def test_ActionSharing(self): parent = BaseNode(name='root') model = parent['model'] = BaseNode() request = self.layer.new_request() action = ActionSharing() self.assertFalse(IPrincipalACL.providedBy(model)) self.assertEqual(action(model, request), u'') sharingmodel = parent['sharingmodel'] = SharingNode() self.assertTrue(IPrincipalACL.providedBy(sharingmodel)) self.assertEqual(action(sharingmodel, request), u'') with self.layer.authenticated('editor'): rule = request.has_permission('manage_permissions', sharingmodel) self.assertTrue(isinstance(rule, ACLDenied)) self.assertEqual(action(sharingmodel, request), u'') with self.layer.authenticated('manager'): rule = request.has_permission('manage_permissions', sharingmodel) self.assertTrue(isinstance(rule, ACLAllowed)) rendered = action(sharingmodel, request) self.checkOutput( """ ...<a id="toolbaraction-share" href="http://example.com/root/sharingmodel/sharing" ajax:bind="click" ajax:target="http://example.com/root/sharingmodel" ajax:action="sharing:#content:inner" ajax:path="href" ><span class="glyphicon glyphicon-share"></span > Sharing</a>... """, rendered)
def aggregated_roles(self): aggregated = dict() model = self while model: if not IPrincipalACL.providedBy(model): model = model.parent continue for id, roles in model.principal_roles.items(): if aggregated.get(id): aggregated[id].update(roles) else: aggregated[id] = set(roles) model = model.parent return aggregated
def display(self): return IPrincipalACL.providedBy(self.model) \ and self.permitted('manage_permissions')
def test_PrincipalACL(self): # PrincipalACL is an abstract class. Directly use causes an error @plumbing(PrincipalACL) class PrincipalACLNode(BaseNode): pass node = PrincipalACLNode() err = self.expect_error(NotImplementedError, lambda: node.__acl__) expected = ( 'Abstract ``PrincipalACL`` does not implement ``principal_roles``.' ) self.assertEqual(str(err), expected) # Concrete PrincipalACL implementation. Implements principal_roles # property class MyPrincipalACL(PrincipalACL): @default @instance_property def principal_roles(self): return dict() @plumbing(MyPrincipalACL) class MyPrincipalACLNode(BaseNode): pass node = MyPrincipalACLNode() self.assertTrue(IPrincipalACL.providedBy(node)) node.principal_roles['someuser'] = ['manager'] node.principal_roles['otheruser'] = ['editor'] node.principal_roles['group:some_group'] = ['editor', 'manager'] def find_rule(acl, who): for rule in acl: if rule[1] == who: return rule rule = find_rule(node.__acl__, 'someuser') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'someuser') self.assertEqual(sorted(rule[2]), sorted([ 'cut', 'edit', 'copy', 'manage', 'list', 'add', 'change_state', 'view', 'paste', 'manage_permissions', 'delete' ])) rule = find_rule(node.__acl__, 'otheruser') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'otheruser') self.assertEqual(sorted(rule[2]), sorted([ 'edit', 'add', 'list', 'view' ])) rule = find_rule(node.__acl__, 'group:some_group') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'group:some_group') self.assertEqual(sorted(rule[2]), sorted([ 'cut', 'edit', 'copy', 'manage', 'list', 'add', 'change_state', 'view', 'paste', 'manage_permissions', 'delete' ])) rule = find_rule(node.__acl__, 'system.Authenticated') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'system.Authenticated') self.assertEqual(rule[2], ['view']) rule = find_rule(node.__acl__, 'role:viewer') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'role:viewer') self.assertEqual(sorted(rule[2]), sorted(['view', 'list'])) rule = node.__acl__[-1] self.assertEqual(rule[0], 'Deny') self.assertEqual(rule[1], 'system.Everyone') self.assertEqual(rule[2], ALL_PERMISSIONS) # PrincipalACL role inheritance child = node['child'] = MyPrincipalACLNode() child.principal_roles['someuser'] = ['editor'] rule = find_rule(child.__acl__, 'someuser') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'someuser') self.assertEqual(sorted(rule[2]), sorted([ 'edit', 'add', 'list', 'view' ])) rule = find_rule(child.__acl__, 'system.Authenticated') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'system.Authenticated') self.assertEqual(rule[2], ['view']) rule = find_rule(child.__acl__, 'role:viewer') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'role:viewer') self.assertEqual(sorted(rule[2]), sorted(['view', 'list'])) rule = child.__acl__[-1] self.assertEqual(rule[0], 'Deny') self.assertEqual(rule[1], 'system.Everyone') self.assertEqual(rule[2], ALL_PERMISSIONS) subchild = child['child'] = MyPrincipalACLNode() subchild.role_inheritance = True subchild.principal_roles['otheruser'] = ['admin'] self.assertEqual(subchild.aggregated_roles_for('inexistent'), []) self.assertEqual( sorted(subchild.aggregated_roles_for('someuser')), sorted(['manager', 'editor']) ) self.assertEqual( sorted(subchild.aggregated_roles_for('otheruser')), sorted(['admin', 'editor']) ) rule = find_rule(subchild.__acl__, 'someuser') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'someuser') self.assertEqual(sorted(rule[2]), sorted([ 'cut', 'edit', 'copy', 'manage', 'list', 'add', 'change_state', 'view', 'paste', 'manage_permissions', 'delete' ])) rule = find_rule(subchild.__acl__, 'otheruser') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'otheruser') self.assertEqual(sorted(rule[2]), sorted([ 'cut', 'edit', 'copy', 'list', 'add', 'change_state', 'view', 'paste', 'manage_permissions', 'delete' ])) rule = find_rule(subchild.__acl__, 'group:some_group') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'group:some_group') self.assertEqual(sorted(rule[2]), sorted([ 'cut', 'edit', 'copy', 'manage', 'list', 'add', 'change_state', 'view', 'paste', 'manage_permissions', 'delete' ])) rule = find_rule(subchild.__acl__, 'system.Authenticated') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'system.Authenticated') self.assertEqual(rule[2], ['view']) rule = subchild.__acl__[-1] self.assertEqual(rule[0], 'Deny') self.assertEqual(rule[1], 'system.Everyone') self.assertEqual(rule[2], ALL_PERMISSIONS) # Principal roles get inherited even if some parent does not provide # principal roles child = node['no_principal_roles'] = BaseNode() subchild = child['no_principal_roles'] = MyPrincipalACLNode() self.assertEqual( sorted(subchild.aggregated_roles_for('group:some_group')), sorted(['manager', 'editor']) ) # If principal role found which is not provided by plumbing endpoint # acl, this role does not grant any permissions node = MyPrincipalACLNode() node.principal_roles['someuser'] = ['inexistent_role'] rule = find_rule(node.__acl__, 'someuser') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'someuser') self.assertEqual(rule[2], []) rule = find_rule(node.__acl__, 'system.Authenticated') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'system.Authenticated') self.assertEqual(rule[2], ['view']) rule = find_rule(node.__acl__, 'role:viewer') self.assertEqual(rule[0], 'Allow') self.assertEqual(rule[1], 'role:viewer') self.assertEqual(sorted(rule[2]), sorted(['view', 'list'])) rule = node.__acl__[-1] self.assertEqual(rule[0], 'Deny') self.assertEqual(rule[1], 'system.Everyone') self.assertEqual(rule[2], ALL_PERMISSIONS) self.assertEqual( node.__acl__[-1], ('Deny', 'system.Everyone', ALL_PERMISSIONS) )