def testRevoke(self):
    """Check that Revoke removes access that Grant previously gave.

    The grant is made to the subject 'subject'. Both access checks run while
    logged in as that same user, once before and once after the revoke.
    """
    grantee = 'subject'
    editor_role = perms.Role.CATALOG_EDITOR
    domain = 'xyz.com'

    perms.Grant(grantee, editor_role, domain)
    with test_utils.Login('subject'):
        # Positive control: the grant must be effective before it is revoked,
        # otherwise the final assertion could pass vacuously.
        self.assertTrue(perms.CheckAccess(editor_role, domain))
        perms.Revoke(grantee, editor_role, domain)
        self.assertFalse(perms.CheckAccess(editor_role, domain))
def testPost_CreateDomain(self):
    """POSTing a new domain creates it and makes the poster its admin."""
    # Precondition: the domain must not exist before the request.
    self.assertIsNone(domains.Domain.Get('bar.com'))

    with test_utils.DomainLogin('first_bar_user', 'bar.com'):
        response = self.DoCreateDomainPost('bar.com')
        redirect_target = response.headers['Location']
        self.assertTrue('welcome=1' in redirect_target)

        created = domains.Domain.Get('bar.com')
        self.assertTrue(created)

        # The user who created the domain is expected to hold DOMAIN_ADMIN
        # on it. The check runs inside the login context, so it applies to
        # that user.
        is_domain_admin = perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'bar.com')
        self.assertTrue(is_domain_admin)
def CreateDomain(self, domain_name, user):
    """Create the domain record and grant `user` DOMAIN_ADMIN on it.

    Raises:
        base_handler.Error: with status 403 if a domain named `domain_name`
            already exists.

    NOTE(review): nothing in this method checks that `user` is entitled to
    claim `domain_name`; presumably the calling handler enforces that --
    confirm against the caller.
    """
    existing = domains.Domain.Get(domain_name)
    if existing:
        raise base_handler.Error(
            403, 'Domain %r already exists.' % domain_name)

    # NOTE(review): the existence check above and this Put are separate calls
    # and nothing visible here makes them atomic. Whether two concurrent
    # requests for the same name can both reach the grant below depends on
    # Domain.Put -- confirm.
    domains.Domain.Put(domain_name)

    def grant_admin():
        return perms.Grant(user.id, perms.Role.DOMAIN_ADMIN, domain_name)

    def admin_grant_visible():
        return perms.CheckAccess(perms.Role.DOMAIN_ADMIN, domain_name, user)

    # Apply the grant and verify it through CheckAccess for this same user.
    # (presumably SetAndTest repeats until the check passes -- see utils.)
    utils.SetAndTest(grant_admin, admin_grant_visible)
def _GetNavbarContext(self, user):
    """Return the navbar context dict for `user`, or {} if `user` is falsy.

    The three *_domains entries are sorted lists of the domains on which
    `user` holds the corresponding role.
    """
    if not user:
        return {}

    def accessible_domains(role):
        return sorted(perms.GetAccessibleDomains(user, role))

    return {
        'admin_domains': accessible_domains(perms.Role.DOMAIN_ADMIN),
        'catalog_domains': accessible_domains(perms.Role.CATALOG_EDITOR),
        'creator_domains': accessible_domains(perms.Role.MAP_CREATOR),
        'domain_exists': domains.Domain.Get(user.email_domain),
        # NOTE(review): unlike the domain lists above, this check is not
        # passed `user`; presumably it is evaluated for the current session
        # user -- confirm the two are always the same principal here.
        'is_admin': perms.CheckAccess(perms.Role.ADMIN),
    }
def testDomainAdminRole(self):
    """Check who does and does not get DOMAIN_ADMIN on 'xyz.com'.

    Two grants are made: one to the subject 'xyz.com' and one to the subject
    'outside_friend'. Users covered by either grant must pass the check, as
    must a RootLogin session. Users covered by neither must be refused.
    """
    def is_xyz_admin():
        return perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com')

    with test_utils.RootLogin():
        perms.Grant('xyz.com', perms.Role.DOMAIN_ADMIN, 'xyz.com')
        perms.Grant('outside_friend', perms.Role.DOMAIN_ADMIN, 'xyz.com')

    # Covered by the grant whose subject is 'xyz.com'.
    with test_utils.DomainLogin('insider', 'xyz.com'):
        self.assertTrue(is_xyz_admin())

    # Covered by the grant to 'outside_friend', despite the other domain.
    with test_utils.DomainLogin('outside_friend', 'not-xyz.com'):
        self.assertTrue(is_xyz_admin())

    # Negative cases: neither of these users matches a grant.
    with test_utils.Login('stranger'):
        self.assertFalse(is_xyz_admin())
    with test_utils.DomainLogin('stranger_with_ga_domain', 'not-xyz.com'):
        self.assertFalse(is_xyz_admin())

    # Root passes the check although neither grant names it as subject.
    with test_utils.RootLogin():
        self.assertTrue(is_xyz_admin())
def testMapCreatorDomains(self):
    """Verifies that a MAP_CREATOR grant to a domain covers that domain's users."""
    creator = perms.Role.MAP_CREATOR
    perms.Grant('foo.com', creator, 'xyz.com')

    # A foo.com user may create maps in xyz.com, and the grant does not
    # also confer ADMIN.
    with test_utils.DomainLogin('insider', 'foo.com'):
        can_create = perms.CheckAccess(perms.Role.MAP_CREATOR, 'xyz.com')
        self.assertTrue(can_create)
        self.assertFalse(perms.CheckAccess(perms.Role.ADMIN))
        model.Map.Create({}, 'xyz.com')

    # A bar.com user has no grant: the check fails and Map.Create itself
    # refuses the operation.
    with test_utils.DomainLogin('outsider', 'bar.com'):
        can_create = perms.CheckAccess(perms.Role.MAP_CREATOR, 'xyz.com')
        self.assertFalse(can_create)
        with self.assertRaises(perms.AuthorizationError):
            model.Map.Create({}, 'xyz.com')

    # A grant to 'gmail.test' gives every gmail.test user MAP_CREATOR there.
    perms.Grant('gmail.test', creator, 'gmail.test')
    with test_utils.Login('gmail_user'):
        can_create = perms.CheckAccess(perms.Role.MAP_CREATOR, 'gmail.test')
        self.assertTrue(can_create)
def testNotSignedIn(self):
    """With no login context active, MAP_EDITOR access to a map is denied."""
    map_object = test_utils.CreateMap()
    has_editor_access = perms.CheckAccess(
        perms.Role.MAP_EDITOR, target=map_object)
    self.assertFalse(has_editor_access)
def GetRolesForMap(map_object):
    """Returns the set of roles the current user holds on the given map.

    Each role in perms.MAP_ROLES is tested with perms.CheckAccess against
    `map_object`. Only the roles that pass are included in the result.
    """
    granted_roles = set()
    for role in perms.MAP_ROLES:
        if perms.CheckAccess(role, target=map_object):
            granted_roles.add(role)
    return granted_roles