def test_group_permission_remove_proper(self, full_app, sqla_session): perm_name = 'edit' with session_context(sqla_session) as session: admin, token = create_admin(session) group = create_group({'group_name': 'aaaa'}, sqla_session=session) resource = create_entry({ 'resource_name': 'entry-x', 'note': 'x' }, sqla_session=session) perm_inst = GroupResourcePermission(group_id=group.id, perm_name=perm_name) resource.group_permissions.append(perm_inst) node_id = resource.resource_id qs = parse.urlencode({'group_id': group.id, 'perm_name': perm_name}) url_path = '/api/0.1/resources/{}/group_permissions?{}'.format( node_id, qs) headers = {str('x-testscaffold-auth-token'): str(token)} response = full_app.delete(url_path, status=200, headers=headers) perm_inst = GroupResourcePermissionService.get(group.id, resource_id=node_id, perm_name=perm_name, db_session=sqla_session) assert not isinstance(perm_inst, GroupResourcePermission)
def test_group_permission_add_proper(self, full_app, sqla_session): with session_context(sqla_session) as session: admin, token = create_admin(session) group = create_group({'group_name': 'aaaa'}, sqla_session=session) resource = create_entry({ 'resource_name': 'entry-x', 'note': 'x' }, sqla_session=session) node_id = resource.resource_id url_path = '/api/0.1/resources/{}/group_permissions'.format(node_id) headers = {str('x-testscaffold-auth-token'): str(token)} perm_name = 'edit' perm_dict = {'group_id': group.id, 'perm_name': perm_name} response = full_app.post_json(url_path, perm_dict, status=200, headers=headers) assert response.json['group_id'] == group.id assert response.json['perm_name'] == perm_name assert response.json['resource_id'] == node_id perm_inst = GroupResourcePermissionService.get(group.id, resource_id=node_id, perm_name=perm_name, db_session=sqla_session) assert isinstance(perm_inst, GroupResourcePermission)
def test_group_resource_permission(self, db_session): self.set_up_user_group_and_perms(db_session) resource3 = add_resource_b(db_session, 3, 'other resource') db_session.flush() group_permission2 = GroupResourcePermission( perm_name='group_perm2', group_id=self.group2.id, ) row = GroupResourcePermissionService.get( group_id=self.group2.id, resource_id=self.resource2.resource_id, perm_name='group_perm2', db_session=db_session) assert row is None self.resource2.group_permissions.append(group_permission2) row = GroupResourcePermissionService.get( group_id=self.group2.id, resource_id=self.resource2.resource_id, perm_name='group_perm2', db_session=db_session) assert row is not None
def group_permission_delete(self, resource, group_id, perm_name): perm_inst = GroupResourcePermissionService.get( resource_id=resource.resource_id, group_id=group_id, perm_name=perm_name, db_session=self.request.dbsession) resource.group_permissions.remove(perm_inst) return True
def group_permission_get(self, resource_id, group_id, perm_name): perm_inst = GroupResourcePermissionService.get( resource_id=resource_id, group_id=group_id, perm_name=perm_name, db_session=self.request.dbsession) if not perm_inst: raise pyramid.httpexceptions.HTTPNotFound() return perm_inst
def delete_group_resource_permission_response(group, resource, permission, db_session, similar=True): # type: (models.Group, ServiceOrResourceType, PermissionSet, Session, bool) -> HTTPException """ Get validated response on deleted group resource permission. :param group: group for which to delete the permission. :param resource: service or resource for which to delete the permission. :param permission: permission with modifiers to be deleted. :param db_session: database connection. :param similar: Allow matching provided permission against any similar database permission. Otherwise, must match exactly. :returns: valid HTTP response on successful operations. :raises HTTPException: error HTTP response of corresponding situation. """ check_valid_service_or_resource_permission(permission.name, resource, db_session) res_id = resource.resource_id if similar: found_perm = get_similar_group_resource_permission( group, resource, permission, db_session=db_session) else: found_perm = permission del_perm = GroupResourcePermissionService.get(group.id, res_id, str(found_perm), db_session=db_session) permission.type = PermissionType.APPLIED perm_content = { "permission_name": str(permission), "permission": permission.json(), "resource": format_resource(resource, basic_info=True), "group": format_group(group, basic_info=True) } ax.verify_param( del_perm, not_none=True, http_error=HTTPNotFound, content=perm_content, msg_on_fail=s.GroupServicePermission_DELETE_NotFoundResponseSchema. description) ax.evaluate_call( lambda: db_session.delete(del_perm), fallback=lambda: db_session.rollback(), http_error=HTTPForbidden, content=perm_content, msg_on_fail=s.GroupServicePermission_DELETE_ForbiddenResponseSchema. description) return ax.valid_http( http_success=HTTPOk, detail=s.GroupServicePermission_DELETE_OkResponseSchema.description)
def upgrade(): context = get_context() session = Session(bind=op.get_bind()) if not isinstance(context.connection.engine.dialect, PGDialect): return grp_res_perms = GroupResourcePermissionService.base_query( db_session=session) usr_res_perms = UserResourcePermissionService.base_query( db_session=session) for perm_list in [grp_res_perms, usr_res_perms]: perm_map = [(perm, PermissionSet(perm.perm_name)) for perm in perm_list] perm_rm = set() perm_keep = set() # find any user/group-resource that has both recursive and match permissions simultaneously # this is not allowed anymore, so remove the match access that is redundant anyway for perm_db, perm_set in perm_map: perm_dup = False for other_db, other_set in perm_map: if perm_set is other_set: continue if perm_db.resource_id == other_db.resource_id and perm_set.like( other_set): if perm_set.scope == Scope.RECURSIVE: perm_keep.add(perm_db) perm_rm.add(other_db) else: perm_keep.add(other_db) perm_rm.add(perm_db) perm_dup = True break if not perm_dup: perm_keep.add(perm_db) # apply changes for perm in perm_keep: perm_name_raw = perm.perm_name perm_scope = Scope.RECURSIVE if perm_name_raw.endswith("-" + Scope.MATCH.value): perm_name_raw = perm_name_raw.rsplit("-", 1)[0] perm_scope = Scope.MATCH perm.perm_name = str(PermissionSet(perm_name_raw, scope=perm_scope)) for perm in perm_rm: session.delete(perm) session.commit()
def downgrade(): """ Any existing 'BROWSE' permission must be dropped. """ context = get_context() session = Session(bind=op.get_bind()) if not isinstance(context.connection.engine.dialect, PGDialect): return # two following lines avoids double "DELETE" erroneous call (ignore duplicate) # https://stackoverflow.com/questions/28824401 context.connection.engine.dialect.supports_sane_rowcount = False context.connection.engine.dialect.supports_sane_multi_rowcount = False grp_perms = GroupResourcePermissionService.base_query(db_session=session) usr_perms = UserResourcePermissionService.base_query(db_session=session) for perm in grp_perms: if perm.perm_name == "browse": session.delete(perm) for perm in usr_perms: if perm.perm_name == "browse": session.delete(perm) session.commit()
def downgrade(): context = get_context() session = Session(bind=op.get_bind()) if not isinstance(context.connection.engine.dialect, PGDialect): return # two following lines avoids double "DELETE" erroneous call (ignore duplicate) # https://stackoverflow.com/questions/28824401 context.connection.engine.dialect.supports_sane_rowcount = False context.connection.engine.dialect.supports_sane_multi_rowcount = False grp_res_perms = GroupResourcePermissionService.base_query( db_session=session) usr_res_perms = UserResourcePermissionService.base_query( db_session=session) for perm_list in [grp_res_perms, usr_res_perms]: for perm in perm_list: perm_set = PermissionSet(perm.perm_name) if perm_set.implicit_permission is None: session.delete(perm) else: perm.perm_name = perm_set.implicit_permission session.commit()