def test_removeRoleFromPrincipal_existing(self): root = FauxPAS() zrm = self._makeOne(id='remove_existing').__of__(root) zrm.addRole('test') zrm.assignRoleToPrincipal('test', 'foo') zrm.assignRoleToPrincipal('test', 'bar') zrm.assignRoleToPrincipal('test', 'baz') assigned = [x[0] for x in zrm.listAssignedPrincipals('test')] self.assertEqual(len(assigned), 3) self.failUnless('foo' in assigned) self.failUnless('bar' in assigned) self.failUnless('baz' in assigned) removed = zrm.removeRoleFromPrincipal('test', 'bar') self.failUnless(removed) assigned = [x[0] for x in zrm.listAssignedPrincipals('test')] self.assertEqual(len(assigned), 2) self.failUnless('foo' in assigned) self.failIf('bar' in assigned) self.failUnless('baz' in assigned)
def test_manage_removeRoles_POST_permissions(self): ROLE_ID = 'myrole' root = FauxPAS() zrm = self._makeOne(id='remove_existing').__of__(root) zrm = self._makeOne() zrm.addRole(ROLE_ID) req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') req.set('SESSION', {}) self.assertRaises(Forbidden, zrm.manage_removeRoles, [ROLE_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') self.assertRaises(Forbidden, zrm.manage_removeRoles, [ROLE_ID], RESPONSE=res, REQUEST=req) req.form['csrf_token'] = 'deadbeef' req.SESSION['_csrft_'] = 'deadbeef' zrm.manage_removeRoles([ROLE_ID], RESPONSE=res, REQUEST=req)
def test_roles_for_control_panel(self): """There's a special case, the users control panel for which we should never grant to users the roles they have got through the groups they belong. In that intent, the control panels view pushes '__ignore_group_roles__' = True in the request. """ root = FauxPAS() # Add a minimal PluginRegistry with a mock IGroupsPlugin, because the # roles plugin depends on it: root._setObject('plugins', PluginRegistry(_PLUGIN_TYPE_INFO)) root._setObject('groups', FauxGroupsPlugin()) root['plugins'].activatePlugin(IGroupsPlugin, 'groups') garm = self._makeOne('garm').__of__(root) # 2 roles garm.addRole('foo_role') garm.addRole('bar_role') # Group 'somegroup' has 'bar_role' garm.assignRoleToPrincipal('bar_role', 'somegroup') # 'johndoe' has 'foo_role' johndoe = DummyUser('johndoe', ('somegroup',)) garm.assignRoleToPrincipal('foo_role', 'johndoe') # 'johndoe' should have 'foo_role' and 'bar_roles' got = garm.getRolesForPrincipal(johndoe) expected = ['foo_role', 'bar_role'] self.assertEqual(set(got), set(expected)) # For the users control panel, johndoe has only the 'foo_role' garm.REQUEST.set('__ignore_group_roles__', True) got = garm.getRolesForPrincipal(johndoe) self.assertEqual(got, ('foo_role',)) # Confirm we can get only the inherited roles garm.REQUEST.set('__ignore_group_roles__', False) garm.REQUEST.set('__ignore_direct_roles__', True) got = garm.getRolesForPrincipal(johndoe) self.assertEqual(got, ('bar_role',)) return
def test_assignRoleToPrincipal_already(self): root = FauxPAS() zrm = self._makeOne(id='assign_already').__of__(root) zrm.addRole('test') zrm.assignRoleToPrincipal('test', 'foo') new = zrm.assignRoleToPrincipal('test', 'foo') self.failIf(new) assigned = [x[0] for x in zrm.listAssignedPrincipals('test')] self.assertEqual(len(assigned), 1) self.assertEqual(assigned[0], 'foo')
def test_removeRole_POST_permissions(self): ROLE_ID = 'myrole' root = FauxPAS() zrm = self._makeOne(id='remove_existing').__of__(root) zrm = self._makeOne() zrm.addRole(ROLE_ID) req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') self.assertRaises(Forbidden, zrm.removeRole, ROLE_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') zrm.removeRole(ROLE_ID, REQUEST=req)
def test_removeRoleFromPrincipal_noop(self): root = FauxPAS() zrm = self._makeOne(id='remove_noop').__of__(root) zrm.addRole('test') zrm.assignRoleToPrincipal('test', 'foo') zrm.assignRoleToPrincipal('test', 'baz') assigned = [x[0] for x in zrm.listAssignedPrincipals('test')] self.assertEqual(len(assigned), 2) self.assertTrue('foo' in assigned) self.assertTrue('baz' in assigned) removed = zrm.removeRoleFromPrincipal('test', 'bar') self.assertFalse(removed)
def test_multiplePrincipalsPerGroup(self): pas = FauxPAS() zgm = self._makeOne().__of__(pas) zgm.addGroup('group1') zgm.addGroup('group2') user1 = DummyUser('userid1') user2 = DummyUser('userid2') zgm.addPrincipalToGroup(user1.getId(), 'group1') zgm.addPrincipalToGroup(user1.getId(), 'group2') zgm.addPrincipalToGroup(user2.getId(), 'group2') group_ids = zgm.listGroupIds() self.assertEqual(len(group_ids), 2) principals = zgm.listAssignedPrincipals('group2') self.assertEqual(principals, [('userid1', 'userid1'), ('userid2', 'userid2')])
def test_manage_removeRoleFromPricipal_POS_permissionsT(self): USER_ID = 'testuser' ROLE_ID = 'myrole' root = FauxPAS() zrm = self._makeOne(id='remove_existing').__of__(root) zrm = self._makeOne() zrm.addRole(ROLE_ID) req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') self.assertRaises(Forbidden, zrm.manage_removeRoleFromPrincipals, ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') zrm.manage_removeRoleFromPrincipals(ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req)
def test_assignRoleToPrincipal_POST_permissions(self): USER_ID = 'testuser' ROLE_ID = 'myrole' root = FauxPAS() zrm = self._makeOne(id='remove_existing').__of__(root) zrm = self._makeOne() zrm.addRole(ROLE_ID) req, res = makeRequestAndResponse() # Fails with a GET req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') self.assertRaises(Forbidden, zrm.assignRoleToPrincipal, ROLE_ID, USER_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') zrm.assignRoleToPrincipal(ROLE_ID, USER_ID, REQUEST=req)
def test_roles_for_control_panel(self): """There's a special case, the users control panel for which we should never grant to users the roles they have got through the groups they belong. In that intent, the control panels view pushes '__ignore_group_roles__' = True in the request. """ root = FauxPAS() # Add a minimal PluginRegistry with a mock IGroupsPlugin, because the # roles plugin depends on it: root._setObject('plugins', PluginRegistry(_PLUGIN_TYPE_INFO)) root._setObject('groups', FauxGroupsPlugin()) root['plugins'].activatePlugin(IGroupsPlugin, 'groups') garm = self._makeOne('garm').__of__(root) # 2 roles garm.addRole('foo_role') garm.addRole('bar_role') # Group 'somegroup' has 'bar_role' garm.assignRoleToPrincipal('bar_role', 'somegroup') # 'johndoe' has 'foo_role' johndoe = DummyUser('johndoe', ('somegroup', )) garm.assignRoleToPrincipal('foo_role', 'johndoe') # 'johndoe' should have 'foo_role' and 'bar_roles' got = garm.getRolesForPrincipal(johndoe) expected = ['foo_role', 'bar_role'] self.assertEqual(set(got), set(expected)) # For the users control panel, johndoe has only the 'foo_role' garm.REQUEST.set('__ignore_group_roles__', True) got = garm.getRolesForPrincipal(johndoe) self.assertEqual(got, ('foo_role', )) # Confirm we can get only the inherited roles garm.REQUEST.set('__ignore_group_roles__', False) garm.REQUEST.set('__ignore_direct_roles__', True) got = garm.getRolesForPrincipal(johndoe) self.assertEqual(got, ('bar_role', )) return
def testPOSTProtections(self): from zExceptions import Forbidden USER_ID = 'testuser' ROLE_ID = 'myrole' root = FauxPAS() zrm = self._makeOne(id='remove_existing').__of__(root) zrm = self._makeOne() zrm.addRole(ROLE_ID) user = DummyUser(USER_ID) req, res = makeRequestAndResponse() # Fails with a GET # test assignRoleToPrincipal req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.assignRoleToPrincipal, ROLE_ID, USER_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') zrm.assignRoleToPrincipal(ROLE_ID, USER_ID, REQUEST=req) # test removeRoleFromPricipal req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.removeRoleFromPrincipal, ROLE_ID, USER_ID, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.removeRoleFromPrincipal(ROLE_ID, USER_ID, REQUEST=req) # test removeRole req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.removeRole, ROLE_ID, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.removeRole(ROLE_ID, REQUEST=req) # Readd the role for the manage_* methods zrm.addRole(ROLE_ID) # test manage_assignRoleToPrincipal req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.manage_assignRoleToPrincipals, ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.manage_assignRoleToPrincipals(ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) # test manage_removeRoleFromPricipal req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.manage_removeRoleFromPrincipals, ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.manage_removeRoleFromPrincipals(ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) # test manage_removeRoles req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.manage_removeRoles, [ROLE_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.manage_removeRoles([ROLE_ID], RESPONSE=res, REQUEST=req)