commit | author | age
|
a1a9fb
|
1 |
import unittest |
CM |
2 |
|
b60bdb
|
3 |
from pyramid.testing import cleanUp |
a1a9fb
|
4 |
|
CM |
5 |
class TestACLAuthorizationPolicy(unittest.TestCase): |
|
6 |
def setUp(self): |
|
7 |
cleanUp() |
|
8 |
|
|
9 |
def tearDown(self): |
|
10 |
cleanUp() |
|
11 |
|
|
12 |
def _getTargetClass(self): |
b60bdb
|
13 |
from pyramid.authorization import ACLAuthorizationPolicy |
a1a9fb
|
14 |
return ACLAuthorizationPolicy |
CM |
15 |
|
|
16 |
def _makeOne(self): |
|
17 |
return self._getTargetClass()() |
|
18 |
|
|
19 |
def test_class_implements_IAuthorizationPolicy(self): |
|
20 |
from zope.interface.verify import verifyClass |
b60bdb
|
21 |
from pyramid.interfaces import IAuthorizationPolicy |
a1a9fb
|
22 |
verifyClass(IAuthorizationPolicy, self._getTargetClass()) |
CM |
23 |
|
|
24 |
def test_instance_implements_IAuthorizationPolicy(self): |
|
25 |
from zope.interface.verify import verifyObject |
b60bdb
|
26 |
from pyramid.interfaces import IAuthorizationPolicy |
a1a9fb
|
27 |
verifyObject(IAuthorizationPolicy, self._makeOne()) |
CM |
28 |
|
|
29 |
def test_permits_no_acl(self): |
|
30 |
context = DummyContext() |
|
31 |
policy = self._makeOne() |
|
32 |
self.assertEqual(policy.permits(context, [], 'view'), False) |
|
33 |
|
|
34 |
def test_permits(self): |
b60bdb
|
35 |
from pyramid.security import Deny |
CM |
36 |
from pyramid.security import Allow |
|
37 |
from pyramid.security import Everyone |
|
38 |
from pyramid.security import Authenticated |
|
39 |
from pyramid.security import ALL_PERMISSIONS |
|
40 |
from pyramid.security import DENY_ALL |
a1a9fb
|
41 |
root = DummyContext() |
CM |
42 |
community = DummyContext(__name__='community', __parent__=root) |
|
43 |
blog = DummyContext(__name__='blog', __parent__=community) |
|
44 |
root.__acl__ = [ |
|
45 |
(Allow, Authenticated, VIEW), |
|
46 |
] |
|
47 |
community.__acl__ = [ |
|
48 |
(Allow, 'fred', ALL_PERMISSIONS), |
|
49 |
(Allow, 'wilma', VIEW), |
|
50 |
DENY_ALL, |
|
51 |
] |
|
52 |
blog.__acl__ = [ |
|
53 |
(Allow, 'barney', MEMBER_PERMS), |
|
54 |
(Allow, 'wilma', VIEW), |
|
55 |
] |
|
56 |
|
|
57 |
policy = self._makeOne() |
|
58 |
|
|
59 |
result = policy.permits(blog, [Everyone, Authenticated, 'wilma'], |
|
60 |
'view') |
|
61 |
self.assertEqual(result, True) |
|
62 |
self.assertEqual(result.context, blog) |
|
63 |
self.assertEqual(result.ace, (Allow, 'wilma', VIEW)) |
e0162e
|
64 |
self.assertEqual(result.acl, blog.__acl__) |
a1a9fb
|
65 |
|
CM |
66 |
result = policy.permits(blog, [Everyone, Authenticated, 'wilma'], |
|
67 |
'delete') |
|
68 |
self.assertEqual(result, False) |
|
69 |
self.assertEqual(result.context, community) |
|
70 |
self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS)) |
e0162e
|
71 |
self.assertEqual(result.acl, community.__acl__) |
a1a9fb
|
72 |
|
CM |
73 |
result = policy.permits(blog, [Everyone, Authenticated, 'fred'], 'view') |
|
74 |
self.assertEqual(result, True) |
|
75 |
self.assertEqual(result.context, community) |
|
76 |
self.assertEqual(result.ace, (Allow, 'fred', ALL_PERMISSIONS)) |
|
77 |
result = policy.permits(blog, [Everyone, Authenticated, 'fred'], |
|
78 |
'doesntevenexistyet') |
|
79 |
self.assertEqual(result, True) |
|
80 |
self.assertEqual(result.context, community) |
|
81 |
self.assertEqual(result.ace, (Allow, 'fred', ALL_PERMISSIONS)) |
e0162e
|
82 |
self.assertEqual(result.acl, community.__acl__) |
a1a9fb
|
83 |
|
CM |
84 |
result = policy.permits(blog, [Everyone, Authenticated, 'barney'], |
|
85 |
'view') |
|
86 |
self.assertEqual(result, True) |
|
87 |
self.assertEqual(result.context, blog) |
|
88 |
self.assertEqual(result.ace, (Allow, 'barney', MEMBER_PERMS)) |
|
89 |
result = policy.permits(blog, [Everyone, Authenticated, 'barney'], |
|
90 |
'administer') |
|
91 |
self.assertEqual(result, False) |
|
92 |
self.assertEqual(result.context, community) |
|
93 |
self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS)) |
e0162e
|
94 |
self.assertEqual(result.acl, community.__acl__) |
a1a9fb
|
95 |
|
CM |
96 |
result = policy.permits(root, [Everyone, Authenticated, 'someguy'], |
|
97 |
'view') |
|
98 |
self.assertEqual(result, True) |
|
99 |
self.assertEqual(result.context, root) |
|
100 |
self.assertEqual(result.ace, (Allow, Authenticated, VIEW)) |
|
101 |
result = policy.permits(blog, |
|
102 |
[Everyone, Authenticated, 'someguy'], 'view') |
|
103 |
self.assertEqual(result, False) |
|
104 |
self.assertEqual(result.context, community) |
|
105 |
self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS)) |
e0162e
|
106 |
self.assertEqual(result.acl, community.__acl__) |
a1a9fb
|
107 |
|
CM |
108 |
result = policy.permits(root, [Everyone], 'view') |
|
109 |
self.assertEqual(result, False) |
|
110 |
self.assertEqual(result.context, root) |
e0162e
|
111 |
self.assertEqual(result.ace, '<default deny>') |
CM |
112 |
self.assertEqual(result.acl, root.__acl__) |
a1a9fb
|
113 |
|
CM |
114 |
context = DummyContext() |
|
115 |
result = policy.permits(context, [Everyone], 'view') |
|
116 |
self.assertEqual(result, False) |
e0162e
|
117 |
self.assertEqual(result.ace, '<default deny>') |
CM |
118 |
self.assertEqual( |
|
119 |
result.acl, |
3e2f12
|
120 |
'<No ACL found on any object in resource lineage>') |
a1a9fb
|
121 |
|
52ca12
|
122 |
def test_permits_string_permissions_in_acl(self): |
CM |
123 |
from pyramid.security import Allow |
|
124 |
root = DummyContext() |
|
125 |
root.__acl__ = [ |
|
126 |
(Allow, 'wilma', 'view_stuff'), |
|
127 |
] |
|
128 |
|
|
129 |
policy = self._makeOne() |
|
130 |
|
|
131 |
result = policy.permits(root, ['wilma'], 'view') |
|
132 |
# would be True if matching against 'view_stuff' instead of against |
|
133 |
# ['view_stuff'] |
|
134 |
self.assertEqual(result, False) |
|
135 |
|
a1a9fb
|
136 |
def test_principals_allowed_by_permission_direct(self): |
b60bdb
|
137 |
from pyramid.security import Allow |
CM |
138 |
from pyramid.security import DENY_ALL |
a1a9fb
|
139 |
context = DummyContext() |
CM |
140 |
acl = [ (Allow, 'chrism', ('read', 'write')), |
|
141 |
DENY_ALL, |
|
142 |
(Allow, 'other', 'read') ] |
|
143 |
context.__acl__ = acl |
|
144 |
policy = self._makeOne() |
|
145 |
result = sorted( |
|
146 |
policy.principals_allowed_by_permission(context, 'read')) |
|
147 |
self.assertEqual(result, ['chrism']) |
|
148 |
|
678f49
|
149 |
def test_principals_allowed_by_permission_callable_acl(self): |
CM |
150 |
from pyramid.security import Allow |
|
151 |
from pyramid.security import DENY_ALL |
|
152 |
context = DummyContext() |
|
153 |
acl = lambda: [ (Allow, 'chrism', ('read', 'write')), |
|
154 |
DENY_ALL, |
|
155 |
(Allow, 'other', 'read') ] |
|
156 |
context.__acl__ = acl |
|
157 |
policy = self._makeOne() |
|
158 |
result = sorted( |
|
159 |
policy.principals_allowed_by_permission(context, 'read')) |
|
160 |
self.assertEqual(result, ['chrism']) |
|
161 |
|
52ca12
|
162 |
def test_principals_allowed_by_permission_string_permission(self): |
CM |
163 |
from pyramid.security import Allow |
|
164 |
context = DummyContext() |
|
165 |
acl = [ (Allow, 'chrism', 'read_it')] |
|
166 |
context.__acl__ = acl |
|
167 |
policy = self._makeOne() |
|
168 |
result = policy.principals_allowed_by_permission(context, 'read') |
|
169 |
# would be ['chrism'] if 'read' were compared against 'read_it' instead |
|
170 |
# of against ['read_it'] |
|
171 |
self.assertEqual(list(result), []) |
|
172 |
|
a1a9fb
|
173 |
def test_principals_allowed_by_permission(self): |
b60bdb
|
174 |
from pyramid.security import Allow |
CM |
175 |
from pyramid.security import Deny |
|
176 |
from pyramid.security import DENY_ALL |
|
177 |
from pyramid.security import ALL_PERMISSIONS |
a1a9fb
|
178 |
root = DummyContext(__name__='', __parent__=None) |
CM |
179 |
community = DummyContext(__name__='community', __parent__=root) |
|
180 |
blog = DummyContext(__name__='blog', __parent__=community) |
|
181 |
root.__acl__ = [ (Allow, 'chrism', ('read', 'write')), |
|
182 |
(Allow, 'other', ('read',)), |
|
183 |
(Allow, 'jim', ALL_PERMISSIONS)] |
|
184 |
community.__acl__ = [ (Deny, 'flooz', 'read'), |
|
185 |
(Allow, 'flooz', 'read'), |
|
186 |
(Allow, 'mork', 'read'), |
|
187 |
(Deny, 'jim', 'read'), |
|
188 |
(Allow, 'someguy', 'manage')] |
|
189 |
blog.__acl__ = [ (Allow, 'fred', 'read'), |
|
190 |
DENY_ALL] |
|
191 |
|
|
192 |
policy = self._makeOne() |
|
193 |
|
|
194 |
result = sorted(policy.principals_allowed_by_permission(blog, 'read')) |
|
195 |
self.assertEqual(result, ['fred']) |
|
196 |
result = sorted(policy.principals_allowed_by_permission(community, |
|
197 |
'read')) |
|
198 |
self.assertEqual(result, ['chrism', 'mork', 'other']) |
|
199 |
result = sorted(policy.principals_allowed_by_permission(community, |
|
200 |
'read')) |
|
201 |
result = sorted(policy.principals_allowed_by_permission(root, 'read')) |
|
202 |
self.assertEqual(result, ['chrism', 'jim', 'other']) |
|
203 |
|
|
204 |
def test_principals_allowed_by_permission_no_acls(self): |
|
205 |
context = DummyContext() |
|
206 |
policy = self._makeOne() |
|
207 |
result = sorted(policy.principals_allowed_by_permission(context,'read')) |
|
208 |
self.assertEqual(result, []) |
|
209 |
|
729c91
|
210 |
def test_principals_allowed_by_permission_deny_not_permission_in_acl(self): |
CM |
211 |
from pyramid.security import Deny |
|
212 |
from pyramid.security import Everyone |
|
213 |
context = DummyContext() |
|
214 |
acl = [ (Deny, Everyone, 'write') ] |
|
215 |
context.__acl__ = acl |
|
216 |
policy = self._makeOne() |
|
217 |
result = sorted( |
|
218 |
policy.principals_allowed_by_permission(context, 'read')) |
|
219 |
self.assertEqual(result, []) |
|
220 |
|
|
221 |
def test_principals_allowed_by_permission_deny_permission_in_acl(self): |
|
222 |
from pyramid.security import Deny |
|
223 |
from pyramid.security import Everyone |
|
224 |
context = DummyContext() |
|
225 |
acl = [ (Deny, Everyone, 'read') ] |
|
226 |
context.__acl__ = acl |
|
227 |
policy = self._makeOne() |
|
228 |
result = sorted( |
|
229 |
policy.principals_allowed_by_permission(context, 'read')) |
|
230 |
self.assertEqual(result, []) |
038dcb
|
231 |
|
MM |
232 |
def test_callable_acl(self): |
|
233 |
from pyramid.security import Allow |
|
234 |
context = DummyContext() |
|
235 |
fn = lambda self: [(Allow, 'bob', 'read')] |
|
236 |
context.__acl__ = fn.__get__(context, context.__class__) |
|
237 |
policy = self._makeOne() |
|
238 |
result = policy.permits(context, ['bob'], 'read') |
|
239 |
self.assertTrue(result) |
729c91
|
240 |
|
CM |
241 |
|
a1a9fb
|
242 |
class DummyContext: |
CM |
243 |
def __init__(self, *arg, **kw): |
|
244 |
self.__dict__.update(kw) |
|
245 |
|
|
246 |
|
|
247 |
VIEW = 'view' |
|
248 |
EDIT = 'edit' |
|
249 |
CREATE = 'create' |
|
250 |
DELETE = 'delete' |
|
251 |
MODERATE = 'moderate' |
|
252 |
ADMINISTER = 'administer' |
|
253 |
COMMENT = 'comment' |
|
254 |
|
|
255 |
GUEST_PERMS = (VIEW, COMMENT) |
|
256 |
MEMBER_PERMS = GUEST_PERMS + (EDIT, CREATE, DELETE) |
|
257 |
MODERATOR_PERMS = MEMBER_PERMS + (MODERATE,) |
|
258 |
ADMINISTRATOR_PERMS = MODERATOR_PERMS + (ADMINISTER,) |
|
259 |
|