def test_fallback_to_anonymous_user(self):
repo = Repository(owner=self._human_a, name='Node isnt web scale')
repo.save()
self.assertTrue(self._human_a.has_perm('read', repo))
self.assertFalse(self._human_b.has_perm('read', repo))
assign('read', get_anonymous_user(), repo)
self.assertTrue(self._human_b.has_perm('read', repo))
def save(self):
super(GroupForm, self).save()
user = db.User.objects.get(username=self.data['user'])
assign('change_group', user, self.instance)
assign('delete_group', user, self.instance)
self.instance.user_set.add(user)
return self.instance
def test_remove_perm(self):
assign('contenttypes.change_contenttype', self.user, self.ctype)
self.assertTrue(self.user.has_perm('contenttypes.change_contenttype',
self.ctype))
remove_perm('contenttypes.change_contenttype', self.user, self.ctype)
self.assertFalse(self.user.has_perm('contenttypes.change_contenttype',
self.ctype))
def test_create_minimal_nodeset(self):
'''Test adding a new NodeSet with required fields only
'''
dataset = DataSet.objects.create()
InvestigationLink.objects.create(data_set=dataset,
investigation=self.investigation)
assign("read_%s" % dataset._meta.module_name, self.user, dataset)
nodeset_data = {
'name': 'nodeset1',
'study': make_api_uri('study', self.study.uuid),
'assay': make_api_uri('assay', self.assay.uuid),
'is_implicit': True
}
nodeset_uri = make_api_uri('nodeset')
self.assertEqual(NodeSet.objects.count(), 0)
response = self.api_client.post(nodeset_uri,
format='json',
data=nodeset_data,
authentication=self.get_credentials())
self.assertHttpCreated(response)
self.assertEqual(NodeSet.objects.count(), 1)
nodeset = NodeSet.objects.get(name=nodeset_data['name'])
self.assertEqual(nodeset.get_owner(), self.user)
def test_perms_single(self):
perm = 'contenttypes.change_contenttype'
assign(perm, self.group1, self.obj1)
self.assertEqual(
set(get_objects_for_group(self.group1, perm)),
set(get_objects_for_group(self.group1, [perm]))
)
def test_group_remove_perm(self):
# assign perm first
assign("change_keycard", self.group, self.keycard)
remove_perm("change_keycard", self.group, self.keycard)
check = ObjectPermissionChecker(self.group)
self.assertFalse(check.has_perm("change_keycard", self.keycard))
def test_klass_as_model(self):
assign('contenttypes.change_contenttype', self.group1, self.obj1)
objects = get_objects_for_group(self.group1,
['contenttypes.change_contenttype'],
ContentType)
self.assertEqual([obj.name for obj in objects], [self.obj1.name])
def save(self, *args, **kwargs):
"""
Give the user proper permissions so django guardian can check them
"""
from guardian.shortcuts import assign
super(TeamMember, self).save(*args, **kwargs)
assign(PERMISSION_NAMES[self.permission - 1], self.user, self.team)
def test_attach_perms(self):
self.user1.groups.add(self.group1)
self.user2.groups.add(self.group2)
self.user3.groups.add(self.group3)
assign("change_contenttype", self.group1, self.obj1)
assign("change_contenttype", self.group2, self.obj1)
assign("delete_contenttype", self.group3, self.obj2)
assign("delete_contenttype", self.user2, self.obj1)
assign("change_contenttype", self.user3, self.obj2)
# Check contenttype1
result = get_users_with_perms(self.obj1, attach_perms=True)
expected = {
self.user1: ["change_contenttype"],
self.user2: ["change_contenttype", "delete_contenttype"],
}
self.assertEqual(result.keys(), expected.keys())
for key, perms in result.iteritems():
self.assertEqual(set(perms), set(expected[key]))
# Check contenttype2
result = get_users_with_perms(self.obj2, attach_perms=True)
expected = {
self.user3: ["change_contenttype", "delete_contenttype"],
}
self.assertEqual(result.keys(), expected.keys())
for key, perms in result.iteritems():
self.assertEqual(set(perms), set(expected[key]))
def test_klass_as_model(self):
assign('contenttypes.change_contenttype', self.user, self.ctype)
objects = get_objects_for_user(self.user,
['contenttypes.change_contenttype'],
ContentType)
self.assertEqual([obj.name for obj in objects], [self.ctype.name])
def test_group_remove_perm(self):
# assign perm first
assign("change_contenttype", self.group, self.ctype)
remove_perm("change_contenttype", self.group, self.ctype)
check = ObjectPermissionChecker(self.group)
self.assertFalse(check.has_perm("change_contenttype", self.ctype))
def test_author_only_set_once(self):
path = reverse('publicweb_decision_create',
args=[self.bettysorg.slug, Decision.PROPOSAL_STATUS])
post_dict = {
'status': Decision.PROPOSAL_STATUS,
'description': 'Lorem Ipsum'
}
response = self.client.post(path, post_dict)
self.assertRedirects(
response,
reverse('publicweb_item_list',
args=[self.bettysorg.slug, 'proposal']))
decision = Decision.objects.get(description='Lorem Ipsum')
self.assertEqual(decision.author, self.user)
self.user = self.login('charlie')
#allow charlie to edit
assign('edit_decisions_feedback', self.user, self.bettysorg)
path = reverse('publicweb_decision_update', args=[decision.id])
post_dict = {
'status': Decision.PROPOSAL_STATUS,
'description': 'ullamcorper nunc'
}
response = self.client.post(path, post_dict)
self.assertRedirects(
response,
reverse('publicweb_item_list',
args=[self.bettysorg.slug, 'proposal']))
decision = Decision.objects.get(description='ullamcorper nunc')
self.assertNotEqual(decision.author, self.user)
def test_with_perm_get_survey_by_uuid(self):
self._create_user_and_login('alice', 'alice')
assign('view_xform', self.user, self.xform)
response = self.client.get(self.url)
self.assertEquals(response.status_code, 302)
self.assertEquals(self.base_url + self.survey_url,
response['Location'])
def check_permissions(self):
"""
Checks that all permissions are set correctly for the users.
:return: A set of users whose permissions was wrong.
"""
changed_users = set()
for user in User.objects.all():
if not user.username == 'AnonymousUser':
all_permissions = get_perms(
user, user.get_profile()) + get_perms(user, user)
for model, perms in PERMISSIONS.items():
if model == 'profile':
perm_object = user.get_profile()
else:
perm_object = user
for perm in perms:
if perm not in all_permissions:
assign(perm, user, perm_object)
changed_users.add(user)
return changed_users
def test_group_assing(self):
assign("change_contenttype", self.group, self.ctype)
assign("delete_contenttype", self.group, self.ctype)
check = ObjectPermissionChecker(self.group)
self.assertTrue(check.has_perm("change_contenttype", self.ctype))
self.assertTrue(check.has_perm("delete_contenttype", self.ctype))
def test_emails_contain_extra_header_info(self):
users_orgs = Organization.active.get_for_user(self.user)
self.assertGreaterEqual(len(users_orgs), 2)
decision = self.make_decision(organization=users_orgs[0])
outbox = getattr(mail, 'outbox')
self.assertTrue(outbox)
self.assertTrue(outbox[0].extra_headers)
self.assertEqual(outbox[0].extra_headers['Message-ID'], decision.get_message_id())
mail.outbox = []
decision = self.update_decision_through_browser(decision.id)
outbox = getattr(mail, 'outbox')
self.assertTrue(outbox)
self.assertTrue(outbox[0].extra_headers)
self.assertEqual(outbox[0].extra_headers['Message-ID'], decision.get_message_id())
mail.outbox = []
feedback = self.create_feedback_through_browser(decision.id)
outbox = getattr(mail, 'outbox')
self.assertTrue(outbox)
self.assertTrue(outbox[0].extra_headers)
self.assertEqual(outbox[0].extra_headers['Message-ID'], feedback.get_message_id())
self.assertEqual(outbox[0].extra_headers['In-Reply-To'], feedback.decision.get_message_id())
mail.outbox = []
self.login('charlie')
assign('edit_decisions_feedback', self.user, self.bettysorg)
feedback = self.update_feedback_through_browser(feedback.id)
outbox = getattr(mail, 'outbox')
self.assertTrue(outbox)
self.assertTrue(outbox[0].extra_headers)
self.assertEqual(outbox[0].extra_headers['Message-ID'], feedback.get_message_id())
self.assertEqual(outbox[0].extra_headers['In-Reply-To'], feedback.decision.get_message_id())
def save(self, commit=True):
self.instance = super(CustomOrganizationUserAddForm, self).save(commit=commit)
if self.cleaned_data['is_editor']:
assign('edit_decisions_feedback', self.instance.user, self.instance.organization)
else:
remove_perm('edit_decisions_feedback', self.instance.user, self.instance.organization)
return self.instance
def test_without_group_users_no_result(self):
self.user1.groups.add(self.group1)
assign("change_contenttype", self.group1, self.obj1)
result = get_users_with_perms(self.obj1, attach_perms=True,
with_group_users=False)
expected = {}
self.assertEqual(result, expected)
def test_clean_perms(self):
# assign obj perms
target_perms = {
self.target_user1: ["change_user"],
self.target_group1: ["delete_group"],
self.target_obj1: ["change_contenttype", "delete_contenttype"],
self.target_obj2: ["change_contenttype"],
}
obj_perms_count = sum([len(val) for key, val in target_perms.items()])
for target, perms in target_perms.items():
target.__old_pk = target.pk # Store pkeys
for perm in perms:
assign(perm, self.user, target)
# Remove targets
for target, perms in target_perms.items():
target.delete()
# Clean orphans
removed = clean_orphan_obj_perms()
self.assertEqual(removed, obj_perms_count)
# Recreate targets and check if user has no permissions
for target, perms in target_perms.items():
target.pk = target.__old_pk
target.save()
for perm in perms:
self.assertFalse(self.user.has_perm(perm, target))
def test_image_operations_as_authorised_users(self):
# create a campaign & deployment that ONLY bill can see
bills_campaign = mommy.make_one("catamidb.Campaign", id=3, short_name="cp__1")
bills_deployment = mommy.make_recipe("catamidb.Deployment3", id=3, campaign=bills_campaign)
bills_image = mommy.make_recipe("catamidb.Image3", id=3, deployment=bills_deployment)
assign("view_campaign", self.user_bill, bills_campaign)
# check that bill can see via the API
response = self.bill_api_client.get(self.image_url, format="json")
self.assertValidJSONResponse(response)
self.assertEqual(len(self.deserialize(response)["objects"]), 3)
# check that bill can get to the object itself
response = self.bill_api_client.get(self.image_url + "3/", format="json")
self.assertValidJSONResponse(response)
# check that bob can not see - now we know tastypie API has correct
# permission validation
response = self.bob_api_client.get(self.image_url, format="json")
self.assertValidJSONResponse(response)
self.assertEqual(len(self.deserialize(response)["objects"]), 2)
# check bob can NOT get to the hidden object
response = self.bob_api_client.get(self.image_url + "3/", format="json")
self.assertHttpUnauthorized(response)
# check that anonymous can see public ones as well
response = self.anon_api_client.get(self.image_url, format="json")
self.assertValidJSONResponse(response)
self.assertEqual(len(self.deserialize(response)["objects"]), 2)
# check anonymous can NOT get to the hidden object
response = self.anon_api_client.get(self.image_url + "3/", format="json")
self.assertHttpUnauthorized(response)
def test_clean_perms_command(self):
"""
Same test as the one above but rather function directly, we call
management command instead.
"""
# assign obj perms
target_perms = {
self.target_user1: ["change_user"],
self.target_group1: ["delete_group"],
self.target_obj1: ["change_contenttype", "delete_contenttype"],
self.target_obj2: ["change_contenttype"],
}
for target, perms in target_perms.items():
target.__old_pk = target.pk # Store pkeys
for perm in perms:
assign(perm, self.user, target)
# Remove targets
for target, perms in target_perms.items():
target.delete()
# Clean orphans
call_command("clean_orphan_obj_perms", verbosity=0)
# Recreate targets and check if user has no permissions
for target, perms in target_perms.items():
target.pk = target.__old_pk
target.save()
for perm in perms:
self.assertFalse(self.user.has_perm(perm, target))
def test_disallow_map_if_user_permission_revoked(self):
self._create_user_and_login('alice')
assign('change_xform', self.user, self.xform)
response = self.client.get(self.url)
remove_perm('change_xform', self.user, self.xform)
response = self.client.get(self.url)
self.assertEqual(response.status_code, 403)
def save(self, *args, **kw):
#TODO: abort save if sent
if self.pk is not None:
orig = Request.objects.get(pk=self.pk)
if orig.private != self.private:
logger.info("request %s privacy changed to=%s from=%s" % (self.slug, self.private, orig.private))
group, g_created = Group.objects.get_or_create(name='public')
if self.private == True:
remove_perm(Request.get_permission_name('view'), group, self)
logger.info('request %s permissions changed: removed from public' % (self.slug))
else:
assign(Request.get_permission_name('view'), group, self)
logger.info('request %s permissions changed: added to public' % (self.slug))
if self.contacts is not None and self.contacts.count() > 0 and self.contacts.all()[0].get_related_agencies().count() > 0:
self.agency = self.contacts.all()[0].get_related_agencies()[0]
self.government = self.agency.government
else:
self.agency = None
self.government = None
else:
self.status = 'I'
#code = "LOOKUP:" + User.objects.make_random_password(length=64)
code = '2016' + '_payroll_' + self.agency.name.replace(' ','')
#while Request.objects.filter(thread_lookup=code):
# code = User.objects.make_random_password(length=64)
self.thread_lookup = code
super(Request, self).save(*args, **kw)
def assign_permission(new_groups, objects, perm):
groups = Group.objects.all()
for obj in objects:
for group in groups:
remove_perm(perm, group, obj)
for new_group in new_groups:
assign(perm, new_group, obj)
def add_change_profile_perm(sender, instance, created, raw, using, **kwargs):
""" Adds 'change_profile' permission to created user objects """
if created:
try:
assign('change_profile', instance, instance.get_profile())
except:
pass # Anonymous user
def test_get_nodeset_list_for_given_study_and_assay(self):
'''Test retrieving a list of NodeSets for given study and assay.
'''
nodeset1 = NodeSet.objects.create(name='ns1',
study=self.study,
assay=self.assay,
node_count=1,
is_implicit=True,
solr_query=simplejson.dumps(
self.query))
assign("read_%s" % nodeset1._meta.module_name, self.user, nodeset1)
nodeset2 = NodeSet.objects.create(name='ns2',
study=self.study2,
assay=self.assay2,
node_count=1,
is_implicit=True,
solr_query=simplejson.dumps(
self.query))
assign("read_%s" % nodeset2._meta.module_name, self.user2, nodeset2)
response = self.api_client.get(self.nodeset_uri,
format='json',
authentication=self.get_credentials(),
data={
'study__uuid': self.study.uuid,
'assay__uuid': self.assay.uuid
})
self.assertValidJSONResponse(response)
data = self.deserialize(response)['objects']
self.assertEqual(len(data), 1)
self.assertEqual(data[0]['name'], nodeset1.name)
def test_inactive_user_blocked(self):
t = Thing(name='Test thing')
t.save()
self.user.is_active = False
self.user.save()
assign('change_thing', self.user, t)
self.assertFalse(self.user.has_perm('tests.change_thing', t))
def test_group_remove_perm(self):
# assign perm first
assign("change_flatpage", self.group, self.flatpage)
remove_perm("change_flatpage", self.group, self.flatpage)
check = ObjectPermissionChecker(self.group)
self.assertFalse(check.has_perm("change_flatpage", self.flatpage))
def test_object_permissions_win_over_group(self):
t = Thing(name='Test thing')
t.save()
perm = Permission.objects.get(codename="add_thing")
self.group.permissions.add(perm)
perm = Permission.objects.get(codename="change_thing")
self.group.permissions.add(perm)
perm = Permission.objects.get(codename="delete_thing")
self.group.permissions.add(perm)
self.user.save()
self.assertTrue(self.user.has_perm('tests.change_thing'))
self.assertTrue(self.user.has_perm('tests.add_thing'))
self.assertTrue(self.user.has_perm('tests.delete_thing'))
self.assertTrue(self.user.has_perm('tests.change_thing', t))
self.assertTrue(self.user.has_perm('tests.add_thing', t))
self.assertTrue(self.user.has_perm('tests.delete_thing', t))
assign('change_thing', self.group, t) # per-object permission
self.assertTrue(self.user.has_perm('tests.change_thing', t))
self.assertFalse(self.user.has_perm('tests.add_thing', t))
self.assertFalse(self.user.has_perm('tests.delete_thing', t))
def reqedit(request, reqid=None):
'''
controller for individual numerical requirement edit page
'''
req = get_object_or_404(NumericalRequirement, pk=reqid)
# get my urls
urls = {}
urls = getsiteurls(urls)
urls = getexpurls(urls)
if request.method == 'POST':
cancel = request.POST.get('cancel', None)
if cancel:
urls['reqview']=reverse('pimms.apps.exp.views.reqview', args=(req.id, ))
return HttpResponseRedirect(urls['reqview'])
else:
reqform = RequirementForm(request.POST, instance=req)
if reqform.is_valid():
req = reqform.save(commit=False)
req.author = request.user
req.save()
# assign permissions to access this requirement
assign('manage_req', request.user, req)
return HttpResponseRedirect(urls['reqlist']) # Redirect after POST
else:
return render_to_response('exp/reqedit.html', {'reqform': reqform, 'urls':urls}, context_instance=RequestContext(request))
else:
reqform = RequirementForm(instance=req) # An unbound form
return render_to_response('exp/reqedit.html', {'reqform': reqform, 'urls':urls},
context_instance=RequestContext(request))
def assign_user_to_page(page, user, can_add=False, can_change=False,
can_delete=False, can_change_advanced_settings=False,
can_publish=False, can_change_permissions=False,
can_view=False, grant_all=False, global_permission=False):
"""
Assigns given user to page, and gives him requested permissions.
See docs/extending_poser/api_reference.rst for more info
"""
if grant_all and not global_permission:
# shortcut to grant all permissions
return assign_user_to_page(page, user, True, True, True, True,
True, True, True)
data = {
'add_page': can_add,
'change_page': can_change,
'delete_page': can_delete,
'change_advanced_settings_page': can_change_advanced_settings,
'publish_page': can_publish,
'change_permissions_page': can_change_permissions,
'view_page': can_view,
}
for perm in data.iterkeys():
if data[perm] is False:
continue
assign(perm, user, page)
def save(self, commit=True):
"""
Saves granted permissions and removes those switched off.
"""
member, project = self.membership.member, self.membership.project
granted_perms = self.cleaned_data['permissions']
logging.info("Granted perms: %s" % granted_perms)
member_perms = get_perms(member, project)
# Grant permissions
for perm in granted_perms:
if perm not in member_perms:
assign(perm, member, project)
self._message('info', _("Permission added: %s" % perm))
# Remove permissions
for perm in member_perms:
if perm not in granted_perms:
remove_perm(perm, member, project)
# notify user if perm is still granted by member's groups
groups_with_perm = member.groups.filter(
groupobjectpermission__permission__codename=perm)
if groups_with_perm:
messages.warning(self.request, _("Permission %(perm)s is "
"still granted for %(user)s as following group(s) "
"has/have it: %(groups)s" % {
'perm': perm,
'user': member,
'groups': ', '.join(
(str(group) for group in groups_with_perm)
)
}))
self._message('warning', _("Permission removed: %s" % perm))
def set_perm(request, username, id_string):
xform = get_object_or_404(XForm,
user__username=username, id_string=id_string)
try:
perm_type = request.POST['perm_type']
for_user = request.POST['for_user']
except KeyError:
return HttpResponseBadRequest()
if perm_type in ['edit', 'view', 'remove']:
user = User.objects.get(username=for_user)
if perm_type == 'edit':
assign('change_xform', user, xform)
elif perm_type == 'view':
assign('view_xform', user, xform)
elif perm_type == 'remove':
remove_perm('change_xform', user, xform)
remove_perm('view_xform', user, xform)
elif perm_type == 'link':
if for_user == 'all':
MetaData.public_link(xform, True)
elif for_user == 'none':
MetaData.public_link(xform, False)
elif for_user == 'toggle':
current = MetaData.public_link(xform)
MetaData.public_link(xform, not current)
return HttpResponseRedirect(reverse(show, kwargs={
'username': username,
'id_string': id_string
}))
def save(self, commit=True):
self.instance = super(CustomOrganizationUserAddForm, self).save(commit=commit)
if self.cleaned_data["is_editor"]:
assign("edit_decisions_feedback", self.instance.user, self.instance.organization)
else:
remove_perm("edit_decisions_feedback", self.instance.user, self.instance.organization)
return self.instance
def assign_forum_permissions(request, id, gid):
if not request.user.is_superuser:
return HttpResponseForbidden()
obj = get_object_or_404(Forum, id=id)
group = get_object_or_404(Group, id=gid)
obj_permissions = get_perms_for_model(Forum).exclude(
codename__in=['add_forum', 'can_views_forums'])
ctype = ContentType.objects.get_for_model(obj)
perms = []
for group_perm in GroupObjectPermission.objects.filter(group=group,
content_type=ctype,
object_pk=obj.id):
perms.append(group_perm.permission)
#print perms
PermissionsForm = get_permissions_form(obj_permissions.select_related(),
initial=perms)
if request.method == 'POST':
form = PermissionsForm(request.POST)
if form.is_valid():
for perm in obj_permissions:
remove_perm(perm.codename, group, obj)
for perm in form.cleaned_data['perms']:
assign(perm.codename, group, obj)
else:
form = PermissionsForm()
return render(request, 'forum/frontend/edit_permissions.html', {
'forum': obj,
'group': group,
'form': form,
})
def test_attach_perms(self):
self.user1.groups.add(self.group1)
self.user2.groups.add(self.group2)
self.user3.groups.add(self.group3)
assign("change_contenttype", self.group1, self.obj1)
assign("change_contenttype", self.group2, self.obj1)
assign("delete_contenttype", self.group3, self.obj2)
assign("delete_contenttype", self.user2, self.obj1)
assign("change_contenttype", self.user3, self.obj2)
# Check contenttype1
result = get_users_with_perms(self.obj1, attach_perms=True)
expected = {
self.user1: ["change_contenttype"],
self.user2: ["change_contenttype", "delete_contenttype"],
}
self.assertEqual(result.keys(), expected.keys())
for key, perms in result.iteritems():
self.assertEqual(set(perms), set(expected[key]))
# Check contenttype2
result = get_users_with_perms(self.obj2, attach_perms=True)
expected = {
self.user3: ["change_contenttype", "delete_contenttype"],
}
self.assertEqual(result.keys(), expected.keys())
for key, perms in result.iteritems():
self.assertEqual(set(perms), set(expected[key]))
def auto_create_project_group(instance, created, **kwargs):
name = PROJECT_GROUP_TEMPLATE.format(instance.name)
group, created = Group.objects.get_or_create(name=name)
# TODO change this to queue up an email rather than doing it in process..
if created:
assign('view_project', group, instance)
try:
kwargs = {
'subject':
'{0}Project "{1}" Created'.format(
settings.EMAIL_SUBJECT_PREFIX, name),
'message':
'The "{0}" Project Group has been created. This is '
'a reminder to setup any permissions for the '
'associated users.'.format(name),
'from_email':
settings.NO_REPLY_EMAIL,
'recipient_list': [settings.SUPPORT_EMAIL],
}
# Since we aren't passing the fail_silently kwarg to the send_mail
# method, it will throw any errors back in our face so we catch
# them here and log them rather than letting it propogate.
send_mail(**kwargs)
except Exception:
log.exception("Error sending project group notification email")
log.info('Autocreate project group {0}'.format(group))
def test_group_assing(self):
assign("change_contenttype", self.group, self.ctype)
assign("delete_contenttype", self.group, self.ctype)
check = ObjectPermissionChecker(self.group)
self.assertTrue(check.has_perm("change_contenttype", self.ctype))
self.assertTrue(check.has_perm("delete_contenttype", self.ctype))
def test_clean_perms(self):
# assign obj perms
target_perms = {
self.target_user1: ["change_user"],
self.target_group1: ["delete_group"],
self.target_obj1: ["change_contenttype", "delete_contenttype"],
self.target_obj2: ["change_contenttype"],
}
obj_perms_count = sum([len(val) for key, val in target_perms.items()])
for target, perms in target_perms.items():
target.__old_pk = target.pk # Store pkeys
for perm in perms:
assign(perm, self.user, target)
# Remove targets
for target, perms in target_perms.items():
target.delete()
# Clean orphans
removed = clean_orphan_obj_perms()
self.assertEqual(removed, obj_perms_count)
# Recreate targets and check if user has no permissions
for target, perms in target_perms.items():
target.pk = target.__old_pk
target.save()
for perm in perms:
self.assertFalse(self.user.has_perm(perm, target))
def test_published(self):
concept = DataConcept(published=True)
concept.save()
DataConceptField(concept=concept, field=self.is_manager).save()
DataConceptField(concept=concept, field=self.salary).save()
# Published, not specific to any user
self.assertEqual([x.pk for x in DataConcept.objects.published()], [])
self.is_manager.published = True
self.is_manager.save()
self.salary.published = True
self.salary.save()
# Now published, it will appear
self.assertEqual([x.pk for x in DataConcept.objects.published()], [1])
user1 = User.objects.create_user('user1', 'user1')
# Nothing since user1 cannot view either datafield
self.assertEqual([x.pk for x in DataConcept.objects.published(user1)], [])
assign('avocado.view_datafield', user1, self.is_manager)
# Still nothing since user1 has no permission for salary
self.assertEqual([x.pk for x in DataConcept.objects.published(user1)], [])
assign('avocado.view_datafield', user1, self.salary)
# Now user1 can see the concept
self.assertEqual([x.pk for x in DataConcept.objects.published(user1)], [1])
user2 = User.objects.create_user('user2', 'user2')
# `user2` is not assigned
self.assertEqual([x.pk for x in DataConcept.objects.published(user2)], [])
def test_clean_perms_command(self):
"""
Same test as the one above but rather function directly, we call
management command instead.
"""
# assign obj perms
target_perms = {
self.target_user1: ["change_user"],
self.target_group1: ["delete_group"],
self.target_obj1: ["change_contenttype", "delete_contenttype"],
self.target_obj2: ["change_contenttype"],
}
for target, perms in target_perms.items():
target.__old_pk = target.pk # Store pkeys
for perm in perms:
assign(perm, self.user, target)
# Remove targets
for target, perms in target_perms.items():
target.delete()
# Clean orphans
call_command("clean_orphan_obj_perms", verbosity=0)
# Recreate targets and check if user has no permissions
for target, perms in target_perms.items():
target.pk = target.__old_pk
target.save()
for perm in perms:
self.assertFalse(self.user.has_perm(perm, target))
def test_group_assing(self):
assign("change_keycard", self.group, self.keycard)
assign("delete_keycard", self.group, self.keycard)
check = ObjectPermissionChecker(self.group)
self.assertTrue(check.has_perm("change_keycard", self.keycard))
self.assertTrue(check.has_perm("delete_keycard", self.keycard))
def assign_permission(new_groups, objects, perm):
groups = Group.objects.all()
for obj in objects:
for group in groups:
remove_perm(perm, group, obj)
for new_group in new_groups:
assign(perm, new_group, obj)
def test_disallow_if_user_permission_revoked(self):
self._create_user_and_login('alice')
assign('change_xform', self.user, self.xform)
response = self.client.get(self.url)
remove_perm('change_xform', self.user, self.xform)
response = self.client.get(self.url)
self.assertEqual(response.status_code, 403)
def create_profile_and_userdetail(self, user):
userDetail = UserDetail()
userDetail.user = user
userDetail.save()
userena_profile = UserenaSignup.objects.create_userena_profile(user)
# All users have an empty profile
profile_model = get_profile_model()
try:
new_profile = user.get_profile()
except profile_model.DoesNotExist:
new_profile = profile_model(user=user)
new_profile.save(using=self._db)
# Give permissions to view and change profile
for perm in ASSIGNED_PERMISSIONS['profile']:
assign(perm[0], user, new_profile)
# Give permissions to view and change itself
for perm in ASSIGNED_PERMISSIONS['user']:
assign(perm[0], user, user)
if settings.USERENA_ACTIVATION_REQUIRED:
userena_profile.send_activation_email()
return user
def add_change_profile_perm(sender, instance, created, raw, using, **kwargs):
""" Adds 'change_profile' permission to created user objects """
if created:
try:
assign('change_profile', instance, instance.get_profile())
except:
pass # Anonymous user
def test_inactive_user_blocked(self):
t = Thing(name='Test thing')
t.save()
self.user.is_active = False
self.user.save()
assign('change_thing', self.user, t)
self.assertFalse(self.user.has_perm('tests.change_thing', t))
def test_decision_create_restricted(self):
'''
Decision create should be restricted to those with the organizations editor permission
'''
#first remove the permission
remove_perm('edit_decisions_feedback', self.betty, self.bettysorg)
#assert that creating a decision gives a 403
path = reverse('publicweb_decision_create',
args=[self.bettysorg.slug, Decision.PROPOSAL_STATUS])
response = self.client.get(path)
self.assertEquals(response.status_code, 403)
#give perm
assign('edit_decisions_feedback', self.betty, self.bettysorg)
# get a 200
response = self.client.get(path)
self.assertEquals(response.status_code, 200)
# confirm 403 for different org
bettys_unauthed_org = Organization.objects.get_for_user(self.betty)[1]
path = reverse(
'publicweb_decision_create',
args=[bettys_unauthed_org.slug, Decision.PROPOSAL_STATUS])
response = self.client.get(path)
self.assertEquals(response.status_code, 403)
def test_object_permissions_win_over_group(self):
t = Thing(name='Test thing')
t.save()
perm = Permission.objects.get(codename="add_thing")
self.group.permissions.add(perm)
perm = Permission.objects.get(codename="change_thing")
self.group.permissions.add(perm)
perm = Permission.objects.get(codename="delete_thing")
self.group.permissions.add(perm)
self.user.save()
self.assertTrue(self.user.has_perm('tests.change_thing'))
self.assertTrue(self.user.has_perm('tests.add_thing'))
self.assertTrue(self.user.has_perm('tests.delete_thing'))
self.assertTrue(self.user.has_perm('tests.change_thing', t))
self.assertTrue(self.user.has_perm('tests.add_thing', t))
self.assertTrue(self.user.has_perm('tests.delete_thing', t))
assign('change_thing', self.group, t) # per-object permission
self.assertTrue(self.user.has_perm('tests.change_thing', t))
self.assertFalse(self.user.has_perm('tests.add_thing', t))
self.assertFalse(self.user.has_perm('tests.delete_thing', t))
def test_scorecard_pdf(self):
# add standard to the season
self.setUpStandardsForSeason(self.rwanda_2010)
# create a scorecard
scorecard = Scorecard.objects.create(season=self.rwanda_2010, wetmill=self.nasho,
created_by=self.admin, modified_by=self.admin)
# try to get a pdf report, remember this user haven't any permission
self.login(self.viewer)
response = self.client.get(reverse('scorecards.scorecard_pdf', args=[scorecard.id]))
# should be redirected, you don't have permission fella..
self.assertEquals(302, response.status_code)
self.client.logout()
# lets upgrade this user to be a viewer
assign('wetmills.wetmill_report_view', self.viewer)
self.login(self.viewer)
response = self.client.get(reverse('scorecards.scorecard_pdf', args=[scorecard.id]))
# it works!
self.assertEquals(200, response.status_code)
self.client.logout()
# try again with a strong dude! Admin...
self.login(self.admin)
response = self.client.get(reverse('scorecards.scorecard_pdf', args=[scorecard.id]))
# everybody! open the doors and pay respect to the admin
self.assertEquals(200, response.status_code)
def test_group_remove_perm_global(self):
# assign perm first
perm = "contenttypes.change_contenttype"
assign(perm, self.group)
remove_perm(perm, self.group)
group_perms = GroupPermissionList.objects.get(group=self.group).permission_list
self.assertFalse(perm in group_perms)
def test_get_sorted_nodeset_list(self):
'''Get a list of NodeSets with sorting params applied (e.g., order_by=name)
'''
nodeset1 = NodeSet.objects.create(name='ns1',
study=self.study,
assay=self.assay,
node_count=1,
is_implicit=True,
solr_query=simplejson.dumps(
self.query))
assign("read_%s" % nodeset1._meta.module_name, self.user, nodeset1)
nodeset2 = NodeSet.objects.create(name='ns2',
study=self.study2,
assay=self.assay2,
node_count=1,
is_implicit=True,
solr_query=simplejson.dumps(
self.query))
assign("read_%s" % nodeset2._meta.module_name, self.user, nodeset2)
response = self.api_client.get(self.nodeset_uri,
format='json',
authentication=self.get_credentials(),
data={'order_by': 'name'})
self.assertValidJSONResponse(response)
data = self.deserialize(response)['objects']
self.assertEqual(len(data), 2)
self.assertEqual(data[0]['name'], nodeset1.name)
def save(self, *args, **kwargs):
if not self.slug:
# Subdomains can't have underscores in them.
self.slug = slugify(self.name).replace('_', '-')
if self.slug == '':
raise Exception(_("Model must have slug"))
super(Project, self).save(*args, **kwargs)
for owner in self.users.all():
assign('view_project', owner, self)
# Add exceptions here for safety
try:
self.sync_supported_versions()
except Exception:
log.error('failed to sync supported versions', exc_info=True)
try:
symlink(project=self.slug)
except Exception:
log.error('failed to symlink project', exc_info=True)
try:
update_static_metadata(project_pk=self.pk)
except Exception:
log.error('failed to update static metadata', exc_info=True)
try:
branch = self.default_branch or self.vcs_repo().fallback_branch
if not self.versions.filter(slug='latest').exists():
self.versions.create(slug='latest', verbose_name='latest', machine=True, type='branch', active=True, identifier=branch)
# if not self.versions.filter(slug='stable').exists():
# self.versions.create(slug='stable', verbose_name='stable', type='branch', active=True, identifier=branch)
except Exception:
log.error('Error creating default branches', exc_info=True)
def test_get_analysis_list_for_given_dataset(self):
'''Test retrieving a list of Analysis instances for a given dataset.
'''
analysis1 = Analysis.objects.create(name='a1',
project=self.project,
data_set=self.dataset,
workflow=self.workflow)
assign("read_%s" % Analysis._meta.module_name, self.user, analysis1)
analysis2 = Analysis.objects.create(name='a2',
project=self.project,
data_set=self.dataset2,
workflow=self.workflow)
assign("read_%s" % Analysis._meta.module_name, self.user, analysis2)
analysis_uri = make_api_uri(Analysis._meta.module_name)
response = self.api_client.get(
analysis_uri,
format='json',
data={'data_set__uuid': self.dataset.uuid},
authentication=self.get_credentials())
self.assertValidJSONResponse(response)
data = self.deserialize(response)['objects']
self.assertEqual(len(data), 1)
self.assertKeys(data[0],
['uuid', 'name', 'creation_date', 'resource_uri'])
self.assertEqual(data[0]['name'], analysis1.name)
def test_user_has_access_on_model_with_metaclass(self):
"""
Test to the fix issues of comparaison made via type()
in the decorator. In the case of a `Model` implementing
a custom metaclass, the decorator fail because type
doesn't return `ModelBase`
"""
perm = "auth.change_user"
class TestMeta(ModelBase):
pass
class ProxyUser(User):
class Meta:
proxy = True
app_label = "auth"
__metaclass__ = TestMeta
joe, created = ProxyUser.objects.get_or_create(username="******")
assign(perm, self.user, obj=joe)
request = self._get_request(self.user)
@permission_required_or_403(perm, (ProxyUser, "username", "username"))
def dummy_view(request, username):
return HttpResponse("dummy_view")
response = dummy_view(request, username="******")
self.assertEqual(response.status_code, 200)
self.assertEqual(response.content, "dummy_view")
def save(self, *args, **kw):
#TODO: abort save if sent
if self.pk is not None:
orig = Request.objects.get(pk=self.pk)
if orig.private != self.private:
logger.info("request %s privacy changed to=%s from=%s" % (self.slug, self.private, orig.private))
group, g_created = Group.objects.get_or_create(name='public')
if self.private == True:
remove_perm(Request.get_permission_name('view'), group, self)
logger.info('request %s permissions changed: removed from public' % (self.slug))
else:
assign(Request.get_permission_name('view'), group, self)
logger.info('request %s permissions changed: added to public' % (self.slug))
#import pdb;pdb.set_trace()
if self.contacts is not None and self.contacts.count() > 0 and self.contacts.all()[0].get_related_agencies().count() > 0:
self.agency = self.contacts.all()[0].get_related_agencies()[0]
self.government = self.agency.government
else:
self.agency = None
self.government = None
else:
self.status = 'I'
code = "LOOKUP:" + User.objects.make_random_password(length=64)
while Request.objects.filter(thread_lookup=code):
code = User.objects.make_random_password(length=64)
self.thread_lookup = code
super(Request, self).save(*args, **kw)
def test_remove_perm(self):
assign('guardian.change_keyvalue', self.user, self.keyval)
self.assertTrue(self.user.has_perm('guardian.change_keyvalue',
self.keyval))
remove_perm('guardian.change_keyvalue', self.user, self.keyval)
self.assertFalse(self.user.has_perm('guardian.change_keyvalue',
self.keyval))
def test_group_assing(self):
assign("change_flatpage", self.group, self.flatpage)
assign("delete_flatpage", self.group, self.flatpage)
check = ObjectPermissionChecker(self.group)
self.assertTrue(check.has_perm("change_flatpage", self.flatpage))
self.assertTrue(check.has_perm("delete_flatpage", self.flatpage))
def add_collaborator_(request, pk):
data = {'valid': False}
tl = Timeline.objects.get(pk=pk)
if tl.created_by != request.user:
return render_json_response(data)
if request.method == "POST":
username = request.POST.get('username', '')
try:
user = User.objects.get(username=username)
if user.has_perm('collaborator', tl):
data['info'] = u'用户 "%s" 已经添加过' % username
return render_json_response(data)
except:
data['info'] = u'用户 "%s" 不存在' % username
return render_json_response(data)
assign('collaborator', user, tl)
return render_json_response({
'valid':
True,
'obj': {
'pk': user.pk,
'username': user.username
},
'html':
render_string(COLLABORATOR_ROW_TMPL, {'o': user})
})
return render_json_response(data)
