| | |
| | | |
| | | from pyramid.testing import cleanUp |
| | | |
| | | |
| | | class TestACLAuthorizationPolicy(unittest.TestCase): |
| | | def setUp(self): |
| | | cleanUp() |
| | |
| | | |
| | | def _getTargetClass(self): |
| | | from pyramid.authorization import ACLAuthorizationPolicy |
| | | |
| | | return ACLAuthorizationPolicy |
| | | |
| | | def _makeOne(self): |
| | |
| | | def test_class_implements_IAuthorizationPolicy(self): |
| | | from zope.interface.verify import verifyClass |
| | | from pyramid.interfaces import IAuthorizationPolicy |
| | | |
| | | verifyClass(IAuthorizationPolicy, self._getTargetClass()) |
| | | |
| | | def test_instance_implements_IAuthorizationPolicy(self): |
| | | from zope.interface.verify import verifyObject |
| | | from pyramid.interfaces import IAuthorizationPolicy |
| | | |
| | | verifyObject(IAuthorizationPolicy, self._makeOne()) |
| | | |
| | | def test_permits_no_acl(self): |
| | | context = DummyContext() |
| | | policy = self._makeOne() |
| | | self.assertEqual(policy.permits(context, [], 'view'), False) |
| | | |
| | | |
| | | def test_permits(self): |
| | | from pyramid.security import Deny |
| | | from pyramid.security import Allow |
| | |
| | | from pyramid.security import Authenticated |
| | | from pyramid.security import ALL_PERMISSIONS |
| | | from pyramid.security import DENY_ALL |
| | | |
| | | root = DummyContext() |
| | | community = DummyContext(__name__='community', __parent__=root) |
| | | blog = DummyContext(__name__='blog', __parent__=community) |
| | | root.__acl__ = [ |
| | | (Allow, Authenticated, VIEW), |
| | | ] |
| | | root.__acl__ = [(Allow, Authenticated, VIEW)] |
| | | community.__acl__ = [ |
| | | (Allow, 'fred', ALL_PERMISSIONS), |
| | | (Allow, 'wilma', VIEW), |
| | | DENY_ALL, |
| | | ] |
| | | ] |
| | | blog.__acl__ = [ |
| | | (Allow, 'barney', MEMBER_PERMS), |
| | | (Allow, 'wilma', VIEW), |
| | | ] |
| | | ] |
| | | |
| | | policy = self._makeOne() |
| | | |
| | | result = policy.permits(blog, [Everyone, Authenticated, 'wilma'], |
| | | 'view') |
| | | result = policy.permits( |
| | | blog, [Everyone, Authenticated, 'wilma'], 'view' |
| | | ) |
| | | self.assertEqual(result, True) |
| | | self.assertEqual(result.context, blog) |
| | | self.assertEqual(result.ace, (Allow, 'wilma', VIEW)) |
| | | self.assertEqual(result.acl, blog.__acl__) |
| | | |
| | | result = policy.permits(blog, [Everyone, Authenticated, 'wilma'], |
| | | 'delete') |
| | | result = policy.permits( |
| | | blog, [Everyone, Authenticated, 'wilma'], 'delete' |
| | | ) |
| | | self.assertEqual(result, False) |
| | | self.assertEqual(result.context, community) |
| | | self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS)) |
| | | self.assertEqual(result.acl, community.__acl__) |
| | | |
| | | result = policy.permits(blog, [Everyone, Authenticated, 'fred'], 'view') |
| | | result = policy.permits( |
| | | blog, [Everyone, Authenticated, 'fred'], 'view' |
| | | ) |
| | | self.assertEqual(result, True) |
| | | self.assertEqual(result.context, community) |
| | | self.assertEqual(result.ace, (Allow, 'fred', ALL_PERMISSIONS)) |
| | | result = policy.permits(blog, [Everyone, Authenticated, 'fred'], |
| | | 'doesntevenexistyet') |
| | | result = policy.permits( |
| | | blog, [Everyone, Authenticated, 'fred'], 'doesntevenexistyet' |
| | | ) |
| | | self.assertEqual(result, True) |
| | | self.assertEqual(result.context, community) |
| | | self.assertEqual(result.ace, (Allow, 'fred', ALL_PERMISSIONS)) |
| | | self.assertEqual(result.acl, community.__acl__) |
| | | |
| | | result = policy.permits(blog, [Everyone, Authenticated, 'barney'], |
| | | 'view') |
| | | result = policy.permits( |
| | | blog, [Everyone, Authenticated, 'barney'], 'view' |
| | | ) |
| | | self.assertEqual(result, True) |
| | | self.assertEqual(result.context, blog) |
| | | self.assertEqual(result.ace, (Allow, 'barney', MEMBER_PERMS)) |
| | | result = policy.permits(blog, [Everyone, Authenticated, 'barney'], |
| | | 'administer') |
| | | result = policy.permits( |
| | | blog, [Everyone, Authenticated, 'barney'], 'administer' |
| | | ) |
| | | self.assertEqual(result, False) |
| | | self.assertEqual(result.context, community) |
| | | self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS)) |
| | | self.assertEqual(result.acl, community.__acl__) |
| | | |
| | | result = policy.permits(root, [Everyone, Authenticated, 'someguy'], |
| | | 'view') |
| | | |
| | | result = policy.permits( |
| | | root, [Everyone, Authenticated, 'someguy'], 'view' |
| | | ) |
| | | self.assertEqual(result, True) |
| | | self.assertEqual(result.context, root) |
| | | self.assertEqual(result.ace, (Allow, Authenticated, VIEW)) |
| | | result = policy.permits(blog, |
| | | [Everyone, Authenticated, 'someguy'], 'view') |
| | | result = policy.permits( |
| | | blog, [Everyone, Authenticated, 'someguy'], 'view' |
| | | ) |
| | | self.assertEqual(result, False) |
| | | self.assertEqual(result.context, community) |
| | | self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS)) |
| | |
| | | self.assertEqual(result, False) |
| | | self.assertEqual(result.ace, '<default deny>') |
| | | self.assertEqual( |
| | | result.acl, |
| | | '<No ACL found on any object in resource lineage>') |
| | | result.acl, '<No ACL found on any object in resource lineage>' |
| | | ) |
| | | |
| | | def test_permits_string_permissions_in_acl(self): |
| | | from pyramid.security import Allow |
| | | |
| | | root = DummyContext() |
| | | root.__acl__ = [ |
| | | (Allow, 'wilma', 'view_stuff'), |
| | | ] |
| | | root.__acl__ = [(Allow, 'wilma', 'view_stuff')] |
| | | |
| | | policy = self._makeOne() |
| | | |
| | | result = policy.permits(root, ['wilma'], 'view') |
| | | # would be True if matching against 'view_stuff' instead of against |
| | | # ['view_stuff'] |
| | | self.assertEqual(result, False) |
| | | self.assertEqual(result, False) |
| | | |
| | | def test_principals_allowed_by_permission_direct(self): |
| | | from pyramid.security import Allow |
| | | from pyramid.security import DENY_ALL |
| | | |
| | | context = DummyContext() |
| | | acl = [ (Allow, 'chrism', ('read', 'write')), |
| | | DENY_ALL, |
| | | (Allow, 'other', 'read') ] |
| | | acl = [ |
| | | (Allow, 'chrism', ('read', 'write')), |
| | | DENY_ALL, |
| | | (Allow, 'other', 'read'), |
| | | ] |
| | | context.__acl__ = acl |
| | | policy = self._makeOne() |
| | | result = sorted( |
| | | policy.principals_allowed_by_permission(context, 'read')) |
| | | policy.principals_allowed_by_permission(context, 'read') |
| | | ) |
| | | self.assertEqual(result, ['chrism']) |
| | | |
| | | def test_principals_allowed_by_permission_callable_acl(self): |
| | | from pyramid.security import Allow |
| | | from pyramid.security import DENY_ALL |
| | | |
| | | context = DummyContext() |
| | | acl = lambda: [ (Allow, 'chrism', ('read', 'write')), |
| | | DENY_ALL, |
| | | (Allow, 'other', 'read') ] |
| | | acl = lambda: [ |
| | | (Allow, 'chrism', ('read', 'write')), |
| | | DENY_ALL, |
| | | (Allow, 'other', 'read'), |
| | | ] |
| | | context.__acl__ = acl |
| | | policy = self._makeOne() |
| | | result = sorted( |
| | | policy.principals_allowed_by_permission(context, 'read')) |
| | | policy.principals_allowed_by_permission(context, 'read') |
| | | ) |
| | | self.assertEqual(result, ['chrism']) |
| | | |
| | | |
| | | def test_principals_allowed_by_permission_string_permission(self): |
| | | from pyramid.security import Allow |
| | | |
| | | context = DummyContext() |
| | | acl = [ (Allow, 'chrism', 'read_it')] |
| | | acl = [(Allow, 'chrism', 'read_it')] |
| | | context.__acl__ = acl |
| | | policy = self._makeOne() |
| | | result = policy.principals_allowed_by_permission(context, 'read') |
| | | # would be ['chrism'] if 'read' were compared against 'read_it' instead |
| | | # of against ['read_it'] |
| | | self.assertEqual(list(result), []) |
| | | |
| | | |
| | | def test_principals_allowed_by_permission(self): |
| | | from pyramid.security import Allow |
| | | from pyramid.security import Deny |
| | | from pyramid.security import DENY_ALL |
| | | from pyramid.security import ALL_PERMISSIONS |
| | | |
| | | root = DummyContext(__name__='', __parent__=None) |
| | | community = DummyContext(__name__='community', __parent__=root) |
| | | blog = DummyContext(__name__='blog', __parent__=community) |
| | | root.__acl__ = [ (Allow, 'chrism', ('read', 'write')), |
| | | (Allow, 'other', ('read',)), |
| | | (Allow, 'jim', ALL_PERMISSIONS)] |
| | | community.__acl__ = [ (Deny, 'flooz', 'read'), |
| | | (Allow, 'flooz', 'read'), |
| | | (Allow, 'mork', 'read'), |
| | | (Deny, 'jim', 'read'), |
| | | (Allow, 'someguy', 'manage')] |
| | | blog.__acl__ = [ (Allow, 'fred', 'read'), |
| | | DENY_ALL] |
| | | root.__acl__ = [ |
| | | (Allow, 'chrism', ('read', 'write')), |
| | | (Allow, 'other', ('read',)), |
| | | (Allow, 'jim', ALL_PERMISSIONS), |
| | | ] |
| | | community.__acl__ = [ |
| | | (Deny, 'flooz', 'read'), |
| | | (Allow, 'flooz', 'read'), |
| | | (Allow, 'mork', 'read'), |
| | | (Deny, 'jim', 'read'), |
| | | (Allow, 'someguy', 'manage'), |
| | | ] |
| | | blog.__acl__ = [(Allow, 'fred', 'read'), DENY_ALL] |
| | | |
| | | policy = self._makeOne() |
| | | |
| | | |
| | | result = sorted(policy.principals_allowed_by_permission(blog, 'read')) |
| | | self.assertEqual(result, ['fred']) |
| | | result = sorted(policy.principals_allowed_by_permission(community, |
| | | 'read')) |
| | | result = sorted( |
| | | policy.principals_allowed_by_permission(community, 'read') |
| | | ) |
| | | self.assertEqual(result, ['chrism', 'mork', 'other']) |
| | | result = sorted(policy.principals_allowed_by_permission(community, |
| | | 'read')) |
| | | result = sorted( |
| | | policy.principals_allowed_by_permission(community, 'read') |
| | | ) |
| | | result = sorted(policy.principals_allowed_by_permission(root, 'read')) |
| | | self.assertEqual(result, ['chrism', 'jim', 'other']) |
| | | |
| | | def test_principals_allowed_by_permission_no_acls(self): |
| | | context = DummyContext() |
| | | policy = self._makeOne() |
| | | result = sorted(policy.principals_allowed_by_permission(context,'read')) |
| | | result = sorted( |
| | | policy.principals_allowed_by_permission(context, 'read') |
| | | ) |
| | | self.assertEqual(result, []) |
| | | |
| | | def test_principals_allowed_by_permission_deny_not_permission_in_acl(self): |
| | | from pyramid.security import Deny |
| | | from pyramid.security import Everyone |
| | | |
| | | context = DummyContext() |
| | | acl = [ (Deny, Everyone, 'write') ] |
| | | acl = [(Deny, Everyone, 'write')] |
| | | context.__acl__ = acl |
| | | policy = self._makeOne() |
| | | result = sorted( |
| | | policy.principals_allowed_by_permission(context, 'read')) |
| | | policy.principals_allowed_by_permission(context, 'read') |
| | | ) |
| | | self.assertEqual(result, []) |
| | | |
| | | def test_principals_allowed_by_permission_deny_permission_in_acl(self): |
| | | from pyramid.security import Deny |
| | | from pyramid.security import Everyone |
| | | |
| | | context = DummyContext() |
| | | acl = [ (Deny, Everyone, 'read') ] |
| | | acl = [(Deny, Everyone, 'read')] |
| | | context.__acl__ = acl |
| | | policy = self._makeOne() |
| | | result = sorted( |
| | | policy.principals_allowed_by_permission(context, 'read')) |
| | | policy.principals_allowed_by_permission(context, 'read') |
| | | ) |
| | | self.assertEqual(result, []) |
| | | |
| | | def test_callable_acl(self): |
| | | from pyramid.security import Allow |
| | | |
| | | context = DummyContext() |
| | | fn = lambda self: [(Allow, 'bob', 'read')] |
| | | context.__acl__ = fn.__get__(context, context.__class__) |
| | | policy = self._makeOne() |
| | | result = policy.permits(context, ['bob'], 'read') |
| | | self.assertTrue(result) |
| | | |
| | | |
| | | |
| | | class DummyContext: |
| | | def __init__(self, *arg, **kw): |
| | |
| | | MEMBER_PERMS = GUEST_PERMS + (EDIT, CREATE, DELETE) |
| | | MODERATOR_PERMS = MEMBER_PERMS + (MODERATE,) |
| | | ADMINISTRATOR_PERMS = MODERATOR_PERMS + (ADMINISTER,) |
| | | |