def test_clean_perms_command(self):
"""
Same test as the one above but rather function directly, we call
management command instead.
"""
# assign obj perms
target_perms = {
self.target_user1: ["change_%s" % user_module_name],
self.target_group1: ["delete_group"],
self.target_obj1: ["change_contenttype", "delete_contenttype"],
self.target_obj2: ["change_contenttype"],
}
for target, perms in target_perms.items():
target.__old_pk = target.pk # Store pkeys
for perm in perms:
assign_perm(perm, self.user, target)
# Remove targets
for target, perms in target_perms.items():
target.delete()
# Clean orphans
call_command("clean_orphan_obj_perms", verbosity=0)
# Recreate targets and check if user has no permissions
for target, perms in target_perms.items():
target.pk = target.__old_pk
target.save()
for perm in perms:
self.assertFalse(self.user.has_perm(perm, target))
def test_remove_perm(self):
assign_perm('contenttypes.change_contenttype', self.user, self.ctype)
self.assertTrue(
self.user.has_perm('contenttypes.change_contenttype', self.ctype))
remove_perm('contenttypes.change_contenttype', self.user, self.ctype)
self.assertFalse(
self.user.has_perm('contenttypes.change_contenttype', self.ctype))
def test_group_assign_perm(self):
assign_perm("change_contenttype", self.group, self.ctype)
assign_perm("delete_contenttype", self.group, self.ctype)
check = ObjectPermissionChecker(self.group)
self.assertTrue(check.has_perm("change_contenttype", self.ctype))
self.assertTrue(check.has_perm("delete_contenttype", self.ctype))
def test_has_global_permission_and_object_based_permission_any_perm(self):
assign_perm('contenttypes.change_contenttype', self.group1)
assign_perm('contenttypes.delete_contenttype', self.group1, self.obj1)
objects = get_objects_for_group(self.group1, ['contenttypes.change_contenttype', 'contenttypes.delete_contenttype'], any_perm=True)
self.assertEquals(set(objects),
set(ContentType.objects.all()))
def save(self, *args, **kwargs):
""" Override save method to enable setting of permissions for retina users """
created = self._state.adding
super().save(*args, **kwargs)
if not created:
return
if (
self.annotation_set.grader.groups.filter(
name=settings.RETINA_GRADERS_GROUP_NAME
).exists()
or self.annotation_set.grader.groups.filter(
name=settings.RETINA_ADMINS_GROUP_NAME
).exists()
):
model_name = self._meta.model_name
admins_group = Group.objects.get(
name=settings.RETINA_ADMINS_GROUP_NAME
)
for permission_type in self._meta.default_permissions:
permission_name = f"{permission_type}_{model_name}"
assign_perm(permission_name, self.annotation_set.grader, self)
assign_perm(permission_name, admins_group, self)
def test_without_group_users_no_result(self):
self.user1.groups.add(self.group1)
assign_perm("change_contenttype", self.group1, self.obj1)
result = get_users_with_perms(self.obj1, attach_perms=True,
with_group_users=False)
expected = {}
self.assertEqual(result, expected)
def test_perms_single(self):
perm = 'contenttypes.change_contenttype'
assign_perm(perm, self.group1, self.obj1)
self.assertEqual(
set(get_objects_for_group(self.group1, perm)),
set(get_objects_for_group(self.group1, [perm]))
)
def test_group_remove_perm(self):
# assign perm first
assign_perm("change_contenttype", self.group, self.ctype)
remove_perm("change_contenttype", self.group, self.ctype)
check = ObjectPermissionChecker(self.group)
self.assertFalse(check.has_perm("change_contenttype", self.ctype))
def test_attach_perms(self):
self.user1.groups.add(self.group1)
self.user2.groups.add(self.group2)
self.user3.groups.add(self.group3)
assign_perm("change_contenttype", self.group1, self.obj1)
assign_perm("change_contenttype", self.group2, self.obj1)
assign_perm("delete_contenttype", self.group3, self.obj2)
assign_perm("delete_contenttype", self.user2, self.obj1)
assign_perm("change_contenttype", self.user3, self.obj2)
# Check contenttype1
result = get_users_with_perms(self.obj1, attach_perms=True)
expected = {
self.user1: ["change_contenttype"],
self.user2: ["change_contenttype", "delete_contenttype"],
}
self.assertEqual(result.keys(), expected.keys())
for key, perms in result.items():
self.assertEqual(set(perms), set(expected[key]))
# Check contenttype2
result = get_users_with_perms(self.obj2, attach_perms=True)
expected = {
self.user3: ["change_contenttype", "delete_contenttype"],
}
self.assertEqual(result.keys(), expected.keys())
for key, perms in result.items():
self.assertEqual(set(perms), set(expected[key]))
def test_user_with_share(self):
assign_perm("view_collection", self.user1, self.collection)
assign_perm("share_collection", self.user1, self.collection)
# Can add permissions to users.
data = {'users': {'add': {self.user2.pk: ['view']}}}
resp = self._detail_permissions(self.collection.pk, data, self.user1)
self.assertEqual(resp.status_code, status.HTTP_200_OK)
self.assertEqual(UserObjectPermission.objects.filter(user=self.user2).count(), 1)
# Can add permissions to groups.
data = {'groups': {'add': {self.group.pk: ['view']}}}
resp = self._detail_permissions(self.collection.pk, data, self.user1)
self.assertEqual(resp.status_code, status.HTTP_200_OK)
self.assertEqual(GroupObjectPermission.objects.count(), 1)
# Can remove permissions from users.
data = {'users': {'remove': {self.user2.pk: ['view']}}}
resp = self._detail_permissions(self.collection.pk, data, self.user1)
self.assertEqual(resp.status_code, status.HTTP_200_OK)
self.assertEqual(UserObjectPermission.objects.filter(user=self.user2).count(), 0)
# Can remove permissions from groups.
data = {'groups': {'remove': {self.group.pk: ['view']}}}
resp = self._detail_permissions(self.collection.pk, data, self.user1)
self.assertEqual(resp.status_code, status.HTTP_200_OK)
self.assertEqual(GroupObjectPermission.objects.count(), 0)
def test_index_permission_protected_project(self):
project = Project.objects.create(
active=True,
custom_permissions=True,
login_required=True,
name='MY_TEMPLATE_NAME',
)
batch = Batch.objects.create(project=project, name='MY_BATCH_NAME')
Task.objects.create(batch=batch)
in_user = User.objects.create_user('in_user', password='******')
User.objects.create_user('out_user', password='******')
group = Group.objects.create(name='testgroup')
in_user.groups.add(group)
assign_perm('can_work_on', group, project)
in_client = django.test.Client()
in_client.login(username='******', password='******')
response = in_client.get(reverse('index'))
self.assertEqual(response.status_code, 200)
self.assertFalse(b'No Tasks available' in response.content)
self.assertTrue(b'MY_TEMPLATE_NAME' in response.content)
self.assertTrue(b'MY_BATCH_NAME' in response.content)
out_client = django.test.Client()
out_client.login(username='******', password='******')
response = out_client.get(reverse('index'))
self.assertEqual(response.status_code, 200)
self.assertTrue(b'No Tasks available' in response.content)
self.assertFalse(b'MY_TEMPLATE_NAME' in response.content)
self.assertFalse(b'MY_BATCH_NAME' in response.content)
def test_map_download(self):
"""Test the correct permissions on layers on map download"""
create_models(type='map')
create_maplayers()
# Get a Map
the_map = Map.objects.get(title='GeoNode Default Map')
# Get a MapLayer and set the parameters as it is local and not a background
# and leave it alone in the map
map_layer = the_map.layer_set.get(name='geonode:CA')
map_layer.local = True
map_layer.group = 'overlay'
map_layer.save()
the_map.layer_set.all().delete()
the_map.layer_set.add(map_layer)
# Get the Layer and set the permissions for bobby to it and the map
bobby = Profile.objects.get(username='******')
the_layer = Layer.objects.get(typename='geonode:CA')
remove_perm('download_resourcebase', bobby, the_layer.get_self_resource())
remove_perm('download_resourcebase', Group.objects.get(name='anonymous'),
the_layer.get_self_resource())
assign_perm('view_resourcebase', bobby, the_layer.get_self_resource())
assign_perm('download_resourcebase', bobby, the_map.get_self_resource())
self.client.login(username='******', password='******')
response = self.client.get(reverse('map_download', args=(the_map.id,)))
self.assertTrue('Could not find downloadable layers for this map' in response.content)
def test_add_form_buttons_with_permission(self):
assign_perm('reply', self.user, self.letter.case.monitoring)
assign_perm('add_draft', self.user, self.letter.case.monitoring)
form = ReplyForm(user=self.user, letter=self.letter)
html = self.render_form(form)
self.assertIn('name="save"', html)
self.assertIn('name="send"', html)
def update(self, request, pk):
"""
Add or remove permissions
"""
if not request.user.is_authenticated():
return Response(
status=403,
data={
'detail': 'Authentication required',
},
)
required_params = ['user', ]
for param in required_params:
if param not in request.DATA:
return Response(
status=400,
data={
'detail': 'Parameter required {param}'.format(
param=param,
),
},
)
check_list = get_object_or_404(CheckList, id=pk)
if not request.user.has_perm('api.change_checklist', check_list):
return Response(
status=403,
data={
'detail': 'Permission denied',
},
)
user = get_object_or_404(User, id=request.DATA.get('user'), )
if user.id == check_list.owner.id:
return Response(
status=400,
data={
'detail': "Owner permissions can't be changed",
},
)
if user.has_perm('api.change_checklist', check_list):
remove_perm('api.view_checklist', user, check_list)
remove_perm('api.change_checklist', user, check_list)
else:
assign_perm('api.view_checklist', user, check_list)
assign_perm('api.change_checklist', user, check_list)
return Response(
status=200,
data={
'change_checklist': user.has_perm(
'api.change_checklist',
check_list
),
'detail': 'Permissions updated',
'view_checklist': user.has_perm(
'api.view_checklist',
check_list
),
},
)
def test_unpublished_layer(self):
"""With resource publishing"""
layer = Layer.objects.filter(alternate='geonode:CA')[0]
layer.is_published = False
layer.save()
user = get_user_model().objects.get(username='******')
self.client.login(username='******', password='******')
# 404 if layer is unpublished
response = self.client.get(reverse('layer_detail', args=('geonode:CA',)))
self.failUnlessEqual(response.status_code, 404)
# 404 if layer is unpublished but user has permission but does not belong to the group
assign_perm('publish_resourcebase', user, layer.get_self_resource())
response = self.client.get(reverse('layer_detail', args=('geonode:CA',)))
self.failUnlessEqual(response.status_code, 404)
# 200 if layer is unpublished and user is owner
remove_perm('publish_resourcebase', user, layer.get_self_resource())
layer.owner = user
layer.save()
response = self.client.get(reverse('layer_detail', args=('geonode:CA',)))
self.failUnlessEqual(response.status_code, 200)
# 200 if layer is published
layer.is_published = True
layer.save()
response = self.client.get(reverse('layer_detail', args=('geonode:CA',)))
self.failUnlessEqual(response.status_code, 200)
layer.is_published = True
layer.save()
def set_owner_permissions(resource):
"""assign all admin permissions to the owner"""
if resource.polymorphic_ctype.name == 'layer':
for perm in LAYER_ADMIN_PERMISSIONS:
assign_perm(perm, resource.owner, resource.layer)
for perm in ADMIN_PERMISSIONS:
assign_perm(perm, resource.owner, resource.get_self_resource())
def test_unpublished_layer(self):
"""Test unpublished layer behaviour"""
user = get_user_model().objects.get(username='******')
self.client.login(username='******', password='******')
# default (RESOURCE_PUBLISHING=False)
# access to layer detail page gives 200 if layer is published or
# unpublished
response = self.client.get(reverse('layer_detail', args=('geonode:CA',)))
self.failUnlessEqual(response.status_code, 200)
layer = Layer.objects.filter(title='CA')[0]
layer.is_published = False
layer.save()
response = self.client.get(reverse('layer_detail', args=('geonode:CA',)))
self.failUnlessEqual(response.status_code, 200)
# with resource publishing
with self.settings(RESOURCE_PUBLISHING=True):
# 404 if layer is unpublished
response = self.client.get(reverse('layer_detail', args=('geonode:CA',)))
self.failUnlessEqual(response.status_code, 404)
# 200 if layer is unpublished but user has permission
assign_perm('publish_resourcebase', user, layer.get_self_resource())
response = self.client.get(reverse('layer_detail', args=('geonode:CA',)))
self.failUnlessEqual(response.status_code, 200)
# 200 if layer is published
layer.is_published = True
layer.save()
remove_perm('publish_resourcebase', user, layer.get_self_resource())
response = self.client.get(reverse('layer_detail', args=('geonode:CA',)))
self.failUnlessEqual(response.status_code, 200)
layer.is_published = True
layer.save()
def test_spawned_process(self):
"""Test that manager is run for spawned processes and permissions are copied."""
DescriptorSchema.objects.create(
name='Test schema', slug='test-schema', contributor=self.contributor
)
spawned_process = Process.objects.filter(slug='test-save-file').latest()
# Patch the process to create Entity, so its bahaviour can be tested.
spawned_process.entity_type = 'test-schema'
spawned_process.entity_descriptor_schema = 'test-schema'
spawned_process.save()
process = Process.objects.filter(slug='test-spawn-new').latest()
with transaction.atomic():
data = Data.objects.create(
name='Test data',
contributor=self.contributor,
process=process,
)
self.collection.data.add(data)
assign_perm('view_data', self.user, data)
# Created and spawned objects should be done.
self.assertEqual(Data.objects.filter(status=Data.STATUS_DONE).count(), 2)
# Check that permissions are inherited.
child = Data.objects.last()
self.assertTrue(self.user.has_perm('view_data', child))
self.assertEqual(child.collection_set.count(), 1)
self.assertEqual(child.collection_set.first().pk, self.collection.pk)
self.assertEqual(child.entity_set.first().collections.count(), 1)
self.assertEqual(child.entity_set.first().collections.first().pk, self.collection.pk)
def setUpClass(cls):
from guardian.shortcuts import assign_perm
# create users
create = User.objects.create_user
users = {
'fullaccess': create('fullaccess', '*****@*****.**', 'password'),
'readonly': create('readonly', '*****@*****.**', 'password'),
'writeonly': create('writeonly', '*****@*****.**', 'password'),
'deleteonly': create('deleteonly', '*****@*****.**', 'password'),
}
# give everyone model level permissions, as we are not testing those
everyone = Group.objects.create(name='everyone')
model_name = BasicPermModel._meta.module_name
app_label = BasicPermModel._meta.app_label
f = '{0}_{1}'.format
perms = {
'view': f('view', model_name),
'change': f('change', model_name),
'delete': f('delete', model_name)
}
for perm in perms.values():
perm = '{0}.{1}'.format(app_label, perm)
assign_perm(perm, everyone)
everyone.user_set.add(*users.values())
cls.perms = perms
cls.users = users
def form_valid(self, form):
form.instance.author = self.request.user
form.instance.assignment = get_object_or_404(models.Assignment, pk=self.kwargs['pk'])
current_date = timezone.now()
form.instance.create_date = current_date
form.instance.last_modified_date = current_date
form.parent_attempt = None
form.instance.number = 1
stage = form.instance.assignment.active_stage()
if stage is None:
return HttpResponse(status=400)
elif current_date < stage.start_date or current_date > stage.grace_period_end_date:
return HttpResponse(status=400)
form.instance.is_late = (current_date > stage.end_date)
#period = get_object_or_404(models.SubmissionPeriod, pk=self.kwargs['pk'])
#if not period:
# return False
#form.instance.assignment = assignment
response = super(ArticleOriginCreate, self).form_valid(form)
assign_perm('articles.change_article', self.request.user, form.instance)
return response
def form_valid(self, form):
form.instance.author = self.request.user
attempt = get_object_or_404(models.GradingAttempt, pk = self.kwargs['pk'])
if not attempt:
return False
form.instance.parent_attempt = attempt
form.instance.assignment = attempt.article.assignment
current_date = timezone.now()
form.instance.create_date = current_date
form.instance.last_modified_date = current_date
form.instance.number = attempt.article.number + 1
stage = form.instance.assignment.active_stage()
if stage is None:
return HttpResponse(status=400)
elif current_date < stage.start_date or current_date > stage.grace_period_end_date:
return HttpResponse(status=400)
form.instance.is_late = (current_date > stage.end_date)
response = super(ArticleRevisionCreate, self).form_valid(form)
assign_perm('articles.change_article', self.request.user, form.instance)
return response
def set_object_permissions(sender, instance=None, created=False, **kwargs):
if created:
for perm in get_perms_for_model(Team):
assign_perm(perm.codename, instance.organization, instance)
if instance.created_by:
assign_perm(perm.codename, instance.created_by, instance)
def test_aggregations(self):
item = models.ExampleItem()
item.name = 'Example'
item.enabled = False
item.save()
m2m_item = models.ExampleM2MItem()
m2m_item.save()
shortcuts.assign_perm(
'rest_framework_reactive.view_exampleitem',
auth_models.AnonymousUser(),
item,
)
observer = QueryObserver(
request(views.AggregationTestViewSet, items=[m2m_item.pk])
)
observer.subscribe(
'test-session',
dependencies=[models.ExampleItem, models.ExampleM2MItem.items.through],
)
# There should be a dependency on the intermediate table.
observer_state = observer_models.Observer.objects.get(pk=observer.id)
dependencies = observer_state.dependencies.all().values_list('table', flat=True)
self.assertIn('drfr_test_app_examplem2mitem_items', dependencies)
def test_for_assign_no_duplicates_with_multiple_permissions(self):
assign_perm('cases.can_view', self.user)
assign_perm('cases.can_assign', self.user)
case = CaseFactory(created_by=self.user)
self.assertEqual(
1,
len(Case.objects.for_assign(self.user)))
def join(self, user, **kwargs):
from geonode.layers.models import Layer
from geonode.tabular.models import Tabular
'Joins an user to this app as a member.'
if user == user.get_anonymous():
raise ValueError("The invited user cannot be anonymous")
AppMember(app=self, user=user, **kwargs).save()
# asocia todos los recursos del usuario que tienen
# los recursos que necesita la app
manager = self.get_managers()[0]
for resource in user.resourcebase_set.all():
keywords = set(resource.keyword_list())
try: keywords.add(resource.layer.layer_type.name)
except Layer.DoesNotExist: pass
try: keywords.add(resource.tabular.tabular_type.name)
except Tabular.DoesNotExist: pass
if len(keywords.intersection(self.keyword_list())) > 0:
assign_perm('view_resourcebase', manager, resource)
def test_inactive_user_blocked(self):
t = Thing(name='Test thing')
t.save()
self.user.is_active = False
self.user.save()
assign_perm('change_thing', self.user, t)
self.assertFalse(self.user.has_perm('tests.change_thing', t))
def test_object_permissions_win_over_group(self):
t = Thing(name='Test thing')
t.save()
perm = Permission.objects.get(codename="add_thing")
self.group.permissions.add(perm)
perm = Permission.objects.get(codename="change_thing")
self.group.permissions.add(perm)
perm = Permission.objects.get(codename="delete_thing")
self.group.permissions.add(perm)
self.user.save()
self.assertTrue(self.user.has_perm('tests.change_thing'))
self.assertTrue(self.user.has_perm('tests.add_thing'))
self.assertTrue(self.user.has_perm('tests.delete_thing'))
self.assertTrue(self.user.has_perm('tests.change_thing', t))
self.assertTrue(self.user.has_perm('tests.add_thing', t))
self.assertTrue(self.user.has_perm('tests.delete_thing', t))
assign_perm('change_thing', self.group, t) # per-object permission
self.assertTrue(self.user.has_perm('tests.change_thing', t))
self.assertFalse(self.user.has_perm('tests.add_thing', t))
self.assertFalse(self.user.has_perm('tests.delete_thing', t))
def test_user_has_access_on_model_with_metaclass(self):
"""
Test to the fix issues of comparaison made via type()
in the decorator. In the case of a `Model` implementing
a custom metaclass, the decorator fail because type
doesn't return `ModelBase`
"""
perm = get_user_permission_full_codename('change')
class TestMeta(ModelBase):
pass
class ProxyUser(User):
class Meta:
proxy = True
app_label = User._meta.app_label
__metaclass__ = TestMeta
joe, created = ProxyUser.objects.get_or_create(username='******')
assign_perm(perm, self.user, obj=joe)
request = self._get_request(self.user)
@permission_required_or_403(perm, (
ProxyUser, 'username', 'username'))
def dummy_view(request, username):
return HttpResponse('dummy_view')
response = dummy_view(request, username='******')
self.assertEqual(response.status_code, 200)
self.assertEqual(response.content, b'dummy_view')
def test_attach_groups_only_has_perms(self):
cache.clear()
self.user1.groups.add(self.group1)
assign_perm("change_contenttype", self.group1, self.obj1)
result = get_users_with_perms(self.obj1, attach_perms=True)
expected = {self.user1: ["change_contenttype"]}
self.assertEqual(result, expected)
def form_valid(self, form):
old_course = models.Course.objects.get(pk=form.instance.pk)
initial_instructors = list(old_course.instructors.all())
initial_students = list(old_course.students.all())
response = super(CourseUpdate, self).form_valid(form)
instructors = form.instance.instructors.all()
students = form.instance.students.all()
# print(initial_instructors)
# print(instructors)
# print(initial_students)
# print(students)
# Revoke permissions
for user in initial_instructors:
remove_perm('change_course', user, form.instance)
remove_perm('view_course', user, form.instance)
remove_perm('instruct_course', user, form.instance)
for user in initial_students:
remove_perm('view_course', user, form.instance)
remove_perm('enroll_course', user, form.instance)
# Assign permissions
for user in instructors:
assign_perm('change_course', user, form.instance)
assign_perm('view_course', user, form.instance)
assign_perm('instruct_course', user, form.instance)
for user in students:
assign_perm('view_course', user, form.instance)
assign_perm('enroll_course', user, form.instance)
return response
def _create_demo_challenge(self):
demo = Challenge.objects.create(
short_name="demo",
description="demo project",
creator=self.users["demo"],
use_workspaces=True,
hidden=False,
display_forum_link=True,
)
demo.add_participant(self.users["demop"])
Page.objects.create(
challenge=demo, title="all", permission_level="ALL"
)
Page.objects.create(
challenge=demo, title="reg", permission_level="REG"
)
Page.objects.create(
challenge=demo, title="adm", permission_level="ADM"
)
Phase.objects.create(challenge=demo, title="Phase 2")
for phase_num, phase in enumerate(demo.phase_set.all()):
assign_perm("create_phase_workspace", self.users["demop"], phase)
phase.score_title = "Accuracy ± std"
phase.score_jsonpath = "acc.mean"
phase.score_error_jsonpath = "acc.std"
phase.extra_results_columns = [
{
"title": "Dice ± std",
"path": "dice.mean",
"error_path": "dice.std",
"order": "desc",
}
]
phase.submission_kind = phase.SubmissionKind.ALGORITHM
phase.evaluation_detail_observable_url = (
phase.evaluation_comparison_observable_url
) = "https://observablehq.com/embed/@grand-challenge/data-fetch-example?cell=*"
phase.save()
method = Method(phase=phase, creator=self.users["demo"])
container = ContentFile(base64.b64decode(b""))
method.image.save("test.tar", container)
method.save()
submission = Submission(phase=phase, creator=self.users["demop"])
content = ContentFile(base64.b64decode(b""))
submission.predictions_file.save("test.csv", content)
submission.save()
e = Evaluation.objects.create(
submission=submission,
method=method,
status=Evaluation.SUCCESS,
)
def create_result(evaluation, result: dict):
interface = ComponentInterface.objects.get(
slug="metrics-json-file"
)
try:
output_civ = evaluation.outputs.get(interface=interface)
output_civ.value = result
output_civ.save()
except ObjectDoesNotExist:
output_civ = ComponentInterfaceValue.objects.create(
interface=interface, value=result
)
evaluation.outputs.add(output_civ)
create_result(
e,
{
"acc": {"mean": 0.1 * phase_num, "std": 0.1},
"dice": {"mean": 0.71, "std": 0.05},
},
)
def test_user_permissions(self):
self.group1.user_set.add(self.user1)
assign_perm("view_collection", self.user1, self.collection)
assign_perm("edit_collection", self.user1, self.collection)
assign_perm("view_collection", self.user2, self.collection)
assign_perm("view_collection", self.group1, self.collection)
assign_perm("edit_collection", self.group1, self.collection)
assign_perm("view_collection", self.group2, self.collection)
expected_perms = [
{
'permissions': ['edit', 'view'],
'type': 'user',
'id': self.user1.pk,
'name': 'test_user1'
},
{
'permissions': ['edit', 'view'],
'type': 'group',
'id': self.group1.pk,
'name': 'Test group 1'
},
]
perms = get_object_perms(self.collection, self.user1)
self.assertCountEqual(self._sort_perms(expected_perms),
self._sort_perms(perms))
self.group2.user_set.add(self.user1)
expected_perms.append(
{
'permissions': ['view'],
'type': 'group',
'id': self.group2.pk,
'name': 'Test group 2'
}, )
perms = get_object_perms(self.collection, self.user1)
self.assertCountEqual(self._sort_perms(expected_perms),
self._sort_perms(perms))
assign_perm("view_collection", self.anonymous, self.collection)
expected_perms.append({'permissions': ['view'], 'type': 'public'}, )
perms = get_object_perms(self.collection, self.user1)
self.assertCountEqual(self._sort_perms(expected_perms),
self._sort_perms(perms))
def setUpTestData(cls):
super().setUpTestData()
cls.descriptor_schema = DescriptorSchema.objects.create(
slug="test-schema",
version="1.0.0",
contributor=cls.contributor,
schema=[{
"name":
"company",
"group": [
{
"name": "name",
"type": "basic:string:",
"required": False,
},
{
"name": "departments",
"type": "list:basic:string:",
"required": False,
},
],
}],
)
cls.collections = [
Collection.objects.create(
name="Test collection 0",
slug="test-collection-0",
contributor=cls.contributor,
description="My description!",
descriptor_schema=cls.descriptor_schema,
descriptor={
"company": {
"name": "Genialis",
"departments": ["engineering", "operations"],
}
},
tags=["first-tag"],
),
Collection.objects.create(
name="Test collection 1",
slug="test-collection-1",
contributor=cls.contributor,
description="My favourite test collection",
descriptor_schema=cls.descriptor_schema,
tags=["first-tag", "second-tag"],
),
Collection.objects.create(
name="User test collection",
slug="user-collection",
contributor=cls.user,
description="User's description",
tags=["second-tag"],
),
]
tzone = get_current_timezone()
cls.collections[0].created = datetime.datetime(2016,
7,
30,
0,
59,
tzinfo=tzone)
cls.collections[0].save()
cls.collections[1].created = datetime.datetime(2016,
7,
30,
1,
59,
tzinfo=tzone)
cls.collections[1].save()
cls.collections[2].created = datetime.datetime(2016,
7,
30,
2,
59,
tzinfo=tzone)
cls.collections[2].save()
assign_perm("owner_collection", cls.admin, cls.collections[0])
assign_perm("view_collection", cls.user, cls.collections[0])
assign_perm("owner_collection", cls.admin, cls.collections[1])
assign_perm("view_collection", cls.user, cls.collections[1])
assign_perm("view_collection", cls.user, cls.collections[2])
assign_perm("edit_collection", cls.user, cls.collections[2])
assign_perm("owner_collection", cls.user, cls.collections[2])
cls.viewset_class = CollectionViewSet
def setUpTestData(cls):
super().setUpTestData()
tzone = get_current_timezone()
descriptor_schema = DescriptorSchema.objects.create(
slug="test-schema",
version="1.0.0",
contributor=cls.contributor,
schema=[{
"name":
"company",
"group": [
{
"name": "name",
"type": "basic:string:",
"required": False,
},
{
"name": "departments",
"type": "list:basic:string:",
"required": False,
},
],
}],
)
cls.collection1 = Collection.objects.create(
name="My collection",
slug="my-collection",
contributor=cls.contributor,
)
cls.collection2 = Collection.objects.create(
name="Other collection",
slug="other-collection",
contributor=cls.contributor,
)
cls.entity1 = Entity.objects.create(
name="My entity",
slug="my-entity",
collection=cls.collection1,
contributor=cls.contributor,
)
cls.entity2 = Entity.objects.create(
name="Other entity",
slug="other-entity",
collection=cls.collection2,
contributor=cls.contributor,
)
cls.proc1 = Process.objects.create(
type="data:test:process1:",
name="First process",
slug="test-process-1",
version="1.0.0",
contributor=cls.contributor,
input_schema=[{
"name": "input_data",
"type": "data:test:",
"required": False
}],
)
cls.proc2 = Process.objects.create(
type="data:test:process2:",
name="Second process",
slug="test-process-2",
version="1.0.0",
contributor=cls.contributor,
input_schema=[{
"name": "input_data",
"type": "data:test:",
"required": False
}],
)
cls.data = [
Data.objects.create(
name="Data 0",
slug="dataslug-0",
contributor=cls.contributor,
collection=cls.collection1,
entity=cls.entity1,
process=cls.proc1,
status=Data.STATUS_RESOLVING,
started=datetime.datetime(2016, 7, 31, 0, 0, tzinfo=tzone),
finished=datetime.datetime(2016, 7, 31, 0, 30, tzinfo=tzone),
tags=["first-tag"],
descriptor_schema=descriptor_schema,
descriptor={
"company": {
"name": "Genialis",
"departments": ["engineering", "operations"],
}
},
),
Data.objects.create(
name="Data 1",
slug="dataslug-1",
contributor=cls.contributor,
collection=cls.collection2,
entity=cls.entity2,
process=cls.proc1,
status=Data.STATUS_DONE,
started=datetime.datetime(2016, 7, 31, 1, 0, tzinfo=tzone),
finished=datetime.datetime(2016, 7, 31, 1, 30, tzinfo=tzone),
tags=["first-tag", "second-tag", "data"],
),
Data.objects.create(
name="User data",
slug="dataslug-2",
contributor=cls.user,
process=cls.proc2,
status=Data.STATUS_DONE,
started=datetime.datetime(2016, 7, 31, 2, 0, tzinfo=tzone),
finished=datetime.datetime(2016, 7, 31, 2, 30, tzinfo=tzone),
tags=["second-tag"],
),
]
cls.data[0].created = datetime.datetime(2016,
7,
30,
0,
59,
tzinfo=tzone)
cls.data[0].save()
cls.data[1].created = datetime.datetime(2016,
7,
30,
1,
59,
tzinfo=tzone)
cls.data[1].save()
cls.data[2].created = datetime.datetime(2016,
7,
30,
2,
59,
tzinfo=tzone)
cls.data[2].save()
assign_perm("owner_data", cls.admin, cls.data[0])
assign_perm("view_data", cls.user, cls.data[0])
assign_perm("owner_data", cls.admin, cls.data[1])
assign_perm("view_data", cls.user, cls.data[1])
assign_perm("owner_data", cls.user, cls.data[2])
assign_perm("view_data", cls.user, cls.data[2])
assign_perm("edit_data", cls.user, cls.data[2])
cls.viewset_class = DataViewSet
def get_all_level_info(self):
"""
Translates the current object guardian perms into a JSON-like "perm_spec" object in the form:
{
'users': {
<Profile AnonymousUser>: ['view'],
<Profile username>: ['perm1','perm2','perm3'],
<Profile username2>: ['perm1','perm2','perm3']
...
}
'groups': [
<Group groupname>: ['perm1','perm2','perm3'],
<Group groupname2>: ['perm1','perm2','perm3'],
...
]
}
"""
resource = self.get_self_resource()
users = get_users_with_perms(resource)
groups = get_groups_with_perms(resource, attach_perms=True)
if groups:
for group in groups:
try:
group_profile = GroupProfile.objects.get(slug=group.name)
managers = group_profile.get_managers()
if managers:
for manager in managers:
if manager not in users and not manager.is_superuser and \
manager != resource.owner:
for perm in ADMIN_PERMISSIONS + VIEW_PERMISSIONS + DOWNLOAD_PERMISSIONS:
assign_perm(perm, manager, resource)
users[
manager] = ADMIN_PERMISSIONS + VIEW_PERMISSIONS + DOWNLOAD_PERMISSIONS
except GroupProfile.DoesNotExist:
tb = traceback.format_exc()
logger.debug(tb)
if resource.group:
try:
group_profile = GroupProfile.objects.get(
slug=resource.group.name)
managers = group_profile.get_managers()
if managers:
for manager in managers:
if manager not in users and not manager.is_superuser and \
manager != resource.owner:
for perm in ADMIN_PERMISSIONS + VIEW_PERMISSIONS + DOWNLOAD_PERMISSIONS:
assign_perm(perm, manager, resource)
users[
manager] = ADMIN_PERMISSIONS + VIEW_PERMISSIONS + DOWNLOAD_PERMISSIONS
except GroupProfile.DoesNotExist:
tb = traceback.format_exc()
logger.debug(tb)
info = {'users': users, 'groups': groups}
try:
if hasattr(self, "dataset"):
info_dataset = {
'users':
get_users_with_perms(self.dataset),
'groups':
get_groups_with_perms(self.dataset, attach_perms=True)
}
for user in info_dataset['users']:
if user in info['users']:
info['users'][user] = info['users'][
user] + info_dataset['users'][user]
else:
info['users'][user] = info_dataset['users'][user]
for group in info_dataset['groups']:
if group in info['groups']:
info['groups'][group] = list(
dict.fromkeys(info['groups'][group] +
info_dataset['groups'][group]))
else:
info['groups'][group] = info_dataset['groups'][group]
except Exception:
tb = traceback.format_exc()
logger.debug(tb)
# Remove duplicated perms if any
if info:
for _k, _v in info.items():
for _kk, _vv in info[_k].items():
if _vv and isinstance(_vv, list):
info[_k][_kk] = list(set(_vv))
return info
def test_allow_if_user_given_permission(self):
self._create_user_and_login('alice')
assign_perm('change_xform', self.user, self.xform)
response = self.client.get(self.url)
self.assertEqual(response.status_code, 200)
def set_all_permissions(self, user_or_group): assign_perm(self.view_permission_name, user_or_group, self) assign_perm(self.change_children_permission_name, user_or_group, self)
def add(cls, user, obj):
cls._remove_obj_permissions(user, obj)
for codename, klass in cls.permissions:
if type(obj) == klass:
assign_perm(codename, user, obj)
def test_perms_single(self):
perm = 'contenttypes.change_contenttype'
assign_perm(perm, self.group1, self.obj1)
self.assertEqual(set(get_objects_for_group(self.group1, perm)),
set(get_objects_for_group(self.group1, [perm])))
def test_update_order_as_non_superuser(self):
def test_root_menu_order(root_menu_items):
# check that order of root menu items has been preserved
root_menu_iterator = zip(
MenuItem.objects.filter(menu_type=MenuItem.MAIN_MENU,
parent_id=None), root_menu_items)
for possibly_changed_root_item, old_root_item in root_menu_iterator:
self.assertEqual(possibly_changed_root_item.order,
old_root_item.order)
assign_perm(MenuItem.CHANGE_CHILDREN_PERMISSION_NAME, self.user,
self.root_menu_item)
root_menu_items = MenuItem.objects.filter(menu_type=MenuItem.MAIN_MENU,
parent_id=None)
# move subsub item to sub item position
children_data = [{
'id': menu_item.id
} for menu_item in [self.sub_item, self.sub_sub_item]]
order_data = {
'main_menu_items': [
{
'id': self.root_menu_item.id,
'children': children_data,
},
],
'footer_items': [],
}
response = self.app.post(reverse('menu_items_update_order'),
params=json.dumps(order_data),
user=self.user)
self.assertEqual(response.status_code, 200)
root_menu_children = MenuItem.objects.filter(
parent_id=self.root_menu_item.id)
self.assertEqual(root_menu_children.count(), 2)
test_root_menu_order(root_menu_items)
# change order of children
children_data = [{
'id': menu_item.id
} for menu_item in reversed(root_menu_children)]
order_data['main_menu_items'][0]['children'] = children_data
response = self.app.post(reverse('menu_items_update_order'),
params=json.dumps(order_data),
user=self.user)
self.assertEqual(response.status_code, 200)
# check that order has indeed changed
for changed_child, old_child in zip(
reversed(
MenuItem.objects.filter(parent_id=self.root_menu_item.id)),
root_menu_children):
self.assertNotEqual(changed_child.order, old_child.order)
test_root_menu_order(root_menu_items)
# put one child as child of another
children_data = [
{
'id': root_menu_children[0].id,
'children': [{
'id': root_menu_children[1].id
}],
},
]
order_data['main_menu_items'][0]['children'] = children_data
response = self.app.post(reverse('menu_items_update_order'),
params=json.dumps(order_data),
user=self.user)
self.assertEqual(response.status_code, 200)
self.assertEqual(
MenuItem.objects.filter(
parent_id=root_menu_children[0].id).count(), 1)
test_root_menu_order(root_menu_items)
def test_group_assign_perm_global(self):
perm = assign_perm("contenttypes.change_contenttype", self.group)
self.assertTrue(self.user.has_perm("contenttypes.change_contenttype"))
self.assertTrue(isinstance(perm, Permission))
def test_klass_as_queryset(self):
assign_perm('contenttypes.change_contenttype', self.group1, self.obj1)
objects = get_objects_for_group(self.group1, ['change_contenttype'],
ContentType.objects.all())
self.assertEqual(list(objects), [self.obj1])
def test_object_based_permission_with_groups_2perms(self):
group_names = ['group1', 'group2', 'group3']
groups = [Group.objects.create(name=name) for name in group_names]
for group in groups:
self.user.groups.add(group)
# Objects to operate on
ctypes = list(ContentType.objects.all().order_by('id'))
assign_perm('contenttypes.change_contenttype', self.user)
assign_perm('change_contenttype', self.user, ctypes[0])
assign_perm('change_contenttype', self.user, ctypes[1])
assign_perm('delete_contenttype', self.user, ctypes[1])
assign_perm('delete_contenttype', self.user, ctypes[2])
assign_perm('change_contenttype', groups[0], ctypes[3])
assign_perm('change_contenttype', groups[1], ctypes[3])
assign_perm('change_contenttype', groups[2], ctypes[4])
assign_perm('delete_contenttype', groups[0], ctypes[0])
objects = get_objects_for_user(self.user, [
'contenttypes.change_contenttype',
'contenttypes.delete_contenttype'
],
accept_global_perms=True)
self.assertEqual(set(objects.values_list('id', flat=True)),
set([ctypes[0].id, ctypes[1].id, ctypes[2].id]))
def test_short_codenames_with_klass(self):
assign_perm('contenttypes.change_contenttype', self.user, self.ctype)
objects = get_objects_for_user(self.user, ['change_contenttype'],
ContentType)
self.assertEqual([obj.name for obj in objects], [self.ctype.name])
def test_groups_perms(self):
group1 = Group.objects.create(name='group1')
group2 = Group.objects.create(name='group2')
group3 = Group.objects.create(name='group3')
groups = [group1, group2, group3]
for group in groups:
self.user.groups.add(group)
# Objects to operate on
ctypes = list(ContentType.objects.all().order_by('id'))
assign_perm('auth.change_group', self.user)
assign_perm('change_contenttype', self.user, ctypes[0])
assign_perm('change_contenttype', self.user, ctypes[1])
assign_perm('delete_contenttype', self.user, ctypes[1])
assign_perm('delete_contenttype', self.user, ctypes[2])
assign_perm('change_contenttype', groups[0], ctypes[3])
assign_perm('change_contenttype', groups[1], ctypes[3])
assign_perm('change_contenttype', groups[2], ctypes[4])
assign_perm('delete_contenttype', groups[0], ctypes[0])
objects = get_objects_for_user(self.user,
['contenttypes.change_contenttype'])
self.assertEqual(set(objects.values_list('id', flat=True)),
set(ctypes[i].id for i in [0, 1, 3, 4]))
objects = get_objects_for_user(self.user, [
'contenttypes.change_contenttype',
'contenttypes.delete_contenttype'
])
self.assertEqual(set(objects.values_list('id', flat=True)),
set(ctypes[i].id for i in [0, 1]))
objects = get_objects_for_user(self.user,
['contenttypes.change_contenttype'])
self.assertEqual(set(objects.values_list('id', flat=True)),
set(ctypes[i].id for i in [0, 1, 3, 4]))
def test_object_based_permission_with_groups_3perms(self):
group_names = ['group1', 'group2', 'group3']
groups = [Group.objects.create(name=name) for name in group_names]
for group in groups:
self.user.groups.add(group)
# Objects to operate on
ctypes = list(ContentType.objects.all().order_by('id'))
assign_perm('contenttypes.change_contenttype', self.user)
assign_perm('change_contenttype', self.user, ctypes[0])
assign_perm('change_contenttype', self.user, ctypes[1])
assign_perm('delete_contenttype', self.user, ctypes[1])
assign_perm('delete_contenttype', self.user, ctypes[2])
# add_contenttype does not make sense, here just for testing purposes,
# to also cover one if branch in function.
assign_perm('add_contenttype', self.user, ctypes[1])
assign_perm('change_contenttype', groups[0], ctypes[3])
assign_perm('change_contenttype', groups[1], ctypes[3])
assign_perm('change_contenttype', groups[2], ctypes[4])
assign_perm('delete_contenttype', groups[0], ctypes[0])
assign_perm('add_contenttype', groups[0], ctypes[0])
objects = get_objects_for_user(self.user, [
'contenttypes.change_contenttype',
'contenttypes.delete_contenttype', 'contenttypes.add_contenttype'
],
accept_global_perms=True)
self.assertEqual(set(objects.values_list('id', flat=True)),
set([ctypes[0].id, ctypes[1].id]))
def test_perms_single(self):
perm = 'auth.change_group'
assign_perm(perm, self.user, self.group)
self.assertEqual(set(get_objects_for_user(self.user, perm)),
set(get_objects_for_user(self.user, [perm])))
def test_user_assign_perm(self):
assign_perm("change_contenttype", self.user, self.ctype)
assign_perm("change_contenttype", self.group, self.ctype)
self.assertTrue(self.user.has_perm("change_contenttype", self.ctype))
def test_mixed(self):
assign_perm("change_contenttype", self.group1, self.obj1)
assign_perm("change_contenttype", self.group1, self.obj2)
assign_perm("change_%s" % user_module_name, self.group1, self.user3)
assign_perm("change_contenttype", self.group2, self.obj2)
assign_perm("change_contenttype", self.group2, self.obj1)
assign_perm("delete_contenttype", self.group2, self.obj1)
assign_perm("change_%s" % user_module_name, self.group3, self.user1)
result = get_groups_with_perms(self.obj1)
self.assertEqual(set(result), set([self.group1, self.group2]))
def test_klass_as_queryset(self):
assign_perm('auth.change_group', self.user, self.group)
objects = get_objects_for_user(self.user, ['auth.change_group'],
Group.objects.all())
self.assertEqual([obj.name for obj in objects], [self.group.name])
def test_simple(self):
assign_perm("change_contenttype", self.group1, self.obj1)
result = get_groups_with_perms(self.obj1)
self.assertEqual(len(result), 1)
self.assertEqual(result[0], self.group1)
def test_mixed_attach_perms(self):
assign_perm("change_contenttype", self.group1, self.obj1)
assign_perm("change_contenttype", self.group1, self.obj2)
assign_perm("change_group", self.group1, self.group3)
assign_perm("change_contenttype", self.group2, self.obj2)
assign_perm("change_contenttype", self.group2, self.obj1)
assign_perm("delete_contenttype", self.group2, self.obj1)
assign_perm("change_group", self.group3, self.group1)
result = get_groups_with_perms(self.obj1, attach_perms=True)
expected = {
self.group1: ["change_contenttype"],
self.group2: ["change_contenttype", "delete_contenttype"],
}
self.assertEqual(result.keys(), expected.keys())
for key, perms in result.items():
self.assertEqual(set(perms), set(expected[key]))
def test_user_remove_perm_global(self):
# assign perm first
perm = "contenttypes.change_contenttype"
assign_perm(perm, self.user)
remove_perm(perm, self.user)
self.assertFalse(self.user.has_perm(perm))
def test_simple_attach_perms(self):
assign_perm("change_contenttype", self.group1, self.obj1)
result = get_groups_with_perms(self.obj1, attach_perms=True)
expected = {self.group1: ["change_contenttype"]}
self.assertEqual(result, expected)
def test_has_global_permission(self):
assign_perm('contenttypes.change_contenttype', self.group1)
objects = get_objects_for_group(self.group1,
['contenttypes.change_contenttype'])
self.assertEquals(set(objects), set(ContentType.objects.all()))
def test_attach_groups_only_has_perms(self):
self.user1.groups.add(self.group1)
assign_perm("change_contenttype", self.group1, self.obj1)
result = get_users_with_perms(self.obj1, attach_perms=True)
expected = {self.user1: ["change_contenttype"]}
self.assertEqual(result, expected)
def set_permissions(self, perm_spec):
"""
Sets an object's the permission levels based on the perm_spec JSON.
the mapping looks like:
{
'users': {
'AnonymousUser': ['view'],
<username>: ['perm1','perm2','perm3'],
<username2>: ['perm1','perm2','perm3']
...
}
'groups': [
<groupname>: ['perm1','perm2','perm3'],
<groupname2>: ['perm1','perm2','perm3'],
...
]
}
"""
remove_object_permissions(self)
# default permissions for resource owner
set_owner_permissions(self)
# Anonymous User group
if 'users' in perm_spec and "AnonymousUser" in perm_spec['users']:
anonymous_group = Group.objects.get(name='anonymous')
for perm in perm_spec['users']['AnonymousUser']:
if self.polymorphic_ctype.name == 'layer' and perm in ('change_layer_data', 'change_layer_style',
'add_layer', 'change_layer', 'delete_layer',):
assign_perm(perm, anonymous_group, self.layer)
else:
assign_perm(perm, anonymous_group, self.get_self_resource())
# Owner
if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
if self.polymorphic_ctype.name == 'layer':
purge_geofence_layer_rules(self.get_self_resource())
perms = [
"change_resourcebase",
"change_resourcebase_permissions",
"view_resourcebase",
"download_resourcebase"]
sync_geofence_with_guardian(self.layer, perms, user=self.owner)
# All the other users
if 'users' in perm_spec and len(perm_spec['users']) > 0:
for user, perms in perm_spec['users'].items():
_user = get_user_model().objects.get(username=user)
for perm in perms:
if self.polymorphic_ctype.name == 'layer' and perm in (
'change_layer_data', 'change_layer_style',
'add_layer', 'change_layer', 'delete_layer',):
assign_perm(perm, _user, self.layer)
else:
assign_perm(perm, _user, self.get_self_resource())
# Set the GeoFence Rules
if user and user == "AnonymousUser":
user = None
if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
if self.polymorphic_ctype.name == 'layer':
sync_geofence_with_guardian(self.layer, perms, user=user)
# All the other groups
if 'groups' in perm_spec and len(perm_spec['groups']) > 0:
for group, perms in perm_spec['groups'].items():
_group = Group.objects.get(name=group)
for perm in perms:
if self.polymorphic_ctype.name == 'layer' and perm in (
'change_layer_data', 'change_layer_style',
'add_layer', 'change_layer', 'delete_layer',):
assign_perm(perm, _group, self.layer)
else:
assign_perm(perm, _group, self.get_self_resource())
# Set the GeoFence Rules
if _group and _group.name and _group.name == 'anonymous':
_group = None
if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
if self.polymorphic_ctype.name == 'layer':
sync_geofence_with_guardian(self.layer, perms, group=_group)
def test_user_remove_perm(self):
# assign perm first
assign_perm("change_contenttype", self.user, self.ctype)
remove_perm("change_contenttype", self.user, self.ctype)
self.assertFalse(self.user.has_perm("change_contenttype", self.ctype))
def allow_edit(self, user):
assign_perm('can_edit', user, self)
def give_permissions(user, level):
if user != 'default':
try:
user = get_user(user, message.hub.id)
except User.DoesNotExist:
return
else:
user = PermGroup.objects.get(name='default')
if level == 'read':
assign_perm('view_datastore', user, datastore)
remove_perm('change_datastore', user, datastore)
remove_perm('delete_datastore', user, datastore)
elif level == 'write':
assign_perm('view_datastore', user, datastore)
assign_perm('change_datastore', user, datastore)
remove_perm('delete_datastore', user, datastore)
elif level == 'admin':
assign_perm('view_datastore', user, datastore)
assign_perm('change_datastore', user, datastore)
assign_perm('delete_datastore', user, datastore)
elif level == 'deny':
remove_perm('view_datastore', user, datastore)
remove_perm('change_datastore', user, datastore)
remove_perm('delete_datastore', user, datastore)
