def setUp(self):
    """Create a stub environment with a freshly upgraded tractags schema.

    Default tag permissions are replaced by three distinct subjects
    (``reader``, ``writer``, ``admin``) so each test can exercise one
    privilege level in isolation.
    """
    self.env = EnvironmentStub(enable=['trac.*', 'tractags.*'])
    self.env.path = tempfile.mkdtemp()
    # In this variant the components are instantiated before the schema
    # is reverted and upgraded below.
    self.tag_s = TagSystem(self.env)
    self.tag_rh = TagRequestHandler(self.env)

    self.db = self.env.get_db_cnx()
    tag_setup = TagSetup(self.env)
    # Enabling the component already installs the current tractags schema;
    # undo that first so the upgrade runs against a clean database.
    self._revert_tractags_schema_init()
    tag_setup.upgrade_environment(self.db)

    perm_sys = PermissionSystem(self.env)
    # Drop the default grants: the tests need subjects whose privileges
    # differ, not a shared baseline.
    for subject, action in (('anonymous', 'TAGS_VIEW'),
                            ('authenticated', 'TAGS_MODIFY')):
        perm_sys.revoke_permission(subject, action)
    for subject, action in (('reader', 'TAGS_VIEW'),
                            ('writer', 'TAGS_MODIFY'),
                            ('admin', 'TAGS_ADMIN')):
        perm_sys.grant_permission(subject, action)

    self.anonymous = PermissionCache(self.env)
    for username in ('reader', 'writer', 'admin'):
        setattr(self, username, PermissionCache(self.env, username))

    self.href = Href('/trac')
    self.abs_href = Href('http://example.org/trac')
def setUp(self):
    """Create a stub environment with a freshly upgraded tractags schema.

    Default tag permissions are replaced by three distinct subjects
    (``reader``, ``writer``, ``admin``) so each test can exercise one
    privilege level in isolation.
    """
    self.env = EnvironmentStub(enable=['trac.*', 'tractags.*'])
    self.env.path = tempfile.mkdtemp()

    self.db = self.env.get_db_cnx()
    tag_setup = TagSetup(self.env)
    # Enabling the component already installs the current tractags schema;
    # undo that first so the upgrade runs against a clean database.
    self._revert_tractags_schema_init()
    tag_setup.upgrade_environment(self.db)

    # In this variant the components are instantiated only after the
    # schema upgrade has completed.
    self.tag_s = TagSystem(self.env)
    self.tag_rh = TagRequestHandler(self.env)

    perm_sys = PermissionSystem(self.env)
    # Drop the default grants: the tests need subjects whose privileges
    # differ, not a shared baseline.
    for subject, action in (('anonymous', 'TAGS_VIEW'),
                            ('authenticated', 'TAGS_MODIFY')):
        perm_sys.revoke_permission(subject, action)
    for subject, action in (('reader', 'TAGS_VIEW'),
                            ('writer', 'TAGS_MODIFY'),
                            ('admin', 'TAGS_ADMIN')):
        perm_sys.grant_permission(subject, action)

    self.anonymous = PermissionCache(self.env)
    for username in ('reader', 'writer', 'admin'):
        setattr(self, username, PermissionCache(self.env, username))

    self.href = Href('/trac')
    self.abs_href = Href('http://example.org/trac')
def test_change_milestone_requires_milestone_view(self):
    """Changing ticket milestone requires MILESTONE_VIEW."""
    perm_sys = PermissionSystem(self.env)
    perm_sys.revoke_permission('anonymous', 'MILESTONE_VIEW')
    perm_sys.grant_permission('user_w_mv', 'MILESTONE_VIEW')
    self._insert_ticket(summary='the summary')

    def milestone_field_seen_by(authname):
        # Render ticket 1 as `authname` and pull the milestone field
        # description out of the template data (None if it is absent).
        request = MockRequest(self.env, authname=authname, method='GET',
                              path_info='/ticket/1')
        self.assertTrue(self.ticket_module.match_request(request))
        template_data = self.ticket_module.process_request(request)[1]
        return next((entry for entry in template_data['fields']
                     if 'milestone' == entry['name']), None)

    # Without MILESTONE_VIEW the field is read-only and no milestone
    # names are exposed in either option group.
    hidden = milestone_field_seen_by('user')
    self.assertFalse(hidden['editable'])
    self.assertEqual([], hidden['optgroups'][0]['options'])
    self.assertEqual([], hidden['optgroups'][1]['options'])

    # With MILESTONE_VIEW the field is editable and the second option
    # group lists the milestones.
    visible = milestone_field_seen_by('user_w_mv')
    self.assertTrue(visible['editable'])
    self.assertEqual([], visible['optgroups'][0]['options'])
    self.assertEqual(['milestone1', 'milestone2',
                      'milestone3', 'milestone4'],
                     visible['optgroups'][1]['options'])
def test_add_comment_requires_ticket_append(self):
    """Adding a ticket comment requires TICKET_APPEND."""
    perm_sys = PermissionSystem(self.env)
    perm_sys.revoke_permission('authenticated', 'TICKET_MODIFY')
    perm_sys.grant_permission('user1', 'TICKET_APPEND')
    perm_sys.grant_permission('user2', 'TICKET_CHGPROP')
    ticket = self._insert_ticket(summary='the summary')
    comment = 'the comment'

    def comment_request_for(authname):
        # view_time is read from the ticket when the request is built, so
        # the second request sees the changetime left by the first one.
        view_time = unicode(to_utimestamp(Ticket(self.env, 1)['changetime']))
        form = {'comment': comment, 'action': 'leave',
                'submit': True, 'view_time': view_time}
        return MockRequest(self.env, authname=authname, method='POST',
                           path_info='/ticket/1', args=form)

    # user1 holds TICKET_APPEND: the comment is stored and the handler
    # finishes the request without warnings.
    allowed = comment_request_for('user1')
    self.assertTrue(self.ticket_module.match_request(allowed))
    self.assertRaises(RequestDone,
                      self.ticket_module.process_request, allowed)
    self.assertEqual([], allowed.chrome['warnings'])
    self.assertEqual(comment,
                     ticket.get_change(1)['fields']['comment']['new'])

    # user2 holds only TICKET_CHGPROP: the request is answered with a
    # single permission warning.
    denied = comment_request_for('user2')
    self.assertTrue(self.ticket_module.match_request(denied))
    self.ticket_module.process_request(denied)
    self.assertEqual(1, len(denied.chrome['warnings']))
    self.assertEqual("No permissions to add a comment.",
                     unicode(denied.chrome['warnings'][0]))
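def remove_permissions(self, permissions):
    """Revoke permissions from one or more agents, best effort.

    ``permissions`` maps an agent name to a collection of permission
    names.  If that collection contains ``'*'``, it is replaced by every
    permission ``get_user_permissions(agent)`` reports with a true value.

    A failed revocation does not stop the loop, but it is now logged:
    a revocation that silently fails leaves the access in place.
    """
    perm = PermissionSystem(self.env)
    for agent, names in permissions.items():
        if '*' in names:
            names = [
                name
                for name, granted in perm.get_user_permissions(agent).items()
                if granted
            ]
        for permission in names:
            try:
                perm.revoke_permission(agent, permission)
            except Exception as e:
                # Narrowed from a bare ``except:`` so KeyboardInterrupt and
                # SystemExit are no longer swallowed.
                # NOTE(review): presumably this guards against entries that
                # cannot be revoked directly (e.g. inherited ones) - confirm.
                self.env.log.warning("Could not revoke %s from %s: %s",
                                     permission, agent, e)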
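def remove_permissions(self, permissions):
    """Revoke permissions from one or more agents, best effort.

    ``permissions`` maps an agent name to a collection of permission
    names.  If that collection contains ``'*'``, it is replaced by every
    permission ``get_user_permissions(agent)`` reports with a true value.

    A failed revocation does not stop the loop, but it is now logged:
    a revocation that silently fails leaves the access in place.
    """
    perm = PermissionSystem(self.env)
    for agent, names in permissions.items():
        if '*' in names:
            names = [
                name
                for name, granted in perm.get_user_permissions(agent).items()
                if granted
            ]
        for permission in names:
            try:
                perm.revoke_permission(agent, permission)
            except Exception as e:
                # Narrowed from a bare ``except:`` so KeyboardInterrupt and
                # SystemExit are no longer swallowed.
                # NOTE(review): presumably this guards against entries that
                # cannot be revoked directly (e.g. inherited ones) - confirm.
                self.env.log.warning("Could not revoke %s from %s: %s",
                                     permission, agent, e)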
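def update_trac_permissions(self, group, env):
    """Synchronise TRAC_ADMIN grants in ``env`` with the group's roles.

    Role holders (chair, secr, ad, trac-admin, the group's configured
    admin roles, plus secretariat trac-admins) that have no permission
    entry yet are granted TRAC_ADMIN; subjects that hold TRAC_ADMIN but
    are no longer among the role holders have it revoked.  The built-in
    subjects 'anonymous' and 'authenticated' are never touched.

    In a dummy run only the intent is reported and nothing is changed.
    """
    if self.dummy_run:
        self.note("Would update Trac permissions for group '%s'" % group.acronym)
        # A dry run must not reach the grant/revoke calls below.
        # NOTE(review): nesting was reconstructed from a listing that lost
        # its indentation - confirm against the original file.
        return

    self.note("Updating Trac permissions for group '%s'" % group.acronym)
    mgr = PermissionSystem(env)

    # Existing grants, keyed by subject, without the built-in subjects.
    permissions = {}
    for user, action in mgr.get_all_permissions():
        if user not in ('anonymous', 'authenticated'):
            permissions.setdefault(user, []).append(action)

    roles = (
        list(group.role_set.filter(name_id__in=set(
            ['chair', 'secr', 'ad', 'trac-admin', ]
            + group.features.admin_roles)))
        + list(self.secretariat.role_set.filter(name_id__in=['trac-admin', ]))
    )

    users = []
    for role in roles:
        user = role.email.address.lower()
        users.append(user)
        # NOTE(review): a role holder who already has any other permission
        # entry is skipped here and never receives TRAC_ADMIN - confirm
        # that this is intended.
        if user not in permissions:
            try:
                mgr.grant_permission(user, 'TRAC_ADMIN')
                self.note(" Granting admin permission for %s" % user)
            except TracError as e:
                # Fixed: the '%' operator was missing, so the string was
                # called like a function and raised TypeError instead of
                # logging the failure.
                self.log("While adding admin permission for %s: %s" % (user, e))

    for user in permissions:
        if user not in users and 'TRAC_ADMIN' in permissions[user]:
            try:
                self.note(" Revoking admin permission for %s" % user)
                mgr.revoke_permission(user, 'TRAC_ADMIN')
            except TracError as e:
                # Same missing-'%' fix as above; a failed revocation must be
                # visible because the admin access stays in place.
                self.log("While revoking admin permission for %s: %s" % (user, e))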
def test_milestone_redirects_to_roadmap(self):
    """The path /milestone redirects to /roadmap."""
    def assert_redirected(authname=None):
        # Issue GET /milestone and check the 302 to the roadmap; the
        # request is returned so the caller can inspect its permissions.
        request = MockRequest(self.env, method='GET',
                              path_info='/milestone', authname=authname)
        with self.assertRaises(RequestDone):
            self.mmodule.process_request(request)
        self.assertEqual('http://example.org/trac.cgi/roadmap',
                         request.headers_sent['Location'])
        self.assertEqual('302 Found', request._status)
        return request

    # The redirect happens for a requester holding MILESTONE_VIEW ...
    with_view = assert_redirected()
    self.assertIn('MILESTONE_VIEW', with_view.perm)

    # ... and equally for one without it.
    PermissionSystem(self.env).revoke_permission('anonymous',
                                                 'MILESTONE_VIEW')
    without_view = assert_redirected('user1')
    self.assertNotIn('MILESTONE_VIEW', without_view.perm)
def process_admin_request(self, req, cat, page, path_info):
    """Handle the permission admin page.

    A POST grants an action to a subject, adds a subject to a group, or
    revokes the selected ``subject:action`` entries, then redirects back
    to the panel.  Any other request fills ``req.hdf`` with the known
    actions and the permission list and returns the template name.

    NOTE(review): no ``req.perm`` check is visible in this method;
    presumably the caller restricts access to administrators - confirm.
    """
    perm = PermissionSystem(self.env)
    perms = perm.get_all_permissions()
    subject = req.args.get('subject')
    action = req.args.get('action')
    group = req.args.get('group')

    def back_to_panel():
        req.redirect(self.env.href.admin(cat, page))

    if req.method == 'POST':
        if req.args.get('add') and subject and action:
            # Only actions known to the permission system may be granted.
            if action not in perm.get_actions():
                raise TracError('Unknown action')
            perm.grant_permission(subject, action)
            back_to_panel()

        elif req.args.get('add') and subject and group:
            # NOTE(review): the group name is stored as given; unlike the
            # branch above, nothing here rejects a value that is itself a
            # permission name.
            perm.grant_permission(subject, group)
            back_to_panel()

        elif req.args.get('remove') and req.args.get('sel'):
            selected = req.args.get('sel')
            if not isinstance(selected, list):
                selected = [selected]
            for key in selected:
                # Keys have the form 'subject:action'; only pairs present
                # in the stored permissions are revoked.
                subject, action = key.split(':', 1)
                if (subject, action) in perms:
                    perm.revoke_permission(subject, action)
            back_to_panel()

    # Order the listing by subject.
    perms.sort(key=lambda entry: entry[0])
    rows = []
    for entry in perms:
        rows.append({'subject': entry[0], 'action': entry[1],
                     'key': '%s:%s' % entry})
    req.hdf['admin.actions'] = perm.get_actions()
    req.hdf['admin.perms'] = rows

    return 'admin_perm.cs', None
def render_admin_panel(self, req, cat, page, path_info):
    """Render the permissions admin panel and process its POST actions.

    POST actions: grant an action to a subject, add a subject to a group,
    copy one subject's permissions to a target, or revoke the selected
    entries.  Each branch first requires PERMISSION_GRANT or
    PERMISSION_REVOKE on the ('admin', 'general/perm') resource.

    Returns the template name and its data dictionary.

    NOTE(review): nesting was reconstructed from a listing that lost its
    indentation; in particular the placement of the final redirect should
    be confirmed against the original file.
    """
    perm = PermissionSystem(self.env)
    all_actions = perm.get_actions()

    if req.method == 'POST':
        subject = req.args.get('subject', '').strip()
        target = req.args.get('target', '').strip()
        action = req.args.get('action')
        group = req.args.get('group', '').strip()

        # Subject, group and target names must not be all upper-case,
        # which is reserved for permission names.
        if subject and subject.isupper() or \
                group and group.isupper() or \
                target and target.isupper():
            raise TracError(
                _("All upper-cased tokens are reserved for "
                  "permission names."))

        # Grant permission to subject
        if 'add' in req.args and subject and action:
            req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
            if action not in all_actions:
                raise TracError(_("Unknown action"))
            # The requester must hold the action being granted.
            req.perm.require(action)
            try:
                perm.grant_permission(subject, action)
            except TracError as e:
                add_warning(req, e)
            else:
                add_notice(
                    req,
                    _(
                        "The subject %(subject)s has been "
                        "granted the permission %(action)s.",
                        subject=subject, action=action))

        # Add subject to group
        elif 'add' in req.args and subject and group:
            req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
            # The requester must hold every permission the group carries,
            # otherwise the require() call aborts with the message below.
            for action in perm.get_user_permissions(group):
                req.perm.require(
                    action,
                    message=_(
                        "The subject %(subject)s was not added to "
                        "the group %(group)s because the group has "
                        "%(perm)s permission and users cannot grant "
                        "permissions they don't possess.",
                        subject=subject, group=group, perm=action))
            try:
                perm.grant_permission(subject, group)
            except TracError as e:
                add_warning(req, e)
            else:
                add_notice(
                    req,
                    _(
                        "The subject %(subject)s has been "
                        "added to the group %(group)s.",
                        subject=subject, group=group))

        # Copy permissions to subject
        elif 'copy' in req.args and subject and target:
            req.perm('admin', 'general/perm').require('PERMISSION_GRANT')

            subject_permissions = perm.get_users_dict().get(subject, [])
            if not subject_permissions:
                add_warning(
                    req,
                    _(
                        "The subject %(subject)s does not "
                        "have any permissions.",
                        subject=subject))

            for action in subject_permissions:
                if action not in all_actions:  # plugin disabled?
                    self.log.warning(
                        "Skipped granting %s to %s: "
                        "permission unavailable.", action, target)
                else:
                    # Actions the requester does not hold are skipped with
                    # a warning rather than copied.
                    # NOTE(review): the warning is formatted with the source
                    # `subject`, although the grant would go to `target` -
                    # confirm which name the message should show.
                    if action not in req.perm:
                        add_warning(
                            req,
                            _(
                                "The permission %(action)s was "
                                "not granted to %(subject)s "
                                "because users cannot grant "
                                "permissions they don't possess.",
                                action=action, subject=subject))
                        continue
                    try:
                        perm.grant_permission(target, action)
                    except PermissionExistsError:
                        # Target already holds this action; nothing to do.
                        pass
                    else:
                        add_notice(
                            req,
                            _(
                                "The subject %(subject)s has "
                                "been granted the permission "
                                "%(action)s.",
                                subject=target, action=action))
            req.redirect(req.href.admin(cat, page))

        # Remove permissions action
        elif 'remove' in req.args and 'sel' in req.args:
            # Only PERMISSION_REVOKE is required here; unlike the grant
            # branches there is no check that the requester holds the
            # action being revoked.
            req.perm('admin', 'general/perm').require('PERMISSION_REVOKE')
            for key in req.args.getlist('sel'):
                # Each key is '<base64 subject>:<base64 action>'; a key
                # without ':' would raise ValueError on the unpacking.
                subject, action = key.split(':', 1)
                subject = unicode_from_base64(subject)
                action = unicode_from_base64(action)
                # Revoke only pairs that are actually stored.
                if (subject, action) in perm.get_all_permissions():
                    perm.revoke_permission(subject, action)
            add_notice(req, _("The selected permissions have been "
                              "revoked."))

        req.redirect(req.href.admin(cat, page))

    return 'admin_perms.html', {
        'actions': all_actions,
        # Subset of actions the requester holds.
        'allowed_actions': [a for a in all_actions if a in req.perm],
        'perms': perm.get_users_dict(),
        'groups': perm.get_groups_dict(),
        'unicode_to_base64': unicode_to_base64
    }
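class TagModelTestCase(unittest.TestCase):
    """Tests for the tag model helpers against a stub environment.

    The fixture holds a single tagged resource: wiki page 'WikiStart'
    carrying 'tag1'.
    """

    def setUp(self):
        self.env = EnvironmentStub(default_data=True,
                                   enable=['trac.*', 'tractags.*'])
        self.env.path = tempfile.mkdtemp()
        self.perms = PermissionSystem(self.env)
        self.req = Mock(authname='editor')

        self.check_perm = WikiTagProvider(self.env).check_permission
        setup = TagSetup(self.env)
        # Current tractags schema is setup with enabled component anyway.
        #   Revert these changes for getting default permissions inserted.
        self._revert_tractags_schema_init()
        setup.upgrade_environment()

        # Populate table with initial test data.
        self.env.db_transaction("""
            INSERT INTO tags (tagspace, name, tag)
            VALUES ('wiki', 'WikiStart', 'tag1')
            """)
        self.realm = 'wiki'

    def tearDown(self):
        self.env.shutdown()
        # Remove the temporary directory created in setUp.
        shutil.rmtree(self.env.path)

    # Helpers

    def _revert_tractags_schema_init(self):
        """Drop the tractags tables, version marker and TAGS_* grants."""
        with self.env.db_transaction as db:
            db("DROP TABLE IF EXISTS tags")
            db("DROP TABLE IF EXISTS tags_change")
            db("DELETE FROM system WHERE name='tags_version'")
            # Only the fragment returned by db.like() is interpolated into
            # the SQL text; the pattern itself is passed as a bound
            # parameter.
            db("DELETE FROM permission WHERE action %s"
               % db.like(), ('TAGS_%',))

    def _tags(self):
        """Return the tags table as a dict mapping name -> set of tags."""
        tags = {}
        for name, tag in self.env.db_query("""
                SELECT name,tag
                  FROM tags
                """):
            tags.setdefault(name, set()).add(tag)
        return tags

    # Tests

    def test_get_tags(self):
        resource = Resource(self.realm, 'WikiStart')
        self.assertEqual([tag for tag in resource_tags(self.env, resource)],
                         ['tag1'])

    def test_get_tagged_resource_no_perm(self):
        self.perms.revoke_permission('anonymous', 'WIKI_VIEW')
        perm = PermissionCache(self.env)
        tags = set(['tag1'])
        # Don't yield resource without permission - 'WIKI_VIEW' here.
        self.assertEqual([(res, res_tags) for res, res_tags
                          in tagged_resources(self.env, self.check_perm,
                                              perm, self.realm, tags)], [])

    def test_get_tagged_resource(self):
        perm = PermissionCache(self.env)
        resource = Resource(self.realm, 'WikiStart')
        tags = set(['tag1'])
        # The loop variable is named res_tags so that it cannot rebind the
        # expected `tags` on interpreters where comprehension variables
        # leak into the enclosing scope.
        self.assertEqual([(res, res_tags) for res, res_tags
                          in tagged_resources(self.env, self.check_perm,
                                              perm, self.realm, tags)],
                         [(resource, tags)])

    def test_reparent(self):
        resource = Resource(self.realm, 'TaggedPage')
        old_name = 'WikiStart'
        tag_resource(self.env, resource, old_name, self.req.authname)
        self.assertEqual(dict(TaggedPage=set(['tag1'])), self._tags())

    def test_tag_changes(self):
        # Add previously untagged resource.
        resource = Resource(self.realm, 'TaggedPage')
        tags = set(['tag1'])
        tag_resource(self.env, resource, author=self.req.authname, tags=tags)
        self.assertEqual(dict(TaggedPage=tags, WikiStart=tags), self._tags())
        # Add new tag to already tagged resource.
        resource = Resource(self.realm, 'WikiStart')
        tags = set(['tag1', 'tag2'])
        tag_resource(self.env, resource, author=self.req.authname, tags=tags)
        self.assertEqual(dict(TaggedPage=set(['tag1']), WikiStart=tags),
                         self._tags())
        # Exchange tags for already tagged resource.
        tags = set(['tag1', 'tag3'])
        tag_resource(self.env, resource, author=self.req.authname, tags=tags)
        self.assertEqual(dict(TaggedPage=set(['tag1']), WikiStart=tags),
                         self._tags())
        # Delete a subset of tags for already tagged resource.
        tags = set(['tag3'])
        tag_resource(self.env, resource, author=self.req.authname, tags=tags)
        self.assertEqual(dict(TaggedPage=set(['tag1']), WikiStart=tags),
                         self._tags())
        # Empty tag iterable deletes all resource tag references.
        tags = tuple()
        tag_resource(self.env, resource, author=self.req.authname, tags=tags)
        self.assertEqual(dict(TaggedPage=set(['tag1'])), self._tags())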
def runTest(self):
    """Tests for the Copy Permissions functionality
    added in http://trac.edgewall.org/ticket/11099.

    Drives the Permissions admin panel through its forms and checks the
    resulting notices, warnings and checkboxes for: a plain copy, a
    subject without direct permissions, reserved upper-case names, a
    target that already holds a permission, a permission that is no
    longer defined, and an actor lacking a permission being copied.
    """
    # Checkbox values are '<base64 subject>:<base64 permission>'.
    checkbox_value = lambda s, p: '%s:%s' % (unicode_to_base64(s),
                                             unicode_to_base64(p))
    # NOTE(review): '\.' sits in a non-raw string literal; presumably
    # these are regex patterns - consider raw strings.
    grant_msg = "The subject %s has been granted the permission %s\."

    def grant_permission(subject, action):
        # Grant via the 'addperm' form and verify notice and checkbox.
        tc.formvalue('addperm', 'gp_subject', subject)
        tc.formvalue('addperm', 'action', action)
        tc.submit()
        tc.find(grant_msg % (subject, action))
        tc.find(checkbox_value(subject, action))

    env = self._testenv.get_trac_environment()

    # Copy permissions from subject to target
    self._tester.go_to_admin('Permissions')
    perm_sys = PermissionSystem(env)
    anon_perms = perm_sys.store.get_user_permissions('anonymous')
    for perm in anon_perms:
        tc.find(checkbox_value('anonymous', perm))
        tc.notfind(checkbox_value('user1', perm))
    tc.formvalue('copyperm', 'cp_subject', 'anonymous')
    tc.formvalue('copyperm', 'cp_target', 'user1')
    tc.submit()
    for perm in anon_perms:
        tc.find("The subject user1 has been granted the permission %s\."
                % perm)
        tc.find(checkbox_value('user1', perm))

    # Subject doesn't have any permissions
    tc.notfind(checkbox_value('noperms', ''))
    tc.formvalue('copyperm', 'cp_subject', 'noperms')
    tc.formvalue('copyperm', 'cp_target', 'user1')
    tc.submit()
    tc.find("The subject noperms does not have any permissions\.")

    # Subject belongs to group but doesn't directly have any permissions
    grant_permission('group1', 'TICKET_VIEW')
    tc.formvalue('addsubj', 'sg_subject', 'noperms')
    tc.formvalue('addsubj', 'sg_group', 'group1')
    tc.submit()
    tc.find("The subject noperms has been added to the group group1\.")

    tc.formvalue('copyperm', 'cp_subject', 'noperms')
    tc.formvalue('copyperm', 'cp_target', 'user1')
    tc.submit()
    tc.find("The subject noperms does not have any permissions\.")

    # Target uses reserved all upper-case form
    tc.formvalue('copyperm', 'cp_subject', 'noperms')
    tc.formvalue('copyperm', 'cp_target', 'USER1')
    tc.submit()
    tc.find("All upper-cased tokens are reserved for permission names\.")
    self._tester.go_to_admin("Permissions")

    # Subject users reserved all upper-case form
    tc.formvalue('copyperm', 'cp_subject', 'USER1')
    tc.formvalue('copyperm', 'cp_target', 'noperms')
    tc.submit()
    tc.find("All upper-cased tokens are reserved for permission names\.")
    self._tester.go_to_admin("Permissions")

    # Target already possess one of the permissions
    anon_perms = perm_sys.store.get_user_permissions('anonymous')
    for perm in anon_perms:
        tc.notfind(checkbox_value('user2', perm))
    grant_permission('user2', anon_perms[0])

    tc.formvalue('copyperm', 'cp_subject', 'anonymous')
    tc.formvalue('copyperm', 'cp_target', 'user2')
    tc.submit()

    # NOTE(review): every other assertion in this test matches the notice
    # without <em> markup, so this pattern may never match and the
    # notfind() may pass vacuously - confirm.
    tc.notfind("The subject <em>user2</em> has been granted the "
               "permission %s\." % anon_perms[0])
    for perm in anon_perms[1:]:
        tc.find("The subject user2 has been granted the permission %s\."
                % perm)
        tc.find(checkbox_value('user2', perm))

    # Subject has a permission that is no longer defined
    try:
        # Insert the stale grant directly; the values are bound parameters.
        env.db_transaction("INSERT INTO permission VALUES (%s,%s)",
                           ('anonymous', 'NOTDEFINED_PERMISSION'))
    except env.db_exc.IntegrityError:
        # Row already present.
        pass
    env.config.touch()  # invalidate permission cache
    tc.reload()
    tc.find(checkbox_value('anonymous', 'NOTDEFINED_PERMISSION'))
    perm_sys = PermissionSystem(env)
    anon_perms = perm_sys.store.get_user_permissions('anonymous')
    for perm in anon_perms:
        tc.notfind(checkbox_value('user3', perm))

    tc.formvalue('copyperm', 'cp_subject', 'anonymous')
    tc.formvalue('copyperm', 'cp_target', 'user3')
    tc.submit()

    # The undefined permission must not be copied; all others must be.
    for perm in anon_perms:
        msg = grant_msg % ('user3', perm)
        if perm == 'NOTDEFINED_PERMISSION':
            tc.notfind(msg)
            tc.notfind(checkbox_value('user3', perm))
        else:
            tc.find(msg)
            tc.find(checkbox_value('user3', perm))
    perm_sys.revoke_permission('anonymous', 'NOTDEFINED_PERMISSION')

    # Actor doesn't posses permission
    # anonymous temporarily receives PERMISSION_GRANT; the finally block
    # below revokes it again even if an assertion fails.
    grant_permission('anonymous', 'PERMISSION_GRANT')
    grant_permission('user3', 'TRAC_ADMIN')
    self._tester.logout()
    self._tester.go_to_admin("Permissions")

    try:
        tc.formvalue('copyperm', 'cp_subject', 'user3')
        tc.formvalue('copyperm', 'cp_target', 'user4')
        tc.submit()

        perm_sys = PermissionSystem(env)
        for perm in [perm[1] for perm in perm_sys.get_all_permissions()
                     if perm[0] == 'user3'
                     and perm[1] != 'TRAC_ADMIN']:
            tc.find(grant_msg % ('user4', perm))
        # NOTE(review): this asserts that the refusal warning naming user4
        # is absent; it does not assert that TRAC_ADMIN was withheld.
        # Consider also checking that the user4/TRAC_ADMIN checkbox or
        # stored grant does not exist - confirm the intended assertion.
        tc.notfind("The permission TRAC_ADMIN was not granted to user4 "
                   "because users cannot grant permissions they don't "
                   "possess.")
    finally:
        self._testenv.revoke_perm('anonymous', 'PERMISSION_GRANT')
        self._tester.login('admin')
def render_admin_panel(self, req, cat, page, path_info):
    """Render the permissions admin panel and process its POST actions.

    POST actions: grant an action to a subject, add a subject to a group,
    or revoke the selected entries.  Granting requires PERMISSION_GRANT,
    revoking requires PERMISSION_REVOKE.

    Returns the template name and its data dictionary.

    NOTE(review): nesting was reconstructed from a listing that lost its
    indentation - confirm against the original file.
    """
    perm = PermissionSystem(self.env)
    # Snapshot taken once per request; the grant branches test against it.
    all_permissions = perm.get_all_permissions()
    all_actions = perm.get_actions()

    if req.method == 'POST':
        subject = req.args.get('subject', '').strip()
        action = req.args.get('action')
        group = req.args.get('group', '').strip()

        # Subject and group names must not be all upper-case, which is
        # reserved for permission names.
        if subject and subject.isupper() or \
                group and group.isupper():
            raise TracError(
                _('All upper-cased tokens are reserved for '
                  'permission names'))

        # Grant permission to subject
        if req.args.get('add') and subject and action:
            req.perm.require('PERMISSION_GRANT')
            if action not in all_actions:
                raise TracError(_('Unknown action'))
            # The requester must hold the action being granted.
            req.perm.require(action)
            if (subject, action) not in all_permissions:
                perm.grant_permission(subject, action)
                add_notice(
                    req,
                    _(
                        'The subject %(subject)s has been '
                        'granted the permission %(action)s.',
                        subject=subject, action=action))
                req.redirect(req.href.admin(cat, page))
            else:
                add_warning(
                    req,
                    _(
                        'The permission %(action)s was already '
                        'granted to %(subject)s.',
                        action=action, subject=subject))

        # Add subject to group
        elif req.args.get('add') and subject and group:
            req.perm.require('PERMISSION_GRANT')
            for action in perm.get_user_permissions(group):
                # Permissions that are not currently defined are logged
                # and exempted from the possession check, so the requester
                # need not hold them to add a member to the group.
                if not action in all_actions: # plugin disabled?
                    self.env.log.warn("Adding %s to group %s: " \
                        "Permission %s unavailable, skipping perm check." \
                        % (subject, group, action))
                else:
                    req.perm.require(action)
            if (subject, group) not in all_permissions:
                perm.grant_permission(subject, group)
                add_notice(
                    req,
                    _(
                        'The subject %(subject)s has been added '
                        'to the group %(group)s.',
                        subject=subject, group=group))
                req.redirect(req.href.admin(cat, page))
            else:
                add_warning(
                    req,
                    _(
                        'The subject %(subject)s was already '
                        'added to the group %(group)s.',
                        subject=subject, group=group))

        # Remove permissions action
        elif req.args.get('remove') and req.args.get('sel'):
            # Only PERMISSION_REVOKE is required here; there is no check
            # that the requester holds the action being revoked.
            req.perm.require('PERMISSION_REVOKE')
            sel = req.args.get('sel')
            sel = sel if isinstance(sel, list) else [sel]
            for key in sel:
                # Each key is '<base64 subject>:<base64 action>'; a key
                # without ':' would raise ValueError on the unpacking.
                subject, action = key.split(':', 1)
                subject = unicode_from_base64(subject)
                action = unicode_from_base64(action)
                # Revoke only pairs that are actually stored.
                if (subject, action) in perm.get_all_permissions():
                    perm.revoke_permission(subject, action)
            add_notice(req, _('The selected permissions have been '
                              'revoked.'))
            req.redirect(req.href.admin(cat, page))

    # Entries whose second element is all upper-case are listed as
    # permissions, the remaining ones as group memberships.
    perms = [perm for perm in all_permissions if perm[1].isupper()]
    groups = [perm for perm in all_permissions if not perm[1].isupper()]

    return 'admin_perms.html', {
        'actions': all_actions,
        'perms': perms,
        'groups': groups,
        'unicode_to_base64': unicode_to_base64
    }
def runTest(self):
    """Tests for the Copy Permissions functionality
    added in http://trac.edgewall.org/ticket/11099.

    Drives the Permissions admin panel through its forms and checks the
    resulting notices, warnings and checkboxes for: a plain copy, a
    subject without direct permissions, reserved upper-case names, a
    target that already holds a permission, a permission that is no
    longer defined, and an actor lacking a permission being copied.
    """
    # Checkbox values are '<base64 subject>:<base64 permission>'.
    checkbox_value = lambda s, p: '%s:%s' % (unicode_to_base64(s),
                                             unicode_to_base64(p))
    # NOTE(review): '\.' sits in a non-raw string literal; presumably
    # these are regex patterns - consider raw strings.
    grant_msg = "The subject %s has been granted the permission %s\."

    def grant_permission(subject, action):
        # Grant via the 'addperm' form and verify notice and checkbox.
        tc.formvalue('addperm', 'gp_subject', subject)
        tc.formvalue('addperm', 'action', action)
        tc.submit()
        tc.find(grant_msg % (subject, action))
        tc.find(checkbox_value(subject, action))

    env = self._testenv.get_trac_environment()

    # Copy permissions from subject to target
    self._tester.go_to_admin('Permissions')
    perm_sys = PermissionSystem(env)
    anon_perms = perm_sys.store.get_user_permissions('anonymous')
    for perm in anon_perms:
        tc.find(checkbox_value('anonymous', perm))
        tc.notfind(checkbox_value('user1', perm))
    tc.formvalue('copyperm', 'cp_subject', 'anonymous')
    tc.formvalue('copyperm', 'cp_target', 'user1')
    tc.submit()
    for perm in anon_perms:
        tc.find("The subject user1 has been granted the permission %s\."
                % perm)
        tc.find(checkbox_value('user1', perm))

    # Subject doesn't have any permissions
    tc.notfind(checkbox_value('noperms', ''))
    tc.formvalue('copyperm', 'cp_subject', 'noperms')
    tc.formvalue('copyperm', 'cp_target', 'user1')
    tc.submit()
    tc.find("The subject noperms does not have any permissions\.")

    # Subject belongs to group but doesn't directly have any permissions
    grant_permission('group1', 'TICKET_VIEW')
    tc.formvalue('addsubj', 'sg_subject', 'noperms')
    tc.formvalue('addsubj', 'sg_group', 'group1')
    tc.submit()
    tc.find("The subject noperms has been added to the group group1\.")

    tc.formvalue('copyperm', 'cp_subject', 'noperms')
    tc.formvalue('copyperm', 'cp_target', 'user1')
    tc.submit()
    tc.find("The subject noperms does not have any permissions\.")

    # Target uses reserved all upper-case form
    tc.formvalue('copyperm', 'cp_subject', 'noperms')
    tc.formvalue('copyperm', 'cp_target', 'USER1')
    tc.submit()
    tc.find("All upper-cased tokens are reserved for permission names\.")
    self._tester.go_to_admin("Permissions")

    # Subject users reserved all upper-case form
    tc.formvalue('copyperm', 'cp_subject', 'USER1')
    tc.formvalue('copyperm', 'cp_target', 'noperms')
    tc.submit()
    tc.find("All upper-cased tokens are reserved for permission names\.")
    self._tester.go_to_admin("Permissions")

    # Target already possess one of the permissions
    anon_perms = perm_sys.store.get_user_permissions('anonymous')
    for perm in anon_perms:
        tc.notfind(checkbox_value('user2', perm))
    grant_permission('user2', anon_perms[0])

    tc.formvalue('copyperm', 'cp_subject', 'anonymous')
    tc.formvalue('copyperm', 'cp_target', 'user2')
    tc.submit()

    # NOTE(review): every other assertion in this test matches the notice
    # without <em> markup, so this pattern may never match and the
    # notfind() may pass vacuously - confirm.
    tc.notfind("The subject <em>user2</em> has been granted the "
               "permission %s\." % anon_perms[0])
    for perm in anon_perms[1:]:
        tc.find("The subject user2 has been granted the permission %s\."
                % perm)
        tc.find(checkbox_value('user2', perm))

    # Subject has a permission that is no longer defined
    try:
        # Insert the stale grant directly; the values are bound parameters.
        env.db_transaction("INSERT INTO permission VALUES (%s,%s)",
                           ('anonymous', 'NOTDEFINED_PERMISSION'))
    except env.db_exc.IntegrityError:
        # Row already present.
        pass
    env.config.touch()  # invalidate permission cache
    tc.reload()
    tc.find(checkbox_value('anonymous', 'NOTDEFINED_PERMISSION'))
    perm_sys = PermissionSystem(env)
    anon_perms = perm_sys.store.get_user_permissions('anonymous')
    for perm in anon_perms:
        tc.notfind(checkbox_value('user3', perm))

    tc.formvalue('copyperm', 'cp_subject', 'anonymous')
    tc.formvalue('copyperm', 'cp_target', 'user3')
    tc.submit()

    # The undefined permission must not be copied; all others must be.
    for perm in anon_perms:
        msg = grant_msg % ('user3', perm)
        if perm == 'NOTDEFINED_PERMISSION':
            tc.notfind(msg)
            tc.notfind(checkbox_value('user3', perm))
        else:
            tc.find(msg)
            tc.find(checkbox_value('user3', perm))
    perm_sys.revoke_permission('anonymous', 'NOTDEFINED_PERMISSION')

    # Actor doesn't posses permission
    # anonymous temporarily receives PERMISSION_GRANT; the finally block
    # below revokes it again even if an assertion fails.
    grant_permission('anonymous', 'PERMISSION_GRANT')
    grant_permission('user3', 'TRAC_ADMIN')
    self._tester.logout()
    self._tester.go_to_admin("Permissions")

    try:
        tc.formvalue('copyperm', 'cp_subject', 'user3')
        tc.formvalue('copyperm', 'cp_target', 'user4')
        tc.submit()

        perm_sys = PermissionSystem(env)
        for perm in [
                perm[1] for perm in perm_sys.get_all_permissions()
                if perm[0] == 'user3' and perm[1] != 'TRAC_ADMIN'
        ]:
            tc.find(grant_msg % ('user4', perm))
        # NOTE(review): this asserts that the refusal warning naming user4
        # is absent; it does not assert that TRAC_ADMIN was withheld.
        # Consider also checking that the user4/TRAC_ADMIN checkbox or
        # stored grant does not exist - confirm the intended assertion.
        tc.notfind("The permission TRAC_ADMIN was not granted to user4 "
                   "because users cannot grant permissions they don't "
                   "possess.")
    finally:
        self._testenv.revoke_perm('anonymous', 'PERMISSION_GRANT')
        self._tester.login('admin')
def render_admin_panel(self, req, cat, page, path_info):
    """Render the permissions admin panel and process its POST actions.

    POST actions: grant an action to a subject, add a subject to a group,
    or revoke the selected entries.  Granting requires PERMISSION_GRANT,
    revoking requires PERMISSION_REVOKE.

    Returns the template name and its data dictionary.

    NOTE(review): nesting was reconstructed from a listing that lost its
    indentation - confirm against the original file.
    """
    perm = PermissionSystem(self.env)
    # Snapshot taken once per request; the grant branches test against it.
    all_permissions = perm.get_all_permissions()
    all_actions = perm.get_actions()

    if req.method == 'POST':
        subject = req.args.get('subject', '').strip()
        action = req.args.get('action')
        group = req.args.get('group', '').strip()

        # Subject and group names must not be all upper-case, which is
        # reserved for permission names.
        if subject and subject.isupper() or \
                group and group.isupper():
            raise TracError(_('All upper-cased tokens are reserved for '
                              'permission names'))

        # Grant permission to subject
        if req.args.get('add') and subject and action:
            req.perm.require('PERMISSION_GRANT')
            if action not in all_actions:
                raise TracError(_('Unknown action'))
            # The requester must hold the action being granted.
            req.perm.require(action)
            if (subject, action) not in all_permissions:
                perm.grant_permission(subject, action)
                add_notice(req, _('The subject %(subject)s has been '
                                  'granted the permission %(action)s.',
                                  subject=subject, action=action))
                req.redirect(req.href.admin(cat, page))
            else:
                add_warning(req, _('The permission %(action)s was already '
                                   'granted to %(subject)s.',
                                   action=action, subject=subject))

        # Add subject to group
        elif req.args.get('add') and subject and group:
            req.perm.require('PERMISSION_GRANT')
            for action in perm.get_user_permissions(group):
                # Permissions that are not currently defined are logged
                # and exempted from the possession check, so the requester
                # need not hold them to add a member to the group.
                if not action in all_actions: # plugin disabled?
                    self.env.log.warn("Adding %s to group %s: " \
                        "Permission %s unavailable, skipping perm check." \
                        % (subject, group, action))
                else:
                    req.perm.require(action)
            if (subject, group) not in all_permissions:
                perm.grant_permission(subject, group)
                add_notice(req, _('The subject %(subject)s has been added '
                                  'to the group %(group)s.',
                                  subject=subject, group=group))
                req.redirect(req.href.admin(cat, page))
            else:
                add_warning(req, _('The subject %(subject)s was already '
                                   'added to the group %(group)s.',
                                   subject=subject, group=group))

        # Remove permissions action
        elif req.args.get('remove') and req.args.get('sel'):
            # Only PERMISSION_REVOKE is required here; there is no check
            # that the requester holds the action being revoked.
            req.perm.require('PERMISSION_REVOKE')
            sel = req.args.get('sel')
            sel = isinstance(sel, list) and sel or [sel]
            for key in sel:
                # Keys are raw 'subject:action' text split at the first
                # ':'; a subject that itself contains ':' would be split
                # in the wrong place, and a key without ':' would raise
                # ValueError on the unpacking.
                subject, action = key.split(':', 1)
                # Revoke only pairs that are actually stored.
                if (subject, action) in perm.get_all_permissions():
                    perm.revoke_permission(subject, action)
            add_notice(req, _('The selected permissions have been '
                              'revoked.'))
            req.redirect(req.href.admin(cat, page))

    return 'admin_perms.html', {
        'actions': all_actions,
        'perms': all_permissions
    }
def render_admin_panel(self, req, cat, page, path_info):
    """Render the permissions admin panel and process its POST actions.

    POST actions: grant an action to a subject, add a subject to a group,
    copy one subject's permissions to a target, or revoke the selected
    entries.  Granting requires PERMISSION_GRANT, revoking requires
    PERMISSION_REVOKE.

    Returns the template name and its data dictionary.

    NOTE(review): nesting was reconstructed from a listing that lost its
    indentation - confirm against the original file.
    """
    perm = PermissionSystem(self.env)
    # Snapshot taken once per request; the grant and copy branches test
    # against it.
    all_permissions = perm.get_all_permissions()
    all_actions = perm.get_actions()

    if req.method == 'POST':
        subject = req.args.get('subject', '').strip()
        target = req.args.get('target', '').strip()
        action = req.args.get('action')
        group = req.args.get('group', '').strip()

        # Subject, group and target names must not be all upper-case,
        # which is reserved for permission names.
        if subject and subject.isupper() or \
                group and group.isupper() or \
                target and target.isupper():
            raise TracError(_("All upper-cased tokens are reserved for "
                              "permission names."))

        # Grant permission to subject
        if req.args.get('add') and subject and action:
            req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
            if action not in all_actions:
                raise TracError(_("Unknown action"))
            # The requester must hold the action being granted.
            req.perm.require(action)
            if (subject, action) not in all_permissions:
                perm.grant_permission(subject, action)
                add_notice(req, _("The subject %(subject)s has been "
                                  "granted the permission %(action)s.",
                                  subject=subject, action=action))
                req.redirect(req.href.admin(cat, page))
            else:
                add_warning(req, _("The permission %(action)s was already "
                                   "granted to %(subject)s.",
                                   action=action, subject=subject))

        # Add subject to group
        elif req.args.get('add') and subject and group:
            req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
            for action in perm.get_user_permissions(group):
                # Permissions that are not currently defined are logged
                # and exempted from the possession check, so the requester
                # need not hold them to add a member to the group.
                if not action in all_actions: # plugin disabled?
                    self.env.log.warn("Adding %s to group %s: "
                        "Permission %s unavailable, skipping perm check.",
                        subject, group, action)
                else:
                    req.perm.require(action,
                        message=_("The subject %(subject)s was not added "
                                  "to the group %(group)s because the "
                                  "group has %(perm)s permission and "
                                  "users cannot grant permissions they "
                                  "don't possess.", subject=subject,
                                  group=group, perm=action))
            if (subject, group) not in all_permissions:
                perm.grant_permission(subject, group)
                add_notice(req, _("The subject %(subject)s has been added "
                                  "to the group %(group)s.",
                                  subject=subject, group=group))
                req.redirect(req.href.admin(cat, page))
            else:
                add_warning(req, _("The subject %(subject)s was already "
                                   "added to the group %(group)s.",
                                   subject=subject, group=group))

        # Copy permissions to subject
        elif req.args.get('copy') and subject and target:
            # NOTE(review): this check is not scoped to the
            # ('admin', 'general/perm') resource like the other branches -
            # confirm whether the difference is intended.
            req.perm.require('PERMISSION_GRANT')

            # Only the subject's direct, upper-case (permission) entries
            # are copied; group memberships are left out.
            subject_permissions = [i[1] for i in all_permissions
                                   if i[0] == subject and
                                   i[1].isupper()]
            if not subject_permissions:
                add_warning(req,_("The subject %(subject)s does not "
                                  "have any permissions.",
                                  subject=subject))

            for action in subject_permissions:
                # Skip what the target already holds.
                if (target, action) in all_permissions:
                    continue
                if not action in all_actions: # plugin disabled?
                    self.env.log.warn("Skipped granting %s to %s: "
                                      "permission unavailable.",
                                      action, target)
                else:
                    # Actions the requester does not hold are skipped with
                    # a warning rather than copied.
                    # NOTE(review): the warning is formatted with the source
                    # `subject`, although the grant would go to `target` -
                    # confirm which name the message should show.
                    if action not in req.perm:
                        add_warning(req,
                                    _("The permission %(action)s was "
                                      "not granted to %(subject)s "
                                      "because users cannot grant "
                                      "permissions they don't possess.",
                                      action=action, subject=subject))
                        continue
                    perm.grant_permission(target, action)
                    add_notice(req, _("The subject %(subject)s has "
                                      "been granted the permission "
                                      "%(action)s.",
                                      subject=target, action=action))
            req.redirect(req.href.admin(cat, page))

        # Remove permissions action
        elif req.args.get('remove') and req.args.get('sel'):
            # Only PERMISSION_REVOKE is required here; there is no check
            # that the requester holds the action being revoked.
            req.perm('admin', 'general/perm').require('PERMISSION_REVOKE')
            sel = req.args.get('sel')
            sel = sel if isinstance(sel, list) else [sel]
            for key in sel:
                # Each key is '<base64 subject>:<base64 action>'; a key
                # without ':' would raise ValueError on the unpacking.
                subject, action = key.split(':', 1)
                subject = unicode_from_base64(subject)
                action = unicode_from_base64(action)
                # Revoke only pairs that are actually stored.
                if (subject, action) in perm.get_all_permissions():
                    perm.revoke_permission(subject, action)
            add_notice(req, _("The selected permissions have been "
                              "revoked."))
            req.redirect(req.href.admin(cat, page))

    return 'admin_perms.html', {
        'actions': all_actions,
        'perms': perm.get_users_dict(),
        'groups': perm.get_groups_dict(),
        'unicode_to_base64': unicode_to_base64
    }
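def render_admin_panel(self, req, cat, page, path_info):
    """Render the permission admin panel and apply submitted changes.

    On POST the request arguments select one of four operations: grant
    an action to a subject, add a subject to a group, copy a subject's
    permissions to a target, or revoke the selected permissions.  Every
    operation first requires PERMISSION_GRANT or PERMISSION_REVOKE on
    the ``admin:general/perm`` resource, and the granting operations
    additionally check that the requesting user holds each action that
    is handed out.

    :param req: the current request; ``req.args`` supplies the form
                fields and ``req.perm`` the requesting user's permissions
    :param cat: admin category, used to build the redirect URL
    :param page: admin page, used to build the redirect URL
    :param path_info: not used by this panel
    :return: ``(template_name, data)`` for ``admin_perms.html``
    :raises TracError: if subject, group or target is all upper-case,
                       or if the requested action is unknown
    """
    perm = PermissionSystem(self.env)
    all_permissions = perm.get_all_permissions()
    all_actions = perm.get_actions()

    if req.method == 'POST':
        subject = req.args.get('subject', '').strip()
        target = req.args.get('target', '').strip()
        action = req.args.get('action')
        group = req.args.get('group', '').strip()

        # Upper-case names are how actions are told apart from groups
        # everywhere below, so a user or group may never be named that
        # way ("".isupper() is False, so empty fields pass).
        if any(token.isupper() for token in (subject, group, target)):
            raise TracError(
                _("All upper-cased tokens are reserved for "
                  "permission names."))

        # Grant permission to subject
        if req.args.get('add') and subject and action:
            req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
            if action not in all_actions:
                raise TracError(_("Unknown action"))
            # Users cannot grant permissions they don't possess.
            req.perm.require(action)
            if (subject, action) not in all_permissions:
                perm.grant_permission(subject, action)
                add_notice(req,
                           _("The subject %(subject)s has been "
                             "granted the permission %(action)s.",
                             subject=subject, action=action))
                req.redirect(req.href.admin(cat, page))
            else:
                add_warning(req,
                            _("The permission %(action)s was already "
                              "granted to %(subject)s.",
                              action=action, subject=subject))

        # Add subject to group
        elif req.args.get('add') and subject and group:
            req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
            # Joining a group confers everything the group holds, so the
            # requesting user must hold each of those actions as well.
            for action in perm.get_user_permissions(group):
                if action not in all_actions:  # plugin disabled?
                    # An action that is not currently defined cannot be
                    # checked against req.perm; it is logged and the
                    # check for it is skipped.
                    self.env.log.warn(
                        "Adding %s to group %s: "
                        "Permission %s unavailable, skipping perm check.",
                        subject, group, action)
                else:
                    req.perm.require(
                        action,
                        message=_("The subject %(subject)s was not added "
                                  "to the group %(group)s because the "
                                  "group has %(perm)s permission and "
                                  "users cannot grant permissions they "
                                  "don't possess.",
                                  subject=subject, group=group,
                                  perm=action))
            if (subject, group) not in all_permissions:
                perm.grant_permission(subject, group)
                add_notice(req,
                           _("The subject %(subject)s has been added "
                             "to the group %(group)s.",
                             subject=subject, group=group))
                req.redirect(req.href.admin(cat, page))
            else:
                add_warning(req,
                            _("The subject %(subject)s was already "
                              "added to the group %(group)s.",
                              subject=subject, group=group))

        # Copy permissions to subject
        elif req.args.get('copy') and subject and target:
            # Checked against the same resource as the other branches so
            # that a resource-scoped policy applies to copying as well.
            req.perm('admin', 'general/perm').require('PERMISSION_GRANT')

            # Only actions (upper-case) are copied, not group memberships.
            subject_permissions = [
                entry[1] for entry in all_permissions
                if entry[0] == subject and entry[1].isupper()
            ]
            if not subject_permissions:
                add_warning(req,
                            _("The subject %(subject)s does not "
                              "have any permissions.", subject=subject))

            for action in subject_permissions:
                if (target, action) in all_permissions:
                    continue
                if action not in all_actions:  # plugin disabled?
                    self.env.log.warn("Skipped granting %s to %s: "
                                      "permission unavailable.",
                                      action, target)
                else:
                    if action not in req.perm:
                        # The recipient of the grant is ``target``, so
                        # that is the name the warning has to report.
                        add_warning(req,
                                    _("The permission %(action)s was "
                                      "not granted to %(subject)s "
                                      "because users cannot grant "
                                      "permissions they don't possess.",
                                      action=action, subject=target))
                        continue
                    perm.grant_permission(target, action)
                    add_notice(req,
                               _("The subject %(subject)s has "
                                 "been granted the permission "
                                 "%(action)s.",
                                 subject=target, action=action))
            req.redirect(req.href.admin(cat, page))

        # Remove permissions action
        elif req.args.get('remove') and req.args.get('sel'):
            req.perm('admin', 'general/perm').require('PERMISSION_REVOKE')
            sel = req.args.get('sel')
            sel = sel if isinstance(sel, list) else [sel]
            # NOTE(review): the ``sel`` values come from the submitted
            # form. A key without ':' makes the unpacking below raise
            # ValueError; consider rejecting such a key with a TracError.
            for key in sel:
                subject, action = key.split(':', 1)
                subject = unicode_from_base64(subject)
                action = unicode_from_base64(action)
                # Re-read on every pass: earlier revocations in this
                # loop change the stored permissions.
                if (subject, action) in perm.get_all_permissions():
                    perm.revoke_permission(subject, action)
            add_notice(req, _("The selected permissions have been "
                              "revoked."))
            req.redirect(req.href.admin(cat, page))

    # The loop variable is deliberately not called ``perm``: under
    # Python 2 a list comprehension rebinds its variable in the
    # enclosing scope and would replace the PermissionSystem above.
    perms = [entry for entry in all_permissions if entry[1].isupper()]
    groups = [entry for entry in all_permissions
              if not entry[1].isupper()]

    return 'admin_perms.html', {
        'actions': all_actions,
        'perms': perms,
        'groups': groups,
        'unicode_to_base64': unicode_to_base64
    }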