def test_group_permission_remove_proper(self, full_app, sqla_session):
perm_name = 'edit'
with session_context(sqla_session) as session:
admin, token = create_admin(session)
group = create_group({'group_name': 'aaaa'}, sqla_session=session)
resource = create_entry({
'resource_name': 'entry-x',
'note': 'x'
},
sqla_session=session)
perm_inst = GroupResourcePermission(group_id=group.id,
perm_name=perm_name)
resource.group_permissions.append(perm_inst)
node_id = resource.resource_id
qs = parse.urlencode({'group_id': group.id, 'perm_name': perm_name})
url_path = '/api/0.1/resources/{}/group_permissions?{}'.format(
node_id, qs)
headers = {str('x-testscaffold-auth-token'): str(token)}
response = full_app.delete(url_path, status=200, headers=headers)
perm_inst = GroupResourcePermissionService.get(group.id,
resource_id=node_id,
perm_name=perm_name,
db_session=sqla_session)
assert not isinstance(perm_inst, GroupResourcePermission)
def test_group_permission_add_proper(self, full_app, sqla_session):
with session_context(sqla_session) as session:
admin, token = create_admin(session)
group = create_group({'group_name': 'aaaa'}, sqla_session=session)
resource = create_entry({
'resource_name': 'entry-x',
'note': 'x'
},
sqla_session=session)
node_id = resource.resource_id
url_path = '/api/0.1/resources/{}/group_permissions'.format(node_id)
headers = {str('x-testscaffold-auth-token'): str(token)}
perm_name = 'edit'
perm_dict = {'group_id': group.id, 'perm_name': perm_name}
response = full_app.post_json(url_path,
perm_dict,
status=200,
headers=headers)
assert response.json['group_id'] == group.id
assert response.json['perm_name'] == perm_name
assert response.json['resource_id'] == node_id
perm_inst = GroupResourcePermissionService.get(group.id,
resource_id=node_id,
perm_name=perm_name,
db_session=sqla_session)
assert isinstance(perm_inst, GroupResourcePermission)
def test_group_resource_permission(self, db_session):
self.set_up_user_group_and_perms(db_session)
resource3 = add_resource_b(db_session, 3, 'other resource')
db_session.flush()
group_permission2 = GroupResourcePermission(
perm_name='group_perm2',
group_id=self.group2.id,
)
row = GroupResourcePermissionService.get(
group_id=self.group2.id, resource_id=self.resource2.resource_id,
perm_name='group_perm2', db_session=db_session)
assert row is None
self.resource2.group_permissions.append(group_permission2)
row = GroupResourcePermissionService.get(
group_id=self.group2.id, resource_id=self.resource2.resource_id,
perm_name='group_perm2', db_session=db_session)
assert row is not None
def group_permission_delete(self, resource, group_id, perm_name):
perm_inst = GroupResourcePermissionService.get(
resource_id=resource.resource_id,
group_id=group_id,
perm_name=perm_name,
db_session=self.request.dbsession)
resource.group_permissions.remove(perm_inst)
return True
def group_permission_get(self, resource_id, group_id, perm_name):
perm_inst = GroupResourcePermissionService.get(
resource_id=resource_id,
group_id=group_id,
perm_name=perm_name,
db_session=self.request.dbsession)
if not perm_inst:
raise pyramid.httpexceptions.HTTPNotFound()
return perm_inst
def delete_group_resource_permission_response(group,
resource,
permission,
db_session,
similar=True):
# type: (models.Group, ServiceOrResourceType, PermissionSet, Session, bool) -> HTTPException
"""
Get validated response on deleted group resource permission.
:param group: group for which to delete the permission.
:param resource: service or resource for which to delete the permission.
:param permission: permission with modifiers to be deleted.
:param db_session: database connection.
:param similar:
Allow matching provided permission against any similar database permission. Otherwise, must match exactly.
:returns: valid HTTP response on successful operations.
:raises HTTPException: error HTTP response of corresponding situation.
"""
check_valid_service_or_resource_permission(permission.name, resource,
db_session)
res_id = resource.resource_id
if similar:
found_perm = get_similar_group_resource_permission(
group, resource, permission, db_session=db_session)
else:
found_perm = permission
del_perm = GroupResourcePermissionService.get(group.id,
res_id,
str(found_perm),
db_session=db_session)
permission.type = PermissionType.APPLIED
perm_content = {
"permission_name": str(permission),
"permission": permission.json(),
"resource": format_resource(resource, basic_info=True),
"group": format_group(group, basic_info=True)
}
ax.verify_param(
del_perm,
not_none=True,
http_error=HTTPNotFound,
content=perm_content,
msg_on_fail=s.GroupServicePermission_DELETE_NotFoundResponseSchema.
description)
ax.evaluate_call(
lambda: db_session.delete(del_perm),
fallback=lambda: db_session.rollback(),
http_error=HTTPForbidden,
content=perm_content,
msg_on_fail=s.GroupServicePermission_DELETE_ForbiddenResponseSchema.
description)
return ax.valid_http(
http_success=HTTPOk,
detail=s.GroupServicePermission_DELETE_OkResponseSchema.description)
def test_group_resource_permission(self, db_session):
self.set_up_user_group_and_perms(db_session)
resource3 = add_resource_b(db_session, 3, 'other resource')
db_session.flush()
group_permission2 = GroupResourcePermission(
perm_name='group_perm2',
group_id=self.group2.id,
)
row = GroupResourcePermissionService.get(
group_id=self.group2.id,
resource_id=self.resource2.resource_id,
perm_name='group_perm2',
db_session=db_session)
assert row is None
self.resource2.group_permissions.append(group_permission2)
row = GroupResourcePermissionService.get(
group_id=self.group2.id,
resource_id=self.resource2.resource_id,
perm_name='group_perm2',
db_session=db_session)
assert row is not None
def upgrade():
context = get_context()
session = Session(bind=op.get_bind())
if not isinstance(context.connection.engine.dialect, PGDialect):
return
grp_res_perms = GroupResourcePermissionService.base_query(
db_session=session)
usr_res_perms = UserResourcePermissionService.base_query(
db_session=session)
for perm_list in [grp_res_perms, usr_res_perms]:
perm_map = [(perm, PermissionSet(perm.perm_name))
for perm in perm_list]
perm_rm = set()
perm_keep = set()
# find any user/group-resource that has both recursive and match permissions simultaneously
# this is not allowed anymore, so remove the match access that is redundant anyway
for perm_db, perm_set in perm_map:
perm_dup = False
for other_db, other_set in perm_map:
if perm_set is other_set:
continue
if perm_db.resource_id == other_db.resource_id and perm_set.like(
other_set):
if perm_set.scope == Scope.RECURSIVE:
perm_keep.add(perm_db)
perm_rm.add(other_db)
else:
perm_keep.add(other_db)
perm_rm.add(perm_db)
perm_dup = True
break
if not perm_dup:
perm_keep.add(perm_db)
# apply changes
for perm in perm_keep:
perm_name_raw = perm.perm_name
perm_scope = Scope.RECURSIVE
if perm_name_raw.endswith("-" + Scope.MATCH.value):
perm_name_raw = perm_name_raw.rsplit("-", 1)[0]
perm_scope = Scope.MATCH
perm.perm_name = str(PermissionSet(perm_name_raw,
scope=perm_scope))
for perm in perm_rm:
session.delete(perm)
session.commit()
def downgrade():
"""
Any existing 'BROWSE' permission must be dropped.
"""
context = get_context()
session = Session(bind=op.get_bind())
if not isinstance(context.connection.engine.dialect, PGDialect):
return
# two following lines avoids double "DELETE" erroneous call (ignore duplicate)
# https://stackoverflow.com/questions/28824401
context.connection.engine.dialect.supports_sane_rowcount = False
context.connection.engine.dialect.supports_sane_multi_rowcount = False
grp_perms = GroupResourcePermissionService.base_query(db_session=session)
usr_perms = UserResourcePermissionService.base_query(db_session=session)
for perm in grp_perms:
if perm.perm_name == "browse":
session.delete(perm)
for perm in usr_perms:
if perm.perm_name == "browse":
session.delete(perm)
session.commit()
def downgrade():
context = get_context()
session = Session(bind=op.get_bind())
if not isinstance(context.connection.engine.dialect, PGDialect):
return
# two following lines avoids double "DELETE" erroneous call (ignore duplicate)
# https://stackoverflow.com/questions/28824401
context.connection.engine.dialect.supports_sane_rowcount = False
context.connection.engine.dialect.supports_sane_multi_rowcount = False
grp_res_perms = GroupResourcePermissionService.base_query(
db_session=session)
usr_res_perms = UserResourcePermissionService.base_query(
db_session=session)
for perm_list in [grp_res_perms, usr_res_perms]:
for perm in perm_list:
perm_set = PermissionSet(perm.perm_name)
if perm_set.implicit_permission is None:
session.delete(perm)
else:
perm.perm_name = perm_set.implicit_permission
session.commit()