def setUp(self): super(TestOwnershipPermissionPolicy, self).setUp() self.policy = OwnershipPermissionPolicy(Image, owner_field_name='uploaded_by_user')
from wagtail.wagtailcore.permission_policies import OwnershipPermissionPolicy from wagtail.wagtailimages.models import Image, get_image_model permission_policy = OwnershipPermissionPolicy( get_image_model(), auth_model=Image, owner_field_name='uploaded_by_user')
class TestOwnershipPermissionPolicy(PermissionPolicyTestCase): def setUp(self): super(TestOwnershipPermissionPolicy, self).setUp() self.policy = OwnershipPermissionPolicy(Image, owner_field_name='uploaded_by_user') def test_user_has_permission(self): self.assertUserPermissionMatrix([ # Superuser has permission to do everything (self.superuser, True, True, True, True), # Inactive superuser can do nothing (self.inactive_superuser, False, False, False, False), # User with 'add' permission via group can add, # and by extension, change and delete their own instances (self.image_adder, True, True, True, False), # User with 'add' permission via user can add, # and by extension, change and delete their own instances (self.oneoff_image_adder, True, True, True, False), # Inactive user with 'add' permission can do nothing (self.inactive_image_adder, False, False, False, False), # User with 'change' permission via group can change and delete but not add (self.image_changer, False, True, True, False), # User with 'change' permission via user can change and delete but not add (self.oneoff_image_changer, False, True, True, False), # Inactive user with 'change' permission can do nothing (self.inactive_image_changer, False, False, False, False), # 'delete' permission is ignored for this policy (self.oneoff_image_deleter, False, False, False, False), # User with no permission can do nothing (self.useless_user, False, False, False, False), # Anonymous user can do nothing (self.anonymous_user, False, False, False, False), ]) def test_user_has_any_permission(self): # Superuser can do everything self.assertTrue( self.policy.user_has_any_permission(self.superuser, ['add', 'change']) ) # Inactive superuser can do nothing self.assertFalse( self.policy.user_has_any_permission(self.inactive_superuser, ['add', 'change']) ) # Only one of the permissions in the list needs to pass # in order for user_has_any_permission to return true self.assertTrue( self.policy.user_has_any_permission(self.image_changer, ['add', 'change']) ) self.assertTrue( self.policy.user_has_any_permission(self.oneoff_image_changer, ['add', 'change']) ) # User with some permission, but not the ones in the list, # should return false self.assertFalse( self.policy.user_has_any_permission(self.oneoff_image_deleter, ['add', 'change']) ) # Inactive user with the appropriate permissions can do nothing self.assertFalse( self.policy.user_has_any_permission(self.inactive_image_changer, ['add', 'delete']) ) # User with no permissions can do nothing self.assertFalse( self.policy.user_has_any_permission(self.useless_user, ['add', 'change']) ) # Anonymous user can do nothing self.assertFalse( self.policy.user_has_any_permission(self.anonymous_user, ['add', 'change']) ) def test_users_with_permission(self): users_with_add_permission = self.policy.users_with_permission('add') self.assertResultSetEqual(users_with_add_permission, [ self.superuser, self.image_adder, self.oneoff_image_adder, ]) # users with add permission have change permission too (i.e. for their own images) users_with_change_permission = self.policy.users_with_permission('change') self.assertResultSetEqual(users_with_change_permission, [ self.superuser, self.image_adder, self.oneoff_image_adder, self.image_changer, self.oneoff_image_changer, ]) # conditions for deletion are the same as for change; 'delete' permission # records in django.contrib.auth are ignored users_with_delete_permission = self.policy.users_with_permission('delete') self.assertResultSetEqual(users_with_delete_permission, [ self.superuser, self.image_adder, self.oneoff_image_adder, self.image_changer, self.oneoff_image_changer, ]) # non-standard permissions are only available to superusers users_with_frobnicate_permission = self.policy.users_with_permission('frobnicate') self.assertResultSetEqual(users_with_frobnicate_permission, [ self.superuser, ]) def test_users_with_any_permission(self): users_with_add_or_change_permission = self.policy.users_with_any_permission( ['add', 'change'] ) self.assertResultSetEqual(users_with_add_or_change_permission, [ self.superuser, self.image_adder, self.oneoff_image_adder, self.image_changer, self.oneoff_image_changer, ]) users_with_add_or_frobnicate_permission = self.policy.users_with_any_permission( ['add', 'frobnicate'] ) self.assertResultSetEqual(users_with_add_or_frobnicate_permission, [ self.superuser, self.image_adder, self.oneoff_image_adder, ]) def test_user_has_permission_for_instance(self): # Test permissions for an image owned by image_adder self.assertUserInstancePermissionMatrix(self.adder_image, [ # superuser can do everything (self.superuser, True, True, True), # inactive superuser can do nothing (self.inactive_superuser, False, False, False), # image_adder can change and delete their own images, # but not perform custom actions (self.image_adder, True, True, False), # user with add permission cannot edit images owned by others (self.oneoff_image_adder, False, False, False), # inactive user with 'add' permission can do nothing (self.inactive_image_adder, False, False, False), # user with change permission can change and delete all images (self.image_changer, True, True, False), # likewise for change permission specified at the user level (self.oneoff_image_changer, True, True, False), # inactive user with 'change' permission can do nothing (self.inactive_image_changer, False, False, False), # delete permissions are ignored (self.oneoff_image_deleter, False, False, False), # user with no permissions can do nothing (self.useless_user, False, False, False), # anonymous user can do nothing (self.anonymous_user, False, False, False), ]) # Test permissions for an image owned by useless_user self.assertUserInstancePermissionMatrix(self.useless_image, [ # superuser can do everything (self.superuser, True, True, True), # image_adder cannot edit images owned by others (self.image_adder, False, False, False), (self.oneoff_image_adder, False, False, False), # user with change permission can change and delete all images (self.image_changer, True, True, False), (self.oneoff_image_changer, True, True, False), # inactive users can do nothing (self.inactive_superuser, False, False, False), (self.inactive_image_adder, False, False, False), (self.inactive_image_changer, False, False, False), # delete permissions are ignored (self.oneoff_image_deleter, False, False, False), # user with no permissions can do nothing, even on images # they own (self.useless_user, False, False, False), # anonymous user can do nothing (self.anonymous_user, False, False, False), ]) # Instances with a null owner should always follow the same rules # as 'an instance owned by someone else' self.assertUserInstancePermissionMatrix(self.anonymous_image, [ (self.superuser, True, True, True), (self.image_adder, False, False, False), (self.oneoff_image_adder, False, False, False), (self.image_changer, True, True, False), (self.oneoff_image_changer, True, True, False), (self.inactive_superuser, False, False, False), (self.inactive_image_adder, False, False, False), (self.inactive_image_changer, False, False, False), (self.oneoff_image_deleter, False, False, False), (self.useless_user, False, False, False), (self.anonymous_user, False, False, False), ]) def test_user_has_any_permission_for_instance(self): # Superuser can do everything self.assertTrue( self.policy.user_has_any_permission_for_instance( self.superuser, ['change', 'delete'], self.adder_image ) ) # Inactive superuser can do nothing self.assertFalse( self.policy.user_has_any_permission_for_instance( self.inactive_superuser, ['change', 'delete'], self.adder_image ) ) # Only one of the permissions in the list needs to pass # in order for user_has_any_permission to return true self.assertTrue( self.policy.user_has_any_permission_for_instance( self.image_changer, ['change', 'frobnicate'], self.adder_image ) ) self.assertTrue( self.policy.user_has_any_permission_for_instance( self.oneoff_image_changer, ['change', 'frobnicate'], self.adder_image ) ) # User with some permission, but not the ones in the list, # should return false self.assertFalse( self.policy.user_has_any_permission_for_instance( self.oneoff_image_deleter, ['change', 'delete'], self.adder_image ) ) # Inactive user with the appropriate permissions can do nothing self.assertFalse( self.policy.user_has_any_permission_for_instance( self.inactive_image_changer, ['change', 'delete'], self.adder_image ) ) # User with no permissions can do nothing self.assertFalse( self.policy.user_has_any_permission_for_instance( self.useless_user, ['change', 'delete'], self.adder_image ) ) # Anonymous user can do nothing self.assertFalse( self.policy.user_has_any_permission_for_instance( self.anonymous_user, ['change', 'delete'], self.adder_image ) ) def test_instances_user_has_permission_for(self): all_images = [ self.adder_image, self.useless_image, self.anonymous_image ] no_images = [] # the set of images editable by superuser includes all images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.superuser, 'change' ), all_images ) # the set of images editable by inactive superuser includes no images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.inactive_superuser, 'change' ), no_images ) # a user with 'add' permission can change their own images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.image_adder, 'change' ), [self.adder_image] ) # a user with 'add' permission can also delete their own images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.image_adder, 'delete' ), [self.adder_image] ) # a user with 'change' permission can change all images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.image_changer, 'change' ), all_images ) # ditto for 'change' permission assigned at the user level self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.oneoff_image_changer, 'change' ), all_images ) # an inactive user with the relevant permission can edit no images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.inactive_image_changer, 'change' ), no_images ) # a user with no permission can edit no images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.useless_user, 'change' ), no_images ) # the set of images editable by anonymous user includes no images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.anonymous_user, 'change' ), no_images ) def test_instances_user_has_any_permission_for(self): all_images = [ self.adder_image, self.useless_image, self.anonymous_image ] no_images = [] # the set of images editable by superuser includes all images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.superuser, ['change', 'delete'] ), all_images ) # the set of images editable by inactive superuser includes no images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.inactive_superuser, ['change', 'delete'] ), no_images ) # a user with 'add' permission can change/delete their own images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.image_adder, ['delete', 'frobnicate'] ), [self.adder_image] ) # a user with 'edit' permission can change/delete all images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.oneoff_image_changer, ['delete', 'frobnicate'] ), all_images ) # a user with no permission can edit no images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.useless_user, ['change', 'delete'] ), no_images ) # an inactive user with the relevant permission can edit no images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.inactive_image_changer, ['change', 'delete'] ), no_images ) # a user with permission, but not the matching one, can edit no images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.oneoff_image_deleter, ['change', 'delete'] ), no_images ) # the set of images editable by anonymous user includes no images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.anonymous_user, ['change', 'delete'] ), no_images ) def test_users_with_permission_for_instance(self): # adder_image can be edited by its owner (who has add permission) and # all users with 'change' permission users_with_change_permission = self.policy.users_with_permission_for_instance( 'change', self.adder_image ) self.assertResultSetEqual(users_with_change_permission, [ self.superuser, self.image_adder, self.image_changer, self.oneoff_image_changer, ]) # the same set of users can also delete users_with_delete_permission = self.policy.users_with_permission_for_instance( 'delete', self.adder_image ) self.assertResultSetEqual(users_with_delete_permission, [ self.superuser, self.image_adder, self.image_changer, self.oneoff_image_changer, ]) # custom actions are available to superusers only users_with_delete_permission = self.policy.users_with_permission_for_instance( 'frobnicate', self.adder_image ) self.assertResultSetEqual(users_with_delete_permission, [ self.superuser, ]) # useless_user can NOT edit their own image, because they do not have # 'add' permission users_with_change_permission = self.policy.users_with_permission_for_instance( 'change', self.useless_image ) self.assertResultSetEqual(users_with_change_permission, [ self.superuser, self.image_changer, self.oneoff_image_changer, ]) # an image with no owner is treated as if it's owned by 'somebody else' - # i.e. users with 'change' permission can edit it users_with_change_permission = self.policy.users_with_permission_for_instance( 'change', self.anonymous_image ) self.assertResultSetEqual(users_with_change_permission, [ self.superuser, self.image_changer, self.oneoff_image_changer, ]) def test_users_with_any_permission_for_instance(self): users_with_change_or_frob_permission = self.policy.users_with_any_permission_for_instance( ['change', 'frobnicate'], self.adder_image ) self.assertResultSetEqual(users_with_change_or_frob_permission, [ self.superuser, self.image_adder, self.image_changer, self.oneoff_image_changer, ])
from wagtail.wagtailcore.permission_policies import OwnershipPermissionPolicy from wagtail.wagtaildocs.models import Document, get_document_model permission_policy = OwnershipPermissionPolicy( get_document_model(), auth_model=Document, owner_field_name='uploaded_by_user' )