def test_effective_principals_calls_groupfinder_with_userid_and_request():
groupfinder = Mock()
groupfinder.return_value = []
request = testing.DummyRequest()
auth.effective_principals('acct:[email protected]',
request,
groupfinder=groupfinder)
groupfinder.assert_called_with('acct:[email protected]', request)
def test_effective_principals_returns_client_id_as_consumer(get_by_userid):
"""
If the request has a client ID it's returned as a "consumer:" principal.
"""
request = MagicMock(client=MagicMock(client_id="test_id"))
get_by_userid.return_value = MagicMock(admin=False, staff=False)
assert auth.effective_principals("jiji", request) == ["consumer:test_id"]
def test_effective_principals_returns_client_id_as_consumer(get_by_userid):
"""
If the request has a client ID it's returned as a "consumer:" principal.
"""
request = MagicMock(client=MagicMock(client_id="test_id"))
get_by_userid.return_value = MagicMock(admin=False, staff=False)
assert auth.effective_principals("jiji", request) == ["consumer:test_id"]
def test_effective_principals_returns_no_principals(get_by_userid):
"""It should return no principals if no client, admin or staff.
If the request has no client and the user is not an admin or staff member,
then it should return no principals.
"""
request = MagicMock(client=None)
get_by_userid.return_value = MagicMock(admin=False, staff=False)
assert auth.effective_principals("jiji", request) == []
def test_effective_principals_returns_no_principals(get_by_userid):
"""It should return no principals if no client, admin or staff.
If the request has no client and the user is not an admin or staff member,
then it should return no principals.
"""
request = MagicMock(client=None)
get_by_userid.return_value = MagicMock(admin=False, staff=False)
assert auth.effective_principals("jiji", request) == []
def test_effective_principals_includes_everyone():
"""
Even if the groupfinder returns None, implying that the userid is not
recognised, `security.Everyone` should be included in the list of effective
principals.
"""
groupfinder = lambda userid, request: None
request = testing.DummyRequest()
result = auth.effective_principals('acct:[email protected]',
request,
groupfinder=groupfinder)
assert result == [security.Everyone]
def generate_notifications(request, annotation, action):
# Only send notifications when new annotations are created
if action != 'create':
return
# If the annotation doesn't have a parent, we can't find its parent, or we
# have no idea who the author of the parent is, then we can't send a
# notification email.
parent_id = annotation.parent_id
if parent_id is None:
return
parent = storage.fetch_annotation(request, parent_id)
if parent is None or 'user' not in parent:
return
# We don't send replies to the author of the parent unless they're going to
# be able to read it. That means there must be some overlap between the set
# of effective principals of the parent's author, and the read permissions
# of the reply.
child_read_permissions = annotation.get('permissions', {}).get('read', [])
parent_principals = auth.effective_principals(parent['user'], request)
read_principals = translate_annotation_principals(child_read_permissions)
if not set(parent_principals).intersection(read_principals):
return
# Store the parent values as additional data
data = {
'parent': parent
}
subscriptions = Subscriptions.get_active_subscriptions_for_a_type(
types.REPLY_TYPE)
for subscription in subscriptions:
data['subscription'] = subscription.__json__(request)
# Validate annotation
if check_conditions(annotation, data):
try:
subject, text, html, recipients = render_reply_notification(
request,
annotation,
parent)
yield subject, text, html, recipients
# ToDo: proper exception handling here
except TemplateRenderException:
log.exception('Failed to render subscription'
' template %s', subscription)
except:
log.exception('Unknown error when trying to render'
' subscription template %s', subscription)
def generate_notifications(request, annotation, action):
# Only send notifications when new annotations are created
if action != 'create':
return
# If the annotation doesn't have a parent, we can't find its parent, or we
# have no idea who the author of the parent is, then we can't send a
# notification email.
parent_id = annotation.parent_id
if parent_id is None:
return
parent = storage.fetch_annotation(request, parent_id)
if parent is None or 'user' not in parent:
return
# We don't send replies to the author of the parent unless they're going to
# be able to read it. That means there must be some overlap between the set
# of effective principals of the parent's author, and the read permissions
# of the reply.
child_read_permissions = annotation.get('permissions', {}).get('read', [])
parent_principals = auth.effective_principals(parent['user'], request)
read_principals = translate_annotation_principals(child_read_permissions)
if not set(parent_principals).intersection(read_principals):
return
# Store the parent values as additional data
data = {
'parent': parent
}
subscriptions = Subscriptions.get_active_subscriptions_for_a_type(
types.REPLY_TYPE)
for subscription in subscriptions:
data['subscription'] = subscription.__json__(request)
# Validate annotation
if check_conditions(annotation, data):
try:
subject, text, html, recipients = render_reply_notification(
request,
annotation,
parent)
yield subject, text, html, recipients
# ToDo: proper exception handling here
except TemplateRenderException:
log.exception('Failed to render subscription'
' template %s', subscription)
except:
log.exception('Unknown error when trying to render'
' subscription template %s', subscription)
def test_effective_principals_includes_authenticated_and_userid():
"""
If the groupfinder returns the empty list, implying that the userid is
recognised but is a member of no groups, `security.Authenticated` and the
passed userid should be included in the list of effective principals.
"""
groupfinder = lambda userid, request: []
request = testing.DummyRequest()
result = auth.effective_principals('acct:[email protected]',
request,
groupfinder=groupfinder)
assert set(result) == set([security.Everyone,
security.Authenticated,
'acct:[email protected]'])
def test_effective_principals_includes_returned_groupfinder_principals():
"""
If the groupfinder returns groups, these should be included in the list of
effective principals.
"""
groupfinder = lambda userid, request: ['group:foo', 'group:bar']
request = testing.DummyRequest()
result = auth.effective_principals('acct:[email protected]',
request,
groupfinder=groupfinder)
assert set(result) == set([security.Everyone,
security.Authenticated,
'acct:[email protected]',
'group:foo',
'group:bar'])
def test_effective_principals_client_id_and_admin_and_staff(get_by_userid):
request = MagicMock(client=MagicMock(client_id="test_id"))
get_by_userid.return_value = MagicMock(admin=True, staff=True)
assert auth.effective_principals(
"jiji", request) == ["consumer:test_id", "group:admin", "group:staff"]
def test_effective_principals_with_staff_user(get_by_userid):
"""If the user is staff it should return a "group:staff" principal."""
request = MagicMock(client=None)
get_by_userid.return_value = MagicMock(admin=False, staff=True)
assert auth.effective_principals("jiji", request) == ["group:staff"]
def test_effective_principals_client_id_and_admin_and_staff(get_by_userid):
request = MagicMock(client=MagicMock(client_id="test_id"))
get_by_userid.return_value = MagicMock(admin=True, staff=True)
assert auth.effective_principals("jiji", request) == [
"consumer:test_id", "group:admin", "group:staff"]
def test_effective_principals_with_staff_user(get_by_userid):
"""If the user is staff it should return a "group:staff" principal."""
request = MagicMock(client=None)
get_by_userid.return_value = MagicMock(admin=False, staff=True)
assert auth.effective_principals("jiji", request) == ["group:staff"]
