class CryptoAdminPanelTestCase(unittest.TestCase): def setUp(self): self.env = EnvironmentStub(enable=['trac.*', 'crypto.*']) self.env.path = tempfile.mkdtemp() self.perm = PermissionSystem(self.env) self.req = Mock() self.crypto_ap = CryptoAdminPanel(self.env) def tearDown(self): shutil.rmtree(self.env.path) def test_available_actions(self): self.failIf('CRYPTO_ADMIN' not in self.perm.get_actions()) self.failIf('CRYPTO_DELETE' not in self.perm.get_actions()) def test_available_actions_no_perms(self): self.perm.grant_permission('admin', 'authenticated') self.assertFalse(self.perm.check_permission('CRYPTO_ADMIN', 'admin')) self.assertFalse(self.perm.check_permission('CRYPTO_DELETE', 'admin')) def test_available_actions_delete_only(self): self.perm.grant_permission('admin', 'CRYPTO_DELETE') self.assertFalse(self.perm.check_permission('CRYPTO_ADMIN', 'admin')) self.assertTrue(self.perm.check_permission('CRYPTO_DELETE', 'admin')) def test_available_actions_full_perms(self): self.perm.grant_permission('admin', 'TRAC_ADMIN') self.assertTrue(self.perm.check_permission('CRYPTO_ADMIN', 'admin')) self.assertTrue(self.perm.check_permission('CRYPTO_DELETE', 'admin'))
class CryptoAdminPanelTestCase(unittest.TestCase): def setUp(self): self.env = EnvironmentStub(enable=['trac.*', 'crypto.*']) self.env.path = tempfile.mkdtemp() self.perm = PermissionSystem(self.env) self.req = Mock() self.crypto_ap = CryptoAdminPanel(self.env) def tearDown(self): shutil.rmtree(self.env.path) def test_available_actions(self): self.failIf('CRYPTO_ADMIN' not in self.perm.get_actions()) self.failIf('CRYPTO_DELETE' not in self.perm.get_actions()) def test_available_actions_no_perms(self): self.perm.grant_permission('admin', 'authenticated') self.assertFalse(self.perm.check_permission('CRYPTO_ADMIN', 'admin')) self.assertFalse(self.perm.check_permission('CRYPTO_DELETE', 'admin')) def test_available_actions_delete_only(self): self.perm.grant_permission('admin', 'CRYPTO_DELETE') self.assertFalse(self.perm.check_permission('CRYPTO_ADMIN', 'admin')) self.assertTrue(self.perm.check_permission('CRYPTO_DELETE', 'admin')) def test_available_actions_full_perms(self): self.perm.grant_permission('admin', 'TRAC_ADMIN') self.assertTrue(self.perm.check_permission('CRYPTO_ADMIN', 'admin')) self.assertTrue(self.perm.check_permission('CRYPTO_DELETE', 'admin'))
def process_admin_request(self, req, cat, page, path_info): perm = PermissionSystem(self.env) perms = self._get_all_permissions() subject = req.args.get('subject') action = req.args.get('action') group = req.args.get('group') if req.method == 'POST': # Grant permission to subject if req.args.get('add') and subject and action: if action not in perm.get_actions(): raise TracError('Unknown action') self._grant_permission(subject, action) req.redirect(self.env.href.admin(cat, page)) # Add subject to group elif req.args.get('add') and subject and group: self._grant_permission(subject, group) req.redirect(self.env.href.admin(cat, page)) # Remove permissions action elif req.args.get('remove') and req.args.get('sel'): sel = req.args.get('sel') sel = isinstance(sel, list) and sel or [sel] for key in sel: subject, action = key.split(':', 1) if (subject, action) in perms: self._revoke_permission(subject, action) req.redirect(self.env.href.admin(cat, page)) perms.sort(lambda a, b: cmp(a[0], b[0])) req.hdf['admin.actions'] = perm.get_actions() req.hdf['admin.perms'] = [{ 'subject': p[0], 'action': p[1], 'key': '%s:%s' % p } for p in perms] return 'tracforge_admin_perm.cs', None
def process_admin_request(self, req, cat, page, path_info): perm = PermissionSystem(self.env) perms = perm.get_all_permissions() subject = req.args.get('subject') action = req.args.get('action') group = req.args.get('group') if req.method == 'POST': # Grant permission to subject if req.args.get('add') and subject and action: if action not in perm.get_actions(): raise TracError('Unknown action') perm.grant_permission(subject, action) req.redirect(self.env.href.admin(cat, page)) # Add subject to group elif req.args.get('add') and subject and group: perm.grant_permission(subject, group) req.redirect(self.env.href.admin(cat, page)) # Remove permissions action elif req.args.get('remove') and req.args.get('sel'): sel = req.args.get('sel') sel = isinstance(sel, list) and sel or [sel] for key in sel: subject, action = key.split(':', 1) if (subject, action) in perms: perm.revoke_permission(subject, action) req.redirect(self.env.href.admin(cat, page)) perms.sort(lambda a, b: cmp(a[0], b[0])) req.hdf['admin.actions'] = perm.get_actions() req.hdf['admin.perms'] = [{'subject': p[0], 'action': p[1], 'key': '%s:%s' % p } for p in perms] return 'admin_perm.cs', None
def check_permission(self, action, username, resource, perm): # FIXME: Better handling of recursive imports from multiproduct.env import ProductEnvironment if isinstance(self.env, ProductEnvironment): permsys = PermissionSystem(self.env.parent) if permsys.check_permission('TRAC_ADMIN', username): return action in PermissionSystem(self.env).get_actions() \ or None # FIXME: maybe False is better elif username == self.env.product.owner: # Product owner granted with PRODUCT_ADMIN permission ootb permsys = PermissionSystem(self.env) # FIXME: would `action != 'TRAC_ADMIN'` be enough ? return True if action in permsys.get_actions() and \ action != 'TRAC_ADMIN' \ else None
def check_permission(self, action, username, resource, perm): # FIXME: Better handling of recursive imports from multiproduct.env import ProductEnvironment if isinstance(self.env, ProductEnvironment): permsys = PermissionSystem(self.env.parent) if permsys.check_permission('TRAC_ADMIN', username): return action in PermissionSystem(self.env).get_actions() \ or None # FIXME: maybe False is better elif username == self.env.product.owner: # Product owner granted with PRODUCT_ADMIN permission ootb permsys = PermissionSystem(self.env) # FIXME: would `action != 'TRAC_ADMIN'` be enough ? return True if action in permsys.get_actions() and \ action != 'TRAC_ADMIN' \ else None
class PermissionTestCase(unittest.TestCase): def setUp(self): self.env = EnvironmentStub(enable=['trac.*', 'acct_mgr.api.*']) self.env.path = tempfile.mkdtemp() self.perm = PermissionSystem(self.env) self.req = Mock() self.actions = [ 'ACCTMGR_ADMIN', 'ACCTMGR_CONFIG_ADMIN', 'ACCTMGR_USER_ADMIN', 'EMAIL_VIEW', 'USER_VIEW' ] def tearDown(self): shutil.rmtree(self.env.path) def test_available_actions(self): for action in self.actions: self.failIf(action not in self.perm.get_actions()) def test_available_actions_no_perms(self): for action in self.actions: self.assertFalse(self.perm.check_permission(action, 'anonymous')) def test_available_actions_config_admin(self): user = '******' self.perm.grant_permission(user, 'ACCTMGR_CONFIG_ADMIN') actions = [self.actions[0]] + self.actions[2:] for action in actions: self.assertFalse(self.perm.check_permission(action, user)) def test_available_actions_user_admin(self): user = '******' self.perm.grant_permission(user, 'ACCTMGR_USER_ADMIN') for action in self.actions[2:]: self.assertTrue(self.perm.check_permission(action, user)) for action in self.actions[:2] + ['TRAC_ADMIN']: self.assertFalse(self.perm.check_permission(action, user)) def test_available_actions_full_perms(self): perm_map = dict(acctmgr_admin='ACCTMGR_ADMIN', trac_admin='TRAC_ADMIN') for user in perm_map: self.perm.grant_permission(user, perm_map[user]) for action in self.actions: self.assertTrue(self.perm.check_permission(action, user)) if user != 'trac_admin': self.assertFalse(self.perm.check_permission( 'TRAC_ADMIN', user))
class PermissionTestCase(unittest.TestCase): def setUp(self): self.env = EnvironmentStub( enable=['trac.*', 'acct_mgr.api.*']) self.env.path = tempfile.mkdtemp() self.perm = PermissionSystem(self.env) self.req = Mock() self.actions = ['ACCTMGR_ADMIN', 'ACCTMGR_CONFIG_ADMIN', 'ACCTMGR_USER_ADMIN', 'EMAIL_VIEW', 'USER_VIEW'] def tearDown(self): shutil.rmtree(self.env.path) def test_available_actions(self): for action in self.actions: self.failIf(action not in self.perm.get_actions()) def test_available_actions_no_perms(self): for action in self.actions: self.assertFalse(self.perm.check_permission(action, 'anonymous')) def test_available_actions_config_admin(self): user = '******' self.perm.grant_permission(user, 'ACCTMGR_CONFIG_ADMIN') actions = [self.actions[0]] + self.actions[2:] for action in actions: self.assertFalse(self.perm.check_permission(action, user)) def test_available_actions_user_admin(self): user = '******' self.perm.grant_permission(user, 'ACCTMGR_USER_ADMIN') for action in self.actions[2:]: self.assertTrue(self.perm.check_permission(action, user)) for action in self.actions[:2] + ['TRAC_ADMIN']: self.assertFalse(self.perm.check_permission(action, user)) def test_available_actions_full_perms(self): perm_map = dict(acctmgr_admin='ACCTMGR_ADMIN', trac_admin='TRAC_ADMIN') for user in perm_map: self.perm.grant_permission(user, perm_map[user]) for action in self.actions: self.assertTrue(self.perm.check_permission(action, user)) if user != 'trac_admin': self.assertFalse(self.perm.check_permission('TRAC_ADMIN', user))
class TagSystemTestCase(unittest.TestCase): def setUp(self): self.env = EnvironmentStub(default_data=True, enable=['trac.*', 'tractags.*']) self.env.path = tempfile.mkdtemp() self.perms = PermissionSystem(self.env) self.req = Mock() self.actions = ['TAGS_ADMIN', 'TAGS_MODIFY', 'TAGS_VIEW'] self.tag_s = TagSystem(self.env) self.db = self.env.get_db_cnx() setup = TagSetup(self.env) # Current tractags schema is setup with enabled component anyway. # Revert these changes for getting default permissions inserted. self._revert_tractags_schema_init() setup.upgrade_environment(self.db) def tearDown(self): self.db.close() # Really close db connections. self.env.shutdown() shutil.rmtree(self.env.path) # Helpers def _revert_tractags_schema_init(self): cursor = self.db.cursor() cursor.execute("DROP TABLE IF EXISTS tags") cursor.execute("DELETE FROM system WHERE name='tags_version'") cursor.execute("DELETE FROM permission WHERE action %s" % self.db.like(), ('TAGS_%',)) # Tests def test_available_actions(self): for action in self.actions: self.failIf(action not in self.perms.get_actions()) def test_available_providers(self): # Standard implementations of DefaultTagProvider should be registered. seen = [] for provider in [TicketTagProvider(self.env), WikiTagProvider(self.env)]: self.failIf(provider not in self.tag_s.tag_providers) # Ensure unique provider references, a possible bug in Trac-0.11. self.failIf(provider in seen) seen.append(provider) def test_set_tags_no_perms(self): resource = Resource('wiki', 'WikiStart') tags = ['tag1'] # Mock an anonymous request. self.req.perm = PermissionCache(self.env) self.assertRaises(PermissionError, self.tag_s.set_tags, self.req, resource, tags) def test_set_tags(self): resource = Resource('wiki', 'WikiStart') tags = ['tag1'] self.req.perm = PermissionCache(self.env, username='******') # Shouldn't raise an error with appropriate permission. self.tag_s.set_tags(self.req, resource, tags) def test_query_no_args(self): # Regression test for query without argument, # reported as th:ticket:7857. # Mock an anonymous request. self.req.perm = PermissionCache(self.env) self.assertEquals([(res, tags) for res, tags in self.tag_s.query(self.req, query='')], [])
def render_admin_panel(self, req, cat, page, path_info): perm = PermissionSystem(self.env) all_actions = perm.get_actions() if req.method == 'POST': subject = req.args.get('subject', '').strip() target = req.args.get('target', '').strip() action = req.args.get('action') group = req.args.get('group', '').strip() if subject and subject.isupper() or \ group and group.isupper() or \ target and target.isupper(): raise TracError( _("All upper-cased tokens are reserved for " "permission names.")) # Grant permission to subject if 'add' in req.args and subject and action: req.perm('admin', 'general/perm').require('PERMISSION_GRANT') if action not in all_actions: raise TracError(_("Unknown action")) req.perm.require(action) try: perm.grant_permission(subject, action) except TracError as e: add_warning(req, e) else: add_notice( req, _( "The subject %(subject)s has been " "granted the permission %(action)s.", subject=subject, action=action)) # Add subject to group elif 'add' in req.args and subject and group: req.perm('admin', 'general/perm').require('PERMISSION_GRANT') for action in perm.get_user_permissions(group): req.perm.require( action, message=_( "The subject %(subject)s was not added to " "the group %(group)s because the group has " "%(perm)s permission and users cannot grant " "permissions they don't possess.", subject=subject, group=group, perm=action)) try: perm.grant_permission(subject, group) except TracError as e: add_warning(req, e) else: add_notice( req, _( "The subject %(subject)s has been " "added to the group %(group)s.", subject=subject, group=group)) # Copy permissions to subject elif 'copy' in req.args and subject and target: req.perm('admin', 'general/perm').require('PERMISSION_GRANT') subject_permissions = perm.get_users_dict().get(subject, []) if not subject_permissions: add_warning( req, _( "The subject %(subject)s does not " "have any permissions.", subject=subject)) for action in subject_permissions: if action not in all_actions: # plugin disabled? self.log.warning( "Skipped granting %s to %s: " "permission unavailable.", action, target) else: if action not in req.perm: add_warning( req, _( "The permission %(action)s was " "not granted to %(subject)s " "because users cannot grant " "permissions they don't possess.", action=action, subject=subject)) continue try: perm.grant_permission(target, action) except PermissionExistsError: pass else: add_notice( req, _( "The subject %(subject)s has " "been granted the permission " "%(action)s.", subject=target, action=action)) req.redirect(req.href.admin(cat, page)) # Remove permissions action elif 'remove' in req.args and 'sel' in req.args: req.perm('admin', 'general/perm').require('PERMISSION_REVOKE') for key in req.args.getlist('sel'): subject, action = key.split(':', 1) subject = unicode_from_base64(subject) action = unicode_from_base64(action) if (subject, action) in perm.get_all_permissions(): perm.revoke_permission(subject, action) add_notice(req, _("The selected permissions have been " "revoked.")) req.redirect(req.href.admin(cat, page)) return 'admin_perms.html', { 'actions': all_actions, 'allowed_actions': [a for a in all_actions if a in req.perm], 'perms': perm.get_users_dict(), 'groups': perm.get_groups_dict(), 'unicode_to_base64': unicode_to_base64 }
def render_admin_panel(self, req, cat, page, path_info): perm = PermissionSystem(self.env) all_permissions = perm.get_all_permissions() all_actions = perm.get_actions() if req.method == 'POST': subject = req.args.get('subject', '').strip() action = req.args.get('action') group = req.args.get('group', '').strip() if subject and subject.isupper() or \ group and group.isupper(): raise TracError( _('All upper-cased tokens are reserved for ' 'permission names')) # Grant permission to subject if req.args.get('add') and subject and action: req.perm.require('PERMISSION_GRANT') if action not in all_actions: raise TracError(_('Unknown action')) req.perm.require(action) if (subject, action) not in all_permissions: perm.grant_permission(subject, action) add_notice( req, _( 'The subject %(subject)s has been ' 'granted the permission %(action)s.', subject=subject, action=action)) req.redirect(req.href.admin(cat, page)) else: add_warning( req, _( 'The permission %(action)s was already ' 'granted to %(subject)s.', action=action, subject=subject)) # Add subject to group elif req.args.get('add') and subject and group: req.perm.require('PERMISSION_GRANT') for action in perm.get_user_permissions(group): if not action in all_actions: # plugin disabled? self.env.log.warn("Adding %s to group %s: " \ "Permission %s unavailable, skipping perm check." \ % (subject, group, action)) else: req.perm.require(action) if (subject, group) not in all_permissions: perm.grant_permission(subject, group) add_notice( req, _( 'The subject %(subject)s has been added ' 'to the group %(group)s.', subject=subject, group=group)) req.redirect(req.href.admin(cat, page)) else: add_warning( req, _( 'The subject %(subject)s was already ' 'added to the group %(group)s.', subject=subject, group=group)) # Remove permissions action elif req.args.get('remove') and req.args.get('sel'): req.perm.require('PERMISSION_REVOKE') sel = req.args.get('sel') sel = sel if isinstance(sel, list) else [sel] for key in sel: subject, action = key.split(':', 1) subject = unicode_from_base64(subject) action = unicode_from_base64(action) if (subject, action) in perm.get_all_permissions(): perm.revoke_permission(subject, action) add_notice(req, _('The selected permissions have been ' 'revoked.')) req.redirect(req.href.admin(cat, page)) perms = [perm for perm in all_permissions if perm[1].isupper()] groups = [perm for perm in all_permissions if not perm[1].isupper()] return 'admin_perms.html', { 'actions': all_actions, 'perms': perms, 'groups': groups, 'unicode_to_base64': unicode_to_base64 }
def render_admin_panel(self, req, cat, page, path_info): perm = PermissionSystem(self.env) all_permissions = perm.get_all_permissions() all_actions = perm.get_actions() if req.method == 'POST': subject = req.args.get('subject', '').strip() action = req.args.get('action') group = req.args.get('group', '').strip() if subject and subject.isupper() or \ group and group.isupper(): raise TracError(_('All upper-cased tokens are reserved for ' 'permission names')) # Grant permission to subject if req.args.get('add') and subject and action: req.perm.require('PERMISSION_GRANT') if action not in all_actions: raise TracError(_('Unknown action')) req.perm.require(action) if (subject, action) not in all_permissions: perm.grant_permission(subject, action) add_notice(req, _('The subject %(subject)s has been ' 'granted the permission %(action)s.', subject=subject, action=action)) req.redirect(req.href.admin(cat, page)) else: add_warning(req, _('The permission %(action)s was already ' 'granted to %(subject)s.', action=action, subject=subject)) # Add subject to group elif req.args.get('add') and subject and group: req.perm.require('PERMISSION_GRANT') for action in perm.get_user_permissions(group): if not action in all_actions: # plugin disabled? self.env.log.warn("Adding %s to group %s: " \ "Permission %s unavailable, skipping perm check." \ % (subject, group, action)) else: req.perm.require(action) if (subject, group) not in all_permissions: perm.grant_permission(subject, group) add_notice(req, _('The subject %(subject)s has been added ' 'to the group %(group)s.', subject=subject, group=group)) req.redirect(req.href.admin(cat, page)) else: add_warning(req, _('The subject %(subject)s was already ' 'added to the group %(group)s.', subject=subject, group=group)) # Remove permissions action elif req.args.get('remove') and req.args.get('sel'): req.perm.require('PERMISSION_REVOKE') sel = req.args.get('sel') sel = isinstance(sel, list) and sel or [sel] for key in sel: subject, action = key.split(':', 1) if (subject, action) in perm.get_all_permissions(): perm.revoke_permission(subject, action) add_notice(req, _('The selected permissions have been ' 'revoked.')) req.redirect(req.href.admin(cat, page)) return 'admin_perms.html', { 'actions': all_actions, 'perms': all_permissions }
def render_admin_panel(self, req, cat, page, path_info): perm = PermissionSystem(self.env) all_permissions = perm.get_all_permissions() all_actions = perm.get_actions() if req.method == 'POST': subject = req.args.get('subject', '').strip() target = req.args.get('target', '').strip() action = req.args.get('action') group = req.args.get('group', '').strip() if subject and subject.isupper() or \ group and group.isupper() or \ target and target.isupper(): raise TracError(_("All upper-cased tokens are reserved for " "permission names.")) # Grant permission to subject if req.args.get('add') and subject and action: req.perm('admin', 'general/perm').require('PERMISSION_GRANT') if action not in all_actions: raise TracError(_("Unknown action")) req.perm.require(action) if (subject, action) not in all_permissions: perm.grant_permission(subject, action) add_notice(req, _("The subject %(subject)s has been " "granted the permission %(action)s.", subject=subject, action=action)) req.redirect(req.href.admin(cat, page)) else: add_warning(req, _("The permission %(action)s was already " "granted to %(subject)s.", action=action, subject=subject)) # Add subject to group elif req.args.get('add') and subject and group: req.perm('admin', 'general/perm').require('PERMISSION_GRANT') for action in perm.get_user_permissions(group): if not action in all_actions: # plugin disabled? self.env.log.warn("Adding %s to group %s: " "Permission %s unavailable, skipping perm check.", subject, group, action) else: req.perm.require(action, message=_("The subject %(subject)s was not added " "to the group %(group)s because the " "group has %(perm)s permission and " "users cannot grant permissions they " "don't possess.", subject=subject, group=group, perm=action)) if (subject, group) not in all_permissions: perm.grant_permission(subject, group) add_notice(req, _("The subject %(subject)s has been added " "to the group %(group)s.", subject=subject, group=group)) req.redirect(req.href.admin(cat, page)) else: add_warning(req, _("The subject %(subject)s was already " "added to the group %(group)s.", subject=subject, group=group)) # Copy permissions to subject elif req.args.get('copy') and subject and target: req.perm.require('PERMISSION_GRANT') subject_permissions = [i[1] for i in all_permissions if i[0] == subject and i[1].isupper()] if not subject_permissions: add_warning(req,_("The subject %(subject)s does not " "have any permissions.", subject=subject)) for action in subject_permissions: if (target, action) in all_permissions: continue if not action in all_actions: # plugin disabled? self.env.log.warn("Skipped granting %s to %s: " "permission unavailable.", action, target) else: if action not in req.perm: add_warning(req, _("The permission %(action)s was " "not granted to %(subject)s " "because users cannot grant " "permissions they don't possess.", action=action, subject=subject)) continue perm.grant_permission(target, action) add_notice(req, _("The subject %(subject)s has " "been granted the permission " "%(action)s.", subject=target, action=action)) req.redirect(req.href.admin(cat, page)) # Remove permissions action elif req.args.get('remove') and req.args.get('sel'): req.perm('admin', 'general/perm').require('PERMISSION_REVOKE') sel = req.args.get('sel') sel = sel if isinstance(sel, list) else [sel] for key in sel: subject, action = key.split(':', 1) subject = unicode_from_base64(subject) action = unicode_from_base64(action) if (subject, action) in perm.get_all_permissions(): perm.revoke_permission(subject, action) add_notice(req, _("The selected permissions have been " "revoked.")) req.redirect(req.href.admin(cat, page)) return 'admin_perms.html', { 'actions': all_actions, 'perms': perm.get_users_dict(), 'groups': perm.get_groups_dict(), 'unicode_to_base64': unicode_to_base64 }
def render_admin_panel(self, req, cat, page, path_info): add_script(req, "multiproject/js/jquery-ui.js") add_script(req, "multiproject/js/permissions.js") add_stylesheet(req, "multiproject/css/jquery-ui.css") add_stylesheet(req, "multiproject/css/permissions.css") is_normal_project = self.env.project_identifier != self.env.config.get("multiproject", "sys_home_project_name") # API instances perm_sys = PermissionSystem(self.env) group_store = CQDEUserGroupStore(env=self.env) org_store = CQDEOrganizationStore.instance() if is_normal_project: membership = MembershipApi(self.env, Project.get(self.env)) else: membership = None if req.method == "POST": action = req.args.get("action") if action == "remove_member": self._remove_member(req, group_store) elif action == "add_member": add_type = req.args.get("add_type") if add_type == "user": self._add_user(req, group_store, membership) elif add_type == "organization": self._add_organization(req, group_store) elif add_type == "ldap_group": self._add_ldap_group(req, group_store) elif add_type == "login_status": login_status = req.args.get("login_status") if login_status not in ("authenticated", "anonymous"): raise TracError("Invalid arguments") self._add_user(req, group_store, membership, username=login_status) else: raise TracError("Invalid add_type") elif action == "add_permission": self._add_perm_to_group(req, group_store, perm_sys) elif action == "remove_permission": self._remove_permission(req, group_store, perm_sys) elif action == "create_group": self._create_group(req, group_store, perm_sys) elif action == "remove_group": self._remove_group(req, group_store) elif action == "add_organization": self._add_organization(req, group_store) elif action == "decline_membership": self._decline_membership(req, membership) else: raise TracError("Unknown action %s" % action) # get membership request list after form posts have been processed if is_normal_project: membership_requests = set(membership.get_membership_requests()) else: membership_requests = set() permissions = set(perm_sys.get_actions()) # check if project if current configuration and permission state is in such state that # permission editions are likely fail invalid_state = None try: group_store.is_valid_group_members() except InvalidPermissionsState, e: add_warning( req, _( "Application permission configuration conflicts with project permissions. " "Before you can fully edit permissions or users you will need to either remove " "offending permissions or set correct application configuration. Page reload" "is required to update this warning." ), ) add_warning(req, e.message)
def render_admin_panel(self, req, cat, page, path_info): add_script(req, 'multiproject/js/jquery-ui.js') add_script(req, 'multiproject/js/permissions.js') add_stylesheet(req, 'multiproject/css/jquery-ui.css') add_stylesheet(req, 'multiproject/css/permissions.css') project = Project.get(self.env) # is_normal_project = self.env.project_identifier != \ self.env.config.get('multiproject', 'sys_home_project_name') # API instances perm_sys = PermissionSystem(self.env) group_store = CQDEUserGroupStore(env=self.env) org_store = CQDEOrganizationStore.instance() if is_normal_project: membership = MembershipApi(self.env, Project.get(self.env)) else: membership = None if req.method == 'POST': action = req.args.get('action') if action == 'remove_member': self._remove_member(req, group_store) elif action == 'add_member': add_type = req.args.get('add_type') if add_type == 'user': self._add_user(req, group_store, membership) elif add_type == 'organization': self._add_organization(req, group_store) elif add_type == 'ldap_group': self._add_ldap_group(req, group_store) elif add_type == 'login_status': login_status = req.args.get('login_status') if login_status not in ('authenticated', 'anonymous'): raise TracError('Invalid arguments') self._add_user(req, group_store, membership, username=login_status) else: raise TracError('Invalid add_type') elif action == 'add_permission': self._add_perm_to_group(req, group_store, perm_sys) elif action == 'remove_permission': self._remove_permission(req, group_store, perm_sys) elif action == 'create_group': self._create_group(req, group_store, perm_sys) elif action == 'remove_group': self._remove_group(req, group_store) elif action == 'add_organization': self._add_organization(req, group_store) elif action == 'decline_membership': self._decline_membership(req, membership) elif 'makepublic' in req.args: project_api = Projects() if conf.allow_public_projects: self._make_public(req, project) project_api.add_public_project_visibility(project.id) # Reload page return req.redirect(req.href(req.path_info)) else: raise TracError("Public projects are disabled", "Error!") elif 'makeprivate' in req.args: project_api = Projects() self._make_private(req, project) project_api.remove_public_project_visibility(project.id) # Reload page return req.redirect(req.href(req.path_info)) else: raise TracError('Unknown action %s' % action) # get membership request list after form posts have been processed if is_normal_project: membership_requests = set(membership.get_membership_requests()) else: membership_requests = set() permissions = set(perm_sys.get_actions()) # check if project if current configuration and permission state is in such state that # permission editions are likely fail invalid_state = None if is_normal_project: is_a_public = project.public else: is_a_public = "" try: group_store.is_valid_group_members() except InvalidPermissionsState, e: add_warning( req, _('Application permission configuration conflicts with project permissions. ' 'Before you can fully edit permissions or users you will need to either remove ' 'offending permissions or set correct application configuration. Page reload' 'is required to update this warning.')) add_warning(req, e.message)
def render_admin_panel(self, req, cat, page, path_info): perm = PermissionSystem(self.env) all_permissions = perm.get_all_permissions() all_actions = perm.get_actions() if req.method == 'POST': subject = req.args.get('subject', '').strip() target = req.args.get('target', '').strip() action = req.args.get('action') group = req.args.get('group', '').strip() if subject and subject.isupper() or \ group and group.isupper() or \ target and target.isupper(): raise TracError( _("All upper-cased tokens are reserved for " "permission names.")) # Grant permission to subject if req.args.get('add') and subject and action: req.perm('admin', 'general/perm').require('PERMISSION_GRANT') if action not in all_actions: raise TracError(_("Unknown action")) req.perm.require(action) if (subject, action) not in all_permissions: perm.grant_permission(subject, action) add_notice( req, _( "The subject %(subject)s has been " "granted the permission %(action)s.", subject=subject, action=action)) req.redirect(req.href.admin(cat, page)) else: add_warning( req, _( "The permission %(action)s was already " "granted to %(subject)s.", action=action, subject=subject)) # Add subject to group elif req.args.get('add') and subject and group: req.perm('admin', 'general/perm').require('PERMISSION_GRANT') for action in perm.get_user_permissions(group): if not action in all_actions: # plugin disabled? self.env.log.warn( "Adding %s to group %s: " "Permission %s unavailable, skipping perm check.", subject, group, action) else: req.perm.require( action, message=_( "The subject %(subject)s was not added " "to the group %(group)s because the " "group has %(perm)s permission and " "users cannot grant permissions they " "don't possess.", subject=subject, group=group, perm=action)) if (subject, group) not in all_permissions: perm.grant_permission(subject, group) add_notice( req, _( "The subject %(subject)s has been added " "to the group %(group)s.", subject=subject, group=group)) req.redirect(req.href.admin(cat, page)) else: add_warning( req, _( "The subject %(subject)s was already " "added to the group %(group)s.", subject=subject, group=group)) # Copy permissions to subject elif req.args.get('copy') and subject and target: req.perm.require('PERMISSION_GRANT') subject_permissions = [ i[1] for i in all_permissions if i[0] == subject and i[1].isupper() ] if not subject_permissions: add_warning( req, _( "The subject %(subject)s does not " "have any permissions.", subject=subject)) for action in subject_permissions: if (target, action) in all_permissions: continue if not action in all_actions: # plugin disabled? self.env.log.warn( "Skipped granting %s to %s: " "permission unavailable.", action, target) else: if action not in req.perm: add_warning( req, _( "The permission %(action)s was " "not granted to %(subject)s " "because users cannot grant " "permissions they don't possess.", action=action, subject=subject)) continue perm.grant_permission(target, action) add_notice( req, _( "The subject %(subject)s has " "been granted the permission " "%(action)s.", subject=target, action=action)) req.redirect(req.href.admin(cat, page)) # Remove permissions action elif req.args.get('remove') and req.args.get('sel'): req.perm('admin', 'general/perm').require('PERMISSION_REVOKE') sel = req.args.get('sel') sel = sel if isinstance(sel, list) else [sel] for key in sel: subject, action = key.split(':', 1) subject = unicode_from_base64(subject) action = unicode_from_base64(action) if (subject, action) in perm.get_all_permissions(): perm.revoke_permission(subject, action) add_notice(req, _("The selected permissions have been " "revoked.")) req.redirect(req.href.admin(cat, page)) perms = [perm for perm in all_permissions if perm[1].isupper()] groups = [perm for perm in all_permissions if not perm[1].isupper()] return 'admin_perms.html', { 'actions': all_actions, 'perms': perms, 'groups': groups, 'unicode_to_base64': unicode_to_base64 }
def render_admin_panel(self, req, cat, page, path_info): add_script(req, 'multiproject/js/jquery-ui.js') add_script(req, 'multiproject/js/permissions.js') add_stylesheet(req, 'multiproject/css/jquery-ui.css') add_stylesheet(req, 'multiproject/css/permissions.css') project = Project.get(self.env) # is_normal_project = self.env.project_identifier != \ self.env.config.get('multiproject', 'sys_home_project_name') # API instances perm_sys = PermissionSystem(self.env) group_store = CQDEUserGroupStore(env=self.env) org_store = CQDEOrganizationStore.instance() if is_normal_project: membership = MembershipApi(self.env, Project.get(self.env)) else: membership = None if req.method == 'POST': action = req.args.get('action') if action == 'remove_member': self._remove_member(req, group_store) elif action == 'add_member': add_type = req.args.get('add_type') if add_type == 'user': self._add_user(req, group_store, membership) elif add_type == 'organization': self._add_organization(req, group_store) elif add_type == 'ldap_group': self._add_ldap_group(req, group_store) elif add_type == 'login_status': login_status = req.args.get('login_status') if login_status not in ('authenticated', 'anonymous'): raise TracError('Invalid arguments') self._add_user(req, group_store, membership, username=login_status) else: raise TracError('Invalid add_type') elif action == 'add_permission': self._add_perm_to_group(req, group_store, perm_sys) elif action == 'remove_permission': self._remove_permission(req, group_store, perm_sys) elif action == 'create_group': self._create_group(req, group_store, perm_sys) elif action == 'remove_group': self._remove_group(req, group_store) elif action == 'add_organization': self._add_organization(req, group_store) elif action == 'decline_membership': self._decline_membership(req, membership) elif 'makepublic' in req.args: project_api = Projects() if conf.allow_public_projects: self._make_public(req, project) project_api.add_public_project_visibility(project.id) # Reload page return req.redirect(req.href(req.path_info)) else: raise TracError("Public projects are disabled", "Error!") elif 'makeprivate' in req.args: project_api = Projects() self._make_private(req, project) project_api.remove_public_project_visibility(project.id) # Reload page return req.redirect(req.href(req.path_info)) else: raise TracError('Unknown action %s' % action) # get membership request list after form posts have been processed if is_normal_project: membership_requests = set(membership.get_membership_requests()) else: membership_requests = set() permissions = set(perm_sys.get_actions()) # check if project if current configuration and permission state is in such state that # permission editions are likely fail invalid_state = None if is_normal_project: is_a_public = project.public else: is_a_public = "" try: group_store.is_valid_group_members() except InvalidPermissionsState, e: add_warning(req, _('Application permission configuration conflicts with project permissions. ' 'Before you can fully edit permissions or users you will need to either remove ' 'offending permissions or set correct application configuration. Page reload' 'is required to update this warning.')) add_warning(req, e.message)
class TagSystemTestCase(unittest.TestCase): def setUp(self): self.env = EnvironmentStub(default_data=True, enable=['trac.*', 'tractags.*']) self.env.path = tempfile.mkdtemp() self.perms = PermissionSystem(self.env) self.req = Mock() self.actions = ['TAGS_ADMIN', 'TAGS_MODIFY', 'TAGS_VIEW'] self.tag_s = TagSystem(self.env) self.db = self.env.get_db_cnx() setup = TagSetup(self.env) # Current tractags schema is setup with enabled component anyway. # Revert these changes for getting default permissions inserted. self._revert_tractags_schema_init() setup.upgrade_environment(self.db) def tearDown(self): self.db.close() # Really close db connections. self.env.shutdown() shutil.rmtree(self.env.path) # Helpers def _revert_tractags_schema_init(self): cursor = self.db.cursor() cursor.execute("DROP TABLE IF EXISTS tags") cursor.execute("DELETE FROM system WHERE name='tags_version'") cursor.execute( "DELETE FROM permission WHERE action %s" % self.db.like(), ('TAGS_%', )) # Tests def test_available_actions(self): for action in self.actions: self.failIf(action not in self.perms.get_actions()) def test_available_providers(self): # Standard implementations of DefaultTagProvider should be registered. seen = [] for provider in [ TicketTagProvider(self.env), WikiTagProvider(self.env) ]: self.failIf(provider not in self.tag_s.tag_providers) # Ensure unique provider references, a possible bug in Trac-0.11. self.failIf(provider in seen) seen.append(provider) def test_set_tags_no_perms(self): resource = Resource('wiki', 'WikiStart') tags = ['tag1'] # Mock an anonymous request. self.req.perm = PermissionCache(self.env) self.assertRaises(PermissionError, self.tag_s.set_tags, self.req, resource, tags) def test_set_tags(self): resource = Resource('wiki', 'WikiStart') tags = ['tag1'] self.req.perm = PermissionCache(self.env, username='******') # Shouldn't raise an error with appropriate permission. self.tag_s.set_tags(self.req, resource, tags) def test_query_no_args(self): # Regression test for query without argument, # reported as th:ticket:7857. # Mock an anonymous request. self.req.perm = PermissionCache(self.env) self.assertEquals( [(res, tags) for res, tags in self.tag_s.query(self.req, query='')], [])