def test_archive_with_no_unarchive_permission(self): additional_clauses = copy.deepcopy(clauses) additional_clauses['clause'] += [ { 'effect': 'deny', 'object': ['resource/*/*/*'], 'action': ['resource.unarchive'], }, ] policy = Policy.objects.create( name='allow', body=json.dumps(additional_clauses)) assign_user_policies(self.user, policy) expected_success_url = reverse( 'resources:project_list', kwargs={ 'organization': self.project.organization.slug, 'project': self.project.slug, } ) response = self.request(user=self.user) assert response.status_code == 302 assert response.location == expected_success_url self.resource.refresh_from_db() assert self.resource.archived is True
def run(verbose=True, force=False): PERMISSIONS_DIR = settings.BASE_DIR + '/permissions/' if force: models.PermissionSet.objects.all().delete() models.Role.objects.all().delete() models.Policy.objects.all().delete() pols = {} for pol in ['default', 'superuser', 'org-admin', 'org-member', 'project-manager', 'data-collector', 'project-user']: try: pols[pol] = models.Policy.objects.get(name=pol) pols[pol].body = open(PERMISSIONS_DIR + pol + '.json').read() pols[pol].save() except: pols[pol] = models.Policy.objects.create( name=pol, body=open(PERMISSIONS_DIR + pol + '.json').read() ) if not models.Role.objects.filter(name='superuser').exists(): models.Role.objects.create( name='superuser', policies=[pols['default'], pols['superuser']] ) models.assign_user_policies(None, pols['default'])
def assign_policies(user): clauses = { 'clause': [ { "effect": "allow", "object": ["*"], "action": ["org.*"] }, { 'effect': 'allow', 'object': ['organization/*'], 'action': ['org.*', "org.*.*"] }, { 'effect': 'allow', 'object': ['project/*/*'], 'action': ['project.*', 'project.*.*', 'spatial.*'] }, { 'effect': 'allow', 'object': ['spatial/*/*/*'], 'action': ['spatial.*', 'spatial.resources.*'] } ] } policy = Policy.objects.create( name='test-policy', body=json.dumps(clauses)) assign_user_policies(user, policy)
def test_create_private_record_without_permission(self): self.prj.access = 'private' self.prj.save() restricted_clauses = { 'clause': [ { 'effect': 'allow', 'object': ['project.list'], 'action': ['organization/*'] }, { 'effect': 'allow', 'object': ['project.view'], 'action': ['project/*/*'] } ] } restricted_policy = Policy.objects.create( name='restricted', body=json.dumps(restricted_clauses)) assign_user_policies(self.user, restricted_policy) response = self.request(user=self.user, method='POST') assert response.status_code == 403 assert PartyRelationship.objects.count() == 0 assert response.content['detail'] == PermissionDenied.default_detail
def test_login_redirect_from_project_dashboard_to_org_dashboard(self): user = UserFactory.create() assign_user_policies(user, *[]) project = ProjectFactory.create() view = org_views.ProjectDashboard.as_view() request = HttpRequest() request.META['HTTP_REFERER'] = '/account/login/' setattr(request, 'user', user) setattr(request, 'method', 'GET') setattr(request, 'session', 'session') self.messages = FallbackStorage(request) setattr(request, '_messages', self.messages) kwargs = { 'organization': project.organization.slug, 'project': project.slug } def get_full_path(): return '/organizations/{}/projects/{}/'.format( project.organization.slug, project.slug ) setattr(request, 'get_full_path', get_full_path) exp_redirect = reverse('organization:dashboard', kwargs={ 'slug': project.organization.slug}) response = view(request, **kwargs) assert response.status_code == 302 assert exp_redirect == response['location']
def setup(datadir, db): user1 = UserFactory.create(username='******') user2 = UserFactory.create(username='******') user3 = UserFactory.create(username='******') user4 = UserFactory.create(username='******') user5 = UserFactory.create(username='******') PolicyFactory.set_directory(str(datadir)) def_pol = PolicyFactory.create(name='def', file='default-policy.json') org_pol = PolicyFactory.create(name='org', file='org-policy.json') prj_pol = PolicyFactory.create(name='prj', file='project-policy.json') deny_pol = PolicyFactory.create(name='prj', file='deny-policy.json') Action.register(['party.list', 'party.view', 'parcel.list', 'parcel.view', 'party.edit', 'parcel.edit']) assign_user_policies(None, def_pol) user1.assign_policies(def_pol) user2.assign_policies(def_pol, (org_pol, {'organisation': 'Cadasta'})) user3.assign_policies(def_pol, (org_pol, {'organisation': 'Cadasta'}), (prj_pol, {'organisation': 'Cadasta', 'project': 'TestProj'}), (deny_pol, {'organisation': 'Cadasta', 'project': 'Proj2'})) user4.assign_policies(def_pol, (org_pol, {'organisation': 'OtherOrg'})) user5.assign_policies(def_pol, (org_pol, {'organisation': 'Cadasta'}), (prj_pol, {'organisation': 'Cadasta', 'project': 'TestProj2'})) return (user1, user2, user3, user4, user5, def_pol, org_pol, prj_pol, deny_pol)
def test_get_org_with_new_org(self): new_org = OrganizationFactory.create() assign_user_policies(self.user, self.policy) response = self.request(user=self.user, url_kwargs={'slug': new_org.slug}) assert response.status_code == 200 assert response.content == self.render_content(organization=new_org, projects=[])
def assign_policies(user): USER_CLAUSES = { 'clause': [ clause('allow', ['user.list']), clause('allow', ['user.update'], ['user/*']) ] } policy = Policy.objects.create(name='allow', body=json.dumps(USER_CLAUSES)) assign_user_policies(user, policy)
def test_basic_anonymous(datadir, setup): # noqa u1, u2, u3, u4, u5, def_pol, org_pol, prj_pol, deny_pol = setup obj1 = Object('parcel/Cadasta/TestProj/123') assert not AnonymousUser().has_perm('parcel.edit', obj1) assign_user_policies(None, def_pol, (org_pol, {'organisation': 'Cadasta'})) assert AnonymousUser().has_perm('parcel.edit', obj1)
def test_organizations_view_without_permission(self): """ Unregistered users can see organizations.""" # again, not sure why you have to call this explicitly assign_user_policies(None, Policy.objects.get(name='default')) page = OrganizationListPage(self) page.go_to() organization_title = page.get_organization_title_in_table() assert organization_title == 'Organization #0'
def assign_permissions(user, add_pols=None): additional_clauses = copy.deepcopy(clauses) if add_pols: additional_clauses['clause'] += add_pols policy = Policy.objects.create( name='allow', body=json.dumps(additional_clauses)) assign_user_policies(user, policy)
def assign_policies(user): clauses = { 'clause': [ clause('allow', ['org.list']), clause('allow', ['org.*', 'org.*.*'], ['organization/*']) ] } policy = Policy.objects.create( name='allow', body=json.dumps(clauses)) assign_user_policies(user, policy)
def setup_models(self): clauses = { 'clause': [ clause('allow', ['org.create']) ] } self.policy = Policy.objects.create( name='allow', body=json.dumps(clauses)) self.user = UserFactory.create() assign_user_policies(self.user, self.policy)
def setup_models(self): clauses = { 'clause': [ clause('allow', ['user.list']) ] } policy = Policy.objects.create( name='test-default', body=json.dumps(clauses)) self.user = UserFactory.create() assign_user_policies(self.user, policy)
def setup_models(self): clauses = { 'clause': [ clause('allow', ['org.list']), clause('allow', ['org.view'], ['organization/*']) ] } policy = Policy.objects.create( name='test-policy', body=json.dumps(clauses)) self.user = UserFactory.create() assign_user_policies(self.user, policy)
def setUp(self): super().setUp() clauses = { 'clause': [ clause('allow', ['org.*']), clause('allow', ['org.*'], ['organization/*']) ] } policy = Policy.objects.create( name='test-policy-1', body=json.dumps(clauses)) self.user = UserFactory.create() assign_user_policies(self.user, policy)
def setup_models(self): clauses = { 'clause': [ clause('allow', ['org.*']), clause('allow', ['org.*'], ['organization/*']) ] } policy = Policy.objects.create(name='test-policy-1', body=json.dumps(clauses)) self.user = UserFactory.create() assign_user_policies(self.user, policy) self.org = OrganizationFactory.create(name='Org', slug='org') self.project = ProjectFactory.create(organization=self.org)
def test_get_organization_with_authorized_user(self): clauses = { 'clause': [ clause('allow', ['org.*', 'org.*.*'], ['organization/*']), ] } policy = Policy.objects.create(name='test-policy-1', body=json.dumps(clauses)) assign_user_policies(self.user, policy) response = self.request(user=self.user) assert response.status_code == 200 assert response.content['id'] == self.org.id assert 'users' in response.content
def assign_policies(user): clauses = { 'clause': [ { 'effect': 'allow', 'object': ['project/*/*'], 'action': ['project.view_private'] }, ], } policy = Policy.objects.create( name='allow', body=json.dumps(clauses)) assign_user_policies(user, policy)
def test_archive_with_unauthorized_user(self): clauses = { 'clause': [ clause('allow', ['org.update'], ['organization/*']), clause('deny', ['org.archive'], ['organization/*']) ] } policy = Policy.objects.create(name='test-policy-1', body=json.dumps(clauses)) assign_user_policies(self.user, policy) data = {'archived': True} response = self.request(method='PATCH', user=self.user, post_data=data) assert response.status_code == 403 self.org.refresh_from_db() assert self.org.archived is False
def setup_models(self): clauses = { 'clause': [ clause('allow', ['org.*']), clause('allow', ['org.*', 'org.*.*'], ['organization/*']) ] } policy = Policy.objects.create( name='test-policy', body=json.dumps(clauses)) self.user = UserFactory.create() assign_user_policies(self.user, policy) org_users = UserFactory.create_batch(2) self.org = OrganizationFactory.create(slug='org', add_users=org_users)
def test_roles_creation(datadir, setup): # noqa u1, u2, u3, u4, u5, def_pol, org_pol, prj_pol, deny_pol = setup cadasta_org_role = Role.objects.create( name='cadasta_org', policies=[def_pol, org_pol], variables={'organisation': 'Cadasta'} ) cadasta_org_role.save() assert str(cadasta_org_role) == 'cadasta_org' testproj_proj_role = Role.objects.create( name='testproj_proj', policies=[def_pol, org_pol, prj_pol], variables={'organisation': 'Cadasta', 'project': 'TestProj'} ) testproj_proj_role.save() proj2_proj_role = Role.objects.create( name='proj2_proj', policies=[def_pol, org_pol, prj_pol], variables={'organisation': 'Cadasta', 'project': 'Proj2'} ) proj2_proj_role.save() other_org_role = Role.objects.create( name='other_org', policies=[def_pol, org_pol], variables={'organisation': 'OtherOrg'} ) other_org_role.save() assign_user_policies(None, cadasta_org_role) u1.assign_policies(def_pol) u2.assign_policies(cadasta_org_role) u3.assign_policies(testproj_proj_role, (deny_pol, {'organisation': 'Cadasta', 'project': 'Proj2'})) u4.assign_policies(other_org_role) u5.assign_policies(proj2_proj_role) obj1 = Object('parcel/Cadasta/TestProj/123') assert not u1.has_perm('parcel.edit', obj1) assert u2.has_perm('parcel.edit', obj1) assert not u3.has_perm('parcel.edit', obj1) obj2 = Object('parcel/Cadasta/Proj2/114') assert not u1.has_perm('parcel.view', obj2) assert u2.has_perm('parcel.view', obj2) assert u3.has_perm('parcel.view', obj2) obj3 = Object('parcel/SkunkWorks/SR-71/Area51') assert not u1.has_perm('parcel.view', obj3) assert not u2.has_perm('parcel.view', obj3) assert not u3.has_perm('parcel.view', obj3)
def test_create_organization_with_unauthorized_user(self): clauses = { 'clause': [ clause('allow', ['org.list']), clause('allow', ['org.view'], ['organization/*']) ] } policy = Policy.objects.create(name='test-policy-2', body=json.dumps(clauses)) assign_user_policies(self.user, policy) data = {'name': 'new_org', 'description': 'Org description'} response = self.request(method='POST', user=self.user, post_data=data) assert response.status_code == 403 assert Organization.objects.count() == 0 assert response.content['detail'] == PermissionDenied.default_detail
def test_create_private_record_without_permission(self): self.prj.access = "private" self.prj.save() restricted_clauses = { "clause": [ {"effect": "allow", "object": ["project.list"], "action": ["organization/*"]}, {"effect": "allow", "object": ["project.view"], "action": ["project/*/*"]}, ] } restricted_policy = Policy.objects.create(name="restricted", body=json.dumps(restricted_clauses)) assign_user_policies(self.user, restricted_policy) response = self.request(user=self.user, method="POST") assert response.status_code == 403 assert PartyRelationship.objects.count() == 0 assert response.content["detail"] == PermissionDenied.default_detail
def test_permission_filter(self): clauses = { 'clause': [ clause('allow', ['org.list']), clause('allow', ['org.view', 'project.create'], ['organization/*']), clause('deny', ['project.create'], ['organization/unauthorized']) ] } policy = Policy.objects.create(name='deny', body=json.dumps(clauses)) assign_user_policies(self.user, policy) OrganizationFactory.create_from_kwargs([{}, {'slug': 'unauthorized'}]) response = self.request(user=self.user, get_data={'permissions': 'project.create'}) assert response.status_code == 200 assert len(response.content) == 1 assert response.content[0]['slug'] != 'unauthorized'
def test_list_only_one_organization_is_authorized(self): """ It should return all authorized organizations. """ clauses = { 'clause': [ clause('allow', ['org.list']), clause('allow', ['org.view'], ['organization/*']), clause('deny', ['org.view'], ['organization/unauthorized']) ] } policy = Policy.objects.create(name='deny', body=json.dumps(clauses)) assign_user_policies(self.user, policy) OrganizationFactory.create_from_kwargs([{}, {'slug': 'unauthorized'}]) response = self.request(user=self.user) assert response.status_code == 200 assert len(response.content) == 1 assert response.content[0]['slug'] != 'unauthorized'
def test_get_private_project_without_permission(self): self.project.access = 'private' self.project.save() restricted_clauses = { 'clause': [ clause('allow', ['org.list']), clause('allow', ['org.view'], ['organization/*']), clause('allow', ['project.list'], ['organization/*']), clause('allow', ['project.view'], ['project/*/*']) ] } restricted_policy = Policy.objects.create( name='restricted', body=json.dumps(restricted_clauses)) assign_user_policies(self.user, restricted_policy) response = self.request(user=self.user) assert response.status_code == 403 assert response.content['detail'] == PermissionDenied.default_detail
def test_lookup_user_policies_and_roles(datadir, setup): # noqa users, pols, roles = setup sys_admin_p, org_admin_p, proj_mgr_p = pols (sys_admin_r, org_admin_1_r, org_admin_2_r, proj_mgr_1_r, proj_mgr_2_r) = roles assert user_assigned_policies(None) == [] assign_user_policies(None, (org_admin_p, {'org': 'Sandbox'})) assert user_assigned_policies(None) == [(org_admin_p, {'org': 'Sandbox'})] assert users[0].assigned_policies() == [] assert users[1].assigned_policies() == [sys_admin_p] assert users[2].assigned_policies() == [sys_admin_r] assert users[3].assigned_policies() == [org_admin_1_r] assert users[4].assigned_policies() == [org_admin_2_r] assert users[5].assigned_policies() == [org_admin_1_r, org_admin_2_r] assert users[6].assigned_policies() == [org_admin_1_r, proj_mgr_2_r] assert users[7].assigned_policies() == [proj_mgr_1_r] assert users[8].assigned_policies() == [(org_admin_p, {'org': 'Org3'})] assert users[9].assigned_policies() == [(org_admin_p, {'org': 'Org3'}), (proj_mgr_p, {'org': 'Org3', 'proj': 'Proj3'})]
def assign_policies(user): clauses = { 'clause': [ { 'effect': 'allow', 'object': ['project/*/*'], 'action': ['spatial.*', 'tenure_rel.*'] }, { 'effect': 'allow', 'object': ['spatial/*/*/*'], 'action': ['spatial.*', 'spatial.resources.*'] }, { 'effect': 'allow', 'object': ['tenure_rel/*/*/*'], 'action': ['tenure_rel.*', 'tenure_rel.*.*'] } ] } policy = Policy.objects.create( name='allow', body=json.dumps(clauses)) assign_user_policies(user, policy)
def setup_models(self): clauses = {'clause': [clause('allow', ['org.create'])]} self.policy = Policy.objects.create(name='allow', body=json.dumps(clauses)) self.user = UserFactory.create() assign_user_policies(self.user, self.policy)
def test_nonloggedin_user(self): """Verify that a non-logged-in user can only see pages of public projects and that project details are correct.""" assign_user_policies(None, Policy.objects.get(name='default')) self.check_project_pages('nonloggedin', [])
def test_get_org_with_authorized_user(self): assign_user_policies(self.user, self.policy) response = self.request(user=self.user) assert response.status_code == 200 assert response.content == self.render_content( projects=sorted(self.projs, key=lambda p: p.slug))
def setup_models(self): clauses = {'clause': [clause('allow', ['user.list'])]} policy = Policy.objects.create(name='test-default', body=json.dumps(clauses)) self.user = UserFactory.create() assign_user_policies(self.user, policy)
def assign_policies(user): clauses = {'clause': [clause('allow', ['project.*'], ['project/*/*'])]} policy = Policy.objects.create(name='allow', body=json.dumps(clauses)) assign_user_policies(user, policy)
def test_get_org_with_authorized_user(self): assign_user_policies(self.user, self.policy) response = self.request(user=self.user) assert response.status_code == 200 assert response.content == self.expected_content
user=u, policy=p, index=i, organisation=org, project=proj ) elif org is not None: ups = UserPolicyAssignment.objects.create( user=u, policy=p, index=i, organisation=org ) else: ups = UserPolicyAssignment.objects.create( user=u, policy=p, index=i ) ups.save() assign_user_policies(None, default_p) parties = [(proj1, 'Jim Jones'), (proj1, 'Sally Smith'), (proj1, 'Bob Bennett'), (proj2, 'Dave Dawkins'), (proj2, 'Alex Adams'), (proj3, 'Charlie Chapo')] for p, n in parties: party = Party(project=p, name=n) party.save() parcels = [(proj1, '1 Beach Terrace'), (proj1, '5 Sandy Road'), (proj2, '10 Chorley Street'),