def test_apply(self, extra_principals, root):
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
request = DummyRequest()
request.params['apply'] = u''
share_node(root, request)
assert (request.session.pop_flash('info') == [
u'No changes were made.'
])
assert list_groups('bob', root) == []
set_groups('bob', root, ['role:special'])
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
share_node(root, request)
assert (request.session.pop_flash('success') == [
u'Your changes have been saved.'
])
assert (set(list_groups(
'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params['role::bob::role:admin'] = u'1'
request.params['orig-role::bob::role:admin'] = u''
with raises(Forbidden):
share_node(root, request)
assert (set(list_groups(
'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
def test_apply(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
self.add_some_principals()
request.params['apply'] = u''
share_node(root, request)
self.assertEqual(request.session.pop_flash('info'),
[u'No changes made.'])
self.assertEqual(list_groups('bob', root), [])
set_groups('bob', root, ['role:special'])
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
share_node(root, request)
self.assertEqual(request.session.pop_flash('success'),
[u'Your changes have been saved.'])
self.assertEqual(set(list_groups('bob', root)),
set(['role:owner', 'role:editor', 'role:special']))
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params['role::bob::role:admin'] = u'1'
request.params['orig-role::bob::role:admin'] = u''
self.assertRaises(Forbidden, share_node, root, request)
self.assertEqual(set(list_groups('bob', root)),
set(['role:owner', 'role:editor', 'role:special']))
def test_apply(self, extra_principals, root):
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
request = DummyRequest()
request.params['apply'] = ''
share_node(root, request)
assert (request.session.pop_flash('info') == ['No changes were made.'])
assert list_groups('bob', root) == []
set_groups('bob', root, ['role:special'])
request.params['role::bob::role:owner'] = '1'
request.params['role::bob::role:editor'] = '1'
request.params['orig-role::bob::role:owner'] = ''
request.params['orig-role::bob::role:editor'] = ''
share_node(root, request)
assert (request.session.pop_flash('success') == [
'Your changes have been saved.'
])
assert (set(list_groups(
'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params['role::bob::role:admin'] = '1'
request.params['orig-role::bob::role:admin'] = ''
with raises(Forbidden):
share_node(root, request)
assert (set(list_groups(
'bob', root)) == {'role:owner', 'role:editor', 'role:special'})
def test_apply(self):
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
self.add_some_principals()
request.params['apply'] = u''
share_node(root, request)
self.assertEqual(
request.session.pop_flash('notice'), [u'No changes made.'])
self.assertEqual(list_groups('bob', root), [])
set_groups('bob', root, ['role:special'])
request.params['role::bob::role:owner'] = u'1'
request.params['role::bob::role:editor'] = u'1'
request.params['orig-role::bob::role:owner'] = u''
request.params['orig-role::bob::role:editor'] = u''
share_node(root, request)
self.assertEqual(
request.session.pop_flash('success'),
[u'Your changes have been saved.'])
self.assertEqual(
set(list_groups('bob', root)),
set(['role:owner', 'role:editor', 'role:special']))
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params['role::bob::role:admin'] = u'1'
request.params['orig-role::bob::role:admin'] = u''
self.assertRaises(Forbidden, share_node, root, request)
self.assertEqual(
set(list_groups('bob', root)),
set(['role:owner', 'role:editor', 'role:special']))
def share_node(context, request):
# Allow roles_form_handler to do processing on 'apply':
if 'apply' in request.POST:
if request.params.get('csrf_token') != request.session.get_csrf_token():
raise HTTPBadRequest('Invalid CSRF token')
changed = roles_form_handler(
context, request, SHARING_ROLES, list_groups_raw)
if changed:
for (principal_name, context, groups) in changed:
set_groups(principal_name, context, groups)
return HTTPFound(location=request.url)
existing = map_principals_with_local_roles(context)
def with_roles(entry):
all_groups = entry[1][0]
return len([g for g in all_groups if g.startswith('role:')]) > 0
existing = [e for e in filter(with_roles, existing)]
seen = set([entry[0].name for entry in existing])
# Allow search to take place and add some entries:
entries = list(existing) + search_principals(request, context, ignore=seen)
available_roles = [ROLES[role_name] for role_name in SHARING_ROLES]
return {
'entries': entries,
'available_roles': available_roles,
'csrf_token': request.session.get_csrf_token()
}
def test_copy_local_groups(self, db_session, root):
from kotti.security import principals_with_local_roles
from kotti.security import set_groups
self.test_principals_with_local_roles(db_session, root)
child = root[u'child']
assert (
set(principals_with_local_roles(child)) ==
set(['bob', 'group:bobsgroup', 'group:franksgroup'])
)
# We make a copy of 'child', and we expect the local roles set
# on 'child' to not be copied over:
child2 = root['child2'] = child.copy()
db_session.flush()
assert (
set(principals_with_local_roles(child2)) ==
set([u'bob', u'group:franksgroup']))
assert len(principals_with_local_roles(child)) == 3
# When we now change the local roles of 'child', the copy is
# unaffected:
set_groups('group:bobsgroup', child, [])
assert len(principals_with_local_roles(child)) == 2
assert len(principals_with_local_roles(child2)) == 2
def share_node(context, request):
# Allow roles_form_handler to do processing on 'apply':
changed = roles_form_handler(
context, request, SHARING_ROLES, list_groups_raw)
if changed:
for (principal_name, context, groups) in changed:
set_groups(principal_name, context, groups)
return HTTPFound(location=request.url)
existing = map_principals_with_local_roles(context)
def with_roles(entry):
all_groups = entry[1][0]
return [g for g in all_groups if g.startswith('role:')]
existing = filter(with_roles, existing)
seen = set([entry[0].name for entry in existing])
# Allow search to take place and add some entries:
entries = existing + search_principals(request, context, ignore=seen)
available_roles = [ROLES[role_name] for role_name in SHARING_ROLES]
return {
'entries': entries,
'available_roles': available_roles,
}
def test_groups_from_users(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import set_groups
self.make_bob()
root = get_root()
child = root[u'child'] = Node()
DBSession.flush()
self.assertEqual(list_groups('bob', root), ['group:bobsgroup'])
set_groups('group:bobsgroup', root, ['role:editor'])
set_groups('role:editor', child, ['group:foogroup'])
self.assertEqual(
set(list_groups('bob', root)),
set(['group:bobsgroup', 'role:editor'])
)
self.assertEqual(
set(list_groups('bob', child)),
set(['group:bobsgroup', 'role:editor', 'group:foogroup'])
)
def share_node(context, request):
# Allow roles_form_handler to do processing on 'apply':
if "apply" in request.POST:
if request.params.get(
"csrf_token") != request.session.get_csrf_token():
raise HTTPBadRequest("Invalid CSRF token")
changed = roles_form_handler(context, request, SHARING_ROLES,
list_groups_raw)
if changed:
for (principal_name, context, groups) in changed:
set_groups(principal_name, context, groups)
return HTTPFound(location=request.url)
existing = map_principals_with_local_roles(context)
def with_roles(entry):
all_groups = entry[1][0]
return len([g for g in all_groups if g.startswith("role:")]) > 0
existing = [e for e in filter(with_roles, existing)]
seen = {entry[0].name for entry in existing}
# Allow search to take place and add some entries:
entries = list(existing) + search_principals(request, context, ignore=seen)
available_roles = [ROLES[role_name] for role_name in SHARING_ROLES]
return {
"entries": entries,
"available_roles": available_roles,
"csrf_token": request.session.get_csrf_token(),
}
def test_copy_local_groups(self, db_session, root):
from kotti.security import principals_with_local_roles
from kotti.security import set_groups
self.test_principals_with_local_roles(db_session, root)
child = root["child"]
assert set(principals_with_local_roles(child)) == {
"bob",
"group:bobsgroup",
"group:franksgroup",
}
# We make a copy of 'child', and we expect the local roles set
# on 'child' to not be copied over:
child2 = root["child2"] = child.copy()
db_session.flush()
assert set(principals_with_local_roles(child2)) == {
"bob", "group:franksgroup"
}
assert len(principals_with_local_roles(child)) == 3
# When we now change the local roles of 'child', the copy is
# unaffected:
set_groups("group:bobsgroup", child, [])
assert len(principals_with_local_roles(child)) == 2
assert len(principals_with_local_roles(child2)) == 2
def test_inherit(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
child = root[u'child'] = Node()
DBSession.flush()
self.assertEqual(list_groups('bob', child), [])
set_groups('bob', root, ['role:editor'])
self.assertEqual(list_groups('bob', child), ['role:editor'])
# Groups from the child are added:
set_groups('bob', child, ['group:somegroup'])
self.assertEqual(
set(list_groups('bob', child)),
set(['group:somegroup', 'role:editor'])
)
# We can ask to list only those groups that are defined locally:
self.assertEqual(
list_groups_raw(u'bob', child), set(['group:somegroup']))
def test_copy_local_groups(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.security import principals_with_local_roles
from kotti.security import set_groups
self.test_principals_with_local_roles()
root = get_root()
child = root[u'child']
self.assertEqual(set(principals_with_local_roles(child)),
set(['bob', 'group:bobsgroup', 'group:franksgroup']))
# We make a copy of 'child', and we expect the local roles set
# on 'child' to not be copied over:
child2 = root['child2'] = child.copy()
DBSession.flush()
self.assertEqual(
set(principals_with_local_roles(child2)),
set([u'bob', u'group:franksgroup']),
)
self.assertEqual(len(principals_with_local_roles(child)), 3)
# When we now change the local roles of 'child', the copy is
# unaffected:
set_groups('group:bobsgroup', child, [])
self.assertEqual(len(principals_with_local_roles(child)), 2)
self.assertEqual(len(principals_with_local_roles(child2)), 2)
def share_node(context, request):
# Allow roles_form_handler to do processing on 'apply':
changed = roles_form_handler(context, request, SHARING_ROLES,
list_groups_raw)
if changed:
for (principal_name, context, groups) in changed:
set_groups(principal_name, context, groups)
return HTTPFound(location=request.url)
existing = map_principals_with_local_roles(context)
def with_roles(entry):
all_groups = entry[1][0]
return [g for g in all_groups if g.startswith('role:')]
existing = filter(with_roles, existing)
seen = set([entry[0].name for entry in existing])
# Allow search to take place and add some entries:
entries = existing + search_principals(request, context, ignore=seen)
available_roles = [ROLES[role_name] for role_name in SHARING_ROLES]
return {
'entries': entries,
'available_roles': available_roles,
}
def add_some_groups(db_session, root):
from kotti.resources import Node
from kotti.security import set_groups
child = root["child"] = Node()
grandchild = child["grandchild"] = Node()
db_session.flush()
# root:
# bob -> group:bobsgroup
# frank -> group:franksgroup
# group:franksgroup -> role:editor
# child:
# group:bobsgroup -> group:franksgroup
# grandchild:
# group:franksgroup -> role:admin
# group:franksgroup -> group:bobsgroup
# bob and frank are a site-wide members of their respective groups:
set_groups("bob", root, ["group:bobsgroup"])
set_groups("frank", root, ["group:franksgroup"])
# franksgroup has a site-wide editor role:
set_groups("group:franksgroup", root, ["role:editor"])
# bobsgroup is part of franksgroup on the child level:
set_groups("group:bobsgroup", child, ["group:franksgroup"])
# franksgroup has the admin role on the grandchild.
# and finally, to test recursion, we make franksgroup part of
# bobsgroup on the grandchild level:
set_groups("group:franksgroup", grandchild,
["role:owner", "group:bobsgroup"])
def test_apply(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import set_groups
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
self.add_some_principals()
request.params["apply"] = u""
share_node(root, request)
self.assertEqual(request.session.pop_flash("info"), [u"No changes made."])
self.assertEqual(list_groups("bob", root), [])
set_groups("bob", root, ["role:special"])
request.params["role::bob::role:owner"] = u"1"
request.params["role::bob::role:editor"] = u"1"
request.params["orig-role::bob::role:owner"] = u""
request.params["orig-role::bob::role:editor"] = u""
share_node(root, request)
self.assertEqual(request.session.pop_flash("success"), [u"Your changes have been saved."])
self.assertEqual(set(list_groups("bob", root)), set(["role:owner", "role:editor", "role:special"]))
# We cannot set a role that's not displayed, even if we forged
# the request:
request.params["role::bob::role:admin"] = u"1"
request.params["orig-role::bob::role:admin"] = u""
self.assertRaises(Forbidden, share_node, root, request)
self.assertEqual(set(list_groups("bob", root)), set(["role:owner", "role:editor", "role:special"]))
def test_simple(self):
root = get_root()
set_groups('bob', root, ['role:editor'])
self.assertEqual(
list_groups('bob', root), ['role:editor'])
self.assertEqual(
list_groups_raw('bob', root), ['role:editor'])
def test_copy_local_groups(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.security import principals_with_local_roles
from kotti.security import set_groups
self.test_principals_with_local_roles()
root = get_root()
child = root[u'child']
self.assertEqual(
set(principals_with_local_roles(child)),
set(['bob', 'group:bobsgroup', 'group:franksgroup'])
)
# We make a copy of 'child', and we expect the local roles set
# on 'child' to not be copied over:
child2 = root['child2'] = child.copy()
DBSession.flush()
self.assertEqual(
set(principals_with_local_roles(child2)),
set([u'bob', u'group:franksgroup']),
)
self.assertEqual(len(principals_with_local_roles(child)), 3)
# When we now change the local roles of 'child', the copy is
# unaffected:
set_groups('group:bobsgroup', child, [])
self.assertEqual(len(principals_with_local_roles(child)), 2)
self.assertEqual(len(principals_with_local_roles(child2)), 2)
def add_some_groups(db_session, root):
from kotti.resources import Node
from kotti.security import set_groups
child = root[u'child'] = Node()
grandchild = child[u'grandchild'] = Node()
db_session.flush()
# root:
# bob -> group:bobsgroup
# frank -> group:franksgroup
# group:franksgroup -> role:editor
# child:
# group:bobsgroup -> group:franksgroup
# grandchild:
# group:franksgroup -> role:admin
# group:franksgroup -> group:bobsgroup
# bob and frank are a site-wide members of their respective groups:
set_groups('bob', root, ['group:bobsgroup'])
set_groups('frank', root, ['group:franksgroup'])
# franksgroup has a site-wide editor role:
set_groups('group:franksgroup', root, ['role:editor'])
# bobsgroup is part of franksgroup on the child level:
set_groups('group:bobsgroup', child, ['group:franksgroup'])
# franksgroup has the admin role on the grandchild.
# and finally, to test recursion, we make franksgroup part of
# bobsgroup on the grandchild level:
set_groups('group:franksgroup', grandchild,
['role:owner', 'group:bobsgroup'])
def test_simple(self, db_session, root):
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', root) == ['role:editor']
assert list_groups_raw(u'bob', root) == {'role:editor'}
def test_simple(self, db_session, root):
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
set_groups("bob", root, ["role:editor"])
assert list_groups("bob", root) == ["role:editor"]
assert list_groups_raw("bob", root) == {"role:editor"}
def test_simple(self, db_session, root):
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', root) == ['role:editor']
assert list_groups_raw(u'bob', root) == set(['role:editor'])
def test_works_with_auth(self):
session = DBSession()
root = get_root()
child = root[u'child'] = Node()
session.flush()
request = DummyRequest()
auth = CallbackAuthenticationPolicy()
auth.unauthenticated_userid = lambda *args: 'bob'
auth.callback = list_groups_callback
request.context = root
self.assertEqual( # user doesn't exist yet
auth.effective_principals(request),
['system.Everyone']
)
get_principals()[u'bob'] = dict(name=u'bob')
self.assertEqual(
auth.effective_principals(request),
['system.Everyone', 'system.Authenticated', 'bob']
)
# Define that bob belongs to bobsgroup on the root level:
set_groups('bob', root, ['group:bobsgroup'])
request.context = child
self.assertEqual(
set(auth.effective_principals(request)), set([
'system.Everyone', 'system.Authenticated',
'bob', 'group:bobsgroup'
])
)
# define that bob belongs to franksgroup in the user db:
get_principals()[u'bob'].groups = [u'group:franksgroup']
set_groups('group:franksgroup', child, ['group:anothergroup'])
self.assertEqual(
set(auth.effective_principals(request)), set([
'system.Everyone', 'system.Authenticated',
'bob', 'group:bobsgroup', 'group:franksgroup',
'group:anothergroup',
])
)
# And lastly test that circular group defintions are not a
# problem here either:
get_principals()[u'group:franksgroup'] = dict(
name=u'group:franksgroup',
title=u"Frank's group",
groups=[u'group:funnygroup', u'group:bobsgroup'],
)
self.assertEqual(
set(auth.effective_principals(request)), set([
'system.Everyone', 'system.Authenticated',
'bob', 'group:bobsgroup', 'group:franksgroup',
'group:anothergroup', 'group:funnygroup',
])
)
def test_works_with_auth(self, db_session, root):
from kotti.resources import Node
from kotti.security import get_principals
from kotti.security import list_groups_callback
from kotti.security import set_groups
child = root[u'child'] = Node()
db_session.flush()
request = DummyRequest()
auth = CallbackAuthenticationPolicy()
auth.unauthenticated_userid = lambda *args: 'bob'
auth.callback = list_groups_callback
request.context = root
assert ( # user doesn't exist yet
auth.effective_principals(request) == ['system.Everyone'])
get_principals()[u'bob'] = dict(name=u'bob')
assert (auth.effective_principals(request) == [
'system.Everyone', 'system.Authenticated', 'bob'
])
# Define that bob belongs to bobsgroup on the root level:
set_groups('bob', root, ['group:bobsgroup'])
request.context = child
assert (set(auth.effective_principals(request)) == set([
'system.Everyone', 'system.Authenticated', 'bob', 'group:bobsgroup'
]))
# define that bob belongs to franksgroup in the user db:
get_principals()[u'bob'].groups = [u'group:franksgroup']
set_groups('group:franksgroup', child, ['group:anothergroup'])
assert (set(auth.effective_principals(request)) == set([
'system.Everyone',
'system.Authenticated',
'bob',
'group:bobsgroup',
'group:franksgroup',
'group:anothergroup',
]))
# And lastly test that circular group defintions are not a
# problem here either:
get_principals()[u'group:franksgroup'] = dict(
name=u'group:franksgroup',
title=u"Frank's group",
groups=[u'group:funnygroup', u'group:bobsgroup'],
)
assert (set(auth.effective_principals(request)) == set([
'system.Everyone',
'system.Authenticated',
'bob',
'group:bobsgroup',
'group:franksgroup',
'group:anothergroup',
'group:funnygroup',
]))
def test_simple(self, db_session):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', root) == ['role:editor']
assert list_groups_raw(u'bob', root) == set(['role:editor'])
def test_simple(self, db_session):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', root) == ['role:editor']
assert list_groups_raw(u'bob', root) == set(['role:editor'])
def test_simple(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
set_groups('bob', root, ['role:editor'])
self.assertEqual(list_groups('bob', root), ['role:editor'])
self.assertEqual(list_groups_raw(u'bob', root), set(['role:editor']))
def set_owner(event):
obj, request = event.object, event.request
if request is not None and isinstance(obj, Node) and obj.owner is None:
userid = authenticated_userid(request)
if userid is not None:
# Set owner metadata:
obj.owner = userid
# Add owner role for userid if it's not inherited already:
if u'role:owner' not in list_groups(userid, obj):
groups = list_groups_raw(userid, obj) | set([u'role:owner'])
set_groups(userid, obj, groups)
def set_owner(event):
obj, request = event.object, event.request
if request is not None and isinstance(obj, Node) and obj.owner is None:
userid = authenticated_userid(request)
if userid is not None:
userid = unicode(userid)
# Set owner metadata:
obj.owner = userid
# Add owner role for userid if it's not inherited already:
if u'role:owner' not in list_groups(userid, obj):
groups = list_groups_raw(userid, obj) | set([u'role:owner'])
set_groups(userid, obj, groups)
def test_simple(self):
from kotti.resources import get_root
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
root = get_root()
set_groups('bob', root, ['role:editor'])
self.assertEqual(
list_groups('bob', root), ['role:editor'])
self.assertEqual(
list_groups_raw(u'bob', root), set(['role:editor']))
def test_search(self, extra_principals, root, db_session):
from kotti.security import get_principals
from kotti.security import set_groups
from kotti.testing import DummyRequest
from kotti.views.users import share_node
request = DummyRequest()
P = get_principals()
# Search for "Bob", which will return both the user and the
# group, both of which have no roles:
request.params['search'] = ''
request.params['query'] = 'Bob'
entries = share_node(root, request)['entries']
assert len(entries) == 2
assert entries[0][0] == P['bob']
assert entries[0][1] == ([], [])
assert entries[1][0] == P['group:bobsgroup']
assert entries[1][1] == ([], [])
# We make Bob an Editor in this context, and Bob's Group
# becomes global Admin:
set_groups('bob', root, ['role:editor'])
db_session.flush()
P['group:bobsgroup'].groups = ['role:admin']
db_session.flush()
entries = share_node(root, request)['entries']
assert len(entries) == 2
assert entries[0][0] == P['bob']
assert entries[0][1] == (['role:editor'], [])
assert entries[1][0] == P['group:bobsgroup']
assert entries[1][1] == (['role:admin'], ['role:admin'])
# A search that doesn't return any items will still include
# entries with existing local roles:
request.params['query'] = 'Weeee'
entries = share_node(root, request)['entries']
assert len(entries) == 1
assert entries[0][0] == P['bob']
assert entries[0][1] == (['role:editor'], [])
assert (request.session.pop_flash('info') == [
'No users or groups were found.'
])
# It does not, however, include entries that have local group
# assignments only:
set_groups('frank', root, ['group:franksgroup'])
request.params['query'] = 'Weeee'
entries = share_node(root, request)['entries']
assert len(entries) == 1
assert entries[0][0] == P['bob']
def test_search(self):
from kotti.resources import get_root
from kotti.security import get_principals
from kotti.security import set_groups
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
P = get_principals()
self.add_some_principals()
# Search for "Bob", which will return both the user and the
# group, both of which have no roles:
request.params['search'] = u''
request.params['query'] = u'Bob'
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 2)
self.assertEqual(entries[0][0], P['bob'])
self.assertEqual(entries[0][1], ([], []))
self.assertEqual(entries[1][0], P['group:bobsgroup'])
self.assertEqual(entries[1][1], ([], []))
# We make Bob an Editor in this context, and Bob's Group
# becomes global Admin:
set_groups(u'bob', root, [u'role:editor'])
P[u'group:bobsgroup'].groups = [u'role:admin']
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 2)
self.assertEqual(entries[0][0], P['bob'])
self.assertEqual(entries[0][1], ([u'role:editor'], []))
self.assertEqual(entries[1][0], P['group:bobsgroup'])
self.assertEqual(entries[1][1], ([u'role:admin'], [u'role:admin']))
# A search that doesn't return any items will still include
# entries with existing local roles:
request.params['query'] = u'Weeee'
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0][0], P[u'bob'])
self.assertEqual(entries[0][1], ([u'role:editor'], []))
self.assertEqual(request.session.pop_flash('info'),
[u'No users or groups found.'])
# It does not, however, include entries that have local group
# assignments only:
set_groups(u'frank', root, [u'group:franksgroup'])
request.params['query'] = u'Weeee'
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0][0], P['bob'])
def populate_root_document():
if DBSession.query(Node).count() == 0:
root = Document(name=u'', title=u'Front Page')
root.__acl__ = SITE_ACL
root.default_view = 'front-page'
DBSession.add(root)
url = JOB_CONTAINERS['url']
root[url] = Document(title=u'Job Containers', owner=u'admin')
set_groups(u'admin', root[url], set([u'role:owner']))
wf = get_workflow(root)
if wf is not None:
DBSession.flush() # Initializes workflow
wf.transition_to_state(root, None, u'public')
def test_search(self):
from kotti.resources import get_root
from kotti.security import get_principals
from kotti.security import set_groups
from kotti.views.users import share_node
root = get_root()
request = DummyRequest()
P = get_principals()
self.add_some_principals()
# Search for "Bob", which will return both the user and the
# group, both of which have no roles:
request.params['search'] = u''
request.params['query'] = u'Bob'
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 2)
self.assertEqual(entries[0][0], P['bob'])
self.assertEqual(entries[0][1], ([], []))
self.assertEqual(entries[1][0], P['group:bobsgroup'])
self.assertEqual(entries[1][1], ([], []))
# We make Bob an Editor in this context, and Bob's Group
# becomes global Admin:
set_groups(u'bob', root, [u'role:editor'])
P[u'group:bobsgroup'].groups = [u'role:admin']
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 2)
self.assertEqual(entries[0][0], P['bob'])
self.assertEqual(entries[0][1], ([u'role:editor'], []))
self.assertEqual(entries[1][0], P['group:bobsgroup'])
self.assertEqual(entries[1][1], ([u'role:admin'], [u'role:admin']))
# A search that doesn't return any items will still include
# entries with existing local roles:
request.params['query'] = u'Weeee'
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0][0], P[u'bob'])
self.assertEqual(entries[0][1], ([u'role:editor'], []))
self.assertEqual(request.session.pop_flash('info'),
[u'No users or groups found.'])
# It does not, however, include entries that have local group
# assignments only:
set_groups(u'frank', root, [u'group:franksgroup'])
request.params['query'] = u'Weeee'
entries = share_node(root, request)['entries']
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0][0], P['bob'])
def test_search(self, extra_principals, root, db_session):
from kotti.security import get_principals
from kotti.security import set_groups
from kotti.testing import DummyRequest
from kotti.views.users import share_node
request = DummyRequest()
P = get_principals()
# Search for "Bob", which will return both the user and the
# group, both of which have no roles:
request.params['search'] = ''
request.params['query'] = 'Bob'
entries = share_node(root, request)['entries']
assert len(entries) == 2
assert entries[0][0] == P['bob']
assert entries[0][1] == ([], [])
assert entries[1][0] == P['group:bobsgroup']
assert entries[1][1] == ([], [])
# We make Bob an Editor in this context, and Bob's Group
# becomes global Admin:
set_groups('bob', root, ['role:editor'])
db_session.flush()
P['group:bobsgroup'].groups = ['role:admin']
db_session.flush()
entries = share_node(root, request)['entries']
assert len(entries) == 2
assert entries[0][0] == P['bob']
assert entries[0][1] == (['role:editor'], [])
assert entries[1][0] == P['group:bobsgroup']
assert entries[1][1] == (['role:admin'], ['role:admin'])
# A search that doesn't return any items will still include
# entries with existing local roles:
request.params['query'] = 'Weeee'
entries = share_node(root, request)['entries']
assert len(entries) == 1
assert entries[0][0] == P['bob']
assert entries[0][1] == (['role:editor'], [])
assert (request.session.pop_flash('info') ==
['No users or groups were found.'])
# It does not, however, include entries that have local group
# assignments only:
set_groups('frank', root, ['group:franksgroup'])
request.params['query'] = 'Weeee'
entries = share_node(root, request)['entries']
assert len(entries) == 1
assert entries[0][0] == P['bob']
def test_search(self, extra_principals, root, db_session):
from kotti.security import get_principals
from kotti.security import set_groups
from kotti.testing import DummyRequest
from kotti.views.users import share_node
request = DummyRequest()
P = get_principals()
# Search for "Bob", which will return both the user and the
# group, both of which have no roles:
request.params["search"] = ""
request.params["query"] = "Bob"
entries = share_node(root, request)["entries"]
assert len(entries) == 2
assert entries[0][0] == P["bob"]
assert entries[0][1] == ([], [])
assert entries[1][0] == P["group:bobsgroup"]
assert entries[1][1] == ([], [])
# We make Bob an Editor in this context, and Bob's Group
# becomes global Admin:
set_groups("bob", root, ["role:editor"])
db_session.flush()
P["group:bobsgroup"].groups = ["role:admin"]
db_session.flush()
entries = share_node(root, request)["entries"]
assert len(entries) == 2
assert entries[0][0] == P["bob"]
assert entries[0][1] == (["role:editor"], [])
assert entries[1][0] == P["group:bobsgroup"]
assert entries[1][1] == (["role:admin"], ["role:admin"])
# A search that doesn't return any items will still include
# entries with existing local roles:
request.params["query"] = "Weeee"
entries = share_node(root, request)["entries"]
assert len(entries) == 1
assert entries[0][0] == P["bob"]
assert entries[0][1] == (["role:editor"], [])
assert request.session.pop_flash("info") == ["No users or groups were found."]
# It does not, however, include entries that have local group
# assignments only:
set_groups("frank", root, ["group:franksgroup"])
request.params["query"] = "Weeee"
entries = share_node(root, request)["entries"]
assert len(entries) == 1
assert entries[0][0] == P["bob"]
def test_deleted_group_removed_from_localgroups(self, events, extra_principals, root):
from kotti.security import set_groups
from kotti.resources import LocalGroup
from kotti.views.users import user_delete
request = DummyRequest()
set_groups(u'group:bobsgroup', root, ['role:admin'])
local_group = LocalGroup.query.first()
assert local_group.principal_name == u'group:bobsgroup'
assert local_group.node == root
request.params['name'] = u'group:bobsgroup'
request.params['delete'] = u'delete'
user_delete(root, request)
assert LocalGroup.query.first() == None
def test_deleted_group_removed_from_localgroups(self, events,
extra_principals, root):
from kotti.security import set_groups
from kotti.resources import LocalGroup
from kotti.views.users import user_delete
request = DummyRequest()
set_groups("group:bobsgroup", root, ["role:admin"])
local_group = LocalGroup.query.first()
assert local_group.principal_name == "group:bobsgroup"
assert local_group.node == root
request.params["name"] = "group:bobsgroup"
request.params["delete"] = "delete"
user_delete(root, request)
assert LocalGroup.query.first() is None
def test_deleted_group_removed_from_localgroups(self, events,
extra_principals, root):
from kotti.security import set_groups
from kotti.resources import LocalGroup
from kotti.views.users import user_delete
request = DummyRequest()
set_groups('group:bobsgroup', root, ['role:admin'])
local_group = LocalGroup.query.first()
assert local_group.principal_name == 'group:bobsgroup'
assert local_group.node == root
request.params['name'] = 'group:bobsgroup'
request.params['delete'] = 'delete'
user_delete(root, request)
assert LocalGroup.query.first() is None
def test_deleted_group_removed_from_localgroups(
self, events, extra_principals, root
):
from kotti.security import set_groups
from kotti.resources import LocalGroup
from kotti.views.users import user_delete
request = DummyRequest()
set_groups("group:bobsgroup", root, ["role:admin"])
local_group = LocalGroup.query.first()
assert local_group.principal_name == "group:bobsgroup"
assert local_group.node == root
request.params["name"] = "group:bobsgroup"
request.params["delete"] = "delete"
user_delete(root, request)
assert LocalGroup.query.first() is None
def test_local_roles_db_cascade(self, db_session, root):
from kotti.resources import LocalGroup
from kotti.resources import Node
from kotti.security import set_groups
child = root["child"] = Node()
db_session.flush()
# We set a local group on child and delete child. We then
# expect the LocalGroup entry to have been deleted from the
# database:
assert db_session.query(LocalGroup).count() == 0
set_groups("group:bobsgroup", child, ["role:editor"])
assert db_session.query(LocalGroup).count() == 1
del root["child"]
db_session.flush()
assert db_session.query(LocalGroup).count() == 0
def test_local_roles_db_cascade(self, db_session, root):
from kotti.resources import LocalGroup
from kotti.resources import Node
from kotti.security import set_groups
child = root[u'child'] = Node()
db_session.flush()
# We set a local group on child and delete child. We then
# expect the LocalGroup entry to have been deleted from the
# database:
assert db_session.query(LocalGroup).count() == 0
set_groups('group:bobsgroup', child, ['role:editor'])
assert db_session.query(LocalGroup).count() == 1
del root[u'child']
db_session.flush()
assert db_session.query(LocalGroup).count() == 0
def test_groups_from_users(self, db_session, root):
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import set_groups
self.make_bob()
child = root[u'child'] = Node()
db_session.flush()
assert list_groups('bob', root) == ['group:bobsgroup']
set_groups('group:bobsgroup', root, ['role:editor'])
set_groups('role:editor', child, ['group:foogroup'])
assert (set(list_groups('bob', root)) == set(
['group:bobsgroup', 'role:editor']))
assert (set(list_groups('bob', child)) == set(
['group:bobsgroup', 'role:editor', 'group:foogroup']))
def test_deleted_group_removed_from_localgroups(self, events, extra_principals):
from kotti import DBSession
from kotti.resources import get_root
from kotti.security import set_groups
from kotti.resources import LocalGroup
from kotti.views.users import user_delete
root = get_root()
request = DummyRequest()
set_groups(u'group:bobsgroup', root, ['role:admin'])
local_group = DBSession.query(LocalGroup).first()
assert local_group.principal_name == u'group:bobsgroup'
assert local_group.node == root
request.params['name'] = u'group:bobsgroup'
request.params['delete'] = u'delete'
user_delete(root, request)
assert DBSession.query(LocalGroup).first() == None
def test_groups_from_users(self, db_session, root):
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import set_groups
self.make_bob()
child = root[u'child'] = Node()
db_session.flush()
assert list_groups('bob', root) == ['group:bobsgroup']
set_groups('group:bobsgroup', root, ['role:editor'])
set_groups('role:editor', child, ['group:foogroup'])
assert (set(list_groups('bob', root)) ==
set(['group:bobsgroup', 'role:editor']))
assert (set(list_groups('bob', child)) ==
set(['group:bobsgroup', 'role:editor', 'group:foogroup']))
def set_owner(event):
"""Set ``owner`` of the object that triggered the event.
:param event: event that trigerred this handler.
:type event: :class:`ObjectInsert`
"""
obj, request = event.object, event.request
if request is not None and isinstance(obj, Node) and obj.owner is None:
userid = request.authenticated_userid
if userid is not None:
userid = unicode(userid)
# Set owner metadata:
obj.owner = userid
# Add owner role for userid if it's not inherited already:
if u'role:owner' not in list_groups(userid, obj):
groups = list_groups_raw(userid, obj) | set([u'role:owner'])
set_groups(userid, obj, groups)
def test_inherit(self):
session = DBSession()
root = get_root()
child = root[u'child'] = Node()
session.flush()
self.assertEqual(list_groups('bob', child), [])
set_groups('bob', root, ['role:editor'])
self.assertEqual(list_groups('bob', child), ['role:editor'])
# Groups from the child are added:
set_groups('bob', child, ['group:somegroup'])
self.assertEqual(
set(list_groups('bob', child)),
set(['group:somegroup', 'role:editor']))
# We can ask to list only those groups that are defined locally:
self.assertEqual(list_groups_raw('bob', child), ['group:somegroup'])
def set_owner(event):
"""Set ``owner`` of the object that triggered the event.
:param event: event that trigerred this handler.
:type event: :class:`ObjectInsert`
"""
obj, request = event.object, event.request
if request is not None and isinstance(obj, Node) and obj.owner is None:
userid = request.authenticated_userid
if userid is not None:
userid = unicode(userid)
# Set owner metadata:
obj.owner = userid
# Add owner role for userid if it's not inherited already:
if u'role:owner' not in list_groups(userid, obj):
groups = list_groups_raw(userid, obj) | set([u'role:owner'])
set_groups(userid, obj, groups)
def test_groups_from_users(self):
self.make_bob()
session = DBSession()
root = get_root()
child = root[u'child'] = Node()
session.flush()
self.assertEqual(list_groups('bob', root), ['group:bobsgroup'])
set_groups('group:bobsgroup', root, ['role:editor'])
set_groups('role:editor', child, ['group:foogroup'])
self.assertEqual(
set(list_groups('bob', root)),
set(['group:bobsgroup', 'role:editor']))
self.assertEqual(
set(list_groups('bob', child)),
set(['group:bobsgroup', 'role:editor', 'group:foogroup']))
def test_inherit(self, db_session, root):
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
child = root["child"] = Node()
db_session.flush()
assert list_groups("bob", child) == []
set_groups("bob", root, ["role:editor"])
assert list_groups("bob", child) == ["role:editor"]
# Groups from the child are added:
set_groups("bob", child, ["group:somegroup"])
assert set(list_groups("bob", child)) == {"group:somegroup", "role:editor"}
# We can ask to list only those groups that are defined locally:
assert list_groups_raw("bob", child) == {"group:somegroup"}
def test_groups_from_users(self, db_session, root):
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import set_groups
self.make_bob()
child = root["child"] = Node()
db_session.flush()
assert list_groups("bob", root) == ["group:bobsgroup"]
set_groups("group:bobsgroup", root, ["role:editor"])
set_groups("role:editor", child, ["group:foogroup"])
assert set(list_groups("bob", root)) == {"group:bobsgroup", "role:editor"}
assert set(list_groups("bob", child)) == {
"group:bobsgroup",
"role:editor",
"group:foogroup",
}
def test_deleted_group_removed_from_localgroups(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.security import set_groups
from kotti.resources import LocalGroup
from kotti.views.users import user_delete
from kotti.tests.test_node_views import TestNodeShare
root = get_root()
request = DummyRequest()
TestNodeShare.add_some_principals()
set_groups(u'group:bobsgroup', root, ['role:admin'])
local_group = DBSession.query(LocalGroup).first()
assert local_group.principal_name == u'group:bobsgroup'
assert local_group.node == root
request.params['name'] = u'group:bobsgroup'
request.params['delete'] = u'delete'
user_delete(root, request)
assert DBSession.query(LocalGroup).first() == None
def test_inherit(self, db_session, root):
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import list_groups_raw
from kotti.security import set_groups
child = root[u'child'] = Node()
db_session.flush()
assert list_groups('bob', child) == []
set_groups('bob', root, ['role:editor'])
assert list_groups('bob', child) == ['role:editor']
# Groups from the child are added:
set_groups('bob', child, ['group:somegroup'])
assert (set(list_groups('bob',
child)) == {'group:somegroup', 'role:editor'})
# We can ask to list only those groups that are defined locally:
assert list_groups_raw(u'bob', child) == {'group:somegroup'}
def test_local_roles_db_cascade(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import LocalGroup
from kotti.resources import Node
from kotti.security import set_groups
root = get_root()
child = root[u'child'] = Node()
DBSession.flush()
# We set a local group on child and delete child. We then
# expect the LocalGroup entry to have been deleted from the
# database:
self.assertEqual(DBSession.query(LocalGroup).count(), 0)
set_groups('group:bobsgroup', child, ['role:editor'])
self.assertEqual(DBSession.query(LocalGroup).count(), 1)
del root[u'child']
DBSession.flush()
self.assertEqual(DBSession.query(LocalGroup).count(), 0)
def test_local_roles_db_cascade(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import LocalGroup
from kotti.resources import Node
from kotti.security import set_groups
root = get_root()
child = root[u'child'] = Node()
DBSession.flush()
# We set a local group on child and delete child. We then
# expect the LocalGroup entry to have been deleted from the
# database:
self.assertEqual(DBSession.query(LocalGroup).count(), 0)
set_groups('group:bobsgroup', child, ['role:editor'])
self.assertEqual(DBSession.query(LocalGroup).count(), 1)
del root[u'child']
DBSession.flush()
self.assertEqual(DBSession.query(LocalGroup).count(), 0)
def test_principals_with_local_roles(self, db_session, root):
from kotti.resources import Node
from kotti.security import map_principals_with_local_roles
from kotti.security import principals_with_local_roles
from kotti.security import set_groups
child = root[u'child'] = Node()
db_session.flush()
assert principals_with_local_roles(root) == []
assert principals_with_local_roles(child) == []
assert map_principals_with_local_roles(root) == []
assert map_principals_with_local_roles(child) == []
set_groups('group:bobsgroup', child, ['role:editor'])
set_groups('bob', root, ['group:bobsgroup'])
set_groups('group:franksgroup', root, ['role:editor'])
assert (set(principals_with_local_roles(child)) == {
'bob', 'group:bobsgroup', 'group:franksgroup'
})
assert (set(principals_with_local_roles(
child, inherit=False)) == {'group:bobsgroup'})
assert (set(
principals_with_local_roles(root)) == {'bob', 'group:franksgroup'})
def test_principals_with_local_roles(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Node
from kotti.security import map_principals_with_local_roles
from kotti.security import principals_with_local_roles
from kotti.security import set_groups
root = get_root()
child = root[u'child'] = Node()
DBSession.flush()
self.assertEqual(principals_with_local_roles(root), [])
self.assertEqual(principals_with_local_roles(child), [])
self.assertEqual(map_principals_with_local_roles(root), [])
self.assertEqual(map_principals_with_local_roles(child), [])
set_groups('group:bobsgroup', child, ['role:editor'])
set_groups('bob', root, ['group:bobsgroup'])
set_groups('group:franksgroup', root, ['role:editor'])
self.assertEqual(set(principals_with_local_roles(child)),
set(['bob', 'group:bobsgroup', 'group:franksgroup']))
self.assertEqual(
set(principals_with_local_roles(child, inherit=False)),
set(['group:bobsgroup']))
self.assertEqual(set(principals_with_local_roles(root)),
set(['bob', 'group:franksgroup']))
def test_principals_with_local_roles(self, db_session, root):
from kotti.resources import Node
from kotti.security import map_principals_with_local_roles
from kotti.security import principals_with_local_roles
from kotti.security import set_groups
child = root["child"] = Node()
db_session.flush()
assert principals_with_local_roles(root) == []
assert principals_with_local_roles(child) == []
assert map_principals_with_local_roles(root) == []
assert map_principals_with_local_roles(child) == []
set_groups("group:bobsgroup", child, ["role:editor"])
set_groups("bob", root, ["group:bobsgroup"])
set_groups("group:franksgroup", root, ["role:editor"])
assert set(principals_with_local_roles(child)) == {
"bob",
"group:bobsgroup",
"group:franksgroup",
}
assert set(principals_with_local_roles(
child, inherit=False)) == {"group:bobsgroup"}
assert set(
principals_with_local_roles(root)) == {"bob", "group:franksgroup"}
def test_principals_with_local_roles(self, db_session, root):
from kotti.resources import Node
from kotti.security import map_principals_with_local_roles
from kotti.security import principals_with_local_roles
from kotti.security import set_groups
child = root[u'child'] = Node()
db_session.flush()
assert principals_with_local_roles(root) == []
assert principals_with_local_roles(child) == []
assert map_principals_with_local_roles(root) == []
assert map_principals_with_local_roles(child) == []
set_groups('group:bobsgroup', child, ['role:editor'])
set_groups('bob', root, ['group:bobsgroup'])
set_groups('group:franksgroup', root, ['role:editor'])
assert (
set(principals_with_local_roles(child)) ==
set(['bob', 'group:bobsgroup', 'group:franksgroup'])
)
assert (
set(principals_with_local_roles(child, inherit=False)) ==
set(['group:bobsgroup'])
)
assert (
set(principals_with_local_roles(root)) ==
set(['bob', 'group:franksgroup'])
)
def test_groups_from_users(self):
from kotti import DBSession
from kotti.resources import get_root
from kotti.resources import Node
from kotti.security import list_groups
from kotti.security import set_groups
self.make_bob()
root = get_root()
child = root[u'child'] = Node()
DBSession.flush()
self.assertEqual(list_groups('bob', root), ['group:bobsgroup'])
set_groups('group:bobsgroup', root, ['role:editor'])
set_groups('role:editor', child, ['group:foogroup'])
self.assertEqual(set(list_groups('bob', root)),
set(['group:bobsgroup', 'role:editor']))
self.assertEqual(
set(list_groups('bob', child)),
set(['group:bobsgroup', 'role:editor', 'group:foogroup']))