def _filterResult(self, result):
"""
Filter recent activity eliminating those tags the user doesn't have
L{Operation.READ_TAG_VALUE} permissions for.
@param result: A C{list} of C{(Tag.path, TagValue.objectID,
AboutTagValue.value, TagValue.value, User.username,
value.creationTime)} 6-tuples with the information about the
recent tag values.
@return: Same items in result minus the tags the user is not allowed to
read.
"""
if not result:
return []
pathsAndOperations = set(
(path, Operation.READ_TAG_VALUE)
for path, objectID, about, value, username, time in result)
deniedOperations = checkPermissions(self._user, pathsAndOperations)
deniedPaths = set(path for path, operation in deniedOperations)
# FIXME: There's a potential problem with the filtering, which is that
# we only ever fetch N recent items from the database, but with
# filtering we might return N-M items (where M is the number of
# inaccessible items).
return [(path, objectID, about, value, username, time)
for path, objectID, about, value, username, time in result
if path not in deniedPaths]
def testCheckUserWithImplicitNestedNamespacePath(self):
"""
L{checkPermissions} does a recursive check to find the parent
L{Namespace} when a path includes many unknown segments.
"""
values = [(u'username/nested/namespace', Operation.CREATE_NAMESPACE)]
self.assertEqual([], checkPermissions(self.user, values))
def getTagsByObjects(self, objectIDs, permission=None):
"""See L{ObjectAPI.getTagsByObjects}.
@param permission: Optionally, the permission the user must have for
the L{Tag.path} to be included in the return result. Default is
L{Operation.READ_TAG_VALUE}.
"""
if permission is None:
permission = Operation.READ_TAG_VALUE
# We have to call getTagsByObjects first, since we don't know which
# Tag's the user has the requested permission for.
tagPaths = self._api.getTagsByObjects(objectIDs)
if tagPaths:
pathsAndOperations = set()
for objectID, paths in tagPaths.iteritems():
for path in paths:
pathsAndOperations.add((path, permission))
deniedOperations = checkPermissions(self._user, pathsAndOperations)
deniedPaths = set([path for path, operation in deniedOperations])
if not deniedPaths:
return tagPaths
result = {}
for objectID, paths in tagPaths.iteritems():
allowedPaths = [
path for path in paths if path not in deniedPaths
]
if allowedPaths:
result[objectID] = allowedPaths
return result
else:
return {}
def _filterResult(self, result):
"""
Filter recent activity eliminating those tags the user doesn't have
L{Operation.READ_TAG_VALUE} permissions for.
@param result: A C{list} of C{(Tag.path, TagValue.objectID,
AboutTagValue.value, TagValue.value, User.username,
value.creationTime)} 6-tuples with the information about the
recent tag values.
@return: Same items in result minus the tags the user is not allowed to
read.
"""
if not result:
return []
pathsAndOperations = set(
(path, Operation.READ_TAG_VALUE) for
path, objectID, about, value, username, time in result)
deniedOperations = checkPermissions(self._user, pathsAndOperations)
deniedPaths = set(path for path, operation in deniedOperations)
# FIXME: There's a potential problem with the filtering, which is that
# we only ever fetch N recent items from the database, but with
# filtering we might return N-M items (where M is the number of
# inaccessible items).
return [(path, objectID, about, value, username, time)
for path, objectID, about, value, username, time in result
if path not in deniedPaths]
def getTagsByObjects(self, objectIDs, permission=None):
"""See L{ObjectAPI.getTagsByObjects}.
@param permission: Optionally, the permission the user must have for
the L{Tag.path} to be included in the return result. Default is
L{Operation.READ_TAG_VALUE}.
"""
if permission is None:
permission = Operation.READ_TAG_VALUE
# We have to call getTagsByObjects first, since we don't know which
# Tag's the user has the requested permission for.
tagPaths = self._api.getTagsByObjects(objectIDs)
if tagPaths:
pathsAndOperations = set()
for objectID, paths in tagPaths.iteritems():
for path in paths:
pathsAndOperations.add((path, permission))
deniedOperations = checkPermissions(self._user, pathsAndOperations)
deniedPaths = set([path for path, operation in deniedOperations])
if not deniedPaths:
return tagPaths
result = {}
for objectID, paths in tagPaths.iteritems():
allowedPaths = [path for path in paths
if path not in deniedPaths]
if allowedPaths:
result[objectID] = allowedPaths
return result
else:
return {}
def testCheckUserWithImplicitNestedNamespacePath(self):
"""
L{checkPermissions} does a recursive check to find the parent
L{Namespace} when a path includes many unknown segments.
"""
values = [(u'username/nested/namespace', Operation.CREATE_NAMESPACE)]
self.assertEqual([], checkPermissions(self.user, values))
def testCheckUserWithImplicitTagPath(self):
"""
L{checkPermissions} ignores an unknown path when a
L{Operation.WRITE_TAG_VALUE} operation is requested and when the user
has L{Operation.CREATE_NAMESPACE} access on the parent L{Namespace}.
"""
values = [(u'username/unknown', Operation.WRITE_TAG_VALUE)]
self.assertEqual([], checkPermissions(self.user, values))
def testCheckUserWithFluidDBSlashIDVirtualPath(self):
"""
An L{UnknownPathError} is not raised when the special C{fluiddb/id}
virtual tag is encountered and L{Tag}-related permission checks always
succeed.
"""
values = [(u'fluiddb/id', Operation.READ_TAG_VALUE)]
self.assertEqual([], checkPermissions(self.user, values))
def testCheckUpdateUserIsAllowedForTheOwnUser(self):
"""
L{checkPermissions} allows C{UPDATE_USER} access for normal
users if the requesting user is the same modified user.
"""
values = [(u'username', Operation.UPDATE_USER)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([], deniedOperations)
def testCheckUserWithFluidDBSlashIDVirtualPath(self):
"""
An L{UnknownPathError} is not raised when the special C{fluiddb/id}
virtual tag is encountered and L{Tag}-related permission checks always
succeed.
"""
values = [(u'fluiddb/id', Operation.READ_TAG_VALUE)]
self.assertEqual([], checkPermissions(self.user, values))
def testCheckCreateObjectIsAlwaysGrantedForNormalUser(self):
"""
L{checkPermissions} always grants C{CREATE_OBJECT} access for
normal users.
"""
values = [(u'', Operation.CREATE_OBJECT)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([], deniedOperations)
def testCheckCreateObjectIsAlwaysGrantedForNormalUser(self):
"""
L{checkPermissions} always grants C{CREATE_OBJECT} access for
normal users.
"""
values = [(u'', Operation.CREATE_OBJECT)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([], deniedOperations)
def testCheckUserWithImplicitTagPath(self):
"""
L{checkPermissions} ignores an unknown path when a
L{Operation.WRITE_TAG_VALUE} operation is requested and when the user
has L{Operation.CREATE_NAMESPACE} access on the parent L{Namespace}.
"""
values = [(u'username/unknown', Operation.WRITE_TAG_VALUE)]
self.assertEqual([], checkPermissions(self.user, values))
def testCheckUpdateUserIsAllowedForTheOwnUser(self):
"""
L{checkPermissions} allows C{UPDATE_USER} access for normal
users if the requesting user is the same modified user.
"""
values = [(u'username', Operation.UPDATE_USER)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([], deniedOperations)
def testCheckDeleteRootNamespaceIsAlwaysDeniedForNormalUser(self):
"""
L{checkPermissions} always denies C{DELETE_NAMESPACE} access on the
root namespace for normal users.
"""
values = [(u'username', Operation.DELETE_NAMESPACE)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([(u'username', Operation.DELETE_NAMESPACE)],
deniedOperations)
def testCheckCreateUserIsAlwaysDeniedForAnonymousUser(self):
"""
L{checkPermissions} always denies C{CREATE_USER} access for
anonymous users.
"""
anonymous = self.system.users[u'anon']
values = [(u'anon', Operation.CREATE_USER)]
deniedOperations = checkPermissions(anonymous, values)
self.assertEqual([(u'anon', Operation.CREATE_USER)], deniedOperations)
def testCheckUserWithImplicitNamespacePath(self):
"""
L{checkPermissions} ignores an unknown path when a
L{Operation.CREATE_NAMESPACE} operation is requested and when the user
has L{Operation.CREATE_NAMESPACE} access on the final existing
parent's L{Namespace}.
"""
values = [(u'username/namespace', Operation.CREATE_NAMESPACE)]
self.assertEqual([], checkPermissions(self.user, values))
def testCheckCreateUserIsAlwaysDeniedForNormalUser(self):
"""
L{checkPermissions} always denies C{CREATE_USER} access for normal
users.
"""
values = [(u'username', Operation.CREATE_USER)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([(u'username', Operation.CREATE_USER)],
deniedOperations)
def testCheckDeleteRootNamespaceIsAlwaysDeniedForNormalUser(self):
"""
L{checkPermissions} always denies C{DELETE_NAMESPACE} access on the
root namespace for normal users.
"""
values = [(u'username', Operation.DELETE_NAMESPACE)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([(u'username', Operation.DELETE_NAMESPACE)],
deniedOperations)
def testCheckCreateUserIsAlwaysDeniedForNormalUser(self):
"""
L{checkPermissions} always denies C{CREATE_USER} access for normal
users.
"""
values = [(u'username', Operation.CREATE_USER)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([(u'username', Operation.CREATE_USER)],
deniedOperations)
def testCheckUserWithImplicitNamespacePath(self):
"""
L{checkPermissions} ignores an unknown path when a
L{Operation.CREATE_NAMESPACE} operation is requested and when the user
has L{Operation.CREATE_NAMESPACE} access on the final existing
parent's L{Namespace}.
"""
values = [(u'username/namespace', Operation.CREATE_NAMESPACE)]
self.assertEqual([], checkPermissions(self.user, values))
def testCheckUserWithImplicitTagAndNamespace(self):
"""
L{checkPermissions} ignores an unknown path when a
L{Operation.WRITE_TAG_VALUE} operation is requested and when the user
has L{Operation.CREATE_NAMESPACE} access on the final existing
parent's L{Namespace}.
"""
values = set([(u'username/tag', Operation.WRITE_TAG_VALUE),
(u'username/namespace/tag', Operation.WRITE_TAG_VALUE)])
self.assertEqual([], checkPermissions(self.user, values))
def testCheckDeleteRootNamespaceIsAlwaysDeniedForAnonymous(self):
"""
L{checkPermissions} always denies C{DELETE_NAMESPACE} access on the
root namespace for anonymous users.
"""
anonymous = self.system.users[u'anon']
values = [(u'anon', Operation.DELETE_NAMESPACE)]
deniedOperations = checkPermissions(anonymous, values)
self.assertEqual([(u'anon', Operation.DELETE_NAMESPACE)],
deniedOperations)
def testCheckAnonymousWithImplicitPath(self):
"""
L{checkPermissions} denies prevents L{Role.ANONYMOUS} L{User}s from
implicitly creating tags because the anoymous user is not allowed to
perform L{Operation.WRITE_TAG_VALUE} operations.
"""
anonymous = self.system.users[u'anon']
values = [(u'anon/path', Operation.WRITE_TAG_VALUE)]
self.assertEqual([(u'anon/path', Operation.WRITE_TAG_VALUE)],
checkPermissions(anonymous, values))
def testCheckAnonymousWithImplicitPath(self):
"""
L{checkPermissions} denies prevents L{Role.ANONYMOUS} L{User}s from
implicitly creating tags because the anoymous user is not allowed to
perform L{Operation.WRITE_TAG_VALUE} operations.
"""
anonymous = self.system.users[u'anon']
values = [(u'anon/path', Operation.WRITE_TAG_VALUE)]
self.assertEqual([(u'anon/path', Operation.WRITE_TAG_VALUE)],
checkPermissions(anonymous, values))
def testCheckUserWithImplicitTagAndNamespace(self):
"""
L{checkPermissions} ignores an unknown path when a
L{Operation.WRITE_TAG_VALUE} operation is requested and when the user
has L{Operation.CREATE_NAMESPACE} access on the final existing
parent's L{Namespace}.
"""
values = set([(u'username/tag', Operation.WRITE_TAG_VALUE),
(u'username/namespace/tag', Operation.WRITE_TAG_VALUE)])
self.assertEqual([], checkPermissions(self.user, values))
def testCheckCreateUserIsAlwaysDeniedForAnonymousUser(self):
"""
L{checkPermissions} always denies C{CREATE_USER} access for
anonymous users.
"""
anonymous = self.system.users[u'anon']
values = [(u'anon', Operation.CREATE_USER)]
deniedOperations = checkPermissions(anonymous, values)
self.assertEqual([(u'anon', Operation.CREATE_USER)],
deniedOperations)
def testCheckDeleteRootNamespaceIsAlwaysDeniedForAnonymous(self):
"""
L{checkPermissions} always denies C{DELETE_NAMESPACE} access on the
root namespace for anonymous users.
"""
anonymous = self.system.users[u'anon']
values = [(u'anon', Operation.DELETE_NAMESPACE)]
deniedOperations = checkPermissions(anonymous, values)
self.assertEqual([(u'anon', Operation.DELETE_NAMESPACE)],
deniedOperations)
def create(self, value=None):
"""See L{ObjectAPI.create}.
@raises PermissionDeniedError: Raised if the user is not authorized to
create objects.
"""
pathsAndOperations = [(None, Operation.CREATE_OBJECT)]
deniedOperations = checkPermissions(self._user, pathsAndOperations)
if deniedOperations:
raise PermissionDeniedError(self._user.username, deniedOperations)
return self._api.create(value)
def testCheckUpdateUserIsDeniedForOtherNormalUsers(self):
"""
L{checkPermissions} denies C{UPDATE_USER} access for normal
users except the own user.
"""
UserAPI().create([(u'otheruser', u'password', u'User',
u'*****@*****.**')])
values = [(u'otheruser', Operation.UPDATE_USER)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([(u'otheruser', Operation.UPDATE_USER)],
deniedOperations)
def testCheckUserManagerHasAccessToPerformUserOperations(self):
"""
L{checkPermissions} always allows user L{Operation}s for
L{Role.USER_MANAGER} users.
"""
self.user.role = Role.USER_MANAGER
values = [(u'username', Operation.CREATE_USER),
(u'username', Operation.UPDATE_USER),
(u'username', Operation.DELETE_USER)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([], deniedOperations)
def testCheckUpdateUserIsDeniedForOtherNormalUsers(self):
"""
L{checkPermissions} denies C{UPDATE_USER} access for normal
users except the own user.
"""
UserAPI().create([(u'otheruser', u'password', u'User',
u'*****@*****.**')])
values = [(u'otheruser', Operation.UPDATE_USER)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([(u'otheruser', Operation.UPDATE_USER)],
deniedOperations)
def create(self, value=None):
"""See L{ObjectAPI.create}.
@raises PermissionDeniedError: Raised if the user is not authorized to
create objects.
"""
pathsAndOperations = [(None, Operation.CREATE_OBJECT)]
deniedOperations = checkPermissions(self._user, pathsAndOperations)
if deniedOperations:
raise PermissionDeniedError(self._user.username, deniedOperations)
return self._api.create(value)
def testCheckUserManagerHasAccessToPerformUserOperations(self):
"""
L{checkPermissions} always allows user L{Operation}s for
L{Role.USER_MANAGER} users.
"""
self.user.role = Role.USER_MANAGER
values = [(u'username', Operation.CREATE_USER),
(u'username', Operation.UPDATE_USER),
(u'username', Operation.DELETE_USER)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([], deniedOperations)
def testCheckClosedPermissionWithException(self):
"""
L{checkPermissions} grants access when the policy is C{Policy.OPEN}
and the L{User.id} is in the exceptions list.
"""
TagAPI(self.user).create([(u'username/tag', u'description')])
self.permissions.set([(u'username/tag', Operation.UPDATE_TAG,
Policy.CLOSED, [u'username'])])
values = [(u'username/tag', Operation.UPDATE_TAG)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([], deniedOperations)
def testCheckClosedPermissionWithException(self):
"""
L{checkPermissions} grants access when the policy is C{Policy.OPEN}
and the L{User.id} is in the exceptions list.
"""
TagAPI(self.user).create([(u'username/tag', u'description')])
self.permissions.set([(u'username/tag', Operation.UPDATE_TAG,
Policy.CLOSED, [u'username'])])
values = [(u'username/tag', Operation.UPDATE_TAG)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([], deniedOperations)
def set(self, values):
"""See L{UserAPI.set}.
@raises PermissionDeniedError: Raised if the user is not a superuser
and tries to set values for a L{User}.
"""
actions = [(username, Operation.UPDATE_USER)
for username, password, fullname, email, role in values]
deniedActions = checkPermissions(self._user, actions)
if deniedActions:
raise PermissionDeniedError(self._user.username, deniedActions)
return self._api.set(values)
def set(self, values):
"""See L{UserAPI.set}.
@raises PermissionDeniedError: Raised if the user is not a superuser
and tries to set values for a L{User}.
"""
actions = [(username, Operation.UPDATE_USER)
for username, password, fullname, email, role in values]
deniedActions = checkPermissions(self._user, actions)
if deniedActions:
raise PermissionDeniedError(self._user.username, deniedActions)
return self._api.set(values)
def set(self, values):
"""See L{TagAPI.set}.
@raises PermissionDeniedError: Raised if the user is not authorized to
update L{Tag}s.
"""
pathsAndOperations = [(path, Operation.UPDATE_TAG)
for path in values.iterkeys()]
deniedOperations = checkPermissions(self._user, pathsAndOperations)
if deniedOperations:
raise PermissionDeniedError(self._user.username, deniedOperations)
return self._api.set(values)
def create(self, values):
"""See L{TagAPI.create}.
@raises PermissionDeniedError: Raised if the user is not authorized to
create L{Tag}s.
"""
pathsAndOperations = [(getParentPath(path), Operation.CREATE_NAMESPACE)
for path, description in values]
deniedOperations = checkPermissions(self._user, pathsAndOperations)
if deniedOperations:
raise PermissionDeniedError(self._user.username, deniedOperations)
return self._api.create(values)
def create(self, values):
"""See L{TagAPI.create}.
@raises PermissionDeniedError: Raised if the user is not authorized to
create L{Tag}s.
"""
pathsAndOperations = [(getParentPath(path), Operation.CREATE_NAMESPACE)
for path, description in values]
deniedOperations = checkPermissions(self._user, pathsAndOperations)
if deniedOperations:
raise PermissionDeniedError(self._user.username, deniedOperations)
return self._api.create(values)
def set(self, values):
"""See L{TagAPI.set}.
@raises PermissionDeniedError: Raised if the user is not authorized to
update L{Tag}s.
"""
pathsAndOperations = [(path, Operation.UPDATE_TAG)
for path in values.iterkeys()]
deniedOperations = checkPermissions(self._user, pathsAndOperations)
if deniedOperations:
raise PermissionDeniedError(self._user.username, deniedOperations)
return self._api.set(values)
def testCheckUserWithMissingPermission(self):
"""
L{checkPermissions} denies the operation if, for some
reason, a permission is not available for the entity being requested.
"""
TagAPI(self.user).create([(u'username/tag', u'description')])
# FIXME: don't use data functions here.
[(tag, permission)] = getTagPermissions([u'username/tag'])
self.store.remove(permission)
values = [(u'username/tag', Operation.UPDATE_TAG)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([(u'username/tag', Operation.UPDATE_TAG)],
deniedOperations)
def create(self, values, createPrivateNamespace=None):
"""See L{UserAPI.create}.
@raises PermissionDeniedError: Raised if the user is not a
superuser and tries to create a new L{User}.
"""
actions = [(username, Operation.CREATE_USER)
for username, password, fullname, email in values]
deniedActions = checkPermissions(self._user, actions)
if deniedActions:
raise PermissionDeniedError(self._user.username, deniedActions)
return self._api.create(values,
createPrivateNamespace=createPrivateNamespace)
def delete(self, usernames):
"""See L{UserAPI.delete}.
@raises PermissionDeniedError: Raised if the user is not a superuser
and tries to delete a L{User}.
"""
if isgenerator(usernames):
usernames = list(usernames)
actions = [(username, Operation.DELETE_USER) for username in usernames]
deniedActions = checkPermissions(self._user, actions)
if deniedActions:
raise PermissionDeniedError(self._user.username, deniedActions)
return self._api.delete(usernames)
def testCheckUserWithMissingPermission(self):
"""
L{checkPermissions} denies the operation if, for some
reason, a permission is not available for the entity being requested.
"""
TagAPI(self.user).create([(u'username/tag', u'description')])
# FIXME: don't use data functions here.
[(tag, permission)] = getTagPermissions([u'username/tag'])
self.store.remove(permission)
values = [(u'username/tag', Operation.UPDATE_TAG)]
deniedOperations = checkPermissions(self.user, values)
self.assertEqual([(u'username/tag', Operation.UPDATE_TAG)],
deniedOperations)
def delete(self, paths):
"""See L{TagAPI.delete}.
@raises PermissionDeniedError: Raised if the user is not authorized to
delete L{Tag}s.
"""
if isgenerator(paths):
paths = list(paths)
pathsAndOperations = [(path, Operation.DELETE_TAG) for path in paths]
deniedOperations = checkPermissions(self._user, pathsAndOperations)
if deniedOperations:
raise PermissionDeniedError(self._user.username, deniedOperations)
return self._api.delete(paths)
def delete(self, paths):
"""See L{TagAPI.delete}.
@raises PermissionDeniedError: Raised if the user is not authorized to
delete L{Tag}s.
"""
if isgenerator(paths):
paths = list(paths)
pathsAndOperations = [(path, Operation.DELETE_TAG) for path in paths]
deniedOperations = checkPermissions(self._user, pathsAndOperations)
if deniedOperations:
raise PermissionDeniedError(self._user.username, deniedOperations)
return self._api.delete(paths)
def delete(self, usernames):
"""See L{UserAPI.delete}.
@raises PermissionDeniedError: Raised if the user is not a superuser
and tries to delete a L{User}.
"""
if isgenerator(usernames):
usernames = list(usernames)
actions = [(username, Operation.DELETE_USER) for username in usernames]
deniedActions = checkPermissions(self._user, actions)
if deniedActions:
raise PermissionDeniedError(self._user.username, deniedActions)
return self._api.delete(usernames)
def create(self, values, createPrivateNamespace=None):
"""See L{UserAPI.create}.
@raises PermissionDeniedError: Raised if the user is not a
superuser and tries to create a new L{User}.
"""
actions = [(username, Operation.CREATE_USER)
for username, password, fullname, email in values]
deniedActions = checkPermissions(self._user, actions)
if deniedActions:
raise PermissionDeniedError(self._user.username, deniedActions)
return self._api.create(values,
createPrivateNamespace=createPrivateNamespace)
def delete(self, values):
"""See L{TagValueAPI.delete}.
@raise PermissionDeniedError: Raised if the user is not authorized to
delete L{TagValue}s.
"""
if isgenerator(values):
values = list(values)
pathsAndOperations = set((path, Operation.DELETE_TAG_VALUE)
for _, path, in values)
deniedOperations = checkPermissions(self._user, pathsAndOperations)
if deniedOperations:
raise PermissionDeniedError(self._user.username, deniedOperations)
return self._api.delete(values)
def set(self, values):
"""See L{TagValueAPI.set}.
@raise PermissionDeniedError: Raised if the user is not authorized to
create or update L{TagValue}s.
"""
pathsAndOperations = set()
for tagValues in values.itervalues():
pathsAndOperations.update((path, Operation.WRITE_TAG_VALUE)
for path in tagValues.iterkeys())
deniedOperations = checkPermissions(self._user, pathsAndOperations)
if deniedOperations:
raise PermissionDeniedError(self._user.username, deniedOperations)
return self._api.set(values)
def testCheckAnonymousWithMissingPermission(self):
"""
L{checkPermissions} denies the operations, for some
reason, a permission is not available for the entity being requested.
"""
anonymous = self.system.users[u'anon']
TagAPI(self.user).create([(u'username/tag', u'description')])
values = [(u'username/tag', Operation.READ_TAG_VALUE)]
# FIXME: don't use data functions here.
[(tag, permission)] = getTagPermissions([u'username/tag'])
self.store.remove(permission)
deniedOperations = checkPermissions(anonymous, values)
self.assertEqual([(u'username/tag', Operation.READ_TAG_VALUE)],
deniedOperations)
def testCheckAnonymousWithMissingPermission(self):
"""
L{checkPermissions} denies the operations, for some
reason, a permission is not available for the entity being requested.
"""
anonymous = self.system.users[u'anon']
TagAPI(self.user).create([(u'username/tag', u'description')])
values = [(u'username/tag', Operation.READ_TAG_VALUE)]
# FIXME: don't use data functions here.
[(tag, permission)] = getTagPermissions([u'username/tag'])
self.store.remove(permission)
deniedOperations = checkPermissions(anonymous, values)
self.assertEqual([(u'username/tag', Operation.READ_TAG_VALUE)],
deniedOperations)
def testCheckWithSuperuser(self):
"""
L{checkPermissions} always grants access if the user is superuser.
"""
TagAPI(self.user).create([(u'username/path', u'description')])
NamespaceAPI(self.user).create([(u'username/path', u'description')])
superuser = self.system.users[u'fluiddb']
# Close all permissions for the tag
values = [(u'username/path', operation, Policy.CLOSED, [])
for operation in Operation.PATH_OPERATIONS]
self.permissions.set(values)
values = [(u'username/path', operation)
for operation in Operation.PATH_OPERATIONS]
deniedOperations = checkPermissions(superuser, values)
self.assertEqual([], deniedOperations)
def getRecent(self, limit=None, olderThan=None, newerThan=None,
filterTags=None, additionalTags=None):
"""See L{CommentAPI.getRecent}.
@raise PermissionDeniedError: If the user lacks READ_TAG_VALUE
permissions on any of the tag paths in additionalTags.
"""
if additionalTags is not None:
pathsAndOperations = set((path, Operation.READ_TAG_VALUE)
for path in additionalTags)
deniedOperations = checkPermissions(self._user, pathsAndOperations)
if deniedOperations:
raise PermissionDeniedError(self._user.username,
deniedOperations)
return self._api.getRecent(limit, olderThan, newerThan, filterTags,
additionalTags)
def testCheckWithSuperuser(self):
"""
L{checkPermissions} always grants access if the user is superuser.
"""
TagAPI(self.user).create([(u'username/path', u'description')])
NamespaceAPI(self.user).create([(u'username/path', u'description')])
superuser = self.system.users[u'fluiddb']
# Close all permissions for the tag
values = [(u'username/path', operation, Policy.CLOSED, [])
for operation in Operation.PATH_OPERATIONS]
self.permissions.set(values)
values = [(u'username/path', operation)
for operation in Operation.PATH_OPERATIONS]
deniedOperations = checkPermissions(superuser, values)
self.assertEqual([], deniedOperations)
def getTagsForObjects(self, objectIDs):
"""See L{ObjectAPI.getTagsForObjects}."""
# We have to call getTagsForObjects first, since we don't know which
# L{Tag}s the user has L{Operation.READ_TAG_VALUE} permission for.
tagPaths = self._api.getTagsForObjects(objectIDs)
if tagPaths:
pathsAndOperations = set()
for path in tagPaths:
pathsAndOperations.add((path, Operation.READ_TAG_VALUE))
deniedOperations = checkPermissions(self._user, pathsAndOperations)
deniedPaths = set([path for path, operation in deniedOperations])
if not deniedPaths:
return tagPaths
else:
return [path for path in tagPaths if path not in deniedPaths]
else:
return []
def create(self, values):
"""See L{NamespaceAPI.create}.
@raise PermissionDeniedError: Raised if the user is not authorized to
create L{Namespace}s.
"""
paths = []
pathsAndOperations = []
for path, description in values:
parentPath = getParentPath(path)
pathsAndOperations.append((parentPath, Operation.CREATE_NAMESPACE))
paths.append(path)
deniedOperations = checkPermissions(self._user, pathsAndOperations)
if deniedOperations:
raise PermissionDeniedError(self._user.username, deniedOperations)
return self._api.create(values)
