예제 #1
0
    def test_error_when_no_access_to_meeting_dossier(self, browser):
        with self.login(self.administrator):
            RoleAssignmentManager(
                self.committee_container).add_or_update_assignment(
                    SharingRoleAssignment(self.regular_user.getId(),
                                          ['Reader']))
            RoleAssignmentManager(self.committee).add_or_update_assignment(
                SharingRoleAssignment(self.regular_user.getId(),
                                      ['CommitteeResponsible', 'Editor']))

            # Let regular_user have no access to meeting_dossier
            self.meeting_dossier.__ac_local_roles_block__ = True

            agenda_item = self.schedule_proposal(self.meeting,
                                                 self.submitted_proposal)
            agenda_item.decide()

        self.login(self.regular_user, browser)
        with browser.expect_http_error(code=403):
            browser.open(
                self.agenda_item_url(agenda_item, 'generate_excerpt'),
                data={'excerpt_title': 'Excerption \xc3\x84nderungen'})
            expected_messages = {
                u'messages': [{
                    u'messageTitle': u'Error',
                    u'message':
                    u'Insufficient privileges to add a document to the meeting dossier.',
                    u'messageClass': u'error',
                }],
            }
            self.assertEquals(expected_messages, browser.json)
예제 #2
0
    def test_guarded_by_modify_portal_content(self):
        self.login(self.regular_user)
        self.assertIn(self.transition, self.get_workflow_transitions_for(self.task))

        RoleAssignmentManager(self.portal).add_or_update_assignment(
            SharingRoleAssignment(self.reader_user.getId(), ['Reader']),
        )
        RoleAssignmentManager(self.dossier).add_or_update_assignment(
            SharingRoleAssignment(self.reader_user.getId(), ['Reader']),
        )

        self.login(self.reader_user)
        self.assertNotIn(self.transition, self.get_workflow_transitions_for(self.task))
예제 #3
0
    def test_update_roles_preserves_unmanaged_roles(self):
        assignments = [
            SharingRoleAssignment('foo', ['Contributor', 'Administrator']),
            SharingRoleAssignment('org-unit-1_users', ['Contributor'])
        ]
        RoleAssignmentManager(self.committee).reset(assignments)

        CommitteeRoles(self.committee).update(
            'foo', previous_principal='org-unit-1_users')
        local_roles = dict(self.committee.get_local_roles())
        self.assertItemsEqual(
            ['Administrator', 'CommitteeResponsible', 'Contributor'],
            local_roles['foo'])
        self.assertItemsEqual(['Contributor'], local_roles['org-unit-1_users'])
예제 #4
0
    def test_remove_role_assignments_and_updates_local_roles(self, browser):
        self.login(self.administrator, browser=browser)

        manager = RoleAssignmentManager(self.empty_dossier)
        manager.add_or_update_assignment(
            SharingRoleAssignment(
                self.regular_user.id, ['Reader', 'Editor', 'Contributor']))

        data = json.dumps({
            "entries": [
                {"id": self.regular_user.id,
                 "roles": {"Contributor": False,
                           "Editor": False,
                           "Reader": False,
                           "Reviewer": False,
                           "Publisher": False},
                 "type": "user"},
            ],
            "inherit": True})

        browser.open(self.empty_dossier, data, view='@sharing', method='POST',
                     headers={'Accept': 'application/json',
                              'Content-Type': 'application/json'})

        self.assertEquals(
            (('robert.ziegler', ('Owner',)),),
            self.empty_dossier.get_local_roles())
        self.assertEquals(
            [],
            RoleAssignmentManager(self.empty_dossier).storage._storage())
예제 #5
0
    def test_subdossiers_the_user_cannot_view_can_also_block_deactivation(
            self, browser):
        with self.login(self.dossier_manager):
            # Protect self.subsubdossier so it cannot be seen by an 'Editor' of self.subdossier
            self.assertFalse(
                getattr(self.subsubdossier, '__ac_local_roles_block__', False))
            dossier_protector = IProtectDossier(self.subsubdossier)
            dossier_protector.dossier_manager = self.dossier_manager.getId()
            dossier_protector.reading = [self.secretariat_user.getId()]
            dossier_protector.protect()
            self.assertTrue(
                getattr(self.subsubdossier, '__ac_local_roles_block__', False))
            self.assertFalse(
                api.user.has_permission('View',
                                        user=self.regular_user,
                                        obj=self.subsubdossier),
                'This test does not actually test what it says on the tin, if self.regular_user can see self.subsubdossier.',
            )

            # Grant self.regular_user 'Editor' on self.subdossier so the action to deactivate is presented to the user
            RoleAssignmentManager(self.subdossier).add_or_update_assignment(
                SharingRoleAssignment(self.regular_user.getId(),
                                      ['Reader', 'Contributor', 'Editor']))

        self.login(self.regular_user, browser)
        self.deactivate(self.subdossier, browser)
        expected_msgs = [
            u"The Dossier 2016 contains a subdossier "
            u"which can't be deactivated by the user."
        ]
        self.assert_errors(self.subdossier, browser, expected_msgs)
예제 #6
0
    def test_add_recursive_documents_and_subdossiers_local_roles(
            self, browser):
        self.login(self.regular_user, browser)

        RoleAssignmentManager(
            self.subdossiertemplate).add_or_update_assignment(
                SharingRoleAssignment(self.regular_user.getId(),
                                      ['Reader', 'Contributor', 'Editor']))

        browser.open(self.leaf_repofolder)
        factoriesmenu.add('Dossier with template')
        token = browser.css(
            'input[name="form.widgets.template"]').first.attrib.get('value')
        browser.fill({'form.widgets.template': token}).submit()
        browser.click_on('Save')
        dossier = browser.context

        self.assertEqual('Bauvorhaben klein', dossier.title)
        subdossier = dossier.listFolderContents()[1]
        self.assertEqual(
            [u'Werkst\xe4tte', u'Anfragen'],
            [obj.title for obj in dossier.listFolderContents()],
            "The content of the subdossiertemplate is not correct!")
        expected_role_assignments = [{
            'cause':
            3,
            'reference':
            None,
            'roles': ['Reader', 'Contributor', 'Editor'],
            'principal':
            'kathi.barfuss',
        }]
        role_assignments = RoleAssignmentManager(subdossier).storage._storage()
        self.assertEqual(expected_role_assignments, role_assignments)
예제 #7
0
    def test_update_localroles_if_user_has_changed_protection_fields(
            self, browser):
        self.login(self.dossier_manager, browser)

        browser.open(self.leaf_repofolder)
        factoriesmenu.add(u'Business Case Dossier')
        browser.fill({'Title': 'My Dossier'})
        form = browser.find_form_by_field('Reading')
        form.find_widget('Reading and writing').fill(self.regular_user.getId())
        browser.click_on('Save')

        new_dossier = browser.context
        RoleAssignmentManager(new_dossier).add_or_update_assignment(
            SharingRoleAssignment('projekt_a', ['Contributor']))

        self.assert_local_roles(
            IProtectDossier(new_dossier).READING_AND_WRITING_ROLES,
            self.regular_user.getId(), new_dossier)

        self.assert_local_roles(['Contributor'], 'projekt_a', new_dossier)

        browser.open(new_dossier, view="@@edit")
        browser.fill({'Title': 'My new Dossier'})
        form = browser.find_form_by_field('Reading')
        form.find_widget('Reading and writing').fill([])
        form.find_widget('Reading').fill([self.regular_user.getId()])
        browser.click_on('Save')

        self.assert_local_roles(
            IProtectDossier(new_dossier).READING_ROLES,
            self.regular_user.getId(), new_dossier)

        self.assert_local_roles([], 'projekt_a', new_dossier)
예제 #8
0
def assign_owner_role_on_creation(workspace, event):
    """The creator of the workspace should have the WorkspaceOwner role,
    so that the she / he can access the workspace.
    """
    owner_userid = workspace.Creator()
    assignment = SharingRoleAssignment(owner_userid, ['WorkspaceOwner'])
    RoleAssignmentManager(workspace).add_or_update_assignment(assignment)
예제 #9
0
    def create_org_unit_inbox(self):
        container = create(Builder('inbox_container').titled(u'Inboxes'))
        RoleAssignmentManager(container).add_or_update_assignment(
            SharingRoleAssignment(self.regular_user.getId(),
                                  ['Reader', 'Contributor', 'Editor']))

        return create(
            Builder('inbox').titled(u'Inbox').within(container).having(
                responsible_org_unit='fa'))
예제 #10
0
    def test_user_has_permission_if_dossier_manager_on_repo(self):
        self.login(self.regular_user)

        RoleAssignmentManager(self.leaf_repofolder).add_or_update_assignment(
            SharingRoleAssignment(self.regular_user.getId(),
                                  ['DossierManager']))

        self.assertTrue(
            api.user.has_permission('opengever.dossier: Protect dossier',
                                    obj=self.dossier))
예제 #11
0
    def test_reader_of_parent_can_still_view_closed_task(self, browser):
        with self.login(self.regular_user):
            RoleAssignmentManager(self.portal).add_or_update_assignment(
                SharingRoleAssignment(self.reader_user.getId(), ['Reader']), )
            RoleAssignmentManager(self.dossier).add_or_update_assignment(
                SharingRoleAssignment(self.reader_user.getId(), ['Reader']), )

        self.login(self.reader_user, browser)
        browser.open(self.task, view='tabbedview_view-overview')
        expected_actions = []
        self.assertEqual(expected_actions, browser.css('#action-menu a').text)

        with self.login(self.dossier_responsible, browser=browser):
            self.set_workflow_state('task-state-tested-and-closed',
                                    self.subtask)
            self.set_workflow_state('task-state-resolved', self.task)

        browser.open(self.task, view='tabbedview_view-overview')
        expected_actions = []
        self.assertEqual(expected_actions, browser.css('#action-menu a').text)
예제 #12
0
    def grant(self, *roles, **kwargs):
        user_id = kwargs.get('user_id', TEST_USER_ID)
        context = kwargs.get('on', None)

        if context is None:
            setRoles(self.portal, user_id, list(roles))
        else:
            RoleAssignmentManager(context).add_or_update_assignment(
                SharingRoleAssignment(user_id, list(roles)))

        transaction.commit()
예제 #13
0
    def test_check_protect_dossier_consistency_returns_no_messages_if_no_inconsistency(
            self):
        self.login(self.dossier_manager)

        RoleAssignmentManager(self.empty_dossier).add_or_update_assignment(
            SharingRoleAssignment(self.dossier_responsible.id, ['Reader']))
        RoleAssignmentManager(self.empty_dossier).add_or_update_assignment(
            SharingRoleAssignment(self.dossier_responsible.id, [
                'Reader', 'Editor', 'Contributor', 'Reviewer', 'Publisher',
                'DossierManager', 'Owner'
            ]))

        dossier_protector = IProtectDossier(self.empty_dossier)
        dossier_protector.dossier_manager = self.dossier_manager.getId()
        dossier_protector.reading = [self.dossier_responsible.id]
        dossier_protector.protect()
        view = getMultiAdapter((self.empty_dossier, self.request),
                               name="check_protect_dossier_consistency")

        self.assertIsNone(json.loads(view()).get('messages'))
예제 #14
0
    def test_responsible_can_edit_related_documents_that_are_inside_a_task(
            self, browser):
        self.login(self.administrator, browser=browser)
        api.content.disable_roles_acquisition(obj=self.dossier)

        RoleAssignmentManager(self.dossier).add_or_update_assignment(
            SharingRoleAssignment(self.administrator.getId(),
                                  ['Reader', 'Contributor', 'Editor']))

        self.task.responsible = self.secretariat_user.id
        notify(ObjectModifiedEvent(self.task))

        self.login(self.secretariat_user, browser=browser)
        browser.open(self.taskdocument, view='edit')
예제 #15
0
    def test_check_protect_dossier_consistency_returns_error_msg_if_inconsistent(
            self):
        self.login(self.dossier_manager)

        dossier_protector = IProtectDossier(self.dossier)
        dossier_protector.reading = [self.regular_user.getId()]
        dossier_protector.protect()

        RoleAssignmentManager(self.dossier).add_or_update_assignment(
            SharingRoleAssignment(self.regular_user.getId(),
                                  ['DossierManager']))

        view = getMultiAdapter((self.dossier, self.request),
                               name="check_protect_dossier_consistency")

        self.assertEqual(1, len(json.loads(view()).get('messages')))
예제 #16
0
    def test_upload_box_is_also_shown_in_a_resolved_task(self, browser):
        self.login(self.regular_user, browser)

        self.set_workflow_state('task-state-tested-and-closed', self.task)
        RoleAssignmentManager(self.dossier).add_or_update_assignment(
            SharingRoleAssignment('kathi.barfuss',
                                  ['Reader', 'Contributor', 'Editor']))

        manager = queryMultiAdapter((self.taskdocument, self.request),
                                    ICheckinCheckoutManager)
        manager.checkout()

        browser.open(self.taskdocument)

        self.assertGreater(len(browser.css('#uploadbox')), 0,
                           'Uploadbox is not displayed, but should.')
예제 #17
0
    def _update_role_settings(self, new_settings, reindex=True):
        """Replaced because we need our own permission manager stuff.
        """
        assignments = []
        principals_to_clear = []

        for s in new_settings:
            principal = s['id']
            selected_roles = frozenset(s['roles'])
            if not selected_roles:
                principals_to_clear.append(principal)
                continue

            assignments.append(SharingRoleAssignment(principal,
                                                     selected_roles))

        manager = RoleAssignmentManager(self.context)
        if assignments:
            manager.reset(assignments)
        else:
            manager.clear_by_cause_and_principals(ASSIGNMENT_VIA_SHARING,
                                                  principals_to_clear)
예제 #18
0
    def setUp(self):
        super(TestMyInvitationsView, self).setUp()
        self.login(self.workspace_admin)
        self.storage = getUtility(IInvitationStorage)

        self.workspace2 = create(Builder('workspace')
                                 .within(self.workspace_root)
                                 .titled(u'Second workspace'))

        self.storage.add_invitation(
            self.workspace, self.regular_user.getId(),
            self.workspace_admin.getId(), 'WorkspaceGuest')
        self.storage.add_invitation(
            self.workspace2, self.regular_user.getId(),
            self.workspace_admin.getId(), 'WorkspaceGuest')
        self.storage.add_invitation(
            self.workspace2, self.workspace_guest.getId(),
            self.workspace_admin.getId(), 'WorkspaceGuest')

        RoleAssignmentManager(self.workspace_root).add_or_update_assignment(
            SharingRoleAssignment(self.regular_user.getId(),
                                  ['WorkspacesUser']))
예제 #19
0
    def test_sharing_view_extends_information(self, browser):
        self.login(self.administrator, browser=browser)

        manager = RoleAssignmentManager(self.empty_dossier)
        manager.add_or_update_assignment(
            TaskRoleAssignment(
                self.regular_user.id, ['Contributor'], self.task))
        manager.add_or_update_assignment(
            SharingRoleAssignment(
                self.regular_user.id, ['Reader', 'Editor', 'Contributor']))

        browser.open(self.empty_dossier, view='@sharing',
                     method='Get', headers={'Accept': 'application/json'})

        entries = browser.json['entries']

        self.assertEquals(
            {u'automatic_roles': {u'Contributor': True,
                                  u'Editor': False,
                                  u'Publisher': False,
                                  u'Reader': False,
                                  u'Reviewer': False},
             u'computed_roles': {u'Contributor': True,
                                 u'Editor': True,
                                 u'Publisher': False,
                                 u'Reader': True,
                                 u'Reviewer': False},
             u'disabled': False,
             u'id': u'kathi.barfuss',
             u'login': u'kathi.barfuss',
             u'roles': {u'Contributor': True,
                        u'Editor': True,
                        u'Publisher': False,
                        u'Reader': True,
                        u'Reviewer': False},
             u'title': u'B\xe4rfuss K\xe4thi',
             u'type': u'user',
             u'url': u'http://nohost/plone/@@user-details-plain/kathi.barfuss'},
            [item for item in entries if item['id'] == self.regular_user.id][0])
예제 #20
0
    def __iter__(self):
        for item in self.previous:
            pathkey = self.pathkey(*item.keys())[0]
            roleskey = self.roleskey(*item.keys())[0]

            if not pathkey or not roleskey or \
               roleskey not in item:    # not enough info
                yield item
                continue

            obj = self.context.unrestrictedTraverse(item[pathkey].lstrip('/'),
                                                    None)
            if obj is None:  # path doesn't exist
                yield item
                continue

            if IRoleManager.providedBy(obj):
                for principal, roles in item[roleskey].items():
                    if roles:
                        RoleAssignmentManager(obj).add_or_update_assignment(
                            SharingRoleAssignment(principal, roles))

            yield item
예제 #21
0
 def _assign_roles_to_development_users_group(self, roles, obj):
     assignment = SharingRoleAssignment(DEVELOPMENT_USERS_GROUP, roles)
     RoleAssignmentManager(obj).add_or_update_assignment(assignment)
예제 #22
0
    def update_inherit(self, status=True, reindex=True):
        """Method Wrapper for the super method, to allow notify a
        corresponding event. Needed for adding a Journalentry after a
        change of the inheritance
        """
        user = api.user.get_current()
        is_administrator = user.has_role('Administrator') or user.has_role(
            'Manager')

        # Modifying local roles needs the "Sharing page: Delegate roles"
        # permission as well as "Modify portal content". However, we don't
        # want to give the "Role Manager" Role "Modify portal content",
        # so we circumvent the permission check here by temporarily assuming
        # the owner's roles. [lgraf]

        context = self.context
        portal_membership = getToolByName(context, 'portal_membership')

        block = not status
        oldblock = bool(
            getattr(aq_base(context), '__ac_local_roles_block__', False))

        if block == oldblock:
            return False

        # store the real user
        user = portal_membership.getAuthenticatedMember()

        # assume the manger user security context
        old_sm = getSecurityManager()

        owner = getToolByName(
            context, 'portal_url').getPortalObject().getWrappedOwner()
        newSecurityManager(self.context, owner)

        if block and not is_administrator:
            # If user has inherited local roles and removes inheritance,
            # locally set roles he inherited before
            # to avoid definitive lose of access (refs #11945)

            # For administrators and managers we skip those fallback, because
            # the access for those users is ensured by the global roles. So we
            # can avoid local_roles assigned to a specific users, which we say
            # should not be used usually.

            context_roles = user.getRolesInContext(context)
            global_roles = user.getRoles()
            local_roles = [r for r in context_roles if r not in global_roles]
            if local_roles:
                assignment = SharingRoleAssignment(user.getId(), local_roles)
                RoleAssignmentManager(
                    self.context).add_or_update_assignment(assignment)

        context.__ac_local_roles_block__ = True if block else None

        # Restore the old security manager
        setSecurityManager(old_sm)

        if reindex:
            context.reindexObjectSecurity()

        if not block:
            notify(LocalRolesAcquisitionActivated(self.context))
        else:
            notify(LocalRolesAcquisitionBlocked(self.context))

        return True
예제 #23
0
 def create_single_inbox(self):
     inbox = create(Builder('inbox').titled(u'Inbox'))
     RoleAssignmentManager(inbox).add_or_update_assignment(
         SharingRoleAssignment(self.regular_user.getId(),
                               ['Reader', 'Contributor', 'Editor']))
     return inbox