def testPost_NewUser(self):
with test_utils.RootLogin():
self.DoNewUserPost(
'xyz.com', '*****@*****.**', # gets the uid 'recipient'
perms.Role.DOMAIN_ADMIN)
self.assertEqual({perms.Role.DOMAIN_ADMIN},
perms.GetSubjectsForTarget('xyz.com')['recipient'])
def GetDomainAdmin(self, user, domain): # pylint:disable=unused-argument
"""Displays the administration page for the given domain."""
domain_name = domain
perms.AssertAccess(perms.Role.DOMAIN_ADMIN, domain_name)
domain = domains.Domain.Get(domain_name)
if not domain:
raise base_handler.Error(404, 'Unknown domain %r.' % domain_name)
subject_roles = perms.GetSubjectsForTarget(domain_name)
user_roles = [(users.Get(subj), _MaxRole(r))
for (subj, r) in subject_roles.items()
if perms.IsUserId(subj)]
user_roles.sort(key=lambda (u, r): u.email)
labels = sorted(e.label
for e in model.CatalogEntry.GetAll(domain_name))
self.response.out.write(
self.RenderTemplate(
'admin_domain.html', {
'domain': domain,
'user_roles': user_roles,
'labels': labels,
'domain_role': _MaxRole(
subject_roles.get(domain_name, set())),
'user_permission_choices': DOMAIN_PERMISSION_CHOICES,
'initial_domain_role_choices': INITIAL_DOMAIN_ROLE_CHOICES,
'show_welcome': self.request.get('welcome', '')
}))
def testPost_SetDomainRole(self):
with test_utils.RootLogin():
perms.Grant('xyz.com', perms.Role.DOMAIN_ADMIN, 'xyz.com')
perms.Grant('xyz.com', perms.Role.MAP_CREATOR, 'xyz.com')
self.DoUserPermissionsPost(
'xyz.com', [], domain_role=perms.Role.CATALOG_EDITOR)
self.assertEqual({perms.Role.CATALOG_EDITOR},
perms.GetSubjectsForTarget('xyz.com')['xyz.com'])
def testPost_NewPermissions(self):
with test_utils.RootLogin():
response = self.DoUserPermissionsPost(
'xyz.com', [('insider', 'DOMAIN_ADMIN', False)])
# Should redirect back to the admin page.
self.assertTrue('/root/xyz.com/.admin' in response.headers['Location'])
self.assertEqual({perms.Role.DOMAIN_ADMIN},
perms.GetSubjectsForTarget('xyz.com')['insider'])
def testSetRolesForDomain(self):
# Anyone at xyz.com can create maps on xyz or on abc.com
admin.SetRolesForDomain({'xyz.com': {perms.Role.MAP_CREATOR}}, 'xyz.com')
admin.SetRolesForDomain({'xyz.com': {perms.Role.MAP_CREATOR}}, 'abc.com')
# Anyone at abc.com can create maps and edit the catalog at abc.com
admin.SetRolesForDomain(
{'abc.com': {perms.Role.CATALOG_EDITOR, perms.Role.MAP_CREATOR}},
'abc.com')
# User 1 is a domain admin and catalog editor for xyz.com,
# and a map creator for abc.com
admin.SetRolesForDomain(
{'manager': {perms.Role.DOMAIN_ADMIN, perms.Role.CATALOG_EDITOR}},
'xyz.com')
admin.SetRolesForDomain(
{'manager': {perms.Role.MAP_CREATOR}}, 'abc.com')
# User 2 is a map creator at xyz.com, despite belonging to abc.com
admin.SetRolesForDomain(
{'insider': {perms.Role.MAP_CREATOR}}, 'xyz.com')
# User 3 is a map reviewer at xyz.com
admin.SetRolesForDomain(
{'reviewer': {perms.Role.DOMAIN_REVIEWER}}, 'xyz.com')
self.assertEquals(
{'xyz.com': {perms.Role.MAP_CREATOR},
'manager': {perms.Role.DOMAIN_ADMIN, perms.Role.CATALOG_EDITOR},
'reviewer': {perms.Role.DOMAIN_REVIEWER},
'insider': {perms.Role.MAP_CREATOR},
'outsider': {perms.Role.MAP_CREATOR}},
perms.GetSubjectsForTarget('xyz.com'))
# Revoke DOMAIN_ADMIN from user 'manager'
admin.SetRolesForDomain(
{'manager': {perms.Role.CATALOG_EDITOR}}, 'xyz.com')
self.assertEquals({'xyz.com': {perms.Role.MAP_CREATOR},
'manager': {perms.Role.CATALOG_EDITOR},
'reviewer': {perms.Role.DOMAIN_REVIEWER},
'insider': {perms.Role.MAP_CREATOR},
'outsider': {perms.Role.MAP_CREATOR}},
perms.GetSubjectsForTarget('xyz.com'))
def testPost_MultipleChangesDontInterfere(self):
with test_utils.RootLogin():
# Demote insider to MAP_CREATOR; revoke all permissions for outsider;
# add recipient as a catalog editor
self.DoUserPermissionsPost(
'xyz.com', [('insider', perms.Role.MAP_CREATOR, False),
('outsider', perms.Role.DOMAIN_ADMIN, True)],
new_user=('*****@*****.**', perms.Role.CATALOG_EDITOR),
domain_role=perms.Role.DOMAIN_ADMIN)
new_perms = perms.GetSubjectsForTarget('xyz.com')
self.assertEqual({perms.Role.MAP_CREATOR}, new_perms['insider'])
self.assertNotIn('outsider', new_perms)
self.assertEqual({perms.Role.CATALOG_EDITOR}, new_perms['recipient'])
self.assertEqual({perms.Role.DOMAIN_ADMIN}, new_perms['xyz.com'])
def SetRolesForDomain(subject_roles, domain_name):
"""Gives each user exactly the specified set of roles to the given domain.
Args:
subject_roles: A dictionary mapping subjects (user IDs or domain names)
to sets of perms.Role constants. For each subject, all roles in the
set will be granted, and all roles not in the set will be revoked.
domain_name: A domain name.
"""
# TODO(kpy): Simplify this to take subject_roles in the form {subject: role},
# as this is never called with role sets that have more than one element.
old_subject_roles = perms.GetSubjectsForTarget(domain_name)
for subject, new_roles in subject_roles.items():
old_roles = old_subject_roles.get(subject, set())
for role in old_roles - new_roles:
perms.Revoke(subject, role, domain_name)
for role in new_roles - old_roles:
perms.Grant(subject, role, domain_name)
def testPost_SetDomainRoleNone(self):
with test_utils.RootLogin():
perms.Grant('xyz.com', perms.Role.CATALOG_EDITOR, 'xyz.com')
self.DoUserPermissionsPost('xyz.com', [], domain_role=perms.Role.NONE)
self.assertNotIn('xyz.com', perms.GetSubjectsForTarget('xyz.com'))
def testPost_DeleteUser(self):
with test_utils.RootLogin():
self.DoUserPermissionsPost('xyz.com',
[('outsider', 'DOMAIN_ADMIN', True)])
self.assertNotIn('outsider', perms.GetSubjectsForTarget('xyz.com'))
