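def test_owned_dataset_company_users_with_admin_should_edit(self):
    """Org admins and listed managing users may update an owned dataset.

    fred (creator and org admin) and bob (org admin, also named in
    ``managing_users``) must pass ``package_update``; alice, who is in
    neither the organization nor the managing-user list, must be refused.

    The context ``user`` is always the fixture user's real name.  The
    listing carried a placeholder string here, which can never match a
    membership and would make the positive checks fail and the negative
    check pass for the wrong reason.
    """
    org = factories.Organization()
    fred = factories.User(name='fred')
    bob = factories.User(name='bob')
    alice = factories.User(name='alice')
    for member in (fred, bob):
        helpers.call_action('organization_member_create',
                            username=member['name'], role='admin',
                            id=org['id'])
    dataset = factories.Dataset(user=fred, owner_org=org['name'],
                                managing_users="bob")
    params = {'id': dataset['id']}

    for allowed in (fred, bob):
        context = {'model': model, 'user': allowed['name']}
        result = helpers.call_auth('package_update', context=context,
                                   **params)
        assert result is True

    # Alice is not in the organization and not a managing user.
    context = {'model': model, 'user': alice['name']}
    nose.tools.assert_raises(logic.NotAuthorized, helpers.call_auth,
                             'package_update', context=context, **params)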
def test_group_admin_delete_correct_creds(self):
    """A sysadmin passes the ``group_admin_delete`` auth check.

    Only the exception path matters here: ``call_auth`` raising
    ``NotAuthorized`` would fail the test, the return value is not inspected.
    """
    admin = factories.Sysadmin()
    ctx = {'user': admin['name'], 'model': None}
    helpers.call_auth('group_admin_delete', context=ctx)
def test_project_admin_list_correct_creds(self):
    """A sysadmin passes the ``ckanext_project_admin_list`` auth check.

    The test only asserts that no ``NotAuthorized`` is raised.
    """
    admin = factories.Sysadmin()
    ctx = {'user': admin['name'], 'model': None}
    helpers.call_auth('ckanext_project_admin_list', context=ctx)
def test_showcase_admin_remove_correct_creds(self):
    """A sysadmin passes the ``ckanext_showcase_admin_remove`` auth check.

    The test only asserts that no ``NotAuthorized`` is raised.
    """
    admin = factories.Sysadmin()
    ctx = {'user': admin['name'], 'model': None}
    helpers.call_auth('ckanext_showcase_admin_remove', context=ctx)
def test_config_option_public_activity_stream_detail(self):
    """An anonymous user may read activity detail when the public-stream option is on.

    Assumes the relevant config option is enabled by a fixture or decorator
    outside this block; the test itself only checks that
    ``package_activity_list`` with ``include_data=True`` does not raise
    ``NotAuthorized`` for ``user=None``.
    """
    pkg = factories.Dataset()
    anon_ctx = {'user': None, 'model': model}
    helpers.call_auth('package_activity_list', context=anon_ctx,
                      id=pkg['id'], include_data=True)
def test_project_package_association_delete_sysadmin(self):
    """A sysadmin passes the ``ckanext_project_package_association_delete`` auth check.

    (The earlier docstring said "create"; the auth function exercised here
    is the delete one.)  Only the no-``NotAuthorized`` path is asserted.
    """
    admin = factories.Sysadmin()
    ctx = {'user': admin['name'], 'model': None}
    helpers.call_auth('ckanext_project_package_association_delete', context=ctx)
def test_showcase_package_association_create_showcase_admin(self):
    """A showcase admin passes the ``ckanext_showcase_package_association_create`` check."""
    admin = factories.User()
    # Grant the showcase-admin role first; a plain user would be refused.
    helpers.call_action('ckanext_showcase_admin_add', context={},
                        username=admin['name'])
    ctx = {'user': admin['name'], 'model': None}
    helpers.call_auth('ckanext_showcase_package_association_create', context=ctx)
def test_project_package_association_delete_project_admin(self):
    """A project admin passes the ``ckanext_project_package_association_delete`` check.

    (The earlier docstring said "create"; the delete auth function is what
    is called.)
    """
    admin = factories.User()
    # Grant the project-admin role first; a plain user would be refused.
    helpers.call_action('ckanext_project_admin_add', context={},
                        username=admin['name'])
    ctx = {'user': admin['name'], 'model': None}
    helpers.call_auth('ckanext_project_package_association_delete', context=ctx)
def test_sysadmin_user_can_clear(self):
    """A sysadmin is authorised for ``resource_view_clear``."""
    admin = factories.User(sysadmin=True)
    ctx = {'user': admin['name'], 'model': model}
    allowed = helpers.call_auth('resource_view_clear', context=ctx)
    assert_equals(allowed, True)
def test_user_update_user_can_update_herself(self):
    """A logged-in user is authorised to update her own account."""
    fred = factories.MockUser(name='fred')
    # Stand-in for ckan.model: User.get() returns fred whatever id is asked.
    fake_model = mock.MagicMock()
    fake_model.User.get.return_value = fred
    # 'user' equals fred.name so the auth function sees the target user and
    # the logged-in user as the same person.
    ctx = {'model': fake_model, 'user': fred.name}
    allowed = helpers.call_auth('user_update', context=ctx,
                                id=fred.id, name='updated_user_name')
    assert allowed is True
def test_group_show__user_is_avail_to_public(self):
    """A group is visible through ``group_show`` to an anonymous user.

    An empty string as ``user`` stands for "nobody logged in".
    """
    grp = factories.Group()
    anon_ctx = {'model': model, 'user': ''}
    assert helpers.call_auth('group_show', context=anon_ctx, id=grp['name'])
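def test_group_show__deleted_group_is_visible_to_its_member(self):
    """A deleted group is still visible via ``group_show`` to one of its members.

    Two fixes versus the listing: the group is created with
    ``state="deleted"`` so the deleted-group path the test is named after is
    actually exercised (the Organization factory accepts ``state`` elsewhere
    in this suite; the Group factory is assumed to forward it the same way),
    and the context ``user`` is fred's real name rather than a placeholder
    that could never match the membership.
    """
    fred = factories.User(name="fred")
    group = factories.Group(users=[fred], state="deleted")
    context = {"model": model, "user": fred["name"]}
    ret = helpers.call_auth("group_show", context=context, id=group["name"])
    assert ret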
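def test_group_show__deleted_org_is_visible_to_its_member(self):
    """A deleted organization is still visible via ``group_show`` to an editor member.

    The organization is created with ``state="deleted"`` so the test covers
    the deleted-org path its name describes (the listing created an active
    org), and the context ``user`` is fred's real name instead of a
    placeholder that cannot match the membership.
    """
    fred = factories.User(name="fred")
    fred["capacity"] = "editor"
    org = factories.Organization(users=[fred], state="deleted")
    context = {"model": model, "user": fred["name"]}
    ret = helpers.call_auth("group_show", context=context, id=org["name"])
    assert ret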
def assert_authorization_passes(self, auth_function_name, user_roles, project_id, project_id_parameter, **kwargs):
    """Assert that every role in ``user_roles`` is authorised for ``auth_function_name``.

    ``project_id`` is passed to the auth call under the keyword named by
    ``project_id_parameter``; any other ``kwargs`` are forwarded unchanged.
    A context per role comes from ``self.get_user_context(role)``.
    """
    kwargs[project_id_parameter] = project_id
    for role in user_roles:
        ctx = self.get_user_context(role)
        outcome = helpers.call_auth(auth_function_name, context=ctx, **kwargs)
        assert_true(outcome)
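def test_group_show__deleted_group_is_visible_to_its_member(self):
    """A deleted group is still visible via ``group_show`` to one of its members.

    The group is created with ``state='deleted'`` so the deleted-group path
    the test is named after is really exercised (the listing created an
    active group; the Group factory is assumed to forward ``state`` like the
    Organization factory does elsewhere in this suite), and the context
    ``user`` is fred's real name rather than a placeholder string.
    """
    fred = factories.User(name='fred')
    group = factories.Group(users=[fred], state='deleted')
    context = {'model': model, 'user': fred['name']}
    ret = helpers.call_auth('group_show', context=context, id=group['name'])
    assert ret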
def test_authorized_if_user_has_permissions_on_dataset(self):
    """The dataset's creator may create default resource views for it."""
    creator = factories.User()
    pkg = factories.Dataset(user=creator)
    ctx = {'user': creator['name'], 'model': core_model}
    outcome = helpers.call_auth('package_create_default_resource_views',
                                context=ctx, package=pkg)
    assert_equals(outcome, True)
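def test_group_show__deleted_org_is_visible_to_its_member(self):
    """A deleted organization stays visible via ``group_show`` to an editor member.

    The context ``user`` must be fred's real name: the listing carried a
    placeholder string, which can never match the membership and would make
    this positive check fail.
    """
    fred = factories.User(name='fred')
    fred['capacity'] = 'editor'
    org = factories.Organization(users=[fred], state='deleted')
    context = {'model': model, 'user': fred['name']}
    ret = helpers.call_auth('group_show', context=context, id=org['name'])
    assert ret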
def test_datastore_search_sql_perms(self):
    """``datastore_search_sql``: a plain user is refused, an org user and a sysadmin pass.

    ``context['table_names']`` lists the tables the SQL would touch; the
    auth check is expected to validate access against each of them.
    """
    def ctx_for(user):
        ctx = self._get_context(user)
        ctx['table_names'] = [self.resource['id']]
        return ctx

    with pytest.raises(toolkit.NotAuthorized):
        core_helpers.call_auth('datastore_search_sql',
                               context=ctx_for(self.normal_user),
                               resource_id=self.resource['id'])

    for allowed_user in (self.org_user, self.sysadmin):
        assert core_helpers.call_auth('datastore_search_sql',
                                      context=ctx_for(allowed_user),
                                      resource_id=self.resource['id'])
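def test_package_show__deleted_dataset_is_visible_to_editor(self):
    """A deleted dataset is still visible via ``package_show`` to an org editor.

    The context ``user`` must be fred's real name; the listing carried a
    placeholder string that could never match the org membership.
    """
    fred = factories.User(name="fred")
    fred["capacity"] = "editor"
    org = factories.Organization(users=[fred])
    dataset = factories.Dataset(owner_org=org["id"], state="deleted")
    context = {"model": model, "user": fred["name"]}
    ret = helpers.call_auth("package_show", context=context, id=dataset["name"])
    assert ret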
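def test_group_show__deleted_org_is_visible_to_its_member(self):
    """A deleted organization stays visible via ``group_show`` to an editor member.

    The organization is created with ``state='deleted'`` so the deleted-org
    path named by the test is really exercised (the listing created an
    active org), and the context ``user`` is fred's real name rather than a
    placeholder that cannot match the membership.
    """
    fred = factories.User(name='fred')
    fred['capacity'] = 'editor'
    org = factories.Organization(users=[fred], state='deleted')
    context = {'model': model, 'user': fred['name']}
    ret = helpers.call_auth('group_show', context=context, id=org['name'])
    assert ret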
def test_run_sysadmin(self, app):
    """A sysadmin is authorised to run validation on any resource."""
    res = factories.Resource()
    admin = factories.Sysadmin()
    ctx = {'user': admin['name'], 'model': model}
    outcome = call_auth('resource_validation_run', context=ctx,
                        resource_id=res['id'])
    assert_equals(outcome, True)
def test_sysadmin_is_authorized(self):
    """A sysadmin may create a resource (no package given, only resource fields)."""
    admin = factories.Sysadmin()
    ctx = {'user': admin['name'], 'model': core_model}
    outcome = helpers.call_auth('resource_create', context=ctx,
                                title='Resource', url='http://test',
                                format='csv')
    assert_equals(outcome, True)
def test_delete_collaborator_admin_is_authorized(self):
    """A collaborator with 'admin' capacity may delete collaborators on ``self.dataset``."""
    collaborator = factories.User()
    helpers.call_action('package_collaborator_create',
                        id=self.dataset['id'], user_id=collaborator['id'],
                        capacity='admin')
    ctx = self._get_context(collaborator)
    outcome = helpers.call_auth('package_collaborator_delete', context=ctx,
                                id=self.dataset['id'])
    assert outcome
def test_dataset_show_private_member(self):
    """A private dataset is hidden from a user until they become a 'member' collaborator."""
    org = factories.Organization()
    pkg = factories.Dataset(private=True, owner_org=org['id'])
    outsider = factories.User()
    ctx = self._get_context(outsider)

    # Before collaboration: refused.
    with pytest.raises(logic.NotAuthorized):
        helpers.call_auth('package_show', context=ctx, id=pkg['id'])

    # After being added with the weakest capacity: visible.
    helpers.call_action('package_collaborator_create', id=pkg['id'],
                        user_id=outsider['id'], capacity='member')
    assert helpers.call_auth('package_show', context=ctx, id=pkg['id'])
def test_sysadmin_is_authorized(self):
    """A sysadmin may create a resource (only resource fields, no package given)."""
    admin = factories.Sysadmin()
    ctx = {"user": admin["name"], "model": core_model}
    outcome = helpers.call_auth("resource_create", context=ctx,
                                title="Resource", url="http://test",
                                format="csv")
    assert outcome
def test_not_authorized_if_user_has_no_permissions_on_dataset_3(self):
    """A user unrelated to the owning org cannot create default resource views.

    ``user`` is made org admin only to show that the admin role belongs to
    someone else; the check is run as the unrelated ``outsider``.
    """
    org = factories.Organization()
    user = factories.User()
    helpers.call_action("organization_member_create", username=user["name"],
                        role="admin", id=org["id"])
    outsider = factories.User()
    pkg = factories.Dataset(owner_org=org["id"])
    ctx = {"user": outsider["name"], "model": core_model}
    with pytest.raises(logic.NotAuthorized):
        helpers.call_auth("package_create_default_resource_views",
                          context=ctx, package=pkg)
def test_resource_create_public_admin_and_editor(self, role):
    """A user may add resources to a public dataset only once made a collaborator with ``role``.

    ``role`` is supplied by the test parametrisation (expected: admin or
    editor, per the test name).
    """
    org = factories.Organization()
    pkg = factories.Dataset(owner_org=org['id'])
    outsider = factories.User()
    ctx = self._get_context(outsider)

    with pytest.raises(logic.NotAuthorized):
        helpers.call_auth('resource_create', context=ctx, package_id=pkg['id'])

    helpers.call_action('package_collaborator_create', id=pkg['id'],
                        user_id=outsider['id'], capacity=role)
    assert helpers.call_auth('resource_create', context=ctx, package_id=pkg['id'])
def test_create_unowned_datasets(self):
    """The creator of a dataset without an owner org may add collaborators to it."""
    creator = factories.User()
    pkg = factories.Dataset(user=creator)
    # Sanity-check the fixture: no org, and the creator is recorded.
    assert pkg['owner_org'] is None
    assert pkg['creator_user_id'] == creator['id']
    ctx = self._get_context(creator)
    outcome = helpers.call_auth('package_collaborator_create', context=ctx,
                                id=pkg['id'])
    assert outcome
def test_user_generate_own_apikey(self):
    """A logged-in user may generate an API key for their own account."""
    fred = factories.MockUser(name="fred")
    fake_model = mock.MagicMock()
    fake_model.User.get.return_value = fred
    # auth_user_obj marks the caller as logged in for auth functions that
    # refuse anonymous access; 'user' ties the call to fred's own account.
    ctx = {"model": fake_model, "auth_user_obj": fred, "user": fred.name}
    allowed = helpers.call_auth("user_generate_apikey", context=ctx, id=fred.id)
    assert allowed is True
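def test_package_show__deleted_dataset_is_visible_to_editor(self):
    """A deleted dataset is still visible via ``package_show`` to an org editor.

    The context ``user`` must be fred's real name; the listing carried a
    placeholder string that could never match the org membership.
    """
    fred = factories.User(name='fred')
    fred['capacity'] = 'editor'
    org = factories.Organization(users=[fred])
    dataset = factories.Dataset(owner_org=org['id'], state='deleted')
    context = {'model': model, 'user': fred['name']}
    ret = helpers.call_auth('package_show', context=context, id=dataset['name'])
    assert ret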
def test_resource_view_list_private_editor(self):
    """Resource views of a private dataset are hidden until the user is an 'editor' collaborator."""
    org = factories.Organization()
    pkg = factories.Dataset(private=True, owner_org=org['id'])
    res = factories.Resource(package_id=pkg['id'])
    outsider = factories.User()
    ctx = self._get_context(outsider)

    with pytest.raises(logic.NotAuthorized):
        helpers.call_auth('resource_view_list', context=ctx, id=res['id'])

    helpers.call_action('package_collaborator_create', id=pkg['id'],
                        user_id=outsider['id'], capacity='editor')
    assert helpers.call_auth('resource_view_list', context=ctx, id=res['id'])
def test_user_update_with_no_user_in_context():
    """``user_update`` is refused when the context carries no user at all."""
    target = factories.MockUser(name="fred")
    # Stand-in for ckan.model: User.get() returns the target user.
    fake_model = mock.MagicMock()
    fake_model.User.get.return_value = target
    # Explicitly no logged-in user.
    ctx = {"model": fake_model, "user": None}
    with pytest.raises(logic.NotAuthorized):
        helpers.call_auth("user_update", context=ctx,
                          id=target.id, name="updated_user_name")
def test_datastore_info_private_member(self):
    """``datastore_info`` on a private dataset's resource needs at least 'member' collaboration."""
    org = factories.Organization()
    pkg = factories.Dataset(private=True, owner_org=org[u'id'])
    res = factories.Resource(package_id=pkg[u'id'])
    outsider = factories.User()
    ctx = self._get_context(outsider)

    with pytest.raises(logic.NotAuthorized):
        helpers.call_auth(u'datastore_info', context=ctx, resource_id=res[u'id'])

    helpers.call_action(u'package_collaborator_create', id=pkg[u'id'],
                        user_id=outsider[u'id'], capacity=u'member')
    assert helpers.call_auth(u'datastore_info', context=ctx, resource_id=res[u'id'])
def test_resource_delete_public_member(self):
    """A 'member' collaborator still may not delete a resource of a public dataset.

    Checked twice: before any collaboration and again after being added with
    the read-only 'member' capacity — both must be refused.
    """
    org = factories.Organization()
    pkg = factories.Dataset(owner_org=org['id'])
    res = factories.Resource(package_id=pkg['id'])
    outsider = factories.User()
    ctx = self._get_context(outsider)

    def expect_refused():
        with pytest.raises(logic.NotAuthorized):
            helpers.call_auth('resource_delete', context=ctx, id=res['id'])

    expect_refused()
    helpers.call_action('package_collaborator_create', id=pkg['id'],
                        user_id=outsider['id'], capacity='member')
    expect_refused()
def test_only_org_member_can_view_revision(self):
    """Only an editor of the owning org can read a dataset revision; outsiders are refused.

    The visibility pair (editor allowed / simple user refused) is checked
    once right after the revision is created and again after the revision
    has been moved to the next stage.  ``self.user``, ``self.simple_user``
    and ``self.org`` are stored for other helpers on the test class.
    """
    editor = factories.User()
    outsider = factories.User()
    org = factories.Organization(users=[{
        'name': editor['name'],
        'capacity': 'editor'
    }])
    self.user = editor
    self.simple_user = outsider
    self.org = org

    pkg = factories.Dataset(owner_org=org['id'])
    th.call_action('move_to_next_stage', id=pkg['id'])
    stage_data = th.call_action('move_to_next_stage', id=pkg['id'])
    pkg.update(stage_data)
    revision = th.call_action('create_dataset_revision',
                              {'user': editor['name']}, id=pkg['id'])

    def check_visibility():
        th.call_auth('read_dataset_revision',
                     {'model': model, 'user': editor['name']}, **revision)
        nt.assert_raises(tk.NotAuthorized, th.call_auth,
                         'read_dataset_revision',
                         {'model': model, 'user': outsider['name']},
                         **revision)

    check_visibility()
    th.call_action('move_to_next_stage', id=revision['id'])
    check_visibility()
def test_ipermissionlabels_user_group_see_privates_inverted(
        create_with_upload):
    """A private dataset in user_a's org and group is hidden from unrelated user_b."""
    user_a = factories.User()
    user_b = factories.User()

    def admin_membership():
        # Fresh dict per factory call so neither factory shares state.
        return {'name': user_a['id'], 'capacity': 'admin'}

    owner_org = factories.Organization(users=[admin_membership()])
    owner_group = factories.Group(users=[admin_membership()])

    def ctx_for(user):
        return {
            'ignore_auth': False,
            'user': user['name'],
            'model': model,
            'api_version': 3
        }

    dataset, _ = make_dataset(ctx_for(user_a), owner_org,
                              create_with_upload=create_with_upload,
                              activate=True,
                              groups=[{"id": owner_group["id"]}],
                              private=True)
    with pytest.raises(logic.NotAuthorized):
        helpers.call_auth("package_show", ctx_for(user_b), id=dataset["id"])
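def test_unowned_only_creator_can_edit(self):
    """Without an owner org, only the creator may update the dataset.

    The context ``user`` is always the fixture user's real name.  The
    listing carried a placeholder string here; for bob that makes the
    negative check pass vacuously (an unknown name is refused for the wrong
    reason) and proves nothing about bob.
    """
    fred = factories.User(name='fred')
    bob = factories.User(name='bob')
    dataset = factories.Dataset(user=fred)
    params = {'id': dataset['id']}

    # Creator: allowed.
    creator_ctx = {'model': model, 'user': fred['name']}
    result = helpers.call_auth('package_update', context=creator_ctx, **params)
    assert result is True

    # Bob is neither creator nor managing user: refused.
    bob_ctx = {'model': model, 'user': bob['name']}
    nose.tools.assert_raises(logic.NotAuthorized, helpers.call_auth,
                             'package_update', context=bob_ctx, **params)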
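def test_unowned_only_managing_users_can_edit(self):
    """Without an owner org, the creator and the ``managing_users`` may update.

    fred (creator), bob and alice (listed in ``managing_users``) must pass
    ``package_update``; lisa, listed nowhere, must be refused.  The context
    ``user`` is always the fixture user's real name — the listing carried
    a placeholder string, which can never match and would make the positive
    checks fail and the negative check vacuous.
    """
    fred = factories.User(name='fred')
    bob = factories.User(name='bob')
    alice = factories.User(name='alice')
    lisa = factories.User(name='lisa')
    dataset = factories.Dataset(user=fred, managing_users='bob,alice')
    params = {'id': dataset['id']}

    for allowed in (fred, bob, alice):
        context = {'model': model, 'user': allowed['name']}
        result = helpers.call_auth('package_update', context=context, **params)
        assert result is True

    # Lisa is neither creator nor a managing user.
    context = {'model': model, 'user': lisa['name']}
    nose.tools.assert_raises(logic.NotAuthorized, helpers.call_auth,
                             'package_update', context=context, **params)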
def test_proposed_dataset_invisible_to_another_editor(self):
    """A "Proposed:" dataset created by one user is hidden from another editor of the same org.

    Checked both through ``package_search`` (even with ``include_private``)
    and through the ``package_show`` auth function.
    """
    editor = factories.User()
    creator = factories.User()
    org = factories.Organization(
        user=creator, users=[{u"name": editor["id"], u"capacity": u"editor"}]
    )
    factories.Dataset(
        name=u"d1", notes=u"Proposed:", user=creator, owner_org=org["id"]
    )

    found = get_action(u"package_search")(
        {u"user": editor["name"]}, {u"include_private": True}
    )["results"]
    assert [hit["name"] for hit in found] == []

    with pytest.raises(NotAuthorized):
        call_auth(u"package_show",
                  {u"user": editor["name"], u"model": model}, id=u"d1")
def test_proposed_dataset_visible_to_creator(self):
    """A "Proposed:" dataset is visible to its creator via search and ``package_show``."""
    creator = factories.User()
    factories.Dataset(name=u'd1', notes=u'Proposed:', user=creator)

    found = get_action(u'package_search')(
        {u'user': creator['name']}, {u'include_private': True})['results']
    assert_equal([hit['name'] for hit in found], [u'd1'])

    allowed = call_auth(u'package_show',
                        {u'user': creator['name'], u'model': model}, id=u'd1')
    assert allowed
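def test_owned_dataset_company_users_with_admin_should_edit(self):
    """Org admins and listed managing users may update an owned dataset.

    fred (creator and org admin) and bob (org admin, also named in
    ``managing_users``) must pass ``package_update``; alice, who is in
    neither the organization nor the managing-user list, must be refused.

    The context ``user`` is always the fixture user's real name.  The
    listing carried a placeholder string here, which can never match a
    membership and would make the positive checks fail and the negative
    check pass for the wrong reason.
    """
    org = factories.Organization()
    fred = factories.User(name='fred')
    bob = factories.User(name='bob')
    alice = factories.User(name='alice')
    for member in (fred, bob):
        helpers.call_action('organization_member_create',
                            username=member['name'], role='admin',
                            id=org['id'])
    dataset = factories.Dataset(user=fred, owner_org=org['name'],
                                managing_users="bob")
    params = {'id': dataset['id']}

    for allowed in (fred, bob):
        context = {'model': model, 'user': allowed['name']}
        result = helpers.call_auth('package_update', context=context,
                                   **params)
        assert result is True

    # Alice is not in the organization and not a managing user.
    context = {'model': model, 'user': alice['name']}
    nose.tools.assert_raises(logic.NotAuthorized, helpers.call_auth,
                             'package_update', context=context, **params)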
def test_authorized_if_user_has_permissions_on_dataset_2(self):
    """The dataset's creator may create default resource views for it."""
    creator = factories.User()
    pkg = factories.Dataset(user=creator)
    ctx = {"user": creator["name"], "model": core_model}
    outcome = helpers.call_auth("package_create_default_resource_views",
                                context=ctx, package=pkg)
    assert outcome
def test_org_admin_bulk_update_delete_forbidden(create_with_upload):
    """``bulk_update_delete`` is refused even for an admin of the owning organization."""
    admin = factories.User()
    owner_org = factories.Organization(users=[{
        'name': admin['id'],
        'capacity': 'admin'
    }])

    def create_ctx():
        # Fresh context per dataset, as the action may mutate it.
        return {
            'ignore_auth': False,
            'user': admin['name'],
            'api_version': 3
        }

    created = []
    for _ in range(2):
        ds, _upload = make_dataset(create_ctx(), owner_org,
                                   create_with_upload=create_with_upload,
                                   activate=True)
        created.append(ds)

    check_ctx = {
        'ignore_auth': False,
        'user': admin['name'],
        'model': model,
        'api_version': 3
    }
    with pytest.raises(logic.NotAuthorized):
        helpers.call_auth("bulk_update_delete", check_ctx,
                          datasets=created, org_id=owner_org["id"])
def test_proposed_dataset_visible_to_creator(self):
    """A "Proposed:" dataset is visible to its creator via search and ``package_show``."""
    creator = factories.User()
    factories.Dataset(name=u"d1", notes=u"Proposed:", user=creator)

    found = get_action(u"package_search")(
        {u"user": creator["name"]}, {u"include_private": True}
    )["results"]
    assert [hit["name"] for hit in found] == [u"d1"]

    allowed = call_auth(u"package_show",
                        {u"user": creator["name"], u"model": model}, id=u"d1")
    assert allowed
def test_not_authorized_if_user_has_no_permissions_on_dataset_4(self):
    """A user unrelated to the owning org cannot add a resource to its dataset.

    ``user`` is the org admin and dataset creator; the auth check runs as the
    unrelated ``outsider``.
    """
    org = factories.Organization()
    user = factories.User()
    helpers.call_action("organization_member_create", username=user["name"],
                        role="admin", id=org["id"])
    outsider = factories.User()
    pkg = factories.Dataset(user=user, owner_org=org["id"])
    ctx = {"user": outsider["name"], "model": core_model}
    with pytest.raises(logic.NotAuthorized):
        helpers.call_auth("resource_create", context=ctx,
                          package_id=pkg["id"], title="Resource",
                          url="http://test", format="csv")
def test_user_generate_own_apikey():
    """A logged-in user may generate an API key for their own account."""
    fred = factories.MockUser(name="fred")
    fake_model = mock.MagicMock()
    fake_model.User.get.return_value = fred
    # auth_user_obj marks the caller as logged in for auth functions that
    # refuse anonymous access; 'user' ties the call to fred's own account.
    ctx = {"model": fake_model, "auth_user_obj": fred, "user": fred.name}
    allowed = helpers.call_auth("user_generate_apikey", context=ctx, id=fred.id)
    assert allowed is True
def test_show_anon_public_dataset(self, app):
    """A logged-in user unrelated to the org may view validation of a public dataset's resource.

    NOTE(review): despite the "anon" in the name, the context user is a
    regular created user, not an anonymous one — confirm which case the
    test is meant to cover.
    """
    viewer = factories.User()
    org = factories.Organization()
    pkg = factories.Dataset(owner_org=org['id'],
                            resources=[factories.Resource()],
                            private=False)
    ctx = {'user': viewer['name'], 'model': model}
    outcome = call_auth('resource_validation_show', context=ctx,
                        resource_id=pkg['resources'][0]['id'])
    assert_equals(outcome, True)
def test_user_update_visitor_cannot_update_user():
    """A visitor (not logged in as the target) may not update another user's account."""
    fred = factories.MockUser(name="fred")
    # Stand-in for ckan.model: User.get() returns Fred.
    fake_model = mock.MagicMock()
    fake_model.User.get.return_value = fred
    # NOTE(review): the visitor identity below looks redacted in this
    # listing; the auth function only needs it to differ from fred.name for
    # the refusal, but the real anonymous identity used by the app should be
    # restored here.
    ctx = {"model": fake_model, "user": "******"}
    with pytest.raises(logic.NotAuthorized):
        helpers.call_auth("user_update", context=ctx,
                          id=fred.id, name="updated_user_name")
def test_authorized_if_user_has_permissions_on_dataset(self):
    """The dataset's creator may add a resource to it."""
    creator = factories.User()
    pkg = factories.Dataset(user=creator)
    ctx = {'user': creator['name'], 'model': core_model}
    outcome = helpers.call_auth('resource_create', context=ctx,
                                package_id=pkg['id'], title='Resource',
                                url='http://test', format='csv')
    assert_equals(outcome, True)
def test_authorized_if_user_has_permissions_on_dataset_3(self):
    """The creator of a dataset and its resource may create default views for that resource."""
    creator = factories.User()
    pkg = factories.Dataset(user=creator)
    res = factories.Resource(user=creator, package_id=pkg["id"])
    ctx = {"user": creator["name"], "model": model}
    outcome = helpers.call_auth("resource_create_default_resource_views",
                                context=ctx, resource=res)
    assert outcome
def test_user_generate_own_apikey(self):
    """A logged-in user may generate an API key for their own account."""
    fred = factories.MockUser(name='fred')
    fake_model = mock.MagicMock()
    fake_model.User.get.return_value = fred
    # auth_user_obj marks the caller as logged in for auth functions that
    # refuse anonymous access; 'user' ties the call to fred's own account.
    ctx = {'model': fake_model, 'auth_user_obj': fred, 'user': fred.name}
    allowed = helpers.call_auth('user_generate_apikey', context=ctx, id=fred.id)
    assert allowed is True
def test_user_invite_delegates_correctly_to_group_member_create(self, gmc):
    """``user_invite`` mirrors the decision of the patched ``group_member_create`` auth.

    ``gmc`` is the mock injected for the group-member-create auth function:
    its failure result must surface as ``NotAuthorized`` and its success
    result as ``True``.
    """
    inviter = factories.User()
    ctx = {
        'user': inviter['name'],
        'model': None,
        'auth_user_obj': inviter
    }
    invite = {'group_id': 42}

    gmc.return_value = {'success': False}
    nose.tools.assert_raises(logic.NotAuthorized, helpers.call_auth,
                             'user_invite', context=ctx, **invite)

    gmc.return_value = {'success': True}
    assert helpers.call_auth('user_invite', context=ctx, **invite) is True
def test_proposed_dataset_visible_to_org_admin(self):
    """A "Proposed:" dataset by an org editor is visible to the org's admin (creator of the org)."""
    editor = factories.User()
    org_admin = factories.User()
    org = factories.Organization(
        user=org_admin,
        users=[{u'name': editor['id'], u'capacity': u'editor'}])
    factories.Dataset(
        name=u'd1', notes=u'Proposed:', user=editor, owner_org=org['id'])

    found = get_action(u'package_search')(
        {u'user': org_admin[u'name']}, {u'include_private': True})['results']
    assert_equal([hit['name'] for hit in found], [u'd1'])

    allowed = call_auth(u'package_show',
                        {u'user': org_admin['name'], u'model': model}, id=u'd1')
    assert allowed
def test_authorized_if_user_has_permissions_on_dataset(self):
    """The creator of a dataset and its resource may create a view on that resource."""
    creator = factories.User()
    pkg = factories.Dataset(user=creator)
    res = factories.Resource(user=creator, package_id=pkg['id'])
    ctx = {'user': creator['name'], 'model': core_model}
    outcome = helpers.call_auth('resource_view_create', context=ctx,
                                resource_id=res['id'],
                                title=u'Resource View',
                                view_type=u'image_view',
                                image_url='url')
    assert_equals(outcome, True)
def test_org_user_can_delete(self):
    """An org editor who created the dataset may delete a view on its resource."""
    editor = factories.User()
    org = factories.Organization(users=[{'name': editor['name'],
                                         'capacity': 'editor'}])
    pkg = factories.Dataset(owner_org=org['id'],
                            resources=[factories.Resource()],
                            user=editor)
    view = factories.ResourceView(resource_id=pkg['resources'][0]['id'])
    ctx = {'user': editor['name'], 'model': model}
    outcome = helpers.call_auth('resource_view_delete', context=ctx,
                                id=view['id'])
    assert_equals(outcome, True)