Exemple #1
def test_access_model_loads():
    """Check that every ``UserRole`` member has an entry in the loaded model."""
    model = RoleBasedAccessModel.from_rawdata(ROLES_PERMISSIONS)

    # A role present in the enum but missing from the model's roles shows up
    # in this set; the permissions table is complete only when it is empty.
    defined_roles = set(model.roles.keys())
    roles_without_permissions = set(UserRole) - defined_roles

    assert not roles_without_permissions
Exemple #2
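def access_model():
    """Build a ``RoleBasedAccessModel`` from a small fake permissions table.

    The table defines three roles (ANONYMOUS, USER, TESTER), role inheritance,
    and one permission guarded by a callable check (``can_update_inputs``).
    """

    def can_update_inputs(context):
        """Decide whether the candidate document only changes writable inputs.

        ``context`` must provide ``"current"`` and ``"candidate"`` documents.
        Returns True when the two are identical, or when every changed
        workbench node only touches ``inputs`` keys whose ``inputAccess`` in
        the current document is ``"ReadAndWrite"``. Any lookup failure denies.
        """
        current_data = context["current"]
        candidate_data = context["candidate"]

        diffs = jsondiff.diff(current_data, candidate_data)

        if "workbench" not in diffs:
            return len(diffs) == 0  # no changes

        # NOTE(review): when "workbench" is in the diff, changes to other
        # top-level keys and to node fields other than "inputs" are not
        # examined here -- confirm whether that is intended.
        changed_nodes = diffs["workbench"]
        if not changed_nodes:
            return False

        try:
            # Every changed node must pass. Returning as soon as the first
            # node passes would leave the remaining nodes unchecked, so the
            # positive answer is only given after the loop completes.
            for node in changed_nodes:
                # can ONLY modify `inputs` fields set as ReadAndWrite
                access = current_data["workbench"][node]["inputAccess"]
                inputs = changed_nodes[node]["inputs"]
                for key in inputs:
                    if access.get(key) != "ReadAndWrite":
                        return False
        except KeyError:
            # Fail closed: unknown node, missing "inputAccess", or a node
            # diff without "inputs" is treated as not permitted.
            return False

        return True

    # -----------
    fake_roles_permissions = {
        UserRole.ANONYMOUS: {
            "can": [
                "studies.templates.read",
                "study.start",
                "study.stop",
                {
                    # Permission granted only if the callable check passes
                    "name": "study.pipeline.node.inputs.update",
                    "check": can_update_inputs,
                },
            ]
        },
        UserRole.USER: {
            "can": [
                "study.node.create",
                "study.node.delete",
                "study.node.rename",
                "study.node.start",
                "study.node.data.push",
                "study.node.data.delete",
                "study.edge.create",
                "study.edge.delete",
            ],
            "inherits": [UserRole.ANONYMOUS],
        },
        UserRole.TESTER: {
            "can": ["study.nodestree.uuid.read", "study.logger.debug.read"],
            # This double inheritance is done intentionally redundant
            "inherits": [UserRole.USER, UserRole.ANONYMOUS],
        },
    }

    # RBAC: Role Based Access Control
    rbac = RoleBasedAccessModel.from_rawdata(fake_roles_permissions)
    return rbac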