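def test_initate_and_transition_to_frozen(registry, context):
    """Initialise the 'sample' workflow, freeze it and check the local ACL.

    After initialisation the state is 'participate' and the local ACL lets
    ``role:participant`` create proposals. After the transition to 'frozen'
    the local ACL must be empty.
    """
    from substanced.util import get_acl

    workflow = registry.content.workflows['sample']
    assert workflow.state_of(context) is None

    workflow.initialize(context)
    # Compare state names by value: ``is`` against a str literal only passes
    # when both strings happen to be the same interned object, and recent
    # interpreters emit a SyntaxWarning for it.
    assert workflow.state_of(context) == 'participate'
    assert ('Allow', 'role:participant', 'create_proposal') in get_acl(context)

    request = testing.DummyRequest()  # bypass permission check
    workflow.transition_to_state(context, request, 'frozen')
    assert workflow.state_of(context) == 'frozen'
    # No local ACE may survive the transition, so the participant grant
    # asserted above must be gone as well.
    assert get_acl(context) == []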
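def test_initate_and_transition_to_frozen(registry, context):
    """Initialise the 'sample' workflow, freeze it and check the local ACL.

    After initialisation the state is 'participate' and the local ACL lets
    ``role:participant`` create proposals and documents. After the
    transition to 'frozen' the local ACL must be empty.
    """
    from substanced.util import get_acl

    workflow = registry.content.workflows['sample']
    assert workflow.state_of(context) is None

    workflow.initialize(context)
    # Compare state names by value: ``is`` against a str literal only passes
    # when both strings happen to be the same interned object, and recent
    # interpreters emit a SyntaxWarning for it.
    assert workflow.state_of(context) == 'participate'
    assert ('Allow', 'role:participant', 'create_proposal') in get_acl(context)
    assert ('Allow', 'role:participant', 'create_document') in get_acl(context)

    request = testing.DummyRequest()  # bypass permission check
    workflow.transition_to_state(context, request, 'frozen')
    assert workflow.state_of(context) == 'frozen'
    # No local ACE may survive the transition, so both participant grants
    # asserted above must be gone as well.
    assert get_acl(context) == []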
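def test_initiate_bplan_private_workflow(registry, context):
    """Initialising 'bplan_private' must hide the resource from anonymous users.

    The workflow starts without a state, enters 'private' on initialisation,
    and the resulting local ACL has to contain an explicit Deny of 'view'
    for ``system.Anonymous``.
    """
    from substanced.util import get_acl

    workflow = registry.content.workflows['bplan_private']
    assert workflow.state_of(context) is None

    workflow.initialize(context)
    # Compare the state name by value: ``is`` against a str literal depends
    # on string interning and triggers a SyntaxWarning on recent interpreters.
    assert workflow.state_of(context) == 'private'

    local_acl = get_acl(context)
    # Only membership is checked here; the position of the Deny relative to
    # any Allow ACE for the same principal is not verified by this test.
    assert ('Deny', 'system.Anonymous', 'view') in local_acl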
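def test_initiate_bplan_private_workflow(registry, context):
    """Initialising "bplan_private" must hide the resource from anonymous users.

    The workflow starts without a state, enters "private" on initialisation,
    and the resulting local ACL has to contain an explicit Deny of "view"
    for ``system.Anonymous``.
    """
    from substanced.util import get_acl

    workflow = registry.content.workflows["bplan_private"]
    assert workflow.state_of(context) is None

    workflow.initialize(context)
    # Compare the state name by value: ``is`` against a str literal depends
    # on string interning and triggers a SyntaxWarning on recent interpreters.
    assert workflow.state_of(context) == "private"

    local_acl = get_acl(context)
    # Only membership is checked here; the position of the Deny relative to
    # any Allow ACE for the same principal is not verified by this test.
    assert ("Deny", "system.Anonymous", "view") in local_acl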
def test_create_root_with_acl(self, registry):
    """A freshly created root pool carries the expected default ACL.

    Anonymous users may 'view' and 'create_user', and the very first ACE
    grants every permission to ``role:god``.
    """
    from pyramid.security import ALL_PERMISSIONS, Allow
    from substanced.util import get_acl

    from adhocracy_core.resources.root import IRootPool

    root_pool = registry.content.create(IRootPool.__identifier__)
    root_acl = get_acl(root_pool)

    # Grants to unauthenticated callers: read access and self-registration.
    for permission in ('view', 'create_user'):
        assert (Allow, 'system.Anonymous', permission) in root_acl

    # The god ACE is pinned to index 0. Pyramid's ACL policy stops at the
    # first matching ACE, so this position keeps a later Deny from
    # overriding the grant.
    assert (Allow, 'role:god', ALL_PERMISSIONS) == root_acl[0]
def change_acl_callback(content, workflow, transition, request):
    """Rebuild the ACL of *content* for the visibility state being entered.

    ACEs that do not mention 'view', 'yss.indexed' or 'yss.edit' are carried
    over from the current ACL; the ACEs for those three permissions are then
    regenerated from the transition name. Without a transition (initial
    state) the private ACEs are used.

    Nothing is written when *content* has no ``performer``.
    """
    new_acl = []
    current_acl = get_acl(content, [])
    admins = find_service(content, 'principals')['groups']['admins']

    performer = getattr(content, 'performer', None)
    if performer is None:
        # Workflow initialisation reached us through a subscriber before a
        # performer was attached; leave the ACL untouched.
        return

    owner_id = performer.user.__oid__
    admins_id = admins.__oid__

    # Permissions whose ACEs this callback owns and regenerates below.
    managed_permissions = ('view', 'yss.indexed', 'yss.edit')

    for ace in current_acl:
        # Keep ACEs defined by other subsystems (like "like"); drop the
        # blanket ones and anything touching a managed permission.
        if ace == DENY_ALL:
            continue
        _, _, perms = ace
        if perms is ALL_PERMISSIONS:
            continue
        if not is_nonstr_iter(perms):
            perms = [perms]
        # An ACE that bundles a managed permission with unrelated ones is
        # dropped as a whole, not split.
        if any(name in perms for name in managed_permissions):
            continue
        new_acl.append(ace)

    private_aces = [
        (Allow, admins_id, ALL_PERMISSIONS),
        (Allow, owner_id, ('view',)),
        (Allow, owner_id, ('yss.edit',)),
        DENY_ALL,
    ]

    if not transition:
        # Initial state: content starts out private.
        new_acl.extend(private_aces)
    else:
        transition_name = transition['name']
        if transition_name.startswith('Make public'):
            # NOTE(review): unlike the other two states this list has no
            # admins ACE and no trailing DENY_ALL, so anything not matched
            # here falls through to inherited ACLs -- confirm that is the
            # intended behaviour for public content.
            new_acl.extend([
                (Allow, Everyone, ('view',)),
                (Allow, Everyone, ('yss.indexed',)),
                (Allow, owner_id, ('yss.edit',)),
            ])
        if transition_name.startswith('Make private'):
            new_acl.extend(private_aces)
        if transition_name.startswith('Make authenticated-only'):
            new_acl.extend([
                (Allow, admins_id, ALL_PERMISSIONS),
                (Allow, 'system.Authenticated', ('view',)),
                (Allow, 'system.Authenticated', ('yss.indexed',)),
                (Allow, owner_id, ('yss.edit',)),
                DENY_ALL,
            ])

    # Preserved ACEs come first and therefore take precedence over the
    # state ACEs (including DENY_ALL) appended after them.
    set_acl(content, new_acl)
def add_path_to_acl_to_objectmap(root):
    """Create ``path_to_acl`` on the objectmap and index every existing ACL.

    Replaces ``objectmap.path_to_acl`` with a fresh OO BTree, then visits
    each object yielded by ``postorder(root)`` and registers its ACL with
    the objectmap when it has one. One log line is written per object.
    """
    objectmap = root.__objectmap__
    objectmap.path_to_acl = objectmap.family.OO.BTree()
    logger.info('Populating path_to_acl in objectmap (expensive evolve step)')

    for node in postorder(root):
        node_oid = objectmap.objectid_for(node)
        display_path = _SLASH.join(objectmap.path_for(node_oid))

        # ``None`` as default distinguishes "no ACL attribute" from an
        # empty ACL, which is still indexed.
        node_acl = get_acl(node, None)
        if node_acl is None:
            status = '(no acl)'
        else:
            objectmap.set_acl(node, node_acl)
            status = '(indexed acl)'

        logger.info('%s %s' % (display_path, status))
def accept_retime(self):
    """Promote the alternate timings of the song and lift its index denial.

    Copies ``alt_timings`` into ``timings``, clears ``alt_timings``, removes
    the Deny ACE for 'yss.indexed' from the song's ACL, notifies
    subscribers with an ``ObjectModified`` event, flashes a confirmation
    and returns the URL of the ``@@retime`` view.
    """
    song = self.context
    song.timings = song.alt_timings
    song.alt_timings = ''

    # Drop only the ACE that denies 'yss.indexed'; every other ACE is kept
    # in its original order.
    # NOTE(review): the match requires the permission field to be exactly
    # the list ['yss.indexed'] -- a tuple or a bare string would not compare
    # equal and the Deny would silently stay in place. Confirm this matches
    # how the ACE is written.
    remaining_aces = [
        ace for ace in get_acl(song)
        if not (ace[0] == Deny and ace[2] == ['yss.indexed'])
    ]
    set_acl(song, remaining_aces)

    modified = ObjectModified(song)
    self.request.registry.subscribers((modified, song), None)

    message = (
        'Retime accepted, song will show up in searches, and may now be '
        'recorded by everyone. Nice work.'
    )
    self.request.session.flash(message, 'info')
    return self.request.resource_url(self.context, '@@retime')
def set_acms_for_app_root(app: Router, acms: (dict)=()):
    """Set the :term:`acm`s for the root object of `app`.

    The resulting ACL always starts with the ACE granting all permissions
    to the god user, followed by the ACEs of each :term:`acm` in the order
    given. The root is only written, and the transaction only committed,
    when the ACL differs from the stored one.

    :param app: The pyramid wsgi application
    :param acms: :class:`adhocracy_core.schema.ACM` dictionaries.
                 :term:`acm`s with overriding permissions should be put
                 before :term:`acm`s with default permissions.
    """
    # The god ACE goes first so that no later ACE can shadow it.
    desired_acl = [god_all_permission_ace]
    for acm in acms:
        desired_acl.extend(acm_to_acl(acm, app.registry))

    root = get_root(app)
    stored_acl = get_acl(root)
    if stored_acl == desired_acl:
        # Nothing changed: avoid a needless write and commit.
        return

    set_acl(root, desired_acl, app.registry)
    transaction.commit()
def set_acms_for_app_root(app: Router, acms: (dict) = ()):
    """Set the :term:`acm`s for the root object of `app`.

    The resulting ACL always starts with the ACE granting all permissions
    to the god user, followed by the ACEs of each :term:`acm` in the order
    given. The root is only written, and the transaction only committed,
    when the ACL differs from the stored one.

    :param app: The pyramid wsgi application
    :param acms: :class:`adhocracy_core.schema.ACM` dictionaries.
                 :term:`acm`s with overriding permissions should be put
                 before :term:`acm`s with default permissions.
    """
    # The god ACE goes first so that no later ACE can shadow it.
    desired_acl = [god_all_permission_ace]
    for acm in acms:
        desired_acl.extend(acm_to_acl(acm, app.registry))

    root = get_root(app)
    stored_acl = get_acl(root)
    if stored_acl == desired_acl:
        # Nothing changed: avoid a needless write and commit.
        return

    set_acl(root, desired_acl, app.registry)
    transaction.commit()
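def set_acms_for_app_root(event):
    """Set/update :term:`acm`s for the root object of the pyramid application.

    :param event: this function should be used as a subscriber for the
                  :class:`pyramid.interfaces.IApplicationCreated` event.
                  That way every time the application starts the root `acm`
                  is updated.

    The `root_acm` (:func:`root_acm_asset`) is extended by the :term:`acm`
    returned by the
    :class:`adhocracy_core.authorization.IRootACMExtension` adapter.
    In addition all permissions are granted the god user.

    The ACL is built in the order god ACE, extension ACEs, base ACEs. The
    root is only written and committed when that ACL differs from the
    stored one. The ``closer`` returned by ``get_root`` is always called.
    """
    root, closer = get_root(event.app)
    try:
        registry = event.app.registry
        acl = [god_all_permission_ace]
        acl += _get_root_extension_acl(root, registry)
        acl += _get_root_base_acl()

        old_acl = get_acl(root, [])
        if old_acl == acl:
            # Already up to date: skip the write and the commit.
            return

        set_acl(root, acl, registry)
        transaction.commit()
    finally:
        # Call closer() on every exit path, including the "unchanged" early
        # return and a failing set_acl/commit, both of which used to skip it.
        closer()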
def set_god_all_permissions(resource: IResource, registry=None) -> bool:
    """Prepend the god user's all-permissions ACE to the resource's ACL.

    The ACE is placed in front of the existing ACEs, so it is the first
    entry of the ACL that is written back.
    """
    # NOTE(review): the signature promises ``bool`` but nothing is returned,
    # so callers always get ``None`` -- confirm which one is intended.
    # NOTE(review): there is no check for an existing god ACE; calling this
    # twice on the same resource stores the ACE twice.
    existing_aces = get_acl(resource)
    set_acl(resource, [god_all_permission_ace] + existing_aces, registry)