Esempio n. 1
    def setUp(self):
        """Create a stub environment with one dedicated subject per TAGS_* level.

        The default TAGS_VIEW / TAGS_MODIFY grants are revoked from
        'anonymous' and 'authenticated' first, so each permission check in
        the tests is decided only by the explicit 'reader', 'writer' and
        'admin' grants made here.
        """
        env = EnvironmentStub(enable=['trac.*', 'tractags.*'])
        env.path = tempfile.mkdtemp()
        # NOTE(review): the mkdtemp() directory has to be removed by the
        # matching tearDown, which is not visible in this excerpt.
        self.env = env

        self.tag_s = TagSystem(env)
        self.tag_rh = TagRequestHandler(env)

        self.db = env.get_db_cnx()
        tag_setup = TagSetup(env)
        # Enabling the component already initialised the tractags schema;
        # undo that so the upgrade below runs against a clean setup.
        self._revert_tractags_schema_init()
        tag_setup.upgrade_environment(self.db)

        perm_system = PermissionSystem(env)
        # Take the defaults away so that anonymous/authenticated sessions
        # hold no TAGS_* permission unless a test grants it explicitly.
        for subject, action in (('anonymous', 'TAGS_VIEW'),
                                ('authenticated', 'TAGS_MODIFY')):
            perm_system.revoke_permission(subject, action)
        for subject, action in (('reader', 'TAGS_VIEW'),
                                ('writer', 'TAGS_MODIFY'),
                                ('admin', 'TAGS_ADMIN')):
            perm_system.grant_permission(subject, action)

        # One permission cache per subject under test.
        self.anonymous = PermissionCache(env)
        self.reader = PermissionCache(env, 'reader')
        self.writer = PermissionCache(env, 'writer')
        self.admin = PermissionCache(env, 'admin')

        self.href = Href('/trac')
        self.abs_href = Href('http://example.org/trac')
Esempio n. 2
    def setUp(self):
        """Prepare a stub environment, a fresh tractags schema and graded users.

        The schema is reverted and upgraded before TagSystem and
        TagRequestHandler are instantiated. Default TAGS_* grants are then
        replaced by one subject per permission level ('reader', 'writer',
        'admin'), alongside an anonymous permission cache.
        """
        self.env = EnvironmentStub(enable=['trac.*', 'tractags.*'])
        self.env.path = tempfile.mkdtemp()
        # NOTE(review): cleanup of this temporary directory is expected in
        # tearDown, which this excerpt does not show.
        self.db = self.env.get_db_cnx()

        schema_setup = TagSetup(self.env)
        # The enabled component has set up the current schema already;
        # revert it to get a clean starting point for the upgrade.
        self._revert_tractags_schema_init()
        schema_setup.upgrade_environment(self.db)

        self.tag_s = TagSystem(self.env)
        self.tag_rh = TagRequestHandler(self.env)

        perm_system = PermissionSystem(self.env)
        revoked_defaults = [('anonymous', 'TAGS_VIEW'),
                            ('authenticated', 'TAGS_MODIFY')]
        explicit_grants = [('reader', 'TAGS_VIEW'),
                           ('writer', 'TAGS_MODIFY'),
                           ('admin', 'TAGS_ADMIN')]
        # Defaults go first: afterwards only the explicit grants below can
        # satisfy a TAGS_* check, which gives the tests distinct subjects.
        for subject, action in revoked_defaults:
            perm_system.revoke_permission(subject, action)
        for subject, action in explicit_grants:
            perm_system.grant_permission(subject, action)

        self.anonymous = PermissionCache(self.env)
        self.reader = PermissionCache(self.env, 'reader')
        self.writer = PermissionCache(self.env, 'writer')
        self.admin = PermissionCache(self.env, 'admin')

        self.href = Href('/trac')
        self.abs_href = Href('http://example.org/trac')
Esempio n. 3
    def test_change_milestone_requires_milestone_view(self):
        """Changing ticket milestone requires MILESTONE_VIEW.

        MILESTONE_VIEW is revoked from 'anonymous' and granted only to
        'user_w_mv'. The ticket view must then expose a non-editable
        milestone field with no options to 'user', and an editable field
        listing the milestones to 'user_w_mv'.
        """
        permissions = PermissionSystem(self.env)
        permissions.revoke_permission('anonymous', 'MILESTONE_VIEW')
        permissions.grant_permission('user_w_mv', 'MILESTONE_VIEW')
        self._insert_ticket(summary='the summary')

        def milestone_field_for(authname):
            # Render /ticket/1 as `authname` and pick the milestone field
            # out of the template data (None when it is missing).
            req = MockRequest(self.env, authname=authname, method='GET',
                              path_info='/ticket/1')
            self.assertTrue(self.ticket_module.match_request(req))
            data = self.ticket_module.process_request(req)[1]
            return next((field for field in data['fields']
                         if 'milestone' == field['name']), None)

        # Without MILESTONE_VIEW: read-only field and no milestone names
        # disclosed in either option group.
        denied = milestone_field_for('user')
        self.assertFalse(denied['editable'])
        self.assertEqual([], denied['optgroups'][0]['options'])
        self.assertEqual([], denied['optgroups'][1]['options'])

        # With MILESTONE_VIEW: editable field, second group lists them all.
        allowed = milestone_field_for('user_w_mv')
        self.assertTrue(allowed['editable'])
        self.assertEqual([], allowed['optgroups'][0]['options'])
        expected_names = ['milestone1', 'milestone2',
                          'milestone3', 'milestone4']
        self.assertEqual(expected_names, allowed['optgroups'][1]['options'])
Esempio n. 4
    def test_add_comment_requires_ticket_append(self):
        """Adding a ticket comment requires TICKET_APPEND.

        TICKET_MODIFY is revoked from 'authenticated'; 'user1' gets
        TICKET_APPEND and 'user2' only TICKET_CHGPROP. The same comment POST
        must be stored for 'user1' and rejected with a warning for 'user2'.
        """
        permissions = PermissionSystem(self.env)
        permissions.revoke_permission('authenticated', 'TICKET_MODIFY')
        permissions.grant_permission('user1', 'TICKET_APPEND')
        permissions.grant_permission('user2', 'TICKET_CHGPROP')
        ticket = self._insert_ticket(summary='the summary')
        comment = 'the comment'

        def post_comment_as(authname):
            # view_time is taken from the ticket's current changetime, so
            # each request is built against the latest stored state.
            last_change = Ticket(self.env, 1)['changetime']
            form = {'comment': comment, 'action': 'leave', 'submit': True,
                    'view_time': unicode(to_utimestamp(last_change))}
            return MockRequest(self.env, authname=authname, method='POST',
                               path_info='/ticket/1', args=form)

        # TICKET_APPEND holder: request completes and the comment is saved.
        accepted = post_comment_as('user1')
        self.assertTrue(self.ticket_module.match_request(accepted))
        self.assertRaises(RequestDone, self.ticket_module.process_request,
                          accepted)
        self.assertEqual([], accepted.chrome['warnings'])
        stored_change = ticket.get_change(1)
        self.assertEqual(comment, stored_change['fields']['comment']['new'])

        # TICKET_CHGPROP alone is not enough: exactly one warning is raised.
        rejected = post_comment_as('user2')
        self.assertTrue(self.ticket_module.match_request(rejected))
        self.ticket_module.process_request(rejected)
        warnings = rejected.chrome['warnings']
        self.assertEqual(1, len(warnings))
        self.assertEqual("No permissions to add a comment.",
                         unicode(warnings[0]))
Esempio n. 5
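 def remove_permissions(self, permissions):
     """Revoke the listed permissions from each agent, best effort.

     Args:
         permissions: mapping of agent name to a collection of permission
             names. If the collection contains '*', every permission that
             ``get_user_permissions(agent)`` reports with a true value is
             revoked instead.
     """
     perm = PermissionSystem(self.env)
     for agent, requested in permissions.items():
         if '*' in requested:
             # Wildcard: expand to whatever the agent currently holds.
             held = perm.get_user_permissions(agent)
             requested = [name for name, active in held.items() if active]
         for permission in requested:
             try:
                 perm.revoke_permission(agent, permission)
             except Exception:
                 # Narrowed from a bare ``except:`` so KeyboardInterrupt and
                 # SystemExit are no longer swallowed.
                 # NOTE(review): a failed revoke is skipped without any
                 # record, so the agent may still hold the permission;
                 # callers that depend on the revocation should verify it.
                 continue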
Esempio n. 6
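    def remove_permissions(self, permissions):
        """Revoke the given permissions from every agent, continuing on errors.

        Args:
            permissions: mapping of agent name to a collection of permission
                names. A collection containing '*' is replaced by all
                permissions for which ``get_user_permissions(agent)`` holds
                a true value.
        """
        perm = PermissionSystem(self.env)
        for agent, wanted in permissions.items():
            if '*' in wanted:
                # Wildcard entry: revoke everything the agent holds now.
                current = perm.get_user_permissions(agent)
                wanted = [name for name, enabled in current.items()
                          if enabled]
            for permission in wanted:
                try:
                    perm.revoke_permission(agent, permission)
                except Exception:
                    # A bare ``except:`` here also caught KeyboardInterrupt
                    # and SystemExit; only ordinary errors are ignored now.
                    # NOTE(review): the failure leaves the permission in
                    # place and nothing reports it; check the result
                    # afterwards where the revocation matters.
                    continue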
Esempio n. 7
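 def update_trac_permissions(self, group, env):
     """Align TRAC_ADMIN grants in ``env`` with the group's admin roles.

     In a dummy run only a note is emitted. Otherwise TRAC_ADMIN is granted
     to the lower-cased e-mail address of every matching role holder that
     has no permission entry yet, and revoked from every other subject that
     still holds it. Entries for 'anonymous' and 'authenticated' are
     ignored throughout.

     Args:
         group: object providing ``acronym``, ``role_set`` and
             ``features.admin_roles``.
         env: environment handed to ``PermissionSystem``.
     """
     if self.dummy_run:
         self.note("Would update Trac permissions for group '%s'" %
                   group.acronym)
         return
     self.note("Updating Trac permissions for group '%s'" %
               group.acronym)
     mgr = PermissionSystem(env)
     # Index the existing grants by subject. 'anonymous' and 'authenticated'
     # are left out, so they are never candidates for revocation below.
     permissions = {}
     for user, action in mgr.get_all_permissions():
         if user not in ('anonymous', 'authenticated'):
             permissions.setdefault(user, []).append(action)
     roles = (list(
         group.role_set.filter(name_id__in=set([
             'chair',
             'secr',
             'ad',
             'trac-admin',
         ] + group.features.admin_roles))) + list(
             self.secretariat.role_set.filter(name_id__in=[
                 'trac-admin',
             ])))
     admins = set()
     for role in roles:
         # NOTE(review): addresses are lower-cased here but compared with
         # stored subjects as-is; confirm stored subjects are lower-case too.
         user = role.email.address.lower()
         admins.add(user)
         # NOTE(review): a role holder with any existing permission entry
         # that lacks TRAC_ADMIN is skipped here; confirm this is intended.
         if user not in permissions:
             try:
                 mgr.grant_permission(user, 'TRAC_ADMIN')
                 self.note("  Granting admin permission for %s" % user)
             except TracError as e:
                 # The '%' operator was missing, which called the string and
                 # raised TypeError from inside this handler.
                 self.log("While adding admin permission for %s: %s" %
                          (user, e))
     for user in permissions:
         if user not in admins and 'TRAC_ADMIN' in permissions[user]:
             try:
                 self.note("  Revoking admin permission for %s" % user)
                 mgr.revoke_permission(user, 'TRAC_ADMIN')
             except TracError as e:
                 # A failed revoke leaves a former role holder with
                 # TRAC_ADMIN; this log line is the only trace of it.
                 self.log("While revoking admin permission for %s: %s" %
                          (user, e))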
Esempio n. 8
    def test_milestone_redirects_to_roadmap(self):
        """The path /milestone redirects to /roadmap.

        The redirect is checked twice: for a request whose permission set
        contains MILESTONE_VIEW and for one whose set does not, so the test
        pins that the redirect itself does not depend on that permission.
        """
        roadmap_url = 'http://example.org/trac.cgi/roadmap'

        def request_milestone(authname=None):
            # Issue GET /milestone and assert the 302 to the roadmap.
            req = MockRequest(self.env, authname=authname, method='GET',
                              path_info='/milestone')
            with self.assertRaises(RequestDone):
                self.mmodule.process_request(req)
            self.assertEqual(roadmap_url, req.headers_sent['Location'])
            self.assertEqual('302 Found', req._status)
            return req

        # Redirects for user with MILESTONE_VIEW
        with_view = request_milestone()
        self.assertIn('MILESTONE_VIEW', with_view.perm)

        # Redirects for user without MILESTONE_VIEW
        PermissionSystem(self.env).revoke_permission('anonymous',
                                                     'MILESTONE_VIEW')
        without_view = request_milestone('user1')
        self.assertNotIn('MILESTONE_VIEW', without_view.perm)
Esempio n. 9
    def process_admin_request(self, req, cat, page, path_info):
        """Handle the permission admin page: grant, group-add, revoke, render.

        A POST either grants ``action`` to ``subject``, grants ``group`` to
        ``subject``, or revokes every selected ``subject:action`` pair that
        exists in the permission list read at the start of the call. The
        current permissions are then written to ``req.hdf`` for the
        'admin_perm.cs' template.

        NOTE(review): no ``req.perm`` check is made inside this handler;
        presumably the caller restricts access to administrators. Confirm.
        """
        perm_system = PermissionSystem(self.env)
        granted = perm_system.get_all_permissions()
        subject = req.args.get('subject')
        action = req.args.get('action')
        group = req.args.get('group')

        if req.method == 'POST':
            adding = req.args.get('add')
            # Grant permission to subject
            if adding and subject and action:
                # Only names known to the permission system can be granted.
                if action not in perm_system.get_actions():
                    raise TracError('Unknown action')
                perm_system.grant_permission(subject, action)
                req.redirect(self.env.href.admin(cat, page))

            # Add subject to group
            elif adding and subject and group:
                # NOTE(review): unlike `action`, the group name is granted
                # without any validation in this branch.
                perm_system.grant_permission(subject, group)
                req.redirect(self.env.href.admin(cat, page))

            # Remove permissions action
            elif req.args.get('remove') and req.args.get('sel'):
                selected = req.args.get('sel')
                if not isinstance(selected, list):
                    selected = [selected]
                for key in selected:
                    # Keys have the form 'subject:action' and are split on
                    # the first ':'. NOTE(review): a key without ':' raises
                    # ValueError here, and a subject containing ':' would
                    # not survive the round trip.
                    sel_subject, sel_action = key.split(':', 1)
                    if (sel_subject, sel_action) in granted:
                        perm_system.revoke_permission(sel_subject, sel_action)
                req.redirect(self.env.href.admin(cat, page))

        # Order the listing by subject before handing it to the template.
        granted.sort(key=lambda entry: entry[0])
        req.hdf['admin.actions'] = perm_system.get_actions()
        rows = []
        for entry in granted:
            rows.append({'subject': entry[0],
                         'action': entry[1],
                         'key': '%s:%s' % entry})
        req.hdf['admin.perms'] = rows

        return 'admin_perm.cs', None
Esempio n. 10
    def render_admin_panel(self, req, cat, page, path_info):
        """Render the permission admin panel and process its POST actions.

        A POST is dispatched on which form arguments are present: grant an
        action to a subject, add a subject to a group, copy a subject's
        permissions to a target, or revoke the selected permissions. Each
        branch calls ``require()`` for PERMISSION_GRANT or PERMISSION_REVOKE
        before changing anything. The grant-type branches additionally check
        that the requesting user holds every action being handed out.

        Returns:
            The template name 'admin_perms.html' and its data dict.
        """
        perm = PermissionSystem(self.env)
        all_actions = perm.get_actions()

        if req.method == 'POST':
            subject = req.args.get('subject', '').strip()
            target = req.args.get('target', '').strip()
            action = req.args.get('action')
            group = req.args.get('group', '').strip()

            # All-upper-case names are refused for subject, group and
            # target: that form is reserved for permission names (see the
            # error message), so a user-supplied name cannot be one.
            if subject and subject.isupper() or \
                    group and group.isupper() or \
                    target and target.isupper():
                raise TracError(
                    _("All upper-cased tokens are reserved for "
                      "permission names."))

            # Grant permission to subject
            if 'add' in req.args and subject and action:
                req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
                if action not in all_actions:
                    raise TracError(_("Unknown action"))
                # The granter must hold the action being granted, so
                # PERMISSION_GRANT alone cannot be used to escalate.
                req.perm.require(action)
                try:
                    perm.grant_permission(subject, action)
                except TracError as e:
                    add_warning(req, e)
                else:
                    add_notice(
                        req,
                        _(
                            "The subject %(subject)s has been "
                            "granted the permission %(action)s.",
                            subject=subject,
                            action=action))

            # Add subject to group
            elif 'add' in req.args and subject and group:
                req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
                # Group membership passes on the group's permissions, so
                # the granter must hold each of them before the membership
                # is recorded.
                for action in perm.get_user_permissions(group):
                    req.perm.require(
                        action,
                        message=_(
                            "The subject %(subject)s was not added to "
                            "the group %(group)s because the group has "
                            "%(perm)s permission and users cannot grant "
                            "permissions they don't possess.",
                            subject=subject,
                            group=group,
                            perm=action))
                try:
                    perm.grant_permission(subject, group)
                except TracError as e:
                    add_warning(req, e)
                else:
                    add_notice(
                        req,
                        _(
                            "The subject %(subject)s has been "
                            "added to the group %(group)s.",
                            subject=subject,
                            group=group))

            # Copy permissions to subject
            elif 'copy' in req.args and subject and target:
                req.perm('admin', 'general/perm').require('PERMISSION_GRANT')

                subject_permissions = perm.get_users_dict().get(subject, [])
                if not subject_permissions:
                    add_warning(
                        req,
                        _(
                            "The subject %(subject)s does not "
                            "have any permissions.",
                            subject=subject))

                for action in subject_permissions:
                    if action not in all_actions:  # plugin disabled?
                        self.log.warning(
                            "Skipped granting %s to %s: "
                            "permission unavailable.", action, target)
                    else:
                        # Actions the granter lacks are skipped with a
                        # warning rather than aborting the whole copy.
                        # NOTE(review): the warning is formatted with
                        # `subject` (the copy source), while the grant it
                        # refers to would have gone to `target`. Confirm
                        # which name the message should show.
                        if action not in req.perm:
                            add_warning(
                                req,
                                _(
                                    "The permission %(action)s was "
                                    "not granted to %(subject)s "
                                    "because users cannot grant "
                                    "permissions they don't possess.",
                                    action=action,
                                    subject=subject))
                            continue
                        try:
                            perm.grant_permission(target, action)
                        except PermissionExistsError:
                            # The target already has it: skip silently.
                            pass
                        else:
                            add_notice(
                                req,
                                _(
                                    "The subject %(subject)s has "
                                    "been granted the permission "
                                    "%(action)s.",
                                    subject=target,
                                    action=action))
                req.redirect(req.href.admin(cat, page))

            # Remove permissions action
            elif 'remove' in req.args and 'sel' in req.args:
                # Revocation needs only PERMISSION_REVOKE; there is no
                # check that the requester holds the revoked action.
                req.perm('admin', 'general/perm').require('PERMISSION_REVOKE')
                for key in req.args.getlist('sel'):
                    # Each key is '<subject>:<action>', both parts decoded
                    # with unicode_from_base64.
                    # NOTE(review): a key without ':' raises ValueError in
                    # the unpacking below; how the decoder treats invalid
                    # input is not visible here.
                    subject, action = key.split(':', 1)
                    subject = unicode_from_base64(subject)
                    action = unicode_from_base64(action)
                    # Only pairs that currently exist are revoked; the full
                    # list is read again for every key.
                    if (subject, action) in perm.get_all_permissions():
                        perm.revoke_permission(subject, action)
                add_notice(req,
                           _("The selected permissions have been "
                             "revoked."))

            # Every POST ends in a redirect back to this panel.
            req.redirect(req.href.admin(cat, page))

        return 'admin_perms.html', {
            'actions': all_actions,
            # Only the actions the requester holds are offered for granting.
            'allowed_actions': [a for a in all_actions if a in req.perm],
            'perms': perm.get_users_dict(),
            'groups': perm.get_groups_dict(),
            'unicode_to_base64': unicode_to_base64
        }
Esempio n. 11
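class TagModelTestCase(unittest.TestCase):
    """Tests for the tag model helpers against a stub environment.

    Each test starts from a freshly upgraded tractags schema holding one
    row: wiki page 'WikiStart' tagged 'tag1'.
    """

    def setUp(self):
        """Create the stub environment, rebuild the schema and seed one tag."""
        self.env = EnvironmentStub(default_data=True,
                                   enable=['trac.*', 'tractags.*'])
        self.env.path = tempfile.mkdtemp()
        self.perms = PermissionSystem(self.env)
        self.req = Mock(authname='editor')

        self.check_perm = WikiTagProvider(self.env).check_permission
        setup = TagSetup(self.env)
        # Current tractags schema is setup with enabled component anyway.
        #   Revert these changes for getting default permissions inserted.
        self._revert_tractags_schema_init()
        setup.upgrade_environment()

        # Populate table with initial test data.
        self.env.db_transaction("""
            INSERT INTO tags (tagspace, name, tag)
            VALUES ('wiki', 'WikiStart', 'tag1')
            """)
        self.realm = 'wiki'

    def tearDown(self):
        """Shut the environment down and always remove its temp directory."""
        try:
            self.env.shutdown()
        finally:
            # Runs even if shutdown() raises, so the mkdtemp() directory
            # from setUp is not left behind.
            shutil.rmtree(self.env.path)

    # Helpers

    def _revert_tractags_schema_init(self):
        """Drop the tag tables, the schema version row and all TAGS_* grants."""
        with self.env.db_transaction as db:
            db("DROP TABLE IF EXISTS tags")
            db("DROP TABLE IF EXISTS tags_change")
            db("DELETE FROM system WHERE name='tags_version'")
            # Only the clause returned by db.like() is interpolated into
            # the SQL text; the pattern itself is passed as a parameter.
            db("DELETE FROM permission WHERE action %s" % db.like(),
               ('TAGS_%',))

    def _tags(self):
        """Return the tags table as a dict mapping name to a set of tags."""
        tags = {}
        for name, tag in self.env.db_query("""
                SELECT name,tag FROM tags
                """):
            tags.setdefault(name, set()).add(tag)
        return tags

    # Tests

    def test_get_tags(self):
        resource = Resource(self.realm, 'WikiStart')
        self.assertEqual(list(resource_tags(self.env, resource)), ['tag1'])

    def test_get_tagged_resource_no_perm(self):
        self.perms.revoke_permission('anonymous', 'WIKI_VIEW')
        perm = PermissionCache(self.env)
        tags = set(['tag1'])
        # Don't yield resource without permission - 'WIKI_VIEW' here.
        found = [(res, res_tags) for res, res_tags
                 in tagged_resources(self.env, self.check_perm, perm,
                                     self.realm, tags)]
        self.assertEqual(found, [])

    def test_get_tagged_resource(self):
        perm = PermissionCache(self.env)
        resource = Resource(self.realm, 'WikiStart')
        tags = set(['tag1'])
        # The loop variable must not be called `tags`: in Python 2 a list
        # comprehension rebinds the enclosing name, so the expected value
        # below would be compared with whatever the iteration left behind.
        found = [(res, res_tags) for res, res_tags
                 in tagged_resources(self.env, self.check_perm, perm,
                                     self.realm, tags)]
        self.assertEqual(found, [(resource, tags)])

    def test_reparent(self):
        resource = Resource(self.realm, 'TaggedPage')
        old_name = 'WikiStart'
        tag_resource(self.env, resource, old_name, self.req.authname)
        self.assertEqual(dict(TaggedPage=set(['tag1'])), self._tags())

    def test_tag_changes(self):
        # Add previously untagged resource.
        resource = Resource(self.realm, 'TaggedPage')
        tags = set(['tag1'])
        tag_resource(self.env, resource, author=self.req.authname, tags=tags)
        self.assertEqual(dict(TaggedPage=tags, WikiStart=tags), self._tags())
        # Add new tag to already tagged resource.
        resource = Resource(self.realm, 'WikiStart')
        tags = set(['tag1', 'tag2'])
        tag_resource(self.env, resource, author=self.req.authname, tags=tags)
        self.assertEqual(dict(TaggedPage=set(['tag1']), WikiStart=tags),
                         self._tags())
        # Exchange tags for already tagged resource.
        tags = set(['tag1', 'tag3'])
        tag_resource(self.env, resource, author=self.req.authname, tags=tags)
        self.assertEqual(dict(TaggedPage=set(['tag1']), WikiStart=tags),
                         self._tags())
        # Delete a subset of tags for already tagged resource.
        tags = set(['tag3'])
        tag_resource(self.env, resource, author=self.req.authname, tags=tags)
        self.assertEqual(dict(TaggedPage=set(['tag1']), WikiStart=tags),
                         self._tags())
        # Empty tag iterable deletes all resource tag references.
        tags = tuple()
        tag_resource(self.env, resource, author=self.req.authname, tags=tags)
        self.assertEqual(dict(TaggedPage=set(['tag1'])), self._tags())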
Esempio n. 12
    def runTest(self):
        """Tests for the Copy Permissions functionality
        added in http://trac.edgewall.org/ticket/11099."""
        # Value of a permission checkbox on the admin page: the base64 forms
        # of subject and permission joined by ':'.
        checkbox_value = lambda s, p: '%s:%s' % (unicode_to_base64(s),
                                                 unicode_to_base64(p))
        # NOTE(review): '\.' sits in a non-raw string here and below; Python
        # keeps the unknown escape as-is, but a raw string states the intent.
        grant_msg = "The subject %s has been granted the permission %s\."
        def grant_permission(subject, action):
            # Grant through the 'addperm' form and check both the notice
            # and the new checkbox.
            tc.formvalue('addperm', 'gp_subject', subject)
            tc.formvalue('addperm', 'action', action)
            tc.submit()
            tc.find(grant_msg % (subject, action))
            tc.find(checkbox_value(subject, action))

        env = self._testenv.get_trac_environment()

        # Copy permissions from subject to target
        self._tester.go_to_admin('Permissions')
        perm_sys = PermissionSystem(env)
        anon_perms = perm_sys.store.get_user_permissions('anonymous')
        for perm in anon_perms:
            tc.find(checkbox_value('anonymous', perm))
            tc.notfind(checkbox_value('user1', perm))
        tc.formvalue('copyperm', 'cp_subject', 'anonymous')
        tc.formvalue('copyperm', 'cp_target', 'user1')
        tc.submit()
        for perm in anon_perms:
            tc.find("The subject user1 has been granted the permission %s\."
                    % perm)
            tc.find(checkbox_value('user1', perm))

        # Subject doesn't have any permissions
        tc.notfind(checkbox_value('noperms', ''))
        tc.formvalue('copyperm', 'cp_subject', 'noperms')
        tc.formvalue('copyperm', 'cp_target', 'user1')
        tc.submit()
        tc.find("The subject noperms does not have any permissions\.")

        # Subject belongs to group but doesn't directly have any permissions
        grant_permission('group1', 'TICKET_VIEW')
        tc.formvalue('addsubj', 'sg_subject', 'noperms')
        tc.formvalue('addsubj', 'sg_group', 'group1')
        tc.submit()
        tc.find("The subject noperms has been added to the group group1\.")

        tc.formvalue('copyperm', 'cp_subject', 'noperms')
        tc.formvalue('copyperm', 'cp_target', 'user1')
        tc.submit()
        tc.find("The subject noperms does not have any permissions\.")

        # Target uses reserved all upper-case form
        tc.formvalue('copyperm', 'cp_subject', 'noperms')
        tc.formvalue('copyperm', 'cp_target', 'USER1')
        tc.submit()
        tc.find("All upper-cased tokens are reserved for permission names\.")
        self._tester.go_to_admin("Permissions")

        # Subject users reserved all upper-case form
        tc.formvalue('copyperm', 'cp_subject', 'USER1')
        tc.formvalue('copyperm', 'cp_target', 'noperms')
        tc.submit()
        tc.find("All upper-cased tokens are reserved for permission names\.")
        self._tester.go_to_admin("Permissions")

        # Target already possess one of the permissions
        anon_perms = perm_sys.store.get_user_permissions('anonymous')
        for perm in anon_perms:
            tc.notfind(checkbox_value('user2', perm))
        grant_permission('user2', anon_perms[0])

        tc.formvalue('copyperm', 'cp_subject', 'anonymous')
        tc.formvalue('copyperm', 'cp_target', 'user2')
        tc.submit()

        # NOTE(review): this pattern wraps the subject in <em>, unlike every
        # other grant message in this test, so notfind may pass whether or
        # not the notice is shown. Confirm against the rendered page.
        tc.notfind("The subject <em>user2</em> has been granted the "
                   "permission %s\." % anon_perms[0])
        for perm in anon_perms[1:]:
            tc.find("The subject user2 has been granted the permission %s\."
                    % perm)
            tc.find(checkbox_value('user2', perm))

        # Subject has a permission that is no longer defined
        try:
            env.db_transaction("INSERT INTO permission VALUES (%s,%s)",
                               ('anonymous', 'NOTDEFINED_PERMISSION'))
        except env.db_exc.IntegrityError:
            # The row is already there, which is all this step needs.
            pass
        env.config.touch()  # invalidate permission cache
        tc.reload()
        tc.find(checkbox_value('anonymous', 'NOTDEFINED_PERMISSION'))
        perm_sys = PermissionSystem(env)
        anon_perms = perm_sys.store.get_user_permissions('anonymous')
        for perm in anon_perms:
            tc.notfind(checkbox_value('user3', perm))

        tc.formvalue('copyperm', 'cp_subject', 'anonymous')
        tc.formvalue('copyperm', 'cp_target', 'user3')
        tc.submit()

        # The undefined permission must not be copied; all others must be.
        for perm in anon_perms:
            msg = grant_msg % ('user3', perm)
            if perm == 'NOTDEFINED_PERMISSION':
                tc.notfind(msg)
                tc.notfind(checkbox_value('user3', perm))
            else:
                tc.find(msg)
                tc.find(checkbox_value('user3', perm))
        perm_sys.revoke_permission('anonymous', 'NOTDEFINED_PERMISSION')

        # Actor doesn't posses permission
        # 'anonymous' temporarily gets PERMISSION_GRANT so that the
        # logged-out session below can use the copy form; the finally
        # block takes it away again.
        # NOTE(review): the TRAC_ADMIN grant to user3 is not revoked
        # anywhere in this method; confirm later tests do not depend on
        # user3's permissions.
        grant_permission('anonymous', 'PERMISSION_GRANT')
        grant_permission('user3', 'TRAC_ADMIN')
        self._tester.logout()
        self._tester.go_to_admin("Permissions")

        try:
            tc.formvalue('copyperm', 'cp_subject', 'user3')
            tc.formvalue('copyperm', 'cp_target', 'user4')
            tc.submit()

            perm_sys = PermissionSystem(env)
            for perm in [perm[1] for perm in perm_sys.get_all_permissions()
                                 if perm[0] == 'user3'
                                 and perm[1] != 'TRAC_ADMIN']:
                tc.find(grant_msg % ('user4', perm))
            # NOTE(review): this asserts that the denial warning naming
            # user4 is absent, and nothing here asserts that TRAC_ADMIN was
            # withheld from user4. Confirm the intended check, for example
            # a notfind on user4's TRAC_ADMIN checkbox.
            tc.notfind("The permission TRAC_ADMIN was not granted to user4 "
                       "because users cannot grant permissions they don't "
                       "possess.")
        finally:
            # Always undo the anonymous PERMISSION_GRANT and log back in.
            self._testenv.revoke_perm('anonymous', 'PERMISSION_GRANT')
            self._tester.login('admin')
Esempio n. 13
    def render_admin_panel(self, req, cat, page, path_info):
        """Render the permission admin panel and process its POST actions.

        A POST grants an action to a subject, adds a subject to a group, or
        revokes the selected permissions. Granting requires PERMISSION_GRANT
        plus possession of the action (or of the group's available actions);
        revoking requires PERMISSION_REVOKE.

        Returns:
            The template name 'admin_perms.html' and its data dict, with the
            permission list split into 'perms' (upper-case second element)
            and 'groups' (everything else).
        """
        perm = PermissionSystem(self.env)
        # Read once up front: used for the duplicate checks below and for
        # the listing that is rendered when no redirect happens.
        all_permissions = perm.get_all_permissions()
        all_actions = perm.get_actions()

        if req.method == 'POST':
            subject = req.args.get('subject', '').strip()
            action = req.args.get('action')
            group = req.args.get('group', '').strip()

            # All-upper-case subject or group names are refused: that form
            # is reserved for permission names (see the error message).
            if subject and subject.isupper() or \
                   group and group.isupper():
                raise TracError(
                    _('All upper-cased tokens are reserved for '
                      'permission names'))

            # Grant permission to subject
            if req.args.get('add') and subject and action:
                req.perm.require('PERMISSION_GRANT')
                if action not in all_actions:
                    raise TracError(_('Unknown action'))
                # The granter must hold the action being granted.
                req.perm.require(action)
                if (subject, action) not in all_permissions:
                    perm.grant_permission(subject, action)
                    add_notice(
                        req,
                        _(
                            'The subject %(subject)s has been '
                            'granted the permission %(action)s.',
                            subject=subject,
                            action=action))
                    req.redirect(req.href.admin(cat, page))
                else:
                    add_warning(
                        req,
                        _(
                            'The permission %(action)s was already '
                            'granted to %(subject)s.',
                            action=action,
                            subject=subject))

            # Add subject to group
            elif req.args.get('add') and subject and group:
                req.perm.require('PERMISSION_GRANT')
                for action in perm.get_user_permissions(group):
                    # NOTE(review): a group permission that is not among
                    # the known actions is only logged and its possession
                    # check is skipped, so the membership can be granted
                    # by someone who does not hold that permission.
                    if not action in all_actions:  # plugin disabled?
                        self.env.log.warn("Adding %s to group %s: " \
                            "Permission %s unavailable, skipping perm check." \
                            % (subject, group, action))
                    else:
                        req.perm.require(action)
                if (subject, group) not in all_permissions:
                    perm.grant_permission(subject, group)
                    add_notice(
                        req,
                        _(
                            'The subject %(subject)s has been added '
                            'to the group %(group)s.',
                            subject=subject,
                            group=group))
                    req.redirect(req.href.admin(cat, page))
                else:
                    add_warning(
                        req,
                        _(
                            'The subject %(subject)s was already '
                            'added to the group %(group)s.',
                            subject=subject,
                            group=group))

            # Remove permissions action
            elif req.args.get('remove') and req.args.get('sel'):
                # Revocation needs only PERMISSION_REVOKE; there is no
                # check that the requester holds the revoked action.
                req.perm.require('PERMISSION_REVOKE')
                sel = req.args.get('sel')
                sel = sel if isinstance(sel, list) else [sel]
                for key in sel:
                    # Each key is '<subject>:<action>', both parts decoded
                    # with unicode_from_base64.
                    # NOTE(review): a key without ':' raises ValueError in
                    # the unpacking below; how the decoder treats invalid
                    # input is not visible here.
                    subject, action = key.split(':', 1)
                    subject = unicode_from_base64(subject)
                    action = unicode_from_base64(action)
                    # Only pairs that currently exist are revoked; the list
                    # is read again for every key.
                    if (subject, action) in perm.get_all_permissions():
                        perm.revoke_permission(subject, action)
                add_notice(req,
                           _('The selected permissions have been '
                             'revoked.'))
                req.redirect(req.href.admin(cat, page))

        # Entries whose second element is upper-case are listed as
        # permissions, all others as groups.
        perms = [perm for perm in all_permissions if perm[1].isupper()]
        groups = [perm for perm in all_permissions if not perm[1].isupper()]

        return 'admin_perms.html', {
            'actions': all_actions,
            'perms': perms,
            'groups': groups,
            'unicode_to_base64': unicode_to_base64
        }
Esempio n. 14
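    def runTest(self):
        """Tests for the Copy Permissions functionality
        added in http://trac.edgewall.org/ticket/11099.

        Drives the ``copyperm`` form on the Permissions admin page and checks
        the resulting notices and checkboxes for: a plain copy, a subject
        without permissions, a subject that only has a group membership,
        reserved all upper-case names, a target that already holds one of
        the permissions, a permission that is no longer defined, and an
        actor that lacks one of the permissions being copied.
        """
        # These strings are handed to tc.find()/tc.notfind(); the escaped
        # dots indicate they are matched as regular expressions, so they are
        # raw strings to keep the backslash literal.
        grant_msg = r"The subject %s has been granted the permission %s\."
        no_perms_msg = r"The subject noperms does not have any permissions\."
        reserved_msg = (r"All upper-cased tokens are reserved for "
                        r"permission names\.")

        def checkbox_value(subject, action):
            # 'base64(subject):base64(action)'; presumably the value of the
            # per-row selection checkbox on the page -- confirm against the
            # template.
            return '%s:%s' % (unicode_to_base64(subject),
                              unicode_to_base64(action))

        def grant_permission(subject, action):
            # Grant through the 'addperm' form and check notice + checkbox.
            tc.formvalue('addperm', 'gp_subject', subject)
            tc.formvalue('addperm', 'action', action)
            tc.submit()
            tc.find(grant_msg % (subject, action))
            tc.find(checkbox_value(subject, action))

        def copy_permissions(subject, target):
            # Submit the 'copyperm' form for the given pair.
            tc.formvalue('copyperm', 'cp_subject', subject)
            tc.formvalue('copyperm', 'cp_target', target)
            tc.submit()

        env = self._testenv.get_trac_environment()

        # Copy permissions from subject to target
        self._tester.go_to_admin('Permissions')
        perm_sys = PermissionSystem(env)
        anon_perms = perm_sys.store.get_user_permissions('anonymous')
        for perm in anon_perms:
            tc.find(checkbox_value('anonymous', perm))
            tc.notfind(checkbox_value('user1', perm))
        copy_permissions('anonymous', 'user1')
        for perm in anon_perms:
            tc.find(grant_msg % ('user1', perm))
            tc.find(checkbox_value('user1', perm))

        # Subject doesn't have any permissions
        tc.notfind(checkbox_value('noperms', ''))
        copy_permissions('noperms', 'user1')
        tc.find(no_perms_msg)

        # Subject belongs to group but doesn't directly have any permissions
        grant_permission('group1', 'TICKET_VIEW')
        tc.formvalue('addsubj', 'sg_subject', 'noperms')
        tc.formvalue('addsubj', 'sg_group', 'group1')
        tc.submit()
        tc.find(r"The subject noperms has been added to the group group1\.")

        copy_permissions('noperms', 'user1')
        tc.find(no_perms_msg)

        # Target uses reserved all upper-case form
        copy_permissions('noperms', 'USER1')
        tc.find(reserved_msg)
        self._tester.go_to_admin("Permissions")

        # Subject uses reserved all upper-case form
        copy_permissions('USER1', 'noperms')
        tc.find(reserved_msg)
        self._tester.go_to_admin("Permissions")

        # Target already possesses one of the permissions
        anon_perms = perm_sys.store.get_user_permissions('anonymous')
        for perm in anon_perms:
            tc.notfind(checkbox_value('user2', perm))
        grant_permission('user2', anon_perms[0])

        copy_permissions('anonymous', 'user2')

        # The permission user2 already held must not be reported as granted
        # again.  This uses the same plain-text pattern as the positive
        # checks; the earlier pattern wrapped the name in <em>, which none of
        # the matched notices contain, so it could never fail.
        tc.notfind(grant_msg % ('user2', anon_perms[0]))
        for perm in anon_perms[1:]:
            tc.find(grant_msg % ('user2', perm))
            tc.find(checkbox_value('user2', perm))

        # Subject has a permission that is no longer defined
        try:
            env.db_transaction("INSERT INTO permission VALUES (%s,%s)",
                               ('anonymous', 'NOTDEFINED_PERMISSION'))
        except env.db_exc.IntegrityError:
            # Deliberate best effort: presumably the row is already there
            # from an earlier run.
            pass
        env.config.touch()  # invalidate permission cache
        tc.reload()
        tc.find(checkbox_value('anonymous', 'NOTDEFINED_PERMISSION'))
        perm_sys = PermissionSystem(env)
        anon_perms = perm_sys.store.get_user_permissions('anonymous')
        for perm in anon_perms:
            tc.notfind(checkbox_value('user3', perm))

        copy_permissions('anonymous', 'user3')

        for perm in anon_perms:
            msg = grant_msg % ('user3', perm)
            if perm == 'NOTDEFINED_PERMISSION':
                tc.notfind(msg)
                tc.notfind(checkbox_value('user3', perm))
            else:
                tc.find(msg)
                tc.find(checkbox_value('user3', perm))
        perm_sys.revoke_permission('anonymous', 'NOTDEFINED_PERMISSION')

        # Actor doesn't possess permission
        grant_permission('anonymous', 'PERMISSION_GRANT')
        grant_permission('user3', 'TRAC_ADMIN')
        self._tester.logout()
        self._tester.go_to_admin("Permissions")

        try:
            copy_permissions('user3', 'user4')

            perm_sys = PermissionSystem(env)
            copied = [entry[1] for entry in perm_sys.get_all_permissions()
                      if entry[0] == 'user3' and entry[1] != 'TRAC_ADMIN']
            for action in copied:
                tc.find(grant_msg % ('user4', action))
            # The anonymous actor was only given PERMISSION_GRANT above, so
            # TRAC_ADMIN must not be handed on to user4: assert the outcome
            # itself, not just the wording of a message.
            tc.notfind(grant_msg % ('user4', 'TRAC_ADMIN'))
            tc.notfind(checkbox_value('user4', 'TRAC_ADMIN'))
            # NOTE(review): this asserts that the "not granted to user4"
            # warning is absent, although a refusal is the expected outcome
            # here.  Confirm against the handler whether its warning names
            # the source subject rather than the target, and whether this
            # should be tc.find().
            tc.notfind("The permission TRAC_ADMIN was not granted to user4 "
                       "because users cannot grant permissions they don't "
                       "possess.")
        finally:
            # Always drop the temporary grant and restore the admin session.
            self._testenv.revoke_perm('anonymous', 'PERMISSION_GRANT')
            self._tester.login('admin')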
Esempio n. 15
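    def render_admin_panel(self, req, cat, page, path_info):
        """Process a POST to the permissions admin panel, then render it.

        A POST may grant an action to a subject, add a subject to a group,
        or revoke the selected (subject, action) pairs.  Granting requires
        PERMISSION_GRANT plus the action being granted (for a group, every
        available action the group holds); revoking requires
        PERMISSION_REVOKE.

        :param req: the request; ``req.args`` supplies the form fields and
                    ``req.perm`` the permission checks.
        :param cat: admin category, used to build the redirect target.
        :param page: admin page, used to build the redirect target.
        :param path_info: not used here.
        :return: the template name and its data dictionary.
        :raises TracError: for an all upper-case subject or group, an
                           unknown action, or a malformed revoke selection.
        """
        perm = PermissionSystem(self.env)
        all_permissions = perm.get_all_permissions()
        all_actions = perm.get_actions()

        if req.method == 'POST':
            subject = req.args.get('subject', '').strip()
            action = req.args.get('action')
            group = req.args.get('group', '').strip()

            # Subjects and groups must not look like permission names.
            if subject and subject.isupper() or \
                   group and group.isupper():
                raise TracError(_('All upper-cased tokens are reserved for '
                                  'permission names'))

            # Grant permission to subject
            if req.args.get('add') and subject and action:
                req.perm.require('PERMISSION_GRANT')
                if action not in all_actions:
                    raise TracError(_('Unknown action'))
                # Users cannot grant a permission they do not hold.
                req.perm.require(action)
                if (subject, action) not in all_permissions:
                    perm.grant_permission(subject, action)
                    add_notice(req, _('The subject %(subject)s has been '
                                      'granted the permission %(action)s.',
                                      subject=subject, action=action))
                    req.redirect(req.href.admin(cat, page))
                else:
                    # No redirect: falls through to re-render the panel.
                    add_warning(req, _('The permission %(action)s was already '
                                       'granted to %(subject)s.',
                                       action=action, subject=subject))

            # Add subject to group
            elif req.args.get('add') and subject and group:
                req.perm.require('PERMISSION_GRANT')
                for action in perm.get_user_permissions(group):
                    if action not in all_actions: # plugin disabled?
                        # NOTE(review): the membership is granted without
                        # checking that the actor holds this action; it would
                        # presumably take effect once the providing component
                        # is enabled again -- confirm this is acceptable.
                        self.env.log.warning(
                            "Adding %s to group %s: "
                            "Permission %s unavailable, skipping perm check.",
                            subject, group, action)
                    else:
                        req.perm.require(action)
                if (subject, group) not in all_permissions:
                    perm.grant_permission(subject, group)
                    add_notice(req, _('The subject %(subject)s has been added '
                                      'to the group %(group)s.',
                                      subject=subject, group=group))
                    req.redirect(req.href.admin(cat, page))
                else:
                    add_warning(req, _('The subject %(subject)s was already '
                                       'added to the group %(group)s.',
                                       subject=subject, group=group))

            # Remove permissions action
            elif req.args.get('remove') and req.args.get('sel'):
                req.perm.require('PERMISSION_REVOKE')
                sel = req.args.get('sel')
                if not isinstance(sel, list):
                    sel = [sel]
                # 'sel' comes straight from the request.  Check that every
                # key has the 'subject:action' shape before revoking
                # anything, so a malformed key is reported as a TracError
                # instead of an unhandled ValueError part-way through.
                # NOTE(review): a subject containing ':' would be split in
                # the wrong place -- confirm how the template builds the key.
                for key in sel:
                    if ':' not in key:
                        raise TracError(_('Invalid selection'))
                for key in sel:
                    subject, action = key.split(':', 1)
                    if (subject, action) in perm.get_all_permissions():
                        perm.revoke_permission(subject, action)
                add_notice(req, _('The selected permissions have been '
                                  'revoked.'))
                req.redirect(req.href.admin(cat, page))

        return 'admin_perms.html', {
            'actions': all_actions,
            'perms': all_permissions
        }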
Esempio n. 16
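    def render_admin_panel(self, req, cat, page, path_info):
        """Process a POST to the permissions admin panel, then render it.

        A POST may grant an action to a subject, add a subject to a group,
        copy a subject's permissions to a target, or revoke the selected
        (subject, action) pairs.  Every granting branch requires
        PERMISSION_GRANT on the 'admin' / 'general/perm' resource and only
        hands out actions the requesting user holds; revoking requires
        PERMISSION_REVOKE on the same resource.

        :param req: the request; ``req.args`` supplies the form fields and
                    ``req.perm`` the permission checks.
        :param cat: admin category, used to build the redirect target.
        :param page: admin page, used to build the redirect target.
        :param path_info: not used here.
        :return: the template name and its data dictionary.
        :raises TracError: for an all upper-case subject, group or target,
                           an unknown action, or a malformed revoke
                           selection.
        """
        perm = PermissionSystem(self.env)
        all_permissions = perm.get_all_permissions()
        all_actions = perm.get_actions()

        if req.method == 'POST':
            subject = req.args.get('subject', '').strip()
            target = req.args.get('target', '').strip()
            action = req.args.get('action')
            group = req.args.get('group', '').strip()

            # Subjects, groups and targets must not look like permission
            # names.
            if subject and subject.isupper() or \
                    group and group.isupper() or \
                    target and target.isupper():
                raise TracError(_("All upper-cased tokens are reserved for "
                                  "permission names."))

            # Grant permission to subject
            if req.args.get('add') and subject and action:
                req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
                if action not in all_actions:
                    raise TracError(_("Unknown action"))
                # Users cannot grant a permission they do not hold.
                req.perm.require(action)
                if (subject, action) not in all_permissions:
                    perm.grant_permission(subject, action)
                    add_notice(req, _("The subject %(subject)s has been "
                                      "granted the permission %(action)s.",
                                      subject=subject, action=action))
                    req.redirect(req.href.admin(cat, page))
                else:
                    # No redirect: falls through to re-render the panel.
                    add_warning(req, _("The permission %(action)s was already "
                                       "granted to %(subject)s.",
                                       action=action, subject=subject))

            # Add subject to group
            elif req.args.get('add') and subject and group:
                req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
                for action in perm.get_user_permissions(group):
                    if action not in all_actions: # plugin disabled?
                        # NOTE(review): the membership is granted without
                        # checking that the actor holds this action; it would
                        # presumably take effect once the providing component
                        # is enabled again -- confirm this is acceptable.
                        self.env.log.warning(
                            "Adding %s to group %s: "
                            "Permission %s unavailable, skipping perm check.",
                            subject, group, action)
                    else:
                        req.perm.require(action,
                            message=_("The subject %(subject)s was not added "
                                      "to the group %(group)s because the "
                                      "group has %(perm)s permission and "
                                      "users cannot grant permissions they "
                                      "don't possess.", subject=subject,
                                      group=group, perm=action))
                if (subject, group) not in all_permissions:
                    perm.grant_permission(subject, group)
                    add_notice(req, _("The subject %(subject)s has been added "
                                      "to the group %(group)s.",
                                      subject=subject, group=group))
                    req.redirect(req.href.admin(cat, page))
                else:
                    add_warning(req, _("The subject %(subject)s was already "
                                       "added to the group %(group)s.",
                                       subject=subject, group=group))

            # Copy permissions to subject
            elif req.args.get('copy') and subject and target:
                # Same resource-scoped check as the other granting branches,
                # so the copy action is governed by the same policy decision.
                req.perm('admin', 'general/perm').require('PERMISSION_GRANT')

                # Only directly held actions are copied; group memberships
                # (entries that are not all upper-case) are left out.
                subject_permissions = [i[1] for i in all_permissions
                                       if i[0] == subject and i[1].isupper()]
                if not subject_permissions:
                    add_warning(req,_("The subject %(subject)s does not "
                                      "have any permissions.",
                                      subject=subject))

                for action in subject_permissions:
                    if (target, action) in all_permissions:
                        continue
                    if action not in all_actions: # plugin disabled?
                        self.env.log.warning("Skipped granting %s to %s: "
                                             "permission unavailable.",
                                             action, target)
                    else:
                        if action not in req.perm:
                            # The refused grant was for the target, so the
                            # warning names the target, as the success
                            # notice below does.
                            add_warning(req,
                                        _("The permission %(action)s was "
                                          "not granted to %(subject)s "
                                          "because users cannot grant "
                                          "permissions they don't possess.",
                                          action=action, subject=target))
                            continue
                        perm.grant_permission(target, action)
                        add_notice(req, _("The subject %(subject)s has "
                                          "been granted the permission "
                                          "%(action)s.",
                                          subject=target, action=action))
                req.redirect(req.href.admin(cat, page))

            # Remove permissions action
            elif req.args.get('remove') and req.args.get('sel'):
                req.perm('admin', 'general/perm').require('PERMISSION_REVOKE')
                sel = req.args.get('sel')
                sel = sel if isinstance(sel, list) else [sel]
                # 'sel' comes straight from the request.  Parse and decode
                # every key before revoking anything: a key without ':' is
                # reported as a TracError, and an error raised by
                # unicode_from_base64 still propagates, but in both cases
                # before any permission has been revoked.
                pairs = []
                for key in sel:
                    if ':' not in key:
                        raise TracError(_("Invalid selection"))
                    subject, action = key.split(':', 1)
                    pairs.append((unicode_from_base64(subject),
                                  unicode_from_base64(action)))
                for subject, action in pairs:
                    if (subject, action) in perm.get_all_permissions():
                        perm.revoke_permission(subject, action)
                add_notice(req, _("The selected permissions have been "
                                  "revoked."))
                req.redirect(req.href.admin(cat, page))

        return 'admin_perms.html', {
            'actions': all_actions,
            'perms': perm.get_users_dict(),
            'groups': perm.get_groups_dict(),
            'unicode_to_base64': unicode_to_base64
        }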
Esempio n. 17
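    def render_admin_panel(self, req, cat, page, path_info):
        """Process a POST to the permissions admin panel, then render it.

        A POST may grant an action to a subject, add a subject to a group,
        copy a subject's permissions to a target, or revoke the selected
        (subject, action) pairs.  Every granting branch requires
        PERMISSION_GRANT on the 'admin' / 'general/perm' resource and only
        hands out actions the requesting user holds; revoking requires
        PERMISSION_REVOKE on the same resource.

        :param req: the request; ``req.args`` supplies the form fields and
                    ``req.perm`` the permission checks.
        :param cat: admin category, used to build the redirect target.
        :param page: admin page, used to build the redirect target.
        :param path_info: not used here.
        :return: the template name and its data dictionary.
        :raises TracError: for an all upper-case subject, group or target,
                           an unknown action, or a malformed revoke
                           selection.
        """
        perm = PermissionSystem(self.env)
        all_permissions = perm.get_all_permissions()
        all_actions = perm.get_actions()

        if req.method == 'POST':
            subject = req.args.get('subject', '').strip()
            target = req.args.get('target', '').strip()
            action = req.args.get('action')
            group = req.args.get('group', '').strip()

            # Subjects, groups and targets must not look like permission
            # names.
            if subject and subject.isupper() or \
                    group and group.isupper() or \
                    target and target.isupper():
                raise TracError(
                    _("All upper-cased tokens are reserved for "
                      "permission names."))

            # Grant permission to subject
            if req.args.get('add') and subject and action:
                req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
                if action not in all_actions:
                    raise TracError(_("Unknown action"))
                # Users cannot grant a permission they do not hold.
                req.perm.require(action)
                if (subject, action) not in all_permissions:
                    perm.grant_permission(subject, action)
                    add_notice(
                        req,
                        _(
                            "The subject %(subject)s has been "
                            "granted the permission %(action)s.",
                            subject=subject,
                            action=action))
                    req.redirect(req.href.admin(cat, page))
                else:
                    # No redirect: falls through to re-render the panel.
                    add_warning(
                        req,
                        _(
                            "The permission %(action)s was already "
                            "granted to %(subject)s.",
                            action=action,
                            subject=subject))

            # Add subject to group
            elif req.args.get('add') and subject and group:
                req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
                for action in perm.get_user_permissions(group):
                    if action not in all_actions:  # plugin disabled?
                        # NOTE(review): the membership is granted without
                        # checking that the actor holds this action; it would
                        # presumably take effect once the providing component
                        # is enabled again -- confirm this is acceptable.
                        self.env.log.warning(
                            "Adding %s to group %s: "
                            "Permission %s unavailable, skipping perm check.",
                            subject, group, action)
                    else:
                        req.perm.require(
                            action,
                            message=_(
                                "The subject %(subject)s was not added "
                                "to the group %(group)s because the "
                                "group has %(perm)s permission and "
                                "users cannot grant permissions they "
                                "don't possess.",
                                subject=subject,
                                group=group,
                                perm=action))
                if (subject, group) not in all_permissions:
                    perm.grant_permission(subject, group)
                    add_notice(
                        req,
                        _(
                            "The subject %(subject)s has been added "
                            "to the group %(group)s.",
                            subject=subject,
                            group=group))
                    req.redirect(req.href.admin(cat, page))
                else:
                    add_warning(
                        req,
                        _(
                            "The subject %(subject)s was already "
                            "added to the group %(group)s.",
                            subject=subject,
                            group=group))

            # Copy permissions to subject
            elif req.args.get('copy') and subject and target:
                # Same resource-scoped check as the other granting branches,
                # so the copy action is governed by the same policy decision.
                req.perm('admin', 'general/perm').require('PERMISSION_GRANT')

                # Only directly held actions are copied; group memberships
                # (entries that are not all upper-case) are left out.
                subject_permissions = [
                    i[1] for i in all_permissions
                    if i[0] == subject and i[1].isupper()
                ]
                if not subject_permissions:
                    add_warning(
                        req,
                        _(
                            "The subject %(subject)s does not "
                            "have any permissions.",
                            subject=subject))

                for action in subject_permissions:
                    if (target, action) in all_permissions:
                        continue
                    if action not in all_actions:  # plugin disabled?
                        self.env.log.warning(
                            "Skipped granting %s to %s: "
                            "permission unavailable.", action, target)
                    else:
                        if action not in req.perm:
                            # The refused grant was for the target, so the
                            # warning names the target, as the success
                            # notice below does.
                            add_warning(
                                req,
                                _(
                                    "The permission %(action)s was "
                                    "not granted to %(subject)s "
                                    "because users cannot grant "
                                    "permissions they don't possess.",
                                    action=action,
                                    subject=target))
                            continue
                        perm.grant_permission(target, action)
                        add_notice(
                            req,
                            _(
                                "The subject %(subject)s has "
                                "been granted the permission "
                                "%(action)s.",
                                subject=target,
                                action=action))
                req.redirect(req.href.admin(cat, page))

            # Remove permissions action
            elif req.args.get('remove') and req.args.get('sel'):
                req.perm('admin', 'general/perm').require('PERMISSION_REVOKE')
                sel = req.args.get('sel')
                sel = sel if isinstance(sel, list) else [sel]
                # 'sel' comes straight from the request.  Parse and decode
                # every key before revoking anything: a key without ':' is
                # reported as a TracError, and an error raised by
                # unicode_from_base64 still propagates, but in both cases
                # before any permission has been revoked.
                pairs = []
                for key in sel:
                    if ':' not in key:
                        raise TracError(_("Invalid selection"))
                    subject, action = key.split(':', 1)
                    pairs.append((unicode_from_base64(subject),
                                  unicode_from_base64(action)))
                for subject, action in pairs:
                    if (subject, action) in perm.get_all_permissions():
                        perm.revoke_permission(subject, action)
                add_notice(req,
                           _("The selected permissions have been "
                             "revoked."))
                req.redirect(req.href.admin(cat, page))

        # Split the snapshot taken at the top into action grants (all
        # upper-case second element) and group memberships.  The loop
        # variable is not called 'perm', so the PermissionSystem bound to
        # that name is not rebound where comprehension variables leak.
        perms = [entry for entry in all_permissions if entry[1].isupper()]
        groups = [entry for entry in all_permissions
                  if not entry[1].isupper()]

        return 'admin_perms.html', {
            'actions': all_actions,
            'perms': perms,
            'groups': groups,
            'unicode_to_base64': unicode_to_base64
        }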