def test_relation_types_definition_index_variable(self):
book = BookFixture(Book, generate_m2m={'authors': (2, 2)}).create_one()
get_nodeset_for_queryset(Store.objects.filter(pk=book.pk), sync=True)
user = User.objects.filter(
pk__in=book.authors.values('user')).latest('pk')
perm = Permission.objects.get(content_type__app_label='auth',
codename='change_user')
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(User),
ctype_target=utils.get_content_type(User),
relation_types=[{
'AUTHOR': None
}, {
'BOOK': None
}, {
'{0:AUTHORS}': None
}, {
'USER': None
}])
access_rule.permissions.add(perm)
user.user_permissions.add(perm)
objects = utils.get_objects_for_user(user, 'auth.change_user')
self.assertEqual({user}, set(objects))
self.assertNotEqual(User.objects.count(), objects.count())
def test_any_permissions(self):
groups = Group.objects.bulk_create(
[Group(name=name) for name in ['group1', 'group2', 'group3']])
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(User),
ctype_target=utils.get_content_type(Group),
relation_types=[{
'GROUPS': None
}])
perms = Permission.objects.filter(
content_type__app_label='auth',
codename__in=['add_group', 'change_group'])
access_rule.permissions.add(*perms)
self.user1.user_permissions.add(*perms)
self.user1.groups.add(*groups)
objects = utils.get_objects_for_user(
self.user1, ['auth.add_group', 'auth.delete_group'],
any_perm=False)
self.assertEqual(set(), set(objects))
objects = utils.get_objects_for_user(
self.user1, ['auth.add_group', 'auth.delete_group'], any_perm=True)
self.assertEqual(set(groups), set(objects))
def test_multiple_permissions_to_check_use_groups(self):
self.group.permissions.add(
Permission.objects.get(content_type__app_label='auth',
codename='add_group'))
self.user1.user_permissions.add(
Permission.objects.get(content_type__app_label='auth',
codename='change_group'))
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(User),
ctype_target=utils.get_content_type(Group),
relation_types=[{
'GROUPS': None
}])
access_rule.permissions.add(*Permission.objects.filter(
content_type__app_label='auth',
codename__in=['add_group', 'change_group']))
self.user1.groups.add(self.group)
objects = utils.get_objects_for_user(
self.user1, ['auth.add_group', 'auth.change_group'],
use_groups=True)
self.assertEqual(set(self.user1.groups.all()), set(objects))
self.user1.groups.remove(self.group)
objects = utils.get_objects_for_user(
self.user1, ['auth.add_group', 'auth.change_group'],
use_groups=False)
self.assertEqual(set(), set(objects))
def test_multiple_permissions_to_check_requires_staff(self):
groups = Group.objects.bulk_create(
[Group(name=name) for name in ['group1', 'group2', 'group3']])
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(User),
ctype_target=utils.get_content_type(Group),
requires_staff=True,
relation_types=[{
'GROUPS': None
}])
perms = Permission.objects.filter(
content_type__app_label='auth',
codename__in=['add_group', 'delete_group'])
access_rule.permissions.add(*perms)
self.user1.user_permissions.add(*perms)
self.user1.groups.add(*groups)
self.user1.is_staff = True
get_node_for_object(self.user1).sync(
) # Sync node in order to write `is_staff` property
objects = utils.get_objects_for_user(
self.user1, ['auth.add_group', 'auth.delete_group'])
self.assertEqual(set(groups), set(objects))
self.user2.user_permissions.add(*perms)
self.user2.groups.add(*groups)
self.assertFalse(self.user2.is_staff)
objects = utils.get_objects_for_user(
self.user2, ['auth.add_group', 'auth.delete_group'])
self.assertEqual(set(), set(objects))
def test_with_superuser_false(self):
BookFixture(Book, follow_fk=True, generate_m2m={
'authors': (1, 1)
}).create(count=2)
user = User.objects.latest('pk')
user.is_superuser = True
# `with_superuser=False` requires defined access rules - should yield no results!
self.assertEqual(
set(Book.objects.none()),
set(
utils.get_objects_for_user(user, ['testapp.change_book'],
Book.objects.all(),
with_superuser=False)))
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(user),
ctype_target=utils.get_content_type(Book),
relation_types=[{
'AUTHOR': None
}, {
'BOOK': None
}])
perm = Permission.objects.get(content_type__app_label='testapp',
codename='change_book')
access_rule.permissions.add(perm)
user.user_permissions.add(perm)
objects = utils.get_objects_for_user(user, ['testapp.change_book'],
Book.objects.all(),
with_superuser=False)
self.assertEqual(set(user.author.book_set.all()), set(objects))
def test_check_permissions_app_label_single(self):
perm = 'testapp.add_book'
book = BookFixture(Book).create_one()
self.assertEqual(utils.check_permissions_app_label(perm),
(utils.get_content_type(book), {'add_book'}))
self.assertEqual(utils.check_permissions_app_label(perm),
(utils.get_content_type(Book), {'add_book'}))
def setUp(self):
Group.objects.bulk_create(
[Group(name=name) for name in ['group1', 'group2', 'group3']])
class GroupSerializer(ModelSerializer):
class Meta:
model = Group
fields = '__all__'
class GroupViewSet(ModelViewSet):
queryset = Group.objects.all()
serializer_class = GroupSerializer
permission_classes = [DjangoObjectPermissions]
filter_backends = [ChemoPermissionsFilter]
self.user = User.objects.create_user(username='******',
password='******')
self.perm = Permission.objects.create(
content_type=get_content_type(Group),
name='Can view group',
codename='view_group')
self.access_rule = AccessRule.objects.create(
ctype_source=get_content_type(User),
ctype_target=get_content_type(Group),
is_active=True,
relation_types=[{
'GROUPS': None
}])
self.view = GroupViewSet
self.patched_settings = modify_settings(
AUTHENTICATION_BACKENDS={'append': self.backend})
self.patched_settings.enable()
def test_field_is_json_serializable(self):
instance = AccessRule.objects.create(
ctype_source=get_content_type(USER_MODEL),
ctype_target=get_content_type(USER_MODEL),
relation_types=[{
'GROUPS': None
}])
json = serializers.serialize('json', [instance])
self.assertIsJSON(json)
def test_check_permissions_app_label_sequence(self):
perms = ['testapp.add_book', 'testapp.change_book']
book = BookFixture(Book).create_one()
ctype, codenames = utils.check_permissions_app_label(perms)
self.assertEqual(ctype, utils.get_content_type(book))
self.assertEqual(sorted(codenames), ['add_book', 'change_book'])
def test_single_perm(self):
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(User),
ctype_target=utils.get_content_type(Book),
relation_types=[{
'AUTHOR': None
}, {
'BOOK': None
}])
perm = Permission.objects.get(content_type__app_label='testapp',
codename='view_book')
access_rule.permissions.add(perm)
self.user1.user_permissions.add(perm)
users = utils.get_users_with_perms(obj=self.book,
permissions='view_book')
self.assertEqual(set(users), {self.user1})
def test_checker_has_perm_authorized_user(self):
author = AuthorFixture(Author).create_one()
user = author.user
perm = Permission.objects.get(
content_type=utils.get_content_type(author),
codename='change_author')
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(user),
ctype_target=utils.get_content_type(author),
relation_types=[{
'AUTHOR': None
}])
user.user_permissions.add(perm)
access_rule.permissions.add(perm)
checker = utils.GraphPermissionChecker(user)
self.assertTrue(checker.has_perm(perm.codename, author))
def test_klass_as_queryset(self):
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(User),
ctype_target=utils.get_content_type(Group),
relation_types=[{
'GROUPS': None
}])
perm = Permission.objects.get(content_type__app_label='auth',
codename='change_group')
access_rule.permissions.add(perm)
self.user1.user_permissions.add(perm)
self.user1.groups.add(self.group)
objects = utils.get_objects_for_user(self.user1, ['auth.change_group'],
Group.objects.all())
self.assertEqual([obj.name for obj in objects], [self.group.name])
def test_single_permission_to_check(self):
groups = Group.objects.bulk_create(
[Group(name=name) for name in ['group1', 'group2', 'group3']])
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(User),
ctype_target=utils.get_content_type(Group),
relation_types=[{
'GROUPS': None
}])
perm = Permission.objects.get(content_type__app_label='auth',
codename='change_group')
access_rule.permissions.add(perm)
self.user1.user_permissions.add(perm)
self.user1.groups.add(*groups)
objects = utils.get_objects_for_user(self.user1, 'auth.change_group')
self.assertEqual(len(groups), len(objects))
self.assertEqual(set(groups), set(objects))
def post_process_instance(self, instance, commit):
Tag.objects.get_or_create(content_type=get_content_type(instance),
object_pk=instance.pk,
defaults={
'tag':
random.choice(
('sci-fi', 'drama', 'fantasy',
'romance', 'self help', 'satire'))
})
return instance
def test_multiple_perms(self):
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(User),
ctype_target=utils.get_content_type(Book),
relation_types=[{
'AUTHOR': None
}, {
'BOOK': None
}])
perms = Permission.objects.filter(
content_type__app_label='testapp',
codename__in=['view_book', 'change_book'])
access_rule.permissions.add(*perms)
self.user1.user_permissions.add(*perms)
self.user2.user_permissions.add(
perms.get(codename='change_book')) # Should not be in result set
users = utils.get_users_with_perms(
obj=self.book, permissions=['change_book', 'view_book'])
self.assertEqual(set(users), {self.user1})
def test_extra_perms_single(self):
group = Group.objects.create(name='a group')
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(User),
ctype_target=utils.get_content_type(Group),
relation_types=[{
'GROUPS': None
}])
access_rule.permissions.add(
Permission.objects.get(content_type__app_label='auth',
codename='add_group'))
self.user1.groups.add(group)
objects = utils.get_objects_for_user(self.user1, 'auth.add_group')
self.assertEqual(set(), set(objects))
objects = utils.get_objects_for_user(self.user1,
'auth.add_group',
extra_perms='auth.add_group')
self.assertEqual({group}, set(objects))
def test_checker_has_perm_authorized_group(self):
group = Group.objects.create(name='test group')
user = User.objects.create_user(username='******',
password='******')
perm = Permission.objects.get(
content_type=utils.get_content_type(user), codename='change_user')
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(group),
ctype_target=utils.get_content_type(user),
relation_types=[{
'USER_SET': None
}])
user.groups.add(group)
group.permissions.add(perm)
access_rule.permissions.add(perm)
checker = utils.GraphPermissionChecker(group)
# self.assertTrue(checker.has_perm(perm.codename, user))
self.assertRaises(NotImplementedError, checker.has_perm, perm.codename,
user)
def test_permissions_single(self):
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(User),
ctype_target=utils.get_content_type(Group),
relation_types=[{
'GROUPS': None
}])
perm = Permission.objects.get(content_type__app_label='auth',
codename='change_group')
access_rule.permissions.add(perm)
self.user1.user_permissions.add(perm)
self.user1.groups.add(self.group)
self.assertEqual(
set(self.user1.groups.all()),
set(utils.get_objects_for_user(self.user1, 'auth.change_group')))
self.assertEqual(
set(self.user1.groups.all()),
set(utils.get_objects_for_user(self.user1, ['auth.change_group'])))
def test_relation_types_target_props(self):
groups = Group.objects.bulk_create(
[Group(name=name) for name in ['group1', 'group2']])
access_rule = AccessRule.objects.create(
ctype_source=utils.get_content_type(User),
ctype_target=utils.get_content_type(Group),
relation_types=[{
'GROUPS': {
'name': 'group1'
}
}])
perm = Permission.objects.get(content_type__app_label='auth',
codename='add_group')
access_rule.permissions.add(perm)
self.user1.user_permissions.add(perm)
self.user1.groups.add(*groups)
objects = utils.get_objects_for_user(self.user1, 'auth.add_group')
self.assertEqual({Group.objects.get(name='group1')}, set(objects))
def test_get_content_type_from_class(self):
self.assertEqual(utils.get_content_type(User),
ContentType.objects.get_for_model(User))
def test_get_content_type_from_instance(self):
user = User.objects.create_user(username='******',
password='******')
self.assertEqual(utils.get_content_type(user),
ContentType.objects.get_for_model(User))
