def test_permissions(): """Iterates over all users checking its permissions.""" for i in range(users_number): identity = FakeIdentity(UserNeed(users[i].id)) # Allowed permission permission_allowed_both = DynamicPermission( ActionNeed('action{0}'.format( (i % actions_users_number) + actions_roles_number)), ActionNeed('action{0}'.format(i % actions_roles_number)) ) assert permission_allowed_both.allows(identity) # Not allowed action user permission_not_allowed_user = DynamicPermission( ActionNeed('action{0}'.format( (i + 1) % actions_users_number + actions_roles_number)) ) assert not permission_not_allowed_user.allows(identity) # Not allowed action role permission_not_allowed_role = DynamicPermission( ActionNeed('action{0}'.format( (i + 1) % actions_roles_number)) ) assert not permission_not_allowed_role.allows(identity)
def test_invenio_access_permission_cache_redis(app): """Caching the user using redis.""" cache = RedisCache() InvenioAccess(app, cache=cache) with app.test_request_context(): user_can_all = User(email='*****@*****.**') user_can_open = User(email='*****@*****.**') db.session.add(user_can_all) db.session.add(user_can_open) db.session.add(ActionUsers(action='open', user=user_can_all)) db.session.flush() identity_open = FakeIdentity(UserNeed(user_can_open.id)) permission_open = DynamicPermission(ActionNeed('open')) assert not permission_open.allows(identity_open) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1)]), set([]) ) db.session.add(ActionUsers(action='open', user=user_can_open)) db.session.flush() permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_open) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) )
def test_invenio_access_permission_cache(app): """Caching the user using memory caching.""" cache = SimpleCache() InvenioAccess(app, cache=cache) with app.test_request_context(): user_can_all = User(email='*****@*****.**') user_can_open = User(email='*****@*****.**') user_can_open_1 = User(email='*****@*****.**') db.session.add(user_can_all) db.session.add(user_can_open) db.session.add(user_can_open_1) db.session.add(ActionUsers(action='open', user=user_can_all)) db.session.flush() permission_open = DynamicPermission(ActionNeed('open')) identity_open = FakeIdentity(UserNeed(user_can_open.id)) assert not permission_open.allows(identity_open) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1)]), set([]) ) db.session.add(ActionUsers(action='open', user=user_can_open)) db.session.flush() permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_open) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) db.session.add(ActionUsers(action='open', argument=1, user=user_can_open_1)) db.session.flush() identity_open_1 = FakeIdentity(UserNeed(user_can_open_1.id)) permission_open_1 = DynamicPermission( ParameterizedActionNeed('open', '1')) assert not permission_open.allows(identity_open_1) assert permission_open_1.allows(identity_open_1) assert current_access.get_action_cache('open::1') == ( set([Need(method='id', value=1), Need(method='id', value=2), Need(method='id', value=3)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) )
def test_invenio_access_permissions_deny(app): """User without any provides can't access to a place limited to user 0""" with app.test_request_context(): permission = DynamicPermission(UserNeed(0)) fake_identity = FakeIdentity() assert not permission.allows(fake_identity)
def test_invenio_access_permission_for_users(app): """User can access to an action allowed/denied to the user""" InvenioAccess(app) with app.test_request_context(): db.session.begin(nested=True) user_can_all = User(email='*****@*****.**') user_can_read = User(email='*****@*****.**') user_can_open = User(email='*****@*****.**') db.session.add(user_can_all) db.session.add(user_can_read) db.session.add(user_can_open) db.session.add(ActionUsers(action='open', user=user_can_all)) db.session.add(ActionUsers(action='open', user=user_can_open)) db.session.add(ActionUsers(action='read', user=user_can_all)) db.session.add(ActionUsers(action='read', user=user_can_read)) db.session.commit() permission_open = DynamicPermission(ActionNeed('open')) permission_read = DynamicPermission(ActionNeed('read')) identity_all = FakeIdentity(UserNeed(user_can_all.id)) identity_read = FakeIdentity(UserNeed(user_can_read.id)) identity_open = FakeIdentity(UserNeed(user_can_open.id)) assert permission_open.allows(identity_all) assert permission_read.allows(identity_all) assert permission_open.allows(identity_open) assert not permission_read.allows(identity_open) assert not permission_open.allows(identity_read) assert permission_read.allows(identity_read)
def test_invenio_access_permission_for_roles(app): """User with a role can access to an action allowed to the role""" with app.test_request_context(): admin_role = Role(name='admin') reader_role = Role(name='reader') opener_role = Role(name='opener') db.session.add(admin_role) db.session.add(reader_role) db.session.add(opener_role) db.session.add(ActionRoles(action='open', role=admin_role)) db.session.add(ActionRoles(action='open', role=opener_role)) db.session.add(ActionRoles(action='read', role=admin_role)) db.session.add(ActionRoles(action='read', role=reader_role)) db.session.flush() permission_open = DynamicPermission(ActionNeed('open')) permission_read = DynamicPermission(ActionNeed('read')) identity_all = FakeIdentity(RoleNeed('admin')) identity_read = FakeIdentity(RoleNeed('reader')) identity_open = FakeIdentity(RoleNeed('opener')) assert permission_open.allows(identity_all) assert permission_read.allows(identity_all) assert permission_open.allows(identity_open) assert not permission_read.allows(identity_open) assert not permission_open.allows(identity_read) assert permission_read.allows(identity_read)
def test_invenio_access_permission_cache_system_roles_updates(app): """Testing ActionSystemRoles cache with inserts/updates/deletes.""" # This test case is doing the same of user test case but using # system roles. cache = SimpleCache() InvenioAccess(app, cache=cache) with app.test_request_context(): system_role_1 = SystemRoleNeed('system_role_1') system_role_2 = SystemRoleNeed('system_role_2') system_role_3 = SystemRoleNeed('system_role_3') system_role_4 = SystemRoleNeed('system_role_4') system_role_5 = SystemRoleNeed('system_role_5') system_role_6 = SystemRoleNeed('system_role_6') current_access.system_roles = { 'system_role_1': system_role_1, 'system_role_2': system_role_2, 'system_role_3': system_role_3, 'system_role_4': system_role_4, 'system_role_5': system_role_5, 'system_role_6': system_role_6, } # Creation of some data to test. db.session.add(ActionSystemRoles(action='open', role_name=system_role_1.value)) db.session.add(ActionSystemRoles(action='write', role_name=system_role_4.value)) db.session.flush() # Creation of identities to test. identity_fake_1 = FakeIdentity(system_role_1) identity_fake_2 = FakeIdentity(system_role_2) identity_fake_3 = FakeIdentity(system_role_3) identity_fake_4 = FakeIdentity(system_role_4) identity_fake_5 = FakeIdentity(system_role_5) identity_fake_6 = FakeIdentity(system_role_6) # Test if system_role_1 can open. In this case, the cache should store # only this object. permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_fake_1) assert current_access.get_action_cache('open') == ( set([system_role_1]), set([]) ) # Test if system_role_2 can write. In this case, the cache should # have this new object and the previous one (Open is allowed to # system_role_1) permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_4) assert current_access.get_action_cache('write') == ( set([system_role_4]), set([]) ) assert current_access.get_action_cache('open') == ( set([system_role_1]), set([]) ) # If we add a new system role to the action open, the open action in # cache should be removed but it should still containing the write # entry. db.session.add(ActionSystemRoles(action='open', role_name=system_role_2.value)) db.session.flush() assert current_access.get_action_cache('open') is None permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_fake_2) assert current_access.get_action_cache('open') == ( set([system_role_1, system_role_2]), set([]) ) assert current_access.get_action_cache('write') == ( set([system_role_4]), set([]) ) # Test if the new role is added to the action 'open' permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_4) assert current_access.get_action_cache('open') == ( set([system_role_1, system_role_2]), set([]) ) assert current_access.get_action_cache('write') == ( set([system_role_4]), set([]) ) # If we update an action swapping a role, the cache containing the # action, should be removed. role_4_action_write = ActionSystemRoles.query.filter( ActionSystemRoles.action == 'write' and ActionSystemRoles.role_name == system_role_4.value).first() role_4_action_write.role_name = system_role_3.value db.session.flush() assert current_access.get_action_cache('write') is None assert current_access.get_action_cache('open') is not None assert current_access.get_action_cache('open') == ( set([system_role_1, system_role_2]), set([]) ) # Test if the system_role_3 can write now. permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_fake_4) permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_3) assert current_access.get_action_cache('write') == ( set([system_role_3]), set([]) ) assert current_access.get_action_cache('open') == ( set([system_role_1, system_role_2]), set([]) ) # If we remove a role from an action, the cache should clear the # action item. cust_action_write = ActionSystemRoles.query.filter( ActionSystemRoles.action == 'write' and ActionSystemRoles.role_name == system_role_3).first() db.session.delete(cust_action_write) db.session.flush() assert current_access.get_action_cache('write') is None # If no one is allowed to perform an action then everybody is allowed. permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_3) assert current_access.get_action_cache('write') == ( set([]), set([]) ) db.session.add(ActionSystemRoles(action='write', role_name=system_role_5.value)) db.session.flush() permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_5) permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_fake_3) assert current_access.get_action_cache('write') == ( set([system_role_5]), set([]) ) assert current_access.get_action_cache('open') == ( set([system_role_1, system_role_2]), set([]) ) # If you update the name of an existing action, the previous action # and the new action should be remove from cache. permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_5) assert current_access.get_action_cache('write') == ( set([system_role_5]), set([]) ) assert current_access.get_action_cache('open') == ( set([system_role_1, system_role_2]), set([]) ) role_5_action_write = ActionSystemRoles.query.filter( ActionSystemRoles.action == 'write' and ActionSystemRoles.role_name == system_role_5.value).first() role_5_action_write.action = 'open' db.session.flush() assert current_access.get_action_cache('write') is None assert current_access.get_action_cache('open') is None permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_fake_1) assert current_access.get_action_cache('open') == ( set([system_role_1, system_role_2, system_role_5]), set([]) ) db.session.add(ActionSystemRoles(action='write', role_name=system_role_4.value)) permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_fake_5) assert current_access.get_action_cache('write') == ( set([system_role_4]), set([]) ) db.session.add(ActionSystemRoles(action='open', argument='1', role_name=system_role_6.value)) db.session.flush() permission_open_1 = DynamicPermission( ParameterizedActionNeed('open', '1')) assert not permission_open.allows(identity_fake_6) assert permission_open_1.allows(identity_fake_6) assert current_access.get_action_cache('open::1') == ( set([system_role_1, system_role_2, system_role_5, system_role_6]), set([]) ) user_6_action_open_1 = ActionSystemRoles.query.filter_by( action='open', argument='1', role_name=system_role_6.value).first() user_6_action_open_1.argument = '2' db.session.flush() assert current_access.get_action_cache('open::1') is None assert current_access.get_action_cache('open::2') is None permission_open_2 = DynamicPermission( ParameterizedActionNeed('open', '2')) assert permission_open_2.allows(identity_fake_6) assert current_access.get_action_cache('open::2') == ( set([system_role_1, system_role_2, system_role_5, system_role_6]), set([]) ) # open action cache should remain as before assert current_access.get_action_cache('open') == ( set([system_role_1, system_role_2, system_role_5]), set([]) )
def test_invenio_access_permission_cache_roles_updates(app): """Testing ActionRoles cache with inserts/updates/deletes.""" # This test case is doing the same of user test case but using roles. cache = SimpleCache() InvenioAccess(app, cache=cache) with app.test_request_context(): # Creation of some data to test. role_1 = Role(name='role_1') role_2 = Role(name='role_2') role_3 = Role(name='role_3') role_4 = Role(name='role_4') role_5 = Role(name='role_5') role_6 = Role(name='role_6') db.session.add(role_1) db.session.add(role_2) db.session.add(role_3) db.session.add(role_4) db.session.add(role_5) db.session.add(role_6) db.session.add(ActionRoles(action='open', role=role_1)) db.session.add(ActionRoles(action='write', role=role_4)) db.session.flush() # Creation of identities to test. identity_fake_role_1 = FakeIdentity(RoleNeed(role_1.name)) identity_fake_role_2 = FakeIdentity(RoleNeed(role_2.name)) identity_fake_role_3 = FakeIdentity(RoleNeed(role_3.name)) identity_fake_role_4 = FakeIdentity(RoleNeed(role_4.name)) identity_fake_role_5 = FakeIdentity(RoleNeed(role_5.name)) identity_fake_role_6 = FakeIdentity(RoleNeed(role_6.name)) # Test if role 1 can open. In this case, the cache should store only # this object. permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_fake_role_1) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name)]), set([]) ) # Test if role 4 can write. In this case, the cache should have this # new object and the previous one (Open is allowed to role_1) permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_4) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_4.name)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name)]), set([]) ) # If we add a new role to the action open, the open action in cache # should be removed but it should still containing the write entry. db.session.add(ActionRoles(action='open', role=role_2)) db.session.flush() assert current_access.get_action_cache('open') is None permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_fake_role_2) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_4.name)]), set([]) ) # Test if the new role is added to the action 'open' permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_4) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_4.name)]), set([]) ) # If we update an action swapping a role, the cache containing the # action, should be removed. role_4_action_write = ActionRoles.query.filter( ActionRoles.action == 'write' and ActionRoles.role == role_4).first() role_4_action_write.role = role_3 db.session.flush() assert current_access.get_action_cache('write') is None assert current_access.get_action_cache('open') is not None assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) # Test if the role_3 can write now. permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_fake_role_4) permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_3) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_3.name)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) # If we remove a role from an action, the cache should clear the # action item. role_3_action_write = ActionRoles.query.filter( ActionRoles.action == 'write' and ActionRoles.role == role_3).first() db.session.delete(role_3_action_write) db.session.flush() assert current_access.get_action_cache('write') is None # If no one is allowed to perform an action then everybody is allowed. permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_3) assert current_access.get_action_cache('write') == ( set([]), set([]) ) db.session.add(ActionRoles(action='write', role=role_5)) db.session.flush() permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_5) permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_fake_role_3) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_5.name)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) # If you update the name of an existing action, the previous action # and the new action should be remove from cache. permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_5) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_5.name)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) role_5_action_write = ActionRoles.query.filter( ActionRoles.action == 'write' and ActionRoles.role == role_5).first() role_5_action_write.action = 'open' db.session.flush() assert current_access.get_action_cache('write') is None assert current_access.get_action_cache('open') is None permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_fake_role_1) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name), Need(method='role', value=role_5.name)]), set([]) ) db.session.add(ActionRoles(action='write', role=role_4)) permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_fake_role_5) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_4.name)]), set([]) ) db.session.add(ActionRoles(action='open', argument='1', role=role_6)) db.session.flush() permission_open_1 = DynamicPermission( ParameterizedActionNeed('open', '1')) assert not permission_open.allows(identity_fake_role_6) assert permission_open_1.allows(identity_fake_role_6) assert current_access.get_action_cache('open::1') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name), Need(method='role', value=role_5.name), Need(method='role', value=role_6.name)]), set([]) ) user_6_action_open_1 = ActionRoles.query.filter_by( action='open', argument='1', role_id=role_6.id).first() user_6_action_open_1.argument = '2' db.session.flush() assert current_access.get_action_cache('open::1') is None assert current_access.get_action_cache('open::2') is None permission_open_2 = DynamicPermission( ParameterizedActionNeed('open', '2')) assert permission_open_2.allows(identity_fake_role_6) assert current_access.get_action_cache('open::2') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name), Need(method='role', value=role_5.name), Need(method='role', value=role_6.name)]), set([]) ) # open action cache should remain as before assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name), Need(method='role', value=role_5.name)]), set([]) )
def test_invenio_access_permission_cache_users_updates(app): """Testing ActionUsers cache with inserts/updates/deletes.""" cache = SimpleCache() InvenioAccess(app, cache=cache) with app.test_request_context(): # Creation of some data to test. user_1 = User(email='*****@*****.**') user_2 = User(email='*****@*****.**') user_3 = User(email='*****@*****.**') user_4 = User(email='*****@*****.**') user_5 = User(email='*****@*****.**') user_6 = User(email='*****@*****.**') db.session.add(user_1) db.session.add(user_2) db.session.add(user_3) db.session.add(user_4) db.session.add(user_5) db.session.add(user_6) db.session.add(ActionUsers(action='open', user=user_1)) db.session.add(ActionUsers(action='write', user=user_4)) db.session.flush() # Creation identities to test. identity_user_1 = FakeIdentity(UserNeed(user_1.id)) identity_user_2 = FakeIdentity(UserNeed(user_2.id)) identity_user_3 = FakeIdentity(UserNeed(user_3.id)) identity_user_4 = FakeIdentity(UserNeed(user_4.id)) identity_user_5 = FakeIdentity(UserNeed(user_5.id)) identity_user_6 = FakeIdentity(UserNeed(user_6.id)) # Test if user 1 can open. In this case, the cache should store only # this object. permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_user_1) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1)]), set([]) ) # Test if user 4 can write. In this case, the cache should have this # new object and the previous one (Open is allowed to user_1) permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_user_4) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=4)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1)]), set([]) ) # If we add a new user to the action open, the open action in cache # should be removed but it should still containing the write entry. db.session.add(ActionUsers(action='open', user=user_2)) db.session.flush() assert current_access.get_action_cache('open') is None permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_user_2) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=4)]), set([]) ) # Test if the new user is added to the action 'open' permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_user_4) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=4)]), set([]) ) # If we update an action swapping a user, the cache containing the # action, should be removed. user_4_action_write = ActionUsers.query.filter( ActionUsers.action == 'write' and ActionUsers.user == user_4).first() user_4_action_write.user = user_3 db.session.flush() assert current_access.get_action_cache('write') is None assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) # Test if the user_3 can now write. permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_user_4) permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_user_3) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=3)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) # If we remove a user from an action, the cache should clear the # action item. user_3_action_write = ActionUsers.query.filter( ActionUsers.action == 'write' and ActionUsers.user == user_3).first() db.session.delete(user_3_action_write) db.session.flush() assert current_access.get_action_cache('write') is None # If no one is allowed to perform an action then everybody is allowed. permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_user_3) assert current_access.get_action_cache('write') == ( set([]), set([]) ) db.session.add(ActionUsers(action='write', user=user_5)) db.session.flush() permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_user_5) permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_user_3) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=5)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) # If you update the name of an existing action, the previous action # and the new action should be remove from cache. permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_user_5) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=5)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) user_5_action_write = ActionUsers.query.filter( ActionUsers.action == 'write' and ActionUsers.user == user_5).first() user_5_action_write.action = 'open' db.session.flush() assert current_access.get_action_cache('write') is None assert current_access.get_action_cache('open') is None permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_user_1) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2), Need(method='id', value=5)]), set([]) ) db.session.add(ActionUsers(action='write', user=user_4)) permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_user_5) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=4)]), set([]) ) db.session.add(ActionUsers(action='open', argument='1', user=user_6)) db.session.flush() permission_open_1 = DynamicPermission( ParameterizedActionNeed('open', '1')) assert not permission_open.allows(identity_user_6) assert permission_open_1.allows(identity_user_6) assert current_access.get_action_cache('open::1') == ( set([Need(method='id', value=1), Need(method='id', value=2), Need(method='id', value=5), Need(method='id', value=6)]), set([]) ) user_6_action_open_1 = ActionUsers.query.filter_by( action='open', argument='1', user_id=user_6.id).first() user_6_action_open_1.argument = '2' db.session.flush() assert current_access.get_action_cache('open::1') is None assert current_access.get_action_cache('open::2') is None permission_open_2 = DynamicPermission( ParameterizedActionNeed('open', '2')) assert permission_open_2.allows(identity_user_6) assert current_access.get_action_cache('open::2') == ( set([Need(method='id', value=1), Need(method='id', value=2), Need(method='id', value=5), Need(method='id', value=6)]), set([]) ) # open action cache should remain as before assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2), Need(method='id', value=5)]), set([]) )
def test_invenio_access_argument_permission_for_users(app): """User can access to an action allowed/denied with argument to the user""" InvenioAccess(app) with app.test_request_context(): db.session.begin(nested=True) superuser = User(email='*****@*****.**') user_can_all = User(email='*****@*****.**') user_can_argument_dummy = User(email='*****@*****.**') db.session.add(superuser) db.session.add(user_can_all) db.session.add(user_can_argument_dummy) db.session.add(ActionUsers(action='superuser-access', user=superuser)) db.session.add(ActionUsers(action='argument1', user=user_can_all)) db.session.add(ActionUsers(action='argument1', argument='other', user=user_can_all)) db.session.add(ActionUsers(action='argument1', argument='dummy', user=user_can_argument_dummy)) db.session.add(ActionUsers(action='argument2', argument='other', user=user_can_all)) db.session.commit() permission_argument1 = DynamicPermission(ActionNeed('argument1')) permission_argument1_dummy = DynamicPermission( ParameterizedActionNeed('argument1', 'dummy')) permission_argument1_other = DynamicPermission( ParameterizedActionNeed('argument1', 'other')) permission_argument2 = DynamicPermission(ActionNeed('argument2')) permission_argument2_dummy = DynamicPermission( ParameterizedActionNeed('argument2', 'dummy')) permission_argument2_other = DynamicPermission( ParameterizedActionNeed('argument2', 'other')) identity_superuser = FakeIdentity(UserNeed(superuser.id)) identity_all = FakeIdentity(UserNeed(user_can_all.id)) identity_unknown = AnonymousIdentity() identity_argument_dummy = FakeIdentity( UserNeed(user_can_argument_dummy.id)) # tests for super user assert permission_argument1.allows(identity_superuser) assert permission_argument1_dummy.allows(identity_superuser) assert permission_argument1_other.allows(identity_superuser) assert permission_argument2.allows(identity_superuser) assert permission_argument2_dummy.allows(identity_superuser) assert permission_argument2_other.allows(identity_superuser) # first tests for permissions with argument assert permission_argument1.allows(identity_all) assert permission_argument1_dummy.allows(identity_all) assert permission_argument1_other.allows(identity_all) assert not permission_argument1.allows(identity_argument_dummy) assert permission_argument1_dummy.allows(identity_argument_dummy) assert not permission_argument1_other.allows(identity_argument_dummy) assert not permission_argument1.allows(identity_unknown) assert not permission_argument1_dummy.allows(identity_unknown) assert not permission_argument1_other.allows(identity_unknown) # second tests for permissions with arguments # assert permission_argument2.allows(identity_all) # assert permission_argument2_dummy.allows(identity_all) assert permission_argument2_other.allows(identity_all) # assert permission_argument2.allows(identity_argument_dummy) # assert permission_argument2_dummy.allows(identity_argument_dummy) assert not permission_argument2_other.allows(identity_argument_dummy) # assert permission_argument2.allows(identity_unknown) # assert permission_argument2_dummy.allows(identity_unknown) assert not permission_argument2_other.allows(identity_unknown)
def test_invenio_access_permission_for_users(app): """User can access to an action allowed/denied to the user""" InvenioAccess(app) with app.test_request_context(): db.session.begin(nested=True) superuser = User(email='*****@*****.**') user_can_all = User(email='*****@*****.**') user_can_read = User(email='*****@*****.**') user_can_open = User(email='*****@*****.**') db.session.add(superuser) db.session.add(user_can_all) db.session.add(user_can_read) db.session.add(user_can_open) db.session.add(ActionUsers(action='superuser-access', user=superuser)) db.session.add(ActionUsers(action='open', user=user_can_all)) db.session.add(ActionUsers(action='open', user=user_can_open)) db.session.add(ActionUsers(action='read', user=user_can_all)) db.session.add(ActionUsers(action='read', user=user_can_read)) db.session.add(ActionUsers(action='not_logged', user=user_can_all)) db.session.commit() permission_open = DynamicPermission(ActionNeed('open')) permission_read = DynamicPermission(ActionNeed('read')) permission_not_logged = DynamicPermission(ActionNeed('not_logged')) identity_superuser = FakeIdentity(UserNeed(superuser.id)) identity_all = FakeIdentity(UserNeed(user_can_all.id)) identity_read = FakeIdentity(UserNeed(user_can_read.id)) identity_open = FakeIdentity(UserNeed(user_can_open.id)) identity_unknown = AnonymousIdentity() # global permissions assert permission_open.allows(identity_superuser) assert permission_read.allows(identity_superuser) assert permission_open.allows(identity_all) assert permission_read.allows(identity_all) assert permission_not_logged.allows(identity_all) assert permission_open.allows(identity_open) assert not permission_read.allows(identity_open) assert not permission_not_logged.allows(identity_open) assert not permission_open.allows(identity_read) assert permission_read.allows(identity_read) assert not permission_not_logged.allows(identity_read) assert not permission_open.allows(identity_unknown) assert not permission_read.allows(identity_unknown)