Beispiel #1
0
    def test_ActionSharing(self):
        parent = BaseNode(name='root')
        model = parent['model'] = BaseNode()
        request = self.layer.new_request()

        action = ActionSharing()
        self.assertFalse(IPrincipalACL.providedBy(model))
        self.assertEqual(action(model, request), u'')

        sharingmodel = parent['sharingmodel'] = SharingNode()
        self.assertTrue(IPrincipalACL.providedBy(sharingmodel))
        self.assertEqual(action(sharingmodel, request), u'')

        with self.layer.authenticated('editor'):
            rule = request.has_permission('manage_permissions', sharingmodel)
            self.assertTrue(isinstance(rule, ACLDenied))
            self.assertEqual(action(sharingmodel, request), u'')

        with self.layer.authenticated('manager'):
            rule = request.has_permission('manage_permissions', sharingmodel)
            self.assertTrue(isinstance(rule, ACLAllowed))

            rendered = action(sharingmodel, request)
            self.checkOutput(
                """
            ...<a
            id="toolbaraction-share"
            href="http://example.com/root/sharingmodel/sharing"
            ajax:bind="click"
            ajax:target="http://example.com/root/sharingmodel"
            ajax:action="sharing:#content:inner"
            ajax:path="href"
            ><span class="glyphicon glyphicon-share"></span
            >&nbsp;Sharing</a>...
            """, rendered)
Beispiel #2
0
 def aggregated_roles(self):
     aggregated = dict()
     model = self
     while model:
         if not IPrincipalACL.providedBy(model):
             model = model.parent
             continue
         for id, roles in model.principal_roles.items():
             if aggregated.get(id):
                 aggregated[id].update(roles)
             else:
                 aggregated[id] = set(roles)
         model = model.parent
     return aggregated
Beispiel #3
0
 def aggregated_roles(self):
     aggregated = dict()
     model = self
     while model:
         if not IPrincipalACL.providedBy(model):
             model = model.parent
             continue
         for id, roles in model.principal_roles.items():
             if aggregated.get(id):
                 aggregated[id].update(roles)
             else:
                 aggregated[id] = set(roles)
         model = model.parent
     return aggregated
Beispiel #4
0
 def display(self):
     return IPrincipalACL.providedBy(self.model) \
         and self.permitted('manage_permissions')
Beispiel #5
0
    def test_PrincipalACL(self):
        # PrincipalACL is an abstract class. Directly use causes an error
        @plumbing(PrincipalACL)
        class PrincipalACLNode(BaseNode):
            pass

        node = PrincipalACLNode()
        err = self.expect_error(NotImplementedError, lambda: node.__acl__)
        expected = (
            'Abstract ``PrincipalACL`` does not implement ``principal_roles``.'
        )
        self.assertEqual(str(err), expected)

        # Concrete PrincipalACL implementation. Implements principal_roles
        # property
        class MyPrincipalACL(PrincipalACL):
            @default
            @instance_property
            def principal_roles(self):
                return dict()

        @plumbing(MyPrincipalACL)
        class MyPrincipalACLNode(BaseNode):
            pass

        node = MyPrincipalACLNode()
        self.assertTrue(IPrincipalACL.providedBy(node))

        node.principal_roles['someuser'] = ['manager']
        node.principal_roles['otheruser'] = ['editor']
        node.principal_roles['group:some_group'] = ['editor', 'manager']

        def find_rule(acl, who):
            for rule in acl:
                if rule[1] == who:
                    return rule

        rule = find_rule(node.__acl__, 'someuser')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'someuser')
        self.assertEqual(sorted(rule[2]), sorted([
            'cut', 'edit', 'copy', 'manage', 'list', 'add', 'change_state',
            'view', 'paste', 'manage_permissions', 'delete'
        ]))

        rule = find_rule(node.__acl__, 'otheruser')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'otheruser')
        self.assertEqual(sorted(rule[2]), sorted([
            'edit', 'add', 'list', 'view'
        ]))

        rule = find_rule(node.__acl__, 'group:some_group')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'group:some_group')
        self.assertEqual(sorted(rule[2]), sorted([
            'cut', 'edit', 'copy', 'manage', 'list', 'add', 'change_state',
            'view', 'paste', 'manage_permissions', 'delete'
        ]))

        rule = find_rule(node.__acl__, 'system.Authenticated')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'system.Authenticated')
        self.assertEqual(rule[2], ['view'])

        rule = find_rule(node.__acl__, 'role:viewer')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'role:viewer')
        self.assertEqual(sorted(rule[2]), sorted(['view', 'list']))

        rule = node.__acl__[-1]
        self.assertEqual(rule[0], 'Deny')
        self.assertEqual(rule[1], 'system.Everyone')
        self.assertEqual(rule[2], ALL_PERMISSIONS)

        # PrincipalACL role inheritance
        child = node['child'] = MyPrincipalACLNode()
        child.principal_roles['someuser'] = ['editor']

        rule = find_rule(child.__acl__, 'someuser')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'someuser')
        self.assertEqual(sorted(rule[2]), sorted([
            'edit', 'add', 'list', 'view'
        ]))

        rule = find_rule(child.__acl__, 'system.Authenticated')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'system.Authenticated')
        self.assertEqual(rule[2], ['view'])

        rule = find_rule(child.__acl__, 'role:viewer')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'role:viewer')
        self.assertEqual(sorted(rule[2]), sorted(['view', 'list']))

        rule = child.__acl__[-1]
        self.assertEqual(rule[0], 'Deny')
        self.assertEqual(rule[1], 'system.Everyone')
        self.assertEqual(rule[2], ALL_PERMISSIONS)

        subchild = child['child'] = MyPrincipalACLNode()
        subchild.role_inheritance = True
        subchild.principal_roles['otheruser'] = ['admin']
        self.assertEqual(subchild.aggregated_roles_for('inexistent'), [])
        self.assertEqual(
            sorted(subchild.aggregated_roles_for('someuser')),
            sorted(['manager', 'editor'])
        )
        self.assertEqual(
            sorted(subchild.aggregated_roles_for('otheruser')),
            sorted(['admin', 'editor'])
        )

        rule = find_rule(subchild.__acl__, 'someuser')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'someuser')
        self.assertEqual(sorted(rule[2]), sorted([
            'cut', 'edit', 'copy', 'manage', 'list', 'add', 'change_state',
            'view', 'paste', 'manage_permissions', 'delete'
        ]))

        rule = find_rule(subchild.__acl__, 'otheruser')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'otheruser')
        self.assertEqual(sorted(rule[2]), sorted([
            'cut', 'edit', 'copy', 'list', 'add', 'change_state', 'view',
            'paste', 'manage_permissions', 'delete'
        ]))

        rule = find_rule(subchild.__acl__, 'group:some_group')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'group:some_group')
        self.assertEqual(sorted(rule[2]), sorted([
            'cut', 'edit', 'copy', 'manage', 'list', 'add', 'change_state',
            'view', 'paste', 'manage_permissions', 'delete'
        ]))

        rule = find_rule(subchild.__acl__, 'system.Authenticated')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'system.Authenticated')
        self.assertEqual(rule[2], ['view'])

        rule = subchild.__acl__[-1]
        self.assertEqual(rule[0], 'Deny')
        self.assertEqual(rule[1], 'system.Everyone')
        self.assertEqual(rule[2], ALL_PERMISSIONS)

        # Principal roles get inherited even if some parent does not provide
        # principal roles
        child = node['no_principal_roles'] = BaseNode()
        subchild = child['no_principal_roles'] = MyPrincipalACLNode()
        self.assertEqual(
            sorted(subchild.aggregated_roles_for('group:some_group')),
            sorted(['manager', 'editor'])
        )

        # If principal role found which is not provided by plumbing endpoint
        # acl, this role does not grant any permissions
        node = MyPrincipalACLNode()
        node.principal_roles['someuser'] = ['inexistent_role']

        rule = find_rule(node.__acl__, 'someuser')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'someuser')
        self.assertEqual(rule[2], [])

        rule = find_rule(node.__acl__, 'system.Authenticated')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'system.Authenticated')
        self.assertEqual(rule[2], ['view'])

        rule = find_rule(node.__acl__, 'role:viewer')
        self.assertEqual(rule[0], 'Allow')
        self.assertEqual(rule[1], 'role:viewer')
        self.assertEqual(sorted(rule[2]), sorted(['view', 'list']))

        rule = node.__acl__[-1]
        self.assertEqual(rule[0], 'Deny')
        self.assertEqual(rule[1], 'system.Everyone')
        self.assertEqual(rule[2], ALL_PERMISSIONS)
        self.assertEqual(
            node.__acl__[-1],
            ('Deny', 'system.Everyone', ALL_PERMISSIONS)
        )
Beispiel #6
0
 def display(self):
     return IPrincipalACL.providedBy(self.model) \
         and self.permitted('manage_permissions')