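def _set_private(self, bool_flag):
    """Switch this ticket's ACL between private and default.

    When ``bool_flag`` is truthy, the ACL is rebuilt from allow entries for
    the ``Developer`` role and for the reporter's per-user role, using the
    permissions ``security.all_allowed`` reports for each, and is closed
    with ``DENY_ALL``. When it is falsy, the ACL is reset to an empty list.
    """
    if bool_flag:
        role_developer = ProjectRole.by_name('Developer')
        role_creator = ProjectRole.by_user(self.reported_by, upsert=True)

        def _allow_all(role, perms):
            return [ACE.allow(role._id, perm) for perm in perms]

        # maintain existing access for developers and the ticket creator,
        # but revoke all access for everyone else
        acl = _allow_all(role_developer,
                         security.all_allowed(self, role_developer))
        # If the reporter resolves to the anonymous role, re-granting that
        # role's permissions would leave the "private" ticket open to every
        # unauthenticated visitor, so the creator entries are skipped.
        if role_creator != ProjectRole.anonymous():
            acl += _allow_all(role_creator,
                              security.all_allowed(self, role_creator))
        # DENY_ALL goes after the explicit allow entries.
        acl.append(DENY_ALL)
        self.acl = acl
    else:
        self.acl = []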
def _set_private(self, bool_flag):
    """Make the ticket private (truthy flag) or restore the default ACL.

    A private ticket keeps the permissions that ``security.all_allowed``
    reports for the ``Developer`` role and for the reporter's own role,
    then ends with ``DENY_ALL``. The reporter's entries are left out when
    that role is the anonymous role, so anonymous access is not re-granted.
    """
    if not bool_flag:
        self.acl = []
        return

    developer_role = ProjectRole.by_name("Developer")
    creator_role = ProjectRole.by_user(self.reported_by, upsert=True)

    # maintain existing access for developers and the ticket creator,
    # but revoke all access for everyone else
    entries = [
        ACE.allow(developer_role._id, perm)
        for perm in security.all_allowed(self, developer_role)
    ]
    if creator_role != ProjectRole.anonymous():
        entries.extend(
            ACE.allow(creator_role._id, perm)
            for perm in security.all_allowed(self, creator_role)
        )
    entries.append(DENY_ALL)
    self.acl = entries
def install(self, project):
    """Grant the role found for ``c.user`` every permission in ``self.permissions``.

    If ``ProjectRole.by_user`` returns nothing for ``c.user``, the config
    ACL is left untouched. ``project`` is not used in this body.
    """
    user_role = ProjectRole.by_user(c.user)
    if not user_role:
        return
    grants = []
    for perm in self.permissions:
        grants.append(ACE.allow(user_role._id, perm))
    self.config.acl = grants
def test_private_ticket(self):
    """Check the ACL and effective access of a ticket as it is made private and public again."""
    from allura.model import ProjectRole
    from allura.model import ACE, DENY_ALL
    from allura.lib.security import Credentials, has_access
    from allura.websetup import bootstrap

    # Five principals: project admin, ticket reporter, a developer,
    # an unrelated logged-in user and the anonymous user.
    admin = c.user
    creator = bootstrap.create_user('Not a Project Admin')
    developer = bootstrap.create_user('Project Developer')
    observer = bootstrap.create_user('Random Non-Project User')
    anon = User(_id=None, username='******', display_name='Anonymous')

    t = Ticket(summary='my ticket', ticket_num=3,
               reported_by_id=creator._id)
    assert creator == t.reported_by

    role_admin = ProjectRole.by_name('Admin')._id
    role_developer = ProjectRole.by_name('Developer')._id
    role_creator = ProjectRole.by_user(t.reported_by, upsert=True)._id
    developer_user_role = ProjectRole.by_user(developer, upsert=True)
    developer_user_role.roles.append(role_developer)
    ThreadLocalORMSession.flush_all()
    cred = Credentials.get().clear()

    developer_perms = ('save_searches', 'read', 'create', 'update',
                       'unmoderated_post', 'post', 'moderate', 'delete')
    creator_perms = ('read', 'post', 'create', 'unmoderated_post')

    t.private = True
    # Allow entries for developers, then for the reporter, then the catch-all deny.
    assert_equal(
        t.acl,
        [ACE.allow(role_developer, perm) for perm in developer_perms]
        + [ACE.allow(role_creator, perm) for perm in creator_perms]
        + [DENY_ALL])

    # (user, permission, expected) while the ticket is private.
    private_matrix = (
        (admin, 'read', True),
        (admin, 'create', True),
        (admin, 'update', True),
        (creator, 'read', True),
        (creator, 'post', True),
        (creator, 'unmoderated_post', True),
        (creator, 'create', True),
        (creator, 'update', False),
        (developer, 'read', True),
        (developer, 'create', True),
        (developer, 'update', True),
        (observer, 'read', False),
        (observer, 'create', False),
        (observer, 'update', False),
        (anon, 'read', False),
        (anon, 'create', False),
        (anon, 'update', False),
    )
    for user, perm, allowed in private_matrix:
        granted = has_access(t, perm, user=user)()
        assert granted if allowed else not granted

    t.private = False
    assert t.acl == []

    # (user, permission, expected) once the ticket is public again.
    public_matrix = (
        (admin, 'read', True),
        (admin, 'create', True),
        (admin, 'update', True),
        (developer, 'read', True),
        (developer, 'create', True),
        (developer, 'update', True),
        (creator, 'read', True),
        (creator, 'unmoderated_post', True),
        (creator, 'create', True),
        (creator, 'update', False),
        (observer, 'read', True),
        (anon, 'read', True),
    )
    for user, perm, allowed in public_matrix:
        granted = has_access(t, perm, user=user)()
        assert granted if allowed else not granted
def install(self, project):
    """Set the config ACL to allow ``c.user``'s role all of ``self.permissions``.

    Nothing is written when no role is found for ``c.user``.
    """
    installer_role = ProjectRole.by_user(c.user)
    if installer_role:
        allow_entries = [
            ACE.allow(installer_role._id, permission)
            for permission in self.permissions
        ]
        self.config.acl = allow_entries
def test_private_ticket(self):
    # Verifies the ACL written when a ticket is flagged private, the access
    # each kind of user then has, and that clearing the flag empties the ACL.
    from allura.model import ProjectRole
    from allura.model import ACE, DENY_ALL
    from allura.lib.security import Credentials, has_access
    from allura.websetup import bootstrap
    # Principals under test: the current user (treated as admin below), the
    # ticket reporter, a developer, an unrelated user, and an anonymous user.
    admin = c.user
    creator = bootstrap.create_user('Not a Project Admin')
    developer = bootstrap.create_user('Project Developer')
    observer = bootstrap.create_user('Random Non-Project User')
    anon = User(_id=None, username='******', display_name='Anonymous')
    t = Ticket(summary='my ticket', ticket_num=3,
               reported_by_id=creator._id)

    assert creator == t.reported_by
    # role_admin is looked up but not referenced again in this test.
    role_admin = ProjectRole.by_name('Admin')._id
    role_developer = ProjectRole.by_name('Developer')._id
    role_creator = ProjectRole.by_user(t.reported_by, upsert=True)._id
    # Put the developer user's own role under the Developer role.
    ProjectRole.by_user(
        developer, upsert=True).roles.append(role_developer)
    ThreadLocalORMSession.flush_all()
    # NOTE(review): presumably clears cached credentials so the role change
    # above is seen by has_access; confirm. The result is not used.
    cred = Credentials.get().clear()

    t.private = True
    # Expected ACL: developer allows, then reporter allows, then DENY_ALL last.
    assert_equal(t.acl, [
        ACE.allow(role_developer, 'save_searches'),
        ACE.allow(role_developer, 'read'),
        ACE.allow(role_developer, 'create'),
        ACE.allow(role_developer, 'update'),
        ACE.allow(role_developer, 'unmoderated_post'),
        ACE.allow(role_developer, 'post'),
        ACE.allow(role_developer, 'moderate'),
        ACE.allow(role_developer, 'delete'),
        ACE.allow(role_creator, 'read'),
        ACE.allow(role_creator, 'post'),
        ACE.allow(role_creator, 'create'),
        ACE.allow(role_creator, 'unmoderated_post'),
        DENY_ALL])
    # Admin keeps access although the ACL has no Admin entry
    # (presumably through the role hierarchy; confirm).
    assert has_access(t, 'read', user=admin)()
    assert has_access(t, 'create', user=admin)()
    assert has_access(t, 'update', user=admin)()
    # The reporter can read and post but cannot update.
    assert has_access(t, 'read', user=creator)()
    assert has_access(t, 'post', user=creator)()
    assert has_access(t, 'unmoderated_post', user=creator)()
    assert has_access(t, 'create', user=creator)()
    assert not has_access(t, 'update', user=creator)()
    assert has_access(t, 'read', user=developer)()
    assert has_access(t, 'create', user=developer)()
    assert has_access(t, 'update', user=developer)()
    # Users outside the project and anonymous users get nothing, not even read.
    assert not has_access(t, 'read', user=observer)()
    assert not has_access(t, 'create', user=observer)()
    assert not has_access(t, 'update', user=observer)()
    assert not has_access(t, 'read', user=anon)()
    assert not has_access(t, 'create', user=anon)()
    assert not has_access(t, 'update', user=anon)()

    t.private = False
    # Clearing the flag empties the ticket ACL.
    assert t.acl == []
    assert has_access(t, 'read', user=admin)()
    assert has_access(t, 'create', user=admin)()
    assert has_access(t, 'update', user=admin)()
    assert has_access(t, 'read', user=developer)()
    assert has_access(t, 'create', user=developer)()
    assert has_access(t, 'update', user=developer)()
    assert has_access(t, 'read', user=creator)()
    assert has_access(t, 'unmoderated_post', user=creator)()
    assert has_access(t, 'create', user=creator)()
    # Being the reporter does not grant update on a public ticket either.
    assert not has_access(t, 'update', user=creator)()
    # Read access returns for the unrelated user and for anonymous.
    assert has_access(t, 'read', user=observer)()
    assert has_access(t, 'read', user=anon)()