def test_attachment_acls(dummy_event, dummy_user, create_user):
    """Check the ACL serialised for an attachment under each protection setup.

    The ``_access`` block dumped by an ``ACLSchema``-based schema is expected
    to list only ``IndicoAdmin`` for ``delete``/``owner``/``update``. Its
    ``read`` entry must be absent when the attachment is effectively public,
    and otherwise equal the exact set of principals that may read it.

    The scenarios mutate the same event, categories, folder and attachment
    cumulatively, so each assertion depends on every statement before it;
    reordering them changes what is being tested.
    """
    # NOTE(review): function-local import; presumably to keep the schemas
    # module from being imported at collection time -- confirm.
    from .schemas import ACLSchema

    # Minimal concrete schema: nothing but the ACLSchema fields, which is why
    # the dump below is compared against a dict holding only '_access'.
    class TestSchema(ACLSchema, mm.Schema):
        pass

    folder = AttachmentFolder(title='Dummy Folder',
                              description='a dummy folder')
    attachment = Attachment(folder=folder,
                            user=dummy_user,
                            title='Dummy Attachment',
                            type=AttachmentType.link,
                            link_url='https://example.com')
    # Link the folder to the event so that event/category protection is part
    # of the attachment's protection chain.
    attachment.folder.object = dummy_event

    def assert_acl(expected_read_acl):
        """Dump the attachment and compare its ``_access`` data.

        ``expected_read_acl`` is the set of principal identifiers expected
        under ``read``, or ``None`` when the dump should carry no read ACL.
        """
        # pytest convention: hide this helper's frame in failure tracebacks so
        # the failing scenario line in the test body is what gets reported.
        __tracebackhide__ = True
        data = schema.dump(attachment)
        # 'read' is checked separately; everything left must match exactly.
        read_acl = data['_access'].pop('read', None)
        # These stay admin-only in every scenario below, including after u3 is
        # granted full_access on the parent category.
        assert data == {
            '_access': {
                'delete': ['IndicoAdmin'],
                'owner': ['IndicoAdmin'],
                'update': ['IndicoAdmin']
            }
        }
        # Compare as a set: the order of the dumped principals is not asserted.
        if read_acl is not None:
            read_acl = set(read_acl)
        assert read_acl == expected_read_acl

    schema = TestSchema()
    # NOTE(review): the e-mail literals look redacted in this listing; all
    # three users are shown with the same masked value.
    u1 = create_user(1, email='*****@*****.**')
    u2 = create_user(2, email='*****@*****.**')
    u3 = create_user(3, email='*****@*****.**')

    # event is inheriting public, so no acl
    assert_acl(None)

    # event is protected and the acl is empty (nobody has regular access)
    dummy_event.protection_mode = ProtectionMode.protected
    assert_acl({'IndicoAdmin'})

    # Grant read access at three levels: event (u1), its category (u2) and the
    # parent category (u3). Later scenarios show which of these are inherited.
    dummy_event.update_principal(u1, read_access=True)
    dummy_event.category.update_principal(u2, read_access=True)
    dummy_event.category.parent.update_principal(u3, read_access=True)

    # event is self-protected: only its own entry (u1) counts, the category
    # entries (u2, u3) are not inherited
    assert_acl({'IndicoAdmin', 'User:1'})

    # event is inheriting from public categories, so there is no acl
    dummy_event.protection_mode = ProtectionMode.inheriting
    assert_acl(None)

    # event is itself public, so no acl here as well
    dummy_event.protection_mode = ProtectionMode.public
    assert_acl(None)

    # inheriting, so all parent acl entries
    dummy_event.protection_mode = ProtectionMode.inheriting
    dummy_event.category.parent.protection_mode = ProtectionMode.protected
    assert_acl({'IndicoAdmin', 'User:1', 'User:2', 'User:3'})

    # category protected, so no parent category acl inherited
    dummy_event.category.protection_mode = ProtectionMode.protected
    assert_acl({'IndicoAdmin', 'User:1', 'User:2'})

    # parent category acl entry is a manager (full_access): that one is
    # inherited even though the category below it is self-protected
    dummy_event.category.parent.update_principal(u3, full_access=True)
    assert_acl({'IndicoAdmin', 'User:1', 'User:2', 'User:3'})

    # attachment self-protected, only the category/event manager has access;
    # the folder entry added for u2 has no effect while the attachment does
    # not inherit from its folder
    folder.update_principal(u2, read_access=True)
    attachment.protection_mode = ProtectionMode.protected
    assert_acl({'IndicoAdmin', 'User:3'})

    # the user in the attachment acl has access as well
    attachment.update_principal(u1, read_access=True)
    # NOTE(review): protection_mode was already set to protected a few lines
    # above; this second assignment looks redundant.
    attachment.protection_mode = ProtectionMode.protected
    assert_acl({'IndicoAdmin', 'User:3', 'User:1'})

    # attachment inheriting from self-protected folder - only the folder acl is
    # used: u1's attachment-level entry no longer applies, u2's folder entry
    # does, and the manager u3 keeps access
    attachment.protection_mode = ProtectionMode.inheriting
    folder.protection_mode = ProtectionMode.protected
    assert_acl({'IndicoAdmin', 'User:3', 'User:2'})