예제 #1
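 def testClassPermission(self):
     """A client carrying only a ``username`` field must not be able to edit user items.

     The client is built by ``_make_client`` with its default user (defined
     elsewhere in the file), so the expected failure is class-level: the
     request must be refused both without a target node and with
     ``nodeid`` set to ``'1'``.  ``EditItemAction.handle`` is expected to
     raise ``exceptions.Unauthorised`` in both cases.
     """
     cl = self._make_client(dict(username='******'))
     # assertRaises rather than the deprecated failUnlessRaises alias,
     # which Python 3.12 removed from unittest; also matches the second
     # assertion below.
     self.assertRaises(exceptions.Unauthorised,
                       actions.EditItemAction(cl).handle)
     cl.nodeid = '1'
     self.assertRaises(exceptions.Unauthorised,
                       actions.EditItemAction(cl).handle)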
예제 #2
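    def testCheckAndPropertyPermission(self):
        """Edit permission narrowed by both a check function and a property list.

        The only Edit permission on the ``user`` class is granted to the
        ``User`` role, covers the ``password`` property alone, and is further
        gated by ``own_record`` (``userid == itemid``).  A client submitting
        ``username`` must be refused because that property lies outside the
        grant; a client submitting ``password`` plus its confirmation must be
        refused as well -- presumably because the client's default user and
        the target item differ, so ``own_record`` fails; confirm against
        ``_make_client``, which is defined elsewhere in the file.
        """
        self.db.security.permissions = {}

        def own_record(db, userid, itemid):
            # Permission check: passes only when the acting user is the
            # item being edited.
            return userid == itemid

        p = self.db.security.addPermission(name='Edit', klass='user',
            check=own_record, properties=("password", ))
        self.db.security.addPermissionToRole('User', p)

        cl = self._make_client(dict(username='******'))
        self.assertRaises(exceptions.Unauthorised,
            actions.EditItemAction(cl).handle)
        cl = self._make_client({'password':'******', '@confirm@password':'******'})
        # assertRaises rather than the deprecated failUnlessRaises alias,
        # which Python 3.12 removed from unittest; also matches the
        # assertion above.
        self.assertRaises(exceptions.Unauthorised,
            actions.EditItemAction(cl).handle)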
예제 #3
    def testCreatePermission(self):
        """Create and Edit permissions on ``user`` are enforced as separate grants.

        Role ``UserAdd`` receives a ``Create`` permission over the sign-up
        properties and an ``Edit`` permission over the same set minus
        ``username``; neither grant includes ``roles``.  User ``4`` is put
        in that role.  ``NewItemAction`` must then refuse user ``2``, refuse
        user ``4`` when the form carries ``roles``, and go through (raising
        ``Redirect``) for user ``4`` without ``roles``, leaving no error
        message behind.  ``EditItemAction`` must refuse a change to
        ``username`` or ``roles`` whichever user and node are involved.
        """
        security = self.db.security
        security.permissions = {}
        security.addRole(name='UserAdd')

        # Neither grant lists "roles"; the Edit grant additionally leaves
        # out "username".
        create_props = ("username", "password", "address", "alternate_address",
                        "realname", "phone", "organisation", "timezone")
        edit_props = create_props[1:]
        for perm_name, props in (('Create', create_props),
                                 ('Edit', edit_props)):
            perm = security.addPermission(name=perm_name, klass='user',
                                          properties=props)
            security.addPermissionToRole('UserAdd', perm)
        self.db.user.set('4', roles='UserAdd')

        def refused(exc, action):
            # The action object is constructed by the caller, before the
            # assertion context is entered, so construction errors surface
            # exactly as with the positional-callable form of assertRaises.
            with self.assertRaises(exc):
                action.handle()

        signup_with_roles = {
            'username': '******',
            'password': '******',
            '@confirm@password': '******',
            'address': '*****@*****.**',
            'roles': 'Admin'
        }
        signup = {k: v for k, v in signup_with_roles.items() if k != 'roles'}

        # anonymous may not create at all
        cl = self._make_client(dict(signup_with_roles), nodeid=None, userid='2')
        refused(exceptions.Unauthorised, actions.NewItemAction(cl))
        # a UserAdd user may not create a user that carries roles
        cl = self._make_client(dict(signup_with_roles), nodeid=None, userid='4')
        refused(exceptions.Unauthorised, actions.NewItemAction(cl))
        self.assertEqual(cl._error_message, [])
        # without roles the creation goes through and redirects
        cl = self._make_client(dict(signup), nodeid=None, userid='4')
        refused(exceptions.Redirect, actions.NewItemAction(cl))
        self.assertEqual(cl._error_message, [])

        # username is outside the Edit grant, with or without a target node
        for extra in ({'userid': '4'},
                      {'userid': '4', 'nodeid': '4'}):
            cl = self._make_client({'username': '******'}, **extra)
            refused(exceptions.Unauthorised, actions.EditItemAction(cl))

        # roles may not be changed, on one's own node or otherwise
        for extra in ({'userid': '4', 'nodeid': '4'},
                      {'userid': '4'},
                      {}):
            cl = self._make_client({'roles': 'User,Admin'}, **extra)
            refused(exceptions.Unauthorised, actions.EditItemAction(cl))