class ForeignKeyTest(TestCase):
def setUp(self):
self.user = User.objects.create_user(
'useruser',
'*****@*****.**',
'useruser')
self.user.save()
self.user_group = UserGroup(name='user_group')
self.user_group.save()
self.user_group.members.add(self.user)
self.user_group.save()
self.data_set1 = DataSet(name='data_set10')
self.data_set1.save()
self.data_set2 = DataSet(name='data_set20')
self.data_set2.save()
self.permission_mapper = PermissionMapper()
self.permission_mapper.save()
self.permission_mapper.user_group = self.user_group
self.permission_mapper.data_set = self.data_set1
self.permission_mapper.save()
def test_foreignkey_works_if_no_dataset(self):
content = Content.objects.create(name="Some content without dataset")
foreign = (testmodels.ContentWithForeignKeyToContentWithDataset
.objects.create(
name="Whee", content_id=content.pk))
# Raises no exception
self.assertTrue(foreign.content)
def test_foreignkey_works_if_dataset_with_access(self):
content = Content.objects.create(
name="Some content with dataset",
data_set=self.data_set1)
foreign = (testmodels.ContentWithForeignKeyToContentWithDataset
.objects.create(
name="Whee", content_id=content.pk))
# Raises no exception
self.assertTrue(foreign.content)
def test_foreignkey_raises_if_dataset_without_access(self):
content = Content.objects.create(
name="Some content with dataset but no access",
data_set=self.data_set2)
foreign = (testmodels.ContentWithForeignKeyToContentWithDataset
.objects.create(
name="Whee", content_id=content.pk))
self.assertRaises(
Content.DoesNotExist, lambda: foreign.content)
def field_from_native(self, data, files, field_name, into):
permission_mappers = []
for pm_json in data.getlist('permission_mappers'):
pm_data = json.loads(pm_json)
if 'id' in pm_data:
pm = PermissionMapper.objects.get(pk=pm_data['id'])
else:
pm = PermissionMapper()
pm.permission_group = Role.objects.get(
pk=pm_data['permission_group'])
pm.user_group = UserGroup.objects.get(pk=pm_data['user_group'])
permission_mappers.append(pm)
into['permission_mappers'] = permission_mappers
def field_from_native(self, data, files, field_name, into):
permission_mappers = []
for pm_json in data.getlist('permission_mappers'):
pm_data = json.loads(pm_json)
if 'id' in pm_data:
pm = PermissionMapper.objects.get(pk=pm_data['id'])
else:
pm = PermissionMapper()
pm.permission_group = Role.objects.get(
pk=pm_data['permission_group'])
pm.user_group = UserGroup.objects.get(pk=pm_data['user_group'])
permission_mappers.append(pm)
into['permission_mappers'] = permission_mappers
def setUp(self):
self.middleware = SecurityMiddleware()
request_factory = RequestFactory()
self.request = request_factory.get('/some/url')
self.user = User.objects.create_user(
'useruser',
'*****@*****.**',
'useruser')
self.user.save()
self.user_group = UserGroup(name='user_group')
self.user_group.save()
self.user_group.members.add(self.user)
self.user_group.save()
self.data_set1 = DataSet(name='data_set10')
self.data_set1.save()
self.data_set2 = DataSet(name='data_set20')
self.data_set2.save()
self.permission_mapper = PermissionMapper()
self.permission_mapper.save()
self.permission_mapper.user_group = self.user_group
self.permission_mapper.data_set = self.data_set1
self.permission_mapper.save()
self.geo_content1 = GeoContent()
self.geo_content1.save()
self.geo_content1.data_set = self.data_set1
self.geo_content1.save()
self.geo_content2 = GeoContent()
self.geo_content2.save()
self.geo_content2.data_set = self.data_set2
self.geo_content2.save()
self.geo_content3 = GeoContent()
self.geo_content3.save()
self.geo_content3.data_set = None
self.geo_content3.save()
def setUp(self):
self.backend = LizardPermissionBackend()
self.manager = User.objects.create_user(
'managermanager',
'*****@*****.**',
'managermanager')
self.manager.save()
self.manager.is_staff = True
self.manager.save()
self.user_group = UserGroup()
self.user_group.save()
self.data_set = DataSet(name='data_set')
self.data_set.save()
self.content = Content()
self.content.save()
self.content.data_set = self.data_set
self.content.save()
self.permission_mapper = PermissionMapper()
self.permission_mapper.save()
self.permission_mapper.user_group = self.user_group
self.permission_mapper.data_set = self.data_set
self.permission_mapper.save()
self.content = Content()
self.content.save()
self.content.data_set = self.data_set
self.content.save()
class FilteredGeoManagerTest(TestCase):
def setUp(self):
self.middleware = SecurityMiddleware()
request_factory = RequestFactory()
self.request = request_factory.get('/some/url')
self.user = User.objects.create_user(
'useruser',
'*****@*****.**',
'useruser')
self.user.save()
self.user_group = UserGroup(name='user_group')
self.user_group.save()
self.user_group.members.add(self.user)
self.user_group.save()
self.data_set1 = DataSet(name='data_set10')
self.data_set1.save()
self.data_set2 = DataSet(name='data_set20')
self.data_set2.save()
self.permission_mapper = PermissionMapper()
self.permission_mapper.save()
self.permission_mapper.user_group = self.user_group
self.permission_mapper.data_set = self.data_set1
self.permission_mapper.save()
self.geo_content1 = GeoContent()
self.geo_content1.save()
self.geo_content1.data_set = self.data_set1
self.geo_content1.save()
self.geo_content2 = GeoContent()
self.geo_content2.save()
self.geo_content2.data_set = self.data_set2
self.geo_content2.save()
self.geo_content3 = GeoContent()
self.geo_content3.save()
self.geo_content3.data_set = None
self.geo_content3.save()
def test_geo_manager(self):
request = Mock()
request.user = self.user
request.allowed_data_set_ids = set([self.data_set1.id])
print request.allowed_data_set_ids
geo_manager.request = request
self.assertEqual(len(GeoContent.objects.all()), 2)
def test_data_set_append_plus_user_group_relation(self):
self.request.user = self.user1
self.user_group1.members.add(self.user1)
self.user_group1.save()
self.permission_mapper1 = PermissionMapper()
self.permission_mapper1.save()
self.permission_mapper1.user_group = self.user_group1
self.permission_mapper1.data_set = self.data_set1
self.permission_mapper1.save()
self.request.allowed_data_set_ids = set([42])
self.middleware.process_request(self.request)
self.assertSetEqual(set([42, self.data_set1.id]),
self.request.allowed_data_set_ids)
def test_data_sets_for_member(self):
self.request.user = self.user1
self.user_group1.members.add(self.user1)
self.user_group1.save()
self.permission_mapper1 = PermissionMapper()
self.permission_mapper1.save()
self.permission_mapper1.user_group = self.user_group1
self.permission_mapper1.data_set = self.data_set1
self.permission_mapper1.save()
self.request.user_group_ids = set([self.user_group1.id])
# ^^^ By hand instead of via ._user_group_ids()
self.assertSetEqual(set([self.data_set1.id]),
set(self.middleware._data_sets(self.request)))
def test_no_filtering(self):
# We have a data_set link, but we don't actually want to be filtered
# ourselves as we need to be queried to determin the data_set
# access. Chicken-egg problem. (Which only surfaces when debugging,
# btw.)
data_set1 = DataSet(name='data_set1')
data_set1.save()
permission_mapper = PermissionMapper(name='test')
permission_mapper.save()
permission_mapper.data_set = data_set1
permission_mapper.save()
self.assertListEqual(list(PermissionMapper.objects.all()),
[permission_mapper])
def setUp(self):
self.user = User.objects.create_user(
'useruser',
'*****@*****.**',
'useruser')
self.user.save()
self.user_group = UserGroup(name='user_group')
self.user_group.save()
self.user_group.members.add(self.user)
self.user_group.save()
self.data_set1 = DataSet(name='data_set10')
self.data_set1.save()
self.data_set2 = DataSet(name='data_set20')
self.data_set2.save()
self.permission_mapper = PermissionMapper()
self.permission_mapper.save()
self.permission_mapper.user_group = self.user_group
self.permission_mapper.data_set = self.data_set1
self.permission_mapper.save()
def test_partial_manager(self):
"""A manager of just some bits of test content should get in, too."""
client = Client()
self.assertTrue(client.login(username='******',
password='******'))
response = client.get('/admin/testcontent/content/')
# Permission denied as we don't have user group access.
self.assertEquals(response.status_code, 403)
# Now add content. Still no access.
self.user_group.members.add(self.manager)
self.user_group.save()
self.data_set = DataSet(name='data_set')
self.data_set.save()
self.permission_mapper = PermissionMapper()
self.permission_mapper.save()
self.permission_mapper.user_group = self.user_group
self.permission_mapper.data_set = self.data_set
self.permission_mapper.save()
self.content = Content()
self.content.save()
self.content.data_set = self.data_set
self.content.save()
response = client.get('/admin/testcontent/content/')
self.assertEquals(response.status_code, 403)
# Just the right permission on a group that we're not connected to
# means nothing.
add_permission = Permission.objects.get(codename='change_content')
group = Group()
group.save()
group.permissions.add(add_permission)
group.save()
response = client.get('/admin/testcontent/content/')
self.assertEquals(response.status_code, 403)
# With rights via a user group, we ought to have access.
self.permission_mapper.permission_group = group
self.permission_mapper.save()
response = client.get('/admin/testcontent/content/')
self.assertEquals(response.status_code, 200)
# We also see something on the main admin page.
response = client.get('/admin/')
self.assertEquals(response.status_code, 200)
class MiddlewareTest(TestCase):
def setUp(self):
self.middleware = SecurityMiddleware()
request_factory = RequestFactory()
self.request = request_factory.get('/some/url')
self.request.session = {} # Weird that it is needed.
self.admin1 = User(email='*****@*****.**', username='******')
self.admin1.save()
self.user1 = User(email='*****@*****.**', username='******')
self.user1.save()
self.user2 = User(email='*****@*****.**', username='******')
self.user2.save()
self.user_group1 = UserGroup(name='user_group1')
self.user_group1.save()
self.user_group2 = UserGroup(name='user_group2')
self.user_group2.save()
self.data_set1 = DataSet(name='data_set1')
self.data_set1.save()
self.data_set2 = DataSet(name='data_set2')
self.data_set2.save()
def test_user_groups_for_anonymous(self):
self.assertEquals([], self.middleware._user_group_ids(self.request))
self.middleware.process_request(self.request)
self.assertEquals(self.request.user_group_ids, set([]))
def test_data_sets_for_anonymous(self):
self.assertListEqual(
[],
list(self.middleware._data_sets(self.request)))
self.middleware.process_request(self.request)
self.assertEquals(self.request.allowed_data_set_ids, set([]))
def test_user_groups_for_non_member(self):
self.request.user = self.user1
self.assertListEqual(
[],
list(self.middleware._user_group_ids(self.request)))
def test_user_groups_for_member(self):
self.request.user = self.user1
self.user_group1.members.add(self.user1)
self.user_group1.save()
self.assertListEqual(
[self.user_group1.id],
list(self.middleware._user_group_ids(self.request)))
def test_user_groups_append(self):
self.request.user = self.user1
self.user_group1.members.add(self.user1)
self.user_group1.save()
self.request.user_group_ids = set([42])
self.middleware.process_request(self.request)
self.assertSetEqual(set([42, self.user_group1.id]),
self.request.user_group_ids)
def test_data_sets_for_non_member(self):
self.request.user_group_ids = set([])
self.assertListEqual([],
list(self.middleware._data_sets(self.request)))
def test_data_sets_for_member(self):
self.request.user = self.user1
self.user_group1.members.add(self.user1)
self.user_group1.save()
self.permission_mapper1 = PermissionMapper()
self.permission_mapper1.save()
self.permission_mapper1.user_group = self.user_group1
self.permission_mapper1.data_set = self.data_set1
self.permission_mapper1.save()
self.request.user_group_ids = set([self.user_group1.id])
# ^^^ By hand instead of via ._user_group_ids()
self.assertSetEqual(set([self.data_set1.id]),
set(self.middleware._data_sets(self.request)))
def test_data_set_append_plus_user_group_relation(self):
self.request.user = self.user1
self.user_group1.members.add(self.user1)
self.user_group1.save()
self.permission_mapper1 = PermissionMapper()
self.permission_mapper1.save()
self.permission_mapper1.user_group = self.user_group1
self.permission_mapper1.data_set = self.data_set1
self.permission_mapper1.save()
self.request.allowed_data_set_ids = set([42])
self.middleware.process_request(self.request)
self.assertSetEqual(set([42, self.data_set1.id]),
self.request.allowed_data_set_ids)
class PermissionBackendTest(TestCase):
def setUp(self):
self.backend = LizardPermissionBackend()
self.manager = User.objects.create_user(
'managermanager',
'*****@*****.**',
'managermanager')
self.manager.save()
self.manager.is_staff = True
self.manager.save()
self.user_group = UserGroup()
self.user_group.save()
self.data_set = DataSet(name='data_set')
self.data_set.save()
self.content = Content()
self.content.save()
self.content.data_set = self.data_set
self.content.save()
self.permission_mapper = PermissionMapper()
self.permission_mapper.save()
self.permission_mapper.user_group = self.user_group
self.permission_mapper.data_set = self.data_set
self.permission_mapper.save()
self.content = Content()
self.content.save()
self.content.data_set = self.data_set
self.content.save()
def test_no_authentication(self):
self.assertEquals(None, self.backend.authenticate())
def test_security_module_perms(self):
"""Usergroup managers need specific access to our module in de admin.
"""
self.assertFalse(
self.backend.has_module_perms(self.manager, 'lizard_security'))
self.user_group.managers.add(self.manager)
self.user_group.save()
self.assertTrue(
self.backend.has_module_perms(self.manager, 'lizard_security'))
def test_has_perm_only_objects(self):
self.assertFalse(self.backend.has_perm('dont care', 'none.can_exist'))
def test_has_perm(self):
add_permission = Permission.objects.get(codename='change_content')
group = Group()
group.save()
group.permissions.add(add_permission)
group.save()
self.permission_mapper.permission_group = group
self.permission_mapper.save()
self.assertFalse(self.backend.has_perm(
self.manager, 'testcontent.change_content', self.content))
# If we belong to the right group, we *do* have access.
with patch('lizard_security.backends.request') as request:
request.user_group_ids = [self.user_group.id]
request.allowed_data_set_ids = [self.data_set.id]
self.assertTrue(self.backend.has_perm(
self.manager, 'testcontent.change_content', self.content))
def test_has_perm_with_implicit_view_perm(self):
with patch('lizard_security.backends.request') as request:
request.user_group_ids = [self.user_group.id]
request.allowed_data_set_ids = [self.data_set.id]
self.assertTrue(self.backend.has_perm(
self.manager,
'lizard_security.can_view_lizard_data',
self.content))
def test_has_perm_with_unset_dataset(self):
# And now without a dataset.
add_permission = Permission.objects.get(codename='change_content')
group = Group()
group.save()
group.permissions.add(add_permission)
group.save()
self.permission_mapper.permission_group = group
self.permission_mapper.save()
self.permission_mapper.data_set = None
self.permission_mapper.save()
self.content = Content()
self.content.save()
self.content.data_set = None
self.content.save()
self.assertFalse(self.backend.has_perm(
self.manager, 'testcontent.change_content', self.content))
# If we belong to the right group, we *do* have access.
with patch('lizard_security.backends.request') as request:
request.user_group_ids = [self.user_group.id]
request.allowed_data_set_ids = []
self.assertTrue(self.backend.has_perm(
self.manager, 'testcontent.change_content', self.content))
class AdminInterfaceTests(TestCase):
def setUp(self):
self.admin = User.objects.create_user(
'adminadmin',
'*****@*****.**',
'adminadmin')
self.admin.save()
self.admin.is_superuser = True
self.admin.is_staff = True
self.admin.save()
self.manager = User.objects.create_user(
'managermanager',
'*****@*****.**',
'managermanager')
self.manager.save()
self.manager.is_staff = True
self.manager.save()
self.user_group = UserGroup()
self.user_group.save()
def test_smoke(self):
"""Looking as admin at the admin pages should not crash them :-)"""
client = Client()
self.assertTrue(client.login(username='******',
password='******'))
response = client.get('/admin/')
self.assertEquals(response.status_code, 200)
response = client.get('/admin/lizard_security/dataset/')
self.assertEquals(response.status_code, 200)
response = client.get('/admin/lizard_security/permissionmapper/')
self.assertEquals(response.status_code, 200)
response = client.get('/admin/lizard_security/usergroup/')
self.assertEquals(response.status_code, 200)
def test_partial_manager(self):
"""A manager of just some bits of test content should get in, too."""
client = Client()
self.assertTrue(client.login(username='******',
password='******'))
response = client.get('/admin/testcontent/content/')
# Permission denied as we don't have user group access.
self.assertEquals(response.status_code, 403)
# Now add content. Still no access.
self.user_group.members.add(self.manager)
self.user_group.save()
self.data_set = DataSet(name='data_set')
self.data_set.save()
self.permission_mapper = PermissionMapper()
self.permission_mapper.save()
self.permission_mapper.user_group = self.user_group
self.permission_mapper.data_set = self.data_set
self.permission_mapper.save()
self.content = Content()
self.content.save()
self.content.data_set = self.data_set
self.content.save()
response = client.get('/admin/testcontent/content/')
self.assertEquals(response.status_code, 403)
# Just the right permission on a group that we're not connected to
# means nothing.
add_permission = Permission.objects.get(codename='change_content')
group = Group()
group.save()
group.permissions.add(add_permission)
group.save()
response = client.get('/admin/testcontent/content/')
self.assertEquals(response.status_code, 403)
# With rights via a user group, we ought to have access.
self.permission_mapper.permission_group = group
self.permission_mapper.save()
response = client.get('/admin/testcontent/content/')
self.assertEquals(response.status_code, 200)
# We also see something on the main admin page.
response = client.get('/admin/')
self.assertEquals(response.status_code, 200)
def test_smoke(self):
permission_mapper = PermissionMapper(name='test')
permission_mapper.save()
self.assertTrue(permission_mapper)
self.assertTrue(unicode(permission_mapper))