def test_apply(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
self.add_some_principals()
request.params['apply'] = u''
share_node(root, request)
self.assertEqual(request.session.pop_flash('info'),
[u'No changes made.'])
self.assertEqual(list_groups('bob', root), [])
set_groups('bob', root, ['role:special'])
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
share_node(root, request)
self.assertEqual(request.session.pop_flash('success'),
[u'Your changes have been saved.'])
self.assertEqual(set(list_groups('bob', root)),
set(['role:owner', 'role:editor', 'role:special']))
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params['role::bob::role:admin'] = u'1'
request.params['orig-role::bob::role:admin'] = u''
self.assertRaises(Forbidden, share_node, root, request)
self.assertEqual(set(list_groups('bob', root)),
set(['role:owner', 'role:editor', 'role:special']))
def test_apply(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
self.add_some_principals()
request.params["apply"] = u""
share_node(root, request)
self.assertEqual(request.session.pop_flash("info"), [u"No changes made."])
self.assertEqual(list_groups("bob", root), [])
set_groups("bob", root, ["role:special"])
request.params["role::bob::role:owner"] = u"1"
request.params["role::bob::role:editor"] = u"1"
request.params["orig-role::bob::role:owner"] = u""
request.params["orig-role::bob::role:editor"] = u""
share_node(root, request)
self.assertEqual(request.session.pop_flash("success"), [u"Your changes have been saved."])
self.assertEqual(set(list_groups("bob", root)), set(["role:owner", "role:editor", "role:special"]))
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params["role::bob::role:admin"] = u"1"
request.params["orig-role::bob::role:admin"] = u""
self.assertRaises(Forbidden, share_node, root, request)
self.assertEqual(set(list_groups("bob", root)), set(["role:owner", "role:editor", "role:special"]))
def test_apply(self):
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
self.add_some_principals()
request.params['apply'] = u''
share_node(root, request)
self.assertEqual(
request.session.pop_flash('notice'), [u'No changes made.'])
self.assertEqual(list_groups('bob', root), [])
set_groups('bob', root, ['role:special'])
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
share_node(root, request)
self.assertEqual(
request.session.pop_flash('success'),
[u'Your changes have been saved.'])
self.assertEqual(
set(list_groups('bob', root)),
set(['role:owner', 'role:editor', 'role:special']))
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params['role::bob::role:admin'] = u'1'
request.params['orig-role::bob::role:admin'] = u''
self.assertRaises(Forbidden, share_node, root, request)
self.assertEqual(
set(list_groups('bob', root)),
set(['role:owner', 'role:editor', 'role:special']))
def test_search(self, extra_principals, root, db_session):
from kotti.security import get_principals
from kotti.security import set_groups
from kotti.testing import DummyRequest
from kotti.views.users import share_node
request = DummyRequest()
P = get_principals()
# Search for "Bob", which will return both the user and the
# group, both of which have no roles:
request.params['search'] = ''
request.params['query'] = 'Bob'
entries = share_node(root, request)['entries']
assert len(entries) == 2
assert entries[0][0] == P['bob']
assert entries[0][1] == ([], [])
assert entries[1][0] == P['group:bobsgroup']
assert entries[1][1] == ([], [])
# We make Bob an Editor in this context, and Bob's Group
# becomes global Admin:
set_groups('bob', root, ['role:editor'])
db_session.flush()
P['group:bobsgroup'].groups = ['role:admin']
db_session.flush()
entries = share_node(root, request)['entries']
assert len(entries) == 2
assert entries[0][0] == P['bob']
assert entries[0][1] == (['role:editor'], [])
assert entries[1][0] == P['group:bobsgroup']
assert entries[1][1] == (['role:admin'], ['role:admin'])
# A search that doesn't return any items will still include
# entries with existing local roles:
request.params['query'] = 'Weeee'
entries = share_node(root, request)['entries']
assert len(entries) == 1
assert entries[0][0] == P['bob']
assert entries[0][1] == (['role:editor'], [])
assert (request.session.pop_flash('info') == [
'No users or groups were found.'
])
# It does not, however, include entries that have local group
# assignments only:
set_groups('frank', root, ['group:franksgroup'])
request.params['query'] = 'Weeee'
entries = share_node(root, request)['entries']
assert len(entries) == 1
assert entries[0][0] == P['bob']
def test_search(self):
from kotti.resources import get_root
from kotti.security import get_principals
from kotti.security import set_groups
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
P = get_principals()
self.add_some_principals()
# Search for "Bob", which will return both the user and the
# group, both of which have no roles:
request.params['search'] = u''
request.params['query'] = u'Bob'
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 2)
self.assertEqual(entries[0][0], P['bob'])
self.assertEqual(entries[0][1], ([], []))
self.assertEqual(entries[1][0], P['group:bobsgroup'])
self.assertEqual(entries[1][1], ([], []))
# We make Bob an Editor in this context, and Bob's Group
# becomes global Admin:
set_groups(u'bob', root, [u'role:editor'])
P[u'group:bobsgroup'].groups = [u'role:admin']
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 2)
self.assertEqual(entries[0][0], P['bob'])
self.assertEqual(entries[0][1], ([u'role:editor'], []))
self.assertEqual(entries[1][0], P['group:bobsgroup'])
self.assertEqual(entries[1][1], ([u'role:admin'], [u'role:admin']))
# A search that doesn't return any items will still include
# entries with existing local roles:
request.params['query'] = u'Weeee'
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0][0], P[u'bob'])
self.assertEqual(entries[0][1], ([u'role:editor'], []))
self.assertEqual(request.session.pop_flash('info'),
[u'No users or groups found.'])
# It does not, however, include entries that have local group
# assignments only:
set_groups(u'frank', root, [u'group:franksgroup'])
request.params['query'] = u'Weeee'
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0][0], P['bob'])
def test_search(self, extra_principals, root, db_session):
from kotti.security import get_principals
from kotti.security import set_groups
from kotti.testing import DummyRequest
from kotti.views.users import share_node
request = DummyRequest()
P = get_principals()
# Search for "Bob", which will return both the user and the
# group, both of which have no roles:
request.params['search'] = ''
request.params['query'] = 'Bob'
entries = share_node(root, request)['entries']
assert len(entries) == 2
assert entries[0][0] == P['bob']
assert entries[0][1] == ([], [])
assert entries[1][0] == P['group:bobsgroup']
assert entries[1][1] == ([], [])
# We make Bob an Editor in this context, and Bob's Group
# becomes global Admin:
set_groups('bob', root, ['role:editor'])
db_session.flush()
P['group:bobsgroup'].groups = ['role:admin']
db_session.flush()
entries = share_node(root, request)['entries']
assert len(entries) == 2
assert entries[0][0] == P['bob']
assert entries[0][1] == (['role:editor'], [])
assert entries[1][0] == P['group:bobsgroup']
assert entries[1][1] == (['role:admin'], ['role:admin'])
# A search that doesn't return any items will still include
# entries with existing local roles:
request.params['query'] = 'Weeee'
entries = share_node(root, request)['entries']
assert len(entries) == 1
assert entries[0][0] == P['bob']
assert entries[0][1] == (['role:editor'], [])
assert (request.session.pop_flash('info') ==
['No users or groups were found.'])
# It does not, however, include entries that have local group
# assignments only:
set_groups('frank', root, ['group:franksgroup'])
request.params['query'] = 'Weeee'
entries = share_node(root, request)['entries']
assert len(entries) == 1
assert entries[0][0] == P['bob']
def test_search(self):
from kotti.resources import get_root
from kotti.security import get_principals
from kotti.security import set_groups
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
P = get_principals()
self.add_some_principals()
# Search for "Bob", which will return both the user and the
# group, both of which have no roles:
request.params['search'] = u''
request.params['query'] = u'Bob'
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 2)
self.assertEqual(entries[0][0], P['bob'])
self.assertEqual(entries[0][1], ([], []))
self.assertEqual(entries[1][0], P['group:bobsgroup'])
self.assertEqual(entries[1][1], ([], []))
# We make Bob an Editor in this context, and Bob's Group
# becomes global Admin:
set_groups(u'bob', root, [u'role:editor'])
P[u'group:bobsgroup'].groups = [u'role:admin']
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 2)
self.assertEqual(entries[0][0], P['bob'])
self.assertEqual(entries[0][1], ([u'role:editor'], []))
self.assertEqual(entries[1][0], P['group:bobsgroup'])
self.assertEqual(entries[1][1], ([u'role:admin'], [u'role:admin']))
# A search that doesn't return any items will still include
# entries with existing local roles:
request.params['query'] = u'Weeee'
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0][0], P[u'bob'])
self.assertEqual(entries[0][1], ([u'role:editor'], []))
self.assertEqual(request.session.pop_flash('info'),
[u'No users or groups found.'])
# It does not, however, include entries that have local group
# assignments only:
set_groups(u'frank', root, [u'group:franksgroup'])
request.params['query'] = u'Weeee'
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0][0], P['bob'])
def test_search(self, extra_principals, root, db_session):
from kotti.security import get_principals
from kotti.security import set_groups
from kotti.testing import DummyRequest
from kotti.views.users import share_node
request = DummyRequest()
P = get_principals()
# Search for "Bob", which will return both the user and the
# group, both of which have no roles:
request.params["search"] = ""
request.params["query"] = "Bob"
entries = share_node(root, request)["entries"]
assert len(entries) == 2
assert entries[0][0] == P["bob"]
assert entries[0][1] == ([], [])
assert entries[1][0] == P["group:bobsgroup"]
assert entries[1][1] == ([], [])
# We make Bob an Editor in this context, and Bob's Group
# becomes global Admin:
set_groups("bob", root, ["role:editor"])
db_session.flush()
P["group:bobsgroup"].groups = ["role:admin"]
db_session.flush()
entries = share_node(root, request)["entries"]
assert len(entries) == 2
assert entries[0][0] == P["bob"]
assert entries[0][1] == (["role:editor"], [])
assert entries[1][0] == P["group:bobsgroup"]
assert entries[1][1] == (["role:admin"], ["role:admin"])
# A search that doesn't return any items will still include
# entries with existing local roles:
request.params["query"] = "Weeee"
entries = share_node(root, request)["entries"]
assert len(entries) == 1
assert entries[0][0] == P["bob"]
assert entries[0][1] == (["role:editor"], [])
assert request.session.pop_flash("info") == ["No users or groups were found."]
# It does not, however, include entries that have local group
# assignments only:
set_groups("frank", root, ["group:franksgroup"])
request.params["query"] = "Weeee"
entries = share_node(root, request)["entries"]
assert len(entries) == 1
assert entries[0][0] == P["bob"]
def test_csrf(self, extra_principals, root, dummy_request):
""" Test if a CSRF token is present and checked on submission """
from kotti.views.users import share_node
result = share_node(root, dummy_request)
assert 'csrf_token' in result
dummy_request.params['apply'] = ''
with raises(HTTPBadRequest):
share_node(root, dummy_request)
dummy_request.params['csrf_token'] = dummy_request.session.get_csrf_token() # noqa
result = share_node(root, dummy_request)
assert result['csrf_token'] == dummy_request.session.get_csrf_token()
def test_csrf(self, extra_principals, root, dummy_request):
""" Test if a CSRF token is present and checked on submission """
from kotti.views.users import share_node
result = share_node(root, dummy_request)
assert 'csrf_token' in result
dummy_request.params['apply'] = ''
with raises(HTTPBadRequest):
share_node(root, dummy_request)
dummy_request.params[
'csrf_token'] = dummy_request.session.get_csrf_token() # noqa
result = share_node(root, dummy_request)
assert result['csrf_token'] == dummy_request.session.get_csrf_token()
def test_roles(self, root):
from kotti.views.users import share_node
from kotti.security import SHARING_ROLES
# The 'share_node' view will return a list of available roles
# as defined in 'kotti.security.SHARING_ROLES'
request = DummyRequest()
assert ([r.name for r in share_node(root, request)['available_roles']
] == SHARING_ROLES)
def test_roles(self, root):
from kotti.views.users import share_node
from kotti.security import SHARING_ROLES
# The 'share_node' view will return a list of available roles
# as defined in 'kotti.security.SHARING_ROLES'
request = DummyRequest()
assert ([r.name for r in share_node(root, request)['available_roles']
] == SHARING_ROLES)
def test_roles(self):
from kotti.views.users import share_node
from kotti.resources import get_root
from kotti.security import SHARING_ROLES
# The 'share_node' view will return a list of available roles
# as defined in 'kotti.security.SHARING_ROLES'
root = get_root()
request = DummyRequest()
self.assertEqual([r.name for r in share_node(root, request)["available_roles"]], SHARING_ROLES)
def test_roles(self):
from kotti.views.users import share_node
from kotti.resources import get_root
from kotti.security import SHARING_ROLES
# The 'share_node' view will return a list of available roles
# as defined in 'kotti.security.SHARING_ROLES'
root = get_root()
request = DummyRequest()
self.assertEqual(
[r.name for r in share_node(root, request)['available_roles']],
SHARING_ROLES)
def test_apply(self, extra_principals, root):
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
request = DummyRequest()
request.params['apply'] = ''
share_node(root, request)
assert (request.session.pop_flash('info') == ['No changes were made.'])
assert list_groups('bob', root) == []
set_groups('bob', root, ['role:special'])
request.params['role::bob::role:owner'] = '1'
request.params['role::bob::role:editor'] = '1'
request.params['orig-role::bob::role:owner'] = ''
request.params['orig-role::bob::role:editor'] = ''
share_node(root, request)
assert (request.session.pop_flash('success') == [
'Your changes have been saved.'
])
assert (set(list_groups(
'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params['role::bob::role:admin'] = '1'
request.params['orig-role::bob::role:admin'] = ''
with raises(Forbidden):
share_node(root, request)
assert (set(list_groups(
'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
def test_apply(self, extra_principals, root):
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
request = DummyRequest()
request.params['apply'] = u''
share_node(root, request)
assert (request.session.pop_flash('info') == [
u'No changes were made.'
])
assert list_groups('bob', root) == []
set_groups('bob', root, ['role:special'])
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
share_node(root, request)
assert (request.session.pop_flash('success') == [
u'Your changes have been saved.'
])
assert (set(list_groups(
'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params['role::bob::role:admin'] = u'1'
request.params['orig-role::bob::role:admin'] = u''
with raises(Forbidden):
share_node(root, request)
assert (set(list_groups(
'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
def test_apply(self, extra_principals, root):
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
request = DummyRequest()
request.params["apply"] = ""
request.params["csrf_token"] = request.session.get_csrf_token()
share_node(root, request)
assert request.session.pop_flash("info") == ["No changes were made."]
assert list_groups("bob", root) == []
set_groups("bob", root, ["role:special"])
request.params["role::bob::role:owner"] = "1"
request.params["role::bob::role:editor"] = "1"
request.params["orig-role::bob::role:owner"] = ""
request.params["orig-role::bob::role:editor"] = ""
share_node(root, request)
assert request.session.pop_flash("success") == ["Your changes have been saved."]
assert set(list_groups("bob", root)) == {
"role:owner",
"role:editor",
"role:special",
}
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params["role::bob::role:admin"] = "1"
request.params["orig-role::bob::role:admin"] = ""
with raises(Forbidden):
share_node(root, request)
assert set(list_groups("bob", root)) == {
"role:owner",
"role:editor",
"role:special",
}
