def test_model_guard_controller_read():
role = Role()
role.grant('read', SomeModel)
identity = Identity([role])
ctx = Context()
ctx.identity = identity
compare(SomeModelGuardController().read(SomeModels.one.id, ctx), SomeModels.one)
def test_permissions_with_subject_list():
guard = Guard()
role = Role()
role.grant('index', Store)
identity = Identity([role])
assert_true(guard.can(identity, 'index', [Store()]))
assert_true(guard.can(identity, 'index', []))
def test_create_permission():
with db(), fixtures(Products, fixture_loader=fixture_loader):
ctx = Context()
role = Role()
role.grant(ControllerActions.create, Product)
ctx.identity = Identity([role])
c = ProductController()
c.create({'name': u'Red Pants', 'product_type_id': ProductTypes.pants.id, 'store_id': Stores.virtusize.id}, ctx)
def test_model_guard_controller_index_unauthorized():
role = Role()
role.grant('something_else', SomeModel)
identity = Identity([role])
ctx = Context()
ctx.identity = identity
SomeModelGuardController().index(ctx)
def test_index_permission():
with db(), fixtures(Products, fixture_loader=fixture_loader):
ctx = Context()
role = Role()
role.grant(ControllerActions.index, Product)
ctx.identity = Identity([role])
c = ProductController()
c.index(ctx)
def test_update_permission():
with db(), fixtures(Products, fixture_loader=fixture_loader):
ctx = Context()
role = Role()
role.grant(ControllerActions.update, Product)
ctx.identity = Identity([role])
c = ProductController()
c.update(1, {'name': u'Blue Shirt', 'product_type_id': ProductTypes.shirt.id}, ctx)
def test_model_guard_controller_index():
role = Role()
role.grant('index', SomeModel)
identity = Identity([role])
ctx = Context()
ctx.identity = identity
assert_equal(len(SomeModelGuardController().index(ctx)), 2)
assert_equal(len(SomeModelGuardController().index(ctx=ctx)), 2)
def test_base_controller_authorize_successful():
bc = BaseController()
model = SomeModel()
bc.guard = Guard()
bc.model = SomeModel
ctx = Context()
role = Role()
role.grant('read', SomeModel)
ctx.identity = Identity([role])
bc.authorize(ctx, 'read', model)
def test_permissions_without_conditions():
guard = Guard()
role = Role()
role.grant('read', Store)
identity = Identity([role])
assert_true(guard.can(identity, 'read', Store))
assert_true(guard.can(identity, 'read', Store()))
assert_false(guard.cannot(identity, 'read', Store))
assert_false(guard.cannot(identity, 'read', Store()))
def test_empty_list_index_permission():
with db(), fixtures(Products, fixture_loader=fixture_loader):
ctx = Context()
role = Role()
role.grant(ControllerActions.index, Product)
role.grant(ControllerActions.delete, Product)
ctx.identity = Identity([role])
c = ProductController()
c.delete(1, ctx)
compare(c.index(ctx), [])
def test_model_guard_controller_index_wrong_model():
class OtherModel(Model):
pass
role = Role()
role.grant('read', OtherModel)
identity = Identity([role])
ctx = Context()
ctx.identity = identity
SomeModelGuardController().index(ctx)
def test_permissions_with_is_the_same_condition():
guard = Guard()
role = Role()
role.grant('check_for_something', Store, is_the_same_condition)
identity = Identity([role])
identity.something = 'check'
store = Store()
store.something = 'check'
assert_true(guard.can(identity, 'check_for_something', store))
store.something = 2
assert_false(guard.can(identity, 'check_for_somethingone', store))
store.something = True
assert_false(guard.can(identity, 'check_for_somethingone', store))
def test_predicate():
guard = Guard()
store = Store(owner_id=1)
role = Role()
role.grant('delete', Store, condition=lambda store, identity: identity.id == store.owner_id)
valid_identity = Identity([role])
valid_identity.id = 1
invalid_identity = Identity([role])
invalid_identity.id = 2
assert_true(guard.can(valid_identity, 'delete', store))
assert_false(guard.can(invalid_identity, 'delete', store))
def test_role_inheritance():
role = Role()
role.grant(['read', 'write'], Store)
another_role = Role(inherit=[role])
another_role.grant(['update', 'delete', 'query'], Store)
assert_equal(len(role.permissions), 2)
assert_equal(len(another_role.permissions), 5)
def test_exclude_action_filter():
dct = {
'name': 'John',
'full_name': 'John Doe',
'secret': 123
}
role = Role()
role.grant('read_secrets', 'user')
valid_identity = Identity([role])
invalid_identity = Identity([])
ctx = Context()
ctx.subject = 'user'
ctx.identity = valid_identity
result = ExcludeActionFilter(
exclude=['secret'],
action='read_secrets',
guard=Guard()
).filter(dct, ctx)
assert_true('secret' in result)
assert_equal(result['secret'], 123)
ctx.identity = invalid_identity
result = ExcludeActionFilter(
exclude=['secret'],
action='read_secrets',
guard=Guard()
).filter(dct, ctx)
assert_false('secret' in result)
def test_guard_with_multiple_roles():
guard = Guard()
role = Role()
role.grant('read', Store)
role.grant('write', Store)
role2 = Role()
role2.grant('delete', 'product')
identity = Identity([role, role2])
assert_true(guard.can(identity, 'read', Store))
assert_false(guard.can(identity, 'read', 'anything'))
assert_false(guard.can(identity, 'write', 'something'))
assert_true(guard.can(identity, 'write', Store))
assert_false(guard.can(identity, 'delete', Store))
assert_true(guard.can(identity, 'delete', 'product'))
assert_false(guard.can(identity, 'write', 'product'))
def test_idendity():
role = Role()
role.grant('read', Store)
i = Identity([role])
assert_equal(len(i.roles), 1)
compare(i.roles[0], role)
role = Role()
role.grant('write', Store)
i.roles.append(role)
assert_equal(len(i.roles), 2)
compare(i.roles[1], role)
def test_basic_role():
role = Role()
role.grant('read', Store)
assert_equal(len(role.permissions), 1)
def test_multiple_actions_role():
role = Role()
role.grant(['read', 'write'], Store)
assert_equal(len(role.permissions), 2)
