def test_ongoing_meeting_upcoming_ai(self): m = self._fixture() security.unrestricted_wf_transition_to(m, 'ongoing') security.unrestricted_wf_transition_to(m['ai'], 'upcoming') self.assertEqual(principals_allowed_by_permission(m['ai']['d'], security.VIEW), admin | viewer | moderator) self.assertEqual(principals_allowed_by_permission(m['ai']['d'], security.EDIT), admin | moderator) self.assertEqual(principals_allowed_by_permission(m['ai']['d'], security.DELETE), admin | moderator | owner)
def test_topic_comment_permission(text_topic): """Ensure authed users have comment perms before deletion, not after.""" principals = principals_allowed_by_permission(text_topic, 'comment') assert Authenticated in principals text_topic.is_deleted = True principals = principals_allowed_by_permission(text_topic, 'comment') assert Authenticated not in principals
def test_deleted_topic_permissions_removed(topic): """Ensure that deleted topics lose all permissions except "view".""" topic.is_deleted = True assert principals_allowed_by_permission(topic, "view") == {Everyone} all_permissions = [ perm for (_, _, perm) in topic.__acl__() if perm != "view" ] for permission in all_permissions: assert not principals_allowed_by_permission(topic, permission)
def test_upcoming_meeting_private_ai(self): m = self._fixture() self.assertEqual( principals_allowed_by_permission(m['ai']['d'], security.VIEW), admin | moderator) self.assertEqual( principals_allowed_by_permission(m['ai']['d'], security.EDIT), admin | moderator) self.assertEqual( principals_allowed_by_permission(m['ai']['d'], security.DELETE), admin | moderator)
def test_upcoming_meeting_upcoming_ai(self): m = self._fixture() security.unrestricted_wf_transition_to(m['ai'], 'upcoming') self.assertEqual( principals_allowed_by_permission(m['ai']['d'], security.VIEW), admin | viewer | moderator) self.assertEqual( principals_allowed_by_permission(m['ai']['d'], security.EDIT), admin | moderator) self.assertEqual( principals_allowed_by_permission(m['ai']['d'], security.DELETE), admin | moderator | owner)
def test_removed_comment_view_permission(comment): """Ensure a removed comment can only be viewed by certain users.""" comment.is_removed = True allowed = principals_allowed_by_permission(comment, "view") granted = _principals_granted_permission("comment.remove", comment.topic.group_id) assert allowed == granted | {comment.user_id}
def test_deleted_comment_permissions_removed(comment): """Ensure that deleted comments lose all of the permissions.""" comment.is_deleted = True all_permissions = [perm for (_, _, perm) in comment.__acl__()] for permission in all_permissions: assert not principals_allowed_by_permission(comment, permission)
def outstanding_principals(permission, context, request): """Returns a list of sets of principals, where the attainment of all of the principals in any one of the sets would be sufficient to grant the current user (``request.user``) the `permission` in the given `context`.""" # TODO be able to determine a context based on a route name if has_permission(permission, context, request): return [] principals = principals_allowed_by_permission(context, permission) if not principals: # the permission must not exist at all within this context return ['__unattainable__'] effective = set(effective_principals(request)) outstanding = [] for p in principals: if p in TRUST_MAP: for alternative_principals in TRUST_MAP[p]: diff = set(alternative_principals) - effective if len(diff) > 0 and 'auth:insecure' not in diff: outstanding.append(diff) else: outstanding.append(set([p])) return outstanding
def get_recepients(context, permission="state_change"): """ Get a list of principals that have the permission in context and a email. :param context: Object for that the permission is needed. :type context: :class:`kotti.resources.Node` :param permission: :type permission: str :result: List of principals. :rtype: set """ principal_db = get_principals() recepients = [] for p in principals_allowed_by_permission(context, permission): # set(['role:owner', 'role:editor']) for principal in principal_db.search(groups=u'*%s*' % p).all(): recepients.append(principal) for principal in map_principals_with_local_roles(context): # [ # ( # <Principal u'disko'>, # ( # [u'role:owner', u'group:admins', u'role:admin'], # [u'role:owner', u'group:admins', u'role:admin']))] if p in principal[1][0] or p in principal[1][1]: recepients.append(principal[0]) return set([r for r in recepients if r.email])
def allowed(context, request): from pyramid.security import principals_allowed_by_permission permission = request.params.get('permission', 'view') return { 'has_permission': bool(request.has_permission(permission, context)), 'principals_allowed_by_permission': principals_allowed_by_permission(context, permission), }
def outstanding_principals(permission, context, request): """Returns a list of sets of principals, where the attainment of all of the principals in any one of the sets would be sufficient to grant the current user (``request.user``) the `permission` in the given `context`.""" # TODO be able to determine a context based on a route name if has_permission(permission, context, request): return [] principals = principals_allowed_by_permission(context, permission) if not principals: # the permission must not exist at all within this context return ['__unattainable__'] effective = set(effective_principals(request)) outstanding = [] for p in principals: if p in TRUST_MAP: for alternative_principals in TRUST_MAP[p]: diff = set(alternative_principals) - effective if len(diff) > 0 and 'auth:insecure' not in diff: outstanding.append(diff) else: outstanding.append(set([p])) return outstanding
def test_banned_user_no_message_permission(): """Ensure nobody can message a banned user.""" banned_user = User("Banned_User", "password") banned_user.is_banned = True principals = principals_allowed_by_permission(banned_user, "message") assert not principals
def test_deleted_user_no_message_permission(): """Ensure nobody can message a deleted user.""" deleted_user = User("Deleted_User", "password") deleted_user.is_deleted = True principals = principals_allowed_by_permission(deleted_user, "message") assert not principals
def get_allowed_to_view(object, default): principals = principals_allowed_by_permission(object, 'view') if not principals: # An empty value tells the catalog to match anything, whereas when # there are no principals with permission to view we want for there # to be no matches. principals = ['NO ONE no way NO HOW',] return principals
def get_allowed_to_view(object, default): principals = principals_allowed_by_permission(object, 'view') if not principals: # An empty value tells the catalog to match anything, whereas when # there are no principals with permission to view we want for there # to be no matches. principals = ['NO ONE no way NO HOW',] return principals
def test_comment_reply_locked_thread_permission(comment): """Ensure that only users with lock permission can reply in locked threads.""" comment.topic.is_locked = True allowed = principals_allowed_by_permission(comment, "reply") granted = _principals_granted_permission("topic.lock", comment.topic.group_id) assert allowed == granted
def item_index_data(context, request): uuid = str(context.uuid) properties = context.upgrade_properties() links = context.links(properties) unique_keys = context.unique_keys(properties) principals_allowed = {} for permission in ('view', 'edit', 'audit'): p = principals_allowed_by_permission(context, permission) if p is Everyone: p = [Everyone] principals_allowed[permission] = sorted(p) path = resource_path(context) paths = {path} collection = context.collection if collection.unique_key in unique_keys: paths.update( resource_path(collection, key) for key in unique_keys[collection.unique_key]) for base in (collection, request.root): for key_name in ('accession', 'alias'): if key_name not in unique_keys: continue paths.add(resource_path(base, uuid)) paths.update( resource_path(base, key) for key in unique_keys[key_name]) path = path + '/' embedded = request.embed(path, '@@embedded') object = request.embed(path, '@@object') audit = request.embed(path, '@@audit')['audit'] document = { 'audit': audit, 'embedded': embedded, 'embedded_uuids': sorted(request._embedded_uuids), 'item_type': context.item_type, 'linked_uuids': sorted(request._linked_uuids), 'links': links, 'object': object, 'paths': sorted(paths), 'principals_allowed': principals_allowed, 'properties': properties, 'propsheets': { name: context.propsheets[name] for name in context.propsheets.keys() if name != '' }, 'tid': context.tid, 'unique_keys': unique_keys, 'uuid': uuid, } return document
def get_allowed_to_view(object, default): """ Return a list of all roles allowed to view this object. """ principals = principals_allowed_by_permission(object, VIEW) if not principals: # An empty value tells the catalog to match anything, whereas when # there are no principals with permission to view we want for there # to be no matches. principals = [NEVER_EVER_PRINCIPAL,] return principals
def allowed(context, request): from pyramid.security import principals_allowed_by_permission permission = request.params.get('permission', 'view') return { 'has_permission': bool(request.has_permission(permission, context)), 'principals_allowed_by_permission': principals_allowed_by_permission(context, permission), }
def item_index_data(context, request): uuid = str(context.uuid) properties = context.upgrade_properties() links = context.links(properties) unique_keys = context.unique_keys(properties) principals_allowed = {} for permission in ('view', 'edit', 'audit'): p = principals_allowed_by_permission(context, permission) if p is Everyone: p = [Everyone] principals_allowed[permission] = sorted(p) path = resource_path(context) paths = {path} collection = context.collection if collection.unique_key in unique_keys: paths.update( resource_path(collection, key) for key in unique_keys[collection.unique_key]) for base in (collection, request.root): for key_name in ('accession', 'alias'): if key_name not in unique_keys: continue paths.add(resource_path(base, uuid)) paths.update( resource_path(base, key) for key in unique_keys[key_name]) path = path + '/' embedded = request.embed(path, '@@embedded') object = request.embed(path, '@@object') audit = request.embed(path, '@@audit')['audit'] document = { 'audit': audit, 'embedded': embedded, 'embedded_uuids': sorted(request._embedded_uuids), 'item_type': context.item_type, 'linked_uuids': sorted(request._linked_uuids), 'links': links, 'object': object, 'paths': sorted(paths), 'principals_allowed': principals_allowed, 'properties': properties, 'propsheets': { name: context.propsheets[name] for name in context.propsheets.keys() if name != '' }, 'tid': context.tid, 'unique_keys': unique_keys, 'uuid': uuid, } return document
def authorize(request, annotation, action, user=None): annotation = wrap_annotation(request, annotation) allowed = security.principals_allowed_by_permission(annotation, action) if user is None: principals = request.effective_principals else: principals = [security.Everyone, security.Authenticated, user.id] return set(allowed) & set(principals) != set()
def get_allowed_to_view(obj, default): """ Useful as a KeywordIndex discriminator. Looks up the principals allowed by the ``view`` permission against the object and indexes them if any are found.""" principals = principals_allowed_by_permission(obj, 'view') if not principals: # An empty value tells the catalog to match anything, whereas when # there are no principals with permission to view we want for there # to be no matches. principals = [NoWay()] return principals
def get_allowed_to_view(obj, default): """ Useful as a KeywordIndex discriminator. Looks up the principals allowed by the ``view`` permission against the object and indexes them if any are found.""" principals = principals_allowed_by_permission(obj, 'view') if not principals: # An empty value tells the catalog to match anything, whereas when # there are no principals with permission to view we want for there # to be no matches. principals = [NoWay()] return principals
def get_allowed_to_view(obj, default): """ Return a list of all roles allowed to view this object. """ principals = principals_allowed_by_permission(obj, VIEW) if not principals: # An empty value tells the catalog to match anything, whereas when # there are no principals with permission to view we want for there # to be no matches. principals = [ NEVER_EVER_PRINCIPAL, ] return principals
def _generate_annotation_event(message, socket, annotation, user_nipsad, group_service, formatters): """ Get message about annotation event `message` to be sent to `socket`. Inspects the embedded annotation event and decides whether or not the passed socket should receive notification of the event. Returns None if the socket should not receive any message about this annotation event, otherwise a dict containing information about the event. """ action = message["action"] if action == "read": return None if message["src_client_id"] == socket.client_id: return None # Don't sent annotations from NIPSA'd users to anyone other than that # user. if user_nipsad and socket.authenticated_userid != annotation.userid: return None # The `prepare` function sets the active registry which is an implicit # dependency of some of the authorization logic used to look up annotation # and group permissions. with pyramid.scripting.prepare(registry=socket.registry): notification = { "type": "annotation-notification", "options": { "action": action }, } base_url = socket.registry.settings.get("h.app_url", "http://localhost:5000") links_service = LinksService(base_url, socket.registry) resource = AnnotationContext(annotation, group_service, links_service) # Check whether client is authorized to read this annotation. read_principals = principals_allowed_by_permission(resource, "read") if not set(read_principals).intersection(socket.effective_principals): return None serialized = presenters.AnnotationJSONPresenter( resource, formatters=formatters).asdict() notification["payload"] = [serialized] if action == "delete": notification["payload"] = [{"id": annotation.id}] return notification
def item_index_data(context, request): uuid = str(context.uuid) properties = context.upgrade_properties() links = context.links(properties) unique_keys = context.unique_keys(properties) principals_allowed = {} for permission in ("view", "edit", "audit"): p = principals_allowed_by_permission(context, permission) if p is Everyone: p = [Everyone] principals_allowed[permission] = sorted(p) path = resource_path(context) paths = {path} collection = context.collection if collection.unique_key in unique_keys: paths.update(resource_path(collection, key) for key in unique_keys[collection.unique_key]) for base in (collection, request.root): for key_name in ("accession", "alias"): if key_name not in unique_keys: continue paths.add(resource_path(base, uuid)) paths.update(resource_path(base, key) for key in unique_keys[key_name]) path = path + "/" embedded = request.embed(path, "@@embedded") object = request.embed(path, "@@object") audit = request.embed(path, "@@audit")["audit"] document = { "audit": audit, "embedded": embedded, "embedded_uuids": sorted(request._embedded_uuids), "item_type": context.type_info.item_type, "linked_uuids": sorted(request._linked_uuids), "links": links, "object": object, "paths": sorted(paths), "principals_allowed": principals_allowed, "properties": properties, "propsheets": {name: context.propsheets[name] for name in context.propsheets.keys() if name != ""}, "tid": context.tid, "unique_keys": unique_keys, "uuid": uuid, } return document
def authorize(request, annotation, action, user=None): annotation = wrap_annotation(request, annotation) allowed = security.principals_allowed_by_permission(annotation, action) if user is None: principals = request.session.get('personas', []) else: principals = [user.id] if len(principals): principals.append(security.Authenticated) principals.append(security.Everyone) return set(allowed) & set(principals) != set()
def authorize(request, annotation, action, user=None): annotation = wrap_annotation(request, annotation) allowed = security.principals_allowed_by_permission(annotation, action) if user is None: principals = request.session.get('personas', []) else: principals = [user.id] if len(principals): principals.append(security.Authenticated) principals.append(security.Everyone) return set(allowed) & set(principals) != set()
def calc_principals(context): principals_allowed = {} for permission in ('view', 'edit', 'audit'): principals = principals_allowed_by_permission(context, permission) if principals is Everyone: principals = [Everyone] elif Everyone in principals: principals = [Everyone] elif Authenticated in principals: principals = [Authenticated] # Filter our roles principals_allowed[permission] = [ p for p in sorted(principals) if not p.startswith('role.') ] return principals_allowed
def handle_annotation_event(message, sockets, request, session): id_ = message["annotation_id"] annotation = storage.fetch_annotation(session, id_) if annotation is None: log.warning("received annotation event for missing annotation: %s", id_) return # Find connected clients which are interested in this annotation. matching_sockets = SocketFilter.matching(sockets, annotation, session) try: # Check to see if the generator has any items first_socket = next(matching_sockets) except StopIteration: # Nothing matched return # Create a generator which has the first socket back again matching_sockets = chain( # pylint: disable=redefined-variable-type (first_socket, ), matching_sockets) resource = AnnotationNotificationContext( annotation, group_service=request.find_service(IGroupService), links_service=request.find_service(name="links"), ) read_principals = principals_allowed_by_permission(resource, "read") reply = _generate_annotation_event(session, request, message, resource) annotator_nipsad = request.find_service(name="nipsa").is_flagged( annotation.userid) for socket in matching_sockets: # Don't send notifications back to the person who sent them if message["src_client_id"] == socket.client_id: continue # Only send NIPSA'd annotations to the author if annotator_nipsad and socket.authenticated_userid != annotation.userid: continue # Check whether client is authorized to read this annotation. if not set(read_principals).intersection(socket.effective_principals): continue socket.send_json(reply)
def _getInfo(profile, content): community = context = find_community(content) if context is None: # try for content inside a profile context = find_interface(content, IProfile) if context is None: context_name = context_url = None else: context_name = context.title context_url = resource_path(context) tagger = find_tags(content) if tagger is not None: cloud = list(tagger.getCloud(items=(content.docid,))) tag_counts = sorted(cloud, key=lambda x: x[1], reverse=True)[:3] tags = [x[0] for x in tag_counts] else: tags = () content_type = get_content_type(content) desc = getattr(content, "description", "") short = len(desc) > 80 and "%s..." % desc[:80] or desc if IPosts.providedBy(content): comment_count = len(content.get("comments", ())) else: comment_count = False content_creator = profile.__name__ if IComment.providedBy(content): # my content filter needs to know if a comment was made inside my post content_creator = content.__parent__.__parent__.creator return { "content_type": content_type.getTaggedValue("name"), "userid": profile.__name__, "context_name": context_name, "context_url": context_url, "content_creator": content_creator, "url": resource_path(content), "title": content.title, "description": desc, "short_description": short, "allowed": principals_allowed_by_permission(content, "view"), "comment_count": comment_count, "tags": tags, # XXX "author": profile.title, "profile_url": "/profiles/%s" % profile.__name__, "thumbnail": "/profiles/%s/profile_thumbnail" % profile.__name__, "timestamp": _NOW(), }
def _getInfo(profile, content): community = context = find_community(content) if context is None: # try for content inside a profile context = find_interface(content, IProfile) if context is None: context_name = context_url = None else: context_name = context.title context_url = resource_path(context) tagger = find_tags(content) if tagger is not None: cloud = list(tagger.getCloud(items=(content.docid,))) tag_counts = sorted(cloud, key=lambda x: x[1], reverse=True)[:3] tags = [x[0] for x in tag_counts] else: tags = () content_type = get_content_type(content) desc = getattr(content, 'description', '') short = len(desc) > 256 and '%s...' % desc[:256] or desc if IPosts.providedBy(content): comment_count = len(content.get('comments', ())) else: comment_count = False content_creator = profile.__name__ if IComment.providedBy(content): # my content filter needs to know if a comment was made inside my post content_creator = content.__parent__.__parent__.creator return {'content_type': content_type.getTaggedValue('name'), 'userid': profile.__name__, 'context_name': context_name, 'context_url': context_url, 'content_creator': content_creator, 'url': resource_path(content), 'title': content.title, 'description': desc, 'short_description': short, 'allowed': principals_allowed_by_permission(content, 'view'), 'comment_count': comment_count, 'tags': tags, #XXX 'author': profile.title, 'profile_url': '/profiles/%s' % profile.__name__, 'thumbnail': '/profiles/%s/profile_thumbnail' % profile.__name__, 'timestamp': _NOW(), }
def send_notifications(event): # Extract data action = event.action request = event.request annotation = event.annotation # And for them we need only the creation action if action != 'create': return # Check for authorization. Send notification only for public annotation # XXX: This will be changed and fine grained when # user groups will be introduced if Everyone not in principals_allowed_by_permission(annotation, 'read'): return # Store the parent values as additional data data = { 'parent': parent_values(annotation) } subscriptions = Subscriptions.get_active_subscriptions_for_a_type( request, types.REPLY_TYPE ) for subscription in subscriptions: data['subscription'] = subscription.__json__(request) # Validate annotation if check_conditions(annotation, data): try: # Render e-mail parts tmap = create_template_map(request, annotation, data) text = render(TXT_TEMPLATE, tmap, request).strip() html = render(HTML_TEMPLATE, tmap, request).strip() subject = render(SUBJECT_TEMPLATE, tmap, request).strip() recipients = get_recipients(request, data) send_email(request, subject, text, html, recipients) # ToDo: proper exception handling here except TemplateRenderException: log.exception('Failed to render subscription' ' template %s', subscription) except: log.exception('Unknown error when trying to render' ' subscription template %s', subscription)
def domain_notification(event): if event.action != 'create': return try: annotation = event.annotation request = event.request # Check for authorization. Send notification only for public annotation # XXX: This will be changed and fine grained when # user groups will be introduced allowed = principals_allowed_by_permission(annotation, 'read') if Everyone not in allowed: return uri = annotation['uri'] # TODO: Fetching the page should be done via a webproxy r = requests.get(uri) emails = get_document_owners(r.text) # Now send the notifications url_struct = urlparse(annotation['uri']) domain = url_struct.hostname or url_struct.path domain = re.sub(r'^www.', '', domain) for email in emails: # Domain matching mail_domain = email.split('@')[-1] if mail_domain == domain: try: # Render e-mail parts tmap = create_template_map(request, annotation) text = render(TXT_TEMPLATE, tmap, request).strip() html = render(HTML_TEMPLATE, tmap, request).strip() subject = render(SUBJECT_TEMPLATE, tmap, request).strip() send_email(request, subject, text, html, [email]) # ToDo: proper exception handling here except TemplateRenderException: log.exception('Failed to render domain-mailer template') except: log.exception( 'Unknown error when trying to render' 'domain-mailer template') except: log.exception('Problem with domain notification')
def send_notifications(event): # Extract data action = event.action request = event.request annotation = event.annotation # And for them we need only the creation action if action != 'create': return # Check for authorization. Send notification only for public annotation # XXX: This will be changed and fine grained when # user groups will be introduced if Everyone not in principals_allowed_by_permission(annotation, 'read'): return # Store the parent values as additional data data = {'parent': parent_values(annotation)} subscriptions = Subscriptions.get_active_subscriptions_for_a_type( request, types.REPLY_TYPE) for subscription in subscriptions: data['subscription'] = subscription.__json__(request) # Validate annotation if check_conditions(annotation, data): try: # Render e-mail parts tmap = create_template_map(request, annotation, data) text = render(TXT_TEMPLATE, tmap, request).strip() html = render(HTML_TEMPLATE, tmap, request).strip() subject = render(SUBJECT_TEMPLATE, tmap, request).strip() recipients = get_recipients(request, data) send_email(request, subject, text, html, recipients) # ToDo: proper exception handling here except TemplateRenderException: log.exception('Failed to render subscription' ' template %s', subscription) except: log.exception( 'Unknown error when trying to render' ' subscription template %s', subscription)
def __call__(self, resource, default): permissions = self.permissions if permissions is None: registry = get_current_registry() # XXX lame permissions = get_all_permissions(registry) values = [] for permission in permissions: principals = principals_allowed_by_permission(resource, permission) values.extend([(principal, permission) for principal in principals]) if not values: # An empty value tells the catalog to match anything, whereas # when there are no principals with permission to view we # want for there to be no matches. values = [(NoWay, NoWay)] return values
def __call__(self, resource, default): permissions = self.permissions if permissions is None: registry = get_current_registry() # XXX lame permissions = get_all_permissions(registry) values = [] for permission in permissions: principal_ids = principals_allowed_by_permission( resource, permission) for principal_id in principal_ids: principal_repr = get_principal_repr(principal_id) values.append((principal_repr, permission)) if not values: return default return values
def permissions(self): """ Return a permissions dict for the given annotation. Converts our simple internal annotation storage format into the legacy complex permissions dict format that is still used in some places. """ read = self.annotation.userid if self.annotation.shared: read = 'group:{}'.format(self.annotation.groupid) principals = security.principals_allowed_by_permission( self.annotation_resource, 'read') if security.Everyone in principals: read = 'group:__world__' return {'read': [read], 'admin': [self.annotation.userid], 'update': [self.annotation.userid], 'delete': [self.annotation.userid]}
def __call__(self, wrapper, default): content = wrapper.content permissions = self.permissions if permissions is None: registry = get_current_registry() permissions = get_all_permissions(registry) values = [] for permission in permissions: principals = principals_allowed_by_permission(content, permission) values.extend([(principal, permission) for principal in principals]) if not values: # An empty value tells the catalog to match anything, whereas # when there are no principals with permission to view we # want for there to be no matches. values = [(NoWay, NoWay)] return values
def __call__(self, resource, default): permissions = self.permissions if permissions is None: registry = get_current_registry() # XXX lame permissions = get_all_permissions(registry) values = [] for permission in permissions: principal_ids = principals_allowed_by_permission( resource, permission ) for principal_id in principal_ids: principal_repr = get_principal_repr(principal_id) values.append((principal_repr, permission)) if not values: return default return values
def test_delete(self): obj = self._cut() self.assertEqual(principals_allowed_by_permission(obj, security.DELETE), admin)
def test_delete(self): obj = self._cut() self.assertEqual( principals_allowed_by_permission(obj, security.DELETE), admin)
def test_upcoming_meeting_private_ai(self): m = self._fixture() self.assertEqual(principals_allowed_by_permission(m['ai']['d'], security.VIEW), admin | moderator) self.assertEqual(principals_allowed_by_permission(m['ai']['d'], security.EDIT), admin | moderator) self.assertEqual(principals_allowed_by_permission(m['ai']['d'], security.DELETE), admin | moderator)
def _group_principals(group): if group is None: return [] return principals_allowed_by_permission(group, 'read')
def test_add_agenda_template(self): obj = self._cut() self.assertEqual(principals_allowed_by_permission(obj, security.ADD_AGENDA_TEMPLATE), admin)
def test_view(self): obj = self._cut() self.assertEqual(principals_allowed_by_permission(obj, security.VIEW), admin | owner)
def _group_principals(group, principal): if group is None: return [] principals = principals_allowed_by_permission(group, principal) return principals
def test_edit(self): obj = self._cut() self.assertEqual(principals_allowed_by_permission(obj, security.EDIT), admin | owner)
def test_view(self): obj = self._cut() self.assertEqual(principals_allowed_by_permission(obj, security.VIEW), admin | owner)
def test_add_user(self): obj = self._cut() self.assertEqual(principals_allowed_by_permission(obj, security.ADD_USER), admin)
def _callFUT(self, *arg): from pyramid.security import principals_allowed_by_permission return principals_allowed_by_permission(*arg)
def test_change_password(self): obj = self._cut() self.assertEqual( principals_allowed_by_permission(obj, security.CHANGE_PASSWORD), admin | owner)
def test_manage_server(self): obj = self._cut() self.assertEqual(principals_allowed_by_permission(obj, security.MANAGE_SERVER), admin)
def test_edit(self): obj = self._cut() self.assertEqual(principals_allowed_by_permission(obj, security.EDIT), admin | owner)
def test_change_password(self): obj = self._cut() self.assertEqual(principals_allowed_by_permission(obj, security.CHANGE_PASSWORD), admin | owner)
def test_manage_server(self): obj = self._cut() self.assertEqual( principals_allowed_by_permission(obj, security.MANAGE_SERVER), admin)
def test_delete(self): obj = self._cut() #Currently, there's no way to delete a user. #This has to do with ownership, we need a way to clean it up if we want to remove users. self.assertEqual(principals_allowed_by_permission(obj, security.DELETE), set())