def test_backend_acl_not_existing_group(self):
assert u'NotExistingGroup' not in flaskg.groups
acl_rights = ["NotExistingGroup:read,write,admin All:read"]
acl = security.AccessControlList(app.cfg, acl_rights)
assert not acl.may(u"Someone", "write")
def test_wiki_backend_page_acl_append_page(self):
"""
Test if the wiki group backend works with acl code.
First check acl rights of a user that is not a member of group
then add user member to a page group and check acl rights
"""
request = self.request
become_trusted(request)
create_page(request, u'NewGroup', u" * ExampleUser")
acl_rights = ["NewGroup:read,write"]
acl = security.AccessControlList(request.cfg, acl_rights)
has_rights_before = acl.may(request, u"AnotherUser", "read")
# update page - add AnotherUser to a page group NewGroup
append_page(request, u'NewGroup', u" * AnotherUser")
has_rights_after = acl.may(request, u"AnotherUser", "read")
nuke_page(request, u'NewGroup')
assert not has_rights_before, 'AnotherUser has no read rights because in the beginning he is not a member of a group page NewGroup'
assert has_rights_after, 'AnotherUser must have read rights because after appendage he is member of NewGroup'
def testApplyACLByGroup(self):
""" security: applying acl by group name"""
# This acl string...
acl_rights = ["PGroup,AllGroup:read,write,admin " "AGroup:read "]
acl = security.AccessControlList(self.request.cfg, acl_rights)
# Should apply these rights:
users = (
# user, rights
('Antony', (
'read',
'write',
'admin',
)), # in PGroup
('Beatrice', (
'read',
'write',
'admin',
)), # in PGroup
('Charles', ('read', )), # virtually in AGroup
)
# Check rights
for user, may in users:
mayNot = [
right for right in self.request.cfg.acl_rights_valid
if right not in may
]
# User should have these rights...
for right in may:
assert acl.may(self.request, user, right)
# But NOT these:
for right in mayNot:
assert not acl.may(self.request, user, right)
def test_backend_acl_not_existing_group(self):
request = self.request
assert u'NotExistingGroup' not in request.groups
acl_rights = ["NotExistingGroup:read,write,delete,admin All:read"]
acl = security.AccessControlList(request.cfg, acl_rights)
assert not acl.may(request, u"Someone", "write")
def test_backend_acl_allow(self):
"""
Test if the wiki group backend works with acl code.
Check user which has rights.
"""
acl_rights = ["AdminGroup:admin,read,write"]
acl = security.AccessControlList(app.cfg, acl_rights)
for user in self.expanded_groups['AdminGroup']:
for permission in ["read", "write", "admin"]:
assert acl.may(u"Admin1", permission), '%s must have %s permission because he is member of the AdminGroup' % (user, permission)
def test_backend_acl_with_all(self):
acl_rights = ["EditorGroup:read,write,admin All:read"]
acl = security.AccessControlList(app.cfg, acl_rights)
for member in self.expanded_groups[u'EditorGroup']:
for permission in ["read", "write", "admin"]:
assert acl.may(member, permission)
assert acl.may(u"Someone", "read")
for permission in ["write", "admin"]:
assert not acl.may(u"Someone", permission)
def testApplyACLByUser(self):
""" security: applying acl by user name"""
# This acl string...
acl_rights = [
"-MinusGuy:read "
"+MinusGuy:read "
"+PlusGuy:read "
"-PlusGuy:read "
"Admin1,Admin2:read,write,delete,revert,admin "
"Admin3:read,write,admin "
"JoeDoe:read,write "
"name with spaces,another one:read,write "
"CamelCase,extended name:read,write "
"BadGuy: "
"All:read "
]
acl = security.AccessControlList(self.request.cfg, acl_rights)
# Should apply these rights:
users = (
# user, rights
# CamelCase names
('Admin1', ('read', 'write', 'admin', 'revert', 'delete')),
('Admin2', ('read', 'write', 'admin', 'revert', 'delete')),
('Admin3', ('read', 'write', 'admin')),
('JoeDoe', ('read', 'write')),
('SomeGuy', ('read', )),
# Extended names or mix of extended and CamelCase
('name with spaces', ('read', 'write', )),
('another one', ('read', 'write', )),
('CamelCase', ('read', 'write', )),
('extended name', ('read', 'write', )),
# Blocking bad guys
('BadGuy', ()),
# All other users - every one not mentioned in the acl lines
('All', ('read', )),
('Anonymous', ('read', )),
# we check whether ACL processing stops for a user/right match
# with ACL modifiers
('MinusGuy', ()),
('PlusGuy', ('read', )),
)
# Check rights
for user, may in users:
mayNot = [right for right in self.request.cfg.acl_rights_valid
if right not in may]
# User should have these rights...
for right in may:
assert acl.may(self.request, user, right)
# But NOT these:
for right in mayNot:
assert not acl.may(self.request, user, right)
def test_backend_acl_deny(self):
"""
Test if the wiki group backend works with acl code.
Check user which does not have rights.
"""
acl_rights = ["AdminGroup:read,write"]
acl = security.AccessControlList(app.cfg, acl_rights)
assert u"SomeUser" not in flaskg.groups['AdminGroup']
for permission in ["read", "write"]:
assert not acl.may(u"SomeUser", permission), 'SomeUser must not have %s permission because he is not listed in the AdminGroup' % permission
assert u'Admin1' in flaskg.groups['AdminGroup']
assert not acl.may(u"Admin1", "admin")
def test_wiki_backend_item_acl_usergroupmember_item(self):
"""
Test if the wiki group backend works with acl code.
First check acl rights of a user that is not a member of group
then add user member to an item group and check acl rights
"""
become_trusted()
update_item(u'NewGroup', 0, {USERGROUP: ["ExampleUser"]}, DATA)
acl_rights = ["NewGroup:read,write"]
acl = security.AccessControlList(app.cfg, acl_rights)
has_rights_before = acl.may(u"AnotherUser", "read")
# update item - add AnotherUser to a item group NewGroup
update_item(u'NewGroup', 1, {USERGROUP: ["AnotherUser"]}, '')
has_rights_after = acl.may(u"AnotherUser", "read")
assert not has_rights_before, 'AnotherUser has no read rights because in the beginning he is not a member of a group item NewGroup'
assert has_rights_after, 'AnotherUser must have read rights because after appenditem he is member of NewGroup'