def test_addPrincipalToGroup(self):
zgm = self._makeOne()
zgm.addGroup('group')
user = DummyUser('userid')
zgm.addPrincipalToGroup(user.getId(), 'group')
groups = zgm.getGroupsForPrincipal(user)
self.assertEqual(groups, ('group',))
def test_addPrincipalToGroup(self):
zgm = self._makeOne()
zgm.addGroup('group')
user = DummyUser('userid')
zgm.addPrincipalToGroup(user.getId(), 'group')
groups = zgm.getGroupsForPrincipal(user)
self.assertEqual(groups, ('group', ))
def test_removeGroupOutFromUnderPrincipal(self):
zgm = self._makeOne()
zgm.addGroup('group')
user = DummyUser('userid')
zgm.addPrincipalToGroup(user.getId(), 'group')
zgm.removeGroup('group')
group_ids = zgm.listGroupIds()
self.assertEqual(len(group_ids), 0)
groups = zgm.getGroupsForPrincipal(user)
self.assertEqual(groups, ())
def test_removeGroupOutFromUnderPrincipal(self):
zgm = self._makeOne()
zgm.addGroup('group')
user = DummyUser('userid')
zgm.addPrincipalToGroup(user.getId(), 'group')
zgm.removeGroup('group')
group_ids = zgm.listGroupIds()
self.assertEqual(len(group_ids), 0)
groups = zgm.getGroupsForPrincipal(user)
self.assertEqual(groups, ())
def test_assignRoleToPrincipal_user(self):
from Products.PluggableAuthService.tests.test_PluggableAuthService \
import FauxRoot
root = FauxRoot()
zrm = self._makeOne(id='assign_user').__of__(root)
zrm.addRole('test1')
zrm.addRole('test2')
user = DummyUser('foo')
roles = zrm.getRolesForPrincipal(user)
self.assertEqual(len(roles), 0)
zrm.assignRoleToPrincipal('test1', 'foo')
roles = zrm.getRolesForPrincipal(user)
self.assertEqual(len(roles), 1)
self.failUnless('test1' in roles)
zrm.assignRoleToPrincipal('test2', 'foo')
roles = zrm.getRolesForPrincipal(user)
self.assertEqual(len(roles), 2)
self.failUnless('test1' in roles)
self.failUnless('test2' in roles)
def test_empty(self):
zrm = self._makeOne()
self.assertEqual(len(zrm.listRoleIds()), 0)
self.assertEqual(len(zrm.enumerateRoles()), 0)
user = DummyUser('userid')
roles = zrm.getRolesForPrincipal(user)
self.assertEqual(len(roles), 0)
def test_empty( self ):
zgm = self._makeOne()
self.assertEqual( len( zgm.listGroupIds() ), 0 )
self.assertEqual( len( zgm.enumerateGroups() ), 0 )
user = DummyUser( 'userid' )
groups = zgm.getGroupsForPrincipal( user )
self.assertEqual( len( groups ), 0 )
def test_multiplePrincipalsPerGroup(self):
pas = FauxPAS()
zgm = self._makeOne().__of__(pas)
zgm.addGroup('group1')
zgm.addGroup('group2')
user1 = DummyUser('userid1')
user2 = DummyUser('userid2')
zgm.addPrincipalToGroup(user1.getId(), 'group1')
zgm.addPrincipalToGroup(user1.getId(), 'group2')
zgm.addPrincipalToGroup(user2.getId(), 'group2')
group_ids = zgm.listGroupIds()
self.assertEqual(len(group_ids), 2)
principals = zgm.listAssignedPrincipals('group2')
self.assertEqual(principals, [('userid1', 'userid1'),
('userid2', 'userid2')])
def testPOSTProtections(self):
from zExceptions import Forbidden
USER_ID = 'testuser'
GROUP_ID = 'testgroup'
zgm = self._makeOne()
zgm.prefix = 'prefixed_'
zgm.addGroup( GROUP_ID )
user = DummyUser( USER_ID )
req, res = makeRequestAndResponse()
# test addPrincipalToGroup
# Fails with a GET
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden, zgm.addPrincipalToGroup,
USER_ID, GROUP_ID, REQUEST=req)
# Works with a POST
req.set('REQUEST_METHOD', 'POST')
zgm.addPrincipalToGroup(USER_ID, GROUP_ID, REQUEST=req)
# test removePrincipalFromGroup
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden, zgm.removePrincipalFromGroup,
USER_ID, GROUP_ID, REQUEST=req)
# Works with a POST
req.set('REQUEST_METHOD', 'POST')
zgm.removePrincipalFromGroup(USER_ID, GROUP_ID, REQUEST=req)
# test manage_addPrincipalsToGroup
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden, zgm.manage_addPrincipalsToGroup,
GROUP_ID, [USER_ID], REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
zgm.manage_addPrincipalsToGroup(GROUP_ID, [USER_ID], REQUEST=req)
# test manage_removePrincipalsFromGroup
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden, zgm.manage_removePrincipalsFromGroup,
GROUP_ID, [USER_ID], REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
zgm.manage_removePrincipalsFromGroup(GROUP_ID, [USER_ID], REQUEST=req)
# test manage_removeGroup
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden, zgm.manage_removeGroups,
[GROUP_ID], REQUEST=req)
# Works with a POST
req.set('REQUEST_METHOD', 'POST')
zgm.manage_removeGroups([GROUP_ID], REQUEST=req)
def test_removeRole_then_addRole(self):
from Products.PluggableAuthService.tests.test_PluggableAuthService \
import FauxRoot
root = FauxRoot()
zrm = self._makeOne(id='remove_then_add').__of__(root)
user = DummyUser('foo')
zrm.addRole('test')
zrm.assignRoleToPrincipal('test', 'foo')
self.failUnless('test' in zrm.getRolesForPrincipal(user))
zrm.removeRole('test')
zrm.addRole('test')
self.failIf('test' in zrm.getRolesForPrincipal(user))
def test_roles_for_control_panel(self):
"""There's a special case, the users control panel for which
we should never grant to users the roles they have got through
the groups they belong.
In that intent, the control panels view pushes
'__ignore_group_roles__' = True
in the request.
"""
root = FauxPAS()
# Add a minimal PluginRegistry with a mock IGroupsPlugin, because the
# roles plugin depends on it:
root._setObject('plugins', PluginRegistry(_PLUGIN_TYPE_INFO))
root._setObject('groups', FauxGroupsPlugin())
root['plugins'].activatePlugin(IGroupsPlugin, 'groups')
garm = self._makeOne('garm').__of__(root)
# 2 roles
garm.addRole('foo_role')
garm.addRole('bar_role')
# Group 'somegroup' has 'bar_role'
garm.assignRoleToPrincipal('bar_role', 'somegroup')
# 'johndoe' has 'foo_role'
johndoe = DummyUser('johndoe', ('somegroup', ))
garm.assignRoleToPrincipal('foo_role', 'johndoe')
# 'johndoe' should have 'foo_role' and 'bar_roles'
got = garm.getRolesForPrincipal(johndoe)
expected = ['foo_role', 'bar_role']
self.assertEqual(set(got), set(expected))
# For the users control panel, johndoe has only the 'foo_role'
garm.REQUEST.set('__ignore_group_roles__', True)
got = garm.getRolesForPrincipal(johndoe)
self.assertEqual(got, ('foo_role', ))
# Confirm we can get only the inherited roles
garm.REQUEST.set('__ignore_group_roles__', False)
garm.REQUEST.set('__ignore_direct_roles__', True)
got = garm.getRolesForPrincipal(johndoe)
self.assertEqual(got, ('bar_role', ))
return
def test_multiplePrincipalsPerGroup(self):
pas = FauxPAS()
zgm = self._makeOne().__of__(pas)
zgm.addGroup('group1')
zgm.addGroup('group2')
user1 = DummyUser('userid1')
user2 = DummyUser('userid2')
zgm.addPrincipalToGroup(user1.getId(), 'group1')
zgm.addPrincipalToGroup(user1.getId(), 'group2')
zgm.addPrincipalToGroup(user2.getId(), 'group2')
group_ids = zgm.listGroupIds()
self.assertEqual(len(group_ids), 2)
principals = zgm.listAssignedPrincipals('group2')
self.assertEqual(principals, [('userid1', 'userid1'),
('userid2', 'userid2')])
def testPOSTProtections(self):
from zExceptions import Forbidden
USER_ID = 'testuser'
ROLE_ID = 'myrole'
root = FauxPAS()
zrm = self._makeOne(id='remove_existing').__of__(root)
zrm = self._makeOne()
zrm.addRole(ROLE_ID)
user = DummyUser(USER_ID)
req, res = makeRequestAndResponse()
# Fails with a GET
# test assignRoleToPrincipal
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden,
zrm.assignRoleToPrincipal,
ROLE_ID,
USER_ID,
REQUEST=req)
# Works with a POST
req.set('REQUEST_METHOD', 'POST')
zrm.assignRoleToPrincipal(ROLE_ID, USER_ID, REQUEST=req)
# test removeRoleFromPricipal
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden,
zrm.removeRoleFromPrincipal,
ROLE_ID,
USER_ID,
REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
zrm.removeRoleFromPrincipal(ROLE_ID, USER_ID, REQUEST=req)
# test removeRole
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden, zrm.removeRole, ROLE_ID, REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
zrm.removeRole(ROLE_ID, REQUEST=req)
# Readd the role for the manage_* methods
zrm.addRole(ROLE_ID)
# test manage_assignRoleToPrincipal
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden,
zrm.manage_assignRoleToPrincipals,
ROLE_ID, [USER_ID],
RESPONSE=res,
REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
zrm.manage_assignRoleToPrincipals(ROLE_ID, [USER_ID],
RESPONSE=res,
REQUEST=req)
# test manage_removeRoleFromPricipal
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden,
zrm.manage_removeRoleFromPrincipals,
ROLE_ID, [USER_ID],
RESPONSE=res,
REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
zrm.manage_removeRoleFromPrincipals(ROLE_ID, [USER_ID],
RESPONSE=res,
REQUEST=req)
# test manage_removeRoles
req.set('REQUEST_METHOD', 'GET')
self.assertRaises(Forbidden,
zrm.manage_removeRoles, [ROLE_ID],
RESPONSE=res,
REQUEST=req)
req.set('REQUEST_METHOD', 'POST')
zrm.manage_removeRoles([ROLE_ID], RESPONSE=res, REQUEST=req)