def test_invite_user_prepares_context_and_delegates_to_group_member_create(self, group_member_create):
context = {"group_id": 42}
group_member_create_context = context
group_member_create_context["id"] = context["group_id"]
new_authz.is_authorized_boolean("user_invite", context)
group_member_create.assert_called(group_member_create_context, None)
def test_invite_user_prepares_context_and_delegates_to_group_member_create(self, group_member_create):
context = {'group_id': 42}
group_member_create_context = context
group_member_create_context['id'] = context['group_id']
new_authz.is_authorized_boolean('user_invite', context)
group_member_create.assert_called(group_member_create_context, None)
def package_relationship_create(context, data_dict):
user = context['user']
id = data_dict['subject']
id2 = data_dict['object']
# If we can update each package we can see the relationships
authorized1 = new_authz.is_authorized_boolean(
'package_update', context, {'id': id})
authorized2 = new_authz.is_authorized_boolean(
'package_update', context, {'id': id2})
if not authorized1 and authorized2:
return {'success': False, 'msg': _('User %s not authorized to edit these packages') % user}
else:
return {'success': True}
def package_relationship_create(context, data_dict):
user = context['user']
id = data_dict['subject']
id2 = data_dict['object']
# If we can update each package we can see the relationships
authorized1 = new_authz.is_authorized_boolean(
'package_update', context, {'id': id})
authorized2 = new_authz.is_authorized_boolean(
'package_update', context, {'id': id2})
if not authorized1 and authorized2:
return {'success': False, 'msg': _('User %s not authorized to edit these packages') % user}
else:
return {'success': True}
def package_relationships_list(context, data_dict):
user = context.get("user")
id = data_dict["id"]
id2 = data_dict.get("id2")
# If we can see each package we can see the relationships
authorized1 = new_authz.is_authorized_boolean("package_show", context, {"id": id})
if id2:
authorized2 = new_authz.is_authorized_boolean("package_show", context, {"id": id2})
else:
authorized2 = True
if not (authorized1 and authorized2):
return {"success": False, "msg": _("User %s not authorized to read these packages") % user}
else:
return {"success": True}
def package_relationships_list(context, data_dict):
user = context.get('user')
id = data_dict['id']
id2 = data_dict.get('id2')
# If we can see each package we can see the relationships
authorized1 = new_authz.is_authorized_boolean(
'package_show', context, {'id': id})
if id2:
authorized2 = new_authz.is_authorized_boolean(
'package_show', context, {'id': id2})
else:
authorized2 = True
if not (authorized1 and authorized2):
return {'success': False, 'msg': _('User %s not authorized to read these packages') % user}
else:
return {'success': True}
def package_relationship_delete(context, data_dict):
user = context['user']
relationship = context['relationship']
# If you can create this relationship the you can also delete it
authorized = new_authz.is_authorized_boolean('package_relationship_create', context, data_dict)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete relationship %s') % (user ,relationship.id)}
else:
return {'success': True}
def package_change_state(context, data_dict):
user = context['user']
package = get_package_object(context, data_dict)
# use the logic for package_update
authorized = new_authz.is_authorized_boolean('package_update', context, data_dict)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to change state of package %s') % (str(user),package.id)}
else:
return {'success': True}
def group_change_state(context, data_dict):
user = context['user']
group = get_group_object(context, data_dict)
# use logic for group_update
authorized = new_authz.is_authorized_boolean('group_update', context, data_dict)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to change state of group %s') % (str(user),group.id)}
else:
return {'success': True}
def package_relationships_list(context, data_dict):
user = context.get('user')
id = data_dict['id']
id2 = data_dict.get('id2')
# If we can see each package we can see the relationships
authorized1 = new_authz.is_authorized_boolean(
'package_show', context, {'id': id})
if id2:
authorized2 = new_authz.is_authorized_boolean(
'package_show', context, {'id': id2})
else:
authorized2 = True
if not (authorized1 and authorized2):
return {'success': False, 'msg': _('User %s not authorized to read these packages') % user}
else:
return {'success': True}
def package_relationship_delete(context, data_dict):
user = context['user']
relationship = context['relationship']
# If you can create this relationship the you can also delete it
authorized = new_authz.is_authorized_boolean('package_relationship_create', context, data_dict)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete relationship %s') % (user ,relationship.id)}
else:
return {'success': True}
def test_auth_deleted_users_are_always_unauthorized(self):
always_success = lambda x,y: {'success': True}
new_authz._AuthFunctions._build()
new_authz._AuthFunctions._functions['always_success'] = always_success
# We can't reuse the username with the other tests because we can't
# rebuild_db(), because in the setup_class we get the sysadmin. If we
# rebuild the DB, we would delete the sysadmin as well.
username = '******'
self.create_user(username)
user = model.User.get(username)
user.delete()
assert not new_authz.is_authorized_boolean('always_success', {'user': username})
del new_authz._AuthFunctions._functions['always_success']
def package_relationship_delete(context, data_dict):
user = context["user"]
relationship = context["relationship"]
# If you can create this relationship the you can also delete it
authorized = new_authz.is_authorized_boolean("package_relationship_create", context, data_dict)
if not authorized:
return {
"success": False,
"msg": _("User %s not authorized to delete relationship %s") % (user, relationship.id),
}
else:
return {"success": True}
def package_change_state(context, data_dict):
user = context["user"]
package = get_package_object(context, data_dict)
# use the logic for package_update
authorized = new_authz.is_authorized_boolean("package_update", context, data_dict)
if not authorized:
return {
"success": False,
"msg": _("User %s not authorized to change state of package %s") % (str(user), package.id),
}
else:
return {"success": True}
def group_change_state(context, data_dict):
user = context["user"]
group = get_group_object(context, data_dict)
# use logic for group_update
authorized = new_authz.is_authorized_boolean("group_update", context, data_dict)
if not authorized:
return {
"success": False,
"msg": _("User %s not authorized to change state of group %s") % (str(user), group.id),
}
else:
return {"success": True}
def test_auth_deleted_users_are_always_unauthorized(self):
always_success = lambda x, y: {"success": True}
new_authz._AuthFunctions._build()
new_authz._AuthFunctions._functions["always_success"] = always_success
# We can't reuse the username with the other tests because we can't
# rebuild_db(), because in the setup_class we get the sysadmin. If we
# rebuild the DB, we would delete the sysadmin as well.
username = "******"
self.create_user(username)
user = model.User.get(username)
user.delete()
assert not new_authz.is_authorized_boolean("always_success", {"user": username})
del new_authz._AuthFunctions._functions["always_success"]
def _get_relationships_Packages(pkg_ids):
query = model.Session.query(model.Package)\
.filter(model.Package.id.in_(pkg_ids))\
.filter(model.Package.state == u'active')
pkg_list = query.all()
ret = []
context = {'model': model, 'session': model.Session, 'user': c.user or c.author}
for pkg in pkg_list:
# Filtrar os packages privados sem acesso de edicao:
if (not pkg.private): ret.append(model_dictize.package_dictize(pkg,context))
else:
if new_authz.is_authorized_boolean('package_update', context, { 'id' : pkg.id}):
ret.append(model_dictize.package_dictize(pkg,context))
return ret
def group_change_state(context, data_dict):
user = context['user']
group = logic_auth.get_group_object(context, data_dict)
# use logic for group_update
authorized = new_authz.is_authorized_boolean('group_update',
context,
data_dict)
if not authorized:
return {
'success': False,
'msg': _('User %s not authorized to change state of group %s') %
(str(user), group.id)
}
else:
return {'success': True}
def package_change_state(context, data_dict):
user = context['user']
package = logic_auth.get_package_object(context, data_dict)
# use the logic for package_update
authorized = new_authz.is_authorized_boolean('package_update',
context,
data_dict)
if not authorized:
return {
'success': False,
'msg': _('User %s not authorized to change state of package %s') %
(str(user), package.id)
}
else:
return {'success': True}
def authorize(method, bucket, key, user, ofs):
"""
Check authz for the user with a given bucket/key combo within a
particular ofs implementation.
"""
if not method in ['POST', 'GET', 'PUT', 'DELETE']:
abort(400)
if method != 'GET':
# do not allow overwriting
if ofs.exists(bucket, key):
abort(409)
# now check user stuff
context = {'user': c.user, 'model': model}
is_authorized = new_authz.is_authorized_boolean(
'file_upload', context, {})
if not is_authorized:
h.flash_error('Not authorized to upload files.')
abort(401)
def authorize(method, bucket, key, user, ofs):
"""
Check authz for the user with a given bucket/key combo within a
particular ofs implementation.
"""
if not method in ['POST', 'GET', 'PUT', 'DELETE']:
abort(400)
if method != 'GET':
# do not allow overwriting
if ofs.exists(bucket, key):
abort(409)
# now check user stuff
context = {'user': c.user,
'model': model}
is_authorized = new_authz.is_authorized_boolean('file_upload', context, {})
if not is_authorized:
h.flash_error('Not authorized to upload files.')
abort(401)
