def test_clean_perms_command(self): """ Same test as the one above but rather function directly, we call management command instead. """ # assign obj perms target_perms = { self.target_user1: ["change_%s" % user_module_name], self.target_group1: ["delete_group"], self.target_obj1: ["change_contenttype", "delete_contenttype"], self.target_obj2: ["change_contenttype"], } for target, perms in target_perms.items(): target.__old_pk = target.pk # Store pkeys for perm in perms: assign_perm(perm, self.user, target) # Remove targets for target, perms in target_perms.items(): target.delete() # Clean orphans call_command("clean_orphan_obj_perms", verbosity=0) # Recreate targets and check if user has no permissions for target, perms in target_perms.items(): target.pk = target.__old_pk target.save() for perm in perms: self.assertFalse(self.user.has_perm(perm, target))
def test_remove_perm(self): assign_perm('contenttypes.change_contenttype', self.user, self.ctype) self.assertTrue( self.user.has_perm('contenttypes.change_contenttype', self.ctype)) remove_perm('contenttypes.change_contenttype', self.user, self.ctype) self.assertFalse( self.user.has_perm('contenttypes.change_contenttype', self.ctype))
def test_group_assign_perm(self): assign_perm("change_contenttype", self.group, self.ctype) assign_perm("delete_contenttype", self.group, self.ctype) check = ObjectPermissionChecker(self.group) self.assertTrue(check.has_perm("change_contenttype", self.ctype)) self.assertTrue(check.has_perm("delete_contenttype", self.ctype))
def test_has_global_permission_and_object_based_permission_any_perm(self): assign_perm('contenttypes.change_contenttype', self.group1) assign_perm('contenttypes.delete_contenttype', self.group1, self.obj1) objects = get_objects_for_group(self.group1, ['contenttypes.change_contenttype', 'contenttypes.delete_contenttype'], any_perm=True) self.assertEquals(set(objects), set(ContentType.objects.all()))
def save(self, *args, **kwargs): """ Override save method to enable setting of permissions for retina users """ created = self._state.adding super().save(*args, **kwargs) if not created: return if ( self.annotation_set.grader.groups.filter( name=settings.RETINA_GRADERS_GROUP_NAME ).exists() or self.annotation_set.grader.groups.filter( name=settings.RETINA_ADMINS_GROUP_NAME ).exists() ): model_name = self._meta.model_name admins_group = Group.objects.get( name=settings.RETINA_ADMINS_GROUP_NAME ) for permission_type in self._meta.default_permissions: permission_name = f"{permission_type}_{model_name}" assign_perm(permission_name, self.annotation_set.grader, self) assign_perm(permission_name, admins_group, self)
def test_without_group_users_no_result(self): self.user1.groups.add(self.group1) assign_perm("change_contenttype", self.group1, self.obj1) result = get_users_with_perms(self.obj1, attach_perms=True, with_group_users=False) expected = {} self.assertEqual(result, expected)
def test_perms_single(self): perm = 'contenttypes.change_contenttype' assign_perm(perm, self.group1, self.obj1) self.assertEqual( set(get_objects_for_group(self.group1, perm)), set(get_objects_for_group(self.group1, [perm])) )
def test_group_remove_perm(self): # assign perm first assign_perm("change_contenttype", self.group, self.ctype) remove_perm("change_contenttype", self.group, self.ctype) check = ObjectPermissionChecker(self.group) self.assertFalse(check.has_perm("change_contenttype", self.ctype))
def test_attach_perms(self): self.user1.groups.add(self.group1) self.user2.groups.add(self.group2) self.user3.groups.add(self.group3) assign_perm("change_contenttype", self.group1, self.obj1) assign_perm("change_contenttype", self.group2, self.obj1) assign_perm("delete_contenttype", self.group3, self.obj2) assign_perm("delete_contenttype", self.user2, self.obj1) assign_perm("change_contenttype", self.user3, self.obj2) # Check contenttype1 result = get_users_with_perms(self.obj1, attach_perms=True) expected = { self.user1: ["change_contenttype"], self.user2: ["change_contenttype", "delete_contenttype"], } self.assertEqual(result.keys(), expected.keys()) for key, perms in result.items(): self.assertEqual(set(perms), set(expected[key])) # Check contenttype2 result = get_users_with_perms(self.obj2, attach_perms=True) expected = { self.user3: ["change_contenttype", "delete_contenttype"], } self.assertEqual(result.keys(), expected.keys()) for key, perms in result.items(): self.assertEqual(set(perms), set(expected[key]))
def test_user_with_share(self): assign_perm("view_collection", self.user1, self.collection) assign_perm("share_collection", self.user1, self.collection) # Can add permissions to users. data = {'users': {'add': {self.user2.pk: ['view']}}} resp = self._detail_permissions(self.collection.pk, data, self.user1) self.assertEqual(resp.status_code, status.HTTP_200_OK) self.assertEqual(UserObjectPermission.objects.filter(user=self.user2).count(), 1) # Can add permissions to groups. data = {'groups': {'add': {self.group.pk: ['view']}}} resp = self._detail_permissions(self.collection.pk, data, self.user1) self.assertEqual(resp.status_code, status.HTTP_200_OK) self.assertEqual(GroupObjectPermission.objects.count(), 1) # Can remove permissions from users. data = {'users': {'remove': {self.user2.pk: ['view']}}} resp = self._detail_permissions(self.collection.pk, data, self.user1) self.assertEqual(resp.status_code, status.HTTP_200_OK) self.assertEqual(UserObjectPermission.objects.filter(user=self.user2).count(), 0) # Can remove permissions from groups. data = {'groups': {'remove': {self.group.pk: ['view']}}} resp = self._detail_permissions(self.collection.pk, data, self.user1) self.assertEqual(resp.status_code, status.HTTP_200_OK) self.assertEqual(GroupObjectPermission.objects.count(), 0)
def test_index_permission_protected_project(self): project = Project.objects.create( active=True, custom_permissions=True, login_required=True, name='MY_TEMPLATE_NAME', ) batch = Batch.objects.create(project=project, name='MY_BATCH_NAME') Task.objects.create(batch=batch) in_user = User.objects.create_user('in_user', password='******') User.objects.create_user('out_user', password='******') group = Group.objects.create(name='testgroup') in_user.groups.add(group) assign_perm('can_work_on', group, project) in_client = django.test.Client() in_client.login(username='******', password='******') response = in_client.get(reverse('index')) self.assertEqual(response.status_code, 200) self.assertFalse(b'No Tasks available' in response.content) self.assertTrue(b'MY_TEMPLATE_NAME' in response.content) self.assertTrue(b'MY_BATCH_NAME' in response.content) out_client = django.test.Client() out_client.login(username='******', password='******') response = out_client.get(reverse('index')) self.assertEqual(response.status_code, 200) self.assertTrue(b'No Tasks available' in response.content) self.assertFalse(b'MY_TEMPLATE_NAME' in response.content) self.assertFalse(b'MY_BATCH_NAME' in response.content)
def test_map_download(self): """Test the correct permissions on layers on map download""" create_models(type='map') create_maplayers() # Get a Map the_map = Map.objects.get(title='GeoNode Default Map') # Get a MapLayer and set the parameters as it is local and not a background # and leave it alone in the map map_layer = the_map.layer_set.get(name='geonode:CA') map_layer.local = True map_layer.group = 'overlay' map_layer.save() the_map.layer_set.all().delete() the_map.layer_set.add(map_layer) # Get the Layer and set the permissions for bobby to it and the map bobby = Profile.objects.get(username='******') the_layer = Layer.objects.get(typename='geonode:CA') remove_perm('download_resourcebase', bobby, the_layer.get_self_resource()) remove_perm('download_resourcebase', Group.objects.get(name='anonymous'), the_layer.get_self_resource()) assign_perm('view_resourcebase', bobby, the_layer.get_self_resource()) assign_perm('download_resourcebase', bobby, the_map.get_self_resource()) self.client.login(username='******', password='******') response = self.client.get(reverse('map_download', args=(the_map.id,))) self.assertTrue('Could not find downloadable layers for this map' in response.content)
def test_add_form_buttons_with_permission(self): assign_perm('reply', self.user, self.letter.case.monitoring) assign_perm('add_draft', self.user, self.letter.case.monitoring) form = ReplyForm(user=self.user, letter=self.letter) html = self.render_form(form) self.assertIn('name="save"', html) self.assertIn('name="send"', html)
def update(self, request, pk): """ Add or remove permissions """ if not request.user.is_authenticated(): return Response( status=403, data={ 'detail': 'Authentication required', }, ) required_params = ['user', ] for param in required_params: if param not in request.DATA: return Response( status=400, data={ 'detail': 'Parameter required {param}'.format( param=param, ), }, ) check_list = get_object_or_404(CheckList, id=pk) if not request.user.has_perm('api.change_checklist', check_list): return Response( status=403, data={ 'detail': 'Permission denied', }, ) user = get_object_or_404(User, id=request.DATA.get('user'), ) if user.id == check_list.owner.id: return Response( status=400, data={ 'detail': "Owner permissions can't be changed", }, ) if user.has_perm('api.change_checklist', check_list): remove_perm('api.view_checklist', user, check_list) remove_perm('api.change_checklist', user, check_list) else: assign_perm('api.view_checklist', user, check_list) assign_perm('api.change_checklist', user, check_list) return Response( status=200, data={ 'change_checklist': user.has_perm( 'api.change_checklist', check_list ), 'detail': 'Permissions updated', 'view_checklist': user.has_perm( 'api.view_checklist', check_list ), }, )
def test_unpublished_layer(self): """With resource publishing""" layer = Layer.objects.filter(alternate='geonode:CA')[0] layer.is_published = False layer.save() user = get_user_model().objects.get(username='******') self.client.login(username='******', password='******') # 404 if layer is unpublished response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 404) # 404 if layer is unpublished but user has permission but does not belong to the group assign_perm('publish_resourcebase', user, layer.get_self_resource()) response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 404) # 200 if layer is unpublished and user is owner remove_perm('publish_resourcebase', user, layer.get_self_resource()) layer.owner = user layer.save() response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 200) # 200 if layer is published layer.is_published = True layer.save() response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 200) layer.is_published = True layer.save()
def set_owner_permissions(resource): """assign all admin permissions to the owner""" if resource.polymorphic_ctype.name == 'layer': for perm in LAYER_ADMIN_PERMISSIONS: assign_perm(perm, resource.owner, resource.layer) for perm in ADMIN_PERMISSIONS: assign_perm(perm, resource.owner, resource.get_self_resource())
def test_unpublished_layer(self): """Test unpublished layer behaviour""" user = get_user_model().objects.get(username='******') self.client.login(username='******', password='******') # default (RESOURCE_PUBLISHING=False) # access to layer detail page gives 200 if layer is published or # unpublished response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 200) layer = Layer.objects.filter(title='CA')[0] layer.is_published = False layer.save() response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 200) # with resource publishing with self.settings(RESOURCE_PUBLISHING=True): # 404 if layer is unpublished response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 404) # 200 if layer is unpublished but user has permission assign_perm('publish_resourcebase', user, layer.get_self_resource()) response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 200) # 200 if layer is published layer.is_published = True layer.save() remove_perm('publish_resourcebase', user, layer.get_self_resource()) response = self.client.get(reverse('layer_detail', args=('geonode:CA',))) self.failUnlessEqual(response.status_code, 200) layer.is_published = True layer.save()
def test_spawned_process(self): """Test that manager is run for spawned processes and permissions are copied.""" DescriptorSchema.objects.create( name='Test schema', slug='test-schema', contributor=self.contributor ) spawned_process = Process.objects.filter(slug='test-save-file').latest() # Patch the process to create Entity, so its bahaviour can be tested. spawned_process.entity_type = 'test-schema' spawned_process.entity_descriptor_schema = 'test-schema' spawned_process.save() process = Process.objects.filter(slug='test-spawn-new').latest() with transaction.atomic(): data = Data.objects.create( name='Test data', contributor=self.contributor, process=process, ) self.collection.data.add(data) assign_perm('view_data', self.user, data) # Created and spawned objects should be done. self.assertEqual(Data.objects.filter(status=Data.STATUS_DONE).count(), 2) # Check that permissions are inherited. child = Data.objects.last() self.assertTrue(self.user.has_perm('view_data', child)) self.assertEqual(child.collection_set.count(), 1) self.assertEqual(child.collection_set.first().pk, self.collection.pk) self.assertEqual(child.entity_set.first().collections.count(), 1) self.assertEqual(child.entity_set.first().collections.first().pk, self.collection.pk)
def setUpClass(cls): from guardian.shortcuts import assign_perm # create users create = User.objects.create_user users = { 'fullaccess': create('fullaccess', '*****@*****.**', 'password'), 'readonly': create('readonly', '*****@*****.**', 'password'), 'writeonly': create('writeonly', '*****@*****.**', 'password'), 'deleteonly': create('deleteonly', '*****@*****.**', 'password'), } # give everyone model level permissions, as we are not testing those everyone = Group.objects.create(name='everyone') model_name = BasicPermModel._meta.module_name app_label = BasicPermModel._meta.app_label f = '{0}_{1}'.format perms = { 'view': f('view', model_name), 'change': f('change', model_name), 'delete': f('delete', model_name) } for perm in perms.values(): perm = '{0}.{1}'.format(app_label, perm) assign_perm(perm, everyone) everyone.user_set.add(*users.values()) cls.perms = perms cls.users = users
def form_valid(self, form): form.instance.author = self.request.user form.instance.assignment = get_object_or_404(models.Assignment, pk=self.kwargs['pk']) current_date = timezone.now() form.instance.create_date = current_date form.instance.last_modified_date = current_date form.parent_attempt = None form.instance.number = 1 stage = form.instance.assignment.active_stage() if stage is None: return HttpResponse(status=400) elif current_date < stage.start_date or current_date > stage.grace_period_end_date: return HttpResponse(status=400) form.instance.is_late = (current_date > stage.end_date) #period = get_object_or_404(models.SubmissionPeriod, pk=self.kwargs['pk']) #if not period: # return False #form.instance.assignment = assignment response = super(ArticleOriginCreate, self).form_valid(form) assign_perm('articles.change_article', self.request.user, form.instance) return response
def form_valid(self, form): form.instance.author = self.request.user attempt = get_object_or_404(models.GradingAttempt, pk = self.kwargs['pk']) if not attempt: return False form.instance.parent_attempt = attempt form.instance.assignment = attempt.article.assignment current_date = timezone.now() form.instance.create_date = current_date form.instance.last_modified_date = current_date form.instance.number = attempt.article.number + 1 stage = form.instance.assignment.active_stage() if stage is None: return HttpResponse(status=400) elif current_date < stage.start_date or current_date > stage.grace_period_end_date: return HttpResponse(status=400) form.instance.is_late = (current_date > stage.end_date) response = super(ArticleRevisionCreate, self).form_valid(form) assign_perm('articles.change_article', self.request.user, form.instance) return response
def set_object_permissions(sender, instance=None, created=False, **kwargs): if created: for perm in get_perms_for_model(Team): assign_perm(perm.codename, instance.organization, instance) if instance.created_by: assign_perm(perm.codename, instance.created_by, instance)
def test_aggregations(self): item = models.ExampleItem() item.name = 'Example' item.enabled = False item.save() m2m_item = models.ExampleM2MItem() m2m_item.save() shortcuts.assign_perm( 'rest_framework_reactive.view_exampleitem', auth_models.AnonymousUser(), item, ) observer = QueryObserver( request(views.AggregationTestViewSet, items=[m2m_item.pk]) ) observer.subscribe( 'test-session', dependencies=[models.ExampleItem, models.ExampleM2MItem.items.through], ) # There should be a dependency on the intermediate table. observer_state = observer_models.Observer.objects.get(pk=observer.id) dependencies = observer_state.dependencies.all().values_list('table', flat=True) self.assertIn('drfr_test_app_examplem2mitem_items', dependencies)
def test_for_assign_no_duplicates_with_multiple_permissions(self): assign_perm('cases.can_view', self.user) assign_perm('cases.can_assign', self.user) case = CaseFactory(created_by=self.user) self.assertEqual( 1, len(Case.objects.for_assign(self.user)))
def join(self, user, **kwargs): from geonode.layers.models import Layer from geonode.tabular.models import Tabular 'Joins an user to this app as a member.' if user == user.get_anonymous(): raise ValueError("The invited user cannot be anonymous") AppMember(app=self, user=user, **kwargs).save() # asocia todos los recursos del usuario que tienen # los recursos que necesita la app manager = self.get_managers()[0] for resource in user.resourcebase_set.all(): keywords = set(resource.keyword_list()) try: keywords.add(resource.layer.layer_type.name) except Layer.DoesNotExist: pass try: keywords.add(resource.tabular.tabular_type.name) except Tabular.DoesNotExist: pass if len(keywords.intersection(self.keyword_list())) > 0: assign_perm('view_resourcebase', manager, resource)
def test_inactive_user_blocked(self): t = Thing(name='Test thing') t.save() self.user.is_active = False self.user.save() assign_perm('change_thing', self.user, t) self.assertFalse(self.user.has_perm('tests.change_thing', t))
def test_object_permissions_win_over_group(self): t = Thing(name='Test thing') t.save() perm = Permission.objects.get(codename="add_thing") self.group.permissions.add(perm) perm = Permission.objects.get(codename="change_thing") self.group.permissions.add(perm) perm = Permission.objects.get(codename="delete_thing") self.group.permissions.add(perm) self.user.save() self.assertTrue(self.user.has_perm('tests.change_thing')) self.assertTrue(self.user.has_perm('tests.add_thing')) self.assertTrue(self.user.has_perm('tests.delete_thing')) self.assertTrue(self.user.has_perm('tests.change_thing', t)) self.assertTrue(self.user.has_perm('tests.add_thing', t)) self.assertTrue(self.user.has_perm('tests.delete_thing', t)) assign_perm('change_thing', self.group, t) # per-object permission self.assertTrue(self.user.has_perm('tests.change_thing', t)) self.assertFalse(self.user.has_perm('tests.add_thing', t)) self.assertFalse(self.user.has_perm('tests.delete_thing', t))
def test_user_has_access_on_model_with_metaclass(self): """ Test to the fix issues of comparaison made via type() in the decorator. In the case of a `Model` implementing a custom metaclass, the decorator fail because type doesn't return `ModelBase` """ perm = get_user_permission_full_codename('change') class TestMeta(ModelBase): pass class ProxyUser(User): class Meta: proxy = True app_label = User._meta.app_label __metaclass__ = TestMeta joe, created = ProxyUser.objects.get_or_create(username='******') assign_perm(perm, self.user, obj=joe) request = self._get_request(self.user) @permission_required_or_403(perm, ( ProxyUser, 'username', 'username')) def dummy_view(request, username): return HttpResponse('dummy_view') response = dummy_view(request, username='******') self.assertEqual(response.status_code, 200) self.assertEqual(response.content, b'dummy_view')
def test_attach_groups_only_has_perms(self): cache.clear() self.user1.groups.add(self.group1) assign_perm("change_contenttype", self.group1, self.obj1) result = get_users_with_perms(self.obj1, attach_perms=True) expected = {self.user1: ["change_contenttype"]} self.assertEqual(result, expected)
def form_valid(self, form): old_course = models.Course.objects.get(pk=form.instance.pk) initial_instructors = list(old_course.instructors.all()) initial_students = list(old_course.students.all()) response = super(CourseUpdate, self).form_valid(form) instructors = form.instance.instructors.all() students = form.instance.students.all() # print(initial_instructors) # print(instructors) # print(initial_students) # print(students) # Revoke permissions for user in initial_instructors: remove_perm('change_course', user, form.instance) remove_perm('view_course', user, form.instance) remove_perm('instruct_course', user, form.instance) for user in initial_students: remove_perm('view_course', user, form.instance) remove_perm('enroll_course', user, form.instance) # Assign permissions for user in instructors: assign_perm('change_course', user, form.instance) assign_perm('view_course', user, form.instance) assign_perm('instruct_course', user, form.instance) for user in students: assign_perm('view_course', user, form.instance) assign_perm('enroll_course', user, form.instance) return response
def _create_demo_challenge(self): demo = Challenge.objects.create( short_name="demo", description="demo project", creator=self.users["demo"], use_workspaces=True, hidden=False, display_forum_link=True, ) demo.add_participant(self.users["demop"]) Page.objects.create( challenge=demo, title="all", permission_level="ALL" ) Page.objects.create( challenge=demo, title="reg", permission_level="REG" ) Page.objects.create( challenge=demo, title="adm", permission_level="ADM" ) Phase.objects.create(challenge=demo, title="Phase 2") for phase_num, phase in enumerate(demo.phase_set.all()): assign_perm("create_phase_workspace", self.users["demop"], phase) phase.score_title = "Accuracy ± std" phase.score_jsonpath = "acc.mean" phase.score_error_jsonpath = "acc.std" phase.extra_results_columns = [ { "title": "Dice ± std", "path": "dice.mean", "error_path": "dice.std", "order": "desc", } ] phase.submission_kind = phase.SubmissionKind.ALGORITHM phase.evaluation_detail_observable_url = ( phase.evaluation_comparison_observable_url ) = "https://observablehq.com/embed/@grand-challenge/data-fetch-example?cell=*" phase.save() method = Method(phase=phase, creator=self.users["demo"]) container = ContentFile(base64.b64decode(b"")) method.image.save("test.tar", container) method.save() submission = Submission(phase=phase, creator=self.users["demop"]) content = ContentFile(base64.b64decode(b"")) submission.predictions_file.save("test.csv", content) submission.save() e = Evaluation.objects.create( submission=submission, method=method, status=Evaluation.SUCCESS, ) def create_result(evaluation, result: dict): interface = ComponentInterface.objects.get( slug="metrics-json-file" ) try: output_civ = evaluation.outputs.get(interface=interface) output_civ.value = result output_civ.save() except ObjectDoesNotExist: output_civ = ComponentInterfaceValue.objects.create( interface=interface, value=result ) evaluation.outputs.add(output_civ) create_result( e, { "acc": {"mean": 0.1 * phase_num, "std": 0.1}, "dice": {"mean": 0.71, "std": 0.05}, }, )
def test_user_permissions(self): self.group1.user_set.add(self.user1) assign_perm("view_collection", self.user1, self.collection) assign_perm("edit_collection", self.user1, self.collection) assign_perm("view_collection", self.user2, self.collection) assign_perm("view_collection", self.group1, self.collection) assign_perm("edit_collection", self.group1, self.collection) assign_perm("view_collection", self.group2, self.collection) expected_perms = [ { 'permissions': ['edit', 'view'], 'type': 'user', 'id': self.user1.pk, 'name': 'test_user1' }, { 'permissions': ['edit', 'view'], 'type': 'group', 'id': self.group1.pk, 'name': 'Test group 1' }, ] perms = get_object_perms(self.collection, self.user1) self.assertCountEqual(self._sort_perms(expected_perms), self._sort_perms(perms)) self.group2.user_set.add(self.user1) expected_perms.append( { 'permissions': ['view'], 'type': 'group', 'id': self.group2.pk, 'name': 'Test group 2' }, ) perms = get_object_perms(self.collection, self.user1) self.assertCountEqual(self._sort_perms(expected_perms), self._sort_perms(perms)) assign_perm("view_collection", self.anonymous, self.collection) expected_perms.append({'permissions': ['view'], 'type': 'public'}, ) perms = get_object_perms(self.collection, self.user1) self.assertCountEqual(self._sort_perms(expected_perms), self._sort_perms(perms))
def setUpTestData(cls): super().setUpTestData() cls.descriptor_schema = DescriptorSchema.objects.create( slug="test-schema", version="1.0.0", contributor=cls.contributor, schema=[{ "name": "company", "group": [ { "name": "name", "type": "basic:string:", "required": False, }, { "name": "departments", "type": "list:basic:string:", "required": False, }, ], }], ) cls.collections = [ Collection.objects.create( name="Test collection 0", slug="test-collection-0", contributor=cls.contributor, description="My description!", descriptor_schema=cls.descriptor_schema, descriptor={ "company": { "name": "Genialis", "departments": ["engineering", "operations"], } }, tags=["first-tag"], ), Collection.objects.create( name="Test collection 1", slug="test-collection-1", contributor=cls.contributor, description="My favourite test collection", descriptor_schema=cls.descriptor_schema, tags=["first-tag", "second-tag"], ), Collection.objects.create( name="User test collection", slug="user-collection", contributor=cls.user, description="User's description", tags=["second-tag"], ), ] tzone = get_current_timezone() cls.collections[0].created = datetime.datetime(2016, 7, 30, 0, 59, tzinfo=tzone) cls.collections[0].save() cls.collections[1].created = datetime.datetime(2016, 7, 30, 1, 59, tzinfo=tzone) cls.collections[1].save() cls.collections[2].created = datetime.datetime(2016, 7, 30, 2, 59, tzinfo=tzone) cls.collections[2].save() assign_perm("owner_collection", cls.admin, cls.collections[0]) assign_perm("view_collection", cls.user, cls.collections[0]) assign_perm("owner_collection", cls.admin, cls.collections[1]) assign_perm("view_collection", cls.user, cls.collections[1]) assign_perm("view_collection", cls.user, cls.collections[2]) assign_perm("edit_collection", cls.user, cls.collections[2]) assign_perm("owner_collection", cls.user, cls.collections[2]) cls.viewset_class = CollectionViewSet
def setUpTestData(cls): super().setUpTestData() tzone = get_current_timezone() descriptor_schema = DescriptorSchema.objects.create( slug="test-schema", version="1.0.0", contributor=cls.contributor, schema=[{ "name": "company", "group": [ { "name": "name", "type": "basic:string:", "required": False, }, { "name": "departments", "type": "list:basic:string:", "required": False, }, ], }], ) cls.collection1 = Collection.objects.create( name="My collection", slug="my-collection", contributor=cls.contributor, ) cls.collection2 = Collection.objects.create( name="Other collection", slug="other-collection", contributor=cls.contributor, ) cls.entity1 = Entity.objects.create( name="My entity", slug="my-entity", collection=cls.collection1, contributor=cls.contributor, ) cls.entity2 = Entity.objects.create( name="Other entity", slug="other-entity", collection=cls.collection2, contributor=cls.contributor, ) cls.proc1 = Process.objects.create( type="data:test:process1:", name="First process", slug="test-process-1", version="1.0.0", contributor=cls.contributor, input_schema=[{ "name": "input_data", "type": "data:test:", "required": False }], ) cls.proc2 = Process.objects.create( type="data:test:process2:", name="Second process", slug="test-process-2", version="1.0.0", contributor=cls.contributor, input_schema=[{ "name": "input_data", "type": "data:test:", "required": False }], ) cls.data = [ Data.objects.create( name="Data 0", slug="dataslug-0", contributor=cls.contributor, collection=cls.collection1, entity=cls.entity1, process=cls.proc1, status=Data.STATUS_RESOLVING, started=datetime.datetime(2016, 7, 31, 0, 0, tzinfo=tzone), finished=datetime.datetime(2016, 7, 31, 0, 30, tzinfo=tzone), tags=["first-tag"], descriptor_schema=descriptor_schema, descriptor={ "company": { "name": "Genialis", "departments": ["engineering", "operations"], } }, ), Data.objects.create( name="Data 1", slug="dataslug-1", contributor=cls.contributor, collection=cls.collection2, entity=cls.entity2, process=cls.proc1, status=Data.STATUS_DONE, started=datetime.datetime(2016, 7, 31, 1, 0, tzinfo=tzone), finished=datetime.datetime(2016, 7, 31, 1, 30, tzinfo=tzone), tags=["first-tag", "second-tag", "data"], ), Data.objects.create( name="User data", slug="dataslug-2", contributor=cls.user, process=cls.proc2, status=Data.STATUS_DONE, started=datetime.datetime(2016, 7, 31, 2, 0, tzinfo=tzone), finished=datetime.datetime(2016, 7, 31, 2, 30, tzinfo=tzone), tags=["second-tag"], ), ] cls.data[0].created = datetime.datetime(2016, 7, 30, 0, 59, tzinfo=tzone) cls.data[0].save() cls.data[1].created = datetime.datetime(2016, 7, 30, 1, 59, tzinfo=tzone) cls.data[1].save() cls.data[2].created = datetime.datetime(2016, 7, 30, 2, 59, tzinfo=tzone) cls.data[2].save() assign_perm("owner_data", cls.admin, cls.data[0]) assign_perm("view_data", cls.user, cls.data[0]) assign_perm("owner_data", cls.admin, cls.data[1]) assign_perm("view_data", cls.user, cls.data[1]) assign_perm("owner_data", cls.user, cls.data[2]) assign_perm("view_data", cls.user, cls.data[2]) assign_perm("edit_data", cls.user, cls.data[2]) cls.viewset_class = DataViewSet
def get_all_level_info(self): """ Translates the current object guardian perms into a JSON-like "perm_spec" object in the form: { 'users': { <Profile AnonymousUser>: ['view'], <Profile username>: ['perm1','perm2','perm3'], <Profile username2>: ['perm1','perm2','perm3'] ... } 'groups': [ <Group groupname>: ['perm1','perm2','perm3'], <Group groupname2>: ['perm1','perm2','perm3'], ... ] } """ resource = self.get_self_resource() users = get_users_with_perms(resource) groups = get_groups_with_perms(resource, attach_perms=True) if groups: for group in groups: try: group_profile = GroupProfile.objects.get(slug=group.name) managers = group_profile.get_managers() if managers: for manager in managers: if manager not in users and not manager.is_superuser and \ manager != resource.owner: for perm in ADMIN_PERMISSIONS + VIEW_PERMISSIONS + DOWNLOAD_PERMISSIONS: assign_perm(perm, manager, resource) users[ manager] = ADMIN_PERMISSIONS + VIEW_PERMISSIONS + DOWNLOAD_PERMISSIONS except GroupProfile.DoesNotExist: tb = traceback.format_exc() logger.debug(tb) if resource.group: try: group_profile = GroupProfile.objects.get( slug=resource.group.name) managers = group_profile.get_managers() if managers: for manager in managers: if manager not in users and not manager.is_superuser and \ manager != resource.owner: for perm in ADMIN_PERMISSIONS + VIEW_PERMISSIONS + DOWNLOAD_PERMISSIONS: assign_perm(perm, manager, resource) users[ manager] = ADMIN_PERMISSIONS + VIEW_PERMISSIONS + DOWNLOAD_PERMISSIONS except GroupProfile.DoesNotExist: tb = traceback.format_exc() logger.debug(tb) info = {'users': users, 'groups': groups} try: if hasattr(self, "dataset"): info_dataset = { 'users': get_users_with_perms(self.dataset), 'groups': get_groups_with_perms(self.dataset, attach_perms=True) } for user in info_dataset['users']: if user in info['users']: info['users'][user] = info['users'][ user] + info_dataset['users'][user] else: info['users'][user] = info_dataset['users'][user] for group in info_dataset['groups']: if group in info['groups']: info['groups'][group] = list( dict.fromkeys(info['groups'][group] + info_dataset['groups'][group])) else: info['groups'][group] = info_dataset['groups'][group] except Exception: tb = traceback.format_exc() logger.debug(tb) # Remove duplicated perms if any if info: for _k, _v in info.items(): for _kk, _vv in info[_k].items(): if _vv and isinstance(_vv, list): info[_k][_kk] = list(set(_vv)) return info
def test_allow_if_user_given_permission(self): self._create_user_and_login('alice') assign_perm('change_xform', self.user, self.xform) response = self.client.get(self.url) self.assertEqual(response.status_code, 200)
def set_all_permissions(self, user_or_group): assign_perm(self.view_permission_name, user_or_group, self) assign_perm(self.change_children_permission_name, user_or_group, self)
def add(cls, user, obj): cls._remove_obj_permissions(user, obj) for codename, klass in cls.permissions: if type(obj) == klass: assign_perm(codename, user, obj)
def test_perms_single(self): perm = 'contenttypes.change_contenttype' assign_perm(perm, self.group1, self.obj1) self.assertEqual(set(get_objects_for_group(self.group1, perm)), set(get_objects_for_group(self.group1, [perm])))
def test_update_order_as_non_superuser(self): def test_root_menu_order(root_menu_items): # check that order of root menu items has been preserved root_menu_iterator = zip( MenuItem.objects.filter(menu_type=MenuItem.MAIN_MENU, parent_id=None), root_menu_items) for possibly_changed_root_item, old_root_item in root_menu_iterator: self.assertEqual(possibly_changed_root_item.order, old_root_item.order) assign_perm(MenuItem.CHANGE_CHILDREN_PERMISSION_NAME, self.user, self.root_menu_item) root_menu_items = MenuItem.objects.filter(menu_type=MenuItem.MAIN_MENU, parent_id=None) # move subsub item to sub item position children_data = [{ 'id': menu_item.id } for menu_item in [self.sub_item, self.sub_sub_item]] order_data = { 'main_menu_items': [ { 'id': self.root_menu_item.id, 'children': children_data, }, ], 'footer_items': [], } response = self.app.post(reverse('menu_items_update_order'), params=json.dumps(order_data), user=self.user) self.assertEqual(response.status_code, 200) root_menu_children = MenuItem.objects.filter( parent_id=self.root_menu_item.id) self.assertEqual(root_menu_children.count(), 2) test_root_menu_order(root_menu_items) # change order of children children_data = [{ 'id': menu_item.id } for menu_item in reversed(root_menu_children)] order_data['main_menu_items'][0]['children'] = children_data response = self.app.post(reverse('menu_items_update_order'), params=json.dumps(order_data), user=self.user) self.assertEqual(response.status_code, 200) # check that order has indeed changed for changed_child, old_child in zip( reversed( MenuItem.objects.filter(parent_id=self.root_menu_item.id)), root_menu_children): self.assertNotEqual(changed_child.order, old_child.order) test_root_menu_order(root_menu_items) # put one child as child of another children_data = [ { 'id': root_menu_children[0].id, 'children': [{ 'id': root_menu_children[1].id }], }, ] order_data['main_menu_items'][0]['children'] = children_data response = self.app.post(reverse('menu_items_update_order'), params=json.dumps(order_data), user=self.user) self.assertEqual(response.status_code, 200) self.assertEqual( MenuItem.objects.filter( parent_id=root_menu_children[0].id).count(), 1) test_root_menu_order(root_menu_items)
def test_group_assign_perm_global(self): perm = assign_perm("contenttypes.change_contenttype", self.group) self.assertTrue(self.user.has_perm("contenttypes.change_contenttype")) self.assertTrue(isinstance(perm, Permission))
def test_klass_as_queryset(self): assign_perm('contenttypes.change_contenttype', self.group1, self.obj1) objects = get_objects_for_group(self.group1, ['change_contenttype'], ContentType.objects.all()) self.assertEqual(list(objects), [self.obj1])
def test_object_based_permission_with_groups_2perms(self): group_names = ['group1', 'group2', 'group3'] groups = [Group.objects.create(name=name) for name in group_names] for group in groups: self.user.groups.add(group) # Objects to operate on ctypes = list(ContentType.objects.all().order_by('id')) assign_perm('contenttypes.change_contenttype', self.user) assign_perm('change_contenttype', self.user, ctypes[0]) assign_perm('change_contenttype', self.user, ctypes[1]) assign_perm('delete_contenttype', self.user, ctypes[1]) assign_perm('delete_contenttype', self.user, ctypes[2]) assign_perm('change_contenttype', groups[0], ctypes[3]) assign_perm('change_contenttype', groups[1], ctypes[3]) assign_perm('change_contenttype', groups[2], ctypes[4]) assign_perm('delete_contenttype', groups[0], ctypes[0]) objects = get_objects_for_user(self.user, [ 'contenttypes.change_contenttype', 'contenttypes.delete_contenttype' ], accept_global_perms=True) self.assertEqual(set(objects.values_list('id', flat=True)), set([ctypes[0].id, ctypes[1].id, ctypes[2].id]))
def test_short_codenames_with_klass(self): assign_perm('contenttypes.change_contenttype', self.user, self.ctype) objects = get_objects_for_user(self.user, ['change_contenttype'], ContentType) self.assertEqual([obj.name for obj in objects], [self.ctype.name])
def test_groups_perms(self): group1 = Group.objects.create(name='group1') group2 = Group.objects.create(name='group2') group3 = Group.objects.create(name='group3') groups = [group1, group2, group3] for group in groups: self.user.groups.add(group) # Objects to operate on ctypes = list(ContentType.objects.all().order_by('id')) assign_perm('auth.change_group', self.user) assign_perm('change_contenttype', self.user, ctypes[0]) assign_perm('change_contenttype', self.user, ctypes[1]) assign_perm('delete_contenttype', self.user, ctypes[1]) assign_perm('delete_contenttype', self.user, ctypes[2]) assign_perm('change_contenttype', groups[0], ctypes[3]) assign_perm('change_contenttype', groups[1], ctypes[3]) assign_perm('change_contenttype', groups[2], ctypes[4]) assign_perm('delete_contenttype', groups[0], ctypes[0]) objects = get_objects_for_user(self.user, ['contenttypes.change_contenttype']) self.assertEqual(set(objects.values_list('id', flat=True)), set(ctypes[i].id for i in [0, 1, 3, 4])) objects = get_objects_for_user(self.user, [ 'contenttypes.change_contenttype', 'contenttypes.delete_contenttype' ]) self.assertEqual(set(objects.values_list('id', flat=True)), set(ctypes[i].id for i in [0, 1])) objects = get_objects_for_user(self.user, ['contenttypes.change_contenttype']) self.assertEqual(set(objects.values_list('id', flat=True)), set(ctypes[i].id for i in [0, 1, 3, 4]))
def test_object_based_permission_with_groups_3perms(self): group_names = ['group1', 'group2', 'group3'] groups = [Group.objects.create(name=name) for name in group_names] for group in groups: self.user.groups.add(group) # Objects to operate on ctypes = list(ContentType.objects.all().order_by('id')) assign_perm('contenttypes.change_contenttype', self.user) assign_perm('change_contenttype', self.user, ctypes[0]) assign_perm('change_contenttype', self.user, ctypes[1]) assign_perm('delete_contenttype', self.user, ctypes[1]) assign_perm('delete_contenttype', self.user, ctypes[2]) # add_contenttype does not make sense, here just for testing purposes, # to also cover one if branch in function. assign_perm('add_contenttype', self.user, ctypes[1]) assign_perm('change_contenttype', groups[0], ctypes[3]) assign_perm('change_contenttype', groups[1], ctypes[3]) assign_perm('change_contenttype', groups[2], ctypes[4]) assign_perm('delete_contenttype', groups[0], ctypes[0]) assign_perm('add_contenttype', groups[0], ctypes[0]) objects = get_objects_for_user(self.user, [ 'contenttypes.change_contenttype', 'contenttypes.delete_contenttype', 'contenttypes.add_contenttype' ], accept_global_perms=True) self.assertEqual(set(objects.values_list('id', flat=True)), set([ctypes[0].id, ctypes[1].id]))
def test_perms_single(self): perm = 'auth.change_group' assign_perm(perm, self.user, self.group) self.assertEqual(set(get_objects_for_user(self.user, perm)), set(get_objects_for_user(self.user, [perm])))
def test_user_assign_perm(self): assign_perm("change_contenttype", self.user, self.ctype) assign_perm("change_contenttype", self.group, self.ctype) self.assertTrue(self.user.has_perm("change_contenttype", self.ctype))
def test_mixed(self): assign_perm("change_contenttype", self.group1, self.obj1) assign_perm("change_contenttype", self.group1, self.obj2) assign_perm("change_%s" % user_module_name, self.group1, self.user3) assign_perm("change_contenttype", self.group2, self.obj2) assign_perm("change_contenttype", self.group2, self.obj1) assign_perm("delete_contenttype", self.group2, self.obj1) assign_perm("change_%s" % user_module_name, self.group3, self.user1) result = get_groups_with_perms(self.obj1) self.assertEqual(set(result), set([self.group1, self.group2]))
def test_klass_as_queryset(self): assign_perm('auth.change_group', self.user, self.group) objects = get_objects_for_user(self.user, ['auth.change_group'], Group.objects.all()) self.assertEqual([obj.name for obj in objects], [self.group.name])
def test_simple(self): assign_perm("change_contenttype", self.group1, self.obj1) result = get_groups_with_perms(self.obj1) self.assertEqual(len(result), 1) self.assertEqual(result[0], self.group1)
def test_mixed_attach_perms(self): assign_perm("change_contenttype", self.group1, self.obj1) assign_perm("change_contenttype", self.group1, self.obj2) assign_perm("change_group", self.group1, self.group3) assign_perm("change_contenttype", self.group2, self.obj2) assign_perm("change_contenttype", self.group2, self.obj1) assign_perm("delete_contenttype", self.group2, self.obj1) assign_perm("change_group", self.group3, self.group1) result = get_groups_with_perms(self.obj1, attach_perms=True) expected = { self.group1: ["change_contenttype"], self.group2: ["change_contenttype", "delete_contenttype"], } self.assertEqual(result.keys(), expected.keys()) for key, perms in result.items(): self.assertEqual(set(perms), set(expected[key]))
def test_user_remove_perm_global(self): # assign perm first perm = "contenttypes.change_contenttype" assign_perm(perm, self.user) remove_perm(perm, self.user) self.assertFalse(self.user.has_perm(perm))
def test_simple_attach_perms(self): assign_perm("change_contenttype", self.group1, self.obj1) result = get_groups_with_perms(self.obj1, attach_perms=True) expected = {self.group1: ["change_contenttype"]} self.assertEqual(result, expected)
def test_has_global_permission(self): assign_perm('contenttypes.change_contenttype', self.group1) objects = get_objects_for_group(self.group1, ['contenttypes.change_contenttype']) self.assertEquals(set(objects), set(ContentType.objects.all()))
def test_attach_groups_only_has_perms(self): self.user1.groups.add(self.group1) assign_perm("change_contenttype", self.group1, self.obj1) result = get_users_with_perms(self.obj1, attach_perms=True) expected = {self.user1: ["change_contenttype"]} self.assertEqual(result, expected)
def set_permissions(self, perm_spec): """ Sets an object's the permission levels based on the perm_spec JSON. the mapping looks like: { 'users': { 'AnonymousUser': ['view'], <username>: ['perm1','perm2','perm3'], <username2>: ['perm1','perm2','perm3'] ... } 'groups': [ <groupname>: ['perm1','perm2','perm3'], <groupname2>: ['perm1','perm2','perm3'], ... ] } """ remove_object_permissions(self) # default permissions for resource owner set_owner_permissions(self) # Anonymous User group if 'users' in perm_spec and "AnonymousUser" in perm_spec['users']: anonymous_group = Group.objects.get(name='anonymous') for perm in perm_spec['users']['AnonymousUser']: if self.polymorphic_ctype.name == 'layer' and perm in ('change_layer_data', 'change_layer_style', 'add_layer', 'change_layer', 'delete_layer',): assign_perm(perm, anonymous_group, self.layer) else: assign_perm(perm, anonymous_group, self.get_self_resource()) # Owner if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False): if self.polymorphic_ctype.name == 'layer': purge_geofence_layer_rules(self.get_self_resource()) perms = [ "change_resourcebase", "change_resourcebase_permissions", "view_resourcebase", "download_resourcebase"] sync_geofence_with_guardian(self.layer, perms, user=self.owner) # All the other users if 'users' in perm_spec and len(perm_spec['users']) > 0: for user, perms in perm_spec['users'].items(): _user = get_user_model().objects.get(username=user) for perm in perms: if self.polymorphic_ctype.name == 'layer' and perm in ( 'change_layer_data', 'change_layer_style', 'add_layer', 'change_layer', 'delete_layer',): assign_perm(perm, _user, self.layer) else: assign_perm(perm, _user, self.get_self_resource()) # Set the GeoFence Rules if user and user == "AnonymousUser": user = None if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False): if self.polymorphic_ctype.name == 'layer': sync_geofence_with_guardian(self.layer, perms, user=user) # All the other groups if 'groups' in perm_spec and len(perm_spec['groups']) > 0: for group, perms in perm_spec['groups'].items(): _group = Group.objects.get(name=group) for perm in perms: if self.polymorphic_ctype.name == 'layer' and perm in ( 'change_layer_data', 'change_layer_style', 'add_layer', 'change_layer', 'delete_layer',): assign_perm(perm, _group, self.layer) else: assign_perm(perm, _group, self.get_self_resource()) # Set the GeoFence Rules if _group and _group.name and _group.name == 'anonymous': _group = None if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False): if self.polymorphic_ctype.name == 'layer': sync_geofence_with_guardian(self.layer, perms, group=_group)
def test_user_remove_perm(self): # assign perm first assign_perm("change_contenttype", self.user, self.ctype) remove_perm("change_contenttype", self.user, self.ctype) self.assertFalse(self.user.has_perm("change_contenttype", self.ctype))
def allow_edit(self, user): assign_perm('can_edit', user, self)
def give_permissions(user, level): if user != 'default': try: user = get_user(user, message.hub.id) except User.DoesNotExist: return else: user = PermGroup.objects.get(name='default') if level == 'read': assign_perm('view_datastore', user, datastore) remove_perm('change_datastore', user, datastore) remove_perm('delete_datastore', user, datastore) elif level == 'write': assign_perm('view_datastore', user, datastore) assign_perm('change_datastore', user, datastore) remove_perm('delete_datastore', user, datastore) elif level == 'admin': assign_perm('view_datastore', user, datastore) assign_perm('change_datastore', user, datastore) assign_perm('delete_datastore', user, datastore) elif level == 'deny': remove_perm('view_datastore', user, datastore) remove_perm('change_datastore', user, datastore) remove_perm('delete_datastore', user, datastore)