def test_no_root_view_permissions(po_directory, nobody, default, admin, view,
no_permission_sets, no_projects, project_foo,
project_bar):
"""Tests user-accessible projects when there are no permissions set at
the root.
"""
ALL_PROJECTS = [project_foo.code, project_bar.code]
foo_user = UserFactory.create(username='******')
bar_user = UserFactory.create(username='******')
# By setting explicit `view` permissions for `foo_user` in `project_foo`,
# only `foo_user` will be able to access that project
_require_permission_set(foo_user, project_foo.directory, [view])
assert items_equal(Project.accessible_by_user(admin), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(foo_user),
[project_foo.code])
assert items_equal(Project.accessible_by_user(bar_user), [])
assert items_equal(Project.accessible_by_user(default), [])
assert items_equal(Project.accessible_by_user(nobody), [])
# Now let's allow showing `project_bar` to all registered users, but keep
# `project_foo` visible only to `foo_user`.
_require_permission_set(default, project_bar.directory, [view])
assert items_equal(Project.accessible_by_user(admin), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(foo_user), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(bar_user),
[project_bar.code])
assert items_equal(Project.accessible_by_user(default), [project_bar.code])
assert items_equal(Project.accessible_by_user(nobody), [])
def test_get_tasks_permissions(
client,
test_name,
snapshot_stack,
refresh_stats,
request,
request_users,
patch_timezone_now,
project0,
hide,
):
"""Tests pending tasks retrieval with restricted permissions."""
language = "language0"
url = "/xhr/tasks/%s/" % language
user = request_users["user"]
# Disallow `project0` access to `member`
if user.username == "member":
_require_permission_set(user, project0.directory, negative_permissions=[hide])
# FIXME: stats refreshing boilerplate
global users_with_stats
if user not in users_with_stats:
request.getfixturevalue("refresh_stats")
users_with_stats.add(user)
now = aware_datetime(2017, 2, 28, 9, 0)
patch_timezone_now(now)
DueDateFactory.create(
pootle_path="/projects/project0/", due_on=now + timedelta(days=8),
)
DueDateFactory.create(
pootle_path="/%s/project0/store0.po" % language, due_on=now + timedelta(days=2),
)
DueDateFactory.create(
pootle_path="/%s/project1/store0.po" % language, due_on=now + timedelta(days=4),
)
with snapshot_stack.push([as_dir(test_name), as_dir(user.username)]):
if not user.is_anonymous:
client.force_login(user)
response = client.get(url)
with snapshot_stack.push("status_code") as snapshot:
snapshot.assert_matches(response.status_code)
with snapshot_stack.push("context") as snapshot:
snapshot.assert_matches(response.json())
def test_get_users_with_permission(default, member, translate):
language = Language.objects.get(code="language0")
project = Project.objects.get(code="project0")
User = get_user_model()
directory = TranslationProject.objects.get(project=project,
language=language).directory
_require_permission_set(member, directory, [translate])
# remove "Can submit translation" permission for default user
ps = PermissionSet.objects.filter(user=default,
directory=Directory.objects.root)[0]
ps.positive_permissions.set(
ps.positive_permissions.exclude(id=translate.id))
ps.save()
users = User.objects.get_users_with_permission("translate", project,
language)
for user in users:
assert check_user_permission(user, "translate", directory)
def test_root_hide_permissions(
po_directory,
nobody,
default,
admin,
hide,
view,
no_permission_sets,
no_projects,
project_foo,
project_bar,
root,
):
"""Tests user-accessible projects when there are `hide` permissions
set at the root.
"""
ALL_PROJECTS = [project_foo.code, project_bar.code]
foo_user = UserFactory.create(username="******")
bar_user = UserFactory.create(username="******")
# By default all projects are not accessible
_require_permission_set(default, root, negative_permissions=[hide])
_require_permission_set(nobody, root, negative_permissions=[hide])
assert items_equal(Project.accessible_by_user(admin), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(default), [])
assert items_equal(Project.accessible_by_user(nobody), [])
assert items_equal(Project.accessible_by_user(foo_user), [])
assert items_equal(Project.accessible_by_user(bar_user), [])
# Now let's make `project_foo` accessible to `foo_user`.
_require_permission_set(foo_user, project_foo.directory, [view])
assert items_equal(Project.accessible_by_user(admin), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(default), [])
assert items_equal(Project.accessible_by_user(nobody), [])
assert items_equal(Project.accessible_by_user(foo_user),
[project_foo.code])
assert items_equal(Project.accessible_by_user(bar_user), [])
# Making projects accessible for anonymous users should open the door for
# everyone
_require_permission_set(nobody, root, [view])
assert items_equal(Project.accessible_by_user(admin), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(default), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(nobody), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(foo_user), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(bar_user), ALL_PROJECTS)
def test_root_view_permissions(
po_directory,
nobody,
default,
admin,
view,
no_projects,
no_permission_sets,
project_foo,
project_bar,
root,
):
"""Tests user-accessible projects with view permissions at the root."""
ALL_PROJECTS = [project_foo.code, project_bar.code]
foo_user = UserFactory.create(username="******")
bar_user = UserFactory.create(username="******")
# We'll only give `bar_user` access to all projects server-wide
_require_permission_set(bar_user, root, [view])
assert items_equal(Project.accessible_by_user(admin), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(bar_user), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(foo_user), [])
assert items_equal(Project.accessible_by_user(default), [])
assert items_equal(Project.accessible_by_user(nobody), [])
# Now we'll also allow `foo_user` access `project_foo`
_require_permission_set(foo_user, project_foo.directory, [view])
assert items_equal(Project.accessible_by_user(foo_user),
[project_foo.code])
# Let's change server-wide defaults: all registered users have access to
# all projects. `foo_user`, albeit having explicit access for
# `project_foo`, will be able to access any project because they fall back
# and extend with the defaults.
_require_permission_set(default, root, [view])
assert items_equal(Project.accessible_by_user(admin), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(foo_user), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(bar_user), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(default), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(nobody), [])
# Let's give anonymous users access to all projects too
_require_permission_set(nobody, root, [view])
assert items_equal(Project.accessible_by_user(nobody), ALL_PROJECTS)
def test_no_root_hide_permissions(
po_directory,
nobody,
default,
admin,
hide,
view,
no_projects,
no_permission_sets,
project_foo,
project_bar,
root,
):
"""Tests user-accessible projects when there are no `hide` permissions
set at the root.
"""
ALL_PROJECTS = [project_foo.code, project_bar.code]
foo_user = UserFactory.create(username="******")
bar_user = UserFactory.create(username="******")
# By default everyone has access to projects
_require_permission_set(default, root, [view])
_require_permission_set(nobody, root, [view])
# At the same time, `project_foo` is inaccessible registered users...
_require_permission_set(default,
project_foo.directory,
negative_permissions=[hide])
assert items_equal(Project.accessible_by_user(admin), ALL_PROJECTS)
assert items_equal(Project.accessible_by_user(default), [project_bar.code])
assert items_equal(Project.accessible_by_user(nobody), [project_bar.code])
assert items_equal(Project.accessible_by_user(foo_user),
[project_bar.code])
assert items_equal(Project.accessible_by_user(bar_user),
[project_bar.code])
# ...and anonymous users as well
_require_permission_set(nobody,
project_foo.directory,
negative_permissions=[hide])
assert items_equal(Project.accessible_by_user(nobody), [project_bar.code])
# Let's make `project_foo` accessible for `foo_user`
_require_permission_set(foo_user, project_foo.directory, [view])
assert items_equal(Project.accessible_by_user(foo_user), ALL_PROJECTS)
# `project_bar` is now inaccessible for anonymous users
_require_permission_set(nobody,
project_bar.directory,
negative_permissions=[hide])
assert items_equal(Project.accessible_by_user(nobody), [])