def revoke_permission(self, username, action):
# DefaultPermissionPolicy will cache permissions for 5 seconds so we
# need to reset the cache
DefaultPermissionPolicy(self.env).permission_cache = {}
PermissionSystem(self.env).revoke_permission(username, action)
assert action not in PermissionSystem(
self.env).get_user_permissions(username)
def setUp(self):
self.env = EnvironmentStub(enable=['trac.*', 'bitten.*'])
self.env.path = tempfile.mkdtemp()
# Create tables
db = self.env.get_db_cnx()
cursor = db.cursor()
connector, _ = DatabaseManager(self.env)._get_connector()
for table in schema:
for stmt in connector.to_sql(table):
cursor.execute(stmt)
# Set up permissions
self.env.config.set('trac', 'permission_store',
'DefaultPermissionStore')
PermissionSystem(self.env).grant_permission('joe', 'BUILD_CREATE')
PermissionSystem(self.env).grant_permission('joe', 'BUILD_DELETE')
PermissionSystem(self.env).grant_permission('joe', 'BUILD_MODIFY')
if DefaultPermissionPolicy is not None and hasattr(
DefaultPermissionPolicy, "CACHE_EXPIRY"):
self.old_perm_cache_expiry = DefaultPermissionPolicy.CACHE_EXPIRY
DefaultPermissionPolicy.CACHE_EXPIRY = -1
# Hook up a dummy repository
self.repos = Mock(get_node=lambda path, rev=None: Mock(
get_history=lambda: [], isdir=True),
normalize_path=lambda path: path,
sync=lambda: None)
self.env.get_repository = lambda authname=None: self.repos
def runTest(self):
"""Test for regression of http://trac.edgewall.org/ticket/11069
The permissions list should only be populated with permissions that
the user can grant."""
self._tester.go_to_front()
self._tester.logout()
self._tester.login('user')
self._testenv.grant_perm('user', 'PERMISSION_GRANT')
env = self._testenv.get_trac_environment()
from trac.perm import PermissionSystem
user_perms = PermissionSystem(env).get_user_permissions('user')
all_actions = PermissionSystem(env).get_actions()
try:
self._tester.go_to_admin("Permissions")
for action in all_actions:
option = r"<option>%s</option>" % action
if action in user_perms and user_perms[action] is True:
tc.find(option)
else:
tc.notfind(option)
finally:
self._testenv.revoke_perm('user', 'PERMISSION_GRANT')
self._tester.go_to_front()
self._tester.logout()
self._tester.login('admin')
def get_permission_actions(self):
def expand_action(action):
actions = set([])
if isinstance(action, list):
for a in action:
actions = actions | expand_action(a)
return actions
elif isinstance(action, tuple):
actions.add(action[0])
actions = actions | expand_action(action[1])
return actions
else:
return set([action])
try:
if self.recursing: return []
except:
pass
actions = ['NONE', 'INHERIT']
#Work only in master project
if self.env != get_master_env(self.env): return actions
self.recursing = True
known_actions = set(actions)
for requestor in [
r for r in PermissionSystem(self.env).requestors
if r is not self
]:
known_actions = known_actions | expand_action(
requestor.get_permission_actions())
try:
del self.recursing
except:
pass
projects = get_project_list(self.env)
for project, project_path, project_url, env in projects:
for requestor in [
r for r in PermissionSystem(env).requestors
if r is not self
]:
#if requestor == self: continue
for action in requestor.get_permission_actions():
#if action not in actions: actions.append(action)
if isinstance(action, tuple):
if action[0] not in known_actions:
actions.append(action)
known_actions.add(action[0])
else:
if action not in known_actions:
actions.append(action)
known_actions.add(action)
#Return permissions from all projects if this is master project
return list(actions)
def has_permission(self, username, action):
# DefaultPermissionPolicy will cache permissions for 5 seconds so we
# need to reset the cache
DefaultPermissionPolicy(self.env).permission_cache = {}
if AgiloTicketSystem.is_trac_1_0():
del PermissionSystem(self.env).store._all_permissions
return PermissionSystem(self.env).check_permission(action, username)
def process_admin_request(self, req, cat, page, path_info):
envs = DatamoverSystem(self.env).all_environments()
permissions = PermissionSystem(self.env).get_all_permissions()
if req.method == 'POST':
source_type = req.args.get('source')
if not source_type or source_type not in ('permission', 'all'):
raise TracError, "Source type not specified or invalid"
source = req.args.get(source_type)
dest = req.args.get('destination')
action = None
if 'copy' in req.args.keys():
action = 'copy'
elif 'move' in req.args.keys():
action = 'move'
else:
raise TracError, 'Action not specified or invalid'
action_verb = {'copy': 'Copied', 'move': 'Moved'}[action]
perm_filter = None
if source_type == 'permission':
in_permissions = [
tuple(p.split(':', 2)) for p in req.args.getlist('perm')
]
perm_filter = lambda p: p in in_permissions
elif source_type == 'all':
perm_filter = lambda p: True
try:
sel_permissions = [p for p in permissions if perm_filter(p)]
dest_env = _open_environment(dest)
for perm in sel_permissions:
# revoke first in case it's already there
# also, go directly to the store to bypass validity checks
PermissionSystem(dest_env).store.revoke_permission(
perm[0], perm[1])
PermissionSystem(dest_env).store.grant_permission(
perm[0], perm[1])
if action == 'move':
for perm in sel_permissions:
PermissionSystem(self.env).revoke_permission(
perm[0], perm[1])
req.hdf['datamover.message'] = '%s permissions %s' % (
action_verb, ', '.join(
["%s:%s" % (u, a) for u, a in sel_permissions]))
except TracError, e:
req.hdf[
'datamover.message'] = "An error has occured: \n" + str(e)
self.log.warn(req.hdf['datamover.message'], exc_info=True)
def setUp(self):
self.env = EnvironmentStub(enable=['trac.*', 'bitten.*'])
self.env.path = tempfile.mkdtemp()
# Create tables
db = self.env.get_db_cnx()
cursor = db.cursor()
connector, _ = DatabaseManager(self.env)._get_connector()
for table in schema:
for stmt in connector.to_sql(table):
cursor.execute(stmt)
# Set up permissions
self.env.config.set('trac', 'permission_store',
'DefaultPermissionStore')
PermissionSystem(self.env).grant_permission('joe', 'BUILD_CREATE')
PermissionSystem(self.env).grant_permission('joe', 'BUILD_DELETE')
PermissionSystem(self.env).grant_permission('joe', 'BUILD_MODIFY')
if DefaultPermissionPolicy is not None and hasattr(
DefaultPermissionPolicy, "CACHE_EXPIRY"):
self.old_perm_cache_expiry = DefaultPermissionPolicy.CACHE_EXPIRY
DefaultPermissionPolicy.CACHE_EXPIRY = -1
# Hook up a dummy repository
self.repos = Mock(get_node=lambda path, rev=None: Mock(
get_history=lambda: [], isdir=True),
normalize_path=lambda path: path,
sync=lambda: None,
resource=Resource('repository', None))
self.env.get_repository = lambda authname=None: self.repos # 0.11
try: # 0.12+
from trac.core import Component, implements
from trac.versioncontrol.api import IRepositoryConnector, \
IRepositoryProvider
class DummyRepos(Component):
implements(IRepositoryConnector, IRepositoryProvider)
def get_supported_types(self):
yield ('dummy', 9)
def get_repository(this, repos_type, repos_dir, params):
return self.repos # Note: 'this' vs 'self' usage
def get_repositories(self):
yield ('', {'dir': 'dummy_dir', 'type': 'dummy'})
self.dummy = DummyRepos
except ImportError:
self.dummy = None # not supported, will use get_repository()
def setUp(self):
self._mp_setup()
self.global_env = self.env
self.env = ProductEnvironment(self.global_env, self.default_product)
self.global_env.enable_component(TestRequestSpy)
self.env.enable_component(TestRequestSpy)
TestRequestSpy(self.global_env).testMatch = self._assert_product_match
PermissionSystem(self.global_env).grant_permission(
'testuser', 'PRODUCT_CREATE')
PermissionSystem(self.global_env).grant_permission(
'testuser', 'PRODUCT_VIEW')
PermissionSystem(self.global_env).grant_permission(
'testuser', 'PRODUCT_MODIFY')
def setUp(self):
self.env = EnvironmentStub(default_data=True,
enable=['trac.*', 'tractags.*'])
self.env.path = tempfile.mkdtemp()
self.perms = PermissionSystem(self.env)
setup = TagSetup(self.env)
# Current tractags schema is setup with enabled component anyway.
# Revert these changes for getting default permissions inserted.
self._revert_tractags_schema_init()
setup.upgrade_environment()
self.provider = TicketTagProvider(self.env)
self.realm = 'ticket'
self.tag_sys = TagSystem(self.env)
self.tags = ['tag1', 'tag2']
# Populate tables with initial test data.
self._create_ticket(self.tags)
# Mock an anonymous request.
self.anon_req = Mock()
self.anon_req.perm = PermissionCache(self.env)
self.req = Mock(authname='editor')
self.req.authname = 'editor'
self.req.perm = PermissionCache(self.env, username='******')
def setUp(self):
self.env = EnvironmentStub(default_data=True)
self.perm_sys = PermissionSystem(self.env)
self.ctlr = TicketSystem(self.env).action_controllers[0]
self.ticket = Ticket(self.env)
self.ticket['status'] = 'new'
self.ticket.insert()
with self.env.db_transaction as db:
for user in ('user1', 'user2', 'user3', 'user4'):
db("INSERT INTO session VALUES (%s, %s, %s)", (user, 1, 0))
permissions = [
('user1', 'TICKET_EDIT_CC'),
('user2', 'TICKET_EDIT_CC'),
('user2', 'TICKET_BATCH_MODIFY'),
('user3', 'TICKET_ADMIN'),
('user4', 'TICKET_VIEW'),
('user1', 'group1'),
('user2', 'group1'),
('user2', 'group2'),
('user3', 'group2'),
('user4', 'group3')
]
for perm in permissions:
self.perm_sys.grant_permission(*perm)
self.req = Mock(authname='user1', args={},
perm=PermissionCache(self.env, 'user0'))
self.expected = """\
def check_permission(self, action, username, resource, perm):
if resource is None or action.split('_')[0] != resource.realm.upper():
return None
from tractags.api import TagSystem
class FakeRequest(object):
def __init__(self, perm):
self.perm = perm
permission = action.lower().split('_')[1]
req = FakeRequest(perm)
tags = TagSystem(self.env).get_tags(None, resource)
# Explicitly denied?
if ':-'.join((username, permission)) in tags:
return False
# Find all granted permissions for the requesting user from
# tagged permissions by expanding any meta action as well.
if action in set(
PermissionSystem(self.env).expand_actions([
'_'.join([resource.realm, t.split(':')[1]]).upper()
for t in tags if t.split(':')[0] == username
])):
return True
def setUp(self):
self.env = EnvironmentStub(default_data=True,
enable=['trac.*', 'tractags.*'])
self.env.path = tempfile.mkdtemp()
self.perms = PermissionSystem(self.env)
self.db = self.env.get_db_cnx()
setup = TagSetup(self.env)
# Current tractags schema is setup with enabled component anyway.
# Revert these changes for getting default permissions inserted.
self._revert_tractags_schema_init()
setup.upgrade_environment(self.db)
self.provider = TicketTagProvider(self.env)
self.realm = 'ticket'
self.tag_sys = TagSystem(self.env)
self.tags = ['tag1']
cursor = self.db.cursor()
# Populate table with initial test data, not synced with tickets yet.
cursor.execute("""
INSERT INTO tags
(tagspace, name, tag)
VALUES ('ticket', '1', 'deleted')""")
self.realm = 'ticket'
self._create_ticket(self.tags)
self.req = Mock()
# Mock an anonymous request.
self.req.perm = PermissionCache(self.env)
def test_complete_milestone_retarget_tickets(self):
name = 'milestone1'
target = 'milestone2'
insert_ticket(self.env, summary='Ticket 1', milestone=name)
insert_ticket(self.env, summary='Ticket 2', milestone=name)
ps = PermissionSystem(self.env)
ps.grant_permission('user1', 'TICKET_ADMIN')
ps.grant_permission('user1', 'MILESTONE_MODIFY')
req = MockRequest(self.env, authname='user1', method='POST',
path_info='/admin/ticket/milestones/%s' % name,
args=dict(action='edit', save='Submit changes', name=name,
description='', retarget='on', target=target,
comment='', completed='on',
completeddate='May 20, 2020, 9:07:52 PM'))
mod = AdminModule(self.env)
self.assertTrue(mod.match_request(req))
with self.assertRaises(RequestDone):
mod.process_request(req)
self.assertEqual(2, len(req.chrome['notices']))
self.assertEqual(
'The open tickets associated with milestone "milestone1" '
'have been retargeted to milestone "milestone2".',
req.chrome['notices'][0])
self.assertEqual('Your changes have been saved.',
req.chrome['notices'][1])
self.assertEqual([], req.chrome['warnings'])
self.assertEqual(['303 See Other'], req.status_sent)
self.assertEqual('http://example.org/trac.cgi/admin/ticket/milestones',
req.headers_sent['Location'])
self.assertTrue(Milestone(self.env, name).is_completed)
self.assertEqual(target, Ticket(self.env, 1)['milestone'])
self.assertEqual(target, Ticket(self.env, 2)['milestone'])
def test_user_with_ticket_admin_can_view(self):
"""User with MILESTONE_VIEW and TICKET_ADMIN can view."""
PermissionSystem(self.env).grant_permission('user1', 'TICKET_ADMIN')
req = MockRequest(self.env, authname='user1')
rv = MilestoneAdminPanel(self.env).get_admin_panels(req)
self.assertEqual([('ticket', "Ticket System", 'milestones',
"Milestones")], list(rv))
def test_view_config_paging(self):
config = BuildConfig(self.env, name='test', path='trunk')
config.insert()
platform = TargetPlatform(self.env, config='test', name='any')
platform.insert()
PermissionSystem(self.env).grant_permission('joe', 'BUILD_VIEW')
req = Mock(method='GET',
base_path='',
cgi_location='',
path_info='/build/test',
href=Href('/trac'),
args={},
chrome={},
authname='joe',
perm=PermissionCache(self.env, 'joe'))
root = Mock(get_entries=lambda: ['foo'],
get_history=lambda: [('trunk', rev, 'edit')
for rev in range(123, 110, -1)])
self.repos = Mock(get_node=lambda path, rev=None: root,
sync=lambda: None,
normalize_path=lambda path: path,
normalize_rev=lambda rev: rev,
youngest_rev=123)
self.repos.authz = Mock(has_permission=lambda path: True,
assert_permission=lambda path: None)
module = BuildConfigController(self.env)
assert module.match_request(req)
_, data, _ = module.process_request(req)
if req.chrome:
self.assertEqual('/trac/build/test?page=2',
req.chrome['links']['next'][0]['href'])
def _grant_permission(self, username, action):
from trac.perm import DefaultPermissionPolicy, PermissionSystem
if self._has_permission(username, action):
return
DefaultPermissionPolicy(self.env).permission_cache = {}
PermissionSystem(self.env).grant_permission(username, action)
assert self._has_permission(username, action)
def test_new_blog_post(self):
PermissionSystem(self.env).grant_permission('user', 'BLOG_ADMIN')
req = MockRequest(self.env,
method='POST',
path_info='/blog/create',
authname='user',
args={
'name': 'new_post',
'title': 'New post',
'author': 'user',
'body': 'The body',
'action': 'new',
'blog-save': ''
})
module = FullBlogModule(self.env)
self.assertTrue(module.match_request(req))
self.assertRaises(RequestDone, module.process_request, req)
self.assertEquals('http://example.org/trac.cgi/blog/new_post',
req.headers_sent['Location'])
self.assertEquals([], req.chrome['warnings'])
posts = get_blog_posts(self.env)
self.assertEquals(1, len(posts))
self.assertEquals('New post', posts[0][4])
def _do_users(self, req):
perm = PermissionSystem(self.env)
listing_enabled = self.account_manager.supports('get_users')
create_enabled = self.account_manager.supports('set_password')
delete_enabled = self.account_manager.supports('delete_user')
req.hdf['listing_enabled'] = listing_enabled
req.hdf['create_enabled'] = create_enabled
req.hdf['delete_enabled'] = delete_enabled
if req.method == 'POST':
if req.args.get('add'):
if create_enabled:
try:
_create_user(req, self.env, check_permissions=False)
except TracError, e:
req.hdf['registration.error'] = e.message
else:
req.hdf['registration_error'] = 'The password store does ' \
'not support creating users'
elif req.args.get('remove'):
if delete_enabled:
sel = req.args.get('sel')
sel = isinstance(sel, list) and sel or [sel]
for account in sel:
self.account_manager.delete_user(account)
else:
req.hdf['deletion_error'] = 'The password store does not ' \
'support deleting users'
def _ticket_change_subscribers(subscriber, candidates):
if not candidates:
return
if not isinstance(candidates, (list, set, tuple)):
candidates = [candidates]
# Get members of permission groups
groups = PermissionSystem(subscriber.env).get_groups_dict()
for cc in set(candidates):
if cc in groups:
candidates.remove(cc)
candidates.update(groups[cc])
matcher = RecipientMatcher(subscriber.env)
klass = subscriber.__class__.__name__
sids = set()
for candidate in candidates:
recipient = matcher.match_recipient(candidate)
if not recipient:
continue
sid, auth, addr = recipient
# Default subscription
for s in subscriber.default_subscriptions():
yield s[0], s[1], sid, auth, addr, s[2], s[3], s[4]
if sid:
sids.add((sid, auth))
for s in Subscription.find_by_sids_and_class(subscriber.env, sids, klass):
yield s.subscription_tuple()
def _do_notice(self, req):
perm = PermissionSystem(self.env)
perms = perm.get_all_permissions()
self._get_notice_options()
(userinfos, groupinfos) = self._get_infos(perms)
if req.method == 'POST':
if req.args.get('fill'):
self._set_notice_options(req)
if req.args.get('use_ldap'):
self._fill_from_ldap(userinfos, groupinfos)
if req.args.get('use_file'):
self._fill_from_file(req, userinfos, groupinfos)
if req.args.get('change'):
self._fill_from_fields(req, userinfos, groupinfos)
if req.args.get('rmuser'):
self._rm_user(req, userinfos, groupinfos)
(userinfos, groupinfos) = self._get_infos(perms)
if req.args.get('rminfo'):
self._rm_info(req, userinfos, groupinfos)
if req.args.get('rmall'):
self._rm_all(req, userinfos, groupinfos)
(userinfos, groupinfos) = self._get_infos(perms)
if (len(userinfos) > 0) or (len(groupinfos) > 0):
self.error_message = "As long as permissions are defined for users/group, " + \
"they cannot be delete from this list."
if req.args.get('extract'):
self._extract_groups(req, userinfos, groupinfos)
req.hdf['admin.userinfos'] = userinfos
req.hdf['admin.groupinfos'] = groupinfos
req.hdf['admin.options'] = self.options
if self.error_message:
req.hdf['admin.error_message'] = self.error_message
return 'admin_notice.cs', None
def test_add_comment_requires_ticket_append(self):
"""Adding a ticket comment requires TICKET_APPEND."""
ps = PermissionSystem(self.env)
ps.revoke_permission('authenticated', 'TICKET_MODIFY')
ps.grant_permission('user1', 'TICKET_APPEND')
ps.grant_permission('user2', 'TICKET_CHGPROP')
ticket = self._insert_ticket(summary='the summary')
comment = 'the comment'
def make_req(authname):
change_time = Ticket(self.env, 1)['changetime']
return MockRequest(
self.env, authname=authname,
method='POST', path_info='/ticket/1',
args={'comment': comment, 'action': 'leave', 'submit': True,
'view_time': unicode(to_utimestamp(change_time))})
req = make_req('user1')
self.assertTrue(self.ticket_module.match_request(req))
self.assertRaises(RequestDone, self.ticket_module.process_request,
req)
self.assertEqual([], req.chrome['warnings'])
self.assertEqual(comment,
ticket.get_change(1)['fields']['comment']['new'])
req = make_req('user2')
self.assertTrue(self.ticket_module.match_request(req))
self.ticket_module.process_request(req)
self.assertEqual(1, len(req.chrome['warnings']))
self.assertEqual("No permissions to add a comment.",
unicode(req.chrome['warnings'][0]))
def setUp(self):
self.env = EnvironmentStub(default_data=True,
enable=['trac.*', 'tractags.*'])
self.env.path = tempfile.mkdtemp()
self.perms = PermissionSystem(self.env)
self.tag_s = TagSystem(self.env)
self.tag_wp = WikiTagProvider(self.env)
self.db = self.env.get_db_cnx()
setup = TagSetup(self.env)
# Current tractags schema is partially setup with enabled component.
# Revert these changes for getting a clean setup.
self._revert_tractags_schema_init()
setup.upgrade_environment(self.db)
cursor = self.db.cursor()
# Populate table with initial test data.
cursor.execute("""
INSERT INTO tags
(tagspace, name, tag)
VALUES ('wiki', 'WikiStart', 'tag1')
""")
self.req = Mock()
# Mock an anonymous request.
self.req.perm = PermissionCache(self.env)
self.realm = 'wiki'
self.tags = ['tag1']
def setUp(self):
self.env = EnvironmentStub(enable=[
'trac.*', 'acct_mgr.api.*', 'acct_mgr.admin.*', 'acct_mgr.db.*',
'acct_mgr.register.*', 'acct_mgr.pwhash.HtDigestHashMethod',
'acct_mgr.tests.admin.BadCheck', 'acct_mgr.tests.admin.DummyCheck'
])
self.env.path = tempfile.mkdtemp()
self.perm = PermissionSystem(self.env)
# Create a user reference in the permission system.
self.perm.grant_permission('admin', 'ACCTMGR_ADMIN')
# Prepare a generic request object for admin actions.
self.req = Mock(authname='admin',
method='GET',
args=dict(),
abs_href=self.env.abs_href,
chrome=dict(notices=[], warnings=[]),
href=self.env.abs_href,
locale='',
redirect=lambda x: None,
session=dict(),
tz='')
self.req.perm = PermissionCache(self.env, 'admin')
self.acctmgr = AccountManager(self.env)
def test_preview_comment_validate_max_comment_size(self):
"""The [ticket] max_comment_size attribute is validated during
ticket comment edit preview.
"""
perm_sys = PermissionSystem(self.env)
perm_sys.grant_permission('user1', 'TICKET_VIEW')
perm_sys.grant_permission('user1', 'TICKET_APPEND')
self.env.config.set('ticket', 'max_comment_size', 5)
ticket = self._insert_ticket(summary='the summary')
ticket.save_changes('user1', '12345')
req = MockRequest(self.env,
method='POST',
authname='user1',
path_info='/ticket/%d' % ticket.id,
args={
'id': '1',
'preview_comment': True,
'cnum_edit': '1',
'edited_comment': '123456'
})
self.assertTrue(self.ticket_module.match_request(req))
self.ticket_module.process_request(req)
self.assertEqual(
"The ticket comment is invalid: Must be less than or "
"equal to 5 characters", unicode(req.chrome['warnings'][0]))
def _to_users(self, users_perms_and_groups, ticket):
"""Finds all users contained in the list of `users_perms_and_groups`
by recursive lookup of users when a `group` is encountered.
"""
ps = PermissionSystem(self.env)
groups = ps.get_groups_dict()
def append_owners(users_perms_and_groups):
for user_perm_or_group in users_perms_and_groups:
if user_perm_or_group == 'authenticated':
owners.update({u[0] for u in self.env.get_known_users()})
elif user_perm_or_group.isupper():
perm = user_perm_or_group
for user in ps.get_users_with_permission(perm):
if perm in PermissionCache(self.env, user,
ticket.resource):
owners.add(user)
elif user_perm_or_group not in groups:
owners.add(user_perm_or_group)
else:
append_owners(groups[user_perm_or_group])
owners = set()
append_owners(users_perms_and_groups)
return sorted(owners)
def setUp(self):
self.env = EnvironmentStub(default_data=True)
self.perm_sys = PermissionSystem(self.env)
self.ctlr = TicketSystem(self.env).action_controllers[0]
self.req1 = MockRequest(self.env, authname='user1')
self.req2 = MockRequest(self.env, authname='user2')
self.ticket = insert_ticket(self.env, status='invalid')
def setUp(self):
BaseProductAdminPanelTestCase.setUp(self)
self.global_env.config.set('multiproduct', 'admin_blacklist',
'testcat1:panel1,testcat3:panel2')
self.env.config.set('multiproduct', 'admin_blacklist',
'testcat1:panel3,testcat3:panel1,testcat2:*')
global_permsys = PermissionSystem(self.global_env)
permsys = PermissionSystem(self.env)
global_permsys.grant_permission('adminuser', 'TRAC_ADMIN')
global_permsys.grant_permission('prodadmin', 'PRODUCT_ADMIN')
global_permsys.grant_permission('testuser', 'TEST_ADMIN')
permsys.grant_permission('prodadmin', 'PRODUCT_ADMIN')
permsys.grant_permission('testuser', 'TEST_ADMIN')
self.req = self._get_request_obj()
def check_permission(self, action, username, resource, perm):
if ConfigObj is None:
self.log.error('configobj package not found')
return None
if self.authz_file and not self.authz_mtime or \
os.path.getmtime(self.get_authz_file()) > self.authz_mtime:
self.parse_authz()
resource_key = self.normalise_resource(resource)
self.log.debug('Checking %s on %s', action, resource_key)
permissions = self.authz_permissions(resource_key, username)
if permissions is None:
return None # no match, can't decide
elif permissions == ['']:
return False # all actions are denied
# FIXME: expand all permissions once for all
ps = PermissionSystem(self.env)
for deny, perms in groupby(permissions,
key=lambda p: p.startswith('!')):
if deny and action in ps.expand_actions([p[1:] for p in perms]):
return False # action is explicitly denied
elif action in ps.expand_actions(perms):
return True # action is explicitly granted
return None # no match for action, can't decide
def setUp(self):
tmpdir = os.path.realpath(tempfile.gettempdir())
self.env = EnvironmentStub(enable=['trac.*', AuthzPolicy], path=tmpdir)
self.env.config.set('trac', 'permission_policies',
'AuthzPolicy, DefaultPermissionPolicy')
self.env.config.set('ticket', 'restrict_owner', True)
self.perm_sys = PermissionSystem(self.env)
self.env.insert_known_users([
('user1', '', ''), ('user2', '', ''),
('user3', '', ''), ('user4', '', '')
])
self.perm_sys.grant_permission('user1', 'TICKET_MODIFY')
self.perm_sys.grant_permission('user2', 'TICKET_VIEW')
self.perm_sys.grant_permission('user3', 'TICKET_MODIFY')
self.perm_sys.grant_permission('user4', 'TICKET_MODIFY')
self.authz_file = os.path.join(tmpdir, 'trac-authz-policy')
create_file(self.authz_file)
self.env.config.set('authz_policy', 'authz_file', self.authz_file)
self.ctlr = TicketSystem(self.env).action_controllers[0]
self.req1 = Mock(authname='user1', args={},
perm=PermissionCache(self.env, 'user1'))
self.ticket = Ticket(self.env)
self.ticket['status'] = 'new'
self.ticket.insert()
def test_change_milestone_requires_milestone_view(self):
"""Changing ticket milestone requires MILESTONE_VIEW."""
perm_sys = PermissionSystem(self.env)
perm_sys.revoke_permission('anonymous', 'MILESTONE_VIEW')
perm_sys.grant_permission('user_w_mv', 'MILESTONE_VIEW')
self._insert_ticket(summary='the summary')
def make_req(authname):
return MockRequest(self.env, authname=authname, method='GET',
path_info='/ticket/1')
def get_milestone_field(fields):
for field in fields:
if 'milestone' == field['name']:
return field
req = make_req('user')
self.assertTrue(self.ticket_module.match_request(req))
data = self.ticket_module.process_request(req)[1]
milestone_field = get_milestone_field(data['fields'])
self.assertFalse(milestone_field['editable'])
self.assertEqual([], milestone_field['optgroups'][0]['options'])
self.assertEqual([], milestone_field['optgroups'][1]['options'])
req = make_req('user_w_mv')
self.assertTrue(self.ticket_module.match_request(req))
data = self.ticket_module.process_request(req)[1]
milestone_field = get_milestone_field(data['fields'])
self.assertTrue(milestone_field['editable'])
self.assertEqual([], milestone_field['optgroups'][0]['options'])
self.assertEqual(['milestone1', 'milestone2',
'milestone3', 'milestone4'],
milestone_field['optgroups'][1]['options'])
