def test_authorize_authenticated(self): # Annotation (even without consumer key) is actionable if the action # list includes the special string 'group:__authenticated__' and the user # is authenticated (i.e. a user and consumer tuple is provided) ann = {'permissions': {'read': ['group:__authenticated__']}} assert not authorize(ann, 'read') assert authorize(ann, 'read', h.MockUser('bob'))
def test_authorize_world(self): # Annotation (even without consumer key) is actionable if the action # list includes the special string 'group:__world__' ann = {'permissions': {'read': ['group:__world__']}} assert authorize(ann, 'read') assert authorize(ann, 'read', h.MockUser('bob')) assert authorize(ann, 'read', h.MockUser('bob', 'consumerkey'))
def test_authorize_consumer(self): # Annotation (WITH consumer key) is actionable if the action # list includes the special string 'group:__consumer__' and the user # is authenticated to the same consumer as that of the annotation ann = {'permissions': {'read': ['group:__consumer__']}} assert not authorize(ann, 'read') assert not authorize(ann, 'read', h.MockUser('bob')) assert not authorize(ann, 'read', h.MockUser('bob', 'consumerkey')) ann = { 'consumer': 'consumerkey', 'permissions': { 'read': ['group:__consumer__'] } } assert not authorize(ann, 'read') assert not authorize(ann, 'read', h.MockUser('bob')) assert authorize(ann, 'read', h.MockUser('alice', 'consumerkey')) assert authorize(ann, 'read', h.MockUser('bob', 'consumerkey')) assert not authorize(ann, 'read', h.MockUser('bob', 'adifferentconsumerkey')) assert not authorize(ann, 'read', h.MockUser('group:__consumer__', 'consumerkey')) assert not authorize( ann, 'read', h.MockUser('group:__consumer__', 'adifferentconsumerkey'))
def test_authorize_admin(self): # An admin user can do anything ann = {'consumer': 'consumerkey', 'user': '******'} admin = h.MockUser('walter', 'consumerkey') admin.is_admin = True assert authorize(ann, 'read', admin) assert authorize(ann, 'update', admin) assert authorize(ann, 'admin', admin)
def test_authorize_authenticated(self): # Annotation (even without consumer key) is actionable if the action # list includes the special string 'group:__authenticated__' and the user # is authenticated (i.e. a user and consumer tuple is provided) ann = { 'permissions': {'read': ['group:__authenticated__']} } assert not authorize(ann, 'read') assert authorize(ann, 'read', h.MockUser('bob'))
def test_authorize_world(self): # Annotation (even without consumer key) is actionable if the action # list includes the special string 'group:__world__' ann = { 'permissions': {'read': ['group:__world__']} } assert authorize(ann, 'read') assert authorize(ann, 'read', 'bob') assert authorize(ann, 'read', 'bob', 'consumerkey')
def test_authorize_owner(self): # The annotation-owning user can do anything ('user' is a string) ann = { 'consumer': 'consumerkey', 'user': '******', 'permissions': {'read': ['alice', 'charlie']} } assert authorize(ann, 'read', 'bob', 'consumerkey') assert not authorize(ann, 'read', 'bob', 'adifferentconsumer') assert not authorize(ann, 'read', 'sally', 'consumerkey')
def test_authorize_read_annotation_user_dict(self): # The annotation-owning user can do anything ('user' is an object) ann = { 'consumer': 'consumerkey', 'user': {'id': 'bob'}, 'permissions': {'read': ['alice', 'charlie']} } assert authorize(ann, 'read', 'bob', 'consumerkey') assert not authorize(ann, 'read', 'bob', 'adifferentconsumer') assert not authorize(ann, 'read', 'sally', 'consumerkey')
def test_authorize_admin(self): # An admin user can do anything ann = { 'consumer': 'consumerkey', 'user': '******' } admin = h.MockUser('walter', 'consumerkey') admin.is_admin = True assert authorize(ann, 'read', admin) assert authorize(ann, 'update', admin) assert authorize(ann, 'admin', admin)
def test_authorize_owner(self): # The annotation-owning user can do anything ('user' is a string) ann = { 'consumer': 'consumerkey', 'user': '******', 'permissions': { 'read': ['alice', 'charlie'] } } assert authorize(ann, 'read', h.MockUser('bob', 'consumerkey')) assert not authorize(ann, 'read', h.MockUser('bob', 'adifferentconsumer')) assert not authorize(ann, 'read', h.MockUser('sally', 'consumerkey'))
def authorize(annotation, action, user=None): action_field = annotation.get('permissions', {}).get(action, []) if not action_field: return True else: return authz.authorize(annotation, action, user)
def test_authorize_consumer(self): # Annotation (WITH consumer key) is actionable if the action # list includes the special string 'group:__consumer__' and the user # is authenticated to the same consumer as that of the annotation ann = { 'permissions': {'read': ['group:__consumer__']} } assert not authorize(ann, 'read') assert not authorize(ann, 'read', h.MockUser('bob')) assert not authorize(ann, 'read', h.MockUser('bob', 'consumerkey')) ann = { 'consumer': 'consumerkey', 'permissions': {'read': ['group:__consumer__']} } assert not authorize(ann, 'read') assert not authorize(ann, 'read', h.MockUser('bob')) assert authorize(ann, 'read', h.MockUser('alice', 'consumerkey')) assert authorize(ann, 'read', h.MockUser('bob', 'consumerkey')) assert not authorize(ann, 'read', h.MockUser('bob', 'adifferentconsumerkey')) assert not authorize(ann, 'read', h.MockUser('group:__consumer__', 'consumerkey')) assert not authorize(ann, 'read', h.MockUser('group:__consumer__', 'adifferentconsumerkey'))
def search_annotations(): kwargs = dict(request.args.items()) uid = current_user_id() if uid: if not auth.verify_request(request): return _failed_auth_response() results = Annotation.search(**kwargs) results = filter(lambda a: authz.authorize(a, 'read', uid), results) total = Annotation.count(**kwargs) return jsonify({ 'total': total, 'rows': results, })
def after_action(event): request = event.request action = event.action annotation = event.annotation annotation.update(url_values_from_document(annotation)) manager = request.get_sockjs_manager() for session in manager.active_sessions(): if not authz.authorize(annotation, 'read', session.request.user): continue if not session.filter.match(annotation, action): continue session.send([annotation, action])
def test_authorize_basic(self): # Annotation with consumer and permissions fields is actionable as # per the permissions spec ann = {'consumer': 'consumerkey', 'permissions': {'read': ['bob']}} assert not authorize(ann, 'read') assert not authorize(ann, 'read', h.MockUser('bob')) assert authorize(ann, 'read', h.MockUser('bob', 'consumerkey')) assert not authorize(ann, 'read', h.MockUser('alice', 'consumerkey')) assert not authorize(ann, 'update') assert not authorize(ann, 'update', h.MockUser('bob', 'consumerkey'))
def after_action(event): action = event.action annotation = event.annotation annotation.update(url_values_from_document(annotation)) for connection in StreamerSession.connections: if not authz.authorize(annotation, 'read', connection.request.user): continue if not connection.filter.match(annotation, action): continue try: connection.send([annotation, action]) except: log.info(traceback.format_exc()) log.info('Filter error!') connection.close()
def test_authorize_basic(self): # Annotation with consumer and permissions fields is actionable as # per the permissions spec ann = { 'consumer': 'consumerkey', 'permissions': {'read': ['bob']} } assert not authorize(ann, 'read') assert not authorize(ann, 'read', 'bob') assert authorize(ann, 'read', 'bob', 'consumerkey') assert not authorize(ann, 'read', 'alice', 'consumerkey') assert not authorize(ann, 'update') assert not authorize(ann, 'update', 'bob', 'consumerkey')
def update_annotation(id): annotation = Annotation.fetch(id) if not annotation: return jsonify('Annotation not found! No update performed.', status=404) failure = _check_action(annotation, 'update', current_user_id()) if failure: return failure if request.json: updated = _filter_input(request.json) updated['id'] = id # use id from URL, regardless of what arrives in JSON payload if 'permissions' in updated and updated['permissions'] != annotation.get('permissions', {}): if not authz.authorize(annotation, 'admin', current_user_id()): return _failed_authz_response('permissions update') annotation.update(updated) annotation.save() return jsonify(annotation)
def update_annotation(id): annotation = Annotation.fetch(id) if not annotation: return jsonify('Annotation not found! No update performed.', status=404) failure = _check_action(annotation, 'update', current_user_id()) if failure: return failure if request.json: updated = _filter_input(request.json) updated[ 'id'] = id # use id from URL, regardless of what arrives in JSON payload if 'permissions' in updated and updated[ 'permissions'] != annotation.get('permissions', {}): if not authz.authorize(annotation, 'admin', current_user_id()): return _failed_authz_response('permissions update') annotation.update(updated) annotation.save() return jsonify(annotation)
def test_authorize_admin_user(self): ann = Annotation(permissions={ACTION.ADMIN: ["bob"]}) assert authorize(ann, "admin", "bob") assert not authorize(ann, "admin", "alice")
def test_authorize_null_consumer(self): # An annotation with no consumer set is private ann = {'permissions': {'read': ['bob']}} assert not authorize(ann, 'read') assert not authorize(ann, 'read', h.MockUser('bob')) assert not authorize(ann, 'read', h.MockUser('bob', 'consumerkey'))
def test_authorize_admin_user(self): ann = Annotation(permissions={'admin': ['bob']}) assert authorize(ann, 'admin', 'bob') assert not authorize(ann, 'admin', 'alice')
def test_authorize_delete_user(self): ann = Annotation(permissions={'delete': ['bob']}) assert authorize(ann, 'delete', 'bob') assert not authorize(ann, 'delete', 'alice')
def test_authorize_read_user(self): ann = Annotation(permissions={'read': ['bob']}) assert authorize(ann, 'read', 'bob') assert not authorize(ann, 'read', 'alice')
def _check_action(annotation, action, uid): if not authz.authorize(annotation, action, uid): return _failed_authz_response() if uid and not auth.verify_request(request): return _failed_auth_response()
def test_authorize_empty(self): # An annotation with no permissions field is private ann = {} assert not authorize(ann, 'read') assert not authorize(ann, 'read', 'bob') assert not authorize(ann, 'read', 'bob', 'consumerkey')
def test_authorize_null_consumer(self): # An annotation with no consumer set is private ann = {'permissions': {'read': ['bob']}} assert not authorize(ann, 'read') assert not authorize(ann, 'read', 'bob') assert not authorize(ann, 'read', 'bob', 'consumerkey')
def test_authorize_read_nouser(self): ann = Annotation() assert authorize(ann, "read") assert authorize(ann, "read", "bob")
def test_authorize_delete_nouser(self): ann = Annotation() assert not authorize(ann, 'delete') assert authorize(ann, 'delete', 'bob')
def test_authorize_read_user(self): ann = Annotation(permissions={ACTION.READ: ["bob"]}) assert authorize(ann, "read", "bob") assert not authorize(ann, "read", "alice")
def test_authorize_admin_nouser(self): ann = Annotation() assert not authorize(ann, 'admin') assert authorize(ann, 'admin', 'bob')
def test_authorize_update_user(self): ann = Annotation(permissions={ACTION.UPDATE: ["bob"]}) assert authorize(ann, "update", "bob") assert not authorize(ann, "update", "alice")
def test_authorize_read_nouser(self): ann = Annotation() assert authorize(ann, 'read') assert authorize(ann, 'read', 'bob')
def test_authorize_delete_nouser(self): ann = Annotation() assert authorize(ann, "delete") assert authorize(ann, "delete", "bob")
def test_authorize_delete_user(self): ann = Annotation(permissions={ACTION.DELETE: ["bob"]}) assert authorize(ann, "delete", "bob") assert not authorize(ann, "delete", "alice")
def test_authorize_admin_nouser(self): ann = Annotation() assert authorize(ann, "admin") assert authorize(ann, "admin", "bob")
def test_authorize_empty(self): # An annotation with no permissions field is private ann = {} assert not authorize(ann, 'read') assert not authorize(ann, 'read', h.MockUser('bob')) assert not authorize(ann, 'read', h.MockUser('bob', 'consumerkey'))