def test_grant_basic_roles_on_groups(self):
user = User(email="*****@*****.**", password="******")
group = Group(name="Test Group")
user.groups.add(group)
self.session.add(user)
self.session.flush()
security.grant_role(group, "admin")
assert security.has_role(group, "admin")
assert security.get_roles(group) == ['admin']
assert security.get_principals(Admin) == [group]
assert security.has_role(user, Admin)
assert security.has_permission(user, "read")
assert security.has_permission(user, "write")
assert security.has_permission(user, "manage")
security.ungrant_role(group, "admin")
assert not security.has_role(group, "admin")
assert security.get_roles(group) == []
assert security.get_principals(Admin) == []
assert not security.has_role(user, "admin")
assert not security.has_permission(user, "read")
assert not security.has_permission(user, "write")
assert not security.has_permission(user, "manage")
def test_api_post(self):
kwargs = dict(
email='*****@*****.**',
password='******',
can_login=True,
)
u = User(**kwargs)
self.session.add(u)
self.session.commit()
rv = self.client.post(
'/user/api/login',
data=json.dumps(kwargs),
content_type='application/json',
)
assert rv.status_code == 200
assert rv.json == {
'email': '*****@*****.**',
'username': '******',
'fullname': 'Unknown',
'next_url': '',
}
rv = self.client.post('/user/api/logout')
assert rv.status_code == 200
def init_user():
user = User(first_name="Joe",
last_name="User",
email=TEST_EMAIL,
password=TEST_PASSWORD)
db.session.add(user)
db.session.flush()
def test_grant_basic_roles_on_groups(session: Session) -> None:
user = User(email="*****@*****.**", password="******")
group = Group(name="Test Group")
# pyre-fixme[16]: `User` has no attribute `groups`.
user.groups.add(group)
session.add(user)
session.flush()
security.grant_role(group, "admin")
assert security.has_role(group, "admin")
assert security.get_roles(group) == ["admin"]
assert security.get_principals(Admin) == [group]
assert security.has_role(user, Admin)
assert security.has_permission(user, "read")
assert security.has_permission(user, "write")
assert security.has_permission(user, "manage")
security.ungrant_role(group, "admin")
assert not security.has_role(group, "admin")
assert security.get_roles(group) == []
assert security.get_principals(Admin) == []
assert not security.has_role(user, "admin")
assert not security.has_permission(user, "read")
assert not security.has_permission(user, "write")
assert not security.has_permission(user, "manage")
def test_has_role_authenticated(app: Application, session: Session) -> None:
anon = app.login_manager.anonymous_user()
user = User(email="*****@*****.**", password="******")
session.add(user)
session.flush()
assert not security.has_role(anon, Authenticated)
assert security.has_role(user, Authenticated)
def test_has_role_authenticated(self):
anon = self.app.login_manager.anonymous_user()
user = User(email="*****@*****.**", password="******")
self.session.add(user)
self.session.flush()
assert not security.has_role(anon, Authenticated)
assert security.has_role(user, Authenticated)
def test_grant_basic_roles(self):
user = User(email="*****@*****.**", password="******")
self.session.add(user)
self.session.flush()
# everybody always has role Anonymous
assert security.has_role(user, Anonymous)
security.grant_role(user, Admin)
assert security.has_role(user, Admin)
assert security.get_roles(user) == [Admin]
assert security.get_roles(user) == ['admin']
assert security.get_principals(Admin) == [user]
# clear roles cache for better coverage: has_permission uses
# _fill_role_cache_batch(), get_roles uses _fill_role_cache()
delattr(user, '__roles_cache__')
assert security.has_permission(user, "read")
assert security.has_permission(user, "write")
assert security.has_permission(user, "manage")
security.ungrant_role(user, "admin")
assert not security.has_role(user, "admin")
assert security.get_roles(user) == []
assert security.get_principals(Admin) == []
assert not security.has_permission(user, "read")
assert not security.has_permission(user, "write")
assert not security.has_permission(user, "manage")
def test_has_permission_custom_roles(self):
user = User(email="*****@*****.**", password="******")
self.session.add(user)
self.session.flush()
role = Role('custom_role')
permission = Permission('custom permission')
assert not security.has_permission(user, permission, roles=role)
security.grant_role(user, role)
assert not security.has_permission(user, permission)
assert security.has_permission(user, permission, roles=role)
# Permission always granted if Anonymous role
assert security.has_permission(user, permission, roles=Anonymous)
# test convert legacy permission & implicit mapping
security.grant_role(user, 'reader')
assert security.has_permission(user, 'read')
assert not security.has_permission(user, 'write')
assert not security.has_permission(user, 'manage')
security.grant_role(user, 'writer')
assert security.has_permission(user, 'read')
assert security.has_permission(user, 'write')
assert not security.has_permission(user, 'manage')
security.grant_role(user, 'manager')
assert security.has_permission(user, 'read')
assert security.has_permission(user, 'write')
assert security.has_permission(user, 'manage')
def setUp(self):
BaseTestCase.setUp(self)
self.user = User(
email=u'*****@*****.**',
first_name=u'John', last_name=u'Doe', can_login=True)
self.session.add(self.user)
self.session.commit()
def test_has_permission_custom_roles(session: Session) -> None:
user = User(email="*****@*****.**", password="******")
session.add(user)
session.flush()
role = Role("custom_role")
permission = Permission("custom permission")
assert not security.has_permission(user, permission, roles=role)
security.grant_role(user, role)
assert not security.has_permission(user, permission)
assert security.has_permission(user, permission, roles=role)
# Permission always granted if Anonymous role
assert security.has_permission(user, permission, roles=Anonymous)
# test convert legacy permission & implicit mapping
security.grant_role(user, "reader")
assert security.has_permission(user, "read")
assert not security.has_permission(user, "write")
assert not security.has_permission(user, "manage")
security.grant_role(user, "writer")
assert security.has_permission(user, "read")
assert security.has_permission(user, "write")
assert not security.has_permission(user, "manage")
security.grant_role(user, "manager")
assert security.has_permission(user, "read")
assert security.has_permission(user, "write")
assert security.has_permission(user, "manage")
def test_login_post(session: Session, client: FlaskClient) -> None:
kwargs = {
"email": "*****@*****.**",
"password": "******",
"can_login": True
}
user = User(**kwargs)
session.add(user)
session.flush()
response = client.post("/user/login", data=kwargs)
assert response.status_code == 302
# wrong password
d = dict(kwargs)
d["password"] = "******"
response = client.post("/user/login", data=d)
assert response.status_code == 401
# login disabled
# pyre-fixme[8]: Attribute has type `Column`; used as `bool`.
user.can_login = False
session.flush()
response = client.post("/user/login", data=kwargs)
assert response.status_code == 401
def createuser(email, password, role=None, name=None, first_name=None):
"""Create new user."""
email = text_type(email)
if User.query.filter(User.email == email).count() > 0:
print("A user with email '{}' already exists, aborting.".format(email))
return
if password is None:
password = prompt_pass('Password')
user = User(
email=email,
password=password,
last_name=name,
first_name=first_name,
can_login=True,
)
db.session.add(user)
if role in ('admin',):
# FIXME: add other valid roles
security = get_service('security')
security.grant_role(user, role)
db.session.commit()
print("User {} added".format(email))
def test_login_post(self):
kwargs = dict(email=u'*****@*****.**',
password='******',
can_login=True)
u = User(**kwargs)
self.session.add(u)
self.session.commit()
rv = self.client.post('/user/login', data=kwargs)
self.assertEquals(rv.status_code, 302,
"expected 302, got:" + rv.status)
# wrong password
d = dict(kwargs)
d['password'] = '******'
rv = self.client.post('/user/login', data=d)
self.assertEquals(rv.status_code, 401,
"expected 401, got:" + rv.status)
# login disabled
u.can_login = False
self.session.commit()
rv = self.client.post('/user/login', data=kwargs)
self.assertEquals(rv.status_code, 401,
"expected 401, got:" + rv.status)
def setUp(self):
super(TestNotificationViews, self).setUp()
self.user = User(email=u'*****@*****.**',
password='******',
can_login=True)
self.session.add(self.user)
self.session.commit()
def test(self):
contact = DummyContact(first_name="John")
assert contact.creator is None
assert contact.owner is None
user = User()
contact.owner = user
contact.creator = user
def setUp(self):
super(NotificationTestCase, self).setUp()
self.user = User(email=u'*****@*****.**',
password='******',
can_login=True)
self.session.add(self.user)
self.community.set_membership(self.user, WRITER)
self.session.commit()
def finalize_validate():
config_file = os.path.join(current_app.instance_path, 'config.py')
logging_file = os.path.join(current_app.instance_path, 'logging.yml')
assert not os.path.exists(config_file)
config = cmd_config.DefaultConfig(logging_file='logging.yml')
config.SQLALCHEMY_DATABASE_URI = session_get('db')['uri']
redis_uri = session_get('redis')['uri']
config.REDIS_URI = redis_uri
config.BROKER_URL = redis_uri
config.CELERY_RESULT_BACKEND = redis_uri
d = session_get('site_info')
config.SITE_NAME = d['sitename']
config.MAIL_SENDER = d['mailsender']
is_production = d['server_mode'] == u'production'
config.PRODUCTION = is_production
config.DEBUG = not is_production
config.DEBUG_TB_ENABLED = config.DEBUG
config.CELERY_ALWAYS_EAGER = not is_production
cmd_config.write_config(config_file, config)
cmd_config.maybe_write_logging(logging_file)
admin_account = session_get('admin_account')
# create a new app that will be configured with new config, to create database
# and admin_user
setup_app = current_app._get_current_object()
app = setup_app.__class__(
setup_app.import_name,
static_url_path=setup_app.static_url_path,
static_folder=setup_app.static_folder,
template_folder=setup_app.template_folder,
instance_path=setup_app.instance_path,
)
with app.test_request_context('/setup/finalize'):
app.create_db()
db_session = app.db.session()
admin = User(email=admin_account['email'],
password=admin_account['password'],
last_name=admin_account['name'],
first_name=admin_account['firstname'],
can_login=True)
db_session.add(admin)
security = get_service('security')
security.grant_role(admin, Admin)
db_session.commit()
session_clear()
response = make_response(
render_template('setupwizard/done.html',
config_file=config_file,
logging_file=logging_file), 200)
return response
def finalize_validate():
config_file = Path(current_app.instance_path) / "config.py"
logging_file = Path(current_app.instance_path) / "logging.yml"
assert not config_file.exists()
config = cmd_config.DefaultConfig(logging_file="logging.yml")
config.SQLALCHEMY_DATABASE_URI = session_get("db")["uri"]
redis_uri = session_get("redis")["uri"]
config.REDIS_URI = redis_uri
config.BROKER_URL = redis_uri
config.CELERY_RESULT_BACKEND = redis_uri
d = session_get("site_info")
config.SITE_NAME = d["sitename"]
config.MAIL_SENDER = d["mailsender"]
is_production = d["server_mode"] == "production"
config.PRODUCTION = is_production
config.DEBUG = not is_production
config.DEBUG_TB_ENABLED = config.DEBUG
config.CELERY_ALWAYS_EAGER = not is_production
cmd_config.write_config(config_file, config)
cmd_config.maybe_write_logging(logging_file)
admin_account = session_get("admin_account")
# create a new app that will be configured with new config,
# to create database and admin_user
setup_app = unwrap(current_app)
app = setup_app.__class__(
setup_app.import_name,
static_url_path=setup_app.static_url_path,
static_folder=setup_app.static_folder,
template_folder=setup_app.template_folder,
instance_path=setup_app.instance_path,
)
with app.test_request_context("/setup/finalize"):
app.create_db()
db_session = db.session()
admin = User(
email=admin_account["email"],
password=admin_account["password"],
last_name=admin_account["name"],
first_name=admin_account["firstname"],
can_login=True,
)
db_session.add(admin)
security = get_service("security")
security.grant_role(admin, Admin)
db_session.commit()
session_clear()
return render_template("setupwizard/done.html",
config_file=config_file,
logging_file=logging_file)
def test_user(self):
user = User(first_name=u"John",
last_name=u"Test User",
email=u"*****@*****.**",
password="******")
check_editable(user)
assert u"John Test User" == user.name
assert u"John Test User" == text_type(user)
def create_db(self):
from abilian.core.models.subjects import User
db.create_all()
if User.query.get(0) is None:
root = User(id=0, last_name=u'SYSTEM', email=u'*****@*****.**',
can_login=False)
db.session.add(root)
db.session.commit()
def test_status_update(self):
user = User(first_name=u"John",
last_name=u"Test User",
email=u"*****@*****.**",
password="******")
#self.assertEquals(len(user.messages), 0)
message = Message()
message.author = user
check_editable(message)
def test_community_indexed(app, db, req_ctx):
index_service = app.services["indexing"]
index_service.start()
security_service = app.services["security"]
security_service.start()
obj_types = (Community.entity_type,)
user_no_community = User(email="*****@*****.**")
db.session.add(user_no_community)
community1 = Community(name="My Community")
db.session.add(community1)
community2 = Community(name="Other community")
db.session.add(community2)
user = User(email="*****@*****.**")
db.session.add(user)
community1.set_membership(user, READER)
user_c2 = User(email="*****@*****.**")
db.session.add(user_c2)
community2.set_membership(user_c2, READER)
db.session.commit()
with login(user_no_community):
res = index_service.search("community", object_types=obj_types)
assert len(res) == 0
with login(user):
res = index_service.search("community", object_types=obj_types)
assert len(res) == 1
hit = res[0]
assert hit["object_key"] == community1.object_key
with login(user_c2):
res = index_service.search("community", object_types=obj_types)
assert len(res) == 1
hit = res[0]
assert hit["object_key"] == community2.object_key
def user(db: SQLAlchemy) -> User:
user = User(
first_name="Joe",
last_name="Test",
email="*****@*****.**",
password="******",
can_login=True,
)
db.session.add(user)
db.session.flush()
return user
def setUp(self):
super(CommunityIndexingTestCase, self).setUp()
self.svc = self.app.services['indexing']
self.user = User(
email=u'*****@*****.**', password='******', can_login=True)
self.session.add(self.user)
self.community.set_membership(self.user, READER)
self.c2 = Community(name=u'Other community')
self.session.add(self.c2)
self.user_c2 = User(
email=u'*****@*****.**', password='******', can_login=True)
self.session.add(self.user_c2)
self.c2.set_membership(self.user_c2, READER)
self.user_no_community = User(
email=u'*****@*****.**',
password='******',
can_login=True)
self.session.add(self.user_no_community)
self.session.commit()
def community2(db):
community = Community(name="Another Community")
db.session.add(community)
user = User(email="*****@*****.**", password="******", can_login=True)
db.session.add(user)
community.set_membership(user, READER)
community.test_user = user
db.session.flush()
return community
def test_has_permission_on_objects(self):
has_permission = security.has_permission
user = User(email="*****@*****.**", password="******")
group = Group(name="Test Group")
user.groups.add(group)
obj = DummyModel(creator=user, owner=user)
self.session.add_all([user, obj])
self.session.flush()
# global role provides permissions on any object
security.grant_role(user, Reader)
assert has_permission(user, READ, obj=obj)
assert not has_permission(user, WRITE, obj=obj)
security.grant_role(user, Writer, obj=obj)
assert has_permission(user, WRITE, obj=obj)
# permission assignment
security.ungrant_role(user, Reader)
security.ungrant_role(user, Writer, object=obj)
security.grant_role(user, Authenticated)
assert not has_permission(user, READ, obj=obj)
assert not has_permission(user, WRITE, obj=obj)
pa = PermissionAssignment(
role=Authenticated,
permission=READ,
object=obj,
)
self.session.add(pa)
self.session.flush()
assert has_permission(user, READ, obj=obj)
assert not has_permission(user, WRITE, obj=obj)
self.session.delete(pa)
self.session.flush()
assert not has_permission(user, READ, obj=obj)
# Owner / Creator
for role in (Owner, Creator):
pa = PermissionAssignment(role=role, permission=READ, object=obj)
self.session.add(pa)
self.session.flush()
assert has_permission(user, READ, obj=obj)
self.session.delete(pa)
self.session.flush()
assert not has_permission(user, READ, obj=obj)
# test when object is *not* in session (newly created objects have id=None
# for instance)
obj = DummyModel()
assert security.has_role(user, Reader, object=obj) is False
def test_non_ascii_password():
"""Ensure we can store and test non-ascii password without any
UnicodeEncodeError."""
user = User()
user.set_password('Hé')
if not isinstance(user.password, text_type):
# when actually retrieved from database, it should be Unicode
user.password = text_type(user.password)
assert user.authenticate('Hé')
def create_root_user(self):
from abilian.core.models.subjects import User
user = User.query.get(0)
if user is None:
user = User(id=0,
last_name="SYSTEM",
email="*****@*****.**",
can_login=False)
db.session.add(user)
db.session.commit()
return user
def admin_user(db: SQLAlchemy) -> User:
user = User(
first_name="Jim",
last_name="Admin",
email="*****@*****.**",
password="******",
can_login=True,
)
user.is_admin = True
db.session.add(user)
db.session.flush()
return user
def test_user_follow():
# id is provided by DB (which is not used in this test), and is required for
# having in (user1 != user2) == True
user1 = User(
id=1,
first_name="John",
last_name="Test User 1",
email="*****@*****.**",
password="******",
)
user2 = User(
id=2,
first_name="Joe",
last_name="Test User 2",
email="*****@*****.**",
password="******",
)
assert len(user1.followers) == 0
assert len(user1.followees) == 0
assert len(user2.followers) == 0
assert len(user2.followees) == 0
user1.follow(user2)
assert user1.is_following(user2)
assert len(user2.followers) == 1
assert len(user1.followees) == 1
assert len(user2.followees) == 0
assert len(user1.followers) == 0
assert user2 in user1.followees
user1.unfollow(user2)
assert not user1.is_following(user2)
assert len(user1.followers) == 0
assert len(user1.followees) == 0
assert len(user2.followers) == 0
assert len(user2.followees) == 0
assert user2 not in user1.followers
