def test_disallow_map_if_user_permission_revoked(self): self._create_user_and_login('alice') assign('change_xform', self.user, self.xform) response = self.client.get(self.url) remove_perm('change_xform', self.user, self.xform) response = self.client.get(self.url) self.assertEqual(response.status_code, 403)
def form_valid(self, form): """ Comprobar validez del formulario. :param form:formulario recibido. :return:URL de redireccion correcta. """ super(RolUpdate, self).form_valid(form) # eliminamos permisos anteriores. self.object.permissions.clear() choosed_perms = get_selected_perms(self.request.POST) for permname in choosed_perms: perm = Permission.objects.get(codename=permname) self.object.permissions.add(perm) # actualizamos los permisos de los miembros de equipos que tienen este rol. team_members_set = self.object.miembroequipo_set.all() for team_member in team_members_set: user = team_member.usuario project = team_member.proyecto # borramos todos los permisos que tiene asociado el usuario en el proyecto. for perm in get_perms(user, project): # no eliminar el permiso view_project. if perm != 'view_project': remove_perm(perm, user, project) all_roles = team_member.roles.all() for role in all_roles: # desacociamos al usuario de los demas roles con los que contaba (para que se eliminen los permisos anteriores). team_member.roles.remove(role) # volvemos a agregar para que se copien los permisos actualizados. team_member.roles.add(role) return HttpResponseRedirect(self.get_success_url())
def save(self, *args, **kw): #TODO: abort save if sent if self.pk is not None: orig = Request.objects.get(pk=self.pk) if orig.private != self.private: logger.info("request %s privacy changed to=%s from=%s" % (self.slug, self.private, orig.private)) group, g_created = Group.objects.get_or_create(name='public') if self.private == True: remove_perm(Request.get_permission_name('view'), group, self) logger.info('request %s permissions changed: removed from public' % (self.slug)) else: assign(Request.get_permission_name('view'), group, self) logger.info('request %s permissions changed: added to public' % (self.slug)) #import pdb;pdb.set_trace() if self.contacts is not None and self.contacts.count() > 0 and self.contacts.all()[0].get_related_agencies().count() > 0: self.agency = self.contacts.all()[0].get_related_agencies()[0] self.government = self.agency.government else: self.agency = None self.government = None else: self.status = 'I' code = "LOOKUP:" + User.objects.make_random_password(length=64) while Request.objects.filter(thread_lookup=code): code = User.objects.make_random_password(length=64) self.thread_lookup = code super(Request, self).save(*args, **kw)
def test_group_remove_perm(self): # assign perm first assign_perm("change_contenttype", self.group, self.ctype) remove_perm("change_contenttype", self.group, self.ctype) check = ObjectPermissionChecker(self.group) self.assertFalse(check.has_perm("change_contenttype", self.ctype))
def test_group_remove_perm(self): # assign perm first assign("change_keycard", self.group, self.keycard) remove_perm("change_keycard", self.group, self.keycard) check = ObjectPermissionChecker(self.group) self.assertFalse(check.has_perm("change_keycard", self.keycard))
def test_remove_perm(self): assign_perm('contenttypes.change_contenttype', self.user, self.ctype) self.assertTrue( self.user.has_perm('contenttypes.change_contenttype', self.ctype)) remove_perm('contenttypes.change_contenttype', self.user, self.ctype) self.assertFalse( self.user.has_perm('contenttypes.change_contenttype', self.ctype))
def test_unpublished_layer(self): """With resource publishing""" layer = Layer.objects.filter(alternate='geonode:CA')[0] layer.is_published = False layer.save() user = get_user_model().objects.get(username='******') self.client.login(username='******', password='******') # 404 if layer is unpublished response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 404) # 404 if layer is unpublished but user has permission but does not belong to the group assign_perm('publish_resourcebase', user, layer.get_self_resource()) response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 404) # 200 if layer is unpublished and user is owner remove_perm('publish_resourcebase', user, layer.get_self_resource()) layer.owner = user layer.save() response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 200) # 200 if layer is published layer.is_published = True layer.save() response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 200) layer.is_published = True layer.save()
def form_valid(self, form): ''' # actualiza los miembros del equipo del proyecto que se hayan especifico #:param form: formulario de edición del proyecto ''' self.object = form.save() formset = self.TeamMemberInlineFormSet(self.request.POST, instance=self.object) if formset.is_valid(): # borramos todos los permisos asociados al usuario en el proyecto antes de volver a asignar los nuevos proyecto = self.object for form in formset: if form.has_changed(): #solo los formularios con cambios efectuados user = form.cleaned_data['usuario'] if('usuario' in form.changed_data and 'usuario' in form.initial): #si se cambia el usuario, borrar permisos del usuario anterior original_user = get_object_or_404(User, pk=form.initial['usuario']) for perm in get_perms(original_user, proyecto): remove_perm(perm, original_user, proyecto) else: for perm in get_perms(user, proyecto): remove_perm(perm, user, proyecto) formset.save() return HttpResponseRedirect(reverse('project_list')) return render(self.request, self.get_template_names(), {'form': form, 'formset': formset}, context_instance=RequestContext(self.request))
def perform_destroy(self, instance): model_cls = self.get_model_cls() app_label = model_cls._meta.app_label model_name = model_cls._meta.model_name for perm in instance['permissions']: remove_perm('%s.%s_%s' % (app_label, perm, model_name), instance[self.get_user_or_group()])
def test_map_download(self): """Test the correct permissions on layers on map download""" create_models(type='map') create_maplayers() # Get a Map the_map = Map.objects.get(title='GeoNode Default Map') # Get a MapLayer and set the parameters as it is local and not a background # and leave it alone in the map map_layer = the_map.layer_set.get(name='geonode:CA') map_layer.local = True map_layer.group = 'overlay' map_layer.save() the_map.layer_set.all().delete() the_map.layer_set.add(map_layer) # Get the Layer and set the permissions for bobby to it and the map bobby = Profile.objects.get(username='******') the_layer = Layer.objects.get(typename='geonode:CA') remove_perm('download_resourcebase', bobby, the_layer.get_self_resource()) remove_perm('download_resourcebase', Group.objects.get(name='anonymous'), the_layer.get_self_resource()) assign_perm('view_resourcebase', bobby, the_layer.get_self_resource()) assign_perm('download_resourcebase', bobby, the_map.get_self_resource()) self.client.login(username='******', password='******') response = self.client.get(reverse('map_download', args=(the_map.id,))) self.assertTrue('Could not find downloadable layers for this map' in response.content)
def test_view_permissions_for_logged_in_user(self): # check that user is not allowed to see information document document = Document.objects.get() response = self.app.get( reverse("information_pages:view_information", args=[document.url_title]), user=self.user, status=403 ) self.assertEqual(response.status_code, 403) # grant view permission to that user assign_perm(InformationDocument.VIEW_PERMISSION_NAME, self.user, document) response = self.app.get( reverse("information_pages:view_information", args=[document.url_title]), user=self.user ) self.assertEqual(response.status_code, 200) remove_perm(InformationDocument.VIEW_PERMISSION_NAME, self.user, document) # check that user is not allowed to see page anymore response = self.app.get( reverse("information_pages:view_information", args=[document.url_title]), user=self.user, status=403 ) self.assertEqual(response.status_code, 403) # add user to test group and test that he is now allowed to see that document self.user.groups.add(self.group) self.user.save() response = self.app.get( reverse("information_pages:view_information", args=[document.url_title]), user=self.user ) self.assertEqual(response.status_code, 200)
def view_solutions(request, quiz_id): if request.method == 'GET': quiz = get_object_or_404(Quiz, pk=quiz_id) u = request.user p = u.profile # Make sure student has already answered the quiz try: answer_sheet = AnswerSheet.objects.get(quiz=quiz, owner=p) except AnswerSheet.DoesNotExist: answer_sheet = None if answer_sheet is None or not answer_sheet.submitted: return HttpResponseForbidden() # After student views the answer, he cannot change his answers answer_sheet.confirmed = True answer_sheet.save() # Remove student's permission to change answers perm = 'attempt_quiz' if request.user.has_perm(perm, quiz): remove_perm(perm, u, quiz) questions = Question.objects.filter(quiz=quiz) student_answers = answer_sheet.answers.all() # Build a map between question_id and answer answers = {a.question_id: a.answer for a in student_answers} for question in questions: question.answer = answers[question.id] context = {'questions': questions} return render(request, 'quizzes/view_solutions.html', context)
def shares_edit(message): data = json.loads(message['data']) workspace = get_object_or_404(Project, pk=data['workspace_id']) user = get_object_or_404(User, username=data['username']) perms = data.get('permissions', '').split(',') if not message.user.has_perm('falkor.can_edit_shares', workspace): return if user == workspace.user: Group("user-%s" % message.user.pk).send(create_event('notifications', {'level': 'info', 'message': 'you cannot change permissions of the owner'})) return permissions = ['can_open_ide'] print 'ERR', user, perms for perm in permissions: if perm in perms: print 'Adding', perm, 'for', user assign_perm(perm, user, workspace) else: print 'Removing', perm, 'for', user remove_perm(perm, user, workspace) cli = docker_cli() get_workspace_full(cli, message.user, workspace) Group("user-%s" % message.user.pk).send(create_event('workspaces.select', model_to_dict(workspace)))
def test_create_permissions_for_anonymous_user(self): anonymous_user = get_anonymous_user() # check that anonymous user is not allowed to see that document response = self.app.get(reverse("information_pages:create"), user=anonymous_user, status=403) self.assertEqual(response.status_code, 403) # allow anonymous users to see that document and test that assign_perm("information_pages.add_informationdocument", anonymous_user) assign_perm("information_pages.change_informationdocument", anonymous_user) # it should work now response = self.app.get(reverse("information_pages:create"), user=anonymous_user) self.assertEqual(response.status_code, 200) remove_perm("information_pages.add_informationdocument", anonymous_user) remove_perm("information_pages.change_informationdocument", anonymous_user) # check that anonymous user is not allowed to see page anymore response = self.app.get(reverse("information_pages:create"), user=anonymous_user, status=403) self.assertEqual(response.status_code, 403) # test the same with group anonymous_user.groups.add(self.group) anonymous_user.save() response = self.app.get(reverse("information_pages:create")) self.assertEqual(response.status_code, 200)
def post(self, request, format=None, **kwargs): host = get_object_or_404(Host, pk=kwargs['pk']) serializer = host_serializers.HostOwnerSerializer(data=request.data) if serializer.is_valid(): user_list = serializer.data.get('users') group_list = serializer.data.get('groups') if user_list: users = User.objects.none() for username in user_list: users |= User.objects.filter(username__iexact=username) for user in users: remove_perm('hosts.is_owner_host', user, host) if group_list: groups = Group.objects.none() for groupname in group_list: groups |= Group.objects.filter(name__iexact=groupname) for group in groups: remove_perm('hosts.is_owner_host', group, host) return Response(serializer.data, status=status.HTTP_200_OK) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
def test_permissions(self): """ Generic method to test permissions for each resource """ if not self._error_check_permissions(): # Just succeed immediately if necessary return self.client.login(username='******', password='******') endpoint = self.permission_tests['endpoint'].format(self.obj.pk) # Iterate over the methods / permissions for perm_type in self.permission_tests['permission_types']: # Should fail now - no permission method = perm_type['method'] response = getattr(self.client, method)(endpoint, perm_type.get('data', {})) self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND) # Assign permission assign_perm(self.permission_tests['permission'] % perm_type['perm'], self.user, self.obj) # Should work now - permission granted response = getattr(self.client, method)(endpoint, perm_type.get('data', {})) expected_code = perm_type.get('code', status.HTTP_200_OK) self.assertEqual(response.status_code, expected_code) # Remove permission remove_perm(self.permission_tests['permission'] % perm_type['perm'], self.user, self.obj)
def test_unpublished_layer(self): """Test unpublished layer behaviour""" user = get_user_model().objects.get(username='******') self.client.login(username='******', password='******') # default (RESOURCE_PUBLISHING=False) # access to layer detail page gives 200 if layer is published or # unpublished response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 200) layer = Layer.objects.filter(title='CA')[0] layer.is_published = False layer.save() response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 200) # with resource publishing with self.settings(RESOURCE_PUBLISHING=True): # 404 if layer is unpublished response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 404) # 200 if layer is unpublished but user has permission assign_perm('publish_resourcebase', user, layer.get_self_resource()) response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 200) # 200 if layer is published layer.is_published = True layer.save() remove_perm('publish_resourcebase', user, layer.get_self_resource()) response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 200) layer.is_published = True layer.save()
def test_group_remove_perm(self): # assign perm first assign("change_flatpage", self.group, self.flatpage) remove_perm("change_flatpage", self.group, self.flatpage) check = ObjectPermissionChecker(self.group) self.assertFalse(check.has_perm("change_flatpage", self.flatpage))
def test_users_with_model_perms_attach_perms(self): for perm in CloudAccount.model_permissions: users = shortcuts.get_users_with_model_perms( CloudAccount, attach_perms=True, with_group_users=False, with_superusers=False, ) self.assertIsInstance(users, dict) self.assertEqual(len(users), 0) assign_perm('cloud.%s_cloudaccount' % perm, self.user) users = shortcuts.get_users_with_model_perms( CloudAccount, attach_perms=True, with_group_users=False, with_superusers=False, ) self.assertIsInstance(users, dict) self.assertEqual(len(users), 1) self.assertTrue(self.user in users) self.assertEqual(users[self.user], ['%s_cloudaccount' % perm]) remove_perm('cloud.%s_cloudaccount' % perm, self.user)
def set_free_resources(self, user): '' manager = self.get_managers()[0] for resource in self.resources_by_user(user): remove_perm('view_resourcebase', manager, resource) AppMember.objects.get(app=self, user=user).delete()
def save(self, commit=True): """ Saves granted permissions and removes those switched off. """ member, project = self.membership.member, self.membership.project granted_perms = self.cleaned_data['permissions'] logging.info("Granted perms: %s" % granted_perms) member_perms = get_perms(member, project) # Grant permissions for perm in granted_perms: if perm not in member_perms: assign(perm, member, project) self._message('info', _("Permission added: %s" % perm)) # Remove permissions for perm in member_perms: if perm not in granted_perms: remove_perm(perm, member, project) # notify user if perm is still granted by member's groups groups_with_perm = member.groups.filter( groupobjectpermission__permission__codename=perm) if groups_with_perm: messages.warning(self.request, _("Permission %(perm)s is " "still granted for %(user)s as following group(s) " "has/have it: %(groups)s" % { 'perm': perm, 'user': member, 'groups': ', '.join( (str(group) for group in groups_with_perm) ) })) self._message('warning', _("Permission removed: %s" % perm))
def test_group_remove_perm_global(self): # assign perm first perm = "contenttypes.change_contenttype" assign(perm, self.group) remove_perm(perm, self.group) group_perms = GroupPermissionList.objects.get(group=self.group).permission_list self.assertFalse(perm in group_perms)
def assign_permission(new_groups, objects, perm): groups = Group.objects.all() for obj in objects: for group in groups: remove_perm(perm, group, obj) for new_group in new_groups: assign(perm, new_group, obj)
def form_valid(self, form): old_course = models.Course.objects.get(pk=form.instance.pk) initial_instructors = list(old_course.instructors.all()) initial_students = list(old_course.students.all()) response = super(CourseUpdate, self).form_valid(form) instructors = form.instance.instructors.all() students = form.instance.students.all() # print(initial_instructors) # print(instructors) # print(initial_students) # print(students) # Revoke permissions for user in initial_instructors: remove_perm('change_course', user, form.instance) remove_perm('view_course', user, form.instance) remove_perm('instruct_course', user, form.instance) for user in initial_students: remove_perm('view_course', user, form.instance) remove_perm('enroll_course', user, form.instance) # Assign permissions for user in instructors: assign_perm('change_course', user, form.instance) assign_perm('view_course', user, form.instance) assign_perm('instruct_course', user, form.instance) for user in students: assign_perm('view_course', user, form.instance) assign_perm('enroll_course', user, form.instance) return response
def save_model(self, request, obj, form, change): new_flag = obj._state.adding if request.user.is_authenticated: obj.updated_by = request.user if new_flag: obj.created_by = request.user super().save_model(request, obj, form, change) if new_flag: logger.info("User(%i) creating Project(%i) %s", request.user.id, obj.id, obj.name) else: logger.info("User(%i) updating Project(%i) %s", request.user.id, obj.id, obj.name) if 'custom_permissions' in form.data: if 'worker_permissions' in form.data: existing_groups = set(get_groups_with_perms(obj)) form_groups = set(form.cleaned_data['worker_permissions']) groups_to_add = form_groups.difference(existing_groups) groups_to_remove = existing_groups.difference(form_groups) for group in groups_to_add: assign_perm('can_work_on', group, obj) for group in groups_to_remove: remove_perm('can_work_on', group, obj) else: for group in get_groups_with_perms(obj): remove_perm('can_work_on', group, obj)
def save(self, commit=True): self.instance = super(CustomOrganizationUserAddForm, self).save(commit=commit) if self.cleaned_data["is_editor"]: assign("edit_decisions_feedback", self.instance.user, self.instance.organization) else: remove_perm("edit_decisions_feedback", self.instance.user, self.instance.organization) return self.instance
def add_user_to_sheet(request, slug): sheet = get_object_or_404(Sheet, slug=slug) form_by_username = AddUserForm(request.POST or None) groups = UserAPI.get_groups_and_users_dict().keys() by_username_valid = form_by_username.is_valid() if by_username_valid: users = list() username = form_by_username.cleaned_data['username'] if username: users.append(get_object_or_404(User, username=username)) for group in groups: selected_users_pk = form_by_username.cleaned_data[group] for pk in selected_users_pk: users.append(get_object_or_404(User, pk=pk)) for user in users: if user != request.user: remove_perm('sheets.change_sheet', user, sheet) assign_perm('sheets.view_sheet', user, sheet) if form_by_username.cleaned_data['role'] == 'T': assign_perm('sheets.change_sheet', user, sheet) else: MarkAPI.create_marks_for_student(sheet, user) return redirect('sheet_detail', slug=slug) return render(request, 'add_user_to_sheet.html', { 'form_by_username': form_by_username, 'sheet': sheet })
def update(self, request, pk): """ Add or remove permissions """ if not request.user.is_authenticated(): return Response( status=403, data={ 'detail': 'Authentication required', }, ) required_params = ['user', ] for param in required_params: if param not in request.DATA: return Response( status=400, data={ 'detail': 'Parameter required {param}'.format( param=param, ), }, ) check_list = get_object_or_404(CheckList, id=pk) if not request.user.has_perm('api.change_checklist', check_list): return Response( status=403, data={ 'detail': 'Permission denied', }, ) user = get_object_or_404(User, id=request.DATA.get('user'), ) if user.id == check_list.owner.id: return Response( status=400, data={ 'detail': "Owner permissions can't be changed", }, ) if user.has_perm('api.change_checklist', check_list): remove_perm('api.view_checklist', user, check_list) remove_perm('api.change_checklist', user, check_list) else: assign_perm('api.view_checklist', user, check_list) assign_perm('api.change_checklist', user, check_list) return Response( status=200, data={ 'change_checklist': user.has_perm( 'api.change_checklist', check_list ), 'detail': 'Permissions updated', 'view_checklist': user.has_perm( 'api.view_checklist', check_list ), }, )
def test_remove_perm(self): assign('guardian.change_keyvalue', self.user, self.keyval) self.assertTrue(self.user.has_perm('guardian.change_keyvalue', self.keyval)) remove_perm('guardian.change_keyvalue', self.user, self.keyval) self.assertFalse(self.user.has_perm('guardian.change_keyvalue', self.keyval))
def test_view_permissions_for_anonymous_user(self): anonymous_user = get_anonymous_user() document = Document.objects.get() # check that anonymous user is not allowed to see that document response = self.app.get( reverse("information_pages:view_information", args=[document.url_title]), user=anonymous_user, status=403 ) self.assertEqual(response.status_code, 403) # allow anonymous users to see that document and test that assign_perm(InformationDocument.VIEW_PERMISSION_NAME, anonymous_user, document) # it should work now response = self.app.get( reverse("information_pages:view_information", args=[document.url_title]), user=anonymous_user ) self.assertEqual(response.status_code, 200) remove_perm(InformationDocument.VIEW_PERMISSION_NAME, anonymous_user, document) # check that anonymous user is not allowed to see page anymore response = self.app.get( reverse("information_pages:view_information", args=[document.url_title]), user=anonymous_user, status=403 ) self.assertEqual(response.status_code, 403) # test the same with group anonymous_user.groups.add(self.group) anonymous_user.save() response = self.app.get( reverse("information_pages:view_information", args=[document.url_title]), user=anonymous_user ) self.assertEqual(response.status_code, 200)
def set_privacy(self, privacy_level): # TODO: Check for results of the assign_perm and remove_perm calls anon = get_anonymous_user() retval = True if privacy_level == Grow.PRIVACY_PUBLISHED: self.published = True assign_perm('view_grow', anon, self) elif privacy_level == Grow.PRIVACY_HIDDEN: self.published = False print self.published assign_perm('view_grow', anon, self) elif privacy_level == Grow.PRIVACY_PRIVATE: self.published = False remove_perm('view_grow', anon, self) else: retval = False self.save() return retval
def delete_project_locus_lists(request, project_guid): project = get_project_and_check_permissions(project_guid, request.user, CAN_EDIT) request_json = json.loads(request.body) locus_lists = LocusList.objects.filter( guid__in=request_json['locusListGuids']) for locus_list in locus_lists: remove_perm(user_or_group=project.can_view_group, perm=CAN_VIEW, obj=locus_list) return create_json_response({ 'locusListGuids': [ locus_list['locusListGuid'] for locus_list in get_sorted_project_locus_lists( project, request.user) ], })
def save(self, commit=True): """ Saves granted permissions and removes those switched off. """ group, project = self.team.group, self.team.project granted_perms = self.cleaned_data['permissions'] team_perms = get_perms(group, project) # Grant permissions for perm in granted_perms: if perm not in team_perms: assign(perm, group, project) self._message('info', _("Permission added: %s" % perm)) # Remove permissions for perm in team_perms: if perm not in granted_perms: remove_perm(perm, group, project) self._message('warning', _("Permission removed: %s" % perm))
def change_permission_owner(self): owner_permissions = [ 'view_expressionstudy', 'change_expressionstudy', 'delete_expressionstudy' ] if self.initial_owner: # If update, remove permission, else do nothing if self.initial_owner != self.created_by: initial_owner_permission = get_user_perms(self.initial_owner, self) for permission in owner_permissions: if permission in initial_owner_permission: remove_perm(permission, self.initial_owner, self) user_permissions = get_user_perms(self.created_by, self) for permission in owner_permissions: if permission not in user_permissions: assign_perm(permission, self.created_by, self)
def test_can_see_link_details(self): extra_sub_item = baker.make(MenuItem, parent=self.root_menu_item, title_en="name", link="link123") assign_perm(MenuItem.EDIT_PERMISSION_NAME, self.user, extra_sub_item) response = self.app.get(reverse('menu_items_index'), user=self.user) self.assertEqual(response.status_code, 200) self.assertIn("(<i>Link:</i> link123)", response.body.decode('utf-8')) remove_perm(MenuItem.EDIT_PERMISSION_NAME, self.user, extra_sub_item) response = self.app.get(reverse('menu_items_index'), user=self.user) self.assertEqual(response.status_code, 200) self.assertNotIn("(<i>Link:</i> link123)", response.body.decode('utf-8'))
def update_viewer_groups_permissions(self, *, exclude_jobs=None): """ Update the permissions for the algorithm jobs viewers groups to view this image. Parameters ---------- exclude_jobs Exclude these results from being considered. This is useful when a many to many relationship is being cleared to remove this image from the results image set, and is used when the pre_clear signal is sent. """ if exclude_jobs is None: exclude_jobs = [] algorithm_jobs_groups = (Q(job__inputs__image=self) | Q( job__outputs__image=self)) & ~Q(job__in=exclude_jobs) reader_studies_groups = Q( editors_of_readerstudy__images__id__exact=self.pk) | Q( readers_of_readerstudy__images__id__exact=self.pk) archive_groups = (Q(editors_of_archive__images__id__exact=self.pk) | Q(uploaders_of_archive__images__id__exact=self.pk) | Q(users_of_archive__images__id__exact=self.pk)) expected_groups = { *Group.objects.filter(algorithm_jobs_groups | reader_studies_groups | archive_groups).distinct() } current_groups = get_groups_with_perms(self, attach_perms=True) current_groups = { group for group, perms in current_groups.items() if "view_image" in perms } groups_missing_perms = expected_groups - current_groups groups_with_extra_perms = current_groups - expected_groups for g in groups_missing_perms: assign_perm("view_image", g, self) for g in groups_with_extra_perms: remove_perm("view_image", g, self)
def test_v1_user_not_authorized_run_playbook_tags( self, mock_task_run_playbook_delay): """ Ensure an unauthorized user can't override tags. """ mock_task_run_playbook_delay.return_value = celery.result.AsyncResult( id='fake-id') url = '/api/v1/playbooks/%s/run/' % self.playbook.name self.client.credentials(HTTP_AUTHORIZATION='Token ' + self.user_authorized_token.key) # Testing only tags permission remove_perm('playbook.can_override_only_tags', self.user_authorized, self.playbook) data = { 'only_tags': u'deploy,test', } response = self.client.post(url, data, format='json') self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) assign_perm('playbook.can_override_only_tags', self.user_authorized, self.playbook) # Testing skip tags permission remove_perm('playbook.can_override_skip_tags', self.user_authorized, self.playbook) data = { 'skip_tags': u'base,test', } response = self.client.post(url, data, format='json') self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) assign_perm('playbook.can_override_skip_tags', self.user_authorized, self.playbook) # Testing extra_vars permission remove_perm('playbook.can_override_extra_vars', self.user_authorized, self.playbook) data = { 'extra_vars': u'env=test', } response = self.client.post(url, data, format='json') self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) assign_perm('playbook.can_override_extra_vars', self.user_authorized, self.playbook) # Testing subset permission remove_perm('playbook.can_override_subset', self.user_authorized, self.playbook) data = { 'subset': u'localhost', } response = self.client.post(url, data, format='json') self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) assign_perm('playbook.can_override_subset', self.user_authorized, self.playbook)
def delete(self, request, group_name, user_name): """ Removes a maintainer form the group Args: request: Django rest framework request group_name:Group name from the request user_name: User name from the request Returns: Http status of the request """ try: if user_name is None: return BossHTTPError('Missing username parameter in post.', ErrorCodes.INVALID_URL) group = Group.objects.get(name=group_name) bgroup = BossGroup.objects.get(group=group) # Check the users permissions. if request.user.has_perm("maintain_group", bgroup): usr = User.objects.get(username=user_name) status = usr.has_perm('maintain_group', bgroup) if status is False: return BossHTTPError( 'The user {} does not have the {} permission on the group {}' .format(usr.username, 'maintain_group', group_name), ErrorCodes.MISSING_PERMISSION) else: remove_perm('maintain_group', usr, bgroup) return HttpResponse(status=204) else: return BossHTTPError( 'The user {} does not have the {} permission on the group {}' .format(request.user.username, 'maintain_group', group_name), ErrorCodes.MISSING_PERMISSION) except Group.DoesNotExist: return BossGroupNotFoundError(group_name) except User.DoesNotExist: return BossUserNotFoundError(user_name)
def test_permission_required_views(self, client): rius = RawImageUploadSessionFactory() image_file = ImageFileFactory(image_type="DZI") u = UserFactory() for view_name, kwargs, permission, obj in [ ( "raw-image-upload-session-detail", { "pk": rius.pk }, "view_rawimageuploadsession", rius, ), ( "osd-image-detail", { "pk": image_file.image.pk }, "view_image", image_file.image, ), ]: response = get_view_for_user( client=client, viewname=f"cases:{view_name}", reverse_kwargs=kwargs, user=u, ) assert response.status_code == 403 assign_perm(permission, u, obj) response = get_view_for_user( client=client, viewname=f"cases:{view_name}", reverse_kwargs=kwargs, user=u, ) assert response.status_code == 200 remove_perm(permission, u, obj)
def set_perms(obj, fields, suffix, perms): """ Set group perms on an object To be mainly used in form operations, from which the cleaned data of fields are obtained Check if group is in new perms and not in old, and assign, or vice versa :param obj: the record object for which to get permissions :param fields: the permission names to categorize :param suffix: an additional string that, when appended on the field name, will give us the perm name :param perms: :return: a dictionary of fields: groups list """ old_perms = get_perms(obj, fields, suffix) for field in fields: for group in perms[field]: if group not in old_perms[field]: assign_perm(field + suffix, group, obj) for group in old_perms[field]: if group not in perms[field]: remove_perm(field + suffix, group, obj)
def remove_permissions(self, request, pk=None, *args, **kwargs): queryset = Good.objects.all() good = get_object_or_404(queryset, pk=pk) serializer = self.get_serializer(data=request.data) if serializer.is_valid(raise_exception=True): user_or_group = [] if serializer.data['users']: user_or_group.extend( [User.objects.get(pk=u) for u in serializer.data['users']]) if serializer.data['groups']: user_or_group.extend([ Group.objects.get(pk=g) for g in serializer.data['groups'] ]) for permission in serializer.data['permissions']: for obj in user_or_group: remove_perm(self.permission_type.get(permission), obj, good) return Response(status=status.HTTP_200_OK) return Response(status=status.HTTP_400_BAD_REQUEST)
def setPermissionUserObject(user, object, permissions=[], mode='add'): """ Assign or remove guardian permissions to user for object :param user: Auth user or group model obj. :param object: Django model obj to apply or remove permissions. :param permissions: Default: '[]'. A List of permission to add/remove to object for user. :param mode: Default: 'add'. Mode work, 'add' or 'remove'. :return: None """ if not isinstance(permissions, list): permissions = [permissions] for perm in permissions: if mode == 'add': assign_perm(perm, user, object) elif mode == 'remove': remove_perm(perm, user, object)
def assign_permissions(self): # Editors and users can view this algorithm assign_perm(f"view_{self._meta.model_name}", self.editors_group, self) assign_perm(f"view_{self._meta.model_name}", self.users_group, self) # Editors and users can execute this algorithm assign_perm(f"execute_{self._meta.model_name}", self.editors_group, self) assign_perm(f"execute_{self._meta.model_name}", self.users_group, self) # Editors can change this algorithm assign_perm(f"change_{self._meta.model_name}", self.editors_group, self) reg_and_anon = Group.objects.get( name=settings.REGISTERED_AND_ANON_USERS_GROUP_NAME) if self.public: assign_perm(f"view_{self._meta.model_name}", reg_and_anon, self) else: remove_perm(f"view_{self._meta.model_name}", reg_and_anon, self)
def assign_permissions_to_owner(*args, **kwargs): graph = kwargs.get("instance", None) raw = kwargs.get("raw", False) if not raw: if graph: owner = graph.owner aux = {'graph': graph, 'schema': graph.schema, 'data': graph.data} for permission_type in aux: for permission in PERMISSIONS[permission_type].keys(): assign_perm(permission, owner, aux[permission_type]) anonymous = User.objects.get(id=settings.ANONYMOUS_USER_ID) if graph.public: for permission, obj in aux.items(): assign_perm("view_%s" % permission, anonymous, obj) else: for permission, obj in aux.items(): perm = "view_%s" % permission if anonymous.has_perm(perm, obj): remove_perm(perm, anonymous, obj)
def test_user_permissions_in_resource_endpoint(api_client, resource_in_unit, user, group): """ Tests that resource endpoint returns a permissions dict with correct values. """ api_client.force_authenticate(user=user) # normal user, reservable = True _check_permissions_dict(api_client, resource_in_unit, is_admin=False, can_make_reservations=True, can_ignore_opening_hours=False) # normal user, reservable = False resource_in_unit.reservable = False resource_in_unit.save() _check_permissions_dict(api_client, resource_in_unit, is_admin=False, can_make_reservations=False, can_ignore_opening_hours=False) # admin, reservable = False user.is_general_admin = True user.save() api_client.force_authenticate(user=user) _check_permissions_dict(api_client, resource_in_unit, is_admin=True, can_make_reservations=True, can_ignore_opening_hours=True) user.is_general_admin = False user.save() # user has explicit permission to make reservation user.groups.add(group) assign_perm('unit:can_make_reservations', group, resource_in_unit.unit) api_client.force_authenticate(user=user) _check_permissions_dict(api_client, resource_in_unit, is_admin=False, can_make_reservations=True, can_ignore_opening_hours=False) remove_perm('unit:can_make_reservations', group, resource_in_unit.unit) resource_group = resource_in_unit.groups.create(name='rg1') assign_perm('group:can_make_reservations', group, resource_group) api_client.force_authenticate(user=user) _check_permissions_dict(api_client, resource_in_unit, is_admin=False, can_make_reservations=True, can_ignore_opening_hours=False) assign_perm('unit:can_ignore_opening_hours', group, resource_in_unit.unit) api_client.force_authenticate(user=user) _check_permissions_dict(api_client, resource_in_unit, is_admin=False, can_make_reservations=True, can_ignore_opening_hours=True)
def setpermissions(self, lvl): """ Give the right groups permissions to this object object needs to be saved before setting perms""" admingroup = self.challenge.admins_group participantsgroup = self.challenge.participants_group self.persist_if_needed() if lvl == self.ALL: assign_perm("view_ComicSiteModel", admingroup, self) assign_perm("view_ComicSiteModel", participantsgroup, self) elif lvl == self.REGISTERED_ONLY: assign_perm("view_ComicSiteModel", admingroup, self) assign_perm("view_ComicSiteModel", participantsgroup, self) elif lvl == self.ADMIN_ONLY: assign_perm("view_ComicSiteModel", admingroup, self) remove_perm("view_ComicSiteModel", participantsgroup, self) else: raise ValueError( f"Unknown permissions level '{lvl}'. " "I don't know which groups to give permissions to this object")
def test_feedback_create_restricted(self): ''' Feedback create should be restricted to those with the organizations editor permission ''' #setup decision = self.create_and_return_decision() #first remove the permission remove_perm('edit_decisions_feedback', self.betty, self.bettysorg) #assert that creating feedback gives a 403 path = reverse('publicweb_feedback_create', args=[decision.id]) response = self.client.get(path) self.assertEquals(response.status_code, 403) #give perm assign('edit_decisions_feedback', self.betty, self.bettysorg) # get a 200 response = self.client.get(path) self.assertEquals(response.status_code, 200)
def form_valid(self, form): """ Update object-level permissions: remove all existing, then reassign. """ groups_perms_dict = get_groups_with_perms(self.object, attach_perms=True) for group, perms_list in groups_perms_dict.items(): for perm in perms_list: remove_perm(perm, group, self.object) assign_perm('can_manage_queue', form.cleaned_data['managing_group'], self.object) assign_perm('can_handle_queue', form.cleaned_data['managing_group'], self.object) assign_perm('can_view_queue', form.cleaned_data['managing_group'], self.object) for group in form.cleaned_data['response_groups'].all(): assign_perm('can_handle_queue', group, self.object) assign_perm('can_view_queue', group, self.object) return super().form_valid(form)
def remove_invitations_officer(request, stream_id, officer_id): stream = get_object_or_404(ProductionStream.objects.ongoing(), pk=stream_id) checker = ObjectPermissionChecker(request.user) if not checker.has_perm('can_perform_supervisory_actions', stream): return redirect(reverse('production:production', args=(stream.id, ))) if getattr(stream.invitations_officer, 'id', 0) == int(officer_id): officer = stream.invitations_officer stream.invitations_officer = None stream.save() if officer not in [stream.officer, stream.supervisor]: # Remove Officer from stream if not assigned anymore remove_perm('can_work_for_stream', officer.user, stream) messages.success( request, 'Invitations Officer {officer} has been removed.'.format( officer=officer)) return redirect(reverse('production:production', args=(stream.id, )))
def manage_project(request, project_id=""): user = request.user id = project_id project = Project.objects.get(pk=id) if (user.has_perm('manage_proj', project) == False): raise PopupException('Sorry, you have not right to manage the project!') user_perms = get_users_with_perms(project, attach_perms=True) allusers = json.dumps(list(get_allusers())) page_errors = None if request.method == 'POST': for key in request.POST: value = request.POST[key] for key, value in request.POST.iteritems(): m = re.match(r'.+_proj@', key) if m: keylist = re.split(r'@', key) keyperm = keylist[0] keyuser = User.objects.get(pk=keylist[1]) if user_perms.has_key(keyuser): if keyperm in user_perms[keyuser]: user_perms[keyuser].remove(keyperm) else: assign_perm(keyperm, keyuser, project) else: assign_perm(keyperm, keyuser, project) for key, value in user_perms.items(): if value != []: for item in value: remove_perm(item, key, project) return HttpResponseRedirect(urlresolvers.reverse('list_projects')) else: try: project = Project.objects.get(id=id) except Exception: raise Http404 return render("ansible/manage_project.html", request, { 'action': urlresolvers.reverse('manage_project', kwargs={'project_id': id}), 'project': project, 'user_perms': user_perms, 'allusers': allusers, 'page_errors': page_errors, 'request': request, })
def set_box_permissions(self, groups): permcodenames = [] for node in Box._meta.permissions: permcodenames.append(node[0]) for groupname, level in groups: if groupname.startswith('group-'): group = groupname.replace('group-', '', 1) group = Group.objects.get(pk=group) level = int(level) - 1 if level == 0: for perm in permcodenames: remove_perm(perm, group, self) else: for perm in permcodenames[:level]: assign_perm(perm, group, self) for perm in permcodenames[level:]: remove_perm(perm, group, self)
def update_permission(user_or_group: Union[User, Group], obj: Model, perm: str, action: str): content_type = ContentType.objects.get_for_model(obj) # Get or create permission try: permission = Permission.objects.get(content_type=content_type, codename=perm) except Permission.DoesNotExist: name = perm.replace('_', '').title() permission = Permission.objects.create( name='Can %s %s' % (name, obj._meta.verbose_name_raw), content_type=content_type, codename=perm ) if action == ACTION_ASSIGN: assign_perm(permission, user_or_group, obj) else: remove_perm(permission, user_or_group, obj)
def create_object_permissions(sender, instance, **kwargs): if kwargs["action"] == "pre_add": perms = [] for j in kwargs["model"].objects.filter(pk__in=kwargs["pk_set"]): perms.extend(j.groups_allowed.all()) for x in perms: assign_perm("change_" + instance.__class__.__name__.lower(), x, instance) assign_perm("delete_" + instance.__class__.__name__.lower(), x, instance) elif kwargs["action"] == "post_remove": perms = [] perms_keep = [] for j in kwargs["model"].objects.filter(pk__in=kwargs["pk_set"]): perms.extend(j.groups_allowed.all()) for u in instance.collection.all(): perms_keep.extend(u.groups_allowed.all()) rm_perms = set(perms) - set(perms_keep) for x in rm_perms: remove_perm("change_" + instance.__class__.__name__.lower(), x, instance) remove_perm("delete_" + instance.__class__.__name__.lower(), x, instance)
def test_unpublished_layer(self): """Test unpublished layer behaviour""" user = get_user_model().objects.get(username='******') self.client.login(username='******', password='******') # default (RESOURCE_PUBLISHING=False) # access to layer detail page gives 200 if layer is published or # unpublished response = self.client.get( reverse('layer_detail', args=('geonode:CA', ))) self.failUnlessEqual(response.status_code, 200) layer = Layer.objects.filter(title='CA')[0] layer.is_published = False layer.save() response = self.client.get( reverse('layer_detail', args=('geonode:CA', ))) self.failUnlessEqual(response.status_code, 200) # with resource publishing with self.settings(RESOURCE_PUBLISHING=True): # 404 if layer is unpublished response = self.client.get( reverse('layer_detail', args=('geonode:CA', ))) self.failUnlessEqual(response.status_code, 404) # 200 if layer is unpublished but user has permission assign_perm('publish_resourcebase', user, layer.get_self_resource()) response = self.client.get( reverse('layer_detail', args=('geonode:CA', ))) self.failUnlessEqual(response.status_code, 200) # 200 if layer is published layer.is_published = True layer.save() remove_perm('publish_resourcebase', user, layer.get_self_resource()) response = self.client.get( reverse('layer_detail', args=('geonode:CA', ))) self.failUnlessEqual(response.status_code, 200) layer.is_published = True layer.save()
def change_permission(request, graph_slug): if request.is_ajax(): graph = get_object_or_404(Graph, slug=graph_slug) user_id = request.GET['user_id'] object_str = request.GET['object_str'] permission_str = request.GET['permission_str'] user = get_object_or_404(User, id=user_id) # Owner permissions cannot be deleted if user == graph.owner: return HttpResponse("owner", status=500) aux = {'graph': graph, 'schema': graph.schema, 'data': graph.data} if permission_str in PERMISSIONS[object_str]: if permission_str in guardian.get_perms(user, aux[object_str]): guardian.remove_perm(permission_str, user, aux[object_str]) else: guardian.assign(permission_str, user, aux[object_str]) else: raise ValueError("Unknown %s permission: %s" % (object_str, permission_str)) return HttpResponse(simplejson.dumps({}))
def test_non_superuser_normal_site_subset_layers(self): """ Test that a non superuser, that can see different layers on different sites, can see the correct subset of layer on a normal site """ # Remove some view permissions for bobby anonymous_group = Group.objects.get(name='anonymous') for layer in Layer.objects.all()[:3]: remove_perm('view_resourcebase', self.bobby, layer.get_self_resource()) remove_perm('view_resourcebase', anonymous_group, layer.get_self_resource()) self.client.login(username='******', password='******') response = self.client.get(self.api_layer_url) self.assertEquals(len(json.loads(response.content)['objects']), 5) # now test with superuser self.client.logout() self.client.login(username=self.user, password=self.passwd) response = self.client.get(self.api_layer_url) self.assertEquals(len(json.loads(response.content)['objects']), 7)
def set_owners(self, new_owners): old_owners = get_users_with_perms(self, only_with_perms_in=['owner']) removed_owners = [] added_owners = [] # Remove old owners for old_owner in old_owners: if old_owner not in new_owners: remove_perm('owner', old_owner, self) removed_owners.append(old_owner) # Add new owners for new_owner in new_owners: if new_owner not in old_owners: assign_perm('owner', new_owner, self) added_owners.append(new_owner) # Return the owners added/removed so they can be emailed return removed_owners, added_owners
def test_groups_with_model_perms(self): for perm in CloudAccount.model_permissions: groups = shortcuts.get_groups_with_model_perms( CloudAccount, attach_perms=False, ) self.assertEqual(groups.count(), 0) assign_perm('cloud.%s_cloudaccount' % perm, self.group) groups = shortcuts.get_groups_with_model_perms( CloudAccount, attach_perms=False, ) self.assertEqual(groups.count(), 1) self.assertEqual(groups.first(), self.group) remove_perm('cloud.%s_cloudaccount' % perm, self.group)
def _disable_owner_write_permissions(self): for perm in get_perms(self.resource.owner, self.resource.get_self_resource()): remove_perm(perm, self.resource.owner, self.resource.get_self_resource()) for perm in get_perms(self.resource.owner, self.resource): remove_perm(perm, self.resource.owner, self.resource) for perm in self.resource.BASE_PERMISSIONS.get( 'read') + self.resource.BASE_PERMISSIONS.get('download'): if not settings.RESOURCE_PUBLISHING and not settings.ADMIN_MODERATE_UPLOADS: assign_perm(perm, self.resource.owner, self.resource.get_self_resource()) elif perm not in { 'change_resourcebase_permissions', 'publish_resourcebase' }: assign_perm(perm, self.resource.owner, self.resource.get_self_resource())
def set_publication_permissions(self): """Sets all permissions as needed for publication. - removes edit, share and delete permission from everyone - add read permission for everyone """ # Remove edit, share and delete permission from everyone users = get_users_with_perms(self) for u in users: for perm in ['publish_surface', 'share_surface', 'change_surface', 'delete_surface']: remove_perm(perm, u, self) # Add read permission for everyone assign_perm('view_surface', get_default_group(), self) from guardian.shortcuts import get_perms # TODO for unknown reasons, when not in Docker, the published surfaces are still changeable # Here "remove_perm" does not work. We do not allow this. See GH 704. if 'change_surface' in get_perms(self.creator, self): raise PublicationException("Withdrawing permissions for publication did not work!")