def _set_private(self, bool_flag):
if bool_flag:
role_developer = ProjectRole.by_name('Developer')
role_creator = ProjectRole.by_user(self.reported_by, upsert=True)
_allow_all = lambda role, perms: [ACE.allow(role._id, perm) for perm in perms]
# maintain existing access for developers and the ticket creator,
# but revoke all access for everyone else
self.acl = _allow_all(role_developer, security.all_allowed(self, role_developer)) \
+ _allow_all(role_creator, security.all_allowed(self, role_creator)) \
+ [DENY_ALL]
else:
self.acl = []
def _set_private(self, bool_flag):
if bool_flag:
role_developer = ProjectRole.by_name("Developer")
role_creator = ProjectRole.by_user(self.reported_by, upsert=True)
def _allow_all(role, perms):
return [ACE.allow(role._id, perm) for perm in perms]
# maintain existing access for developers and the ticket creator,
# but revoke all access for everyone else
acl = _allow_all(role_developer, security.all_allowed(self, role_developer))
if role_creator != ProjectRole.anonymous():
acl += _allow_all(role_creator, security.all_allowed(self, role_creator))
acl += [DENY_ALL]
self.acl = acl
else:
self.acl = []
def install(self, project):
pr = ProjectRole.by_user(c.user)
if pr:
self.config.acl = [
ACE.allow(pr._id, perm) for perm in self.permissions
]
def test_private_ticket(self):
from allura.model import ProjectRole
from allura.model import ACE, DENY_ALL
from allura.lib.security import Credentials, has_access
from allura.websetup import bootstrap
admin = c.user
creator = bootstrap.create_user('Not a Project Admin')
developer = bootstrap.create_user('Project Developer')
observer = bootstrap.create_user('Random Non-Project User')
anon = User(_id=None, username='******',
display_name='Anonymous')
t = Ticket(summary='my ticket', ticket_num=3,
reported_by_id=creator._id)
assert creator == t.reported_by
role_admin = ProjectRole.by_name('Admin')._id
role_developer = ProjectRole.by_name('Developer')._id
role_creator = ProjectRole.by_user(t.reported_by, upsert=True)._id
ProjectRole.by_user(
developer, upsert=True).roles.append(role_developer)
ThreadLocalORMSession.flush_all()
cred = Credentials.get().clear()
t.private = True
assert_equal(t.acl, [
ACE.allow(role_developer, 'save_searches'),
ACE.allow(role_developer, 'read'),
ACE.allow(role_developer, 'create'),
ACE.allow(role_developer, 'update'),
ACE.allow(role_developer, 'unmoderated_post'),
ACE.allow(role_developer, 'post'),
ACE.allow(role_developer, 'moderate'),
ACE.allow(role_developer, 'delete'),
ACE.allow(role_creator, 'read'),
ACE.allow(role_creator, 'post'),
ACE.allow(role_creator, 'create'),
ACE.allow(role_creator, 'unmoderated_post'),
DENY_ALL])
assert has_access(t, 'read', user=admin)()
assert has_access(t, 'create', user=admin)()
assert has_access(t, 'update', user=admin)()
assert has_access(t, 'read', user=creator)()
assert has_access(t, 'post', user=creator)()
assert has_access(t, 'unmoderated_post', user=creator)()
assert has_access(t, 'create', user=creator)()
assert not has_access(t, 'update', user=creator)()
assert has_access(t, 'read', user=developer)()
assert has_access(t, 'create', user=developer)()
assert has_access(t, 'update', user=developer)()
assert not has_access(t, 'read', user=observer)()
assert not has_access(t, 'create', user=observer)()
assert not has_access(t, 'update', user=observer)()
assert not has_access(t, 'read', user=anon)()
assert not has_access(t, 'create', user=anon)()
assert not has_access(t, 'update', user=anon)()
t.private = False
assert t.acl == []
assert has_access(t, 'read', user=admin)()
assert has_access(t, 'create', user=admin)()
assert has_access(t, 'update', user=admin)()
assert has_access(t, 'read', user=developer)()
assert has_access(t, 'create', user=developer)()
assert has_access(t, 'update', user=developer)()
assert has_access(t, 'read', user=creator)()
assert has_access(t, 'unmoderated_post', user=creator)()
assert has_access(t, 'create', user=creator)()
assert not has_access(t, 'update', user=creator)()
assert has_access(t, 'read', user=observer)()
assert has_access(t, 'read', user=anon)()
def install(self, project):
pr = ProjectRole.by_user(c.user)
if pr:
self.config.acl = [
ACE.allow(pr._id, perm)
for perm in self.permissions]
def test_private_ticket(self):
from allura.model import ProjectRole
from allura.model import ACE, DENY_ALL
from allura.lib.security import Credentials, has_access
from allura.websetup import bootstrap
admin = c.user
creator = bootstrap.create_user('Not a Project Admin')
developer = bootstrap.create_user('Project Developer')
observer = bootstrap.create_user('Random Non-Project User')
anon = User(_id=None, username='******',
display_name='Anonymous')
t = Ticket(summary='my ticket', ticket_num=3,
reported_by_id=creator._id)
assert creator == t.reported_by
role_admin = ProjectRole.by_name('Admin')._id
role_developer = ProjectRole.by_name('Developer')._id
role_creator = ProjectRole.by_user(t.reported_by, upsert=True)._id
ProjectRole.by_user(
developer, upsert=True).roles.append(role_developer)
ThreadLocalORMSession.flush_all()
cred = Credentials.get().clear()
t.private = True
assert_equal(t.acl, [
ACE.allow(role_developer, 'save_searches'),
ACE.allow(role_developer, 'read'),
ACE.allow(role_developer, 'create'),
ACE.allow(role_developer, 'update'),
ACE.allow(role_developer, 'unmoderated_post'),
ACE.allow(role_developer, 'post'),
ACE.allow(role_developer, 'moderate'),
ACE.allow(role_developer, 'delete'),
ACE.allow(role_creator, 'read'),
ACE.allow(role_creator, 'post'),
ACE.allow(role_creator, 'create'),
ACE.allow(role_creator, 'unmoderated_post'),
DENY_ALL])
assert has_access(t, 'read', user=admin)()
assert has_access(t, 'create', user=admin)()
assert has_access(t, 'update', user=admin)()
assert has_access(t, 'read', user=creator)()
assert has_access(t, 'post', user=creator)()
assert has_access(t, 'unmoderated_post', user=creator)()
assert has_access(t, 'create', user=creator)()
assert not has_access(t, 'update', user=creator)()
assert has_access(t, 'read', user=developer)()
assert has_access(t, 'create', user=developer)()
assert has_access(t, 'update', user=developer)()
assert not has_access(t, 'read', user=observer)()
assert not has_access(t, 'create', user=observer)()
assert not has_access(t, 'update', user=observer)()
assert not has_access(t, 'read', user=anon)()
assert not has_access(t, 'create', user=anon)()
assert not has_access(t, 'update', user=anon)()
t.private = False
assert t.acl == []
assert has_access(t, 'read', user=admin)()
assert has_access(t, 'create', user=admin)()
assert has_access(t, 'update', user=admin)()
assert has_access(t, 'read', user=developer)()
assert has_access(t, 'create', user=developer)()
assert has_access(t, 'update', user=developer)()
assert has_access(t, 'read', user=creator)()
assert has_access(t, 'unmoderated_post', user=creator)()
assert has_access(t, 'create', user=creator)()
assert not has_access(t, 'update', user=creator)()
assert has_access(t, 'read', user=observer)()
assert has_access(t, 'read', user=anon)()
