def test_permissions(self): for configuration in self.test_configuration: instance = configuration['instance'] for group_name, permission_key in configuration['groups'].items(): group = Group.objects.get(name=group_name) class_permissions_keys = PermissionKey.permission_keys( permission_key, instance.__class__) if permission_key else [] for permission in class_permissions_keys: # See if the group has all of the expected permissions to the instance assert ObjectPermissionChecker(group).has_perm(permission, instance), \ "Group %s expected to have %s permission to instance %s with id %s and key %s but doesn't. %s" % \ (group.name, permission, instance, instance.id, self.key_class.Fab.remove(self.instance_key_lambda(instance)), get_list_or_if_empty( ObjectPermissionChecker(group).get_perms(instance), lambda: 'It has no permissions', lambda lisst: 'It has permissions: %s' % ', '.join(lisst) )) for nopermission in set( PermissionKey.permission_keys( PermissionKey.ALL, instance.__class__)) - set(class_permissions_keys): # Make sure the other permissions are not set assert not ObjectPermissionChecker(group).has_perm(nopermission, instance), \ "Group %s should not have %s permission to instance %s with id %s and key %s but does. %s" % \ (group.name, nopermission, instance, instance.id, self.key_class.Fab.remove(self.instance_key_lambda(instance)), 'It has permissions: %s' % ', '.join(ObjectPermissionChecker(group).get_perms(instance)) ) # Test that any configured users are in the expected group for group_name, user_name in configuration.get('users', {}).items(): user = User.objects.get(username=user_name) group = Group.objects.get(name=group_name) assert_equal( user.groups.filter(name=group).count(), 1, "Expected user %s to be in group %s, but it wasn't. User is in the following groups %s" % (user_name, group_name, ', '.join( user.groups.values_list('name', flat=True))))
def test_permissions(self): for configuration in self.test_configuration: instance = configuration['instance'] for group_name, permission_key in configuration['groups'].items(): group = Group.objects.get(name=group_name) class_permissions_keys = PermissionKey.permission_keys(permission_key, instance.__class__) if permission_key else [] for permission in class_permissions_keys: # See if the group has all of the expected permissions to the instance assert ObjectPermissionChecker(group).has_perm(permission, instance), \ "Group %s expected to have %s permission to instance %s with id %s and key %s but doesn't. %s" % \ (group.name, permission, instance, instance.id, self.key_class.Fab.remove(self.instance_key_lambda(instance)), get_list_or_if_empty( ObjectPermissionChecker(group).get_perms(instance), lambda: 'It has no permissions', lambda lisst: 'It has permissions: %s' % ', '.join(lisst) )) for nopermission in set(PermissionKey.permission_keys(PermissionKey.ALL, instance.__class__)) - set(class_permissions_keys): # Make sure the other permissions are not set assert not ObjectPermissionChecker(group).has_perm(nopermission, instance), \ "Group %s should not have %s permission to instance %s with id %s and key %s but does. %s" % \ (group.name, nopermission, instance, instance.id, self.key_class.Fab.remove(self.instance_key_lambda(instance)), 'It has permissions: %s' % ', '.join(ObjectPermissionChecker(group).get_perms(instance)) ) # Test that any configured users are in the expected group for group_name, user_name in configuration.get('users', {}).items(): user = User.objects.get(username=user_name) group = Group.objects.get(name=group_name) assert_equal(user.groups.filter(name=group).count(), 1, "Expected user %s to be in group %s, but it wasn't. User is in the following groups %s" % (user_name, group_name, ', '.join(user.groups.values_list('name', flat=True))))
def permitted_ids(cls, groups, objects, permission_key=PermissionKey.VIEW): """ Given one or more groups and list of instances return the ids of the objects to which the groups have permission. :param groups: Typically user.groups :param objects: The instances of the cls to test :param objects: The key to check permission for, defaults to View :return: """ # Find the content_type_ids of the resource model and subclass models # Then find the corresponding view ids # This stuff almost never changes, so cache at the model class level it for speed # Get all classes content_type_dict = ContentType.objects.get_for_models( cls, *_all_subclasses(cls)) # split keys/values into two matching lists models_with_content_types, models_content_types = zip( *content_type_dict.iteritems()) content_type_ids = [ content_type.id for content_type in models_content_types ] perm_ids = Permission.objects.filter(codename__in=flat_map( lambda model: PermissionKey.permission_keys(permission_key, model), models_with_content_types)).values_list('id', flat=True) group_ids = [group.id for group in groups] obj_ids = [unicode(obj.id) for obj in objects] from guardian.models import GroupObjectPermission # Find all the objects of this type that this group has permission to access. group_objects = GroupObjectPermission.objects.filter( content_type_id__in=content_type_ids, group__in=group_ids, permission_id__in=perm_ids, object_pk__in=obj_ids) return group_objects.values_list('object_pk', flat=True)
def permitted_ids(cls, groups, objects, permission_key=PermissionKey.VIEW): """ Given one or more groups and list of instances return the ids of the objects to which the groups have permission. :param groups: Typically user.groups :param objects: The instances of the cls to test :param objects: The key to check permission for, defaults to View :return: """ # Find the content_type_ids of the resource model and subclass models # Then find the corresponding view ids # This stuff almost never changes, so cache at the model class level it for speed # Get all classes content_type_dict = ContentType.objects.get_for_models(cls, *_all_subclasses(cls)) # split keys/values into two matching lists models_with_content_types, models_content_types = zip(*content_type_dict.iteritems()) content_type_ids = [content_type.id for content_type in models_content_types] perm_ids = Permission.objects.filter( codename__in=flat_map( lambda model: PermissionKey.permission_keys(permission_key, model), models_with_content_types )).values_list('id', flat=True) group_ids = [group.id for group in groups] obj_ids = [unicode(obj.id) for obj in objects] from guardian.models import GroupObjectPermission # Find all the objects of this type that this group has permission to access. group_objects = GroupObjectPermission.objects.filter( content_type_id__in=content_type_ids, group__in=group_ids, permission_id__in=perm_ids, object_pk__in=obj_ids) return group_objects.values_list('object_pk', flat=True)