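def test_all_allowed(self):
    """Check ``all_allowed`` for every built-in project role on the wiki app.

    The first group of expectations is the default wiki ACL, one permission
    set per role.  The tail of the test then covers two dynamic cases:

    * adding ``test-user`` to the Member group widens the user's computed
      set to the Member permissions, and
    * a DENY of ``unmoderated_post`` on ``*authenticated`` is reflected in
      both the Member role's and the user's computed set.
    """
    wiki = c.project.app_instance('wiki')
    admin_role = M.ProjectRole.by_name('Admin')
    dev_role = M.ProjectRole.by_name('Developer')
    member_role = M.ProjectRole.by_name('Member')
    auth_role = M.ProjectRole.by_name('*authenticated')
    anon_role = M.ProjectRole.by_name('*anonymous')
    test_user = M.User.by_username('test-user')

    # Default wiki ACL: expected permission set per principal, checked in
    # the same order the assertions were originally written.
    expected = [
        (admin_role, {'configure', 'read', 'create', 'edit',
                      'unmoderated_post', 'post', 'moderate', 'admin',
                      'delete'}),
        (dev_role, {'read', 'create', 'edit', 'unmoderated_post', 'post',
                    'moderate', 'delete'}),
        (member_role, {'read', 'create', 'edit', 'unmoderated_post', 'post'}),
        (auth_role, {'read', 'post', 'unmoderated_post'}),
        (anon_role, {'read'}),
        # A user not in any group matches the *authenticated set.
        (test_user, {'read', 'post', 'unmoderated_post'}),
    ]
    for principal, perms in expected:
        assert_equal(all_allowed(wiki, principal), perms)

    # Group membership is reflected: the user now gets the Member perms.
    _add_to_group(test_user, member_role)
    assert_equal(all_allowed(wiki, test_user),
                 {'read', 'create', 'edit', 'unmoderated_post', 'post'})

    # A DENY on *authenticated removes the perm for the Member role and for
    # the user who is a member.
    _deny(wiki, auth_role, 'unmoderated_post')
    assert_equal(all_allowed(wiki, member_role),
                 {'read', 'create', 'edit', 'post'})
    assert_equal(all_allowed(wiki, test_user),
                 {'read', 'create', 'edit', 'post'})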
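def _set_private(self, bool_flag):
    """Make the ticket private (``bool_flag`` true) or public (false).

    Private: the ticket ACL becomes explicit ALLOW entries for every
    permission the Developer role and the reporter's project role currently
    hold (as reported by ``security.all_allowed``), followed by ``DENY_ALL``
    so every other principal is refused.  Public: the ticket ACL is cleared.

    The ALLOW entries are a snapshot taken at call time; presumably later
    changes to the Developer role's permissions are not reflected in an
    already-private ticket until this is called again — confirm.
    NOTE(review): ``self.reported_by.project_role()`` assumes a reporter is
    always set; verify how tickets without a reporter reach this path.
    """
    if not bool_flag:
        self.acl = []
        return

    role_developer = ProjectRole.by_name('Developer')
    role_creator = self.reported_by.project_role()

    def _allow_all(role, perms):
        # One explicit ALLOW ACE per permission the role currently has.
        return [ACE.allow(role._id, perm) for perm in perms]

    # maintain existing access for developers and the ticket creator,
    # but revoke all access for everyone else
    self.acl = (
        _allow_all(role_developer, security.all_allowed(self, role_developer))
        + _allow_all(role_creator, security.all_allowed(self, role_creator))
        + [DENY_ALL]
    )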
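def test_weird_allow_vs_deny(self):
    '''
    Test weird interaction of DENYs and ALLOWs in has_access.

    Records (rather than endorses) the current behaviour: a DENY of 'read'
    on *authenticated does not revoke 'read' for an authenticated user,
    because the *anonymous role still chains up to an ALLOW and an ALLOW on
    any applicable role wins over a DENY on another.  The test also checks
    that all_allowed reports the same result as has_access in both cases.
    '''
    wiki = c.project.app_instance('wiki')
    page = WM.Page.query.get(app_config_id=wiki.config._id)
    auth_role = M.ProjectRole.by_name('*authenticated')
    test_user = M.User.by_username('test-user')

    def _assert_full_access(obj):
        # test_user can read and post on obj, and all_allowed agrees.
        assert has_access(obj, 'read', test_user)()
        assert has_access(obj, 'post', test_user)()
        assert has_access(obj, 'unmoderated_post', test_user)()
        assert_equal(all_allowed(obj, test_user),
                     {'read', 'post', 'unmoderated_post'})

    # DENY for auth_role on page prevents chaining of auth_role for 'read'
    # but anon_role still chains so ALLOW read for anon_role on wiki applies
    # and authed user can still read. 'post' and 'unmoderated_post' don't
    # match DENY rule so they chain as normal.
    #
    # This behavior seems wrong and should probably be fixed at some point,
    # but this test is here to confirm that all_allowed matches has_access.
    _assert_full_access(page)
    _deny(page, auth_role, 'read')
    _assert_full_access(page)

    # Same thing applies to ALLOW vs DENY on the same ACL;
    # an ALLOW on any applicable role overrides a DENY on any other.
    #
    # In this case it's reasonable since you might want to DENY read for
    # *anon but ALLOW it for *auth. *anon ALLOW overriding *auth DENY is
    # just an unfortunate side-effect of not having a true hierarchy of roles.
    _assert_full_access(wiki)
    _deny(wiki, auth_role, 'read')
    _assert_full_access(wiki)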
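def test_deny_vs_allow(self):
    '''
    Test interaction of DENYs and ALLOWs in has_access.

    Pins the intended semantics: a DENY on a role the user holds blocks that
    permission even when another applicable role (here *anonymous) still
    carries an ALLOW, and an explicit ALLOW on *authenticated does not
    override a DENY on *anonymous.  Permissions not named in the DENY are
    unaffected.
    '''
    wiki = c.project.app_instance('wiki')
    page = WM.Page.query.get(app_config_id=wiki.config._id)
    anon_role = M.ProjectRole.by_name('*anonymous')
    auth_role = M.ProjectRole.by_name('*authenticated')
    test_user = M.User.by_username('test-user')

    # confirm that *anon has expected access
    assert has_access(page, 'read', anon_role)()
    assert has_access(page, 'post', anon_role)()
    assert has_access(page, 'unmoderated_post', anon_role)()
    assert_equal(all_allowed(page, anon_role), {'read'})

    # as well as an authenticated user
    assert has_access(page, 'read', test_user)()
    assert has_access(page, 'post', test_user)()
    assert has_access(page, 'unmoderated_post', test_user)()
    assert_equal(all_allowed(page, test_user),
                 {'read', 'post', 'unmoderated_post'})

    _deny(page, auth_role, 'read')

    # read granted to *anon should *not* bubble up past the *auth DENY
    assert not has_access(page, 'read', test_user)()
    # but other perms should not be affected
    assert has_access(page, 'post', test_user)()
    assert has_access(page, 'unmoderated_post', test_user)()
    # FIXME: all_allowed doesn't respect blocked user feature
    #assert_equal(all_allowed(page, test_user), set(['post', 'unmoderated_post']))

    assert has_access(wiki, 'read', test_user)()
    assert has_access(wiki, 'post', test_user)()
    assert has_access(wiki, 'unmoderated_post', test_user)()
    assert_equal(all_allowed(wiki, test_user),
                 {'read', 'post', 'unmoderated_post'})

    _deny(wiki, anon_role, 'read')
    _allow(wiki, auth_role, 'read')

    # there isn't a true hierarchy of roles, so any applicable DENY
    # will block a user, even if there's an explicit ALLOW "higher up"
    assert not has_access(wiki, 'read', test_user)()
    assert has_access(wiki, 'post', test_user)()
    assert has_access(wiki, 'unmoderated_post', test_user)()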