def test_authorize_authenticated(self):
# Annotation (even without consumer key) is actionable if the action
# list includes the special string 'group:__authenticated__' and the user
# is authenticated (i.e. a user and consumer tuple is provided)
ann = {'permissions': {'read': ['group:__authenticated__']}}
assert not authorize(ann, 'read')
assert authorize(ann, 'read', h.MockUser('bob'))
def test_authorize_world(self):
# Annotation (even without consumer key) is actionable if the action
# list includes the special string 'group:__world__'
ann = {'permissions': {'read': ['group:__world__']}}
assert authorize(ann, 'read')
assert authorize(ann, 'read', h.MockUser('bob'))
assert authorize(ann, 'read', h.MockUser('bob', 'consumerkey'))
def test_authorize_consumer(self):
# Annotation (WITH consumer key) is actionable if the action
# list includes the special string 'group:__consumer__' and the user
# is authenticated to the same consumer as that of the annotation
ann = {'permissions': {'read': ['group:__consumer__']}}
assert not authorize(ann, 'read')
assert not authorize(ann, 'read', h.MockUser('bob'))
assert not authorize(ann, 'read', h.MockUser('bob', 'consumerkey'))
ann = {
'consumer': 'consumerkey',
'permissions': {
'read': ['group:__consumer__']
}
}
assert not authorize(ann, 'read')
assert not authorize(ann, 'read', h.MockUser('bob'))
assert authorize(ann, 'read', h.MockUser('alice', 'consumerkey'))
assert authorize(ann, 'read', h.MockUser('bob', 'consumerkey'))
assert not authorize(ann, 'read',
h.MockUser('bob', 'adifferentconsumerkey'))
assert not authorize(ann, 'read',
h.MockUser('group:__consumer__', 'consumerkey'))
assert not authorize(
ann, 'read',
h.MockUser('group:__consumer__', 'adifferentconsumerkey'))
def test_authorize_admin(self):
# An admin user can do anything
ann = {'consumer': 'consumerkey', 'user': '******'}
admin = h.MockUser('walter', 'consumerkey')
admin.is_admin = True
assert authorize(ann, 'read', admin)
assert authorize(ann, 'update', admin)
assert authorize(ann, 'admin', admin)
def test_authorize_authenticated(self):
# Annotation (even without consumer key) is actionable if the action
# list includes the special string 'group:__authenticated__' and the user
# is authenticated (i.e. a user and consumer tuple is provided)
ann = {
'permissions': {'read': ['group:__authenticated__']}
}
assert not authorize(ann, 'read')
assert authorize(ann, 'read', h.MockUser('bob'))
def test_authorize_world(self):
# Annotation (even without consumer key) is actionable if the action
# list includes the special string 'group:__world__'
ann = {
'permissions': {'read': ['group:__world__']}
}
assert authorize(ann, 'read')
assert authorize(ann, 'read', 'bob')
assert authorize(ann, 'read', 'bob', 'consumerkey')
def test_authorize_owner(self):
# The annotation-owning user can do anything ('user' is a string)
ann = {
'consumer': 'consumerkey',
'user': '******',
'permissions': {'read': ['alice', 'charlie']}
}
assert authorize(ann, 'read', 'bob', 'consumerkey')
assert not authorize(ann, 'read', 'bob', 'adifferentconsumer')
assert not authorize(ann, 'read', 'sally', 'consumerkey')
def test_authorize_read_annotation_user_dict(self):
# The annotation-owning user can do anything ('user' is an object)
ann = {
'consumer': 'consumerkey',
'user': {'id': 'bob'},
'permissions': {'read': ['alice', 'charlie']}
}
assert authorize(ann, 'read', 'bob', 'consumerkey')
assert not authorize(ann, 'read', 'bob', 'adifferentconsumer')
assert not authorize(ann, 'read', 'sally', 'consumerkey')
def test_authorize_admin(self):
# An admin user can do anything
ann = {
'consumer': 'consumerkey',
'user': '******'
}
admin = h.MockUser('walter', 'consumerkey')
admin.is_admin = True
assert authorize(ann, 'read', admin)
assert authorize(ann, 'update', admin)
assert authorize(ann, 'admin', admin)
def test_authorize_owner(self):
# The annotation-owning user can do anything ('user' is a string)
ann = {
'consumer': 'consumerkey',
'user': '******',
'permissions': {
'read': ['alice', 'charlie']
}
}
assert authorize(ann, 'read', h.MockUser('bob', 'consumerkey'))
assert not authorize(ann, 'read',
h.MockUser('bob', 'adifferentconsumer'))
assert not authorize(ann, 'read', h.MockUser('sally', 'consumerkey'))
def authorize(annotation, action, user=None):
action_field = annotation.get('permissions', {}).get(action, [])
if not action_field:
return True
else:
return authz.authorize(annotation, action, user)
def authorize(annotation, action, user=None):
action_field = annotation.get('permissions', {}).get(action, [])
if not action_field:
return True
else:
return authz.authorize(annotation, action, user)
def test_authorize_consumer(self):
# Annotation (WITH consumer key) is actionable if the action
# list includes the special string 'group:__consumer__' and the user
# is authenticated to the same consumer as that of the annotation
ann = {
'permissions': {'read': ['group:__consumer__']}
}
assert not authorize(ann, 'read')
assert not authorize(ann, 'read', h.MockUser('bob'))
assert not authorize(ann, 'read', h.MockUser('bob', 'consumerkey'))
ann = {
'consumer': 'consumerkey',
'permissions': {'read': ['group:__consumer__']}
}
assert not authorize(ann, 'read')
assert not authorize(ann, 'read', h.MockUser('bob'))
assert authorize(ann, 'read', h.MockUser('alice', 'consumerkey'))
assert authorize(ann, 'read', h.MockUser('bob', 'consumerkey'))
assert not authorize(ann, 'read', h.MockUser('bob', 'adifferentconsumerkey'))
assert not authorize(ann, 'read', h.MockUser('group:__consumer__', 'consumerkey'))
assert not authorize(ann, 'read', h.MockUser('group:__consumer__', 'adifferentconsumerkey'))
def search_annotations():
kwargs = dict(request.args.items())
uid = current_user_id()
if uid:
if not auth.verify_request(request):
return _failed_auth_response()
results = Annotation.search(**kwargs)
results = filter(lambda a: authz.authorize(a, 'read', uid), results)
total = Annotation.count(**kwargs)
return jsonify({
'total': total,
'rows': results,
})
def search_annotations():
kwargs = dict(request.args.items())
uid = current_user_id()
if uid:
if not auth.verify_request(request):
return _failed_auth_response()
results = Annotation.search(**kwargs)
results = filter(lambda a: authz.authorize(a, 'read', uid), results)
total = Annotation.count(**kwargs)
return jsonify({
'total': total,
'rows': results,
})
def after_action(event):
request = event.request
action = event.action
annotation = event.annotation
annotation.update(url_values_from_document(annotation))
manager = request.get_sockjs_manager()
for session in manager.active_sessions():
if not authz.authorize(annotation, 'read', session.request.user):
continue
if not session.filter.match(annotation, action):
continue
session.send([annotation, action])
def test_authorize_basic(self):
# Annotation with consumer and permissions fields is actionable as
# per the permissions spec
ann = {'consumer': 'consumerkey', 'permissions': {'read': ['bob']}}
assert not authorize(ann, 'read')
assert not authorize(ann, 'read', h.MockUser('bob'))
assert authorize(ann, 'read', h.MockUser('bob', 'consumerkey'))
assert not authorize(ann, 'read', h.MockUser('alice', 'consumerkey'))
assert not authorize(ann, 'update')
assert not authorize(ann, 'update', h.MockUser('bob', 'consumerkey'))
def after_action(event):
action = event.action
annotation = event.annotation
annotation.update(url_values_from_document(annotation))
for connection in StreamerSession.connections:
if not authz.authorize(annotation, 'read', connection.request.user):
continue
if not connection.filter.match(annotation, action):
continue
try:
connection.send([annotation, action])
except:
log.info(traceback.format_exc())
log.info('Filter error!')
connection.close()
def after_action(event):
action = event.action
annotation = event.annotation
annotation.update(url_values_from_document(annotation))
for connection in StreamerSession.connections:
if not authz.authorize(annotation, 'read', connection.request.user):
continue
if not connection.filter.match(annotation, action):
continue
try:
connection.send([annotation, action])
except:
log.info(traceback.format_exc())
log.info('Filter error!')
connection.close()
def test_authorize_basic(self):
# Annotation with consumer and permissions fields is actionable as
# per the permissions spec
ann = {
'consumer': 'consumerkey',
'permissions': {'read': ['bob']}
}
assert not authorize(ann, 'read')
assert not authorize(ann, 'read', 'bob')
assert authorize(ann, 'read', 'bob', 'consumerkey')
assert not authorize(ann, 'read', 'alice', 'consumerkey')
assert not authorize(ann, 'update')
assert not authorize(ann, 'update', 'bob', 'consumerkey')
def update_annotation(id):
annotation = Annotation.fetch(id)
if not annotation:
return jsonify('Annotation not found! No update performed.', status=404)
failure = _check_action(annotation, 'update', current_user_id())
if failure:
return failure
if request.json:
updated = _filter_input(request.json)
updated['id'] = id # use id from URL, regardless of what arrives in JSON payload
if 'permissions' in updated and updated['permissions'] != annotation.get('permissions', {}):
if not authz.authorize(annotation, 'admin', current_user_id()):
return _failed_authz_response('permissions update')
annotation.update(updated)
annotation.save()
return jsonify(annotation)
def update_annotation(id):
annotation = Annotation.fetch(id)
if not annotation:
return jsonify('Annotation not found! No update performed.',
status=404)
failure = _check_action(annotation, 'update', current_user_id())
if failure:
return failure
if request.json:
updated = _filter_input(request.json)
updated[
'id'] = id # use id from URL, regardless of what arrives in JSON payload
if 'permissions' in updated and updated[
'permissions'] != annotation.get('permissions', {}):
if not authz.authorize(annotation, 'admin', current_user_id()):
return _failed_authz_response('permissions update')
annotation.update(updated)
annotation.save()
return jsonify(annotation)
def test_authorize_admin_user(self):
ann = Annotation(permissions={ACTION.ADMIN: ["bob"]})
assert authorize(ann, "admin", "bob")
assert not authorize(ann, "admin", "alice")
def test_authorize_null_consumer(self):
# An annotation with no consumer set is private
ann = {'permissions': {'read': ['bob']}}
assert not authorize(ann, 'read')
assert not authorize(ann, 'read', h.MockUser('bob'))
assert not authorize(ann, 'read', h.MockUser('bob', 'consumerkey'))
def test_authorize_admin_user(self):
ann = Annotation(permissions={'admin': ['bob']})
assert authorize(ann, 'admin', 'bob')
assert not authorize(ann, 'admin', 'alice')
def test_authorize_delete_user(self):
ann = Annotation(permissions={'delete': ['bob']})
assert authorize(ann, 'delete', 'bob')
assert not authorize(ann, 'delete', 'alice')
def test_authorize_read_user(self):
ann = Annotation(permissions={'read': ['bob']})
assert authorize(ann, 'read', 'bob')
assert not authorize(ann, 'read', 'alice')
def test_authorize_admin_user(self):
ann = Annotation(permissions={'admin': ['bob']})
assert authorize(ann, 'admin', 'bob')
assert not authorize(ann, 'admin', 'alice')
def test_authorize_delete_user(self):
ann = Annotation(permissions={'delete': ['bob']})
assert authorize(ann, 'delete', 'bob')
assert not authorize(ann, 'delete', 'alice')
def _check_action(annotation, action, uid):
if not authz.authorize(annotation, action, uid):
return _failed_authz_response()
if uid and not auth.verify_request(request):
return _failed_auth_response()
def test_authorize_empty(self):
# An annotation with no permissions field is private
ann = {}
assert not authorize(ann, 'read')
assert not authorize(ann, 'read', 'bob')
assert not authorize(ann, 'read', 'bob', 'consumerkey')
def _check_action(annotation, action, uid):
if not authz.authorize(annotation, action, uid):
return _failed_authz_response()
if uid and not auth.verify_request(request):
return _failed_auth_response()
def test_authorize_null_consumer(self):
# An annotation with no consumer set is private
ann = {'permissions': {'read': ['bob']}}
assert not authorize(ann, 'read')
assert not authorize(ann, 'read', 'bob')
assert not authorize(ann, 'read', 'bob', 'consumerkey')
def test_authorize_read_user(self):
ann = Annotation(permissions={'read': ['bob']})
assert authorize(ann, 'read', 'bob')
assert not authorize(ann, 'read', 'alice')
def test_authorize_read_nouser(self):
ann = Annotation()
assert authorize(ann, "read")
assert authorize(ann, "read", "bob")
def test_authorize_delete_nouser(self):
ann = Annotation()
assert not authorize(ann, 'delete')
assert authorize(ann, 'delete', 'bob')
def test_authorize_read_user(self):
ann = Annotation(permissions={ACTION.READ: ["bob"]})
assert authorize(ann, "read", "bob")
assert not authorize(ann, "read", "alice")
def test_authorize_admin_nouser(self):
ann = Annotation()
assert not authorize(ann, 'admin')
assert authorize(ann, 'admin', 'bob')
def test_authorize_update_user(self):
ann = Annotation(permissions={ACTION.UPDATE: ["bob"]})
assert authorize(ann, "update", "bob")
assert not authorize(ann, "update", "alice")
def test_authorize_read_nouser(self):
ann = Annotation()
assert authorize(ann, 'read')
assert authorize(ann, 'read', 'bob')
def test_authorize_delete_nouser(self):
ann = Annotation()
assert authorize(ann, "delete")
assert authorize(ann, "delete", "bob")
def test_authorize_delete_nouser(self):
ann = Annotation()
assert not authorize(ann, 'delete')
assert authorize(ann, 'delete', 'bob')
def test_authorize_delete_user(self):
ann = Annotation(permissions={ACTION.DELETE: ["bob"]})
assert authorize(ann, "delete", "bob")
assert not authorize(ann, "delete", "alice")
def test_authorize_admin_nouser(self):
ann = Annotation()
assert not authorize(ann, 'admin')
assert authorize(ann, 'admin', 'bob')
def test_authorize_admin_nouser(self):
ann = Annotation()
assert authorize(ann, "admin")
assert authorize(ann, "admin", "bob")
def test_authorize_read_nouser(self):
ann = Annotation()
assert authorize(ann, 'read')
assert authorize(ann, 'read', 'bob')
def test_authorize_empty(self):
# An annotation with no permissions field is private
ann = {}
assert not authorize(ann, 'read')
assert not authorize(ann, 'read', h.MockUser('bob'))
assert not authorize(ann, 'read', h.MockUser('bob', 'consumerkey'))
