def test_apply(self): from kotti.resources import get_root from kotti.security import list_groups from kotti.security import set_groups from kotti.views.users import share_node root = get_root() request = DummyRequest() self.add_some_principals() request.params['apply'] = u'' share_node(root, request) self.assertEqual(request.session.pop_flash('info'), [u'No changes made.']) self.assertEqual(list_groups('bob', root), []) set_groups('bob', root, ['role:special']) request.params['role::bob::role:owner'] = u'1' request.params['role::bob::role:editor'] = u'1' request.params['orig-role::bob::role:owner'] = u'' request.params['orig-role::bob::role:editor'] = u'' share_node(root, request) self.assertEqual(request.session.pop_flash('success'), [u'Your changes have been saved.']) self.assertEqual(set(list_groups('bob', root)), set(['role:owner', 'role:editor', 'role:special'])) # We cannot set a role that's not displayed, even if we forged # the request: request.params['role::bob::role:admin'] = u'1' request.params['orig-role::bob::role:admin'] = u'' self.assertRaises(Forbidden, share_node, root, request) self.assertEqual(set(list_groups('bob', root)), set(['role:owner', 'role:editor', 'role:special']))
def test_apply(self): from kotti.resources import get_root from kotti.security import list_groups from kotti.security import set_groups from kotti.views.users import share_node root = get_root() request = DummyRequest() self.add_some_principals() request.params["apply"] = u"" share_node(root, request) self.assertEqual(request.session.pop_flash("info"), [u"No changes made."]) self.assertEqual(list_groups("bob", root), []) set_groups("bob", root, ["role:special"]) request.params["role::bob::role:owner"] = u"1" request.params["role::bob::role:editor"] = u"1" request.params["orig-role::bob::role:owner"] = u"" request.params["orig-role::bob::role:editor"] = u"" share_node(root, request) self.assertEqual(request.session.pop_flash("success"), [u"Your changes have been saved."]) self.assertEqual(set(list_groups("bob", root)), set(["role:owner", "role:editor", "role:special"])) # We cannot set a role that's not displayed, even if we forged # the request: request.params["role::bob::role:admin"] = u"1" request.params["orig-role::bob::role:admin"] = u"" self.assertRaises(Forbidden, share_node, root, request) self.assertEqual(set(list_groups("bob", root)), set(["role:owner", "role:editor", "role:special"]))
def test_apply(self): from kotti.views.users import share_node root = get_root() request = DummyRequest() self.add_some_principals() request.params['apply'] = u'' share_node(root, request) self.assertEqual( request.session.pop_flash('notice'), [u'No changes made.']) self.assertEqual(list_groups('bob', root), []) set_groups('bob', root, ['role:special']) request.params['role::bob::role:owner'] = u'1' request.params['role::bob::role:editor'] = u'1' request.params['orig-role::bob::role:owner'] = u'' request.params['orig-role::bob::role:editor'] = u'' share_node(root, request) self.assertEqual( request.session.pop_flash('success'), [u'Your changes have been saved.']) self.assertEqual( set(list_groups('bob', root)), set(['role:owner', 'role:editor', 'role:special'])) # We cannot set a role that's not displayed, even if we forged # the request: request.params['role::bob::role:admin'] = u'1' request.params['orig-role::bob::role:admin'] = u'' self.assertRaises(Forbidden, share_node, root, request) self.assertEqual( set(list_groups('bob', root)), set(['role:owner', 'role:editor', 'role:special']))
def test_search(self, extra_principals, root, db_session): from kotti.security import get_principals from kotti.security import set_groups from kotti.testing import DummyRequest from kotti.views.users import share_node request = DummyRequest() P = get_principals() # Search for "Bob", which will return both the user and the # group, both of which have no roles: request.params['search'] = '' request.params['query'] = 'Bob' entries = share_node(root, request)['entries'] assert len(entries) == 2 assert entries[0][0] == P['bob'] assert entries[0][1] == ([], []) assert entries[1][0] == P['group:bobsgroup'] assert entries[1][1] == ([], []) # We make Bob an Editor in this context, and Bob's Group # becomes global Admin: set_groups('bob', root, ['role:editor']) db_session.flush() P['group:bobsgroup'].groups = ['role:admin'] db_session.flush() entries = share_node(root, request)['entries'] assert len(entries) == 2 assert entries[0][0] == P['bob'] assert entries[0][1] == (['role:editor'], []) assert entries[1][0] == P['group:bobsgroup'] assert entries[1][1] == (['role:admin'], ['role:admin']) # A search that doesn't return any items will still include # entries with existing local roles: request.params['query'] = 'Weeee' entries = share_node(root, request)['entries'] assert len(entries) == 1 assert entries[0][0] == P['bob'] assert entries[0][1] == (['role:editor'], []) assert (request.session.pop_flash('info') == [ 'No users or groups were found.' ]) # It does not, however, include entries that have local group # assignments only: set_groups('frank', root, ['group:franksgroup']) request.params['query'] = 'Weeee' entries = share_node(root, request)['entries'] assert len(entries) == 1 assert entries[0][0] == P['bob']
def test_search(self): from kotti.resources import get_root from kotti.security import get_principals from kotti.security import set_groups from kotti.views.users import share_node root = get_root() request = DummyRequest() P = get_principals() self.add_some_principals() # Search for "Bob", which will return both the user and the # group, both of which have no roles: request.params['search'] = u'' request.params['query'] = u'Bob' entries = share_node(root, request)['entries'] self.assertEqual(len(entries), 2) self.assertEqual(entries[0][0], P['bob']) self.assertEqual(entries[0][1], ([], [])) self.assertEqual(entries[1][0], P['group:bobsgroup']) self.assertEqual(entries[1][1], ([], [])) # We make Bob an Editor in this context, and Bob's Group # becomes global Admin: set_groups(u'bob', root, [u'role:editor']) P[u'group:bobsgroup'].groups = [u'role:admin'] entries = share_node(root, request)['entries'] self.assertEqual(len(entries), 2) self.assertEqual(entries[0][0], P['bob']) self.assertEqual(entries[0][1], ([u'role:editor'], [])) self.assertEqual(entries[1][0], P['group:bobsgroup']) self.assertEqual(entries[1][1], ([u'role:admin'], [u'role:admin'])) # A search that doesn't return any items will still include # entries with existing local roles: request.params['query'] = u'Weeee' entries = share_node(root, request)['entries'] self.assertEqual(len(entries), 1) self.assertEqual(entries[0][0], P[u'bob']) self.assertEqual(entries[0][1], ([u'role:editor'], [])) self.assertEqual(request.session.pop_flash('info'), [u'No users or groups found.']) # It does not, however, include entries that have local group # assignments only: set_groups(u'frank', root, [u'group:franksgroup']) request.params['query'] = u'Weeee' entries = share_node(root, request)['entries'] self.assertEqual(len(entries), 1) self.assertEqual(entries[0][0], P['bob'])
def test_search(self, extra_principals, root, db_session): from kotti.security import get_principals from kotti.security import set_groups from kotti.testing import DummyRequest from kotti.views.users import share_node request = DummyRequest() P = get_principals() # Search for "Bob", which will return both the user and the # group, both of which have no roles: request.params['search'] = '' request.params['query'] = 'Bob' entries = share_node(root, request)['entries'] assert len(entries) == 2 assert entries[0][0] == P['bob'] assert entries[0][1] == ([], []) assert entries[1][0] == P['group:bobsgroup'] assert entries[1][1] == ([], []) # We make Bob an Editor in this context, and Bob's Group # becomes global Admin: set_groups('bob', root, ['role:editor']) db_session.flush() P['group:bobsgroup'].groups = ['role:admin'] db_session.flush() entries = share_node(root, request)['entries'] assert len(entries) == 2 assert entries[0][0] == P['bob'] assert entries[0][1] == (['role:editor'], []) assert entries[1][0] == P['group:bobsgroup'] assert entries[1][1] == (['role:admin'], ['role:admin']) # A search that doesn't return any items will still include # entries with existing local roles: request.params['query'] = 'Weeee' entries = share_node(root, request)['entries'] assert len(entries) == 1 assert entries[0][0] == P['bob'] assert entries[0][1] == (['role:editor'], []) assert (request.session.pop_flash('info') == ['No users or groups were found.']) # It does not, however, include entries that have local group # assignments only: set_groups('frank', root, ['group:franksgroup']) request.params['query'] = 'Weeee' entries = share_node(root, request)['entries'] assert len(entries) == 1 assert entries[0][0] == P['bob']
def test_search(self, extra_principals, root, db_session): from kotti.security import get_principals from kotti.security import set_groups from kotti.testing import DummyRequest from kotti.views.users import share_node request = DummyRequest() P = get_principals() # Search for "Bob", which will return both the user and the # group, both of which have no roles: request.params["search"] = "" request.params["query"] = "Bob" entries = share_node(root, request)["entries"] assert len(entries) == 2 assert entries[0][0] == P["bob"] assert entries[0][1] == ([], []) assert entries[1][0] == P["group:bobsgroup"] assert entries[1][1] == ([], []) # We make Bob an Editor in this context, and Bob's Group # becomes global Admin: set_groups("bob", root, ["role:editor"]) db_session.flush() P["group:bobsgroup"].groups = ["role:admin"] db_session.flush() entries = share_node(root, request)["entries"] assert len(entries) == 2 assert entries[0][0] == P["bob"] assert entries[0][1] == (["role:editor"], []) assert entries[1][0] == P["group:bobsgroup"] assert entries[1][1] == (["role:admin"], ["role:admin"]) # A search that doesn't return any items will still include # entries with existing local roles: request.params["query"] = "Weeee" entries = share_node(root, request)["entries"] assert len(entries) == 1 assert entries[0][0] == P["bob"] assert entries[0][1] == (["role:editor"], []) assert request.session.pop_flash("info") == ["No users or groups were found."] # It does not, however, include entries that have local group # assignments only: set_groups("frank", root, ["group:franksgroup"]) request.params["query"] = "Weeee" entries = share_node(root, request)["entries"] assert len(entries) == 1 assert entries[0][0] == P["bob"]
def test_csrf(self, extra_principals, root, dummy_request): """ Test if a CSRF token is present and checked on submission """ from kotti.views.users import share_node result = share_node(root, dummy_request) assert 'csrf_token' in result dummy_request.params['apply'] = '' with raises(HTTPBadRequest): share_node(root, dummy_request) dummy_request.params['csrf_token'] = dummy_request.session.get_csrf_token() # noqa result = share_node(root, dummy_request) assert result['csrf_token'] == dummy_request.session.get_csrf_token()
def test_csrf(self, extra_principals, root, dummy_request): """ Test if a CSRF token is present and checked on submission """ from kotti.views.users import share_node result = share_node(root, dummy_request) assert 'csrf_token' in result dummy_request.params['apply'] = '' with raises(HTTPBadRequest): share_node(root, dummy_request) dummy_request.params[ 'csrf_token'] = dummy_request.session.get_csrf_token() # noqa result = share_node(root, dummy_request) assert result['csrf_token'] == dummy_request.session.get_csrf_token()
def test_roles(self, root): from kotti.views.users import share_node from kotti.security import SHARING_ROLES # The 'share_node' view will return a list of available roles # as defined in 'kotti.security.SHARING_ROLES' request = DummyRequest() assert ([r.name for r in share_node(root, request)['available_roles'] ] == SHARING_ROLES)
def test_roles(self): from kotti.views.users import share_node from kotti.resources import get_root from kotti.security import SHARING_ROLES # The 'share_node' view will return a list of available roles # as defined in 'kotti.security.SHARING_ROLES' root = get_root() request = DummyRequest() self.assertEqual([r.name for r in share_node(root, request)["available_roles"]], SHARING_ROLES)
def test_roles(self): from kotti.views.users import share_node from kotti.resources import get_root from kotti.security import SHARING_ROLES # The 'share_node' view will return a list of available roles # as defined in 'kotti.security.SHARING_ROLES' root = get_root() request = DummyRequest() self.assertEqual( [r.name for r in share_node(root, request)['available_roles']], SHARING_ROLES)
def test_apply(self, extra_principals, root): from kotti.security import list_groups from kotti.security import set_groups from kotti.views.users import share_node request = DummyRequest() request.params['apply'] = '' share_node(root, request) assert (request.session.pop_flash('info') == ['No changes were made.']) assert list_groups('bob', root) == [] set_groups('bob', root, ['role:special']) request.params['role::bob::role:owner'] = '1' request.params['role::bob::role:editor'] = '1' request.params['orig-role::bob::role:owner'] = '' request.params['orig-role::bob::role:editor'] = '' share_node(root, request) assert (request.session.pop_flash('success') == [ 'Your changes have been saved.' ]) assert (set(list_groups( 'bob', root)) == {'role:owner', 'role:editor', 'role:special'}) # We cannot set a role that's not displayed, even if we forged # the request: request.params['role::bob::role:admin'] = '1' request.params['orig-role::bob::role:admin'] = '' with raises(Forbidden): share_node(root, request) assert (set(list_groups( 'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
def test_apply(self, extra_principals, root): from kotti.security import list_groups from kotti.security import set_groups from kotti.views.users import share_node request = DummyRequest() request.params['apply'] = u'' share_node(root, request) assert (request.session.pop_flash('info') == [ u'No changes were made.' ]) assert list_groups('bob', root) == [] set_groups('bob', root, ['role:special']) request.params['role::bob::role:owner'] = u'1' request.params['role::bob::role:editor'] = u'1' request.params['orig-role::bob::role:owner'] = u'' request.params['orig-role::bob::role:editor'] = u'' share_node(root, request) assert (request.session.pop_flash('success') == [ u'Your changes have been saved.' ]) assert (set(list_groups( 'bob', root)) == {'role:owner', 'role:editor', 'role:special'}) # We cannot set a role that's not displayed, even if we forged # the request: request.params['role::bob::role:admin'] = u'1' request.params['orig-role::bob::role:admin'] = u'' with raises(Forbidden): share_node(root, request) assert (set(list_groups( 'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
def test_apply(self, extra_principals, root): from kotti.security import list_groups from kotti.security import set_groups from kotti.views.users import share_node request = DummyRequest() request.params["apply"] = "" request.params["csrf_token"] = request.session.get_csrf_token() share_node(root, request) assert request.session.pop_flash("info") == ["No changes were made."] assert list_groups("bob", root) == [] set_groups("bob", root, ["role:special"]) request.params["role::bob::role:owner"] = "1" request.params["role::bob::role:editor"] = "1" request.params["orig-role::bob::role:owner"] = "" request.params["orig-role::bob::role:editor"] = "" share_node(root, request) assert request.session.pop_flash("success") == ["Your changes have been saved."] assert set(list_groups("bob", root)) == { "role:owner", "role:editor", "role:special", } # We cannot set a role that's not displayed, even if we forged # the request: request.params["role::bob::role:admin"] = "1" request.params["orig-role::bob::role:admin"] = "" with raises(Forbidden): share_node(root, request) assert set(list_groups("bob", root)) == { "role:owner", "role:editor", "role:special", }