def test_works_for_non_owner_with_permission(self):
    """A non-owner is refused (403) until granted MODIFY, after which the same update succeeds."""
    dashboard = self.factory.create_dashboard()
    outsider = self.factory.create_user()
    new_name = 'New Name'
    url = '/api/dashboards/{0}'.format(dashboard.id)

    def post_rename():
        # Fresh payload per call so the version is read at request time.
        payload = {
            'name': new_name,
            'layout': '[]',
            'version': dashboard.version
        }
        return self.make_request('post', url, data=payload, user=outsider)

    # Without a permission the endpoint must refuse the update.
    denied = post_rename()
    self.assertEqual(denied.status_code, 403)

    AccessPermission.grant(obj=dashboard, access_type=ACCESS_TYPE_MODIFY,
                           grantee=outsider, grantor=dashboard.user)

    allowed = post_rename()
    self.assertEqual(allowed.status_code, 200)
    self.assertEqual(allowed.json['name'], new_name)
def test_works_for_non_owner_with_permission(self):
    """Renaming a dashboard is 403 for a stranger and 200 once MODIFY is granted."""
    dashboard = self.factory.create_dashboard()
    stranger = self.factory.create_user()
    new_name = "New Name"
    endpoint = "/api/dashboards/{0}".format(dashboard.id)

    def attempt_rename():
        # Build the body on every call so `version` reflects the current row.
        return self.make_request(
            "post",
            endpoint,
            data={"name": new_name, "layout": "[]", "version": dashboard.version},
            user=stranger,
        )

    # First attempt: no permission yet, must be rejected.
    self.assertEqual(attempt_rename().status_code, 403)

    AccessPermission.grant(
        obj=dashboard, access_type=ACCESS_TYPE_MODIFY, grantee=stranger, grantor=dashboard.user
    )

    # Second attempt: the explicit grant now authorises the update.
    response = attempt_rename()
    self.assertEqual(response.status_code, 200)
    self.assertEqual(response.json["name"], new_name)
def test_returns_true_for_existing_permission(self):
    """The ACL check endpoint answers True for a grantee who holds MODIFY."""
    query = self.factory.create_query()
    grantee = self.factory.create_user()
    AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY,
                           grantor=self.factory.user, grantee=grantee)

    acl_url = "/api/queries/{}/acl/{}".format(query.id, ACCESS_TYPE_MODIFY)
    rv = self.make_request("get", acl_url, user=grantee)

    self.assertEqual(rv.status_code, 200)
    self.assertEqual(rv.json["response"], True)
def test_returns_true_for_existing_permission(self):
    """GET /acl/<type> reports True once that permission has been granted to the caller."""
    query = self.factory.create_query()
    holder = self.factory.create_user()
    AccessPermission.grant(obj=query,
                           access_type=ACCESS_TYPE_MODIFY,
                           grantor=self.factory.user,
                           grantee=holder)

    path = '/api/queries/{}/acl/{}'.format(query.id, ACCESS_TYPE_MODIFY)
    response = self.make_request('get', path, user=holder)

    self.assertEqual(response.status_code, 200)
    self.assertEqual(response.json['response'], True)
def test_returns_existing_object_if_exists(self):
    """Granting the same permission twice returns the same row rather than a duplicate."""
    query = self.factory.create_query()
    owner = self.factory.user
    grant_kwargs = dict(obj=query, access_type=ACCESS_TYPE_MODIFY,
                        grantor=owner, grantee=owner)

    first = AccessPermission.grant(**grant_kwargs)
    second = AccessPermission.grant(**grant_kwargs)

    self.assertEqual(first.id, second.id)
def test_returns_permissions(self):
    """GET /acl lists the granted permission under its access-type key."""
    query = self.factory.create_query()
    user = self.factory.user
    AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY,
                           grantor=user, grantee=user)

    rv = self.make_request('get', '/api/queries/{}/acl'.format(query.id), user=user)
    self.assertEqual(rv.status_code, 200)

    self.assertIn('modify', rv.json)
    modifiers = rv.json['modify']
    self.assertEqual(modifiers[0]['id'], user.id)
def test_deletes_all_permissions_if_no_type_given(self):
    """revoke() without an access type removes every permission the grantee holds on the object."""
    query = self.factory.create_query()
    owner = self.factory.user

    for access_type in (ACCESS_TYPE_MODIFY, ACCESS_TYPE_VIEW):
        AccessPermission.grant(obj=query, access_type=access_type,
                               grantor=owner, grantee=owner)

    revoked = AccessPermission.revoke(query, owner)
    self.assertEqual(revoked, 2)
def test_returns_permissions(self):
    """The ACL listing contains a 'modify' entry whose first grantee is the granted user."""
    query = self.factory.create_query()
    user = self.factory.user
    AccessPermission.grant(
        obj=query,
        access_type=ACCESS_TYPE_MODIFY,
        grantor=user,
        grantee=user,
    )

    listing = self.make_request("get", "/api/queries/{}/acl".format(query.id), user=user)

    self.assertEqual(listing.status_code, 200)
    self.assertIn("modify", listing.json)
    first_modifier = listing.json["modify"][0]
    self.assertEqual(first_modifier["id"], user.id)
def test_removes_permission(self):
    """The owner can DELETE a MODIFY grant held by another user."""
    query = self.factory.create_query()
    owner = self.factory.user
    grantee = self.factory.create_user()
    AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY,
                           grantor=owner, grantee=grantee)

    rv = self.make_request(
        "delete",
        "/api/queries/{}/acl".format(query.id),
        user=owner,
        data={"access_type": ACCESS_TYPE_MODIFY, "user_id": grantee.id},
    )

    self.assertEqual(rv.status_code, 200)
    self.assertFalse(AccessPermission.exists(query, ACCESS_TYPE_MODIFY, grantee))
def test_works_for_non_owner_with_permission(self):
    """Dashboard update: 403 for a non-owner, 200 after an explicit MODIFY grant."""
    dashboard = self.factory.create_dashboard()
    other = self.factory.create_user()
    new_name = 'New Name'
    url = '/api/dashboards/{0}'.format(dashboard.id)

    def send_update():
        # Re-read `version` each time so the second request uses the current value.
        body = {'name': new_name, 'layout': '[]', 'version': dashboard.version}
        return self.make_request('post', url, data=body, user=other)

    # No grant yet: must be denied.
    self.assertEqual(send_update().status_code, 403)

    AccessPermission.grant(obj=dashboard, access_type=ACCESS_TYPE_MODIFY,
                           grantee=other, grantor=dashboard.user)

    # Granted: update goes through and the new name is echoed back.
    rv = send_update()
    self.assertEqual(rv.status_code, 200)
    self.assertEqual(rv.json['name'], new_name)
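def post(self, object_type, object_id):
    """Grant an access permission on an object to a user in the current org.

    Authorisation: only an admin or the object's owner may grant
    (``require_admin_or_owner`` runs before the request body is read, so an
    unprivileged caller gets no feedback about the body's validity).

    Body (JSON): ``access_type`` (one of ``ACCESS_TYPES``) and ``user_id``
    (the grantee; looked up within the current org, so cross-org grants are
    rejected as 'User not found.'). A missing or malformed body is a 400.

    Returns the granted permission serialised with ``to_dict()``.
    """
    model = get_model_from_type(object_type)
    obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)
    # Authorisation check first: nothing below runs for a non-owner/non-admin.
    require_admin_or_owner(obj.user_id)

    req = request.get_json(True)
    # A missing/non-object body or a missing key used to raise KeyError/TypeError
    # (an HTTP 500); it is a client error, so answer 400 explicitly.
    if not isinstance(req, dict) or 'access_type' not in req or 'user_id' not in req:
        abort(400, message='Missing access_type or user_id.')

    access_type = req['access_type']
    if access_type not in ACCESS_TYPES:
        abort(400, message='Unknown access type.')

    try:
        # Org-scoped lookup: a user id from another org does not resolve here.
        grantee = User.get_by_id_and_org(req['user_id'], self.current_org)
    except User.DoesNotExist:
        abort(400, message='User not found.')

    permission = AccessPermission.grant(obj, access_type, grantee, self.current_user)

    # Audit trail: who granted what on which object.
    self.record_event({
        'action': 'grant_permission',
        'object_id': object_id,
        'object_type': object_type,
        'access_type': access_type,
        'grantee': grantee.id
    })

    return permission.to_dict()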
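def post(self, object_type, object_id):
    """Grant an access permission on an object to a user in the current org.

    Authorisation: only an admin or the object's owner may grant
    (``require_admin_or_owner`` runs before the request body is read).

    Body (JSON): ``access_type`` (one of ``ACCESS_TYPES``) and ``user_id``
    (the grantee; resolved within the current org, so ids from other orgs
    are answered with 'User not found.'). A missing or malformed body is
    a 400 rather than an unhandled KeyError.

    Returns the granted permission serialised with ``to_dict()``, after the
    session has been committed.
    """
    model = get_model_from_type(object_type)
    obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)
    # Authorisation check first: nothing below runs for a non-owner/non-admin.
    require_admin_or_owner(obj.user_id)

    req = request.get_json(True)
    # Validate the body shape before indexing into it; previously a missing
    # key or a non-object body surfaced as a 500.
    if not isinstance(req, dict) or 'access_type' not in req or 'user_id' not in req:
        abort(400, message='Missing access_type or user_id.')

    access_type = req['access_type']
    if access_type not in ACCESS_TYPES:
        abort(400, message='Unknown access type.')

    try:
        # Org-scoped lookup keeps grants inside the caller's organisation.
        grantee = User.get_by_id_and_org(req['user_id'], self.current_org)
    except NoResultFound:
        abort(400, message='User not found.')

    permission = AccessPermission.grant(obj, access_type, grantee, self.current_user)
    # Persist before recording the event so the audit entry never refers to
    # a permission that was rolled back.
    db.session.commit()

    self.record_event({
        'action': 'grant_permission',
        'object_id': object_id,
        'object_type': object_type,
        'grantee': grantee.id,
        'access_type': access_type,
    })

    return permission.to_dict()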
def test_removes_permission_created_by_another_user(self):
    """An admin can revoke a permission that a different user granted."""
    query = self.factory.create_query()
    grantee = self.factory.create_user()
    body = {
        'access_type': ACCESS_TYPE_MODIFY,
        'user_id': grantee.id
    }
    AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY,
                           grantor=self.factory.user, grantee=grantee)

    admin = self.factory.create_admin()
    rv = self.make_request('delete', '/api/queries/{}/acl'.format(query.id),
                           user=admin, data=body)

    self.assertEqual(rv.status_code, 200)
    still_granted = AccessPermission.exists(query, ACCESS_TYPE_MODIFY, grantee)
    self.assertFalse(still_granted)
def test_deletes_permission(self):
    """revoke() with an explicit access type removes exactly that one grant."""
    query = self.factory.create_query()
    owner = self.factory.user
    AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY,
                           grantor=owner, grantee=owner)

    revoked = AccessPermission.revoke(query, owner, ACCESS_TYPE_MODIFY)
    self.assertEqual(revoked, 1)
def test_creates_correct_object(self):
    """grant() stores object, grantor, grantee and access type exactly as given."""
    query = self.factory.create_query()
    owner = self.factory.user
    permission = AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY,
                                        grantor=owner, grantee=owner)

    actual = (permission.object, permission.grantor,
              permission.grantee, permission.access_type)
    expected = (query, owner, owner, ACCESS_TYPE_MODIFY)
    self.assertEqual(actual, expected)
def test_deletes_permission_for_only_given_grantee_on_given_grant_type(self):
    """revoke(obj, grantee, type) touches only that grantee's grant of that type."""
    query = self.factory.create_query()
    owner = self.factory.user
    first_user = self.factory.create_user()
    second_user = self.factory.create_user()

    grants = [
        (ACCESS_TYPE_MODIFY, first_user),
        (ACCESS_TYPE_MODIFY, second_user),
        (ACCESS_TYPE_VIEW, second_user),
    ]
    for access_type, grantee in grants:
        AccessPermission.grant(
            obj=query,
            access_type=access_type,
            grantor=owner,
            grantee=grantee,
        )

    # Only second_user's VIEW grant matches; the two MODIFY grants must survive.
    revoked = AccessPermission.revoke(query, second_user, ACCESS_TYPE_VIEW)
    self.assertEqual(revoked, 1)
def test_removes_permission(self):
    """DELETE /acl by the owner removes the named grantee's MODIFY permission."""
    query = self.factory.create_query()
    owner = self.factory.user
    grantee = self.factory.create_user()
    revoke_body = {"access_type": ACCESS_TYPE_MODIFY, "user_id": grantee.id}

    AccessPermission.grant(
        obj=query,
        access_type=ACCESS_TYPE_MODIFY,
        grantor=owner,
        grantee=grantee,
    )

    acl_url = "/api/queries/{}/acl".format(query.id)
    response = self.make_request("delete", acl_url, user=owner, data=revoke_body)
    self.assertEqual(response.status_code, 200)

    remains = AccessPermission.exists(query, ACCESS_TYPE_MODIFY, grantee)
    self.assertFalse(remains)
def test_deletes_permission_for_only_given_grantee_on_given_grant_type(self):
    """Revoking one (grantee, type) pair leaves other grantees and types untouched."""
    query = self.factory.create_query()
    owner = self.factory.user
    first_user = self.factory.create_user()
    second_user = self.factory.create_user()

    def give(access_type, grantee):
        AccessPermission.grant(obj=query, access_type=access_type,
                               grantor=owner, grantee=grantee)

    give(ACCESS_TYPE_MODIFY, first_user)
    give(ACCESS_TYPE_MODIFY, second_user)
    give(ACCESS_TYPE_VIEW, second_user)

    # Exactly one row matches (second_user, VIEW).
    self.assertEqual(AccessPermission.revoke(query, second_user, ACCESS_TYPE_VIEW), 1)
def test_deletes_permission(self):
    """A single MODIFY grant is reported as one row removed by revoke()."""
    query = self.factory.create_query()
    owner = self.factory.user
    AccessPermission.grant(obj=query,
                           access_type=ACCESS_TYPE_MODIFY,
                           grantor=owner,
                           grantee=owner)

    removed_count = AccessPermission.revoke(query, owner, ACCESS_TYPE_MODIFY)
    self.assertEqual(removed_count, 1)