def test_undefined_role_strict():
az = Authorizer(default_permissions, strict=True)
@az.class_role_provider('get_roles')
class ProtectedUser(User):
def get_roles(self, user):
return 'user_admin'
user = ProtectedUser(1234, ['non-existing-role-name'])
az.identity_provider(lambda: user)
az.default_role_provider(lambda u, _: u.roles)
with pytest.raises(NotDefinedError):
az.is_allowed('non-existing-permission', user)
with pytest.raises(NotDefinedError):
az.is_allowed('user_view', user)
def test_object_permissions():
az = Authorizer(default_permissions)
az.identity_provider(lambda: User(1234, ['editor']))
az.default_role_provider(lambda u, _: u.roles)
@az.role_provider(Article)
def role_provider(user, obj):
return 'admin' if user.id == obj.created_by else 'viewer'
article = Article(created_by=1234)
assert az.is_allowed('article_delete', article)
assert az.is_allowed('article_view', article)
other_article = Article(created_by=5678)
assert not az.is_allowed('article_delete', other_article)
assert az.is_allowed('article_view', other_article)
def test_object_permissions():
az = Authorizer(default_permissions)
az.identity_provider(lambda: User(1234, ['editor']))
az.default_role_provider(lambda u, _: u.roles)
@az.context_role_provider(owner_role)
class ProtectedArticle(Article):
pass
article = ProtectedArticle(created_by=1234)
assert az.is_allowed('article_delete', article)
assert az.is_allowed('article_view', article)
other_article = ProtectedArticle(created_by=5678)
assert not az.is_allowed('article_delete', other_article)
assert az.is_allowed('article_view', other_article)
def test_object_permissions_named_provider():
az = Authorizer(default_permissions)
az.identity_provider(lambda: User(1234, ['editor']))
az.default_role_provider(lambda u, _: u.roles)
@az.context_role_provider('get_roles')
class ProtectedArticle(Article):
def get_roles(self, user):
return ['admin'] if user.id == self.created_by else []
article = ProtectedArticle(created_by=1234)
assert az.is_allowed('article_delete', article)
assert az.is_allowed('article_view', article)
other_article = ProtectedArticle(created_by=5678)
assert not az.is_allowed('article_delete', other_article)
assert az.is_allowed('article_view', other_article)
def test_object_permissions_child_class():
az = Authorizer(default_permissions)
az.identity_provider(lambda: User(1234, ['editor']))
az.default_role_provider(lambda u, _: u.roles)
@az.role_provider(Article)
def get_roles(user, article):
return ['admin'] if user.id == article.created_by else []
class ChildArticle(Article):
pass
article = ChildArticle(created_by=1234)
assert az.is_allowed('article_delete', article)
assert az.is_allowed('article_view', article)
other_article = ChildArticle(created_by=5678)
assert not az.is_allowed('article_delete', other_article)
assert az.is_allowed('article_view', other_article)
def test_undefined_role():
az = Authorizer(default_permissions)
@az.class_role_provider('get_roles')
class ProtectedUser(User):
def get_roles(self, user):
return 'user_admin'
user = ProtectedUser(1234, ['non-existing-role-name'])
az.identity_provider(lambda: user)
az.default_role_provider(lambda u, _: u.roles)
assert not az.is_allowed('non-existing-permission', user)
assert not az.is_allowed('user_view', user)
def test_class_role_provider():
az = Authorizer(default_permissions)
@az.class_role_provider('get_roles')
class ProtectedUser(User):
def get_roles(self, user):
return 'user_admin' if same_user(self, user) else None
user = ProtectedUser(1234, ['editor'])
other_user = ProtectedUser(5678, ['viewer'])
az.identity_provider(lambda: user)
az.default_role_provider(lambda u, _: u.roles)
# These should all pass with no problem
assert az.is_allowed('user_view', user)
assert az.is_allowed('user_view', other_user)
assert az.is_allowed('user_edit', user)
# This should not be allowed
assert not az.is_allowed('user_edit', other_user)
def test_requires_decorator():
az = Authorizer(default_permissions)
@az.class_role_provider('get_roles')
class ProtectedUser(User):
def get_roles(self, user):
return 'user_admin' if same_user(self, user) else None
@az.require('user_view')
def view(self):
return 'viewed'
@az.require('user_edit')
def edit(self):
return 'edited'
user = ProtectedUser(1234, ['editor'])
other_user = ProtectedUser(5678, ['viewer'])
az.identity_provider(lambda: user)
az.default_role_provider(lambda u, _: u.roles)
# These should all pass with no
assert user.view() == 'viewed'
assert user.edit() == 'edited'
assert other_user.view() == 'viewed'
# This should throw an exception
with pytest.raises(NotAuthorized):
other_user.edit()
def test_object_permissions_without_inheritance():
az = Authorizer(default_permissions)
@az.role_provider(User)
def role_provider(user, ctx):
return 'user_admin' if same_user(user, ctx) else None
user = User(1234, ['editor'])
other_user = User(5678, ['viewer'])
az.identity_provider(lambda: user)
az.default_role_provider(lambda u, _: u.roles)
assert az.is_allowed('user_view', user)
assert az.is_allowed('user_edit', user)
assert az.is_allowed('user_view', other_user)
assert not az.is_allowed('user_edit', other_user)
def test_object_permissions_without_inheritance():
az = Authorizer(default_permissions)
@az.context_role_provider(lambda u, o: 'user_admin' if same_user(u, o) else None)
class ProtectedUser(User):
pass
user = ProtectedUser(1234, ['editor'])
other_user = ProtectedUser(5678, ['viewer'])
az.identity_provider(lambda: user)
az.default_role_provider(lambda u, _: u.roles)
assert az.is_allowed('user_view', user)
assert az.is_allowed('user_edit', user)
assert az.is_allowed('user_view', other_user)
assert not az.is_allowed('user_edit', other_user)
def test_object_permissions_set_provider():
az = Authorizer(default_permissions)
az.identity_provider(lambda: User(1234, ['editor']))
az.default_role_provider(lambda u, _: u.roles)
def get_roles(user, article):
return ['admin'] if user.id == article.created_by else []
az.set_role_provider(for_type=Article, provider=get_roles)
article = Article(created_by=1234)
assert az.is_allowed('article_delete', article)
assert az.is_allowed('article_view', article)
other_article = Article(created_by=5678)
assert not az.is_allowed('article_delete', other_article)
assert az.is_allowed('article_view', other_article)
def test_default_permissions_inherited_no_context(role, permission, allowed):
az = Authorizer(default_permissions)
az.identity_provider(lambda: User(1234, [role]))
az.default_role_provider(lambda u, _: u.roles)
assert az.is_allowed(permission) == allowed
