def _filterResult(self, result): """ Filter recent activity eliminating those tags the user doesn't have L{Operation.READ_TAG_VALUE} permissions for. @param result: A C{list} of C{(Tag.path, TagValue.objectID, AboutTagValue.value, TagValue.value, User.username, value.creationTime)} 6-tuples with the information about the recent tag values. @return: Same items in result minus the tags the user is not allowed to read. """ if not result: return [] pathsAndOperations = set( (path, Operation.READ_TAG_VALUE) for path, objectID, about, value, username, time in result) deniedOperations = checkPermissions(self._user, pathsAndOperations) deniedPaths = set(path for path, operation in deniedOperations) # FIXME: There's a potential problem with the filtering, which is that # we only ever fetch N recent items from the database, but with # filtering we might return N-M items (where M is the number of # inaccessible items). return [(path, objectID, about, value, username, time) for path, objectID, about, value, username, time in result if path not in deniedPaths]
def testCheckUserWithImplicitNestedNamespacePath(self): """ L{checkPermissions} does a recursive check to find the parent L{Namespace} when a path includes many unknown segments. """ values = [(u'username/nested/namespace', Operation.CREATE_NAMESPACE)] self.assertEqual([], checkPermissions(self.user, values))
def getTagsByObjects(self, objectIDs, permission=None): """See L{ObjectAPI.getTagsByObjects}. @param permission: Optionally, the permission the user must have for the L{Tag.path} to be included in the return result. Default is L{Operation.READ_TAG_VALUE}. """ if permission is None: permission = Operation.READ_TAG_VALUE # We have to call getTagsByObjects first, since we don't know which # Tag's the user has the requested permission for. tagPaths = self._api.getTagsByObjects(objectIDs) if tagPaths: pathsAndOperations = set() for objectID, paths in tagPaths.iteritems(): for path in paths: pathsAndOperations.add((path, permission)) deniedOperations = checkPermissions(self._user, pathsAndOperations) deniedPaths = set([path for path, operation in deniedOperations]) if not deniedPaths: return tagPaths result = {} for objectID, paths in tagPaths.iteritems(): allowedPaths = [ path for path in paths if path not in deniedPaths ] if allowedPaths: result[objectID] = allowedPaths return result else: return {}
def _filterResult(self, result): """ Filter recent activity eliminating those tags the user doesn't have L{Operation.READ_TAG_VALUE} permissions for. @param result: A C{list} of C{(Tag.path, TagValue.objectID, AboutTagValue.value, TagValue.value, User.username, value.creationTime)} 6-tuples with the information about the recent tag values. @return: Same items in result minus the tags the user is not allowed to read. """ if not result: return [] pathsAndOperations = set( (path, Operation.READ_TAG_VALUE) for path, objectID, about, value, username, time in result) deniedOperations = checkPermissions(self._user, pathsAndOperations) deniedPaths = set(path for path, operation in deniedOperations) # FIXME: There's a potential problem with the filtering, which is that # we only ever fetch N recent items from the database, but with # filtering we might return N-M items (where M is the number of # inaccessible items). return [(path, objectID, about, value, username, time) for path, objectID, about, value, username, time in result if path not in deniedPaths]
def getTagsByObjects(self, objectIDs, permission=None): """See L{ObjectAPI.getTagsByObjects}. @param permission: Optionally, the permission the user must have for the L{Tag.path} to be included in the return result. Default is L{Operation.READ_TAG_VALUE}. """ if permission is None: permission = Operation.READ_TAG_VALUE # We have to call getTagsByObjects first, since we don't know which # Tag's the user has the requested permission for. tagPaths = self._api.getTagsByObjects(objectIDs) if tagPaths: pathsAndOperations = set() for objectID, paths in tagPaths.iteritems(): for path in paths: pathsAndOperations.add((path, permission)) deniedOperations = checkPermissions(self._user, pathsAndOperations) deniedPaths = set([path for path, operation in deniedOperations]) if not deniedPaths: return tagPaths result = {} for objectID, paths in tagPaths.iteritems(): allowedPaths = [path for path in paths if path not in deniedPaths] if allowedPaths: result[objectID] = allowedPaths return result else: return {}
def testCheckUserWithImplicitNestedNamespacePath(self): """ L{checkPermissions} does a recursive check to find the parent L{Namespace} when a path includes many unknown segments. """ values = [(u'username/nested/namespace', Operation.CREATE_NAMESPACE)] self.assertEqual([], checkPermissions(self.user, values))
def testCheckUserWithImplicitTagPath(self): """ L{checkPermissions} ignores an unknown path when a L{Operation.WRITE_TAG_VALUE} operation is requested and when the user has L{Operation.CREATE_NAMESPACE} access on the parent L{Namespace}. """ values = [(u'username/unknown', Operation.WRITE_TAG_VALUE)] self.assertEqual([], checkPermissions(self.user, values))
def testCheckUserWithFluidDBSlashIDVirtualPath(self): """ An L{UnknownPathError} is not raised when the special C{fluiddb/id} virtual tag is encountered and L{Tag}-related permission checks always succeed. """ values = [(u'fluiddb/id', Operation.READ_TAG_VALUE)] self.assertEqual([], checkPermissions(self.user, values))
def testCheckUpdateUserIsAllowedForTheOwnUser(self): """ L{checkPermissions} allows C{UPDATE_USER} access for normal users if the requesting user is the same modified user. """ values = [(u'username', Operation.UPDATE_USER)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([], deniedOperations)
def testCheckUserWithFluidDBSlashIDVirtualPath(self): """ An L{UnknownPathError} is not raised when the special C{fluiddb/id} virtual tag is encountered and L{Tag}-related permission checks always succeed. """ values = [(u'fluiddb/id', Operation.READ_TAG_VALUE)] self.assertEqual([], checkPermissions(self.user, values))
def testCheckCreateObjectIsAlwaysGrantedForNormalUser(self): """ L{checkPermissions} always grants C{CREATE_OBJECT} access for normal users. """ values = [(u'', Operation.CREATE_OBJECT)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([], deniedOperations)
def testCheckCreateObjectIsAlwaysGrantedForNormalUser(self): """ L{checkPermissions} always grants C{CREATE_OBJECT} access for normal users. """ values = [(u'', Operation.CREATE_OBJECT)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([], deniedOperations)
def testCheckUserWithImplicitTagPath(self): """ L{checkPermissions} ignores an unknown path when a L{Operation.WRITE_TAG_VALUE} operation is requested and when the user has L{Operation.CREATE_NAMESPACE} access on the parent L{Namespace}. """ values = [(u'username/unknown', Operation.WRITE_TAG_VALUE)] self.assertEqual([], checkPermissions(self.user, values))
def testCheckUpdateUserIsAllowedForTheOwnUser(self): """ L{checkPermissions} allows C{UPDATE_USER} access for normal users if the requesting user is the same modified user. """ values = [(u'username', Operation.UPDATE_USER)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([], deniedOperations)
def testCheckDeleteRootNamespaceIsAlwaysDeniedForNormalUser(self): """ L{checkPermissions} always denies C{DELETE_NAMESPACE} access on the root namespace for normal users. """ values = [(u'username', Operation.DELETE_NAMESPACE)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([(u'username', Operation.DELETE_NAMESPACE)], deniedOperations)
def testCheckCreateUserIsAlwaysDeniedForAnonymousUser(self): """ L{checkPermissions} always denies C{CREATE_USER} access for anonymous users. """ anonymous = self.system.users[u'anon'] values = [(u'anon', Operation.CREATE_USER)] deniedOperations = checkPermissions(anonymous, values) self.assertEqual([(u'anon', Operation.CREATE_USER)], deniedOperations)
def testCheckUserWithImplicitNamespacePath(self): """ L{checkPermissions} ignores an unknown path when a L{Operation.CREATE_NAMESPACE} operation is requested and when the user has L{Operation.CREATE_NAMESPACE} access on the final existing parent's L{Namespace}. """ values = [(u'username/namespace', Operation.CREATE_NAMESPACE)] self.assertEqual([], checkPermissions(self.user, values))
def testCheckCreateUserIsAlwaysDeniedForNormalUser(self): """ L{checkPermissions} always denies C{CREATE_USER} access for normal users. """ values = [(u'username', Operation.CREATE_USER)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([(u'username', Operation.CREATE_USER)], deniedOperations)
def testCheckDeleteRootNamespaceIsAlwaysDeniedForNormalUser(self): """ L{checkPermissions} always denies C{DELETE_NAMESPACE} access on the root namespace for normal users. """ values = [(u'username', Operation.DELETE_NAMESPACE)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([(u'username', Operation.DELETE_NAMESPACE)], deniedOperations)
def testCheckCreateUserIsAlwaysDeniedForNormalUser(self): """ L{checkPermissions} always denies C{CREATE_USER} access for normal users. """ values = [(u'username', Operation.CREATE_USER)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([(u'username', Operation.CREATE_USER)], deniedOperations)
def testCheckUserWithImplicitNamespacePath(self): """ L{checkPermissions} ignores an unknown path when a L{Operation.CREATE_NAMESPACE} operation is requested and when the user has L{Operation.CREATE_NAMESPACE} access on the final existing parent's L{Namespace}. """ values = [(u'username/namespace', Operation.CREATE_NAMESPACE)] self.assertEqual([], checkPermissions(self.user, values))
def testCheckUserWithImplicitTagAndNamespace(self): """ L{checkPermissions} ignores an unknown path when a L{Operation.WRITE_TAG_VALUE} operation is requested and when the user has L{Operation.CREATE_NAMESPACE} access on the final existing parent's L{Namespace}. """ values = set([(u'username/tag', Operation.WRITE_TAG_VALUE), (u'username/namespace/tag', Operation.WRITE_TAG_VALUE)]) self.assertEqual([], checkPermissions(self.user, values))
def testCheckDeleteRootNamespaceIsAlwaysDeniedForAnonymous(self): """ L{checkPermissions} always denies C{DELETE_NAMESPACE} access on the root namespace for anonymous users. """ anonymous = self.system.users[u'anon'] values = [(u'anon', Operation.DELETE_NAMESPACE)] deniedOperations = checkPermissions(anonymous, values) self.assertEqual([(u'anon', Operation.DELETE_NAMESPACE)], deniedOperations)
def testCheckAnonymousWithImplicitPath(self): """ L{checkPermissions} denies prevents L{Role.ANONYMOUS} L{User}s from implicitly creating tags because the anoymous user is not allowed to perform L{Operation.WRITE_TAG_VALUE} operations. """ anonymous = self.system.users[u'anon'] values = [(u'anon/path', Operation.WRITE_TAG_VALUE)] self.assertEqual([(u'anon/path', Operation.WRITE_TAG_VALUE)], checkPermissions(anonymous, values))
def testCheckAnonymousWithImplicitPath(self): """ L{checkPermissions} denies prevents L{Role.ANONYMOUS} L{User}s from implicitly creating tags because the anoymous user is not allowed to perform L{Operation.WRITE_TAG_VALUE} operations. """ anonymous = self.system.users[u'anon'] values = [(u'anon/path', Operation.WRITE_TAG_VALUE)] self.assertEqual([(u'anon/path', Operation.WRITE_TAG_VALUE)], checkPermissions(anonymous, values))
def testCheckUserWithImplicitTagAndNamespace(self): """ L{checkPermissions} ignores an unknown path when a L{Operation.WRITE_TAG_VALUE} operation is requested and when the user has L{Operation.CREATE_NAMESPACE} access on the final existing parent's L{Namespace}. """ values = set([(u'username/tag', Operation.WRITE_TAG_VALUE), (u'username/namespace/tag', Operation.WRITE_TAG_VALUE)]) self.assertEqual([], checkPermissions(self.user, values))
def testCheckCreateUserIsAlwaysDeniedForAnonymousUser(self): """ L{checkPermissions} always denies C{CREATE_USER} access for anonymous users. """ anonymous = self.system.users[u'anon'] values = [(u'anon', Operation.CREATE_USER)] deniedOperations = checkPermissions(anonymous, values) self.assertEqual([(u'anon', Operation.CREATE_USER)], deniedOperations)
def testCheckDeleteRootNamespaceIsAlwaysDeniedForAnonymous(self): """ L{checkPermissions} always denies C{DELETE_NAMESPACE} access on the root namespace for anonymous users. """ anonymous = self.system.users[u'anon'] values = [(u'anon', Operation.DELETE_NAMESPACE)] deniedOperations = checkPermissions(anonymous, values) self.assertEqual([(u'anon', Operation.DELETE_NAMESPACE)], deniedOperations)
def create(self, value=None): """See L{ObjectAPI.create}. @raises PermissionDeniedError: Raised if the user is not authorized to create objects. """ pathsAndOperations = [(None, Operation.CREATE_OBJECT)] deniedOperations = checkPermissions(self._user, pathsAndOperations) if deniedOperations: raise PermissionDeniedError(self._user.username, deniedOperations) return self._api.create(value)
def testCheckUpdateUserIsDeniedForOtherNormalUsers(self): """ L{checkPermissions} denies C{UPDATE_USER} access for normal users except the own user. """ UserAPI().create([(u'otheruser', u'password', u'User', u'*****@*****.**')]) values = [(u'otheruser', Operation.UPDATE_USER)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([(u'otheruser', Operation.UPDATE_USER)], deniedOperations)
def testCheckUserManagerHasAccessToPerformUserOperations(self): """ L{checkPermissions} always allows user L{Operation}s for L{Role.USER_MANAGER} users. """ self.user.role = Role.USER_MANAGER values = [(u'username', Operation.CREATE_USER), (u'username', Operation.UPDATE_USER), (u'username', Operation.DELETE_USER)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([], deniedOperations)
def testCheckUpdateUserIsDeniedForOtherNormalUsers(self): """ L{checkPermissions} denies C{UPDATE_USER} access for normal users except the own user. """ UserAPI().create([(u'otheruser', u'password', u'User', u'*****@*****.**')]) values = [(u'otheruser', Operation.UPDATE_USER)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([(u'otheruser', Operation.UPDATE_USER)], deniedOperations)
def create(self, value=None): """See L{ObjectAPI.create}. @raises PermissionDeniedError: Raised if the user is not authorized to create objects. """ pathsAndOperations = [(None, Operation.CREATE_OBJECT)] deniedOperations = checkPermissions(self._user, pathsAndOperations) if deniedOperations: raise PermissionDeniedError(self._user.username, deniedOperations) return self._api.create(value)
def testCheckUserManagerHasAccessToPerformUserOperations(self): """ L{checkPermissions} always allows user L{Operation}s for L{Role.USER_MANAGER} users. """ self.user.role = Role.USER_MANAGER values = [(u'username', Operation.CREATE_USER), (u'username', Operation.UPDATE_USER), (u'username', Operation.DELETE_USER)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([], deniedOperations)
def testCheckClosedPermissionWithException(self): """ L{checkPermissions} grants access when the policy is C{Policy.OPEN} and the L{User.id} is in the exceptions list. """ TagAPI(self.user).create([(u'username/tag', u'description')]) self.permissions.set([(u'username/tag', Operation.UPDATE_TAG, Policy.CLOSED, [u'username'])]) values = [(u'username/tag', Operation.UPDATE_TAG)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([], deniedOperations)
def testCheckClosedPermissionWithException(self): """ L{checkPermissions} grants access when the policy is C{Policy.OPEN} and the L{User.id} is in the exceptions list. """ TagAPI(self.user).create([(u'username/tag', u'description')]) self.permissions.set([(u'username/tag', Operation.UPDATE_TAG, Policy.CLOSED, [u'username'])]) values = [(u'username/tag', Operation.UPDATE_TAG)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([], deniedOperations)
def set(self, values): """See L{UserAPI.set}. @raises PermissionDeniedError: Raised if the user is not a superuser and tries to set values for a L{User}. """ actions = [(username, Operation.UPDATE_USER) for username, password, fullname, email, role in values] deniedActions = checkPermissions(self._user, actions) if deniedActions: raise PermissionDeniedError(self._user.username, deniedActions) return self._api.set(values)
def set(self, values): """See L{UserAPI.set}. @raises PermissionDeniedError: Raised if the user is not a superuser and tries to set values for a L{User}. """ actions = [(username, Operation.UPDATE_USER) for username, password, fullname, email, role in values] deniedActions = checkPermissions(self._user, actions) if deniedActions: raise PermissionDeniedError(self._user.username, deniedActions) return self._api.set(values)
def set(self, values): """See L{TagAPI.set}. @raises PermissionDeniedError: Raised if the user is not authorized to update L{Tag}s. """ pathsAndOperations = [(path, Operation.UPDATE_TAG) for path in values.iterkeys()] deniedOperations = checkPermissions(self._user, pathsAndOperations) if deniedOperations: raise PermissionDeniedError(self._user.username, deniedOperations) return self._api.set(values)
def create(self, values): """See L{TagAPI.create}. @raises PermissionDeniedError: Raised if the user is not authorized to create L{Tag}s. """ pathsAndOperations = [(getParentPath(path), Operation.CREATE_NAMESPACE) for path, description in values] deniedOperations = checkPermissions(self._user, pathsAndOperations) if deniedOperations: raise PermissionDeniedError(self._user.username, deniedOperations) return self._api.create(values)
def create(self, values): """See L{TagAPI.create}. @raises PermissionDeniedError: Raised if the user is not authorized to create L{Tag}s. """ pathsAndOperations = [(getParentPath(path), Operation.CREATE_NAMESPACE) for path, description in values] deniedOperations = checkPermissions(self._user, pathsAndOperations) if deniedOperations: raise PermissionDeniedError(self._user.username, deniedOperations) return self._api.create(values)
def set(self, values): """See L{TagAPI.set}. @raises PermissionDeniedError: Raised if the user is not authorized to update L{Tag}s. """ pathsAndOperations = [(path, Operation.UPDATE_TAG) for path in values.iterkeys()] deniedOperations = checkPermissions(self._user, pathsAndOperations) if deniedOperations: raise PermissionDeniedError(self._user.username, deniedOperations) return self._api.set(values)
def testCheckUserWithMissingPermission(self): """ L{checkPermissions} denies the operation if, for some reason, a permission is not available for the entity being requested. """ TagAPI(self.user).create([(u'username/tag', u'description')]) # FIXME: don't use data functions here. [(tag, permission)] = getTagPermissions([u'username/tag']) self.store.remove(permission) values = [(u'username/tag', Operation.UPDATE_TAG)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([(u'username/tag', Operation.UPDATE_TAG)], deniedOperations)
def create(self, values, createPrivateNamespace=None): """See L{UserAPI.create}. @raises PermissionDeniedError: Raised if the user is not a superuser and tries to create a new L{User}. """ actions = [(username, Operation.CREATE_USER) for username, password, fullname, email in values] deniedActions = checkPermissions(self._user, actions) if deniedActions: raise PermissionDeniedError(self._user.username, deniedActions) return self._api.create(values, createPrivateNamespace=createPrivateNamespace)
def delete(self, usernames): """See L{UserAPI.delete}. @raises PermissionDeniedError: Raised if the user is not a superuser and tries to delete a L{User}. """ if isgenerator(usernames): usernames = list(usernames) actions = [(username, Operation.DELETE_USER) for username in usernames] deniedActions = checkPermissions(self._user, actions) if deniedActions: raise PermissionDeniedError(self._user.username, deniedActions) return self._api.delete(usernames)
def testCheckUserWithMissingPermission(self): """ L{checkPermissions} denies the operation if, for some reason, a permission is not available for the entity being requested. """ TagAPI(self.user).create([(u'username/tag', u'description')]) # FIXME: don't use data functions here. [(tag, permission)] = getTagPermissions([u'username/tag']) self.store.remove(permission) values = [(u'username/tag', Operation.UPDATE_TAG)] deniedOperations = checkPermissions(self.user, values) self.assertEqual([(u'username/tag', Operation.UPDATE_TAG)], deniedOperations)
def delete(self, paths): """See L{TagAPI.delete}. @raises PermissionDeniedError: Raised if the user is not authorized to delete L{Tag}s. """ if isgenerator(paths): paths = list(paths) pathsAndOperations = [(path, Operation.DELETE_TAG) for path in paths] deniedOperations = checkPermissions(self._user, pathsAndOperations) if deniedOperations: raise PermissionDeniedError(self._user.username, deniedOperations) return self._api.delete(paths)
def delete(self, paths): """See L{TagAPI.delete}. @raises PermissionDeniedError: Raised if the user is not authorized to delete L{Tag}s. """ if isgenerator(paths): paths = list(paths) pathsAndOperations = [(path, Operation.DELETE_TAG) for path in paths] deniedOperations = checkPermissions(self._user, pathsAndOperations) if deniedOperations: raise PermissionDeniedError(self._user.username, deniedOperations) return self._api.delete(paths)
def delete(self, usernames): """See L{UserAPI.delete}. @raises PermissionDeniedError: Raised if the user is not a superuser and tries to delete a L{User}. """ if isgenerator(usernames): usernames = list(usernames) actions = [(username, Operation.DELETE_USER) for username in usernames] deniedActions = checkPermissions(self._user, actions) if deniedActions: raise PermissionDeniedError(self._user.username, deniedActions) return self._api.delete(usernames)
def create(self, values, createPrivateNamespace=None): """See L{UserAPI.create}. @raises PermissionDeniedError: Raised if the user is not a superuser and tries to create a new L{User}. """ actions = [(username, Operation.CREATE_USER) for username, password, fullname, email in values] deniedActions = checkPermissions(self._user, actions) if deniedActions: raise PermissionDeniedError(self._user.username, deniedActions) return self._api.create(values, createPrivateNamespace=createPrivateNamespace)
def delete(self, values): """See L{TagValueAPI.delete}. @raise PermissionDeniedError: Raised if the user is not authorized to delete L{TagValue}s. """ if isgenerator(values): values = list(values) pathsAndOperations = set((path, Operation.DELETE_TAG_VALUE) for _, path, in values) deniedOperations = checkPermissions(self._user, pathsAndOperations) if deniedOperations: raise PermissionDeniedError(self._user.username, deniedOperations) return self._api.delete(values)
def set(self, values): """See L{TagValueAPI.set}. @raise PermissionDeniedError: Raised if the user is not authorized to create or update L{TagValue}s. """ pathsAndOperations = set() for tagValues in values.itervalues(): pathsAndOperations.update((path, Operation.WRITE_TAG_VALUE) for path in tagValues.iterkeys()) deniedOperations = checkPermissions(self._user, pathsAndOperations) if deniedOperations: raise PermissionDeniedError(self._user.username, deniedOperations) return self._api.set(values)
def testCheckAnonymousWithMissingPermission(self): """ L{checkPermissions} denies the operations, for some reason, a permission is not available for the entity being requested. """ anonymous = self.system.users[u'anon'] TagAPI(self.user).create([(u'username/tag', u'description')]) values = [(u'username/tag', Operation.READ_TAG_VALUE)] # FIXME: don't use data functions here. [(tag, permission)] = getTagPermissions([u'username/tag']) self.store.remove(permission) deniedOperations = checkPermissions(anonymous, values) self.assertEqual([(u'username/tag', Operation.READ_TAG_VALUE)], deniedOperations)
def testCheckAnonymousWithMissingPermission(self): """ L{checkPermissions} denies the operations, for some reason, a permission is not available for the entity being requested. """ anonymous = self.system.users[u'anon'] TagAPI(self.user).create([(u'username/tag', u'description')]) values = [(u'username/tag', Operation.READ_TAG_VALUE)] # FIXME: don't use data functions here. [(tag, permission)] = getTagPermissions([u'username/tag']) self.store.remove(permission) deniedOperations = checkPermissions(anonymous, values) self.assertEqual([(u'username/tag', Operation.READ_TAG_VALUE)], deniedOperations)
def testCheckWithSuperuser(self): """ L{checkPermissions} always grants access if the user is superuser. """ TagAPI(self.user).create([(u'username/path', u'description')]) NamespaceAPI(self.user).create([(u'username/path', u'description')]) superuser = self.system.users[u'fluiddb'] # Close all permissions for the tag values = [(u'username/path', operation, Policy.CLOSED, []) for operation in Operation.PATH_OPERATIONS] self.permissions.set(values) values = [(u'username/path', operation) for operation in Operation.PATH_OPERATIONS] deniedOperations = checkPermissions(superuser, values) self.assertEqual([], deniedOperations)
def getRecent(self, limit=None, olderThan=None, newerThan=None, filterTags=None, additionalTags=None): """See L{CommentAPI.getRecent}. @raise PermissionDeniedError: If the user lacks READ_TAG_VALUE permissions on any of the tag paths in additionalTags. """ if additionalTags is not None: pathsAndOperations = set((path, Operation.READ_TAG_VALUE) for path in additionalTags) deniedOperations = checkPermissions(self._user, pathsAndOperations) if deniedOperations: raise PermissionDeniedError(self._user.username, deniedOperations) return self._api.getRecent(limit, olderThan, newerThan, filterTags, additionalTags)
def testCheckWithSuperuser(self): """ L{checkPermissions} always grants access if the user is superuser. """ TagAPI(self.user).create([(u'username/path', u'description')]) NamespaceAPI(self.user).create([(u'username/path', u'description')]) superuser = self.system.users[u'fluiddb'] # Close all permissions for the tag values = [(u'username/path', operation, Policy.CLOSED, []) for operation in Operation.PATH_OPERATIONS] self.permissions.set(values) values = [(u'username/path', operation) for operation in Operation.PATH_OPERATIONS] deniedOperations = checkPermissions(superuser, values) self.assertEqual([], deniedOperations)
def getTagsForObjects(self, objectIDs): """See L{ObjectAPI.getTagsForObjects}.""" # We have to call getTagsForObjects first, since we don't know which # L{Tag}s the user has L{Operation.READ_TAG_VALUE} permission for. tagPaths = self._api.getTagsForObjects(objectIDs) if tagPaths: pathsAndOperations = set() for path in tagPaths: pathsAndOperations.add((path, Operation.READ_TAG_VALUE)) deniedOperations = checkPermissions(self._user, pathsAndOperations) deniedPaths = set([path for path, operation in deniedOperations]) if not deniedPaths: return tagPaths else: return [path for path in tagPaths if path not in deniedPaths] else: return []
def create(self, values): """See L{NamespaceAPI.create}. @raise PermissionDeniedError: Raised if the user is not authorized to create L{Namespace}s. """ paths = [] pathsAndOperations = [] for path, description in values: parentPath = getParentPath(path) pathsAndOperations.append((parentPath, Operation.CREATE_NAMESPACE)) paths.append(path) deniedOperations = checkPermissions(self._user, pathsAndOperations) if deniedOperations: raise PermissionDeniedError(self._user.username, deniedOperations) return self._api.create(values)