Exemplo n.º 1
    def test_user_permissions(self):
        """Check that a user-scoped permission listing shows only that user's grants.

        ``get_object_perms(collection, user1)`` is expected to contain
        ``user1``'s own entry, the entries of groups ``user1`` belongs to and,
        once granted, the public entry. The grant given to ``user2`` and the
        grant of a group ``user1`` has not joined must not appear.
        """
        collection = self.collection
        self.group1.user_set.add(self.user1)

        grants = (
            ("view_collection", self.user1),
            ("edit_collection", self.user1),
            ("view_collection", self.user2),
            ("view_collection", self.group1),
            ("edit_collection", self.group1),
            ("view_collection", self.group2),
        )
        for codename, grantee in grants:
            assign_perm(codename, grantee, collection)

        # user2 and group2 are deliberately absent: neither grant belongs to
        # user1 at this point.
        own_entry = {'permissions': ['edit', 'view'], 'type': 'user', 'id': self.user1.pk, 'name': 'test_user1'}
        group1_entry = {'permissions': ['edit', 'view'], 'type': 'group', 'id': self.group1.pk, 'name': 'Test group 1'}
        expected = [own_entry, group1_entry]
        visible = get_object_perms(collection, self.user1)
        six.assertCountEqual(self, expected, visible)

        # Joining group2 must make its grant visible to user1.
        self.group2.user_set.add(self.user1)
        group2_entry = {'permissions': ['view'], 'type': 'group', 'id': self.group2.pk, 'name': 'Test group 2'}
        expected.append(group2_entry)
        visible = get_object_perms(collection, self.user1)
        six.assertCountEqual(self, expected, visible)

        # A grant to the anonymous user is reported as a 'public' entry.
        assign_perm("view_collection", self.anonymous, collection)
        expected.append({'permissions': ['view'], 'type': 'public'})
        visible = get_object_perms(collection, self.user1)
        six.assertCountEqual(self, expected, visible)
Exemplo n.º 2
    def test_user_permissions(self):
        """Verify the permission listing returned for a single user.

        The listing requested for ``user1`` must hold the user's direct grants
        and the grants of the groups the user is a member of, plus the public
        entry once the anonymous user is granted access. Grants held only by
        ``user2`` or by a group ``user1`` is not in must stay out of it.
        """
        def assert_visible_to_user1(expected):
            # Fetch first, then compare without regard to entry order.
            perms = get_object_perms(self.collection, self.user1)
            six.assertCountEqual(self, expected, perms)

        self.group1.user_set.add(self.user1)

        # Direct user grants.
        assign_perm("view_collection", self.user1, self.collection)
        assign_perm("edit_collection", self.user1, self.collection)
        assign_perm("view_collection", self.user2, self.collection)
        # Group grants; user1 is a member of group1 only.
        assign_perm("view_collection", self.group1, self.collection)
        assign_perm("edit_collection", self.group1, self.collection)
        assign_perm("view_collection", self.group2, self.collection)

        expected_perms = [
            {'permissions': ['edit', 'view'], 'type': 'user', 'id': self.user1.pk, 'name': 'test_user1'},
            {'permissions': ['edit', 'view'], 'type': 'group', 'id': self.group1.pk, 'name': 'Test group 1'},
        ]
        assert_visible_to_user1(expected_perms)

        # Membership in group2 exposes that group's grant.
        self.group2.user_set.add(self.user1)
        expected_perms += [
            {'permissions': ['view'], 'type': 'group', 'id': self.group2.pk, 'name': 'Test group 2'},
        ]
        assert_visible_to_user1(expected_perms)

        # Access granted to the anonymous user shows up as 'public'.
        assign_perm("view_collection", self.anonymous, self.collection)
        expected_perms += [
            {'permissions': ['view'], 'type': 'public'},
        ]
        assert_visible_to_user1(expected_perms)
Exemplo n.º 3
    def test_user_permissions(self):
        """Assert that permissions listed for ``user1`` exclude other principals.

        Three stages are checked: direct and group1 grants only, then the
        group2 grant after ``user1`` joins group2, then the public entry after
        the anonymous user is granted ``view_collection``.
        """
        target = self.collection
        self.group1.user_set.add(self.user1)

        for codename in ("view_collection", "edit_collection"):
            assign_perm(codename, self.user1, target)
        assign_perm("view_collection", self.user2, target)
        for codename in ("view_collection", "edit_collection"):
            assign_perm(codename, self.group1, target)
        assign_perm("view_collection", self.group2, target)

        # Stage 1: user2's grant and group2's grant must not leak into the
        # listing requested for user1.
        expected = [
            {"permissions": ["edit", "view"], "type": "user", "id": self.user1.pk, "name": "test_user1"},
            {"permissions": ["edit", "view"], "type": "group", "id": self.group1.pk, "name": "Test group 1"},
        ]
        actual = get_object_perms(target, self.user1)
        six.assertCountEqual(self, expected, actual)

        # Stage 2: group2 becomes relevant once user1 is a member.
        self.group2.user_set.add(self.user1)
        expected = expected + [
            {"permissions": ["view"], "type": "group", "id": self.group2.pk, "name": "Test group 2"},
        ]
        actual = get_object_perms(target, self.user1)
        six.assertCountEqual(self, expected, actual)

        # Stage 3: the anonymous grant is reported without id or name.
        assign_perm("view_collection", self.anonymous, target)
        expected = expected + [{"permissions": ["view"], "type": "public"}]
        actual = get_object_perms(target, self.user1)
        six.assertCountEqual(self, expected, actual)
Exemplo n.º 4
    def test_all_permissions(self):
        """Check the full permission listing of an object.

        Called without a user, ``get_object_perms`` is expected to start empty
        and then report every user, group and public grant as they are added.
        """
        def assert_listing(expected):
            # Both sides go through ``_sort_perms`` before comparison
            # (presumably to normalise ordering; the helper is not shown here).
            perms = get_object_perms(self.collection)
            self.assertCountEqual(self._sort_perms(expected), self._sort_perms(perms))

        self.group1.user_set.add(self.user1)

        # Group membership alone grants nothing on the collection.
        perms = get_object_perms(self.collection)
        self.assertEqual(len(perms), 0)

        for codename, user in (
            ("view_collection", self.user1),
            ("edit_collection", self.user1),
            ("view_collection", self.user2),
        ):
            assign_perm(codename, user, self.collection)
        expected_perms = [
            {'permissions': ['edit', 'view'], 'type': 'user', 'id': self.user1.pk, 'name': 'test_user1'},
            {'permissions': ['view'], 'type': 'user', 'id': self.user2.pk, 'name': 'test_user2'},
        ]
        assert_listing(expected_perms)

        for codename, group in (
            ("view_collection", self.group1),
            ("edit_collection", self.group1),
            ("view_collection", self.group2),
        ):
            assign_perm(codename, group, self.collection)
        expected_perms.append(
            {'permissions': ['edit', 'view'], 'type': 'group', 'id': self.group1.pk, 'name': 'Test group 1'})
        expected_perms.append(
            {'permissions': ['view'], 'type': 'group', 'id': self.group2.pk, 'name': 'Test group 2'})
        assert_listing(expected_perms)

        # The anonymous user's grant is listed as a 'public' entry.
        assign_perm("view_collection", self.anonymous, self.collection)
        expected_perms.append({'permissions': ['view'], 'type': 'public'})
        assert_listing(expected_perms)
Exemplo n.º 5
    def test_all_permissions(self):
        """Verify that the unscoped listing reports every grant on the object.

        The listing is checked when empty, after user grants, after group
        grants and after a grant to the anonymous user.
        """
        collection = self.collection
        self.group1.user_set.add(self.user1)

        perms = get_object_perms(collection)
        self.assertEqual(len(perms), 0)

        assign_perm("view_collection", self.user1, collection)
        assign_perm("edit_collection", self.user1, collection)
        assign_perm("view_collection", self.user2, collection)
        # NOTE(review): the "******" username values look like masked
        # placeholders rather than real fixture usernames - confirm against
        # the test's setUp before relying on them.
        user1_entry = {
            "permissions": ["edit", "view"],
            "type": "user",
            "id": self.user1.pk,
            "name": "test_user1",
            "username": "******",
        }
        user2_entry = {
            "permissions": ["view"],
            "type": "user",
            "id": self.user2.pk,
            "name": "test_user2",
            "username": "******",
        }
        expected_perms = [user1_entry, user2_entry]
        perms = get_object_perms(collection)
        self.assertCountEqual(self._sort_perms(expected_perms),
                              self._sort_perms(perms))

        assign_perm("view_collection", self.group1, collection)
        assign_perm("edit_collection", self.group1, collection)
        assign_perm("view_collection", self.group2, collection)
        group1_entry = {
            "permissions": ["edit", "view"],
            "type": "group",
            "id": self.group1.pk,
            "name": "Test group 1",
        }
        group2_entry = {
            "permissions": ["view"],
            "type": "group",
            "id": self.group2.pk,
            "name": "Test group 2",
        }
        expected_perms += [group1_entry, group2_entry]
        perms = get_object_perms(collection)
        self.assertCountEqual(self._sort_perms(expected_perms),
                              self._sort_perms(perms))

        # Anonymous access is expected as a 'public' entry without id or name.
        assign_perm("view_collection", self.anonymous, collection)
        public_entry = {"permissions": ["view"], "type": "public"}
        expected_perms.append(public_entry)
        perms = get_object_perms(collection)
        self.assertCountEqual(self._sort_perms(expected_perms),
                              self._sort_perms(perms))
Exemplo n.º 6
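    def detail_permissions(self, request, pk=None):
        """Get or set permissions API endpoint.

        On ``POST`` the payload is passed through ``check_owner_permission``,
        ``check_public_permissions`` and ``check_user_permissions`` before
        ``update_permission`` runs inside a transaction. The transaction is
        aborted with ``ParseError`` when the update would leave the object
        without an owner. Every request is answered with the object's current
        permission listing.

        Raises ``exceptions.ParseError`` when ``share_content`` is not a
        boolean value or when no owner would remain.
        """
        obj = self.get_object()

        if request.method == 'POST':
            content_type = ContentType.objects.get_for_model(obj)
            payload = request.data
            # 'share_content' is client-controlled. A JSON boolean or an
            # unrecognised string previously escaped as an unhandled exception
            # (assuming a distutils-style ``strtobool``); report it as a
            # malformed request instead.
            raw_share_content = payload.pop('share_content', 'false')
            if isinstance(raw_share_content, bool):
                share_content = raw_share_content
            else:
                try:
                    share_content = strtobool(raw_share_content)
                except (AttributeError, ValueError):
                    raise exceptions.ParseError(
                        "'share_content' must be a boolean value.")
            user = request.user
            # NOTE(review): the permission name is built from
            # str(content_type); confirm it still yields the expected
            # codename on the Django version in use.
            is_owner = user.has_perm('owner_{}'.format(content_type), obj=obj)

            # Only owners and superusers may change owner grants.
            allow_owner = is_owner or user.is_superuser
            check_owner_permission(payload, allow_owner)
            check_public_permissions(payload)
            check_user_permissions(payload, request.user.pk)

            with transaction.atomic():
                update_permission(obj, payload)

                owner_count = UserObjectPermission.objects.filter(
                    object_pk=obj.id,
                    content_type=content_type,
                    permission__codename__startswith='owner_'
                ).count()

                # Raising inside the atomic block rolls the update back, so
                # an object can never be left without an owner.
                if not owner_count:
                    raise exceptions.ParseError('Object must have at least one owner.')

            # NOTE(review): this runs after the transaction has committed, so
            # a failure here leaves the object's own permissions already
            # changed - confirm that is intended.
            if share_content:
                self.set_content_permissions(user, obj, payload)

        return Response(get_object_perms(obj))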
Exemplo n.º 7
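    def detail_permissions(self, request, pk=None):
        """Get or set permissions API endpoint.

        A ``POST`` validates the payload with the three ``check_*`` helpers,
        applies it with ``update_permission`` inside a transaction and rejects
        the change when no owner grant remains. The response always carries
        ``get_object_perms(obj)``.

        Raises ``exceptions.ParseError`` for a non-boolean ``share_content``
        value and when the object would end up without an owner.
        """
        obj = self.get_object()

        if request.method == 'POST':
            content_type = ContentType.objects.get_for_model(obj)
            payload = request.data
            # The flag comes straight from the client: accept real booleans
            # and turn anything ``strtobool`` cannot parse into a 400-style
            # ParseError instead of an unhandled exception (assumes a
            # distutils-style ``strtobool`` - TODO confirm).
            share_flag = payload.pop('share_content', 'false')
            if isinstance(share_flag, bool):
                share_content = share_flag
            else:
                try:
                    share_content = strtobool(share_flag)
                except (AttributeError, ValueError):
                    raise exceptions.ParseError(
                        "'share_content' must be a boolean value.")
            user = request.user
            # NOTE(review): relies on str(content_type) matching the suffix
            # of the owner permission codename - verify for the Django
            # version in use.
            is_owner = user.has_perm('owner_{}'.format(content_type), obj=obj)

            # Owner grants may only be changed by owners and superusers.
            allow_owner = is_owner or user.is_superuser
            check_owner_permission(payload, allow_owner)
            check_public_permissions(payload)
            check_user_permissions(payload, request.user.pk)

            with transaction.atomic():
                update_permission(obj, payload)

                owner_count = UserObjectPermission.objects.filter(
                    object_pk=obj.id,
                    content_type=content_type,
                    permission__codename__startswith='owner_').count()

                # The exception leaves the atomic block, undoing the update.
                if not owner_count:
                    raise exceptions.ParseError(
                        'Object must have at least one owner.')

            # NOTE(review): propagation to contained objects happens outside
            # the transaction above; a failure here does not undo the change
            # on ``obj`` - confirm that is acceptable.
            if share_content:
                self.set_content_permissions(user, obj, payload)

        return Response(get_object_perms(obj))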
Exemplo n.º 8
 def to_representation(serializer_self, instance):  # pylint: disable=no-self-argument
     """Serialize ``instance`` and attach the requesting user's permissions."""
     # ``self`` is not a parameter of this function; it is taken from an
     # enclosing scope (presumably the view that builds this serializer).
     # TODO: These permissions queries may be expensive. Should we limit or optimize this?
     parent = super(SerializerWithPermissions, serializer_self)
     representation = parent.to_representation(instance)
     requesting_user = self.request.user
     representation['current_user_permissions'] = get_object_perms(
         instance, requesting_user)
     return representation
Exemplo n.º 9
            def to_representation(serializer_self, instance):  # pylint: disable=no-self-argument
                """Serialize ``instance``, adding the caller's permissions when requested.

                The ``current_user_permissions`` key is added when the request
                has no ``fields`` query parameter or when that parameter
                contains ``current_user_permissions``.
                """
                data = super().to_representation(instance)

                # ``self`` comes from the enclosing scope, not from this
                # function's parameters.
                query_params = self.request.query_params
                # NOTE(review): if query_params['fields'] is a plain string,
                # ``in`` is a substring test, not an exact field-name match -
                # confirm.
                wants_permissions = (
                    'fields' not in query_params
                    or 'current_user_permissions' in query_params['fields']
                )
                if wants_permissions:
                    data['current_user_permissions'] = get_object_perms(instance, self.request.user)

                return data
Exemplo n.º 10
 def to_representation(serializer_self, instance: models.Model):
     """Serialize ``instance`` and optionally attach the caller's permissions.

     Permissions are skipped only when a ``fields`` query parameter is given
     and it does not contain ``current_user_permissions``.
     """
     data = super().to_representation(instance)
     # ``self`` is resolved from the enclosing scope.
     params = self.request.query_params
     if "fields" in params and "current_user_permissions" not in params["fields"]:
         return data
     # The third positional argument is passed as ``True``; its meaning is
     # defined by get_object_perms, which is not shown here.
     data["current_user_permissions"] = get_object_perms(
         instance, self.request.user, True)
     return data
Exemplo n.º 11
            def to_representation(serializer_self, instance):  # pylint: disable=no-self-argument
                """Serialize ``instance`` and add ``current_user_permissions`` on demand.

                Without a ``fields`` query parameter the permissions are always
                included; with one, only when it contains
                ``current_user_permissions``.
                """
                data = super().to_representation(instance)

                # ``self`` is a name from the enclosing scope, not a parameter.
                requested = self.request.query_params
                include_permissions = True
                if 'fields' in requested:
                    # NOTE(review): a substring test if the value is a plain
                    # string - confirm the expected type of 'fields'.
                    include_permissions = (
                        'current_user_permissions' in requested['fields'])

                if include_permissions:
                    data['current_user_permissions'] = get_object_perms(
                        instance, self.request.user)

                return data
Exemplo n.º 12
    def detail_permissions(self, request, pk=None):
        """API endpoint to get/set permissions.

        On ``POST`` the submitted data is passed through the ``_filter_*``
        helpers and then applied with ``_update_permission``. The response is
        always the object's permission listing.
        """
        obj = self.get_object()

        if request.method == 'POST':
            requester = request.user
            payload = request.data
            # NOTE(review): the permission name is built from
            # str(content_type) - confirm it matches the owner codename on
            # the Django version in use.
            owner_perm = 'owner_{}'.format(ContentType.objects.get_for_model(obj))

            # Only owners and superusers skip the owner-permission filter.
            may_manage_owners = requester.has_perm(owner_perm, obj=obj) or requester.is_superuser
            if not may_manage_owners:
                self._filter_owner_permission(payload)
            self._filter_public_permissions(payload)
            self._filter_user_permissions(payload, requester.pk)

            # NOTE(review): no transaction and no remaining-owner check are
            # visible in this method - confirm _update_permission covers both.
            self._update_permission(obj, payload)

        return Response(get_object_perms(obj))
Exemplo n.º 13
    def detail_permissions(self, request, pk=None):
        """Get or set permissions API endpoint.

        Any method other than ``POST`` only returns the permission listing. A
        ``POST`` first runs the payload through the ``_filter_*`` helpers,
        applies it, and then returns the listing.
        """
        obj = self.get_object()

        if request.method != 'POST':
            return Response(get_object_perms(obj))

        content_type = ContentType.objects.get_for_model(obj)
        # NOTE(review): depends on str(content_type) producing the suffix of
        # the owner permission codename - verify.
        owner_perm = 'owner_{}'.format(content_type)

        is_owner_or_superuser = (
            request.user.has_perm(owner_perm, obj=obj)
            or request.user.is_superuser)
        if not is_owner_or_superuser:
            # Non-owners get the owner filter applied to their payload (what
            # it removes is defined by the helper, not shown here).
            self._filter_owner_permission(request.data)
        self._filter_public_permissions(request.data)
        self._filter_user_permissions(request.data, request.user.pk)

        # NOTE(review): the update is not wrapped in a transaction here and
        # nothing in this method checks that an owner remains - confirm.
        self._update_permission(obj, request.data)

        return Response(get_object_perms(obj))
Exemplo n.º 14
    def detail_permissions(self, request: Request, pk=None) -> Response:
        """Get or set permissions API endpoint.

        Reads and writes are both recorded through the audit manager. A
        ``POST`` is validated, applied inside a transaction and rejected with
        ``ParseError`` when no user would remain as owner.
        """
        # The view's queryset prefetches permissions for the current user
        # only, so obj.permission_group.permissions initially reflects just
        # that user. The full set is loaded from the database only when the
        # user holds SHARE permission on the object; otherwise only the
        # user's own permissions must be returned.
        obj = self.get_object()
        requester = request.user

        if obj.has_permission(Permission.SHARE, requester):
            obj.refresh_from_db()

        audit = AuditManager.global_instance()

        if request.method != "POST":
            audit.log_message("Permissions read: %s", request.data)
            return Response(get_object_perms(obj))

        # NOTE(review): this entry is written before validation and before
        # the update, so it is also recorded for requests that are rejected
        # below; the raw payload is logged as-is.
        audit.log_message("Permissions updated: %s", request.data)
        may_manage_owners = obj.is_owner(requester) or requester.is_superuser
        check_owner_permission(request.data, may_manage_owners, obj)
        check_public_permissions(request.data)
        check_user_permissions(request.data, requester.pk)

        with transaction.atomic():
            update_permission(obj, request.data)
            remaining_owners = obj.permission_group.permissions.filter(
                value=Permission.OWNER.value, user__isnull=False).count()

            # Raising inside the atomic block rolls the update back.
            if not remaining_owners:
                raise exceptions.ParseError(
                    "Object must have at least one owner.")

        return Response(get_object_perms(obj))
Exemplo n.º 15
 def to_representation(serializer_self, instance):  # pylint: disable=no-self-argument
     """Serialize ``instance`` and add the requesting user's permissions under ``permissions``."""
     # ``self`` is taken from an enclosing scope, not from the parameters.
     # TODO: These permissions queries may be expensive. Should we limit or optimize this?
     base = super(SerializerWithPermissions, serializer_self)
     serialized = base.to_representation(instance)
     current_user = self.request.user
     serialized['permissions'] = get_object_perms(instance, current_user)
     return serialized