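def delete(self, object_type, object_id):
    """Revoke one access permission on an object and record the change.

    Reads ``user_id`` (the grantee) and ``access_type`` from the JSON request
    body. The object is looked up within ``self.current_org`` and
    ``require_admin_or_owner(obj.user_id)`` runs before the body is parsed.
    """
    model = get_model_from_type(object_type)
    obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)

    # Authorization is checked against the object's owner before any
    # caller-supplied body field is used.
    require_admin_or_owner(obj.user_id)

    req = request.get_json(True)
    # A body that is not a JSON object, or that lacks either field, would
    # otherwise fail on the subscripts below with an unhandled
    # TypeError/KeyError; answer it as a client error instead.
    if not isinstance(req, dict) or 'user_id' not in req or 'access_type' not in req:
        abort(400, message='user_id and access_type are required.')

    grantee_id = req['user_id']
    access_type = req['access_type']

    # NOTE(review): unlike the object lookup above, this lookup is not limited
    # to self.current_org, so the 400 below distinguishes existing from
    # non-existing user ids regardless of organization -- confirm whether the
    # grantee should be resolved within the current org.
    grantee = User.query.get(grantee_id)
    if grantee is None:
        abort(400, message='User not found.')

    # NOTE(review): access_type is passed through as received, and revoke()'s
    # return value is ignored, so the audit event is recorded even if nothing
    # matched -- confirm both are intended.
    AccessPermission.revoke(obj, grantee, access_type)
    db.session.commit()

    self.record_event({
        'action': 'revoke_permission',
        'object_id': object_id,
        'object_type': object_type,
        'access_type': access_type,
        'grantee_id': grantee_id
    })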
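def delete(self, object_type, object_id):
    """Revoke one access permission on an object and record the change.

    Reads ``user_id`` (the grantee) and ``access_type`` from the JSON request
    body. The object is looked up within ``self.current_org`` and
    ``require_admin_or_owner(obj.user_id)`` runs before the body is parsed.
    """
    model = get_model_from_type(object_type)
    obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)

    # Owner/admin check comes first, so an unauthorized caller never reaches
    # the body handling below.
    require_admin_or_owner(obj.user_id)

    req = request.get_json(True)
    # Reject a non-object body or a missing field as a client error; without
    # this the subscripts below raise an unhandled TypeError/KeyError.
    if not isinstance(req, dict) or "user_id" not in req or "access_type" not in req:
        abort(400, message="user_id and access_type are required.")

    grantee_id = req["user_id"]
    access_type = req["access_type"]

    # NOTE(review): this lookup is not scoped to self.current_org, unlike the
    # object lookup above; confirm whether a grantee from another
    # organization should be resolvable (and distinguishable via the 400).
    grantee = User.query.get(grantee_id)
    if grantee is None:
        abort(400, message="User not found.")

    # NOTE(review): access_type is not checked against a known set here, and
    # the value revoke() returns is discarded, so the event below is recorded
    # even when no permission matched -- confirm.
    AccessPermission.revoke(obj, grantee, access_type)
    db.session.commit()

    self.record_event(
        {
            "action": "revoke_permission",
            "object_id": object_id,
            "object_type": object_type,
            "access_type": access_type,
            "grantee_id": grantee_id,
        }
    )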
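def test_deletes_permission_for_only_given_grantee_on_given_grant_type(self):
    # Revoking VIEW for second_user must remove that one grant and leave the
    # two MODIFY grants (first_user's and second_user's) in place.
    q = self.factory.create_query()
    first_user = self.factory.create_user()
    second_user = self.factory.create_user()

    AccessPermission.grant(
        obj=q,
        access_type=ACCESS_TYPE_MODIFY,
        grantor=self.factory.user,
        grantee=first_user,
    )
    AccessPermission.grant(
        obj=q,
        access_type=ACCESS_TYPE_MODIFY,
        grantor=self.factory.user,
        grantee=second_user,
    )
    AccessPermission.grant(
        obj=q,
        access_type=ACCESS_TYPE_VIEW,
        grantor=self.factory.user,
        grantee=second_user,
    )

    self.assertEqual(1, AccessPermission.revoke(q, second_user, ACCESS_TYPE_VIEW))

    # The count above cannot show on its own that the other grants survived:
    # only second_user holds VIEW on q, so a revoke that ignored the grantee
    # would report 1 as well. Revoking each remaining grant must therefore
    # still report exactly one (assumes revoke() returns the number of
    # permissions it removed, as the first assertion already does).
    self.assertEqual(1, AccessPermission.revoke(q, second_user, ACCESS_TYPE_MODIFY))
    self.assertEqual(1, AccessPermission.revoke(q, first_user, ACCESS_TYPE_MODIFY))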
def test_deletes_permission(self):
    # Grant the factory user MODIFY on a fresh query, revoke it again, and
    # check that revoke() reports 1.
    query = self.factory.create_query()
    AccessPermission.grant(
        obj=query,
        access_type=ACCESS_TYPE_MODIFY,
        grantor=self.factory.user,
        grantee=self.factory.user,
    )

    removed = AccessPermission.revoke(query, self.factory.user, ACCESS_TYPE_MODIFY)
    self.assertEqual(1, removed)
def delete(self, object_type, object_id):
    """Revoke an access permission on an object and record the event.

    Reads ``user_id`` and ``access_type`` from the JSON request body. The
    object is looked up within ``self.current_org`` and
    ``require_admin_or_owner`` runs before the body is parsed.
    """
    resolved_model = get_model_from_type(object_type)
    target = get_object_or_404(
        resolved_model.get_by_id_and_org, object_id, self.current_org
    )
    require_admin_or_owner(target.user_id)

    payload = request.get_json(True)
    # NOTE(review): a body missing either key raises KeyError here rather
    # than producing a client error -- confirm how callers see that.
    grantee, access_type = payload['user_id'], payload['access_type']

    # NOTE(review): the raw ``user_id`` from the body is handed to revoke()
    # without being resolved to a user first, and no commit is visible in
    # this block -- confirm revoke() accepts an id and persists the change.
    AccessPermission.revoke(target, grantee, access_type)

    event = {
        'action': 'revoke_permission',
        'object_id': object_id,
        'object_type': object_type,
        'access_type': access_type,
        'grantee': grantee
    }
    self.record_event(event)
def test_deletes_all_permissions_if_no_type_given(self):
    # With MODIFY and VIEW both granted to the factory user, a revoke() call
    # that names no access type is expected to report 2.
    query = self.factory.create_query()
    for granted_type in (ACCESS_TYPE_MODIFY, ACCESS_TYPE_VIEW):
        AccessPermission.grant(
            obj=query,
            access_type=granted_type,
            grantor=self.factory.user,
            grantee=self.factory.user,
        )

    removed = AccessPermission.revoke(query, self.factory.user)
    self.assertEqual(2, removed)
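def test_deletes_permission_for_only_given_grantee_on_given_grant_type(self):
    # Revoking VIEW for second_user must remove that one grant and leave the
    # two MODIFY grants (first_user's and second_user's) in place.
    q = self.factory.create_query()
    first_user = self.factory.create_user()
    second_user = self.factory.create_user()

    grants = (
        (first_user, ACCESS_TYPE_MODIFY),
        (second_user, ACCESS_TYPE_MODIFY),
        (second_user, ACCESS_TYPE_VIEW),
    )
    for grantee, access_type in grants:
        AccessPermission.grant(obj=q, access_type=access_type, grantor=self.factory.user, grantee=grantee)

    self.assertEqual(1, AccessPermission.revoke(q, second_user, ACCESS_TYPE_VIEW))

    # Only second_user holds VIEW on q, so the count above would also be 1
    # for a revoke that ignored the grantee. Check that each remaining grant
    # is still there by revoking it and expecting exactly one removal
    # (assumes revoke() returns the number of permissions it removed, as the
    # first assertion already does).
    self.assertEqual(1, AccessPermission.revoke(q, second_user, ACCESS_TYPE_MODIFY))
    self.assertEqual(1, AccessPermission.revoke(q, first_user, ACCESS_TYPE_MODIFY))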
def test_deletes_nothing_when_no_permission_exists(self):
    # No grant is created for the query, so revoke() is expected to report 0.
    query = self.factory.create_query()
    removed = AccessPermission.revoke(query, self.factory.user, ACCESS_TYPE_MODIFY)
    self.assertEqual(0, removed)
def test_deletes_permission(self):
    # One MODIFY grant for the factory user is created and then revoked;
    # revoke() is expected to report 1.
    target_query = self.factory.create_query()
    grant_kwargs = dict(
        obj=target_query,
        access_type=ACCESS_TYPE_MODIFY,
        grantor=self.factory.user,
        grantee=self.factory.user,
    )
    AccessPermission.grant(**grant_kwargs)

    revoked_count = AccessPermission.revoke(target_query, self.factory.user, ACCESS_TYPE_MODIFY)
    self.assertEqual(1, revoked_count)
def test_deletes_nothing_when_no_permission_exists(self):
    # Revoking MODIFY on a query that has no grants is expected to report 0.
    target_query = self.factory.create_query()
    revoked_count = AccessPermission.revoke(
        target_query, self.factory.user, ACCESS_TYPE_MODIFY
    )
    self.assertEqual(0, revoked_count)