def validate_registration(self, req):
if req.authname and req.authname != 'anonymous':
return
username = AccountManager(self.env).handle_username_casing(
req.args.get('username', '').strip())
# NOTE: We can't use 'get_user_permissions(username)' here
# as this always returns a list - even if the user doesn't exist.
# In this case the permissions of "anonymous" are returned.
#
# Also note that we can't simply compare the result of
# 'get_user_permissions(username)' to some known set of permission,
# i.e. "get_user_permissions('authenticated') as this is always
# false when 'username' is the name of an existing permission group.
#
# And again obfuscate whether an existing user or group name
# was responsible for rejection of this username.
for (perm_user, perm_action) in \
perm.PermissionSystem(self.env).get_all_permissions():
if perm_user.lower() == username.lower():
raise RegistrationError(N_(
"Another account or group already exists, who's name "
"differs from %s only by case or is identical."),
tag.b(username)
)
def _do_create(self, req):
mgr = AccountManager(self.env)
user = req.args.get('user')
if not user:
req.hdf['registration.error'] = 'Username cannot be empty.'
return
if mgr.has_user(user):
req.hdf['registration.error'] = \
'Another account with that name already exists.'
return
# disallow registration of accounts which have existing permissions
permission_system = perm.PermissionSystem(self.env)
if permission_system.get_user_permissions(user) != \
permission_system.get_user_permissions('authenticated'):
req.hdf['registration.error'] = \
'Another account with that name already exists.'
return
password = req.args.get('password')
if not password:
req.hdf['registration.error'] = 'Password cannot be empty.'
return
if password != req.args.get('password_confirm'):
req.hdf['registration.error'] = 'The passwords must match.'
return
mgr.set_password(user, password)
req.redirect(self.env.href.login())
def setUp(self):
from trac.core import ComponentMeta
self.env = EnvironmentStub(enable=[
perm.PermissionSystem, perm.DefaultPermissionStore,
TestPermissionRequestor
])
self.perm = perm.PermissionSystem(self.env)
def setUp(self):
super(ProductPermissionPolicyTestCase, self).setUp()
self.global_env.config.set('trac', 'permission_policies',
'DefaultPermissionPolicy')
self.permsys = perm.PermissionSystem(self.env)
self.global_perm_admin = perm.PermissionAdmin(self.global_env)
self.product_perm_admin = perm.PermissionAdmin(self.env)
def setUp(self):
self.env = EnvironmentStub(enable=[perm.DefaultPermissionStore,
perm.DefaultPermissionPolicy,
TestPermissionRequestor])
self.perm_system = perm.PermissionSystem(self.env)
# by-pass DefaultPermissionPolicy cache:
perm.DefaultPermissionPolicy.CACHE_EXPIRY = -1
self.perm_system.grant_permission('testuser', 'TEST_MODIFY')
self.perm_system.grant_permission('testuser', 'TEST_ADMIN')
self.perm = perm.PermissionCache(self.env, 'testuser')
def setUp(self):
self.env = EnvironmentStub(
enable=[perm.DefaultPermissionStore, perm.DefaultPermissionPolicy
] + self.permission_requestors)
self.env.config.set('trac', 'permission_policies',
'DefaultPermissionPolicy')
self.perm_system = perm.PermissionSystem(self.env)
# by-pass DefaultPermissionPolicy cache:
perm.DefaultPermissionPolicy.CACHE_EXPIRY = -1
self.perm_system.grant_permission('testuser', 'TEST_MODIFY')
self.perm_system.grant_permission('testuser', 'TEST_ADMIN')
self.perm = perm.PermissionCache(self.env, 'testuser')
def setUp(self):
self.env = EnvironmentStub(enable=['trac.*', 'itteco.*'])
self.env.config.set('trac', 'permission_policies',
'CalendarSystem, DefaultPermissionPolicy')
self.itteco_env = IttecoEvnSetup(self.env)
self.itteco_env.upgrade_environment(self.env.get_db_cnx())
self.calendar_system = CalendarSystem(self.env)
self.perm_system = perm.PermissionSystem(self.env)
self.perm = perm.PermissionCache(self.env, 'testuser')
def _create_user(req, env, check_permissions=True):
mgr = AccountManager(env)
user = req.args.get('user')
if not user:
raise TracError('Username cannot be empty.')
if mgr.has_user(user):
raise TracError('Another account with that name already exists.')
if check_permissions:
# disallow registration of accounts which have existing permissions
permission_system = perm.PermissionSystem(env)
if permission_system.get_user_permissions(user) != \
permission_system.get_user_permissions('authenticated'):
raise TracError('Another account with that name already exists.')
password = req.args.get('password')
if not password:
raise TracError('Password cannot be empty.')
if password != req.args.get('password_confirm'):
raise TracError('The passwords must match.')
mgr.set_password(user, password)
db = env.get_db_cnx()
cursor = db.cursor()
cursor.execute(
"SELECT count(*) FROM session "
"WHERE sid=%s AND authenticated=1", (user, ))
exists, = cursor.fetchone()
if not exists:
cursor.execute(
"INSERT INTO session "
"(sid, authenticated, last_visit) "
"VALUES (%s, 1, 0)", (user, ))
for key in ('name', 'email'):
value = req.args.get(key)
if not value:
continue
cursor.execute(
"UPDATE session_attribute SET value=%s "
"WHERE name=%s AND sid=%s AND authenticated=1", (value, key, user))
if not cursor.rowcount:
cursor.execute(
"INSERT INTO session_attribute "
"(sid,authenticated,name,value) "
"VALUES (%s,1,%s,%s)", (user, key, value))
db.commit()
def test_policy_chaining(self):
self.env.config.set('trac', 'permission_policies', 'TestPermissionPolicy,DefaultPermissionPolicy')
self.policy.grant('testuser', ['TEST_MODIFY'])
system = perm.PermissionSystem(self.env)
system.grant_permission('testuser', 'TEST_ADMIN')
self.assertEqual(list(system.policies),
[self.policy,
perm.DefaultPermissionPolicy(self.env)])
self.assertEqual('TEST_MODIFY' in self.perm, True)
self.assertEqual('TEST_ADMIN' in self.perm, True)
self.assertEqual(self.policy.results,
{('testuser', 'TEST_MODIFY'): True,
('testuser', 'TEST_ADMIN'): None})
def test_new_product_perm(self):
"""Only product owner and TRAC_ADMIN will access new product
"""
newproduct = Product(self.global_env)
newproduct.prefix = 'NEW'
newproduct.name = 'New product'
newproduct.owner = 'owneruser'
newproduct.insert()
env = ProductEnvironment(self.global_env, newproduct)
self.global_perm_admin._do_add('adminuser', 'TRAC_ADMIN')
admin_perm = perm.PermissionCache(env, 'adminuser')
owner_perm = perm.PermissionCache(env, 'owneruser')
user_perm = perm.PermissionCache(env, 'testuser')
global_permsys = perm.PermissionSystem(self.global_env)
permsys = perm.PermissionSystem(env)
self.assertEquals({'EMAIL_VIEW': True, 'TEST_ADMIN': True,
'TEST_CREATE': True, 'TEST_DELETE': True,
'TEST_MODIFY': True, 'TRAC_ADMIN' : True},
global_permsys.get_user_permissions('adminuser'))
self.assertEquals({}, global_permsys.get_user_permissions('owneruser'))
self.assertEquals({}, global_permsys.get_user_permissions('testuser'))
self.assertEquals({}, permsys.get_user_permissions('adminuser'))
self.assertEquals({}, permsys.get_user_permissions('owneruser'))
self.assertEquals({}, permsys.get_user_permissions('testuser'))
all_actions = self.permsys.get_actions()
all_actions.remove('TRAC_ADMIN')
for action in all_actions:
self.assertTrue(admin_perm.has_permission(action))
self.assertTrue(owner_perm.has_permission(action))
self.assertFalse(user_perm.has_permission(action))
self.assertTrue(admin_perm.has_permission('TRAC_ADMIN'))
self.assertFalse(owner_perm.has_permission('TRAC_ADMIN'))
self.assertFalse(user_perm.has_permission('TRAC_ADMIN'))
def setUp(self):
self.env = EnvironmentStub()
self.env.clear_component_registry()
decisions = []
self.decisions = decisions
class PermissionPolicy1(Component):
implements(perm.IPermissionPolicy)
def __init__(self):
self.call_count = 0
def check_permission(self, action, username, resource, perm):
self.call_count += 1
decision = None
if 'ACTION_2' in perm(resource):
decision = None
elif action == 'ACTION_1':
decision = username == 'user1'
decisions.append(('policy1', action, decision))
return decision
class PermissionPolicy2(Component):
implements(perm.IPermissionPolicy)
def __init__(self):
self.call_count = 0
def check_permission(self, action, username, resource, perm):
self.call_count += 1
decision = None
if action == 'ACTION_2':
decision = username == 'user2'
decisions.append(('policy2', action, decision))
return decision
self.env.enable_component(PermissionPolicy1)
self.env.enable_component(PermissionPolicy2)
self.env.config.set('trac', 'permission_policies',
'PermissionPolicy1, PermissionPolicy2')
self.ps = perm.PermissionSystem(self.env)
def grant_perm(self, username, *actions):
permsys = perm.PermissionSystem(self.env)
for action in actions:
permsys.grant_permission(username, action)
def setUp(self):
self.__class__.decisions = []
self.env = EnvironmentStub(enable=self.permission_policies)
self.env.config.set('trac', 'permission_policies',
'PermissionPolicy1, PermissionPolicy2')
self.ps = perm.PermissionSystem(self.env)
def setUp(self):
self.env = EnvironmentStub(enable=[
perm.PermissionSystem, perm.DefaultPermissionGroupProvider,
perm.DefaultPermissionStore
] + self.permission_requestors)
self.perm = perm.PermissionSystem(self.env)
def _create_user(req, env, check_permissions=True):
acctmgr = AccountManager(env)
username = acctmgr.handle_username_casing(req.args.get('username').strip())
name = req.args.get('name')
email = req.args.get('email').strip()
account = {
'username': username,
'name': name,
'email': email,
}
error = TracError('')
error.account = account
if not username:
error.message = _("Username cannot be empty.")
raise error
# Prohibit some user names that are important for Trac and therefor
# reserved, even if they're not in the permission store for some reason.
if username in ['authenticated', 'anonymous']:
error.message = _("Username %s is not allowed.") % username
raise error
# NOTE: A user may exist in the password store but not in the permission
# store. I.e. this happens, when the user (from the password store)
# never logged in into Trac. So we have to perform this test here
# and cannot just check for the user being in the permission store.
# And obfuscate whether an existing user or group name
# was responsible for rejection of this user name.
if acctmgr.has_user(username):
error.message = _(
"Another account or group named %s already exists.") % username
raise error
# Check whether there is also a user or a group with that name.
if check_permissions:
# NOTE: We can't use 'get_user_permissions(username)' here
# as this always returns a list - even if the user doesn't exist.
# In this case the permissions of "anonymous" are returned.
#
# Also note that we can't simply compare the result of
# 'get_user_permissions(username)' to some known set of permission,
# i.e. "get_user_permissions('authenticated') as this is always
# false when 'username' is the name of an existing permission group.
#
# And again obfuscate whether an existing user or group name
# was responsible for rejection of this username.
for (perm_user, perm_action) in \
perm.PermissionSystem(env).get_all_permissions():
if perm_user == username:
error.message = _(
"Another account or group named %s already exists.") \
% username
raise error
# Always exclude some special characters, i.e.
# ':' can't be used in HtPasswdStore
# '[' and ']' can't be used in SvnServePasswordStore
blacklist = acctmgr.username_char_blacklist
if containsAny(username, blacklist):
pretty_blacklist = ''
for c in blacklist:
if pretty_blacklist == '':
pretty_blacklist = tag(' \'', tag.b(c), '\'')
else:
pretty_blacklist = tag(pretty_blacklist, ', \'', tag.b(c),
'\'')
error.message = tag(
_("The username must not contain any of these characters:"),
pretty_blacklist)
raise error
# Validation of username passed.
password = req.args.get('password')
if not password:
error.message = _("Password cannot be empty.")
raise error
if password != req.args.get('password_confirm'):
error.message = _("The passwords must match.")
raise error
# Validation of password passed.
if if_enabled(EmailVerificationModule) and acctmgr.verify_email:
if not email:
error.message = _("You must specify a valid email address.")
raise error
elif not re.match('^[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,6}$',
email, re.IGNORECASE):
error.message = _("""The email address specified appears to be
invalid. Please specify a valid email address.
""")
raise error
elif acctmgr.has_email(email):
error.message = _("""The email address specified is already in
use. Please specify a different one.
""")
raise error
# Validation of email address passed.
acctmgr.set_password(username, password)
# INSERT new sid, needed as foreign key in some db schemata later on,
# at least for PostgreSQL.
db = env.get_db_cnx()
cursor = db.cursor()
cursor.execute(
"""
SELECT COUNT(*)
FROM session
WHERE sid=%s
""", (username, ))
exists = cursor.fetchone()
if not exists:
cursor.execute(
"""
INSERT INTO session
(sid,authenticated,last_visit)
VALUES (%s,0,0)
""", (username, ))
for attribute in ('name', 'email'):
value = req.args.get(attribute)
if not value:
continue
set_user_attribute(env, username, attribute, value)
def setUp(self):
self.env = EnvironmentStub(enable=[perm.PermissionSystem,
perm.DefaultPermissionStore,
TestPermissionRequestor])
self.perm = perm.PermissionSystem(self.env)
