def test_error_when_no_access_to_meeting_dossier(self, browser):
with self.login(self.administrator):
RoleAssignmentManager(
self.committee_container).add_or_update_assignment(
SharingRoleAssignment(self.regular_user.getId(),
['Reader']))
RoleAssignmentManager(self.committee).add_or_update_assignment(
SharingRoleAssignment(self.regular_user.getId(),
['CommitteeResponsible', 'Editor']))
# Let regular_user have no access to meeting_dossier
self.meeting_dossier.__ac_local_roles_block__ = True
agenda_item = self.schedule_proposal(self.meeting,
self.submitted_proposal)
agenda_item.decide()
self.login(self.regular_user, browser)
with browser.expect_http_error(code=403):
browser.open(
self.agenda_item_url(agenda_item, 'generate_excerpt'),
data={'excerpt_title': 'Excerption \xc3\x84nderungen'})
expected_messages = {
u'messages': [{
u'messageTitle': u'Error',
u'message':
u'Insufficient privileges to add a document to the meeting dossier.',
u'messageClass': u'error',
}],
}
self.assertEquals(expected_messages, browser.json)
def test_guarded_by_modify_portal_content(self):
self.login(self.regular_user)
self.assertIn(self.transition, self.get_workflow_transitions_for(self.task))
RoleAssignmentManager(self.portal).add_or_update_assignment(
SharingRoleAssignment(self.reader_user.getId(), ['Reader']),
)
RoleAssignmentManager(self.dossier).add_or_update_assignment(
SharingRoleAssignment(self.reader_user.getId(), ['Reader']),
)
self.login(self.reader_user)
self.assertNotIn(self.transition, self.get_workflow_transitions_for(self.task))
def test_update_roles_preserves_unmanaged_roles(self):
assignments = [
SharingRoleAssignment('foo', ['Contributor', 'Administrator']),
SharingRoleAssignment('org-unit-1_users', ['Contributor'])
]
RoleAssignmentManager(self.committee).reset(assignments)
CommitteeRoles(self.committee).update(
'foo', previous_principal='org-unit-1_users')
local_roles = dict(self.committee.get_local_roles())
self.assertItemsEqual(
['Administrator', 'CommitteeResponsible', 'Contributor'],
local_roles['foo'])
self.assertItemsEqual(['Contributor'], local_roles['org-unit-1_users'])
def test_remove_role_assignments_and_updates_local_roles(self, browser):
self.login(self.administrator, browser=browser)
manager = RoleAssignmentManager(self.empty_dossier)
manager.add_or_update_assignment(
SharingRoleAssignment(
self.regular_user.id, ['Reader', 'Editor', 'Contributor']))
data = json.dumps({
"entries": [
{"id": self.regular_user.id,
"roles": {"Contributor": False,
"Editor": False,
"Reader": False,
"Reviewer": False,
"Publisher": False},
"type": "user"},
],
"inherit": True})
browser.open(self.empty_dossier, data, view='@sharing', method='POST',
headers={'Accept': 'application/json',
'Content-Type': 'application/json'})
self.assertEquals(
(('robert.ziegler', ('Owner',)),),
self.empty_dossier.get_local_roles())
self.assertEquals(
[],
RoleAssignmentManager(self.empty_dossier).storage._storage())
def test_subdossiers_the_user_cannot_view_can_also_block_deactivation(
self, browser):
with self.login(self.dossier_manager):
# Protect self.subsubdossier so it cannot be seen by an 'Editor' of self.subdossier
self.assertFalse(
getattr(self.subsubdossier, '__ac_local_roles_block__', False))
dossier_protector = IProtectDossier(self.subsubdossier)
dossier_protector.dossier_manager = self.dossier_manager.getId()
dossier_protector.reading = [self.secretariat_user.getId()]
dossier_protector.protect()
self.assertTrue(
getattr(self.subsubdossier, '__ac_local_roles_block__', False))
self.assertFalse(
api.user.has_permission('View',
user=self.regular_user,
obj=self.subsubdossier),
'This test does not actually test what it says on the tin, if self.regular_user can see self.subsubdossier.',
)
# Grant self.regular_user 'Editor' on self.subdossier so the action to deactivate is presented to the user
RoleAssignmentManager(self.subdossier).add_or_update_assignment(
SharingRoleAssignment(self.regular_user.getId(),
['Reader', 'Contributor', 'Editor']))
self.login(self.regular_user, browser)
self.deactivate(self.subdossier, browser)
expected_msgs = [
u"The Dossier 2016 contains a subdossier "
u"which can't be deactivated by the user."
]
self.assert_errors(self.subdossier, browser, expected_msgs)
def test_add_recursive_documents_and_subdossiers_local_roles(
self, browser):
self.login(self.regular_user, browser)
RoleAssignmentManager(
self.subdossiertemplate).add_or_update_assignment(
SharingRoleAssignment(self.regular_user.getId(),
['Reader', 'Contributor', 'Editor']))
browser.open(self.leaf_repofolder)
factoriesmenu.add('Dossier with template')
token = browser.css(
'input[name="form.widgets.template"]').first.attrib.get('value')
browser.fill({'form.widgets.template': token}).submit()
browser.click_on('Save')
dossier = browser.context
self.assertEqual('Bauvorhaben klein', dossier.title)
subdossier = dossier.listFolderContents()[1]
self.assertEqual(
[u'Werkst\xe4tte', u'Anfragen'],
[obj.title for obj in dossier.listFolderContents()],
"The content of the subdossiertemplate is not correct!")
expected_role_assignments = [{
'cause':
3,
'reference':
None,
'roles': ['Reader', 'Contributor', 'Editor'],
'principal':
'kathi.barfuss',
}]
role_assignments = RoleAssignmentManager(subdossier).storage._storage()
self.assertEqual(expected_role_assignments, role_assignments)
def test_update_localroles_if_user_has_changed_protection_fields(
self, browser):
self.login(self.dossier_manager, browser)
browser.open(self.leaf_repofolder)
factoriesmenu.add(u'Business Case Dossier')
browser.fill({'Title': 'My Dossier'})
form = browser.find_form_by_field('Reading')
form.find_widget('Reading and writing').fill(self.regular_user.getId())
browser.click_on('Save')
new_dossier = browser.context
RoleAssignmentManager(new_dossier).add_or_update_assignment(
SharingRoleAssignment('projekt_a', ['Contributor']))
self.assert_local_roles(
IProtectDossier(new_dossier).READING_AND_WRITING_ROLES,
self.regular_user.getId(), new_dossier)
self.assert_local_roles(['Contributor'], 'projekt_a', new_dossier)
browser.open(new_dossier, view="@@edit")
browser.fill({'Title': 'My new Dossier'})
form = browser.find_form_by_field('Reading')
form.find_widget('Reading and writing').fill([])
form.find_widget('Reading').fill([self.regular_user.getId()])
browser.click_on('Save')
self.assert_local_roles(
IProtectDossier(new_dossier).READING_ROLES,
self.regular_user.getId(), new_dossier)
self.assert_local_roles([], 'projekt_a', new_dossier)
def assign_owner_role_on_creation(workspace, event):
"""The creator of the workspace should have the WorkspaceOwner role,
so that the she / he can access the workspace.
"""
owner_userid = workspace.Creator()
assignment = SharingRoleAssignment(owner_userid, ['WorkspaceOwner'])
RoleAssignmentManager(workspace).add_or_update_assignment(assignment)
def create_org_unit_inbox(self):
container = create(Builder('inbox_container').titled(u'Inboxes'))
RoleAssignmentManager(container).add_or_update_assignment(
SharingRoleAssignment(self.regular_user.getId(),
['Reader', 'Contributor', 'Editor']))
return create(
Builder('inbox').titled(u'Inbox').within(container).having(
responsible_org_unit='fa'))
def test_user_has_permission_if_dossier_manager_on_repo(self):
self.login(self.regular_user)
RoleAssignmentManager(self.leaf_repofolder).add_or_update_assignment(
SharingRoleAssignment(self.regular_user.getId(),
['DossierManager']))
self.assertTrue(
api.user.has_permission('opengever.dossier: Protect dossier',
obj=self.dossier))
def test_reader_of_parent_can_still_view_closed_task(self, browser):
with self.login(self.regular_user):
RoleAssignmentManager(self.portal).add_or_update_assignment(
SharingRoleAssignment(self.reader_user.getId(), ['Reader']), )
RoleAssignmentManager(self.dossier).add_or_update_assignment(
SharingRoleAssignment(self.reader_user.getId(), ['Reader']), )
self.login(self.reader_user, browser)
browser.open(self.task, view='tabbedview_view-overview')
expected_actions = []
self.assertEqual(expected_actions, browser.css('#action-menu a').text)
with self.login(self.dossier_responsible, browser=browser):
self.set_workflow_state('task-state-tested-and-closed',
self.subtask)
self.set_workflow_state('task-state-resolved', self.task)
browser.open(self.task, view='tabbedview_view-overview')
expected_actions = []
self.assertEqual(expected_actions, browser.css('#action-menu a').text)
def grant(self, *roles, **kwargs):
user_id = kwargs.get('user_id', TEST_USER_ID)
context = kwargs.get('on', None)
if context is None:
setRoles(self.portal, user_id, list(roles))
else:
RoleAssignmentManager(context).add_or_update_assignment(
SharingRoleAssignment(user_id, list(roles)))
transaction.commit()
def test_check_protect_dossier_consistency_returns_no_messages_if_no_inconsistency(
self):
self.login(self.dossier_manager)
RoleAssignmentManager(self.empty_dossier).add_or_update_assignment(
SharingRoleAssignment(self.dossier_responsible.id, ['Reader']))
RoleAssignmentManager(self.empty_dossier).add_or_update_assignment(
SharingRoleAssignment(self.dossier_responsible.id, [
'Reader', 'Editor', 'Contributor', 'Reviewer', 'Publisher',
'DossierManager', 'Owner'
]))
dossier_protector = IProtectDossier(self.empty_dossier)
dossier_protector.dossier_manager = self.dossier_manager.getId()
dossier_protector.reading = [self.dossier_responsible.id]
dossier_protector.protect()
view = getMultiAdapter((self.empty_dossier, self.request),
name="check_protect_dossier_consistency")
self.assertIsNone(json.loads(view()).get('messages'))
def test_responsible_can_edit_related_documents_that_are_inside_a_task(
self, browser):
self.login(self.administrator, browser=browser)
api.content.disable_roles_acquisition(obj=self.dossier)
RoleAssignmentManager(self.dossier).add_or_update_assignment(
SharingRoleAssignment(self.administrator.getId(),
['Reader', 'Contributor', 'Editor']))
self.task.responsible = self.secretariat_user.id
notify(ObjectModifiedEvent(self.task))
self.login(self.secretariat_user, browser=browser)
browser.open(self.taskdocument, view='edit')
def test_check_protect_dossier_consistency_returns_error_msg_if_inconsistent(
self):
self.login(self.dossier_manager)
dossier_protector = IProtectDossier(self.dossier)
dossier_protector.reading = [self.regular_user.getId()]
dossier_protector.protect()
RoleAssignmentManager(self.dossier).add_or_update_assignment(
SharingRoleAssignment(self.regular_user.getId(),
['DossierManager']))
view = getMultiAdapter((self.dossier, self.request),
name="check_protect_dossier_consistency")
self.assertEqual(1, len(json.loads(view()).get('messages')))
def test_upload_box_is_also_shown_in_a_resolved_task(self, browser):
self.login(self.regular_user, browser)
self.set_workflow_state('task-state-tested-and-closed', self.task)
RoleAssignmentManager(self.dossier).add_or_update_assignment(
SharingRoleAssignment('kathi.barfuss',
['Reader', 'Contributor', 'Editor']))
manager = queryMultiAdapter((self.taskdocument, self.request),
ICheckinCheckoutManager)
manager.checkout()
browser.open(self.taskdocument)
self.assertGreater(len(browser.css('#uploadbox')), 0,
'Uploadbox is not displayed, but should.')
def _update_role_settings(self, new_settings, reindex=True):
"""Replaced because we need our own permission manager stuff.
"""
assignments = []
principals_to_clear = []
for s in new_settings:
principal = s['id']
selected_roles = frozenset(s['roles'])
if not selected_roles:
principals_to_clear.append(principal)
continue
assignments.append(SharingRoleAssignment(principal,
selected_roles))
manager = RoleAssignmentManager(self.context)
if assignments:
manager.reset(assignments)
else:
manager.clear_by_cause_and_principals(ASSIGNMENT_VIA_SHARING,
principals_to_clear)
def setUp(self):
super(TestMyInvitationsView, self).setUp()
self.login(self.workspace_admin)
self.storage = getUtility(IInvitationStorage)
self.workspace2 = create(Builder('workspace')
.within(self.workspace_root)
.titled(u'Second workspace'))
self.storage.add_invitation(
self.workspace, self.regular_user.getId(),
self.workspace_admin.getId(), 'WorkspaceGuest')
self.storage.add_invitation(
self.workspace2, self.regular_user.getId(),
self.workspace_admin.getId(), 'WorkspaceGuest')
self.storage.add_invitation(
self.workspace2, self.workspace_guest.getId(),
self.workspace_admin.getId(), 'WorkspaceGuest')
RoleAssignmentManager(self.workspace_root).add_or_update_assignment(
SharingRoleAssignment(self.regular_user.getId(),
['WorkspacesUser']))
def test_sharing_view_extends_information(self, browser):
self.login(self.administrator, browser=browser)
manager = RoleAssignmentManager(self.empty_dossier)
manager.add_or_update_assignment(
TaskRoleAssignment(
self.regular_user.id, ['Contributor'], self.task))
manager.add_or_update_assignment(
SharingRoleAssignment(
self.regular_user.id, ['Reader', 'Editor', 'Contributor']))
browser.open(self.empty_dossier, view='@sharing',
method='Get', headers={'Accept': 'application/json'})
entries = browser.json['entries']
self.assertEquals(
{u'automatic_roles': {u'Contributor': True,
u'Editor': False,
u'Publisher': False,
u'Reader': False,
u'Reviewer': False},
u'computed_roles': {u'Contributor': True,
u'Editor': True,
u'Publisher': False,
u'Reader': True,
u'Reviewer': False},
u'disabled': False,
u'id': u'kathi.barfuss',
u'login': u'kathi.barfuss',
u'roles': {u'Contributor': True,
u'Editor': True,
u'Publisher': False,
u'Reader': True,
u'Reviewer': False},
u'title': u'B\xe4rfuss K\xe4thi',
u'type': u'user',
u'url': u'http://nohost/plone/@@user-details-plain/kathi.barfuss'},
[item for item in entries if item['id'] == self.regular_user.id][0])
def __iter__(self):
for item in self.previous:
pathkey = self.pathkey(*item.keys())[0]
roleskey = self.roleskey(*item.keys())[0]
if not pathkey or not roleskey or \
roleskey not in item: # not enough info
yield item
continue
obj = self.context.unrestrictedTraverse(item[pathkey].lstrip('/'),
None)
if obj is None: # path doesn't exist
yield item
continue
if IRoleManager.providedBy(obj):
for principal, roles in item[roleskey].items():
if roles:
RoleAssignmentManager(obj).add_or_update_assignment(
SharingRoleAssignment(principal, roles))
yield item
def _assign_roles_to_development_users_group(self, roles, obj):
assignment = SharingRoleAssignment(DEVELOPMENT_USERS_GROUP, roles)
RoleAssignmentManager(obj).add_or_update_assignment(assignment)
def update_inherit(self, status=True, reindex=True):
"""Method Wrapper for the super method, to allow notify a
corresponding event. Needed for adding a Journalentry after a
change of the inheritance
"""
user = api.user.get_current()
is_administrator = user.has_role('Administrator') or user.has_role(
'Manager')
# Modifying local roles needs the "Sharing page: Delegate roles"
# permission as well as "Modify portal content". However, we don't
# want to give the "Role Manager" Role "Modify portal content",
# so we circumvent the permission check here by temporarily assuming
# the owner's roles. [lgraf]
context = self.context
portal_membership = getToolByName(context, 'portal_membership')
block = not status
oldblock = bool(
getattr(aq_base(context), '__ac_local_roles_block__', False))
if block == oldblock:
return False
# store the real user
user = portal_membership.getAuthenticatedMember()
# assume the manger user security context
old_sm = getSecurityManager()
owner = getToolByName(
context, 'portal_url').getPortalObject().getWrappedOwner()
newSecurityManager(self.context, owner)
if block and not is_administrator:
# If user has inherited local roles and removes inheritance,
# locally set roles he inherited before
# to avoid definitive lose of access (refs #11945)
# For administrators and managers we skip those fallback, because
# the access for those users is ensured by the global roles. So we
# can avoid local_roles assigned to a specific users, which we say
# should not be used usually.
context_roles = user.getRolesInContext(context)
global_roles = user.getRoles()
local_roles = [r for r in context_roles if r not in global_roles]
if local_roles:
assignment = SharingRoleAssignment(user.getId(), local_roles)
RoleAssignmentManager(
self.context).add_or_update_assignment(assignment)
context.__ac_local_roles_block__ = True if block else None
# Restore the old security manager
setSecurityManager(old_sm)
if reindex:
context.reindexObjectSecurity()
if not block:
notify(LocalRolesAcquisitionActivated(self.context))
else:
notify(LocalRolesAcquisitionBlocked(self.context))
return True
def create_single_inbox(self):
inbox = create(Builder('inbox').titled(u'Inbox'))
RoleAssignmentManager(inbox).add_or_update_assignment(
SharingRoleAssignment(self.regular_user.getId(),
['Reader', 'Contributor', 'Editor']))
return inbox
