def test_permission_policy_generators(app, anyuser_identity,
authenticated_identity,
superuser_identity,
system_process_identity):
"""Test permission policies with given Identities."""
policy = TestRDMPermissionPolicy
# TODO: add to fixture
rest_record = RDMRecord.create({}, access={}, parent=RDMParent.create({}))
rest_record.access.protection.set("restricted", "restricted")
rest_record.parent.access.owners.add({'user': 1})
# TODO: add to fixture
pub_record = RDMRecord.create({}, access={}, parent=RDMParent.create({}))
pub_record.access.protection.set("public", "public")
pub_record.parent.access.owners.add({'user': 21})
assert policy(action='search').allows(anyuser_identity)
assert policy(action='search').allows(system_process_identity)
assert policy(action='create').allows(authenticated_identity)
assert policy(action='create').allows(system_process_identity)
assert isinstance(policy(action='update').generators[0], Disable)
assert isinstance(policy(action='delete').generators[0], Disable)
assert policy(action='read').generators[0].needs(record=rest_record) == {
UserNeed(1)
}
assert policy(action='read').generators[0].needs(record=pub_record) == {
system_process, any_user
}
assert policy(action='read_files').generators[0].needs(
record=rest_record) == {UserNeed(1)}
assert isinstance(policy(action='update_files').generators[0], Disable)
assert policy(action='read_draft').generators[0].needs(
record=rest_record) == [UserNeed(1)]
assert policy(action='update_draft').generators[0].needs(
record=rest_record) == [UserNeed(1)]
assert policy(action='delete_draft').generators[0].needs(
record=rest_record) == [UserNeed(1)]
assert policy(action='read_draft_files').generators[0].needs(
record=rest_record) == [UserNeed(1)]
assert policy(action='read_update_files').generators[0].needs(
record=rest_record) == [UserNeed(1)]
assert policy(action='publish').generators[0].needs(
record=rest_record) == [UserNeed(1)]
assert policy(action='manage').generators[0].needs(record=rest_record) == [
UserNeed(1)
]
def test_grant_tokens_dumper(app, db, minimal_record, location):
"""Test grant token dumper extension implementation."""
dumper = ElasticsearchDumper(
extensions=[GrantTokensDumperExt("access.grant_tokens")])
data = {
"access": {
"grants": [
{
"subject": "user",
"id": "1",
"level": "view"
},
{
"subject": "user",
"id": "2",
"level": "manage"
},
]
}
}
# Create the parent record
parent = RDMParent.create(data)
parent.commit()
db.session.commit()
grant1 = parent.access.grants[0]
grant2 = parent.access.grants[1]
# Dump it
dump = parent.dumps(dumper=dumper)
assert len(dump["access"]["grant_tokens"]) == 2
assert grant1.to_token() in dump["access"]["grant_tokens"]
assert grant2.to_token() in dump["access"]["grant_tokens"]
# Load it
new_record = RDMParent.loads(dump, loader=dumper)
assert "grant_tokens" not in new_record["access"]
assert "grant_tokens" not in new_record["access"]
def _owned_record():
data = {
"access": {
"owned_by": [
{"user": 16},
{"user": 17},
]
}
}
record = RDMRecord.create({}, access={})
record.parent = RDMParent(data)
return record
def _owned_record():
parent = RDMParent.create({})
parent.access.owners.add({"user": 16})
parent.access.owners.add({"user": 17})
record = RDMRecord.create({}, parent=parent)
return record