def test_ActionSharing(self):
parent = BaseNode(name='root')
model = parent['model'] = BaseNode()
request = self.layer.new_request()
action = ActionSharing()
self.assertFalse(IPrincipalACL.providedBy(model))
self.assertEqual(action(model, request), u'')
sharingmodel = parent['sharingmodel'] = SharingNode()
self.assertTrue(IPrincipalACL.providedBy(sharingmodel))
self.assertEqual(action(sharingmodel, request), u'')
with self.layer.authenticated('editor'):
rule = request.has_permission('manage_permissions', sharingmodel)
self.assertTrue(isinstance(rule, ACLDenied))
self.assertEqual(action(sharingmodel, request), u'')
with self.layer.authenticated('manager'):
rule = request.has_permission('manage_permissions', sharingmodel)
self.assertTrue(isinstance(rule, ACLAllowed))
rendered = action(sharingmodel, request)
self.checkOutput(
"""
...<a
id="toolbaraction-share"
href="http://example.com/root/sharingmodel/sharing"
ajax:bind="click"
ajax:target="http://example.com/root/sharingmodel"
ajax:action="sharing:#content:inner"
ajax:path="href"
><span class="glyphicon glyphicon-share"></span
> Sharing</a>...
""", rendered)
def aggregated_roles(self):
aggregated = dict()
model = self
while model:
if not IPrincipalACL.providedBy(model):
model = model.parent
continue
for id, roles in model.principal_roles.items():
if aggregated.get(id):
aggregated[id].update(roles)
else:
aggregated[id] = set(roles)
model = model.parent
return aggregated
def aggregated_roles(self):
aggregated = dict()
model = self
while model:
if not IPrincipalACL.providedBy(model):
model = model.parent
continue
for id, roles in model.principal_roles.items():
if aggregated.get(id):
aggregated[id].update(roles)
else:
aggregated[id] = set(roles)
model = model.parent
return aggregated
def display(self):
return IPrincipalACL.providedBy(self.model) \
and self.permitted('manage_permissions')
def test_PrincipalACL(self):
# PrincipalACL is an abstract class. Directly use causes an error
@plumbing(PrincipalACL)
class PrincipalACLNode(BaseNode):
pass
node = PrincipalACLNode()
err = self.expect_error(NotImplementedError, lambda: node.__acl__)
expected = (
'Abstract ``PrincipalACL`` does not implement ``principal_roles``.'
)
self.assertEqual(str(err), expected)
# Concrete PrincipalACL implementation. Implements principal_roles
# property
class MyPrincipalACL(PrincipalACL):
@default
@instance_property
def principal_roles(self):
return dict()
@plumbing(MyPrincipalACL)
class MyPrincipalACLNode(BaseNode):
pass
node = MyPrincipalACLNode()
self.assertTrue(IPrincipalACL.providedBy(node))
node.principal_roles['someuser'] = ['manager']
node.principal_roles['otheruser'] = ['editor']
node.principal_roles['group:some_group'] = ['editor', 'manager']
def find_rule(acl, who):
for rule in acl:
if rule[1] == who:
return rule
rule = find_rule(node.__acl__, 'someuser')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'someuser')
self.assertEqual(sorted(rule[2]), sorted([
'cut', 'edit', 'copy', 'manage', 'list', 'add', 'change_state',
'view', 'paste', 'manage_permissions', 'delete'
]))
rule = find_rule(node.__acl__, 'otheruser')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'otheruser')
self.assertEqual(sorted(rule[2]), sorted([
'edit', 'add', 'list', 'view'
]))
rule = find_rule(node.__acl__, 'group:some_group')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'group:some_group')
self.assertEqual(sorted(rule[2]), sorted([
'cut', 'edit', 'copy', 'manage', 'list', 'add', 'change_state',
'view', 'paste', 'manage_permissions', 'delete'
]))
rule = find_rule(node.__acl__, 'system.Authenticated')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'system.Authenticated')
self.assertEqual(rule[2], ['view'])
rule = find_rule(node.__acl__, 'role:viewer')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'role:viewer')
self.assertEqual(sorted(rule[2]), sorted(['view', 'list']))
rule = node.__acl__[-1]
self.assertEqual(rule[0], 'Deny')
self.assertEqual(rule[1], 'system.Everyone')
self.assertEqual(rule[2], ALL_PERMISSIONS)
# PrincipalACL role inheritance
child = node['child'] = MyPrincipalACLNode()
child.principal_roles['someuser'] = ['editor']
rule = find_rule(child.__acl__, 'someuser')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'someuser')
self.assertEqual(sorted(rule[2]), sorted([
'edit', 'add', 'list', 'view'
]))
rule = find_rule(child.__acl__, 'system.Authenticated')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'system.Authenticated')
self.assertEqual(rule[2], ['view'])
rule = find_rule(child.__acl__, 'role:viewer')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'role:viewer')
self.assertEqual(sorted(rule[2]), sorted(['view', 'list']))
rule = child.__acl__[-1]
self.assertEqual(rule[0], 'Deny')
self.assertEqual(rule[1], 'system.Everyone')
self.assertEqual(rule[2], ALL_PERMISSIONS)
subchild = child['child'] = MyPrincipalACLNode()
subchild.role_inheritance = True
subchild.principal_roles['otheruser'] = ['admin']
self.assertEqual(subchild.aggregated_roles_for('inexistent'), [])
self.assertEqual(
sorted(subchild.aggregated_roles_for('someuser')),
sorted(['manager', 'editor'])
)
self.assertEqual(
sorted(subchild.aggregated_roles_for('otheruser')),
sorted(['admin', 'editor'])
)
rule = find_rule(subchild.__acl__, 'someuser')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'someuser')
self.assertEqual(sorted(rule[2]), sorted([
'cut', 'edit', 'copy', 'manage', 'list', 'add', 'change_state',
'view', 'paste', 'manage_permissions', 'delete'
]))
rule = find_rule(subchild.__acl__, 'otheruser')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'otheruser')
self.assertEqual(sorted(rule[2]), sorted([
'cut', 'edit', 'copy', 'list', 'add', 'change_state', 'view',
'paste', 'manage_permissions', 'delete'
]))
rule = find_rule(subchild.__acl__, 'group:some_group')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'group:some_group')
self.assertEqual(sorted(rule[2]), sorted([
'cut', 'edit', 'copy', 'manage', 'list', 'add', 'change_state',
'view', 'paste', 'manage_permissions', 'delete'
]))
rule = find_rule(subchild.__acl__, 'system.Authenticated')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'system.Authenticated')
self.assertEqual(rule[2], ['view'])
rule = subchild.__acl__[-1]
self.assertEqual(rule[0], 'Deny')
self.assertEqual(rule[1], 'system.Everyone')
self.assertEqual(rule[2], ALL_PERMISSIONS)
# Principal roles get inherited even if some parent does not provide
# principal roles
child = node['no_principal_roles'] = BaseNode()
subchild = child['no_principal_roles'] = MyPrincipalACLNode()
self.assertEqual(
sorted(subchild.aggregated_roles_for('group:some_group')),
sorted(['manager', 'editor'])
)
# If principal role found which is not provided by plumbing endpoint
# acl, this role does not grant any permissions
node = MyPrincipalACLNode()
node.principal_roles['someuser'] = ['inexistent_role']
rule = find_rule(node.__acl__, 'someuser')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'someuser')
self.assertEqual(rule[2], [])
rule = find_rule(node.__acl__, 'system.Authenticated')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'system.Authenticated')
self.assertEqual(rule[2], ['view'])
rule = find_rule(node.__acl__, 'role:viewer')
self.assertEqual(rule[0], 'Allow')
self.assertEqual(rule[1], 'role:viewer')
self.assertEqual(sorted(rule[2]), sorted(['view', 'list']))
rule = node.__acl__[-1]
self.assertEqual(rule[0], 'Deny')
self.assertEqual(rule[1], 'system.Everyone')
self.assertEqual(rule[2], ALL_PERMISSIONS)
self.assertEqual(
node.__acl__[-1],
('Deny', 'system.Everyone', ALL_PERMISSIONS)
)
def display(self):
return IPrincipalACL.providedBy(self.model) \
and self.permitted('manage_permissions')
