def setUp(self): super(FilteringRestrictedItemsTest, self).setUp() # without explicit re-registration of the default policy unit tests # failed when running 'python setup.py test' self._register_default_policy() # get rid of default media Media.query.delete() self.private_media = Media.example(slug=u'private') self.public_media = Media.example(slug=u'public') self.permission_system = MediaCorePermissionSystem(self.pylons_config) self.media_query = Media.query user = self._create_user_without_groups() self.perm = UserPermissions(user, self.permission_system)
def test_non_editors_are_redirect_to_home_page_after_login(self): user = User.example() perm = MediaCorePermissionSystem.permissions_for_user(user, config) assert_false(perm.contains_permission(u'edit')) assert_false(perm.contains_permission(u'admin')) response = self.call_post_login(user) assert_equals('http://server.example:80/', response.location)
def test_non_editors_are_redirect_to_home_page_after_login(self): user = User.example() perm = MediaCorePermissionSystem.permissions_for_user(user, config) assert_false(perm.contains_permission(u'edit')) assert_false(perm.contains_permission(u'admin')) response = self.call_post_login(user) redirect_path = urlparse.urlsplit(response.location)[2] # .path in 2.5+ assert_equals('/', redirect_path)
def _create_user_with_admin_permission_only(self): admin_perm = DBSession.query(Permission).filter(Permission.permission_name == u'admin').one() second_admin_group = Group.example(name=u'Second admin group') admin_perm.groups.append(second_admin_group) admin = User.example(groups=[second_admin_group]) DBSession.commit() perm = MediaCorePermissionSystem.permissions_for_user(admin, config) assert_true(perm.contains_permission(u'admin')) assert_false(perm.contains_permission(u'edit')) return admin
def _create_user_with_admin_permission_only(self): admin_perm = DBSession.query(Permission).filter( Permission.permission_name == u'admin').one() second_admin_group = Group.example(name=u'Second admin group') admin_perm.groups.append(second_admin_group) admin = User.example(groups=[second_admin_group]) DBSession.commit() perm = MediaCorePermissionSystem.permissions_for_user(admin, config) assert_true(perm.contains_permission(u'admin')) assert_false(perm.contains_permission(u'edit')) return admin
def set_authenticated_user(self, user, wsgi_environ=None): if wsgi_environ is None: wsgi_environ = pylons.request.environ identity = wsgi_environ.setdefault('repoze.who.identity', {}) identity.update({ 'user': user, 'repoze.who.userid': user.user_id, }) perm = MediaCorePermissionSystem.permissions_for_request(wsgi_environ, self.pylons_config) wsgi_environ['mediacore.perm'] = perm pylons.request.perm = perm
def set_authenticated_user(self, user, wsgi_environ=None): if wsgi_environ is None: wsgi_environ = pylons.request.environ if (user is None) and ('repoze.who.identity' in wsgi_environ): del wsgi_environ['repoze.who.identity'] elif user is not None: identity = wsgi_environ.setdefault('repoze.who.identity', {}) identity.update({ 'user': user, 'repoze.who.userid': user.id, }) perm = MediaCorePermissionSystem.permissions_for_request(wsgi_environ, self.pylons_config) wsgi_environ['mediacore.perm'] = perm pylons.request.perm = perm
def viewable_media(query): permission_system = MediaCorePermissionSystem(config) return permission_system.filter_restricted_items(query, u'view', request.perm)
def assert_user_groups(self, groups, user): perm = MediaCorePermissionSystem.permissions_for_user(user, self.pylons_config) assert_equals(set(groups), set(perm.groups))
def _create_user_with_edit_permission_only(self): editor = User.example(groups=[self.editor_group()]) perm = MediaCorePermissionSystem.permissions_for_user(editor, config) assert_true(perm.contains_permission(u'edit')) assert_false(perm.contains_permission(u'admin')) return editor
class FilteringRestrictedItemsTest(DBTestCase): def setUp(self): super(FilteringRestrictedItemsTest, self).setUp() # without explicit re-registration of the default policy unit tests # failed when running 'python setup.py test' self._register_default_policy() # get rid of default media Media.query.delete() self.private_media = Media.example(slug=u'private') self.public_media = Media.example(slug=u'public') self.permission_system = MediaCorePermissionSystem(self.pylons_config) self.media_query = Media.query user = self._create_user_without_groups() self.perm = UserPermissions(user, self.permission_system) def _register_default_policy(self): PermissionPolicies.register(GroupBasedPermissionsPolicy) def _create_user_without_groups(self): user = User() user.user_name = u'joe' user.email_address = u'*****@*****.**' user.display_name = u'Joe' user.groups = [] DBSession.add(user) DBSession.flush() return user # --- tests --------------------------------------------------------------- def test_can_use_policies_to_return_only_accessible_items(self): assert_equals(2, self.media_query.count()) fake_policy = self._fake_view_policy(lambda media: (u'public' in media.slug)) self.permission_system.policies = [fake_policy] results = self._media_query_results(u'view') assert_equals(1, results.count()) assert_equals(self.public_media, list(results)[0]) # --- tests with access filtering ----------------------------------------- def test_can_add_filter_criteria_to_base_query(self): self.permission_system.policies = [ self._fake_view_policy_with_query_conditions() ] results = self._media_query_results(u'view') assert_equals(1, results.count()) assert_equals(self.private_media, list(results)[0]) assert_equals(0, self._media_query_results(u'unknown').count()) def test_only_adds_filter_criteria_to_query_if_all_policies_agree(self): self.permission_system.policies = [ self._fake_view_policy_with_query_conditions(), self._fake_view_policy(lambda media: (u'public' in media.slug)) ] results = self._media_query_results(u'view') assert_equals(1, results.count()) assert_equals(self.public_media, list(results)[0]) def test_policies_can_return_true_as_a_shortcut_to_prevent_further_result_filtering( self): class FakePolicy(IPermissionPolicy): permissions = (u'view', ) def can_apply_access_restrictions_to_query(self, query, permission): return True def access_condition_for_query(self, query, permission, perm): return True self.permission_system.policies = [FakePolicy()] results = self._media_query_results(u'view') assert_equals(2, results.count()) def test_policies_can_return_false_to_suppress_all_items(self): class FakePolicy(IPermissionPolicy): permissions = (u'view', ) def can_apply_access_restrictions_to_query(self, query, permission): return True def access_condition_for_query(self, query, permission, perm): return False self.permission_system.policies = [FakePolicy()] results = self._media_query_results(u'view') assert_equals(0, results.count()) def test_policies_can_return_none_as_access_condition(self): class FakePolicy(IPermissionPolicy): permissions = (u'view', ) def can_apply_access_restrictions_to_query(self, query, permission): return True def access_condition_for_query(self, query, permission, perm): return None self.permission_system.policies = [FakePolicy()] results = self._media_query_results(u'view') assert_equals(0, results.count()) self.permission_system.policies = [ FakePolicy(), self._fake_view_policy_with_query_conditions() ] results = self._media_query_results(u'view') assert_equals(1, results.count()) def test_policies_can_return_query_and_condition(self): test_self = self class FakePolicy(IPermissionPolicy): permissions = (u'view', ) def can_apply_access_restrictions_to_query(self, query, permission): return True def access_condition_for_query(self, query, permission, perm): query = query.filter(Media.id == test_self.private_media.id) return None, query self.permission_system.policies = [FakePolicy()] results = self._media_query_results(u'view') assert_equals(1, results.count()) assert_equals(self.private_media, results.first()) # --- helpers ------------------------------------------------------------- def _media_query_results(self, permission): return self.permission_system.filter_restricted_items( self.media_query, permission, self.perm) def _fake_view_policy(self, condition): class FakeViewPolicy(IPermissionPolicy): permissions = (u'view', ) def permits(self, permission, user_permissions, resource): media = resource.data['media'] return condition(media) return FakeViewPolicy() def _fake_view_policy_with_query_conditions(self): test_self = self class FakePolicy(IPermissionPolicy): permissions = (u'view', ) def permits(self, permission, user_permissions, resource): return (resource.data['media'].id == test_self.public_media.id) def can_apply_access_restrictions_to_query(self, query, permission): return True def access_condition_for_query(self, query, permission, perm): return (Media.id == test_self.private_media.id) return FakePolicy()
def __call__(self, environ, start_response): environ['mediacore.perm'] = \ MediaCorePermissionSystem.permissions_for_request(environ, self.config) return self.app(environ, start_response)
class FilteringRestrictedItemsTest(DBTestCase): def setUp(self): super(FilteringRestrictedItemsTest, self).setUp() # without explicit re-registration of the default policy unit tests # failed when running 'python setup.py test' self._register_default_policy() # get rid of default media Media.query.delete() self.private_media = Media.example(slug=u'private') self.public_media = Media.example(slug=u'public') self.permission_system = MediaCorePermissionSystem(self.pylons_config) self.media_query = Media.query user = self._create_user_without_groups() self.perm = UserPermissions(user, self.permission_system) def _register_default_policy(self): PermissionPolicies.register(GroupBasedPermissionsPolicy) def _create_user_without_groups(self): user = User() user.user_name = u'joe' user.email_address = u'*****@*****.**' user.display_name = u'Joe' user.groups = [] DBSession.add(user) DBSession.flush() return user # --- tests --------------------------------------------------------------- def test_can_use_policies_to_return_only_accessible_items(self): assert_equals(2, self.media_query.count()) fake_policy = self._fake_view_policy(lambda media: (u'public' in media.slug)) self.permission_system.policies = [fake_policy] results = self._media_query_results(u'view') assert_equals(1, results.count()) assert_equals(self.public_media, list(results)[0]) # --- tests with access filtering ----------------------------------------- def test_can_add_filter_criteria_to_base_query(self): self.permission_system.policies = [ self._fake_view_policy_with_query_conditions() ] results = self._media_query_results(u'view') assert_equals(1, results.count()) assert_equals(self.private_media, list(results)[0]) assert_equals(0, self._media_query_results(u'unknown').count()) def test_only_adds_filter_criteria_to_query_if_all_policies_agree(self): self.permission_system.policies = [ self._fake_view_policy_with_query_conditions(), self._fake_view_policy(lambda media: (u'public' in media.slug)) ] results = self._media_query_results(u'view') assert_equals(1, results.count()) assert_equals(self.public_media, list(results)[0]) def test_policies_can_return_true_as_a_shortcut_to_prevent_further_result_filtering(self): class FakePolicy(IPermissionPolicy): permissions = (u'view', ) def can_apply_access_restrictions_to_query(self, query, permission): return True def access_condition_for_query(self, query, permission, perm): return True self.permission_system.policies = [FakePolicy()] results = self._media_query_results(u'view') assert_equals(2, results.count()) def test_policies_can_return_false_to_suppress_all_items(self): class FakePolicy(IPermissionPolicy): permissions = (u'view', ) def can_apply_access_restrictions_to_query(self, query, permission): return True def access_condition_for_query(self, query, permission, perm): return False self.permission_system.policies = [FakePolicy()] results = self._media_query_results(u'view') assert_equals(0, results.count()) def test_policies_can_return_none_as_access_condition(self): class FakePolicy(IPermissionPolicy): permissions = (u'view', ) def can_apply_access_restrictions_to_query(self, query, permission): return True def access_condition_for_query(self, query, permission, perm): return None self.permission_system.policies = [FakePolicy()] results = self._media_query_results(u'view') assert_equals(0, results.count()) self.permission_system.policies = [ FakePolicy(), self._fake_view_policy_with_query_conditions() ] results = self._media_query_results(u'view') assert_equals(1, results.count()) def test_policies_can_return_query_and_condition(self): test_self = self class FakePolicy(IPermissionPolicy): permissions = (u'view', ) def can_apply_access_restrictions_to_query(self, query, permission): return True def access_condition_for_query(self, query, permission, perm): query = query.filter(Media.id == test_self.private_media.id) return None, query self.permission_system.policies = [FakePolicy()] results = self._media_query_results(u'view') assert_equals(1, results.count()) assert_equals(self.private_media, results.first()) # --- helpers ------------------------------------------------------------- def _media_query_results(self, permission): return self.permission_system.filter_restricted_items(self.media_query, permission, self.perm) def _fake_view_policy(self, condition): class FakeViewPolicy(IPermissionPolicy): permissions = (u'view', ) def permits(self, permission, user_permissions, resource): media = resource.data['media'] return condition(media) return FakeViewPolicy() def _fake_view_policy_with_query_conditions(self): test_self = self class FakePolicy(IPermissionPolicy): permissions = (u'view', ) def permits(self, permission, user_permissions, resource): return (resource.data['media'].id == test_self.public_media.id) def can_apply_access_restrictions_to_query(self, query, permission): return True def access_condition_for_query(self, query, permission, perm): return (Media.id == test_self.private_media.id) return FakePolicy()
def perm(self): system = MediaCorePermissionSystem(self.pylons_config) system.policies = [self.policy] user = DBSession.query(User).filter(User.user_name == u'admin').one() return UserPermissions(user, system)