def test_decorators(self) :
god = User(username='******', email_address='*****@*****.**')
god.save()
group, created= TgGroup.objects.get_or_create(group_name='group',
display_name='Our Group',
place=None, level='member', user=god)
group.to_security_context()
b = group.create_OurPost(god, title='test decorator')
from apps.plus_permissions.models import get_interface_map
i_editor = get_interface_map(OurPost)['Editor']
@secure_resource(OurPost, required_interfaces=['Editor'])
def foo(request, resource, *args, **kwargs) :
resource.title = "blah"
return True
class FakeRequest :
def __init__(self, user) :
self.user = user
u = User(username='******',email_address='*****@*****.**')
u.save()
self.assertFalse(has_access(u, b, 'OurPost.Editor'))
self.assertEquals(HttpResponseForbidden, foo(FakeRequest(u), b.id).__class__)
b.get_inner().get_security_context().add_arbitrary_agent(u, 'OurPost.Editor', god)
self.assertTrue(foo(FakeRequest(u), b.id))
def view_wiki_page(request, group, page_name, template_name="plus_wiki/wiki.html", current_app='plus_groups', **kwargs):
try:
obj = WikiPage.objects.plus_get(request.user, name=page_name, in_agent=group.get_ref())
except WikiPage.DoesNotExist:
raise Http404
version_list = Version.objects.get_for_object(obj._inner)
version = Version.objects.get_for_date(obj._inner, datetime.now())
contributors = get_contributors(request.user, obj)
contributors = [TemplateSecureWrapper(contributor) for contributor in contributors]
can_comment = False
try:
obj.comment
can_comment = True
except :
pass # no permission
try:
obj.get_all_sliders
perms_bool = True
except PlusPermissionsNoAccessException:
perms_bool = False
edit = has_access(request.user, obj, 'WikiPage.Editor')
return render_to_response(template_name, {
'page':TemplateSecureWrapper(obj),
'version':version,
'contributors':contributors,
'can_comment':can_comment,
'version_list':version_list,
'tags':get_tags(request.user, obj),
'permissions':perms_bool,
'can_edit': edit,
'comparable':version_list.count()>1}, context_instance=RequestContext(request, current_app=current_app))
def home(request, success_url=None):
"""
Let's base homepage on the microblog personal now.
"""
if not request.user.is_authenticated():
return render_to_response(
"home/clients/%s/home.html" % settings.PROJECT_THEME, {}, context_instance=RequestContext(request)
)
twitter_account = twitter_account_for_user(request.user)
template_name = "home/clients/%s/home_logged_in.html" % settings.PROJECT_THEME
form_class = TweetForm
if request.method == "POST":
form = form_class(request.user, request.POST)
if form.is_valid():
text = form.cleaned_data["text"]
form.save()
if request.POST.get("pub2twitter", False):
twitter_account.PostUpdate(text)
if success_url is None:
success_url = reverse("home")
return HttpResponseRedirect(success_url)
reply = None
else:
reply = request.GET.get("reply", None)
form = form_class()
if reply:
form.fields["text"].initial = u"@%s " % reply
tweets = FeedItem.feed_manager.get_for(request.user).order_by("-sent")
global_tweets = FeedItem.feed_manager.all_permissioned(request.user)
all_members_group = get_all_members_group()
if has_access(request.user, None, "Application.Accept", all_members_group.get_security_context()):
has_accept = True
else:
has_accept = False
return render_to_response(
template_name,
{
"head_title": "Home",
"head_title_status": "",
"form": form,
"reply": reply,
"tweets": tweets,
"global_tweets": global_tweets,
"twitter_authorized": twitter_verify_credentials(twitter_account),
"site_members_group": all_members_group,
"has_accept": has_accept,
},
context_instance=RequestContext(request),
)
def home(request, success_url=None):
"""
Let's base homepage on the microblog personal now.
"""
if not request.user.is_authenticated():
return render_to_response('home/clients/%s/home.html' %
settings.PROJECT_THEME, {},
context_instance=RequestContext(request))
twitter_account = twitter_account_for_user(request.user)
template_name = "home/clients/%s/home_logged_in.html" % settings.PROJECT_THEME
form_class = TweetForm
if request.method == "POST":
form = form_class(request.user, request.POST)
if form.is_valid():
text = form.cleaned_data['text']
form.save()
if request.POST.get("pub2twitter", False):
twitter_account.PostUpdate(text)
if success_url is None:
success_url = reverse('home')
return HttpResponseRedirect(success_url)
reply = None
else:
reply = request.GET.get("reply", None)
form = form_class()
if reply:
form.fields['text'].initial = u"@%s " % reply
tweets = FeedItem.feed_manager.get_for(request.user).order_by("-sent")
global_tweets = FeedItem.feed_manager.all_permissioned(request.user)
all_members_group = get_all_members_group()
if has_access(request.user, None, 'Application.Accept',
all_members_group.get_security_context()):
has_accept = True
else:
has_accept = False
return render_to_response(
template_name, {
"head_title": "Home",
"head_title_status": '',
"form": form,
"reply": reply,
"tweets": tweets,
"global_tweets": global_tweets,
"twitter_authorized": twitter_verify_credentials(twitter_account),
"site_members_group": all_members_group,
"has_accept": has_accept
},
context_instance=RequestContext(request))
def view_resource(request,
group,
resource_name,
template_name="plus_resources/view.html",
current_app='plus_groups',
**kwargs):
if not group:
raise Http404(_('This group does not exist'))
try:
obj = Resource.objects.plus_get(request.user,
name=resource_name,
in_agent=group.get_ref())
except Resource.DoesNotExist:
raise Http404
if not request.user.is_authenticated():
request.user = get_anon_user()
try:
obj.get_all_sliders
perms_bool = True
except PlusPermissionsNoAccessException:
perms_bool = False
try:
obj.comment
can_comment = True
except PlusPermissionsNoAccessException:
can_comment = False
edit = has_access(request.user, obj, 'Resource.Editor')
tags = get_tags_for_object(obj, request.user)
if obj.get_inner().created_by:
created_by = obj.get_inner().created_by.get_display_name()
else:
created_by = None
return render_to_response(template_name, {
'upload': TemplateSecureWrapper(obj),
'page_title': obj.title,
'created_by': created_by,
'permissions': perms_bool,
'can_comment': can_comment,
'can_edit': edit,
'tags': tags
},
context_instance=RequestContext(
request, current_app=current_app))
def view_resource(request, group, resource_name, template_name="plus_resources/view.html",
current_app='plus_groups', **kwargs):
if not group :
raise Http404(_('This group does not exist'))
try:
obj = Resource.objects.plus_get(request.user, name=resource_name, in_agent=group.get_ref())
except Resource.DoesNotExist:
raise Http404
if not request.user.is_authenticated():
request.user = get_anon_user()
try:
obj.get_all_sliders
perms_bool = True
except PlusPermissionsNoAccessException:
perms_bool = False
try :
obj.comment
can_comment=True
except PlusPermissionsNoAccessException:
can_comment=False
edit = has_access(request.user, obj, 'Resource.Editor')
tags = get_tags_for_object(obj, request.user)
if obj.get_inner().created_by :
created_by = obj.get_inner().created_by.get_display_name()
else :
created_by = None
return render_to_response(template_name, {
'upload' : TemplateSecureWrapper(obj),
'page_title' : obj.title,
'created_by' : created_by,
'permissions' : perms_bool,
'can_comment' : can_comment,
'can_edit' : edit,
'tags': tags
}, context_instance=RequestContext(request, current_app=current_app))
def view_wiki_page(request, group, page_name, template_name="plus_wiki/wiki.html", current_app='plus_groups', **kwargs):
if not group :
raise Http404(_('This group does not exist'))
try:
obj = WikiPage.objects.plus_get(request.user, name=page_name, in_agent=group.get_ref())
except WikiPage.DoesNotExist:
raise Http404
if obj.stub :
# we don't want to show the wikipage at this point, but what do we do instead?
request.user.message_set.create(message=_('The page you tried to visit has not yet been published by the creator.')%{})
return HttpResponseRedirect(reverse(current_app + ':group', args=[group.id]))
version_list = Version.objects.get_for_object(obj._inner)
try:
version = Version.objects.get_for_date(obj._inner, datetime.now())
except Version.DoesNotExist :
# XXX this isn't a solution ... we need to know WHY the version doesn't exist,
# but will hide the error page from the user
raise Http404
contributors = get_contributors(request.user, obj)
contributors = [TemplateSecureWrapper(contributor) for contributor in contributors]
can_comment = False
try:
obj.comment
can_comment = True
except :
pass # no permission
try:
obj.get_all_sliders
perms_bool = True
except PlusPermissionsNoAccessException:
perms_bool = False
edit = has_access(request.user, obj, 'WikiPage.Editor')
group_id = obj.get_inner().in_agent.obj.id
group_display_name = obj.get_inner().in_agent.obj.get_display_name()
created_by = obj.get_inner().created_by
# get this here because if we find ourselves on a page without access to group,
# getting the obj.in_agent.id in the template blows up
return render_to_response(template_name, {
'page':TemplateSecureWrapper(obj),
'group_id':group_id,
'group_display_name':group_display_name,
'created_by':created_by,
'version':version,
'contributors':contributors,
'can_comment':can_comment,
'version_list':version_list,
'tags': get_tags_for_object(obj, request.user),
'permissions':perms_bool,
'can_edit': edit,
'comparable':version_list.count()>1,
'pages_listings_args':listing_args('home', 'home', ''),
}, context_instance=RequestContext(request, current_app=current_app))
def view_wiki_page(request,
group,
page_name,
template_name="plus_wiki/wiki.html",
current_app='plus_groups',
**kwargs):
if not group:
raise Http404(_('This group does not exist'))
try:
obj = WikiPage.objects.plus_get(request.user,
name=page_name,
in_agent=group.get_ref())
except WikiPage.DoesNotExist:
raise Http404
if obj.stub:
# we don't want to show the wikipage at this point, but what do we do instead?
request.user.message_set.create(message=_(
'The page you tried to visit has not yet been published by the creator.'
) % {})
return HttpResponseRedirect(
reverse(current_app + ':group', args=[group.id]))
version_list = Version.objects.get_for_object(obj._inner)
try:
version = Version.objects.get_for_date(obj._inner, datetime.now())
except Version.DoesNotExist:
# XXX this isn't a solution ... we need to know WHY the version doesn't exist,
# but will hide the error page from the user
raise Http404
contributors = get_contributors(request.user, obj)
contributors = [
TemplateSecureWrapper(contributor) for contributor in contributors
]
can_comment = False
try:
obj.comment
can_comment = True
except:
pass # no permission
try:
obj.get_all_sliders
perms_bool = True
except PlusPermissionsNoAccessException:
perms_bool = False
edit = has_access(request.user, obj, 'WikiPage.Editor')
group_id = obj.get_inner().in_agent.obj.id
group_display_name = obj.get_inner().in_agent.obj.get_display_name()
created_by = obj.get_inner().created_by
# get this here because if we find ourselves on a page without access to group,
# getting the obj.in_agent.id in the template blows up
return render_to_response(
template_name, {
'page': TemplateSecureWrapper(obj),
'group_id': group_id,
'group_display_name': group_display_name,
'created_by': created_by,
'version': version,
'contributors': contributors,
'can_comment': can_comment,
'version_list': version_list,
'tags': get_tags_for_object(obj, request.user),
'permissions': perms_bool,
'can_edit': edit,
'comparable': version_list.count() > 1,
'pages_listings_args': listing_args('home', 'home', ''),
},
context_instance=RequestContext(request, current_app=current_app))
def test_access(self) :
""" Starting with security_contexts"""
nahia = User(username='******', email_address='*****@*****.**')
nahia.save()
adam = get_admin_user()
kx, created = TgGroup.objects.get_or_create(group_name='kingsX', display_name='Hub Kings Cross',
level='member', user=adam)
kxsc = kx.to_security_context()
blog = kx.create_OurPost(title='my blog', creator=adam)
blog.save()
# assert that the blog post acquires it's security context from Kings Cross
self.assertEquals(blog.get_inner().get_security_context().id, kx.get_security_context().id)
# confirm that there's an OurPost.Viewer interface for Kings Cross
self.assertTrue( kx.get_tag_for_interface("OurPost.Viewer"))
# but nahia has no access to the blog
self.assertFalse(has_access(nahia, blog, "OurPost.Viewer"))
# now lets add this user to the tag
tag = kx.get_tag_for_interface("OurPost.Viewer")
tag.add_agents([nahia.get_ref()])
# so now nahia has access
self.assertTrue( has_access(nahia, blog, "OurPost.Viewer"))
# but tuba doesn't
tuba = User(username='******', email_address='*****@*****.**')
tuba.save()
self.assertFalse( has_access(tuba, blog, "OurPost.Viewer"))
# however, we presumably want to give kings cross *members* access to it
tag.add_agents([kx.get_ref()])
self.assertTrue( has_access(kx, blog, "OurPost.Viewer"))
# so if we add tuba to kings cross
kx.add_member(tuba)
# she now has access
self.assertTrue( has_access(tuba, blog, "OurPost.Viewer"))
# Now we test that a second blog-post that's created starts with similar access
blog2 = kx.create_OurPost(creator=adam, title='second post')
blog2.save()
self.assertTrue(has_access(tuba, blog2, "OurPost.Viewer"))
# but we assume that not everyone got an editor interface
self.assertFalse(has_access(tuba, blog2, "OurPost.Editor"))
# add an arbitrary agent and remove her agaiin
blog._inner.get_security_context().add_arbitrary_agent(tuba, 'OurPost.Editor', adam)
self.assertTrue(has_access(tuba, blog, "OurPost.Editor"))
blog._inner.get_security_context().remove_arbitrary_agent(tuba, 'OurPost.Editor', adam)
self.assertFalse(has_access(tuba, blog, "OurPost.Editor"))
#test moving the sliders around
members_group = blog._inner.get_security_context().context_agent.obj
admin_group = blog._inner.get_security_context().context_admin.obj
#set the slider so that members of KX have the Editor interface
blog._inner.get_security_context().move_slider(members_group, 'OurPost.Editor', adam)
#check that the slider level actually changed
level = blog._inner.get_security_context().get_slider_level('OurPost.Editor')
self.assertTrue(level==members_group)
#and check that tuba has access
self.assertTrue(has_access(tuba, blog, "OurPost.Editor"))
#now remove tuba from the members group
members_group.remove_member(tuba)
self.assertFalse(has_access(tuba, blog, "OurPost.Editor"))
#and re-add her
members_group.add_member(tuba)
self.assertTrue(has_access(tuba, blog, "OurPost.Editor"))
#raise the requirement to the admin group
blog.get_inner().get_security_context().move_slider(admin_group, 'OurPost.Editor', adam)
level = blog.get_inner().get_security_context().get_slider_level('OurPost.Editor')
#check the slider changed and that adam can now access while tuba cannot
self.assertTrue(level==admin_group)
self.assertFalse(has_access(tuba, blog, "OurPost.Editor"))
self.assertTrue(has_access(adam, blog, "OurPost.Editor"))
#use the move_sliders interface which should be called by the UI and check that constraints are enforced correctly
# this should fail validation because editor can't be higher than viewer
def move_sliders(slider_dict, type_name, user):
blog._inner.get_security_context().move_sliders(slider_dict, type_name, user=user)
anonymous_group = get_anonymous_group()
self.assertRaises(InvalidSliderConfiguration, move_sliders, {'OurPost.Editor':members_group, 'OurPost.Viewer':admin_group}, 'OurPost', adam)
# so should this because Editor can't be anonymous
self.assertRaises(InvalidSliderConfiguration, move_sliders, {'OurPost.Editor':anonymous_group, 'OurPost.Viewer':anonymous_group}, 'OurPost', adam)
# check that nothing changed
level = blog._inner.get_security_context().get_slider_level('OurPost.Editor')
self.assertTrue(level==admin_group)
# this should validate
blog._inner.get_security_context().move_sliders({'OurPost.Editor':members_group, 'OurPost.Viewer':members_group}, 'OurPost', adam)
# and levels should be changed
level = blog._inner.get_security_context().get_slider_level('OurPost.Editor')
self.assertTrue(level==members_group)
level = blog._inner.get_security_context().get_slider_level('OurPost.Viewer')
self.assertTrue(level==members_group)
# so now we're going to give tuba special permissions on this blog post ONLY
# so first make the blog post a custom context
sc2 = blog2.create_custom_security_context()
# assert now that blog2's security context is NOT the same as blog's
self.assertNotEquals(blog2._inner.get_security_context(), blog._inner.get_security_context())
# but that the admin and agent are
self.assertEquals(blog2._inner.get_security_context().context_agent, blog._inner.get_security_context().context_agent)
self.assertEquals(blog2._inner.get_security_context().context_admin, blog._inner.get_security_context().context_admin)
# another kings cross host
elenor = User(username='******', email_address='*****@*****.**')
elenor.save()
# who doesn't have access
self.assertFalse(has_access(elenor, blog2, 'OurPost.Editor'))
# so we add her to the tag
sc2.add_arbitrary_agent(elenor, 'OurPost.Editor', adam)
# and she now has access
self.assertTrue(has_access(elenor, blog2, "OurPost.Editor"))
# let's take her away again and check she loses access
blog2.remove_arbitrary_agent(elenor, 'OurPost.Editor', adam)
self.assertFalse(has_access(elenor, blog2, "OurPost.Editor"))
# and if we add elinor to kx
kx.add_member(elenor)
# so should have same access
self.assertTrue(has_access(elenor, blog, "OurPost.Editor"))
print e
pass
try :
group.change_avatar
can_change_avatar = True
except Exception, e:
pass
try :
dummy = group.delete
can_delete = True
except :
pass
if has_access(request.user, None, 'Application.Accept', group._inner.get_security_context()):
has_accept = True
else:
has_accept = False
tweets = FeedItem.feed_manager.get_from_permissioned(group, request.user)
try:
group.get_all_sliders
perms_bool = True
except PlusPermissionsNoAccessException:
perms_bool = False
if kwargs['type'] == 'hub':
type_name = hub_name()
else: