def test_wrapped_field_checker(self): f1 = Text(title=u'alpha') f1 = ProxyFactory(f1) f2 = Text(title=u'alpha') f2 = Struct(f2) f2 = ProxyFactory(f2) self.assertEquals(getChecker(f1), getChecker(f2)) self.failIf(getChecker(f1) is _defaultChecker) self.failIf(getChecker(f2) is _defaultChecker)
def test_set_permissions(self): expected_set_permissions = { 'launchpad.View': set(('active', 'delivery_url', 'event_types', 'registrant_id', 'secret')), } webhook = self.factory.makeWebhook() checker = getChecker(webhook) self.checkPermissions(expected_set_permissions, checker.set_permissions, 'set')
def get_interaction(obj): """Extract interaction from a proxied object""" try: checker = getChecker(obj) except TypeError: return if isinstance(checker, Checker): return checker.interaction else: return thread_local.interaction
def test_get_permissions(self): expected_get_permissions = { 'launchpad.View': set(('active', 'date_created', 'date_last_modified', 'deliveries', 'delivery_url', 'destroySelf', 'event_types', 'getDelivery', 'id', 'ping', 'registrant', 'registrant_id', 'secret', 'setSecret', 'target')), } webhook = self.factory.makeWebhook() checker = getChecker(webhook) self.checkPermissions(expected_get_permissions, checker.get_permissions, 'get')
def test_set_permissions(self): expected_get_permissions = { 'launchpad.Admin': set(('direction_approved', 'priority')), 'launchpad.AnyAllowedPerson': set(('whiteboard', )), 'launchpad.Edit': set(( 'approver', 'assignee', 'definition_status', 'distribution', 'drafter', 'implementation_status', 'man_days', 'milestone', 'name', 'product', 'specurl', 'summary', 'superseded_by', 'title')), } specification = self.factory.makeSpecification() checker = getChecker(specification) self.checkPermissions( expected_get_permissions, checker.set_permissions, 'set')
def test(self): bug = self.factory.makeBug() info = bug.getSubscriptionInfo() checker = getChecker(info) # BugSubscriptionInfo objects are immutable. self.assertEqual({}, checker.set_permissions) # All attributes require launchpad.View. permissions = set(checker.get_permissions.itervalues()) self.assertContentEqual(["launchpad.View"], permissions) # The security adapter for launchpad.View lets anyone reference the # attributes unless the bug is private, in which case only explicit # subscribers are permitted. adapter = queryAdapter(info, IAuthorization, "launchpad.View") self.assertIsInstance( adapter, PublicToAllOrPrivateToExplicitSubscribersForBugTask)
def test_get_permissions(self): expected_get_permissions = { CheckerPublic: set(('id', 'information_type', 'private', 'userCanView')), 'launchpad.LimitedView': set(('all_blocked', 'all_deps', 'approver', 'approverID', 'assignee', 'assigneeID', 'bugs', 'completer', 'createDependency', 'date_completed', 'date_goal_decided', 'date_goal_proposed', 'date_started', 'datecreated', 'definition_status', 'dependencies', 'direction_approved', 'distribution', 'distroseries', 'drafter', 'drafterID', 'getBranchLink', 'getDelta', 'getAllowedInformationTypes', 'getDependencies', 'getBlockedSpecs', 'getLinkedBugTasks', 'getSprintSpecification', 'getSubscriptionByName', 'goal', 'goal_decider', 'goal_proposer', 'goalstatus', 'has_accepted_goal', 'implementation_status', 'informational', 'isSubscribed', 'is_blocked', 'is_complete', 'is_incomplete', 'is_started', 'lifecycle_status', 'linkBranch', 'linkSprint', 'linked_branches', 'man_days', 'milestone', 'name', 'notificationRecipientAddresses', 'owner', 'priority', 'product', 'productseries', 'removeDependency', 'specurl', 'sprint_links', 'sprints', 'starter', 'subscribe', 'subscribers', 'subscription', 'subscriptions', 'summary', 'superseded_by', 'target', 'title', 'unlinkBranch', 'unlinkSprint', 'unsubscribe', 'updateLifecycleStatus', 'validateMove', 'whiteboard', 'work_items', 'workitems_text')), 'launchpad.Edit': set(('newWorkItem', 'proposeGoal', 'retarget', 'setDefinitionStatus', 'setImplementationStatus', 'setTarget', 'transitionToInformationType', 'updateWorkItems')), 'launchpad.Driver': set(('acceptBy', 'declineBy')), 'launchpad.AnyAllowedPerson': set(('unlinkBug', 'linkBug', 'setWorkItems')), } specification = self.factory.makeSpecification() checker = getChecker(specification) self.checkPermissions(expected_get_permissions, checker.get_permissions, 'get')
def test_get_permissions(self): expected_get_permissions = { CheckerPublic: set(( 'id', 'information_type', 'private', 'userCanView')), 'launchpad.LimitedView': set(( 'all_blocked', 'all_deps', 'approver', 'approverID', 'assignee', 'assigneeID', 'bug_links', 'bugs', 'completer', 'createDependency', 'date_completed', 'date_goal_decided', 'date_goal_proposed', 'date_started', 'datecreated', 'definition_status', 'dependencies', 'direction_approved', 'distribution', 'distroseries', 'drafter', 'drafterID', 'getBranchLink', 'getDelta', 'getAllowedInformationTypes', 'getDependencies', 'getBlockedSpecs', 'getLinkedBugTasks', 'getSprintSpecification', 'getSubscriptionByName', 'goal', 'goal_decider', 'goal_proposer', 'goalstatus', 'has_accepted_goal', 'implementation_status', 'informational', 'isSubscribed', 'is_blocked', 'is_complete', 'is_incomplete', 'is_started', 'lifecycle_status', 'linkBranch', 'linkSprint', 'linked_branches', 'man_days', 'milestone', 'name', 'notificationRecipientAddresses', 'owner', 'priority', 'product', 'productseries', 'removeDependency', 'specurl', 'sprint_links', 'sprints', 'starter', 'subscribe', 'subscribers', 'subscription', 'subscriptions', 'summary', 'superseded_by', 'target', 'title', 'unlinkBranch', 'unlinkSprint', 'unsubscribe', 'updateLifecycleStatus', 'validateMove', 'whiteboard', 'work_items', 'workitems_text')), 'launchpad.Edit': set(( 'newWorkItem', 'proposeGoal', 'retarget', 'setDefinitionStatus', 'setImplementationStatus', 'setTarget', 'transitionToInformationType', 'updateWorkItems')), 'launchpad.Driver': set(('acceptBy', 'declineBy')), 'launchpad.AnyAllowedPerson': set(( 'unlinkBug', 'linkBug', 'setWorkItems')), } specification = self.factory.makeSpecification() checker = getChecker(specification) self.checkPermissions( expected_get_permissions, checker.get_permissions, 'get')
def test_set_permissions(self): checker = getChecker(self.public_series) self.checkPermissions( self.expected_set_permissions, checker.set_permissions, 'set')
def apply_security(ti): domain_model, descriptor_model = ti.domain_model, ti.descriptor_model type_key = naming.polymorphic_identity(domain_model) log.debug("APPLY SECURITY: %s %s", type_key, domain_model) # first, "inherit" security settings of super classes i.e. equivalent of # something like <require like_class=".domain.Doc" /> for c in domain_model.__bases__: if c is object: continue log.debug(" LIKE_CLASS: %s", c) protectLikeUnto(domain_model, c) # !+DECL permissions here--for CUSTOM types only, and SINCE r9946--override # what is defined in domain.zcml, as opposed to vice-versa (probably # because CUSTOM types are setup at a later stage). # So (for CUSTOM types only?) we use the parametrized # bungeni.{type_key}.{Mode} as the view/edit permission: pv_type = "zope.Public" # view permission, for type pe_type = "zope.Public" # edit permission, for type if descriptor_model.scope == "custom": pv_type = "bungeni.%s.View" % (type_key) pe_type = "bungeni.%s.Edit" % (type_key) # !+SCHEMA_FIELDS(mr, oct-2012) all this seems superfluous anyway, as is # (always?) overwritten further down? Switch to base loop on superset of # names (dir(cls)?) and then decide ONCE on various criteria how to # protect the name. _view_protected = set() # remember names protected for view _edit_protected = set() # remember names protected for edit # sorted (for clearer logging) list of attr names that are BOTH defined # by the db mapped-table schema AND have a dedicated UI Field. dts_attrs = [ n for n in ti.derived_table_schema.names(all=True) ] df_attrs = [ f.get("name") for f in descriptor_model.fields ] attrs = sorted(set(dts_attrs).union(set(df_attrs))) log.debug(" DTS+Fields: %s, %s", ti.derived_table_schema.__name__, descriptor_model.__name__) for n in attrs: # !+DECL special cases, do not override domain.zcml... if n in ("response_text",): continue _view_protected.add(n); _edit_protected.add(n) pv = pv_type pe = pe_type model_field = descriptor_model.get(n) if model_field: if descriptor_model.scope != "custom": # !+DECL proceed as before for now pv = model_field.view_permission # always "zope.Public" pe = model_field.edit_permission # always "zope.ManageContent" # !+DECL parametrize all permissions by type AND mode, ensure to grant # to appropriate roles. What about non-workflows or non-catalyzed types? protectName(domain_model, n, pv) protectSetAttribute(domain_model, n, pe) DTS = n in dts_attrs and "dts" or " " DF = n in df_attrs and "df" or " " log.debug(" %s %s [%s] view:%s edit:%s %x", DTS, DF, n, pv, pe, id(model_field)) if n not in domain_model.__dict__: log.debug(" ---- [%s] !+SCHEMA_FIELDS not in %s.__dict__", n, domain_model) # container attributes (never a UI Field for these) log.debug(" __dict__: %s" % (domain_model)) for k in sorted(domain_model.__dict__.keys()): # !+ if IManagedContainer.providedBy(v): ? v = domain_model.__dict__[k] if isinstance(v, ManagedContainerDescriptor): if k in _view_protected: log.debug(" ---- %s RESETTING...", k) _view_protected.add(k) log.debug(" managed %s view:%s" % (k, "zope.Public")) elif isinstance(v, orm.attributes.InstrumentedAttribute): if k in _view_protected: log.debug(" ---- %s RESETTING...", k) _view_protected.add(k) log.debug(" instrumented [%s] view:%s", k, "zope.Public") else: log.debug(" ---- [%s] !+SCHEMA_FIELD IN __dict__ but NOT " "instrumented OR managed", k) continue if k not in attrs: log.debug(" ---- [%s] !+SCHEMA_FIELDS not in attrs", k) protectName(domain_model, k, "zope.Public") #!+pv_type # Dump permission_id required to getattr/setattr for "custom" types. # We only dump the security settings for "custom" types as it only these # are processed AFTER that domain.zcml has been executed (for other types, # loaded earlier during app startup, it is the settings in domain.zcml # (executed later during app startup) that ends up applying. if descriptor_model.scope == "custom": from zope.security import proxy, checker dmc = checker.getChecker(proxy.ProxyFactory(domain_model())) log.debug(" checker: %s", dmc) for n in sorted(_view_protected.union(["response_text"])): g = dmc.get_permissions.get(n) s = dmc.set_permissions.get(n) #dmc.setattr_permission_id(n) log.debug(" [%s] get:%s set:%s", n, getattr(g, "__name__", g), s)
def test_set_permissions(self): checker = getChecker(self.public_projectgroup_milestone) self.checkPermissions(self.expected_set_permissions, checker.set_permissions, 'set')
def test_set_permissions(self): milestone = self.factory.makeMilestone() checker = getChecker(milestone) self.checkPermissions(self.expected_set_permissions, checker.set_permissions, 'set')
def test_set_permissions(self): checker = getChecker(self.public_projectgroup_milestone) self.checkPermissions( self.expected_set_permissions, checker.set_permissions, 'set')
def test_set_permissions(self): milestone = self.factory.makeMilestone() checker = getChecker(milestone) self.checkPermissions( self.expected_set_permissions, checker.set_permissions, 'set')