def test_grant_basic_roles_on_groups(self):
user = User(email="*****@*****.**", password="******")
group = Group(name="Test Group")
user.groups.add(group)
self.session.add(user)
self.session.flush()
security.grant_role(group, "admin")
assert security.has_role(group, "admin")
assert security.get_roles(group) == ['admin']
assert security.get_principals(Admin) == [group]
assert security.has_role(user, Admin)
assert security.has_permission(user, "read")
assert security.has_permission(user, "write")
assert security.has_permission(user, "manage")
security.ungrant_role(group, "admin")
assert not security.has_role(group, "admin")
assert security.get_roles(group) == []
assert security.get_principals(Admin) == []
assert not security.has_role(user, "admin")
assert not security.has_permission(user, "read")
assert not security.has_permission(user, "write")
assert not security.has_permission(user, "manage")
def test_grant_basic_roles_on_groups(session: Session) -> None:
user = User(email="*****@*****.**", password="******")
group = Group(name="Test Group")
# pyre-fixme[16]: `User` has no attribute `groups`.
user.groups.add(group)
session.add(user)
session.flush()
security.grant_role(group, "admin")
assert security.has_role(group, "admin")
assert security.get_roles(group) == ["admin"]
assert security.get_principals(Admin) == [group]
assert security.has_role(user, Admin)
assert security.has_permission(user, "read")
assert security.has_permission(user, "write")
assert security.has_permission(user, "manage")
security.ungrant_role(group, "admin")
assert not security.has_role(group, "admin")
assert security.get_roles(group) == []
assert security.get_principals(Admin) == []
assert not security.has_role(user, "admin")
assert not security.has_permission(user, "read")
assert not security.has_permission(user, "write")
assert not security.has_permission(user, "manage")
def test_has_permission_on_objects(self):
has_permission = security.has_permission
user = User(email="*****@*****.**", password="******")
group = Group(name="Test Group")
user.groups.add(group)
obj = DummyModel(creator=user, owner=user)
self.session.add_all([user, obj])
self.session.flush()
# global role provides permissions on any object
security.grant_role(user, Reader)
assert has_permission(user, READ, obj=obj)
assert not has_permission(user, WRITE, obj=obj)
security.grant_role(user, Writer, obj=obj)
assert has_permission(user, WRITE, obj=obj)
# permission assignment
security.ungrant_role(user, Reader)
security.ungrant_role(user, Writer, object=obj)
security.grant_role(user, Authenticated)
assert not has_permission(user, READ, obj=obj)
assert not has_permission(user, WRITE, obj=obj)
pa = PermissionAssignment(
role=Authenticated,
permission=READ,
object=obj,
)
self.session.add(pa)
self.session.flush()
assert has_permission(user, READ, obj=obj)
assert not has_permission(user, WRITE, obj=obj)
self.session.delete(pa)
self.session.flush()
assert not has_permission(user, READ, obj=obj)
# Owner / Creator
for role in (Owner, Creator):
pa = PermissionAssignment(role=role, permission=READ, object=obj)
self.session.add(pa)
self.session.flush()
assert has_permission(user, READ, obj=obj)
self.session.delete(pa)
self.session.flush()
assert not has_permission(user, READ, obj=obj)
# test when object is *not* in session (newly created objects have id=None
# for instance)
obj = DummyModel()
assert security.has_role(user, Reader, object=obj) is False
def test_group(self):
user = User(first_name=u"John",
last_name=u"Test User",
email=u"*****@*****.**",
password="******")
group = Group(name=u"Group 1")
user.join(group)
assert user.is_member_of(group)
assert len(group.members) == 1
assert len(user.groups) == 1
assert group.members == {user}
assert user.groups == {group}
user.leave(group)
assert not user.is_member_of(group)
assert len(group.members) == 0
assert len(user.groups) == 0
def test_grant_roles_on_objects(self):
user = User(email="*****@*****.**", password="******")
user2 = User(email="*****@*****.**", password="******")
group = Group(name="Test Group")
user.groups.add(group)
obj = DummyModel()
self.session.add_all([user, user2, obj])
self.session.flush()
security.grant_role(user, 'global_role')
security.grant_role(user, "reader", obj)
assert security.has_role(user, "reader", obj)
assert security.get_roles(user, obj) == ['reader']
assert security.get_principals(Reader) == []
assert security.get_principals(Reader, object=obj) == [user]
assert security.has_permission(user, "read", obj)
assert not security.has_permission(user, "write", obj)
assert not security.has_permission(user, "manage", obj)
# test get_roles "global": object roles should not appear
assert security.get_roles(user) == ['global_role']
# global role is valid on all object
assert security.has_role(user, 'global_role', obj)
security.ungrant_role(user, "reader", obj)
assert not security.has_role(user, "reader", obj)
assert security.get_roles(user, obj) == []
assert security.has_role(user, 'global_role', obj)
assert not security.has_permission(user, "read", obj)
assert not security.has_permission(user, "write", obj)
assert not security.has_permission(user, "manage", obj)
# owner / creator roles
assert security.get_principals(Owner, object=obj) == []
assert security.get_principals(Creator, object=obj) == []
old_owner = obj.owner
old_creator = obj.creator
obj.owner = user
assert security.get_roles(user, obj) == [Owner]
assert security.get_principals(Owner, object=obj) == [user]
assert security.get_principals(Creator, object=obj) == []
# if user2 has Admin role e gets the rights no matter Creator/Ownership
security.grant_role(user2, Admin)
assert security.has_role(user2, (Owner, Creator), obj)
assert security.has_role(user, (Owner, Creator), obj)
obj.owner = old_owner
obj.creator = user
assert security.get_roles(user, obj) == [Creator]
assert security.get_principals(Owner, object=obj) == []
assert security.get_principals(Creator, object=obj) == [user]
obj.creator = old_creator
# permissions through group membership
security.grant_role(group, "manager", obj)
assert security.has_role(group, "manager", obj)
assert security.get_roles(group, obj) == ['manager']
# group membership: user hasn't role set, but has permissions
assert security.get_roles(user, obj, no_group_roles=True) == []
assert security.has_permission(user, "read", obj)
assert security.has_permission(user, "write", obj)
assert security.has_permission(user, "manage", obj)
group.members.remove(user)
self.session.flush()
assert not security.has_role(user, "manager", obj)
assert security.get_roles(user, obj) == []
assert not security.has_permission(user, "read", obj)
assert not security.has_permission(user, "write", obj)
assert not security.has_permission(user, "manage", obj)
security.ungrant_role(group, "manager", obj)
assert not security.has_role(group, "manager", obj)
assert security.get_roles(group, obj) == []
# when called on unmapped instance
new_obj = DummyModel()
assert not security.has_permission(user, READ, new_obj)
def create_group():
d = get_params(Group.__editable__)
group = Group(**d)
db.session.add(group)
db.session.commit()
return make_json_response(group, 201)