def test_validation(): rest_api = Role('rest_api') rest_api.lockdown(Bicycle)\ .writeable_by(Bicycle.owner == ContextParam('user'))\ .validate(Bicycle.owner, Bicycle.owner == ContextParam('user'))\ .validate(Bicycle.serial, lambda b, f, v: v.startswith('a')) with test_database(test_db, [User, Group, Bicycle]): b = Bicycle.create() u1 = User.create(username='******') u2 = User.create(username='******') lockdown_context.role = rest_api try: b.owner = u1 assert False, 'should have thrown exception' except: pass lockdown_context.user = u1.id try: b.owner = u2 assert False, 'should have thrown exception' except: pass lockdown_context.user = u1.id b.owner = u1 b.serial = 'a' try: b.serial = 'b' assert False, 'should have thrown exception' except LockdownException: pass
def test_lockdown_user(): lockdown_context.role = None lockdown_context.user = None lockdown_context.group = None rest_api = Role('rest_api') rest_api.lockdown(Bicycle) \ .field_writeable_by(Bicycle.owner, Bicycle.owner == ContextParam('user')) with test_database(test_db, [User, Group, Bicycle]): u = User.create(username='******') u2 = User.create(username='******') g = Group.create(name='test') b = Bicycle.create(owner=u, group=g) lockdown_context.role = rest_api assert b.is_field_writeable(Bicycle.owner) is False lockdown_context.user = 10 assert b.is_field_writeable(Bicycle.owner) is False try: b.owner = u2 assert False, 'should have thrown' except: pass lockdown_context.user = u.id assert b.is_field_writeable(Bicycle.owner) is True
def test_insert(): lockdown_context.role = None lockdown_context.user = None lockdown_context.group = None rest_api = Role('rest_api') rest_api.lockdown(BigWheel) \ .writeable_by(BigWheel.owner == ContextParam('user'))\ .validate(BigWheel.owner, BigWheel.owner == ContextParam('user')) \ .field_writeable_by(BigWheel.serial, BigWheel.owner == ContextParam('user')) with test_database(test_db, [User, Group, BigWheel]): u1 = User.create(username='******') u2 = User.create(username='******') g = Group.create(name='test') # set the role/user before inserting lockdown_context.role = rest_api lockdown_context.user = u1.id try: bwheel = BigWheel() bwheel.owner = u2 bwheel.group = g bwheel.serial = '1' assert False, 'should have failed' except LockdownException: pass # insert should work fine since object validates bwheel = BigWheel() bwheel.owner = u1 bwheel.group = g bwheel.serial = '1' bwheel.save() b = BigWheel.get() assert b.modified is not None assert b.created is not None assert b.serial == '1' assert b.owner == u1 assert b.group == g
def test_is_readable_writable_field(): lockdown_context.role = None lockdown_context.user = None lockdown_context.group = None rest_api = Role('rest_api') rest_api.lockdown(BaseModel)\ .field_writeable_by(BaseModel.created, NO_ONE)\ .field_writeable_by(BaseModel.modified, NO_ONE) rest_api.lockdown(Bicycle) \ .field_readable_by(Bicycle.serial, Bicycle.group == ContextParam('group')) \ .field_writeable_by(Bicycle.serial, Bicycle.owner == ContextParam('user')) with test_database(test_db, [User, Group, Bicycle]): u = User.create(username='******') g = Group.create(name='test') b = Bicycle.create(owner=u, group=g) lockdown_context.role = rest_api assert b.is_field_readable(Bicycle.serial) is False assert b.is_field_writeable(Bicycle.serial) is False assert b.is_field_writeable(Bicycle.modified) is False assert b.is_field_writeable(Bicycle.created) is False lockdown_context.group = 10 lockdown_context.user = 10 assert b.is_field_readable(Bicycle.serial) is False assert b.is_field_writeable(Bicycle.serial) is False lockdown_context.group = g.id assert b.is_field_readable(Bicycle.serial) is True assert b.is_field_writeable(Bicycle.serial) is False lockdown_context.user = u.id assert b.is_field_readable(Bicycle.serial) is True assert b.is_field_writeable(Bicycle.serial) is True
def test_readable_writable(): lockdown_context.role = None lockdown_context.user = None lockdown_context.group = None rest_api = Role('rest_api') ldown = rest_api.lockdown(Bicycle) \ .readable_by(Bicycle.group == ContextParam('group')) \ .writeable_by(Bicycle.owner == ContextParam('user')) with test_database(test_db, [User, Group, Bicycle]): u = User.create(username='******') g = Group.create(name='test') b = Bicycle.create(owner=u, group=g) assert b.is_readable() is True assert b.is_writable() is True lockdown_context.role = rest_api assert b.is_readable() is False assert b.is_writable() is False lockdown_context.group = 10 lockdown_context.user = 10 assert b.is_readable() is False assert b.is_writable() is False lockdown_context.group = g.id assert b.is_readable() is True assert b.is_writable() is False lockdown_context.user = u.id assert b.is_readable() is True assert b.is_writable() is True
def test_save(): lockdown_context.role = None lockdown_context.user = None lockdown_context.group = None rest_api = Role('rest_api') rest_api.lockdown(Bicycle) \ .field_readable_by(Bicycle.serial, Bicycle.group == ContextParam('group')) \ .field_writeable_by(Bicycle.serial, Bicycle.owner == ContextParam('user')) with test_database(test_db, [User, Group, Bicycle]): u = User.create(username='******') g = Group.create(name='test') b = Bicycle.create(owner=u, group=g, serial='1') lockdown_context.role = rest_api try: b.serial = '10' assert False, 'should have thrown' except: pass assert b.serial == '1' b = Bicycle.get() assert b.serial is None, 'cant read this field, no group' lockdown_context.group = g.id b = Bicycle.get() assert b.serial == '1', 'now this field can be read, should be 1 still' lockdown_context.user = u.id b.serial = '10' b.save() b = Bicycle.get() assert b.serial == '10'
def test_no_one(): lockdown_context.role = None lockdown_context.user = None lockdown_context.group = None rest_api = Role('rest_api') rest_api.lockdown(Bicycle).readable_by(NO_ONE).writeable_by(NO_ONE) with test_database(test_db, [User, Group, Bicycle]): u = User.create(username='******') g = Group.create(name='test') b = Bicycle.create(owner=u, group=g) lockdown_context.role = rest_api assert b.is_readable() is False assert b.is_writable() is False lockdown_context.group = g.id lockdown_context.user = u.id assert b.is_readable() is False assert b.is_writable() is False