or getattr(c, 'user', None)
        project = project or getattr(c, 'project', None)
        app = app or getattr(c, 'app', None)

        if user:
            context['user'] = user.username
        if project:
            context['project'] = project.shortname
            context['neighborhood'] = project.neighborhood.url_prefix.strip('/')
            credentials = Credentials.get() if user else None
            if credentials is not None:
                reaching = credentials.user_roles(
                    user._id, project._id).reaching_roles
                for role in reaching:
                    role_name = role.get('name')
                    # Names starting with '*' are skipped (presumably
                    # built-in pseudo-roles -- confirm).
                    if role_name and role_name[0] != '*':
                        context['is_project_member'] = True
        if app:
            context['tool'] = app.config.tool_name
            context['mount_point'] = app.config.options.mount_point

        try:
            if self._zarkov is None:
                endpoint = config.get('zarkov.host', 'tcp://127.0.0.1:6543')
                self._zarkov = ZarkovClient(endpoint)
            self._zarkov.event(event_type, context, extra)
        except Exception, ex:
            # Forget the client so a later call creates a fresh one.
            self._zarkov = None
            # The logged dict contains the username and the caller-supplied extra.
            failed_event = dict(type=event_type, context=context, extra=extra)
            log.error('Error sending zarkov event(%r): %r', ex, failed_event)
Beispiel #13
    def prepare_context(self, context):
        """Preload roles and normalise the display options of the project list.

        The three ``show_*`` options are passed through asbool(); icon URLs
        and the accolades index are computed only when still None and the
        matching option is enabled.
        """
        response = super(ProjectList, self).prepare_context(context)
        credentials = Credentials.get()
        listed = response['projects']
        ids = [project._id for project in listed]
        credentials.load_user_roles(c.user._id, *ids)
        credentials.load_project_roles(*ids)

        for option in ('show_proj_icon', 'show_download_button', 'show_awards_banner'):
            response[option] = asbool(response[option])

        # Skip the lookups for parts of the widget that are switched off.
        if response['icon_urls'] is None:
            if response['show_proj_icon']:
                response['icon_urls'] = M.Project.icon_urls(listed)
        if response['accolades_index'] is None:
            if response['show_awards_banner']:
                response['accolades_index'] = M.Project.accolades_index(listed)

        columns = response['columns']
        if type(columns) == unicode:
            # int() raises ValueError on a non-numeric string (not caught here).
            response['columns'] = int(columns)

        return response
Beispiel #14
    def zarkov_event(
        self, event_type,
        user=None, neighborhood=None, project=None, app=None,
        extra=None):
        """Report an event to Zarkov together with user, project and tool context.

        No-op when ``zmq`` is falsy. Missing ``user`` / ``project`` / ``app``
        are taken from ``c`` when available; ``neighborhood`` is not read.
        Failures while creating the client or sending are logged only.
        """
        if not zmq:
            return

        context = {
            'user': None,
            'neighborhood': None,
            'project': None,
            'tool': None,
            'mount_point': None,
            'is_project_member': False,
        }

        user = user or getattr(c, 'user', None)
        project = project or getattr(c, 'project', None)
        app = app or getattr(c, 'app', None)

        if user:
            context['user'] = user.username
        if project:
            context['project'] = project.shortname
            context['neighborhood'] = project.neighborhood.url_prefix.strip('/')
            credentials = Credentials.get() if user else None
            if credentials is not None:
                reaching = credentials.user_roles(user._id, project._id).reaching_roles
                for role in reaching:
                    # A named role that does not start with '*' marks the
                    # user as a project member.
                    if role.name and role.name[0] != '*':
                        context['is_project_member'] = True
        if app:
            context['tool'] = app.config.tool_name
            context['mount_point'] = app.config.options.mount_point

        try:
            if self._zarkov is None:
                endpoint = config.get('zarkov.host', 'tcp://127.0.0.1:6543')
                self._zarkov = ZarkovClient(endpoint)
            self._zarkov.event(event_type, context, extra)
        except Exception, ex:
            # Reset the client; the next call creates a new one.
            self._zarkov = None
            # Username and caller-supplied extra end up in the error log here.
            failed_event = dict(type=event_type, context=context, extra=extra)
            log.error('Error sending zarkov event(%r): %r', ex, failed_event)
Beispiel #15
def _add_to_group(user, role):
    """Add *role* to the roles of *user*'s own project role, then flush and reset credentials."""
    own_role = M.ProjectRole.by_user(user, upsert=True)
    own_role.roles.append(role._id)
    ThreadLocalODMSession.flush_all()
    # Reset the Credentials object so later access checks see the new role
    # (presumably it caches role lookups).
    Credentials.get().clear()
 def credentials(self):
     """Return the object produced by Credentials.get()."""
     current = Credentials.get()
     return current
Beispiel #17
    def test_private_ticket(self):
        """Toggle Ticket.private and check the per-permission ACL and access.

        While private, the ACL lists explicit allow entries for the Developer
        role and for the reporter's own role and ends with DENY_ALL. The
        reporter's entries do not include 'update'.
        """
        from allura.model import ProjectRole
        from allura.model import ACE, DENY_ALL
        from allura.lib.security import Credentials, has_access
        from allura.websetup import bootstrap

        admin = c.user
        creator = bootstrap.create_user('Not a Project Admin')
        developer = bootstrap.create_user('Project Developer')
        observer = bootstrap.create_user('Random Non-Project User')
        anon = User(_id=None, username='******', display_name='Anonymous')
        t = Ticket(summary='my ticket', ticket_num=3, reported_by_id=creator._id)

        assert creator == t.reported_by
        role_admin = ProjectRole.by_name('Admin')._id  # looked up, not used below
        role_developer = ProjectRole.by_name('Developer')._id
        role_creator = ProjectRole.by_user(t.reported_by, upsert=True)._id
        developer_role = ProjectRole.by_user(developer, upsert=True)
        developer_role.roles.append(role_developer)
        ThreadLocalORMSession.flush_all()
        cred = Credentials.get().clear()  # the result of clear() is not used below

        def allowed(perm, who):
            return has_access(t, perm, user=who)()

        rcu = ('read', 'create', 'update')
        developer_perms = ('save_searches', 'read', 'create', 'update',
                           'unmoderated_post', 'post', 'moderate', 'delete')
        creator_perms = ('read', 'post', 'create', 'unmoderated_post')

        t.private = True
        expected_acl = [ACE.allow(role_developer, perm) for perm in developer_perms]
        expected_acl += [ACE.allow(role_creator, perm) for perm in creator_perms]
        expected_acl.append(DENY_ALL)
        assert_equal(t.acl, expected_acl)
        for perm in rcu:
            assert allowed(perm, admin)
        # The reporter keeps read/post/create but must not be able to update.
        for perm in ('read', 'post', 'unmoderated_post', 'create'):
            assert allowed(perm, creator)
        assert not allowed('update', creator)
        for perm in rcu:
            assert allowed(perm, developer)
        # Users outside the project and the anonymous user get nothing.
        for who in (observer, anon):
            for perm in rcu:
                assert not allowed(perm, who)

        t.private = False
        assert t.acl == []
        for who in (admin, developer):
            for perm in rcu:
                assert allowed(perm, who)
        for perm in ('read', 'unmoderated_post', 'create'):
            assert allowed(perm, creator)
        assert not allowed('update', creator)
        assert allowed('read', observer)
        assert allowed('read', anon)
Beispiel #18
 def credentials(self):
     """Expose the Credentials object obtained from Credentials.get()."""
     creds = Credentials.get()
     return creds
def _add_to_group(user, role):
    """Append *role* to the roles of user.project_role(), then flush and reset credentials."""
    own_role = user.project_role()
    own_role.roles.append(role._id)
    ThreadLocalODMSession.flush_all()
    # Reset the Credentials object so the membership change is picked up by
    # later checks (presumably it caches role lookups).
    Credentials.get().clear()
def _deny(obj, role, perm):
    """Put a deny entry for *role* / *perm* at the front of obj.acl."""
    deny_entry = M.ACE.deny(role._id, perm)
    # Index 0: the deny entry precedes every entry already in the ACL.
    obj.acl.insert(0, deny_entry)
    ThreadLocalODMSession.flush_all()
    # Reset the Credentials object before any further access check.
    Credentials.get().clear()
def _add_to_group(user, role):
    """Grant *role* to *user* through the user's own project role (created if missing)."""
    user_role = M.ProjectRole.by_user(user, upsert=True)
    granted = user_role.roles
    granted.append(role._id)
    ThreadLocalODMSession.flush_all()
    # Reset the Credentials object afterwards (presumably a role cache).
    Credentials.get().clear()
Beispiel #22
    def test_private_ticket(self):
        """Check ACL contents and access decisions for a private, then public, ticket."""
        from allura.model import ProjectRole
        from allura.model import ACE, DENY_ALL
        from allura.lib.security import Credentials, has_access
        from allura.websetup import bootstrap

        admin = c.user
        creator = bootstrap.create_user('Not a Project Admin')
        developer = bootstrap.create_user('Project Developer')
        observer = bootstrap.create_user('Random Non-Project User')
        anon = User(
            _id=None,
            username='******',
            display_name='Anonymous',
        )
        t = Ticket(
            summary='my ticket',
            ticket_num=3,
            reported_by_id=creator._id,
        )

        assert creator == t.reported_by
        # role_admin and cred are assigned but never read afterwards.
        role_admin = ProjectRole.by_name('Admin')._id
        role_developer = ProjectRole.by_name('Developer')._id
        role_creator = ProjectRole.by_user(t.reported_by, upsert=True)._id
        ProjectRole.by_user(developer, upsert=True).roles.append(role_developer)
        ThreadLocalORMSession.flush_all()
        cred = Credentials.get().clear()

        def verify(rows):
            # rows: (user, permission, expected) triples, checked in order.
            for who, perm, expected in rows:
                decision = has_access(t, perm, user=who)()
                assert decision if expected else not decision

        perms = ('read', 'create', 'update')

        t.private = True
        # Explicit allow entries per role, closed by DENY_ALL as the last
        # entry; the reporter's entries leave out 'update'.
        assert_equal(t.acl, [
            ACE.allow(role_developer, perm)
            for perm in ('save_searches', 'read', 'create', 'update',
                         'unmoderated_post', 'post', 'moderate', 'delete')
        ] + [
            ACE.allow(role_creator, perm)
            for perm in ('read', 'post', 'create', 'unmoderated_post')
        ] + [DENY_ALL])
        verify(
            [(admin, perm, True) for perm in perms]
            + [
                (creator, 'read', True),
                (creator, 'post', True),
                (creator, 'unmoderated_post', True),
                (creator, 'create', True),
                (creator, 'update', False),
            ]
            + [(developer, perm, True) for perm in perms]
            + [(who, perm, False) for who in (observer, anon) for perm in perms]
        )

        t.private = False
        assert t.acl == []
        verify(
            [(who, perm, True) for who in (admin, developer) for perm in perms]
            + [
                (creator, 'read', True),
                (creator, 'unmoderated_post', True),
                (creator, 'create', True),
                (creator, 'update', False),
                (observer, 'read', True),
                (anon, 'read', True),
            ]
        )
Beispiel #23
def _deny(obj, role, perm):
    """Insert a deny ACE for *role* and *perm* as the first entry of obj.acl."""
    acl = obj.acl
    # Position 0 places the deny ahead of all existing entries.
    acl.insert(0, M.ACE.deny(role._id, perm))
    ThreadLocalODMSession.flush_all()
    # Reset the Credentials object so the next check uses the changed ACL
    # (presumably it caches role lookups).
    Credentials.get().clear()