Esempio n. 1
def test_requires_decorator():
    """Exercise ``require``-guarded methods on a class with its own role provider.

    The identity provider always returns the first user (id 1234, role
    ``editor``). The guarded ``view`` and ``edit`` methods are called on that
    user and on a second user (id 5678, role ``viewer``). Only ``edit`` on
    the second user is expected to be refused.
    """
    authz = Authorizer(default_permissions)

    @authz.class_role_provider('get_roles')
    class ProtectedUser(User):
        def get_roles(self, user):
            # Hand out 'user_admin' only when same_user() accepts the pair.
            if same_user(self, user):
                return 'user_admin'
            return None

        @authz.require('user_view')
        def view(self):
            return 'viewed'

        @authz.require('user_edit')
        def edit(self):
            return 'edited'

    editor = ProtectedUser(1234, ['editor'])
    viewer = ProtectedUser(5678, ['viewer'])

    authz.identity_provider(lambda: editor)
    authz.default_role_provider(lambda u, _: u.roles)

    # Allowed calls: the guard lets the call through and the method's own
    # return value comes back unchanged.
    assert editor.view() == 'viewed'
    assert editor.edit() == 'edited'
    assert viewer.view() == 'viewed'

    # Denied call: this is the access-control case. Editing another user's
    # object must raise NotAuthorized instead of returning a value.
    with pytest.raises(NotAuthorized):
        viewer.edit()
Esempio n. 2
def test_undefined_role():
    """Check that the non-strict authorizer answers with a denial, not an error.

    The acting user carries a single role spelled ``non-existing-role-name``.
    Both queries below must come back falsy without raising.

    NOTE(review): presumably neither ``non-existing-role-name`` nor
    ``non-existing-permission`` is declared in ``default_permissions``;
    confirm against its definition.
    """
    authz = Authorizer(default_permissions)

    @authz.class_role_provider('get_roles')
    class ProtectedUser(User):
        def get_roles(self, user):
            return 'user_admin'

    subject = ProtectedUser(1234, ['non-existing-role-name'])
    authz.identity_provider(lambda: subject)
    authz.default_role_provider(lambda u, _: u.roles)

    # Fail-closed expectation: each lookup has to be refused.
    for permission in ('non-existing-permission', 'user_view'):
        assert not authz.is_allowed(permission, subject)
Esempio n. 3
def test_undefined_role_strict():
    """Check that an authorizer built with ``strict=True`` raises on these lookups.

    The acting user carries a single role spelled ``non-existing-role-name``.
    Each query below must raise ``NotDefinedError`` rather than return an
    answer.

    NOTE(review): presumably the role and the first permission name are
    absent from ``default_permissions``; confirm against its definition.
    """
    authz = Authorizer(default_permissions, strict=True)

    @authz.class_role_provider('get_roles')
    class ProtectedUser(User):
        def get_roles(self, user):
            return 'user_admin'

    subject = ProtectedUser(1234, ['non-existing-role-name'])
    authz.identity_provider(lambda: subject)
    authz.default_role_provider(lambda u, _: u.roles)

    # In strict mode a misspelt name is reported loudly instead of being
    # folded into an ordinary denial.
    for permission in ('non-existing-permission', 'user_view'):
        with pytest.raises(NotDefinedError):
            authz.is_allowed(permission, subject)
Esempio n. 4
def test_object_permissions():
    """Check per-object decisions made by a role provider registered for ``Article``.

    The acting identity is a user with id 1234 and role ``editor``. The
    provider answers ``admin`` for articles that user created and ``viewer``
    for all others.

    NOTE(review): another example on this page defines a test with this same
    name. If both sit in one module, the later definition replaces the
    earlier one and only one of them is collected.
    """
    authz = Authorizer(default_permissions)
    authz.identity_provider(lambda: User(1234, ['editor']))
    authz.default_role_provider(lambda u, _: u.roles)

    @authz.role_provider(Article)
    def role_provider(user, obj):
        if user.id == obj.created_by:
            return 'admin'
        return 'viewer'

    # Article created by the acting user: both operations are allowed.
    own_article = Article(created_by=1234)
    assert authz.is_allowed('article_delete', own_article)
    assert authz.is_allowed('article_view', own_article)

    # Article created by someone else: viewing stays allowed, deleting must
    # be refused.
    foreign_article = Article(created_by=5678)
    assert not authz.is_allowed('article_delete', foreign_article)
    assert authz.is_allowed('article_view', foreign_article)
Esempio n. 5
def test_object_permissions():
    """Check per-object decisions when the provider is attached to a subclass.

    ``ProtectedArticle`` is decorated with ``context_role_provider`` and the
    externally defined ``owner_role`` callable. The acting identity is a user
    with id 1234 and role ``editor``.

    NOTE(review): ``owner_role`` is not shown here; presumably it grants an
    owner-level role when the user created the article. Confirm.
    NOTE(review): another example on this page defines a test with this same
    name. If both sit in one module, the later definition replaces the
    earlier one and only one of them is collected.
    """
    authz = Authorizer(default_permissions)
    authz.identity_provider(lambda: User(1234, ['editor']))
    authz.default_role_provider(lambda u, _: u.roles)

    @authz.context_role_provider(owner_role)
    class ProtectedArticle(Article):
        pass

    # Article created by the acting user: both operations are allowed.
    own_article = ProtectedArticle(created_by=1234)
    assert authz.is_allowed('article_delete', own_article)
    assert authz.is_allowed('article_view', own_article)

    # Article created by someone else: viewing stays allowed, deleting must
    # be refused.
    foreign_article = ProtectedArticle(created_by=5678)
    assert not authz.is_allowed('article_delete', foreign_article)
    assert authz.is_allowed('article_view', foreign_article)
Esempio n. 6
def test_object_permissions_set_provider():
    """Check per-object decisions with a provider registered by ``set_role_provider``.

    The provider is a plain function passed by keyword for the ``Article``
    type. It returns ``['admin']`` for articles created by the acting user
    (id 1234, role ``editor``) and an empty list otherwise.
    """
    authz = Authorizer(default_permissions)
    authz.identity_provider(lambda: User(1234, ['editor']))
    authz.default_role_provider(lambda u, _: u.roles)

    def get_roles(user, article):
        if user.id == article.created_by:
            return ['admin']
        return []

    authz.set_role_provider(for_type=Article, provider=get_roles)

    # Article created by the acting user: both operations are allowed.
    own_article = Article(created_by=1234)
    assert authz.is_allowed('article_delete', own_article)
    assert authz.is_allowed('article_view', own_article)

    # No contextual role for someone else's article: deleting must be
    # refused while viewing is still allowed.
    foreign_article = Article(created_by=5678)
    assert not authz.is_allowed('article_delete', foreign_article)
    assert authz.is_allowed('article_view', foreign_article)
Esempio n. 7
def test_object_permissions_named_provider():
    """Check per-object decisions when the provider is named as a method.

    ``context_role_provider`` receives the string ``'get_roles'`` and the
    decorated class defines a method of that name. The method returns
    ``['admin']`` for articles created by the acting user (id 1234, role
    ``editor``) and an empty list otherwise.
    """
    authz = Authorizer(default_permissions)
    authz.identity_provider(lambda: User(1234, ['editor']))
    authz.default_role_provider(lambda u, _: u.roles)

    @authz.context_role_provider('get_roles')
    class ProtectedArticle(Article):
        def get_roles(self, user):
            if user.id == self.created_by:
                return ['admin']
            return []

    # Article created by the acting user: both operations are allowed.
    own_article = ProtectedArticle(created_by=1234)
    assert authz.is_allowed('article_delete', own_article)
    assert authz.is_allowed('article_view', own_article)

    # No contextual role for someone else's article: deleting must be
    # refused while viewing is still allowed.
    foreign_article = ProtectedArticle(created_by=5678)
    assert not authz.is_allowed('article_delete', foreign_article)
    assert authz.is_allowed('article_view', foreign_article)
Esempio n. 8
def test_object_permissions_without_inheritance():
    """Check per-object decisions on plain ``User`` instances.

    A role provider is registered for the ``User`` type itself, with no
    subclass involved. It returns ``user_admin`` when ``same_user`` accepts
    the acting user and the object, and None otherwise. The acting identity
    is the first user (id 1234, role ``editor``).

    NOTE(review): another example on this page defines a test with this same
    name. If both sit in one module, the later definition replaces the
    earlier one and only one of them is collected.
    """
    authz = Authorizer(default_permissions)

    @authz.role_provider(User)
    def role_provider(user, ctx):
        if same_user(user, ctx):
            return 'user_admin'
        return None

    editor = User(1234, ['editor'])
    viewer = User(5678, ['viewer'])

    authz.identity_provider(lambda: editor)
    authz.default_role_provider(lambda u, _: u.roles)

    # The acting user looking at its own record: both operations are allowed.
    assert authz.is_allowed('user_view', editor)
    assert authz.is_allowed('user_edit', editor)

    # The acting user looking at another record: view only, edit must be
    # refused.
    assert authz.is_allowed('user_view', viewer)
    assert not authz.is_allowed('user_edit', viewer)
Esempio n. 9
def test_object_permissions_without_inheritance():
    """Check per-object decisions with an inline callable as role provider.

    ``context_role_provider`` receives a lambda that returns ``user_admin``
    when ``same_user`` accepts the acting user and the object, and None
    otherwise. The acting identity is the first user (id 1234, role
    ``editor``).

    NOTE(review): another example on this page defines a test with this same
    name. If both sit in one module, the later definition replaces the
    earlier one and only one of them is collected.
    """
    authz = Authorizer(default_permissions)

    @authz.context_role_provider(
        lambda u, o: 'user_admin' if same_user(u, o) else None
    )
    class ProtectedUser(User):
        pass

    editor = ProtectedUser(1234, ['editor'])
    viewer = ProtectedUser(5678, ['viewer'])

    authz.identity_provider(lambda: editor)
    authz.default_role_provider(lambda u, _: u.roles)

    # The acting user looking at its own record: both operations are allowed.
    assert authz.is_allowed('user_view', editor)
    assert authz.is_allowed('user_edit', editor)

    # The acting user looking at another record: view only, edit must be
    # refused.
    assert authz.is_allowed('user_view', viewer)
    assert not authz.is_allowed('user_edit', viewer)
Esempio n. 10
def test_object_permissions_child_class():
    """Check that a provider registered for ``Article`` covers a subclass.

    The provider is registered for the base type only, while every object
    queried is a ``ChildArticle``. The expected decisions match those for
    the owner and non-owner cases: the acting user (id 1234, role
    ``editor``) may delete only the article it created.
    """
    authz = Authorizer(default_permissions)
    authz.identity_provider(lambda: User(1234, ['editor']))
    authz.default_role_provider(lambda u, _: u.roles)

    @authz.role_provider(Article)
    def get_roles(user, article):
        if user.id == article.created_by:
            return ['admin']
        return []

    class ChildArticle(Article):
        pass

    # Subclass instance created by the acting user: both operations allowed.
    own_article = ChildArticle(created_by=1234)
    assert authz.is_allowed('article_delete', own_article)
    assert authz.is_allowed('article_view', own_article)

    # Subclass instance created by someone else: deleting must be refused
    # while viewing is still allowed.
    foreign_article = ChildArticle(created_by=5678)
    assert not authz.is_allowed('article_delete', foreign_article)
    assert authz.is_allowed('article_view', foreign_article)
Esempio n. 11
def test_class_role_provider():
    """Check ``is_allowed`` decisions for a class using ``class_role_provider``.

    The decorated class names its ``get_roles`` method as the provider. The
    method returns ``user_admin`` when ``same_user`` accepts the object and
    the acting user, and None otherwise. The acting identity is the first
    user (id 1234, role ``editor``).
    """
    authz = Authorizer(default_permissions)

    @authz.class_role_provider('get_roles')
    class ProtectedUser(User):
        def get_roles(self, user):
            if same_user(self, user):
                return 'user_admin'
            return None

    editor = ProtectedUser(1234, ['editor'])
    viewer = ProtectedUser(5678, ['viewer'])

    authz.identity_provider(lambda: editor)
    authz.default_role_provider(lambda u, _: u.roles)

    # Allowed: viewing either record, and editing the acting user's own one.
    assert authz.is_allowed('user_view', editor)
    assert authz.is_allowed('user_view', viewer)
    assert authz.is_allowed('user_edit', editor)

    # Denied: editing a record that belongs to a different user.
    assert not authz.is_allowed('user_edit', viewer)
Esempio n. 12
def test_default_permissions_inherited_no_context(role, permission, allowed):
    """Check a context-free ``is_allowed`` answer for one role/permission pair.

    ``role``, ``permission`` and ``allowed`` are supplied from outside this
    function; the parametrisation or fixtures that provide them are not shown
    here. The acting identity is a user with id 1234 holding only ``role``.
    The query passes no context object.
    """
    authz = Authorizer(default_permissions)
    authz.identity_provider(lambda: User(1234, [role]))
    authz.default_role_provider(lambda u, _: u.roles)

    decision = authz.is_allowed(permission)
    assert decision == allowed