def test_02_isolate(self):
"""A user who didn't create a resource cannot access it"""
cat = self.cat
dog = self.dog
holes = hydroshare.create_resource(resource_type='GenericResource',
owner=cat,
title='all about dog holes',
metadata=[],)
# check that resource was created
assertUserResourceState(self, cat, [holes], [], [])
# check that resource is not accessible to others
assertUserResourceState(self, dog, [], [], [])
# metadata should be the same as before
self.assertFalse(holes.raccess.immutable)
self.assertFalse(holes.raccess.published)
self.assertFalse(holes.raccess.discoverable)
self.assertFalse(holes.raccess.public)
self.assertTrue(holes.raccess.shareable)
# protection state for non-owner
self.assertFalse(dog.uaccess.owns_resource(holes))
self.assertFalse(dog.uaccess.can_change_resource(holes))
self.assertFalse(dog.uaccess.can_view_resource(holes))
# composite django state for non-owner
self.assertFalse(dog.uaccess.can_change_resource_flags(holes))
self.assertFalse(dog.uaccess.can_delete_resource(holes))
self.assertFalse(
dog.uaccess.can_share_resource(
holes, PrivilegeCodes.OWNER))
self.assertFalse(
dog.uaccess.can_share_resource(
holes, PrivilegeCodes.CHANGE))
self.assertFalse(
dog.uaccess.can_share_resource(
holes, PrivilegeCodes.VIEW))
# test list access functions for unshare targets
# these return empty because allowing this would violate the last owner
# rule
self.assertTrue(
is_equal_to_as_set(
[], cat.uaccess.get_resource_unshare_users(holes)))
self.assertTrue(
is_equal_to_as_set(
[], dog.uaccess.get_resource_unshare_users(holes)))
def test_01_create(self):
"""Resource creator has appropriate access"""
cat = self.cat
# check that user cat owns and holds nothing
assertUserResourceState(self, cat, [], [], [])
# create a resource
holes = hydroshare.create_resource(resource_type='GenericResource',
owner=cat,
title='all about dog holes',
metadata=[],)
assertUserResourceState(self, cat, [holes], [], [])
# metadata state
self.assertFalse(holes.raccess.immutable)
self.assertFalse(holes.raccess.published)
self.assertFalse(holes.raccess.discoverable)
self.assertFalse(holes.raccess.public)
self.assertTrue(holes.raccess.shareable)
# protection state for owner
self.assertTrue(cat.uaccess.owns_resource(holes))
self.assertTrue(cat.uaccess.can_change_resource(holes))
self.assertTrue(cat.uaccess.can_view_resource(holes))
# composite django state
self.assertTrue(cat.uaccess.can_change_resource_flags(holes))
self.assertTrue(cat.uaccess.can_delete_resource(holes))
self.assertTrue(
cat.uaccess.can_share_resource(
holes, PrivilegeCodes.OWNER))
self.assertTrue(
cat.uaccess.can_share_resource(
holes, PrivilegeCodes.CHANGE))
self.assertTrue(
cat.uaccess.can_share_resource(
holes, PrivilegeCodes.VIEW))
# unsharing with cat would violate owner constraint
self.assertTrue(
is_equal_to_as_set(
[], cat.uaccess.get_resource_unshare_users(holes)))
self.assertFalse(
cat.uaccess.can_unshare_resource_with_user(
holes, cat))
def test_01_create_state(self):
"""User state is correct after creation"""
# check that privileged user was created correctly
self.assertEqual(self.admin.uaccess.user.username, 'admin')
self.assertEqual(self.admin.uaccess.user.first_name, 'administrator')
self.assertTrue(self.admin.is_active)
# start as privileged user
assertUserResourceState(self, self.admin, [], [], [])
# check that unprivileged user was created correctly
self.assertEqual(self.cat.uaccess.user.username, 'cat')
self.assertEqual(self.cat.uaccess.user.first_name, 'not a dog')
self.assertTrue(self.cat.is_active)
# check that user cat owns and holds nothing
assertUserResourceState(self, self.cat, [], [], [])
assertUserGroupState(self, self.cat, [], [], [])
def test_01_create_state(self):
"""User state is correct after creation"""
# check that privileged user was created correctly
self.assertEqual(self.admin.uaccess.user.username, 'admin')
self.assertEqual(self.admin.uaccess.user.first_name, 'administrator')
self.assertTrue(self.admin.is_active)
# start as privileged user
assertUserResourceState(self, self.admin, [], [], [])
# check that unprivileged user was created correctly
self.assertEqual(self.cat.uaccess.user.username, 'cat')
self.assertEqual(self.cat.uaccess.user.first_name, 'not a dog')
self.assertTrue(self.cat.is_active)
# check that user cat owns and holds nothing
assertUserResourceState(self, self.cat, [], [], [])
assertUserGroupState(self, self.cat, [], [], [])
def test_matrix_testing(self):
""" Test that matrix testing routines function as believed """
george = self.george
alva = self.alva
john = self.john
bikes = self.bikes
bikers = self.bikers
harpers = self.harpers
assertResourceUserState(self, bikes, [george], [], [])
assertUserResourceState(self, george, [bikes], [], [])
assertUserResourceState(self, alva, [], [], [])
assertUserResourceState(self, john, [], [], [])
assertUserGroupState(self, george, [harpers, bikers], [], [])
assertUserGroupState(self, alva, [], [], [])
assertUserGroupState(self, john, [], [], [])
george.uaccess.share_resource_with_user(bikes, alva,
PrivilegeCodes.CHANGE)
assertResourceUserState(self, bikes, [george], [alva], [])
assertUserResourceState(self, george, [bikes], [], [])
assertUserResourceState(self, alva, [], [bikes], [])
assertUserResourceState(self, john, [], [], [])
george.uaccess.share_resource_with_user(bikes, john,
PrivilegeCodes.VIEW)
assertResourceUserState(self, bikes, [george], [alva], [john])
assertUserResourceState(self, george, [bikes], [], [])
assertUserResourceState(self, alva, [], [bikes], [])
assertUserResourceState(self, john, [], [], [bikes])
bikes.raccess.immutable = True
bikes.raccess.save()
assertResourceUserState(self, bikes, [george], [],
[alva, john]) # squashes CHANGE
assertUserResourceState(self, george, [bikes], [], [])
# immutable squashes CHANGE
assertUserResourceState(self, alva, [], [], [bikes])
assertUserResourceState(self, john, [], [], [bikes])
assertGroupUserState(self, bikers, [george], [], [])
assertGroupUserState(self, harpers, [george], [], [])
assertUserGroupState(self, george, [bikers, harpers], [], [])
assertUserGroupState(self, alva, [], [], [])
assertUserGroupState(self, john, [], [], [])
george.uaccess.share_group_with_user(bikers, alva,
PrivilegeCodes.CHANGE)
assertGroupUserState(self, bikers, [george], [alva], [])
assertGroupUserState(self, harpers, [george], [], [])
assertUserGroupState(self, george, [bikers, harpers], [], [])
assertUserGroupState(self, alva, [], [bikers], [])
assertUserGroupState(self, john, [], [], [])
george.uaccess.share_group_with_user(bikers, john, PrivilegeCodes.VIEW)
assertGroupUserState(self, bikers, [george], [alva], [john])
assertGroupUserState(self, harpers, [george], [], [])
assertUserGroupState(self, george, [bikers, harpers], [], [])
assertUserGroupState(self, alva, [], [bikers], [])
assertUserGroupState(self, john, [], [], [bikers])
assertResourceGroupState(self, bikes, [], [])
assertGroupResourceState(self, bikers, [], [])
george.uaccess.share_resource_with_group(bikes, bikers,
PrivilegeCodes.CHANGE)
# immutable squashes state
assertResourceGroupState(self, bikes, [], [bikers])
# immutable squashes state
assertGroupResourceState(self, bikers, [], [bikes])
bikes.raccess.immutable = False
bikes.raccess.save()
# without immutable, CHANGE returns
assertResourceGroupState(self, bikes, [bikers], [])
# without immutable, CHANGE returns
assertGroupResourceState(self, bikers, [bikes], [])
def test_share(self):
bikes = self.bikes
harpers = self.harpers
bikers = self.bikers
george = self.george
alva = self.alva
admin = self.admin
john = self.john
assertResourceUserState(self, bikes, [george], [], [])
assertUserResourceState(self, george, [bikes], [], [])
assertUserResourceState(self, alva, [], [], [])
george.uaccess.share_resource_with_user(bikes, alva,
PrivilegeCodes.OWNER)
assertResourceUserState(self, bikes, [george, alva], [], [])
assertUserResourceState(self, george, [bikes], [], [])
assertUserResourceState(self, alva, [bikes], [], [])
# test a user can downgrade (e.g., from OWNER to CHANGE) his/her access
# privilege
alva.uaccess.share_resource_with_user(bikes, alva,
PrivilegeCodes.CHANGE)
assertResourceUserState(self, bikes, [george], [alva], [])
assertUserResourceState(self, george, [bikes], [], [])
assertUserResourceState(self, alva, [], [bikes], [])
# unshare bikes
george.uaccess.unshare_resource_with_user(bikes, alva)
assertResourceUserState(self, bikes, [george], [], [])
assertUserResourceState(self, george, [bikes], [], [])
assertUserResourceState(self, alva, [], [], [])
assertGroupResourceState(self, bikers, [], [])
george.uaccess.share_resource_with_group(bikes, bikers,
PrivilegeCodes.VIEW)
assertGroupResourceState(self, bikers, [], [bikes])
george.uaccess.share_resource_with_group(bikes, harpers,
PrivilegeCodes.CHANGE)
assertGroupResourceState(self, harpers, [bikes], [])
george.uaccess.share_group_with_user(harpers, alva,
PrivilegeCodes.CHANGE)
assertUserGroupState(self, alva, [], [harpers], [])
# isolated from group privilege CHANGE
assertUserResourceState(self, alva, [], [], [])
assertGroupResourceState(self, harpers, [bikes], [])
george.uaccess.unshare_group_with_user(harpers, alva)
# isolated from group privilege CHANGE
assertUserResourceState(self, alva, [], [], [])
george.uaccess.unshare_resource_with_group(bikes, harpers)
assertGroupResourceState(self, harpers, [], [])
# test upgrade privilege by non owners
# let george (owner) grant change privilege to alva (non owner)
george.uaccess.share_resource_with_user(bikes, alva,
PrivilegeCodes.CHANGE)
assertUserResourceState(self, alva, [], [bikes], [])
# let alva (non owner) grant view privilege to john (non owner)
alva.uaccess.share_resource_with_user(bikes, self.john,
PrivilegeCodes.VIEW)
assertUserResourceState(self, john, [], [], [bikes])
assertResourceUserState(self, bikes, [george], [alva], [john])
# let alva (non owner) grant change privilege (upgrade) to john (non
# owner)
alva.uaccess.share_resource_with_user(bikes, self.john,
PrivilegeCodes.CHANGE)
assertUserResourceState(self, john, [], [bikes], [])
assertResourceUserState(self, bikes, [george], [alva, john], [])
# test django admin has ownership permission over any resource when not
# owning a resource
self.assertFalse(admin.uaccess.owns_resource(bikes))
self.assertEqual(bikes.raccess.get_effective_privilege(admin),
PrivilegeCodes.OWNER)
# test django admin can always view/change or delete any resource
self.assertTrue(admin.uaccess.can_view_resource(bikes))
self.assertTrue(admin.uaccess.can_change_resource(bikes))
self.assertTrue(admin.uaccess.can_delete_resource(bikes))
# test django admin can change resource flags
self.assertTrue(admin.uaccess.can_change_resource_flags(bikes))
# test django admin can share any resource with all possible permission
# types
self.assertTrue(
admin.uaccess.can_share_resource(bikes, PrivilegeCodes.OWNER))
self.assertTrue(
admin.uaccess.can_share_resource(bikes, PrivilegeCodes.CHANGE))
self.assertTrue(
admin.uaccess.can_share_resource(bikes, PrivilegeCodes.VIEW))
# test django admin can share a resource with a specific user
admin.uaccess.share_resource_with_user(bikes, alva,
PrivilegeCodes.OWNER)
assertResourceUserState(self, bikes, [george, alva], [john], [])
admin.uaccess.share_resource_with_user(bikes, alva,
PrivilegeCodes.CHANGE)
assertResourceUserState(self, bikes, [george], [john, alva], [])
admin.uaccess.share_resource_with_user(bikes, alva,
PrivilegeCodes.VIEW)
assertResourceUserState(self, bikes, [george], [john], [alva])
# test django admin can unshare a resource with a specific user
admin.uaccess.unshare_resource_with_user(bikes, alva)
assertResourceUserState(self, bikes, [george], [john], [])
# test django admin can share a group with a user
self.assertEqual(bikers.gaccess.members.count(), 1)
self.assertFalse(admin.uaccess.owns_group(bikers))
admin.uaccess.share_group_with_user(bikers, alva, PrivilegeCodes.OWNER)
self.assertEqual(alva.uaccess.owned_groups.count(), 1)
self.assertEqual(bikers.gaccess.members.count(), 2)
# test django admin can share resource with a group
self.assertFalse(
admin.uaccess.can_share_resource_with_group(
bikes, harpers, PrivilegeCodes.OWNER))
self.assertTrue(
admin.uaccess.can_share_resource_with_group(
bikes, harpers, PrivilegeCodes.CHANGE))
admin.uaccess.share_resource_with_group(bikes, harpers,
PrivilegeCodes.CHANGE)
self.assertTrue(bikes in harpers.gaccess.edit_resources)
self.assertTrue(
admin.uaccess.can_share_resource_with_group(
bikes, harpers, PrivilegeCodes.VIEW))
admin.uaccess.share_resource_with_group(bikes, harpers,
PrivilegeCodes.VIEW)
self.assertTrue(bikes in harpers.gaccess.view_resources)
# test django admin can unshare a user with a group
self.assertTrue(admin.uaccess.can_unshare_group_with_user(
bikers, alva))
admin.uaccess.unshare_group_with_user(bikers, alva)
self.assertTrue(bikers.gaccess.members.count(), 1)
self.assertEqual(alva.uaccess.owned_groups.count(), 0)
def test_06_check_flag_immutable(self):
"""Resource owner can set and reset immutable flag"""
cat = self.cat
dog = self.dog
# create a resource
holes = hydroshare.create_resource(resource_type='GenericResource',
owner=cat,
title='all about dog holes',
metadata=[],)
assertUserResourceState(self, cat, [holes], [], [])
assertResourceUserState(self, holes, [cat], [], [])
# metadata state
self.assertFalse(holes.raccess.immutable)
self.assertFalse(holes.raccess.published)
self.assertFalse(holes.raccess.discoverable)
self.assertFalse(holes.raccess.public)
self.assertTrue(holes.raccess.shareable)
# protection state for owner
self.assertTrue(cat.uaccess.owns_resource(holes))
self.assertTrue(cat.uaccess.can_change_resource(holes))
self.assertTrue(cat.uaccess.can_view_resource(holes))
# composite django state
self.assertTrue(cat.uaccess.can_change_resource_flags(holes))
self.assertTrue(cat.uaccess.can_delete_resource(holes))
self.assertTrue(
cat.uaccess.can_share_resource(
holes, PrivilegeCodes.OWNER))
self.assertTrue(
cat.uaccess.can_share_resource(
holes, PrivilegeCodes.CHANGE))
self.assertTrue(
cat.uaccess.can_share_resource(
holes, PrivilegeCodes.VIEW))
# make it immutable: what changes?
holes.raccess.immutable = True
holes.raccess.save()
# metadata state
self.assertTrue(holes.raccess.immutable)
self.assertFalse(holes.raccess.published)
self.assertFalse(holes.raccess.discoverable)
self.assertFalse(holes.raccess.public)
self.assertTrue(holes.raccess.shareable)
assertUserResourceState(self, cat, [holes], [], [])
# protection state for owner
self.assertTrue(cat.uaccess.owns_resource(holes))
self.assertFalse(cat.uaccess.can_change_resource(holes))
self.assertTrue(cat.uaccess.can_view_resource(holes))
# composite django state
self.assertTrue(cat.uaccess.can_change_resource_flags(holes))
self.assertTrue(cat.uaccess.can_delete_resource(holes))
self.assertTrue(
cat.uaccess.can_share_resource(
holes, PrivilegeCodes.OWNER))
self.assertTrue(
cat.uaccess.can_share_resource(
holes, PrivilegeCodes.CHANGE))
self.assertTrue(
cat.uaccess.can_share_resource(
holes, PrivilegeCodes.VIEW))
# django admin access
self.assertFalse(self.admin.uaccess.owns_resource(holes))
self.assertTrue(self.admin.uaccess.can_change_resource(holes))
self.assertTrue(self.admin.uaccess.can_view_resource(holes))
self.assertTrue(self.admin.uaccess.can_change_resource_flags(holes))
self.assertTrue(self.admin.uaccess.can_delete_resource(holes))
self.assertTrue(
self.admin.uaccess.can_share_resource(
holes, PrivilegeCodes.OWNER))
self.assertTrue(
self.admin.uaccess.can_share_resource(
holes, PrivilegeCodes.CHANGE))
self.assertTrue(
self.admin.uaccess.can_share_resource(
holes, PrivilegeCodes.VIEW))
# change squash
self.cat.uaccess.share_resource_with_user(
holes, dog, PrivilegeCodes.CHANGE)
# CHANGE squashed to VIEW
assertUserResourceState(self, dog, [], [], [holes])
# now no longer immutable
holes.raccess.immutable = False
holes.raccess.save()
assertUserResourceState(self, dog, [], [holes], [])
self.cat.uaccess.unshare_resource_with_user(holes, dog)
# metadata state
self.assertFalse(holes.raccess.immutable)
self.assertFalse(holes.raccess.published)
self.assertFalse(holes.raccess.discoverable)
self.assertFalse(holes.raccess.public)
self.assertTrue(holes.raccess.shareable)
# protection state for owner
self.assertTrue(cat.uaccess.owns_resource(holes))
self.assertTrue(cat.uaccess.can_change_resource(holes))
self.assertTrue(cat.uaccess.can_view_resource(holes))
# composite django state
self.assertTrue(cat.uaccess.can_change_resource_flags(holes))
self.assertTrue(cat.uaccess.can_delete_resource(holes))
self.assertTrue(
cat.uaccess.can_share_resource(
holes, PrivilegeCodes.OWNER))
self.assertTrue(
cat.uaccess.can_share_resource(
holes, PrivilegeCodes.CHANGE))
self.assertTrue(
cat.uaccess.can_share_resource(
holes, PrivilegeCodes.VIEW))
