def test_affects_unrelated(self): """Unrelated objects test. If I set an ACL on an object, it should not affect objects that it doesn't match. (in this case, a different language) """ lang_cs = Language.objects.get(code='cs') lang_de = Language.objects.get(code='de') trans_cs = Translation.objects.create( subproject=self.subproject, language=lang_cs, filename="this/is/not/a.template") trans_de = Translation.objects.create( subproject=self.subproject, language=lang_de, filename="this/is/not/a.template") acl = GroupACL.objects.create(language=lang_cs) acl.groups.add(self.group) self.assertTrue(can_edit(self.privileged, trans_cs, self.PERMISSION)) self.assertFalse(can_edit(self.user, trans_cs, self.PERMISSION)) self.assertTrue(can_edit(self.privileged, trans_de, self.PERMISSION)) self.assertTrue(can_edit(self.user, trans_de, self.PERMISSION))
def test_affects_partial_match(self): """Partial ACL match test. If I set an ACL on two criteria, e.g., subproject and language, it should not affect objects that only match one of the criteria. """ lang_cs = Language.objects.get(code='cs') lang_de = Language.objects.get(code='de') trans_cs = Translation.objects.create( subproject=self.subproject, language=lang_cs, filename="this/is/not/a.template") trans_de = Translation.objects.create( subproject=self.subproject, language=lang_de, filename="this/is/not/a.template") acl = GroupACL.objects.create(language=lang_cs, subproject=self.subproject) acl.groups.add(self.group) self.assertTrue(can_edit(self.privileged, trans_cs, self.PERMISSION)) self.assertFalse(can_edit(self.user, trans_cs, self.PERMISSION)) self.assertTrue(can_edit(self.privileged, trans_de, self.PERMISSION)) self.assertTrue(can_edit(self.user, trans_de, self.PERMISSION))
def test_affects_partial_match(self): """Partial ACL match test. If I set an ACL on two criteria, e.g., subproject and language, it should not affect objects that only match one of the criteria. """ lang_cs = Language.objects.get(code='cs') lang_de = Language.objects.get(code='de') trans_cs = Translation.objects.create( subproject=self.subproject, language=lang_cs, filename="this/is/not/a.template" ) trans_de = Translation.objects.create( subproject=self.subproject, language=lang_de, filename="this/is/not/a.template" ) acl = GroupACL.objects.create( language=lang_cs, subproject=self.subproject ) acl.groups.add(self.group) self.assertTrue(can_edit(self.privileged, trans_cs, self.PERMISSION)) self.assertFalse(can_edit(self.user, trans_cs, self.PERMISSION)) self.assertTrue(can_edit(self.privileged, trans_de, self.PERMISSION)) self.assertTrue(can_edit(self.user, trans_de, self.PERMISSION))
def test_affects_unrelated(self): """Unrelated objects test. If I set an ACL on an object, it should not affect objects that it doesn't match. (in this case, a different language) """ lang_cs = Language.objects.get(code='cs') lang_de = Language.objects.get(code='de') trans_cs = Translation.objects.create( subproject=self.subproject, language=lang_cs, filename="this/is/not/a.template" ) trans_de = Translation.objects.create( subproject=self.subproject, language=lang_de, filename="this/is/not/a.template" ) acl = GroupACL.objects.create(language=lang_cs) acl.groups.add(self.group) self.assertTrue(can_edit(self.privileged, trans_cs, self.PERMISSION)) self.assertFalse(can_edit(self.user, trans_cs, self.PERMISSION)) self.assertTrue(can_edit(self.privileged, trans_de, self.PERMISSION)) self.assertTrue(can_edit(self.user, trans_de, self.PERMISSION))
def test_acl_lockout(self): """Basic sanity check. Group ACL set on a subproject should only allow members of the marked group to edit it. """ self.assertTrue(can_edit(self.user, self.trans, self.PERMISSION)) self.assertTrue(can_edit(self.privileged, self.trans, self.PERMISSION)) acl = GroupACL.objects.create(subproject=self.subproject) acl.groups.add(self.group) self.clear_permission_cache() self.assertTrue(can_edit(self.privileged, self.trans, self.PERMISSION)) self.assertFalse(can_edit(self.user, self.trans, self.PERMISSION))
def test_acl_not_filtered(self): ''' Basic sanity check. Group ACL set on a subproject should only allow members of the marked group to edit it. ''' self.assertTrue(can_edit(self.user, self.trans, self.PERMISSION)) self.assertTrue(can_edit(self.privileged, self.trans, self.PERMISSION)) acl = GroupACL.objects.create(subproject=self.subproject) acl.groups.add(self.group) acl.permissions.remove(self.permission) self.clear_permission_cache() self.assertTrue(can_edit(self.privileged, self.trans, self.PERMISSION)) self.assertTrue(can_edit(self.user, self.trans, self.PERMISSION))
def test_acl_overlap(self): """ACL overlap test. When two ACLs can apply to a translation object, only the most specific one should apply. """ acl_lang = GroupACL.objects.create(language=self.language) acl_lang.groups.add(self.group) self.assertTrue(can_edit(self.privileged, self.trans, self.PERMISSION)) acl_sub = GroupACL.objects.create(subproject=self.subproject) self.clear_permission_cache() self.assertFalse(can_edit(self.privileged, self.trans, self.PERMISSION)) acl_sub.groups.add(self.group) self.clear_permission_cache() self.assertTrue(can_edit(self.privileged, self.trans, self.PERMISSION))
def test_acl_overlap(self): """ACL overlap test. When two ACLs can apply to a translation object, only the most specific one should apply. """ acl_lang = GroupACL.objects.create(language=self.language) acl_lang.groups.add(self.group) self.assertTrue( can_edit(self.privileged, self.trans, self.PERMISSION)) acl_sub = GroupACL.objects.create(subproject=self.subproject) self.clear_permission_cache() self.assertFalse( can_edit(self.privileged, self.trans, self.PERMISSION)) acl_sub.groups.add(self.group) self.clear_permission_cache() self.assertTrue( can_edit(self.privileged, self.trans, self.PERMISSION))
def test_group_locked(self): """Limited privilege test. Once a group is used in a GroupACL, it is said to be "locked". Privileges from the locked group should not apply outside GroupACL. I.e., if I gain "author_translation" privilege through membership in a "privileged_group", applicable to Czech language, this should not apply to any other language. """ lang_cs = Language.objects.get(code='cs') lang_de = Language.objects.get(code='de') trans_cs = Translation.objects.create( subproject=self.subproject, language=lang_cs, plural=lang_cs.plural, filename="this/is/not/a.template") trans_de = Translation.objects.create( subproject=self.subproject, language=lang_de, plural=lang_de.plural, filename="this/is/not/a.template") perm_name = 'trans.author_translation' permission = Permission.objects.get(codename='author_translation', content_type__app_label='trans') # Avoid conflict with automatic GroupACL self.project.groupacl_set.all()[0].permissions.remove(permission) self.assertFalse(can_edit(self.user, trans_cs, perm_name)) self.assertFalse(can_edit(self.privileged, trans_cs, perm_name)) self.assertFalse(can_edit(self.privileged, trans_de, perm_name)) self.clear_permission_cache() self.group.permissions.add(permission) self.assertFalse(can_edit(self.user, trans_cs, perm_name)) self.assertTrue(can_edit(self.privileged, trans_cs, perm_name)) self.assertTrue(can_edit(self.privileged, trans_de, perm_name)) self.clear_permission_cache() acl = GroupACL.objects.create(language=lang_cs) acl.groups.add(self.group) self.assertTrue(can_edit(self.privileged, trans_cs, perm_name)) self.assertFalse(can_edit(self.privileged, trans_de, perm_name))
def test_group_locked(self): """Limited privilege test. Once a group is used in a GroupACL, it is said to be "locked". Privileges from the locked group should not apply outside GroupACL. I.e., if I gain "author_translation" privilege through membership in a "privileged_group", applicable to Czech language, this should not apply to any other language. """ lang_cs = Language.objects.get(code='cs') lang_de = Language.objects.get(code='de') trans_cs = Translation.objects.create( subproject=self.subproject, language=lang_cs, filename="this/is/not/a.template" ) trans_de = Translation.objects.create( subproject=self.subproject, language=lang_de, filename="this/is/not/a.template" ) perm_name = 'trans.author_translation' permission = Permission.objects.get( codename='author_translation', content_type__app_label='trans' ) # Avoid conflict with automatic GroupACL self.project.groupacl_set.all()[0].permissions.remove(permission) self.assertFalse(can_edit(self.user, trans_cs, perm_name)) self.assertFalse(can_edit(self.privileged, trans_cs, perm_name)) self.assertFalse(can_edit(self.privileged, trans_de, perm_name)) self.clear_permission_cache() self.group.permissions.add(permission) self.assertFalse(can_edit(self.user, trans_cs, perm_name)) self.assertTrue(can_edit(self.privileged, trans_cs, perm_name)) self.assertTrue(can_edit(self.privileged, trans_de, perm_name)) self.clear_permission_cache() acl = GroupACL.objects.create(language=lang_cs) acl.groups.add(self.group) self.assertTrue(can_edit(self.privileged, trans_cs, perm_name)) self.assertFalse(can_edit(self.privileged, trans_de, perm_name))