Example #1
0
    def test_decorators(self) :

        god = User(username='Jupiter', email_address='[email protected]')
        god.save()

        group, created= TgGroup.objects.get_or_create(group_name='group',
                                                      display_name='Our Group', 
                                                      place=None, level='member', user=god)
        group.to_security_context()

        b = group.create_OurPost(god, title='test decorator')
        from apps.plus_permissions.models import get_interface_map
        i_editor = get_interface_map(OurPost)['Editor']

        @secure_resource(OurPost, required_interfaces=['Editor'])
        def foo(request, resource, *args, **kwargs) :
            resource.title = "blah"
            return True

        class FakeRequest :
            def __init__(self, user) :
                self.user = user

        u = User(username='lydia',email_address='[email protected]')
        u.save()

        self.assertFalse(has_access(u, b, 'OurPost.Editor'))

        self.assertEquals(HttpResponseForbidden, foo(FakeRequest(u), b.id).__class__)

        b.get_inner().get_security_context().add_arbitrary_agent(u, 'OurPost.Editor', god)
        self.assertTrue(foo(FakeRequest(u), b.id))
Example #2
0
def view_wiki_page(request, group, page_name, template_name="plus_wiki/wiki.html", current_app='plus_groups', **kwargs):
    try:
        obj = WikiPage.objects.plus_get(request.user, name=page_name, in_agent=group.get_ref())
    except WikiPage.DoesNotExist:
        raise Http404
    version_list = Version.objects.get_for_object(obj._inner)
    version = Version.objects.get_for_date(obj._inner, datetime.now())
    contributors = get_contributors(request.user, obj)
    contributors = [TemplateSecureWrapper(contributor) for contributor in contributors]
    can_comment = False
    try:
        obj.comment
        can_comment = True
    except :
        pass # no permission
    try:
        obj.get_all_sliders
        perms_bool = True
    except PlusPermissionsNoAccessException:
        perms_bool = False
        
    edit = has_access(request.user, obj, 'WikiPage.Editor')
    
    return render_to_response(template_name, {
            'page':TemplateSecureWrapper(obj), 
            'version':version, 
            'contributors':contributors,
            'can_comment':can_comment,
            'version_list':version_list,
            'tags':get_tags(request.user, obj),
            'permissions':perms_bool,
            'can_edit': edit,
            'comparable':version_list.count()>1}, context_instance=RequestContext(request, current_app=current_app))
Example #3
0
def home(request, success_url=None):
    """
    Let's base homepage on the microblog personal now.
    """
    if not request.user.is_authenticated():
        return render_to_response(
            "home/clients/%s/home.html" % settings.PROJECT_THEME, {}, context_instance=RequestContext(request)
        )

    twitter_account = twitter_account_for_user(request.user)
    template_name = "home/clients/%s/home_logged_in.html" % settings.PROJECT_THEME
    form_class = TweetForm

    if request.method == "POST":
        form = form_class(request.user, request.POST)
        if form.is_valid():
            text = form.cleaned_data["text"]
            form.save()
            if request.POST.get("pub2twitter", False):
                twitter_account.PostUpdate(text)
            if success_url is None:
                success_url = reverse("home")
            return HttpResponseRedirect(success_url)
        reply = None
    else:
        reply = request.GET.get("reply", None)
        form = form_class()
        if reply:
            form.fields["text"].initial = u"@%s " % reply

    tweets = FeedItem.feed_manager.get_for(request.user).order_by("-sent")
    global_tweets = FeedItem.feed_manager.all_permissioned(request.user)

    all_members_group = get_all_members_group()

    if has_access(request.user, None, "Application.Accept", all_members_group.get_security_context()):
        has_accept = True
    else:
        has_accept = False

    return render_to_response(
        template_name,
        {
            "head_title": "Home",
            "head_title_status": "",
            "form": form,
            "reply": reply,
            "tweets": tweets,
            "global_tweets": global_tweets,
            "twitter_authorized": twitter_verify_credentials(twitter_account),
            "site_members_group": all_members_group,
            "has_accept": has_accept,
        },
        context_instance=RequestContext(request),
    )
Example #4
0
def view_resource(request, group, resource_name, template_name="plus_resources/view.html",
                   current_app='plus_groups', **kwargs):


    if not group :
        raise Http404(_('This group does not exist'))

    try:
        obj = Resource.objects.plus_get(request.user, name=resource_name, in_agent=group.get_ref())
    except Resource.DoesNotExist:
        raise Http404

    if not request.user.is_authenticated():
        request.user = get_anon_user()


    try:
        obj.get_all_sliders
        perms_bool = True
    except PlusPermissionsNoAccessException:
        perms_bool = False

    try :
        obj.comment
        can_comment=True
    except PlusPermissionsNoAccessException:
        can_comment=False

    edit = has_access(request.user, obj, 'Resource.Editor')
    tags = get_tags_for_object(obj, request.user)

    if obj.get_inner().created_by :
        created_by = obj.get_inner().created_by.get_display_name()
    else :
        created_by = None

    return render_to_response(template_name, {
        'upload' : TemplateSecureWrapper(obj),
        'page_title' : obj.title,
        'created_by' : created_by,
        'permissions' : perms_bool,
        'can_comment' : can_comment,
        'can_edit' : edit,
        'tags': tags
    }, context_instance=RequestContext(request, current_app=current_app))
Example #5
0
def view_wiki_page(request, group, page_name, template_name="plus_wiki/wiki.html", current_app='plus_groups', **kwargs):

    if not group :
        raise Http404(_('This group does not exist'))
    try:
        obj = WikiPage.objects.plus_get(request.user, name=page_name, in_agent=group.get_ref())
    except WikiPage.DoesNotExist:
        raise Http404

    if obj.stub :
        # we don't want to show the wikipage at this point, but what do we do instead?
        request.user.message_set.create(message=_('The page you tried to visit has not yet been published by the creator.')%{})
        return HttpResponseRedirect(reverse(current_app + ':group', args=[group.id]))
        
    version_list = Version.objects.get_for_object(obj._inner)
    try:
        version = Version.objects.get_for_date(obj._inner, datetime.now())
    except Version.DoesNotExist :
        # XXX this isn't a solution ... we need to know WHY the version doesn't exist, 
        # but will hide the error page from the user
        raise Http404

    contributors = get_contributors(request.user, obj)
    contributors = [TemplateSecureWrapper(contributor) for contributor in contributors]
    can_comment = False
    try:
        obj.comment
        can_comment = True
    except :
        pass # no permission
    try:
        obj.get_all_sliders
        perms_bool = True
    except PlusPermissionsNoAccessException:
        perms_bool = False
        
        
    edit = has_access(request.user, obj, 'WikiPage.Editor')

    group_id = obj.get_inner().in_agent.obj.id 
    group_display_name = obj.get_inner().in_agent.obj.get_display_name()
    created_by = obj.get_inner().created_by
    # get this here because if we find ourselves on a page without access to group,
    # getting the obj.in_agent.id in the template blows up


    return render_to_response(template_name, {
            'page':TemplateSecureWrapper(obj), 
            'group_id':group_id,
            'group_display_name':group_display_name,
            'created_by':created_by,
            'version':version, 
            'contributors':contributors,
            'can_comment':can_comment,
            'version_list':version_list,
            'tags': get_tags_for_object(obj, request.user),
            'permissions':perms_bool,
            'can_edit': edit,
            'comparable':version_list.count()>1,
           
            'pages_listings_args':listing_args('home', 'home', ''),

            }, context_instance=RequestContext(request, current_app=current_app))
Example #6
0
    def test_access(self) :
        """ Starting with security_contexts"""

        nahia = User(username='nahia', email_address='[email protected]')
        nahia.save()
        
        adam = get_admin_user()

        kx, created = TgGroup.objects.get_or_create(group_name='kingsX', display_name='Hub Kings Cross', 
                                                level='member', user=adam)
        kxsc = kx.to_security_context()

        blog = kx.create_OurPost(title='my blog', creator=adam)
        blog.save()
        
        # assert that the blog post acquires it's security context from Kings Cross
        self.assertEquals(blog.get_inner().get_security_context().id, kx.get_security_context().id)

        # confirm that there's an OurPost.Viewer interface for Kings Cross
        self.assertTrue( kx.get_tag_for_interface("OurPost.Viewer"))
                
        # but nahia has no access to the blog
        self.assertFalse(has_access(nahia, blog, "OurPost.Viewer"))

        # now lets add this user to the tag
        tag = kx.get_tag_for_interface("OurPost.Viewer")
        tag.add_agents([nahia.get_ref()])

        # so now nahia has access
        self.assertTrue( has_access(nahia, blog, "OurPost.Viewer"))
        
        # but tuba doesn't
        tuba = User(username='tuba', email_address='[email protected]')
        tuba.save()

        self.assertFalse( has_access(tuba, blog, "OurPost.Viewer"))

        # however, we presumably want to give kings cross *members* access to it
        tag.add_agents([kx.get_ref()])
        self.assertTrue( has_access(kx, blog, "OurPost.Viewer"))

        # so if we add tuba to kings cross
        kx.add_member(tuba)

        # she now has access
        self.assertTrue( has_access(tuba, blog, "OurPost.Viewer"))
        
        # Now we test that a second blog-post that's created starts with similar access
        blog2 = kx.create_OurPost(creator=adam, title='second post')
        blog2.save()

        self.assertTrue(has_access(tuba, blog2, "OurPost.Viewer"))
        
        # but we assume that not everyone got an editor interface

        self.assertFalse(has_access(tuba, blog2, "OurPost.Editor"))
        
        # add an arbitrary agent and remove her agaiin 
        blog._inner.get_security_context().add_arbitrary_agent(tuba, 'OurPost.Editor', adam)
        self.assertTrue(has_access(tuba, blog, "OurPost.Editor"))
        blog._inner.get_security_context().remove_arbitrary_agent(tuba, 'OurPost.Editor', adam)
        self.assertFalse(has_access(tuba, blog, "OurPost.Editor"))        

        #test moving the sliders around
        members_group = blog._inner.get_security_context().context_agent.obj
        admin_group = blog._inner.get_security_context().context_admin.obj
        
        #set the slider so that members of KX have the Editor interface
        blog._inner.get_security_context().move_slider(members_group, 'OurPost.Editor', adam)

        #check that the slider level actually changed
        level = blog._inner.get_security_context().get_slider_level('OurPost.Editor')
        self.assertTrue(level==members_group)

        #and check that tuba has access
        self.assertTrue(has_access(tuba, blog, "OurPost.Editor"))

        #now remove tuba from the members group
        members_group.remove_member(tuba)
        self.assertFalse(has_access(tuba, blog, "OurPost.Editor"))        

        #and re-add her
        members_group.add_member(tuba)
        self.assertTrue(has_access(tuba, blog, "OurPost.Editor"))  

        #raise the requirement to the admin group
        blog.get_inner().get_security_context().move_slider(admin_group, 'OurPost.Editor', adam)
        level = blog.get_inner().get_security_context().get_slider_level('OurPost.Editor')

        #check the slider changed and that adam can now access while tuba cannot
        self.assertTrue(level==admin_group)
        self.assertFalse(has_access(tuba, blog, "OurPost.Editor"))
        self.assertTrue(has_access(adam, blog, "OurPost.Editor"))

        #use the move_sliders interface which should be called by the UI and check that constraints are enforced correctly
         # this should fail validation  because editor can't be higher than viewer
        def move_sliders(slider_dict, type_name, user):
            blog._inner.get_security_context().move_sliders(slider_dict, type_name, user=user)
        anonymous_group = get_anonymous_group()
        self.assertRaises(InvalidSliderConfiguration, move_sliders, {'OurPost.Editor':members_group, 'OurPost.Viewer':admin_group},  'OurPost', adam)
         # so should this because Editor can't be anonymous
        self.assertRaises(InvalidSliderConfiguration, move_sliders, {'OurPost.Editor':anonymous_group, 'OurPost.Viewer':anonymous_group},  'OurPost', adam)
         # check that nothing changed
        level = blog._inner.get_security_context().get_slider_level('OurPost.Editor')
        self.assertTrue(level==admin_group)
        
         # this should validate        
        blog._inner.get_security_context().move_sliders({'OurPost.Editor':members_group, 'OurPost.Viewer':members_group}, 'OurPost', adam)
        # and levels should be changed
        level = blog._inner.get_security_context().get_slider_level('OurPost.Editor')
        self.assertTrue(level==members_group)
        level = blog._inner.get_security_context().get_slider_level('OurPost.Viewer')
        self.assertTrue(level==members_group)

        
        # so now we're going to give tuba special permissions on this blog post ONLY
        # so first make the blog post a custom context
        sc2 = blog2.create_custom_security_context()

        # assert now that blog2's security context is NOT the same as blog's
        self.assertNotEquals(blog2._inner.get_security_context(), blog._inner.get_security_context())
        # but that the admin and agent are
        self.assertEquals(blog2._inner.get_security_context().context_agent, blog._inner.get_security_context().context_agent)
        self.assertEquals(blog2._inner.get_security_context().context_admin, blog._inner.get_security_context().context_admin)

        # another kings cross host
        elenor = User(username='elenor', email_address='[email protected]')
        elenor.save()
        
        # who doesn't have access
        self.assertFalse(has_access(elenor, blog2, 'OurPost.Editor'))
        
        # so we add her to the tag
        sc2.add_arbitrary_agent(elenor, 'OurPost.Editor', adam)
        
        # and she now has access
        self.assertTrue(has_access(elenor, blog2, "OurPost.Editor"))

        # let's take her away again and check she loses access
        blog2.remove_arbitrary_agent(elenor, 'OurPost.Editor', adam)
        self.assertFalse(has_access(elenor, blog2, "OurPost.Editor"))

        # and if we add elinor to kx
        kx.add_member(elenor)
        
        # so should have same access
        self.assertTrue(has_access(elenor, blog, "OurPost.Editor"))   
Example #7
0
            print e
            pass

        try :
            group.change_avatar
            can_change_avatar  = True
        except Exception, e:
            pass

        try :
            dummy = group.delete
            can_delete = True
        except :
            pass

        if has_access(request.user, None, 'Application.Accept', group._inner.get_security_context()):
            has_accept = True
        else:
            has_accept = False
    
    tweets = FeedItem.feed_manager.get_from_permissioned(group, request.user)

    try:
        group.get_all_sliders
        perms_bool = True
    except PlusPermissionsNoAccessException:
        perms_bool = False

    if kwargs['type'] == 'hub':
        type_name = hub_name()
    else: