def test_invenio_access_permission_for_users(app): """User can access to an action allowed/denied to the user""" InvenioAccess(app) with app.test_request_context(): db.session.begin(nested=True) user_can_all = User(email='*****@*****.**') user_can_read = User(email='*****@*****.**') user_can_open = User(email='*****@*****.**') db.session.add(user_can_all) db.session.add(user_can_read) db.session.add(user_can_open) db.session.add(ActionUsers(action='open', user=user_can_all)) db.session.add(ActionUsers(action='open', user=user_can_open)) db.session.add(ActionUsers(action='read', user=user_can_all)) db.session.add(ActionUsers(action='read', user=user_can_read)) db.session.commit() permission_open = DynamicPermission(ActionNeed('open')) permission_read = DynamicPermission(ActionNeed('read')) identity_all = FakeIdentity(UserNeed(user_can_all.id)) identity_read = FakeIdentity(UserNeed(user_can_read.id)) identity_open = FakeIdentity(UserNeed(user_can_open.id)) assert permission_open.allows(identity_all) assert permission_read.allows(identity_all) assert permission_open.allows(identity_open) assert not permission_read.allows(identity_open) assert not permission_open.allows(identity_read) assert permission_read.allows(identity_read)
def example_group(app): """ Create example groups. :param app: An instance of :class:`~flask.Flask`. :return: App object. """ with app.app_context(): admin = User(email='*****@*****.**', password='******') member = User(email='*****@*****.**', password='******') non_member = User(email='*****@*****.**', password='******') db.session.add(admin) db.session.add(member) db.session.add(non_member) group = Group.create(name='test_group', admins=[admin]) membership = group.invite(member) membership.accept() admin_id = admin.id member_id = member.id non_member_id = non_member.id group_id = group.id db.session.commit() app.get_admin = lambda: User.query.get(admin_id) app.get_member = lambda: User.query.get(member_id) app.get_non_member = lambda: User.query.get(non_member_id) app.get_group = lambda: Group.query.get(group_id) return app
def test_permission_factory(app, db, action, permission_factory): """Test revisions.""" InvenioAccess(app) rec_uuid = uuid.uuid4() with db.session.begin_nested(): user_all = User(email='*****@*****.**') user_one = User(email='*****@*****.**') user_none = User(email='*****@*****.**') db.session.add(user_all) db.session.add(user_one) db.session.add(user_none) db.session.add(ActionUsers(action=action, user=user_all, argument=None)) db.session.add( ActionUsers(action=action, user=user_one, argument=str(rec_uuid))) record = Record.create({'title': 'permission test'}, id_=rec_uuid) # Create a record and assign permissions. permission = permission_factory(record) # Assert which permissions has access. assert permission.allows(FakeIdentity(UserNeed(user_all.id))) assert permission.allows(FakeIdentity(UserNeed(user_one.id))) assert not permission.allows(FakeIdentity(UserNeed(user_none.id)))
def test_invite_by_emails(app): """ Test invite by emails. :param app: The flask application. """ with app.app_context(): u1 = User(email='*****@*****.**', password='******') u2 = User(email='*****@*****.**', password='******') g = Group.create(name='test_group') db.session.add(u1) db.session.add(u2) db.session.commit() result = g.invite_by_emails( [u1.email, u2.email, '*****@*****.**']) assert result[0].state.code is MembershipState.PENDING_USER assert result[1].state.code is MembershipState.PENDING_USER assert result[2] is None assert g.is_member(u1, with_pending=True) assert g.is_member(u2, with_pending=True) assert not g.is_member('*****@*****.**', with_pending=True)
def test_create_profile(app): """Test that userprofile can be patched using UserAccount constructor.""" with app.app_context(): user = User( email='*****@*****.**', ) db.session.add(user) db.session.commit() user_id = user.id patch_user = User( id=user_id, email='*****@*****.**', profile={'full_name': 'updated_full_name'} ) db.session.merge(patch_user) db.session.commit() patch_user = User( id=user_id, profile={'username': '******'} ) db.session.merge(patch_user) db.session.commit() user = User.query.filter(User.id == user_id).one() assert user.profile.full_name == 'updated_full_name' assert user.email == '*****@*****.**' assert user.profile.username == 'test_username'
def test_group_is_member(app): """ Test if group is member. :param app: The flask application. """ with app.app_context(): from weko_groups.models import Group from invenio_accounts.models import User g = Group.create(name='test_group') u = User(email='*****@*****.**', password='******') u2 = User(email='*****@*****.**', password='******') u3 = User(email='*****@*****.**', password='******') db.session.add(u) db.session.add(u2) db.session.add(u3) db.session.commit() g.add_member(u) g.add_member(u2, state=MembershipState.PENDING_USER) g.add_member(u3, state=MembershipState.PENDING_ADMIN) assert g.is_member(u) assert not g.is_member(u2) assert g.is_member(u2, with_pending=True) assert not g.is_member(u3) assert g.is_member(u3, with_pending=True)
def test_membership_query_invitations(app): """ Test membership query invitations. :param app: The flask application. """ with app.app_context(): from weko_groups.models import Group, Membership, \ MembershipState from invenio_accounts.models import User from flask_sqlalchemy import BaseQuery g = Group.create(name="test") u1 = User(email="*****@*****.**", password="******") u2 = User(email="[email protected]", password="******") u3 = User(email="[email protected]", password="******") db.session.add_all([u1, u2, u3]) db.session.commit() Membership.create(g, u1, MembershipState.ACTIVE) Membership.create(g, u2, MembershipState.PENDING_USER) Membership.create(g, u3, MembershipState.PENDING_ADMIN) assert isinstance(Membership.query_by_user(u1), BaseQuery) assert Membership.query_invitations(u1).count() == 0 assert Membership.query_invitations(u2).count() == 1 assert Membership.query_invitations(u3).count() == 0
def users(app): # Create test users encrypted_password = encrypt_password('123456') user = User( email='*****@*****.**', password=encrypted_password, active=True ) user_partially_allowed = User( email='*****@*****.**', password=encrypted_password, active=True, ) user_allowed = User( email='*****@*****.**', password=encrypted_password, active=True, ) db.session.add_all( [user, user_partially_allowed, user_allowed] ) db.session.commit() # Create actions for the allowed user restricted_collection_action = ActionUsers( action='view-restricted-collection', argument='Restricted Collection', user_id=user_allowed.id ) another_restricted_collection_action = ActionUsers( action='view-restricted-collection', argument='Another Restricted Collection', user_id=user_allowed.id ) # Create actions for the partially allowed user partial_restricted_collection_action = ActionUsers( action='view-restricted-collection', argument='Restricted Collection', user_id=user_partially_allowed.id ) db.session.add_all( [ restricted_collection_action, another_restricted_collection_action, partial_restricted_collection_action ] ) db.session.commit() yield SessionActivity.query.delete() ActionUsers.query.filter_by(action='view-restricted-collection').delete() User.query.filter_by(email='*****@*****.**').delete() User.query.filter_by(email='*****@*****.**').delete() User.query.filter_by(email='*****@*****.**').delete() db.session.commit()
def test_group_invite(app): """ Test group invite. :param app: The flask application. """ with app.app_context(): from weko_groups.models import Group, Membership, \ MembershipState from invenio_accounts.models import User g = Group.create(name="test") u = User(email="*****@*****.**", password="******") u2 = User(email="*****@*****.**", password="******") db.session.add(u) db.session.add(u2) db.session.commit() m = g.invite(u) assert Membership.query.count() == 1 assert m.state == MembershipState.PENDING_USER a = Group.create(name="admin") g2 = Group.create(name="test2", admins=[a]) assert g2.invite(u2, admin=g) is None m = g2.invite(u2, admin=a) assert Membership.query.count() == 2 assert m.state == MembershipState.PENDING_USER
def test_file_permissions(app, db, record_with_files_creation, user, access_right, expected): """Test file permissions.""" pid, record, record_url = record_with_files_creation # Create test users admin = User(email='*****@*****.**', password='******') owner = User(email='*****@*****.**', password='******') auth = User(email='*****@*****.**', password='******') db.session.add_all([admin, owner, auth]) db.session.add(ActionUsers.allow(ActionNeed('admin-access'), user=admin)) db.session.commit() # Create test record record['access_right'] = access_right record['owners'] = [owner.id] record.commit() db.session.commit() file_url = url_for( 'invenio_records_ui.recid_files', pid_value=pid.pid_value, filename='Test.pdf', ) with app.test_client() as client: if user: # Login as user with client.session_transaction() as sess: sess['user_id'] = User.query.filter_by( email='{}@zenodo.org'.format(user)).one().id sess['_fresh'] = True res = client.get(file_url) assert res.status_code == expected
def test_dynamic_permission_needs_cache_invalidation(app): """Testing DynamicPermission refreshes needs. This is important when protecting a view with @permission.require(http_exception=403) If cache does not get invalidated, the needs will only be refreshed when the Python process restarts. """ cache = SimpleCache() InvenioAccess(app, cache=cache) with app.test_request_context(): user_can_all = User(email='*****@*****.**') user_can_open = User(email='*****@*****.**') db.session.add(user_can_all) db.session.add(user_can_open) db.session.add(ActionUsers(action='open', user=user_can_all)) db.session.flush() permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.needs == set([Need(method='id', value=1)]) db.session.add(ActionUsers(action='open', user=user_can_open)) db.session.flush() assert permission_open.needs == set( [Need(method='id', value=1), Need(method='id', value=2)] )
def users(app): """Create user fixtures.""" hashed_password = hash_password('123456') user = User(email='*****@*****.**', password=hashed_password, active=True) user_allowed = User(email='*****@*****.**', password=hashed_password, active=True) db.session.add_all([user, user_allowed]) db.session.commit() author_admin = ActionUsers(action='admin-holdingpen-authors', user_id=user_allowed.id) db.session.add(author_admin) db.session.commit() yield ActionUsers.query.filter_by(action='admin-holdingpen-authors').delete() User.query.filter_by(email='*****@*****.**').delete() User.query.filter_by(email='*****@*****.**').delete() db.session.commit()
def users(): """Create users needed in this test module.""" curator = User( email='*****@*****.**', password=hash_password('curator'), active=True, ) scientist = User( email='*****@*****.**', password=hash_password('scientist'), active=True, ) db.session.add_all([curator, scientist]) db.session.commit() curator_action = ActionUsers( action='editor_manage_tickets', argument=None, user_id=curator.id, ) db.session.add(curator_action) db.session.commit() yield ActionUsers.query.filter_by(action='editor_manage_tickets').delete() User.query.filter_by(email='*****@*****.**').delete() User.query.filter_by(email='*****@*****.**').delete() db.session.commit()
def test_invenio_access_permission_cache_redis(app): """Caching the user using redis.""" cache = RedisCache() InvenioAccess(app, cache=cache) with app.test_request_context(): user_can_all = User(email='*****@*****.**') user_can_open = User(email='*****@*****.**') db.session.add(user_can_all) db.session.add(user_can_open) db.session.add(ActionUsers(action='open', user=user_can_all)) db.session.flush() identity_open = FakeIdentity(UserNeed(user_can_open.id)) permission_open = DynamicPermission(ActionNeed('open')) assert not permission_open.allows(identity_open) assert current_access.get_action_cache('open') == (set( [Need(method='id', value=1)]), set([])) db.session.add(ActionUsers(action='open', user=user_can_open)) db.session.flush() permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_open) assert current_access.get_action_cache('open') == (set( [Need(method='id', value=1), Need(method='id', value=2)]), set([]))
def setUp(self): super(ProviderTestCase, self).setUp() # Set environment variable DEBUG to true, to allow testing without # SSL in oauthlib. if self.app.config.get('CFG_SITE_SECURE_URL').startswith('http://'): self.os_debug = os.environ.get('OAUTHLIB_INSECURE_TRANSPORT', '') os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = 'true' from invenio_accounts.models import User from invenio_oauth2server.models import Client, Scope from invenio_oauth2server.registry import scopes as scopes_registry # Register a test scope scopes_registry.register(Scope('test:scope')) self.base_url = self.app.config.get('CFG_SITE_SECURE_URL') # Create needed objects u = User(email='*****@*****.**', nickname='tester') u.password = "******" u2 = User(email='*****@*****.**', nickname='tester2') u2.password = "******" db.session.add(u) db.session.add(u2) c1 = Client(client_id='dev', client_secret='dev', name='dev', description='', is_confidential=False, user=u, _redirect_uris='%s/oauth2test/authorized' % self.base_url, _default_scopes="test:scope") c2 = Client(client_id='confidential', client_secret='confidential', name='confidential', description='', is_confidential=True, user=u, _redirect_uris='%s/oauth2test/authorized' % self.base_url, _default_scopes="test:scope") db.session.add(c1) db.session.add(c2) db.session.commit() self.objects = [u, u2, c1, c2] # Create a personal access token as well. from invenio_oauth2server.models import Token self.personal_token = Token.create_personal('test-personal', 1, scopes=[], is_internal=True)
def test_invenio_access_permission_cache(app): """Caching the user using memory caching.""" cache = SimpleCache() InvenioAccess(app, cache=cache) with app.test_request_context(): user_can_all = User(email='*****@*****.**') user_can_open = User(email='*****@*****.**') user_can_open_1 = User(email='*****@*****.**') db.session.add(user_can_all) db.session.add(user_can_open) db.session.add(user_can_open_1) db.session.add(ActionUsers(action='open', user=user_can_all)) db.session.flush() permission_open = DynamicPermission(ActionNeed('open')) identity_open = FakeIdentity(UserNeed(user_can_open.id)) assert not permission_open.allows(identity_open) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1)]), set([]) ) db.session.add(ActionUsers(action='open', user=user_can_open)) db.session.flush() permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_open) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) db.session.add(ActionUsers(action='open', argument=1, user=user_can_open_1)) db.session.flush() identity_open_1 = FakeIdentity(UserNeed(user_can_open_1.id)) permission_open_1 = DynamicPermission( ParameterizedActionNeed('open', '1')) assert not permission_open.allows(identity_open_1) assert permission_open_1.allows(identity_open_1) assert current_access.get_action_cache('open::1') == ( set([Need(method='id', value=1), Need(method='id', value=2), Need(method='id', value=3)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) )
def test_verify_email_works_with_numbers_and_strings(self): from invenio_accounts.models import User u = User(email="*****@*****.**", password="") u.note = 2 self.assertTrue(u.verify_email()) u2 = User(email="*****@*****.**", password="") u2.note = "2" self.assertTrue(u2.verify_email())
def test_invenio_access_permission_for_users(app): """User can access to an action allowed/denied to the user""" InvenioAccess(app) with app.test_request_context(): db.session.begin(nested=True) superuser = User(email='*****@*****.**') user_can_all = User(email='*****@*****.**') user_can_read = User(email='*****@*****.**') user_can_open = User(email='*****@*****.**') db.session.add(superuser) db.session.add(user_can_all) db.session.add(user_can_read) db.session.add(user_can_open) db.session.add(ActionUsers(action='superuser-access', user=superuser)) db.session.add(ActionUsers(action='open', user=user_can_all)) db.session.add(ActionUsers(action='open', user=user_can_open)) db.session.add(ActionUsers(action='read', user=user_can_all)) db.session.add(ActionUsers(action='read', user=user_can_read)) db.session.add(ActionUsers(action='not_logged', user=user_can_all)) db.session.commit() permission_open = DynamicPermission(ActionNeed('open')) permission_read = DynamicPermission(ActionNeed('read')) permission_not_logged = DynamicPermission(ActionNeed('not_logged')) identity_superuser = FakeIdentity(UserNeed(superuser.id)) identity_all = FakeIdentity(UserNeed(user_can_all.id)) identity_read = FakeIdentity(UserNeed(user_can_read.id)) identity_open = FakeIdentity(UserNeed(user_can_open.id)) identity_unknown = AnonymousIdentity() # global permissions assert permission_open.allows(identity_superuser) assert permission_read.allows(identity_superuser) assert permission_open.allows(identity_all) assert permission_read.allows(identity_all) assert permission_not_logged.allows(identity_all) assert permission_open.allows(identity_open) assert not permission_read.allows(identity_open) assert not permission_not_logged.allows(identity_open) assert not permission_open.allows(identity_read) assert permission_read.allows(identity_read) assert not permission_not_logged.allows(identity_read) assert not permission_open.allows(identity_unknown) assert not permission_read.allows(identity_unknown)
def test_case_insensitive_username(app): """Test case-insensitive uniqueness.""" with app.app_context(): with db.session.begin_nested(): u1 = User(email='*****@*****.**') u2 = User(email='*****@*****.**') db.session.add(u1, u2) profile1 = UserProfile(user=u1, username="******") profile2 = UserProfile(user=u2, username="******") db.session.add(profile1) db.session.add(profile2) pytest.raises(IntegrityError, db.session.commit)
def setUp(self): super(RemoteTokenTestCase, self).setUp() from invenio_accounts.models import User u1 = User(nickname='RemoteTokenTestCaseUser1', password='') u2 = User(nickname='RemoteTokenTestCaseUser2', password='') u3 = User(nickname='RemoteTokenTestCaseUser3', password='') db.session.add(u1) db.session.add(u2) db.session.add(u3) db.session.commit() self.u1 = u1.id self.u2 = u2.id self.u3 = u3.id db.session.expunge_all()
def sync_user_and_profile(cls, data): """Create or update the rero user with the patron data. :param data - dict representing the patron data """ # start a session to be able to rollback if the data are not valid with db.session.begin_nested(): user = cls._get_user_by_data(data) # need to create the user if not user: birth_date = data.get('birth_date') # sanity check if not birth_date: raise RecordValidationError('birth_date field is required') # the default password is the birth date user = User(email=data.get('email'), password=hash_password(birth_date), profile=dict(), active=True) db.session.add(user) # update all common fields for field in cls.profile_fields: # date field need conversion if field == 'birth_date': setattr(user.profile, field, datetime.strptime(data.get(field), '%Y-%m-%d')) else: setattr(user.profile, field, data.get(field, '')) db.session.merge(user) if not data.get('user_id'): # the fresh created user return user
def mock_user(app, request): def teardown(app): with app.app_context(): user = User.query.filter_by(id=2).first() token = RemoteToken.query.filter_by(access_token='123').first() user_identity = UserIdentity.query.filter_by( id='0000-0001-9412-8627', method='orcid').first() remote_account = RemoteAccount.query.filter_by(user_id=2).first() with db.session.begin_nested(): db.session.delete(token) db.session.delete(user_identity) db.session.delete(remote_account) db.session.delete(user) db.session.commit() request.addfinalizer(lambda: teardown(app)) user = User(id=2, ) token = RemoteToken(id_remote_account=1, access_token='123') user_identity = UserIdentity(id='0000-0001-9412-8627', id_user='******', method='orcid') remote_account = RemoteAccount(id=1, user_id=2, extra_data={}, client_id=1, user=user) with app.app_context(): with db.session.begin_nested(): db.session.add(user) db.session.add(user_identity) db.session.add(remote_account) db.session.add(token) db.session.commit() return MockUser(app)
def system_user(app, db): """Create a regular system user.""" user = User(**dict(email="*****@*****.**", active=True)) db.session.add(user) db.session.commit() user_id = user.id identity = UserIdentity(**dict(id="1", method="cern", id_user=user_id)) db.session.add(identity) profile = UserProfile( **dict( user_id=user_id, _displayname="id_" + str(user_id), full_name="System User", ) ) db.session.add(profile) remote_account = RemoteAccount( client_id="CLIENT_ID", **dict( user_id=user_id, extra_data=dict(person_id="1", department="Department"), ) ) db.session.add(remote_account) db.session.commit() return user
def oauth_register(account_info, form_data=None): """Register user if possible.""" from invenio_accounts.models import User email = account_info.get("email") if form_data and form_data.get("email"): email = form_data.get("email") if email: note = '1' if cfg['CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT']: note = '2' if not User.query.filter_by(email=email).first(): # Email does not already exists. so we can proceed to register # user. u = User(nickname=account_info.get('nickname', ''), email=email, password=None, note=note) try: db.session.add(u) db.session.commit() except Exception: current_app.logger.exception("Cannot create user") return None # verify the email if note == '2': u.verify_email() return UserInfo(u.id) return None
def _import_users(users, users_identities, users_profiles, remote_accounts): """Import users in db.""" click.secho('Migrating {0} users'.format(len(users)), fg='green') for user in users: user = User(**user) db.session.add(user) click.secho('Migrating {0} user identities'.format( len(users_identities)), fg='green') for identity in users_identities: user_identity = UserIdentity(**identity) db.session.add(user_identity) click.secho('Migrating {0} user profiles'.format(len(users_profiles)), fg='green') for profile in users_profiles: user_profile = UserProfile(**profile) db.session.add(user_profile) click.secho('Migrating {0} remote accoutns'.format( len(remote_accounts)), fg='green') client_id = current_app.config['CERN_APP_CREDENTIALS']['consumer_key'] for account in remote_accounts: remote_account = RemoteAccount(client_id=client_id, **account) db.session.add(remote_account) db.session.commit()
def test_profiles(app): """Test the user profile.""" user = User(email="*****@*****.**") profile = { "full_name": "Invenio Admin", } with pytest.raises(ValueError): # the profile doesn't expect an 'email' value user.user_profile = { **profile, "email": "*****@*****.**", } assert user.user_profile == {} # a valid profile should be accepted user.user_profile = profile assert dict(user.user_profile) == profile # setting expected properties should work assert len(user.user_profile) == 1 assert user.user_profile["full_name"] == "Invenio Admin" # but setting unexpected properties should not work with pytest.raises(ValueError): user.user_profile["invalid"] = "value" # similar with wrong types for expected fields with pytest.raises(ValueError): user.user_profile["email"] = 1 assert len(user.user_profile) == 1 assert user.user_profile["full_name"] == "Invenio Admin"
def test_get_job_recipient_internal_uid(base_app, db, es_clear): expected_email = "*****@*****.**" user = User() user.email = expected_email user.active = True user.id = 23 db.session.add(user) test_user = UserIdentity(id="user", method="test", id_user=user.id) db.session.add(test_user) job = { "acquisition_source": { "datetime": "2019-07-04T11:21:22.611086", "email": "*****@*****.**", "internal_uid": user.id, "method": "submitter", "orcid": "0000-0002-8672-7088", "source": "submitter", "submission_number": "None", } } email = get_job_recipient(job) # The email is not the one in acquisition_source but in the user account assert email == expected_email
def setup_app(app): with app.app_context(): db.drop_all() db.create_all() reindex_all(recreate=True) ctx = app.test_request_context() ctx.push() user_count = User.query.filter_by(email='*****@*****.**').count() if user_count == 0: user = User(email=TEST_EMAIL, password='******', active=True) admin_role = Role(name='admin') coordinator_role = Role(name='coordinator') user.roles.append(admin_role) user.roles.append(coordinator_role) db.session.add(admin_role) db.session.add(coordinator_role) db.session.add(user) db.session.commit() yield app ctx.pop()
def patron1(app, db): """Create a patron user.""" user = User(**dict(email="*****@*****.**", active=True)) db.session.add(user) db.session.commit() user_id = user.id identity = UserIdentity(**dict(id="1", method="cern", id_user=user_id)) db.session.add(identity) profile = UserProfile( **dict( user_id=user_id, _displayname="id_" + str(user_id), full_name="System User", ) ) db.session.add(profile) client_id = app.config["CERN_APP_OPENID_CREDENTIALS"]["consumer_key"] remote_account = RemoteAccount( client_id=client_id, **dict( user_id=user_id, extra_data=dict(person_id="1", department="Department"), ) ) db.session.add(remote_account) db.session.commit() return user
def test_invenio_access_permission_for_system_roles(app): """User can access to an action allowed/denied to their system roles.""" InvenioAccess(app) with app.test_request_context(): db.session.begin(nested=True) user = User(email='*****@*****.**') db.session.add(user) db.session.add(ActionSystemRoles.allow( action=ActionNeed('open'), role=authenticated_user)) db.session.add(ActionSystemRoles.allow( action=ActionNeed('write'), role_name='any_user')) db.session.commit() permission_open = DynamicPermission(ActionNeed('open')) permission_write = DynamicPermission(ActionNeed('write')) identity_anon_user = FakeIdentity(any_user) identity_auth_user = FakeIdentity(authenticated_user, any_user) assert not permission_open.allows(identity_anon_user) assert permission_open.allows(identity_auth_user) assert permission_write.allows(identity_anon_user) assert permission_write.allows(identity_auth_user)