def test_groups_from_users(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import set_groups
self.make_bob()
root = get_root()
child = root[u'child'] = Node()
DBSession.flush()
self.assertEqual(list_groups('bob', root), ['group:bobsgroup'])
set_groups('group:bobsgroup', root, ['role:editor'])
set_groups('role:editor', child, ['group:foogroup'])
self.assertEqual(
set(list_groups('bob', root)),
set(['group:bobsgroup', 'role:editor'])
)
self.assertEqual(
set(list_groups('bob', child)),
set(['group:bobsgroup', 'role:editor', 'group:foogroup'])
)
def test_apply(self, extra_principals, root):
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
request = DummyRequest()
request.params['apply'] = ''
share_node(root, request)
assert (request.session.pop_flash('info') == ['No changes were made.'])
assert list_groups('bob', root) == []
set_groups('bob', root, ['role:special'])
request.params['role::bob::role:owner'] = '1'
request.params['role::bob::role:editor'] = '1'
request.params['orig-role::bob::role:owner'] = ''
request.params['orig-role::bob::role:editor'] = ''
share_node(root, request)
assert (request.session.pop_flash('success') == [
'Your changes have been saved.'
])
assert (set(list_groups(
'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params['role::bob::role:admin'] = '1'
request.params['orig-role::bob::role:admin'] = ''
with raises(Forbidden):
share_node(root, request)
assert (set(list_groups(
'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
def test_apply(self, extra_principals, root):
from kotti.security import get_principals
from kotti.security import list_groups
from kotti.views.users import UsersManage
request = DummyRequest()
bob = get_principals()[u'bob']
request.params['apply'] = u''
UsersManage(root, request)()
assert (request.session.pop_flash('info') == [u'No changes were made.'])
assert list_groups('bob') == []
bob.groups = [u'role:special']
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
UsersManage(root, request)()
assert (request.session.pop_flash('success') ==
[u'Your changes have been saved.'])
assert (
set(list_groups('bob')) ==
{'role:owner', 'role:editor', 'role:special'}
)
def test_apply(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
self.add_some_principals()
request.params['apply'] = u''
share_node(root, request)
self.assertEqual(request.session.pop_flash('info'),
[u'No changes made.'])
self.assertEqual(list_groups('bob', root), [])
set_groups('bob', root, ['role:special'])
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
share_node(root, request)
self.assertEqual(request.session.pop_flash('success'),
[u'Your changes have been saved.'])
self.assertEqual(set(list_groups('bob', root)),
set(['role:owner', 'role:editor', 'role:special']))
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params['role::bob::role:admin'] = u'1'
request.params['orig-role::bob::role:admin'] = u''
self.assertRaises(Forbidden, share_node, root, request)
self.assertEqual(set(list_groups('bob', root)),
set(['role:owner', 'role:editor', 'role:special']))
def test_apply(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
self.add_some_principals()
request.params["apply"] = u""
share_node(root, request)
self.assertEqual(request.session.pop_flash("info"), [u"No changes made."])
self.assertEqual(list_groups("bob", root), [])
set_groups("bob", root, ["role:special"])
request.params["role::bob::role:owner"] = u"1"
request.params["role::bob::role:editor"] = u"1"
request.params["orig-role::bob::role:owner"] = u""
request.params["orig-role::bob::role:editor"] = u""
share_node(root, request)
self.assertEqual(request.session.pop_flash("success"), [u"Your changes have been saved."])
self.assertEqual(set(list_groups("bob", root)), set(["role:owner", "role:editor", "role:special"]))
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params["role::bob::role:admin"] = u"1"
request.params["orig-role::bob::role:admin"] = u""
self.assertRaises(Forbidden, share_node, root, request)
self.assertEqual(set(list_groups("bob", root)), set(["role:owner", "role:editor", "role:special"]))
def test_inherit(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
child = root[u'child'] = Node()
DBSession.flush()
self.assertEqual(list_groups('bob', child), [])
set_groups('bob', root, ['role:editor'])
self.assertEqual(list_groups('bob', child), ['role:editor'])
# Groups from the child are added:
set_groups('bob', child, ['group:somegroup'])
self.assertEqual(
set(list_groups('bob', child)),
set(['group:somegroup', 'role:editor'])
)
# We can ask to list only those groups that are defined locally:
self.assertEqual(
list_groups_raw(u'bob', child), set(['group:somegroup']))
def test_apply(self):
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
self.add_some_principals()
request.params['apply'] = u''
share_node(root, request)
self.assertEqual(
request.session.pop_flash('notice'), [u'No changes made.'])
self.assertEqual(list_groups('bob', root), [])
set_groups('bob', root, ['role:special'])
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
share_node(root, request)
self.assertEqual(
request.session.pop_flash('success'),
[u'Your changes have been saved.'])
self.assertEqual(
set(list_groups('bob', root)),
set(['role:owner', 'role:editor', 'role:special']))
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params['role::bob::role:admin'] = u'1'
request.params['orig-role::bob::role:admin'] = u''
self.assertRaises(Forbidden, share_node, root, request)
self.assertEqual(
set(list_groups('bob', root)),
set(['role:owner', 'role:editor', 'role:special']))
def test_apply(self):
from kotti.resources import get_root
from kotti.security import get_principals
from kotti.security import list_groups
from kotti.tests.test_node_views import TestNodeShare
from kotti.views.users import users_manage
root = get_root()
request = DummyRequest()
TestNodeShare.add_some_principals()
bob = get_principals()[u'bob']
request.params['apply'] = u''
users_manage(root, request)
self.assertEqual(request.session.pop_flash('info'),
[u'No changes made.'])
self.assertEqual(list_groups('bob'), [])
bob.groups = [u'role:special']
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
users_manage(root, request)
self.assertEqual(request.session.pop_flash('success'),
[u'Your changes have been saved.'])
self.assertEqual(
set(list_groups('bob')),
set(['role:owner', 'role:editor', 'role:special'])
)
def test_apply(self):
from kotti.resources import get_root
from kotti.security import get_principals
from kotti.security import list_groups
from kotti.tests.test_node_views import TestNodeShare
from kotti.views.users import users_manage
root = get_root()
request = DummyRequest()
TestNodeShare.add_some_principals()
bob = get_principals()[u'bob']
request.params['apply'] = u''
users_manage(root, request)
self.assertEqual(request.session.pop_flash('info'),
[u'No changes made.'])
self.assertEqual(list_groups('bob'), [])
bob.groups = [u'role:special']
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
users_manage(root, request)
self.assertEqual(request.session.pop_flash('success'),
[u'Your changes have been saved.'])
self.assertEqual(set(list_groups('bob')),
set(['role:owner', 'role:editor', 'role:special']))
def test_apply(self, extra_principals, root):
from kotti.security import get_principals
from kotti.security import list_groups
from kotti.views.users import UsersManage
request = DummyRequest()
bob = get_principals()['bob']
request.params['apply'] = ''
UsersManage(root, request)()
assert (request.session.pop_flash('info') == ['No changes were made.'])
assert list_groups('bob') == []
bob.groups = ['role:special']
request.params['role::bob::role:owner'] = '1'
request.params['role::bob::role:editor'] = '1'
request.params['orig-role::bob::role:owner'] = ''
request.params['orig-role::bob::role:editor'] = ''
UsersManage(root, request)()
assert (request.session.pop_flash('success') == [
'Your changes have been saved.'
])
assert (set(list_groups('bob')) == {
'role:owner', 'role:editor', 'role:special'
})
def test_apply(self, extra_principals):
from kotti.resources import get_root
from kotti.security import get_principals
from kotti.security import list_groups
from kotti.views.users import users_manage
root = get_root()
request = DummyRequest()
bob = get_principals()[u'bob']
request.params['apply'] = u''
users_manage(root, request)
assert (request.session.pop_flash('info') == [u'No changes made.'])
assert list_groups('bob') == []
bob.groups = [u'role:special']
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
users_manage(root, request)
assert (request.session.pop_flash('success') ==
[u'Your changes have been saved.'])
assert (
set(list_groups('bob')) ==
set(['role:owner', 'role:editor', 'role:special'])
)
def test_apply(self, extra_principals, root):
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
request = DummyRequest()
request.params['apply'] = u''
share_node(root, request)
assert (request.session.pop_flash('info') == [
u'No changes were made.'
])
assert list_groups('bob', root) == []
set_groups('bob', root, ['role:special'])
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
share_node(root, request)
assert (request.session.pop_flash('success') == [
u'Your changes have been saved.'
])
assert (set(list_groups(
'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params['role::bob::role:admin'] = u'1'
request.params['orig-role::bob::role:admin'] = u''
with raises(Forbidden):
share_node(root, request)
assert (set(list_groups(
'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
def test_apply(self, extra_principals, root):
from kotti.security import get_principals
from kotti.security import list_groups
from kotti.views.users import UsersManage
request = DummyRequest()
bob = get_principals()["bob"]
request.params["apply"] = ""
UsersManage(root, request)()
assert request.session.pop_flash("info") == ["No changes were made."]
assert list_groups("bob") == []
bob.groups = ["role:special"]
request.params["role::bob::role:owner"] = "1"
request.params["role::bob::role:editor"] = "1"
request.params["orig-role::bob::role:owner"] = ""
request.params["orig-role::bob::role:editor"] = ""
UsersManage(root, request)()
assert request.session.pop_flash("success") == [
"Your changes have been saved."
]
assert set(list_groups("bob")) == {
"role:owner", "role:editor", "role:special"
}
def test_simple(self):
root = get_root()
set_groups('bob', root, ['role:editor'])
self.assertEqual(
list_groups('bob', root), ['role:editor'])
self.assertEqual(
list_groups_raw('bob', root), ['role:editor'])
def test_owner(self):
session = DBSession()
self.config.testing_securitypolicy(userid=u'bob')
root = get_root()
child = root[u'child'] = Content()
session.flush()
self.assertEqual(child.owner, u'bob')
self.assertEqual(list_groups(u'bob', child), [u'role:owner'])
clear_request_cache()
# The event listener does not set the role again for subitems:
grandchild = child[u'grandchild'] = Content()
session.flush()
self.assertEqual(grandchild.owner, u'bob')
self.assertEqual(list_groups(u'bob', grandchild), [u'role:owner'])
self.assertEqual(len(list_groups_raw(u'bob', grandchild)), 0)
def test_overwrite_and_delete(self, db_session, root):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', root) == ['role:editor']
assert list_groups_raw(u'bob', root) == {'role:editor'}
set_groups('bob', root, ['role:admin'])
assert list_groups('bob', root) == ['role:admin']
assert list_groups_raw(u'bob', root) == {'role:admin'}
set_groups('bob', root)
assert list_groups('bob', root) == []
assert get_root() is root
def test_simple(self, db_session, root):
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', root) == ['role:editor']
assert list_groups_raw(u'bob', root) == set(['role:editor'])
def test_root_default(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
root = get_root()
self.assertEqual(list_groups('admin', root), ['role:admin'])
self.assertEqual(list_groups_raw(u'admin', root), set([]))
def test_root_default(self, db_session):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
root = get_root()
assert list_groups('admin', root) == ['role:admin']
assert list_groups_raw(u'admin', root) == set([])
def test_overwrite_and_delete(self, db_session, root):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', root) == ['role:editor']
assert list_groups_raw(u'bob', root) == set(['role:editor'])
set_groups('bob', root, ['role:admin'])
assert list_groups('bob', root) == ['role:admin']
assert list_groups_raw(u'bob', root) == set(['role:admin'])
set_groups('bob', root)
assert list_groups('bob', root) == []
assert get_root() is root
def test_root_default(self, db_session):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
root = get_root()
assert list_groups('admin', root) == ['role:admin']
assert list_groups_raw(u'admin', root) == set([])
def test_overwrite_and_delete(self, db_session, root):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
set_groups("bob", root, ["role:editor"])
assert list_groups("bob", root) == ["role:editor"]
assert list_groups_raw("bob", root) == {"role:editor"}
set_groups("bob", root, ["role:admin"])
assert list_groups("bob", root) == ["role:admin"]
assert list_groups_raw("bob", root) == {"role:admin"}
set_groups("bob", root)
assert list_groups("bob", root) == []
assert get_root() is root
def test_simple(self, db_session, root):
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
set_groups("bob", root, ["role:editor"])
assert list_groups("bob", root) == ["role:editor"]
assert list_groups_raw("bob", root) == {"role:editor"}
def test_root_default(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
root = get_root()
self.assertEqual(list_groups('admin', root), ['role:admin'])
self.assertEqual(list_groups_raw(u'admin', root), set([]))
def test_simple(self, db_session, root):
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', root) == ['role:editor']
assert list_groups_raw(u'bob', root) == {'role:editor'}
def test_inherit(self):
session = DBSession()
root = get_root()
child = root[u'child'] = Node()
session.flush()
self.assertEqual(list_groups('bob', child), [])
set_groups('bob', root, ['role:editor'])
self.assertEqual(list_groups('bob', child), ['role:editor'])
# Groups from the child are added:
set_groups('bob', child, ['group:somegroup'])
self.assertEqual(
set(list_groups('bob', child)),
set(['group:somegroup', 'role:editor']))
# We can ask to list only those groups that are defined locally:
self.assertEqual(list_groups_raw('bob', child), ['group:somegroup'])
def test_overwrite_and_delete(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
set_groups('bob', root, ['role:editor'])
self.assertEqual(list_groups('bob', root), ['role:editor'])
self.assertEqual(list_groups_raw(u'bob', root), set(['role:editor']))
set_groups('bob', root, ['role:admin'])
self.assertEqual(list_groups('bob', root), ['role:admin'])
self.assertEqual(list_groups_raw(u'bob', root), set(['role:admin']))
set_groups('bob', root)
self.assertEqual(list_groups('bob', root), [])
self.assertTrue(get_root() is root)
def test_groups_from_users(self, db_session, root):
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import set_groups
self.make_bob()
child = root[u'child'] = Node()
db_session.flush()
assert list_groups('bob', root) == ['group:bobsgroup']
set_groups('group:bobsgroup', root, ['role:editor'])
set_groups('role:editor', child, ['group:foogroup'])
assert (set(list_groups('bob', root)) == set(
['group:bobsgroup', 'role:editor']))
assert (set(list_groups('bob', child)) == set(
['group:bobsgroup', 'role:editor', 'group:foogroup']))
def test_groups_from_users(self, db_session, root):
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import set_groups
self.make_bob()
child = root[u'child'] = Node()
db_session.flush()
assert list_groups('bob', root) == ['group:bobsgroup']
set_groups('group:bobsgroup', root, ['role:editor'])
set_groups('role:editor', child, ['group:foogroup'])
assert (set(list_groups('bob', root)) ==
set(['group:bobsgroup', 'role:editor']))
assert (set(list_groups('bob', child)) ==
set(['group:bobsgroup', 'role:editor', 'group:foogroup']))
def test_simple(self, db_session):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', root) == ['role:editor']
assert list_groups_raw(u'bob', root) == set(['role:editor'])
def test_simple(self, db_session):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', root) == ['role:editor']
assert list_groups_raw(u'bob', root) == set(['role:editor'])
def test_simple(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
set_groups('bob', root, ['role:editor'])
self.assertEqual(list_groups('bob', root), ['role:editor'])
self.assertEqual(list_groups_raw(u'bob', root), set(['role:editor']))
def test_groups_from_users(self):
self.make_bob()
session = DBSession()
root = get_root()
child = root[u'child'] = Node()
session.flush()
self.assertEqual(list_groups('bob', root), ['group:bobsgroup'])
set_groups('group:bobsgroup', root, ['role:editor'])
set_groups('role:editor', child, ['group:foogroup'])
self.assertEqual(
set(list_groups('bob', root)),
set(['group:bobsgroup', 'role:editor']))
self.assertEqual(
set(list_groups('bob', child)),
set(['group:bobsgroup', 'role:editor', 'group:foogroup']))
def test_inherit(self, db_session, root):
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
child = root["child"] = Node()
db_session.flush()
assert list_groups("bob", child) == []
set_groups("bob", root, ["role:editor"])
assert list_groups("bob", child) == ["role:editor"]
# Groups from the child are added:
set_groups("bob", child, ["group:somegroup"])
assert set(list_groups("bob", child)) == {"group:somegroup", "role:editor"}
# We can ask to list only those groups that are defined locally:
assert list_groups_raw("bob", child) == {"group:somegroup"}
def test_owner(self, root, db_session, events, dummy_request):
from kotti.resources import Content
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.util import clear_cache
child = root['child'] = Content()
db_session.flush()
assert child.owner == 'bob'
assert list_groups('bob', child) == ['role:owner']
clear_cache()
# The event listener does not set the role again for subitems:
grandchild = child['grandchild'] = Content()
db_session.flush()
assert grandchild.owner == 'bob'
assert list_groups('bob', grandchild) == ['role:owner']
assert len(list_groups_raw('bob', grandchild)) == 0
def test_owner(self, root, db_session, events, dummy_request):
from kotti.resources import Content
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.util import clear_cache
child = root[u'child'] = Content()
db_session.flush()
assert child.owner == u'bob'
assert list_groups(u'bob', child) == [u'role:owner']
clear_cache()
# The event listener does not set the role again for subitems:
grandchild = child[u'grandchild'] = Content()
db_session.flush()
assert grandchild.owner == u'bob'
assert list_groups(u'bob', grandchild) == [u'role:owner']
assert len(list_groups_raw(u'bob', grandchild)) == 0
def test_inherit(self, db_session, root):
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
child = root[u'child'] = Node()
db_session.flush()
assert list_groups('bob', child) == []
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', child) == ['role:editor']
# Groups from the child are added:
set_groups('bob', child, ['group:somegroup'])
assert (set(list_groups('bob',
child)) == {'group:somegroup', 'role:editor'})
# We can ask to list only those groups that are defined locally:
assert list_groups_raw(u'bob', child) == {'group:somegroup'}
def test_groups_from_users(self, db_session, root):
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import set_groups
self.make_bob()
child = root["child"] = Node()
db_session.flush()
assert list_groups("bob", root) == ["group:bobsgroup"]
set_groups("group:bobsgroup", root, ["role:editor"])
set_groups("role:editor", child, ["group:foogroup"])
assert set(list_groups("bob", root)) == {"group:bobsgroup", "role:editor"}
assert set(list_groups("bob", child)) == {
"group:bobsgroup",
"role:editor",
"group:foogroup",
}
def set_owner(event):
obj, request = event.object, event.request
if request is not None and isinstance(obj, Node) and obj.owner is None:
userid = authenticated_userid(request)
if userid is not None:
# Set owner metadata:
obj.owner = userid
# Add owner role for userid if it's not inherited already:
if u'role:owner' not in list_groups(userid, obj):
groups = list_groups_raw(userid, obj) | set([u'role:owner'])
set_groups(userid, obj, groups)
def test_owner(self, root, db_session, events, dummy_request):
from kotti.resources import Content
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.util import clear_cache
with patch('kotti.events.authenticated_userid', return_value='bob'):
child = root[u'child'] = Content()
db_session.flush()
assert child.owner == u'bob'
assert list_groups(u'bob', child) == [u'role:owner']
clear_cache()
# The event listener does not set the role again for subitems:
with patch('kotti.events.authenticated_userid', return_value='bob'):
grandchild = child[u'grandchild'] = Content()
db_session.flush()
assert grandchild.owner == u'bob'
assert list_groups(u'bob', grandchild) == [u'role:owner']
assert len(list_groups_raw(u'bob', grandchild)) == 0
def set_owner(event):
obj, request = event.object, event.request
if request is not None and isinstance(obj, Node) and obj.owner is None:
userid = authenticated_userid(request)
if userid is not None:
userid = unicode(userid)
# Set owner metadata:
obj.owner = userid
# Add owner role for userid if it's not inherited already:
if u'role:owner' not in list_groups(userid, obj):
groups = list_groups_raw(userid, obj) | set([u'role:owner'])
set_groups(userid, obj, groups)
def test_simple(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
set_groups('bob', root, ['role:editor'])
self.assertEqual(
list_groups('bob', root), ['role:editor'])
self.assertEqual(
list_groups_raw(u'bob', root), set(['role:editor']))
def test_inherit(self, db_session, root):
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
child = root[u'child'] = Node()
db_session.flush()
assert list_groups('bob', child) == []
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', child) == ['role:editor']
# Groups from the child are added:
set_groups('bob', child, ['group:somegroup'])
assert (
set(list_groups('bob', child)) ==
set(['group:somegroup', 'role:editor'])
)
# We can ask to list only those groups that are defined locally:
assert list_groups_raw(u'bob', child) == set(['group:somegroup'])
def test_groups_from_users(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import set_groups
self.make_bob()
root = get_root()
child = root[u'child'] = Node()
DBSession.flush()
self.assertEqual(list_groups('bob', root), ['group:bobsgroup'])
set_groups('group:bobsgroup', root, ['role:editor'])
set_groups('role:editor', child, ['group:foogroup'])
self.assertEqual(set(list_groups('bob', root)),
set(['group:bobsgroup', 'role:editor']))
self.assertEqual(
set(list_groups('bob', child)),
set(['group:bobsgroup', 'role:editor', 'group:foogroup']))
def test_apply(self, extra_principals, root):
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
request = DummyRequest()
request.params["apply"] = ""
request.params["csrf_token"] = request.session.get_csrf_token()
share_node(root, request)
assert request.session.pop_flash("info") == ["No changes were made."]
assert list_groups("bob", root) == []
set_groups("bob", root, ["role:special"])
request.params["role::bob::role:owner"] = "1"
request.params["role::bob::role:editor"] = "1"
request.params["orig-role::bob::role:owner"] = ""
request.params["orig-role::bob::role:editor"] = ""
share_node(root, request)
assert request.session.pop_flash("success") == ["Your changes have been saved."]
assert set(list_groups("bob", root)) == {
"role:owner",
"role:editor",
"role:special",
}
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params["role::bob::role:admin"] = "1"
request.params["orig-role::bob::role:admin"] = ""
with raises(Forbidden):
share_node(root, request)
assert set(list_groups("bob", root)) == {
"role:owner",
"role:editor",
"role:special",
}
def test_apply(self, extra_principals, root):
from kotti.security import get_principals
from kotti.security import list_groups
from kotti.views.users import UsersManage
request = DummyRequest()
bob = get_principals()["bob"]
request.params["apply"] = ""
UsersManage(root, request)()
assert request.session.pop_flash("info") == ["No changes were made."]
assert list_groups("bob") == []
bob.groups = ["role:special"]
request.params["role::bob::role:owner"] = "1"
request.params["role::bob::role:editor"] = "1"
request.params["orig-role::bob::role:owner"] = ""
request.params["orig-role::bob::role:editor"] = ""
UsersManage(root, request)()
assert request.session.pop_flash("success") == ["Your changes have been saved."]
assert set(list_groups("bob")) == {"role:owner", "role:editor", "role:special"}
def test_owner(self, get_current_request, authenticated_userid):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Content
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.util import clear_cache
get_current_request.return_value = not None
authenticated_userid.return_value = 'bob'
root = get_root()
child = root[u'child'] = Content()
DBSession.flush()
self.assertEqual(child.owner, u'bob')
self.assertEqual(list_groups(u'bob', child), [u'role:owner'])
clear_cache()
# The event listener does not set the role again for subitems:
grandchild = child[u'grandchild'] = Content()
DBSession.flush()
self.assertEqual(grandchild.owner, u'bob')
self.assertEqual(list_groups(u'bob', grandchild), [u'role:owner'])
self.assertEqual(len(list_groups_raw(u'bob', grandchild)), 0)
def test_overwrite_and_delete(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
set_groups('bob', root, ['role:editor'])
self.assertEqual(
list_groups('bob', root), ['role:editor'])
self.assertEqual(
list_groups_raw(u'bob', root), set(['role:editor']))
set_groups('bob', root, ['role:admin'])
self.assertEqual(
list_groups('bob', root), ['role:admin'])
self.assertEqual(
list_groups_raw(u'bob', root), set(['role:admin']))
set_groups('bob', root)
self.assertEqual(
list_groups('bob', root), [])
self.assertTrue(get_root() is root)
def test_owner(self, get_current_request, authenticated_userid):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Content
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.util import clear_cache
get_current_request.return_value = not None
authenticated_userid.return_value = 'bob'
root = get_root()
child = root[u'child'] = Content()
DBSession.flush()
self.assertEqual(child.owner, u'bob')
self.assertEqual(list_groups(u'bob', child), [u'role:owner'])
clear_cache()
# The event listener does not set the role again for subitems:
grandchild = child[u'grandchild'] = Content()
DBSession.flush()
self.assertEqual(grandchild.owner, u'bob')
self.assertEqual(list_groups(u'bob', grandchild), [u'role:owner'])
self.assertEqual(len(list_groups_raw(u'bob', grandchild)), 0)
def test_owner(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Content
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.util import clear_cache
session = DBSession()
self.config.testing_securitypolicy(userid='bob')
root = get_root()
child = root[u'child'] = Content()
session.flush()
self.assertEqual(child.owner, u'bob')
self.assertEqual(list_groups(u'bob', child), [u'role:owner'])
clear_cache()
# The event listener does not set the role again for subitems:
grandchild = child[u'grandchild'] = Content()
session.flush()
self.assertEqual(grandchild.owner, u'bob')
self.assertEqual(list_groups(u'bob', grandchild), [u'role:owner'])
self.assertEqual(len(list_groups_raw(u'bob', grandchild)), 0)
def test_owner(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Content
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.util import clear_cache
session = DBSession()
self.config.testing_securitypolicy(userid='bob')
root = get_root()
child = root[u'child'] = Content()
session.flush()
self.assertEqual(child.owner, u'bob')
self.assertEqual(list_groups(u'bob', child), [u'role:owner'])
clear_cache()
# The event listener does not set the role again for subitems:
grandchild = child[u'grandchild'] = Content()
session.flush()
self.assertEqual(grandchild.owner, u'bob')
self.assertEqual(list_groups(u'bob', grandchild), [u'role:owner'])
self.assertEqual(len(list_groups_raw(u'bob', grandchild)), 0)
def test_owner(self, db_session, events, dummy_request):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Content
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.util import clear_cache
root = get_root()
with patch('kotti.events.authenticated_userid', return_value='bob'):
child = root[u'child'] = Content()
DBSession.flush()
assert child.owner == u'bob'
assert list_groups(u'bob', child) == [u'role:owner']
clear_cache()
# The event listener does not set the role again for subitems:
with patch('kotti.events.authenticated_userid', return_value='bob'):
grandchild = child[u'grandchild'] = Content()
DBSession.flush()
assert grandchild.owner == u'bob'
assert list_groups(u'bob', grandchild) == [u'role:owner']
assert len(list_groups_raw(u'bob', grandchild)) == 0
def test_nested_groups(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_ext
self.add_some_groups()
root = get_root()
child = root[u'child']
grandchild = child[u'grandchild']
# Check bob's groups on every level:
self.assertEqual(list_groups('bob', root), ['group:bobsgroup'])
self.assertEqual(
set(list_groups('bob', child)),
set(['group:bobsgroup', 'group:franksgroup', 'role:editor']))
self.assertEqual(
set(list_groups('bob', grandchild)),
set([
'group:bobsgroup', 'group:franksgroup', 'role:editor',
'role:owner'
]))
# Check group:franksgroup groups on every level:
self.assertEqual(set(list_groups('frank', root)),
set(['group:franksgroup', 'role:editor']))
self.assertEqual(set(list_groups('frank', child)),
set(['group:franksgroup', 'role:editor']))
self.assertEqual(
set(list_groups('frank', grandchild)),
set([
'group:franksgroup', 'role:editor', 'role:owner',
'group:bobsgroup'
]))
# Sometimes it's useful to know which of the groups were
# inherited, that's what 'list_groups_ext' is for:
groups, inherited = list_groups_ext('bob', root)
self.assertEqual(groups, ['group:bobsgroup'])
self.assertEqual(inherited, [])
groups, inherited = list_groups_ext('bob', child)
self.assertEqual(
set(groups),
set(['group:bobsgroup', 'group:franksgroup', 'role:editor']))
self.assertEqual(
set(inherited),
set(['group:bobsgroup', 'group:franksgroup', 'role:editor']))
groups, inherited = list_groups_ext('group:bobsgroup', child)
self.assertEqual(set(groups), set(['group:franksgroup',
'role:editor']))
self.assertEqual(inherited, ['role:editor'])
groups, inherited = list_groups_ext('group:franksgroup', grandchild)
self.assertEqual(set(groups),
set(['group:bobsgroup', 'role:owner', 'role:editor']))
self.assertEqual(inherited, ['role:editor'])
def test_inherit(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
child = root[u'child'] = Node()
DBSession.flush()
self.assertEqual(list_groups('bob', child), [])
set_groups('bob', root, ['role:editor'])
self.assertEqual(list_groups('bob', child), ['role:editor'])
# Groups from the child are added:
set_groups('bob', child, ['group:somegroup'])
self.assertEqual(set(list_groups('bob', child)),
set(['group:somegroup', 'role:editor']))
# We can ask to list only those groups that are defined locally:
self.assertEqual(list_groups_raw(u'bob', child),
set(['group:somegroup']))
def test_nested_groups(self):
self.add_some_groups()
root = get_root()
child = root[u'child']
grandchild = child[u'grandchild']
# Check bob's groups on every level:
self.assertEqual(list_groups('bob', root), ['group:bobsgroup'])
self.assertEqual(
set(list_groups('bob', child)),
set(['group:bobsgroup', 'group:franksgroup', 'role:editor']))
self.assertEqual(
set(list_groups('bob', grandchild)),
set([
'group:bobsgroup', 'group:franksgroup', 'role:editor',
'role:owner'
]))
# Check group:franksgroup groups on every level:
self.assertEqual(
set(list_groups('frank', root)),
set(['group:franksgroup', 'role:editor']))
self.assertEqual(
set(list_groups('frank', child)),
set(['group:franksgroup', 'role:editor']))
self.assertEqual(
set(list_groups('frank', grandchild)),
set([
'group:franksgroup', 'role:editor', 'role:owner',
'group:bobsgroup'
]))
# Sometimes it's useful to know which of the groups were
# inherited, that's what 'list_groups_ext' is for:
groups, inherited = list_groups_ext('bob', root)
self.assertEqual(groups, ['group:bobsgroup'])
self.assertEqual(inherited, [])
groups, inherited = list_groups_ext('bob', child)
self.assertEqual(
set(groups),
set(['group:bobsgroup', 'group:franksgroup', 'role:editor']))
self.assertEqual(
set(inherited),
set(['group:bobsgroup', 'group:franksgroup', 'role:editor']))
groups, inherited = list_groups_ext('group:bobsgroup', child)
self.assertEqual(
set(groups), set(['group:franksgroup', 'role:editor']))
self.assertEqual(inherited, ['role:editor'])
groups, inherited = list_groups_ext('group:franksgroup', grandchild)
self.assertEqual(
set(groups), set(['group:bobsgroup', 'role:owner', 'role:editor']))
self.assertEqual(inherited, ['role:editor'])
def test_nested_groups(self, db_session, root):
from kotti.security import list_groups
from kotti.security import list_groups_ext
self.add_some_groups(db_session, root)
child = root["child"]
grandchild = child["grandchild"]
# Check bob's groups on every level:
assert list_groups("bob", root) == ["group:bobsgroup"]
assert set(list_groups("bob", child)) == {
"group:bobsgroup",
"group:franksgroup",
"role:editor",
}
assert set(list_groups("bob", grandchild)) == {
"group:bobsgroup",
"group:franksgroup",
"role:editor",
"role:owner",
}
# Check group:franksgroup groups on every level:
assert set(list_groups("frank",
root)) == {"group:franksgroup", "role:editor"}
assert set(list_groups("frank",
child)) == {"group:franksgroup", "role:editor"}
assert set(list_groups("frank", grandchild)) == {
"group:franksgroup",
"role:editor",
"role:owner",
"group:bobsgroup",
}
# Sometimes it's useful to know which of the groups were
# inherited, that's what 'list_groups_ext' is for:
groups, inherited = list_groups_ext("bob", root)
assert groups == ["group:bobsgroup"]
assert inherited == []
groups, inherited = list_groups_ext("bob", child)
assert set(groups) == {
"group:bobsgroup", "group:franksgroup", "role:editor"
}
assert set(inherited) == {
"group:bobsgroup", "group:franksgroup", "role:editor"
}
groups, inherited = list_groups_ext("group:bobsgroup", child)
assert set(groups) == {"group:franksgroup", "role:editor"}
assert inherited == ["role:editor"]
groups, inherited = list_groups_ext("group:franksgroup", grandchild)
assert set(groups) == {"group:bobsgroup", "role:owner", "role:editor"}
assert inherited == ["role:editor"]
def set_owner(event):
"""Set ``owner`` of the object that triggered the event.
:param event: event that trigerred this handler.
:type event: :class:`ObjectInsert`
"""
obj, request = event.object, event.request
if request is not None and isinstance(obj, Node) and obj.owner is None:
userid = request.authenticated_userid
if userid is not None:
userid = unicode(userid)
# Set owner metadata:
obj.owner = userid
# Add owner role for userid if it's not inherited already:
if u'role:owner' not in list_groups(userid, obj):
groups = list_groups_raw(userid, obj) | set([u'role:owner'])
set_groups(userid, obj, groups)
def set_owner(event):
"""Set ``owner`` of the object that triggered the event.
:param event: event that trigerred this handler.
:type event: :class:`ObjectInsert`
"""
obj, request = event.object, event.request
if request is not None and isinstance(obj, Node) and obj.owner is None:
userid = request.authenticated_userid
if userid is not None:
userid = unicode(userid)
# Set owner metadata:
obj.owner = userid
# Add owner role for userid if it's not inherited already:
if u'role:owner' not in list_groups(userid, obj):
groups = list_groups_raw(userid, obj) | set([u'role:owner'])
set_groups(userid, obj, groups)
def test_nested_groups(self, db_session):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_ext
self.add_some_groups()
root = get_root()
child = root[u'child']
grandchild = child[u'grandchild']
# Check bob's groups on every level:
assert list_groups('bob', root) == ['group:bobsgroup']
assert (set(list_groups('bob', child)) ==
set(['group:bobsgroup', 'group:franksgroup', 'role:editor']))
assert (set(list_groups('bob', grandchild)) ==
set(['group:bobsgroup', 'group:franksgroup', 'role:editor',
'role:owner']))
# Check group:franksgroup groups on every level:
assert (set(list_groups('frank', root)) ==
set(['group:franksgroup', 'role:editor']))
assert (set(list_groups('frank', child)) ==
set(['group:franksgroup', 'role:editor']))
assert (set(list_groups('frank', grandchild)) ==
set(['group:franksgroup', 'role:editor', 'role:owner',
'group:bobsgroup']))
# Sometimes it's useful to know which of the groups were
# inherited, that's what 'list_groups_ext' is for:
groups, inherited = list_groups_ext('bob', root)
assert groups == ['group:bobsgroup']
assert inherited == []
groups, inherited = list_groups_ext('bob', child)
assert (set(groups) ==
set(['group:bobsgroup', 'group:franksgroup', 'role:editor']))
assert (set(inherited) ==
set(['group:bobsgroup', 'group:franksgroup', 'role:editor']))
groups, inherited = list_groups_ext('group:bobsgroup', child)
assert set(groups) == set(['group:franksgroup', 'role:editor'])
assert inherited == ['role:editor']
groups, inherited = list_groups_ext('group:franksgroup', grandchild)
assert (set(groups) ==
set(['group:bobsgroup', 'role:owner', 'role:editor']))
assert inherited == ['role:editor']