def testApplyACLByGroup(self):
    """security: an ACL entry naming a group applies to that group's members."""
    # ACL under test: PGroup and AllGroup get read/write/admin, AGroup gets read.
    acl_rights = [
        "PGroup,AllGroup:read,write,admin "
        "AGroup:read "
    ]
    acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)

    # (user name, rights the ACL is expected to grant that user)
    expectations = (
        ('Antony', ('read', 'write', 'admin')),  # in PGroup
        ('Beatrice', ('read', 'write', 'admin')),  # in PGroup
        ('Charles', ('read',)),  # virtually in AGroup
    )

    for name, granted in expectations:
        # Every configured right that is not expected must be refused.
        refused = [
            candidate
            for candidate in app.cfg.acl_rights_contents
            if candidate not in granted
        ]
        # Positive half: the expected rights are granted.
        for right in granted:
            assert acl.may(name, right)
        # Negative half: nothing beyond the expected rights leaks through.
        for right in refused:
            assert not acl.may(name, right)
def test_backend_acl_with_all(self):
    """
    Combine a group entry with the catch-all ``All`` entry.

    Every name in the expanded EditorGroup must hold read, write and admin,
    while the user "Someone" must hold read only.
    """
    acl = AccessControlList(
        ["EditorGroup:read,write,admin All:read"],
        valid=app.cfg.acl_rights_contents,
    )

    group_rights = ("read", "write", "admin")
    for editor in self.expanded_groups[u'EditorGroup']:
        for right in group_rights:
            assert acl.may(editor, right)

    # "Someone" is expected to get no more than the All entry grants.
    other_user = u"Someone"
    assert acl.may(other_user, "read")
    for right in ("write", "admin"):
        assert not acl.may(other_user, right)
def test_backend_acl_deny(self):
    """
    Test that the wiki group backend works with the ACL code (deny side).

    A user outside AdminGroup must get none of the group's rights, and a
    member must not get a right the ACL entry does not list.
    """
    acl = AccessControlList(
        ["AdminGroup:read,write"],
        valid=app.cfg.acl_rights_contents,
    )
    admin_group = 'AdminGroup'

    # Precondition: SomeUser really is not a member of the group.
    outsider = u"SomeUser"
    assert outsider not in flaskg.groups[admin_group]
    for right in ("read", "write"):
        allowed = acl.may(outsider, right)
        assert not allowed, 'SomeUser must not have {0} permission because he is not listed in the AdminGroup'.format(right)

    # Admin1 is a member, but the entry grants read,write only: admin stays denied.
    assert u'Admin1' in flaskg.groups[admin_group]
    assert not acl.may(u"Admin1", "admin")
def test_backend_acl_not_existing_group(self):
    """An ACL entry for a group that does not exist must not grant write."""
    # Precondition: the group named in the ACL is unknown to the backend.
    unknown_group = u'NotExistingGroup'
    assert unknown_group not in flaskg.groups

    acl = AccessControlList(
        ["NotExistingGroup:read,write,admin All:read"],
        valid=app.cfg.acl_rights_contents,
    )
    write_allowed = acl.may(u"Someone", "write")
    assert not write_allowed
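def test_backend_acl_allow(self):
    """
    Test if the wiki group backend works with acl code.

    Check that every member of the expanded AdminGroup holds each right the
    ACL entry grants to the group.
    """
    acl_rights = ["AdminGroup:admin,read,write"]
    acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)

    for user in self.expanded_groups['AdminGroup']:
        for permission in ["read", "write", "admin"]:
            # Query the ACL for the member being iterated. Asking for the
            # fixed name "Admin1" on every pass would leave all other group
            # members unverified while the failure message names them.
            assert acl.may(user, permission), '{0} must have {1} permission because he is member of the AdminGroup'.format(user, permission)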
def test_wiki_backend_item_acl_usergroupmember_item(self):
    """
    Test that ACL checks follow changes to a group stored as a wiki item.

    The NewGroup item is first written listing only ExampleUser and
    AnotherUser's read right is sampled. The item is then written again
    listing AnotherUser, and the read right is sampled a second time.
    """
    become_trusted()
    update_item(u'NewGroup', {USERGROUP: ["ExampleUser"]}, DATA)

    acl = AccessControlList(
        ["NewGroup:read,write"],
        valid=app.cfg.acl_rights_contents,
    )
    read_before = acl.may(u"AnotherUser", "read")

    # Rewrite the group item so that its member list names AnotherUser. The
    # same ACL object is queried afterwards, so its answer has to reflect the
    # updated membership.
    update_item(u'NewGroup', {USERGROUP: ["AnotherUser"]}, '')
    read_after = acl.may(u"AnotherUser", "read")

    # Both samples are taken before either assertion runs.
    assert not read_before, 'AnotherUser has no read rights because in the beginning he is not a member of a group item NewGroup'
    assert read_after, 'AnotherUser must have read rights because after appenditem he is member of NewGroup'
def testApplyACLByUser(self):
    """security: an ACL entry naming a user applies to exactly that user."""
    # ACL under test, written as one string of space-separated entries.
    acl_rights = [
        "-MinusGuy:read "
        "+MinusGuy:read "
        "+PlusGuy:read "
        "-PlusGuy:read "
        "Admin1,Admin2:read,write,admin "
        "Admin3:read,write,admin "
        "JoeDoe:read,write "
        "name with spaces,another one:read,write "
        "CamelCase,extended name:read,write "
        "BadGuy: "
        "All:read "
    ]
    acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)

    # (user name, rights the ACL is expected to grant that user)
    expectations = (
        # CamelCase names
        ('Admin1', ('read', 'write', 'admin')),
        ('Admin2', ('read', 'write', 'admin')),
        ('Admin3', ('read', 'write', 'admin')),
        ('JoeDoe', ('read', 'write')),
        ('SomeGuy', ('read',)),
        # Extended names, alone or mixed with CamelCase names
        ('name with spaces', ('read', 'write')),
        ('another one', ('read', 'write')),
        ('CamelCase', ('read', 'write')),
        ('extended name', ('read', 'write')),
        # An entry with an empty rights list blocks the user entirely,
        # even though a later All entry grants read.
        ('BadGuy', ()),
        # Users with no entry of their own are covered by the All entry.
        ('All', ('read',)),
        ('Anonymous', ('read',)),
        # With +/- modifiers the expected result follows the first entry
        # that matches the user and right; the later contradicting entry
        # must not override it.
        ('MinusGuy', ()),
        ('PlusGuy', ('read',)),
    )

    for name, granted in expectations:
        # Every configured right that is not expected must be refused.
        refused = [
            candidate
            for candidate in app.cfg.acl_rights_contents
            if candidate not in granted
        ]
        # Positive half: the expected rights are granted.
        for right in granted:
            assert acl.may(name, right)
        # Negative half: nothing beyond the expected rights leaks through.
        for right in refused:
            assert not acl.may(name, right)