test_permissions.py
804 lines
| 31.9 KiB
| text/x-python
|
PythonLexer
r1 | ||||
r5088 | # Copyright (C) 2010-2023 RhodeCode GmbH | |||
r1 | # | |||
# This program is free software: you can redistribute it and/or modify | ||||
# it under the terms of the GNU Affero General Public License, version 3 | ||||
# (only), as published by the Free Software Foundation. | ||||
# | ||||
# This program is distributed in the hope that it will be useful, | ||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||
# GNU General Public License for more details. | ||||
# | ||||
# You should have received a copy of the GNU Affero General Public License | ||||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | ||||
# | ||||
# This program is dual-licensed. If you wish to learn more about the | ||||
# RhodeCode Enterprise Edition, including its added features, Support services, | ||||
# and proprietary license terms, please see https://rhodecode.com/licenses/ | ||||
import pytest | ||||
from rhodecode.lib.auth import AuthUser | ||||
from rhodecode.model.db import ( | ||||
RepoGroup, User, UserGroupRepoGroupToPerm, Permission, UserToPerm, | ||||
UserGroupToPerm) | ||||
from rhodecode.model.meta import Session | ||||
from rhodecode.model.permission import PermissionModel | ||||
from rhodecode.model.repo import RepoModel | ||||
from rhodecode.model.repo_group import RepoGroupModel | ||||
from rhodecode.model.user import UserModel | ||||
from rhodecode.model.user_group import UserGroupModel | ||||
r5607 | from rhodecode.tests.fixtures.rc_fixture import Fixture | |||
r1 | ||||
fixture = Fixture() | ||||
r3946 | @pytest.fixture() | |||
r1 | def repo_name(backend_hg): | |||
return backend_hg.repo_name | ||||
class TestPermissions(object): | ||||
@pytest.fixture(scope='class', autouse=True) | ||||
r2351 | def default_permissions(self, request, baseapp): | |||
r1 | # recreate default user to get a clean start | |||
PermissionModel().create_default_user_permissions( | ||||
user=User.DEFAULT_USER, force=True) | ||||
Session().commit() | ||||
@pytest.fixture(autouse=True) | ||||
def prepare_users(self, request): | ||||
# TODO: User creation is a duplicate of test_nofitications, check | ||||
# if that can be unified | ||||
self.u1 = UserModel().create_or_update( | ||||
r5575 | username='u1', password='qweqwe', | |||
email='u1@rhodecode.org', firstname='u1', lastname='u1' | ||||
r1 | ) | |||
self.u2 = UserModel().create_or_update( | ||||
r5575 | username='u2', password='qweqwe', | |||
email='u2@rhodecode.org', firstname='u2', lastname='u2' | ||||
r1 | ) | |||
self.u3 = UserModel().create_or_update( | ||||
r5575 | username='u3', password='qweqwe', | |||
email='u3@rhodecode.org', firstname='u3', lastname='u3' | ||||
r1 | ) | |||
self.anon = User.get_default_user() | ||||
self.a1 = UserModel().create_or_update( | ||||
r5575 | username='a1', password='qweqwe', | |||
email='a1@rhodecode.org', firstname='a1', lastname='a1', | ||||
r1 | admin=True | |||
) | ||||
Session().commit() | ||||
request.addfinalizer(self.cleanup) | ||||
def cleanup(self): | ||||
if hasattr(self, 'test_repo'): | ||||
RepoModel().delete(repo=self.test_repo) | ||||
r3981 | Session().commit() | |||
r1 | ||||
if hasattr(self, 'g1'): | ||||
RepoGroupModel().delete(self.g1.group_id) | ||||
if hasattr(self, 'g2'): | ||||
RepoGroupModel().delete(self.g2.group_id) | ||||
r3981 | Session().commit() | |||
r1 | ||||
r3981 | UserModel().delete(self.u1, handle_repos='delete', handle_repo_groups='delete') | |||
UserModel().delete(self.u2, handle_repos='delete', handle_repo_groups='delete') | ||||
UserModel().delete(self.u3, handle_repos='delete', handle_repo_groups='delete') | ||||
UserModel().delete(self.a1, handle_repos='delete', handle_repo_groups='delete') | ||||
Session().commit() | ||||
r1 | ||||
if hasattr(self, 'ug1'): | ||||
UserGroupModel().delete(self.ug1, force=True) | ||||
r3981 | Session().commit() | |||
r1 | ||||
def test_default_perms_set(self, repo_name): | ||||
assert repo_perms(self.u1)[repo_name] == 'repository.read' | ||||
new_perm = 'repository.write' | ||||
RepoModel().grant_user_permission(repo=repo_name, user=self.u1, | ||||
perm=new_perm) | ||||
Session().commit() | ||||
assert repo_perms(self.u1)[repo_name] == new_perm | ||||
def test_default_admin_perms_set(self, repo_name): | ||||
assert repo_perms(self.a1)[repo_name] == 'repository.admin' | ||||
RepoModel().grant_user_permission(repo=repo_name, user=self.a1, | ||||
perm='repository.write') | ||||
Session().commit() | ||||
# cannot really downgrade admins permissions !? they still gets set as | ||||
# admin ! | ||||
assert repo_perms(self.a1)[repo_name] == 'repository.admin' | ||||
def test_default_group_perms(self, repo_name): | ||||
self.g1 = fixture.create_repo_group('test1', skip_if_exists=True) | ||||
self.g2 = fixture.create_repo_group('test2', skip_if_exists=True) | ||||
assert repo_perms(self.u1)[repo_name] == 'repository.read' | ||||
assert group_perms(self.u1) == { | ||||
'test1': 'group.read', 'test2': 'group.read'} | ||||
assert global_perms(self.u1) == set( | ||||
Permission.DEFAULT_USER_PERMISSIONS) | ||||
def test_default_admin_group_perms(self, repo_name): | ||||
self.g1 = fixture.create_repo_group('test1', skip_if_exists=True) | ||||
self.g2 = fixture.create_repo_group('test2', skip_if_exists=True) | ||||
assert repo_perms(self.a1)[repo_name] == 'repository.admin' | ||||
assert group_perms(self.a1) == { | ||||
'test1': 'group.admin', 'test2': 'group.admin'} | ||||
r1443 | def test_default_owner_repo_perms(self, backend, user_util, test_repo): | |||
user = user_util.create_user() | ||||
repo = test_repo('minimal', backend.alias) | ||||
org_owner = repo.user | ||||
assert repo_perms(user)[repo.repo_name] == 'repository.read' | ||||
repo.user = user | ||||
assert repo_perms(user)[repo.repo_name] == 'repository.admin' | ||||
repo.user = org_owner | ||||
r2975 | def test_default_owner_branch_perms(self, user_util, test_user_group): | |||
user = user_util.create_user() | ||||
assert branch_perms(user) == {} | ||||
r1443 | def test_default_owner_repo_group_perms(self, user_util, test_repo_group): | |||
user = user_util.create_user() | ||||
org_owner = test_repo_group.user | ||||
r1 | ||||
r1443 | assert group_perms(user)[test_repo_group.group_name] == 'group.read' | |||
test_repo_group.user = user | ||||
assert group_perms(user)[test_repo_group.group_name] == 'group.admin' | ||||
test_repo_group.user = org_owner | ||||
def test_default_owner_user_group_perms(self, user_util, test_user_group): | ||||
user = user_util.create_user() | ||||
org_owner = test_user_group.user | ||||
assert user_group_perms(user)[test_user_group.users_group_name] == 'usergroup.read' | ||||
test_user_group.user = user | ||||
assert user_group_perms(user)[test_user_group.users_group_name] == 'usergroup.admin' | ||||
test_user_group.user = org_owner | ||||
r1 | ||||
r5551 | def test_propagated_permissions_from_repo_group_to_private_repo(self, repo_name): | |||
# make group | ||||
self.g1 = fixture.create_repo_group('TOP_LEVEL', skip_if_exists=True) | ||||
# both perms should be read ! | ||||
assert group_perms(self.anon) == { | ||||
'TOP_LEVEL': 'group.read' | ||||
} | ||||
# Create repo inside the TOP_LEVEL | ||||
repo_name_in_group = RepoGroup.url_sep().join([self.g1.group_name, 'test_perm_on_private_repo']) | ||||
self.test_repo = fixture.create_repo(name=repo_name_in_group, | ||||
repo_type='hg', | ||||
repo_group=self.g1, | ||||
cur_user=self.u1,) | ||||
r5575 | assert repo_perms(self.anon)[repo_name_in_group] == 'repository.read' | |||
assert repo_perms(self.anon)['vcs_test_git'] == 'repository.read' | ||||
assert repo_perms(self.anon)['vcs_test_hg'] == 'repository.read' | ||||
assert repo_perms(self.anon)['vcs_test_svn'] == 'repository.read' | ||||
r5551 | # Now change default user permissions | |||
new_perm = 'repository.write' | ||||
perm_updates = [ | ||||
[self.anon.user_id, new_perm, 'user'] | ||||
] | ||||
RepoGroupModel().update_permissions( | ||||
repo_group=self.g1, perm_updates=perm_updates, recursive='all') | ||||
Session().commit() | ||||
r5575 | assert repo_perms(self.anon)[repo_name_in_group] == new_perm | |||
assert repo_perms(self.anon)['vcs_test_git'] == 'repository.read' | ||||
assert repo_perms(self.anon)['vcs_test_hg'] == 'repository.read' | ||||
assert repo_perms(self.anon)['vcs_test_svn'] == 'repository.read' | ||||
r5551 | ||||
# NOW MARK repo as private | ||||
changes = { | ||||
'repo_private': True | ||||
} | ||||
repo = RepoModel().get_by_repo_name(repo_name_in_group) | ||||
RepoModel().update(repo, **changes) | ||||
Session().commit() | ||||
# Private repo sets 'none' permission for default user | ||||
r5575 | assert repo_perms(self.anon)[repo_name_in_group] == 'repository.none' | |||
assert repo_perms(self.anon)['vcs_test_git'] == 'repository.read' | ||||
assert repo_perms(self.anon)['vcs_test_hg'] == 'repository.read' | ||||
assert repo_perms(self.anon)['vcs_test_svn'] == 'repository.read' | ||||
r5551 | ||||
# apply same logic of "updated" recursive, but now the anon permissions should be not be impacted | ||||
new_perm = 'repository.write' | ||||
perm_updates = [ | ||||
[self.anon.user_id, new_perm, 'user'] | ||||
] | ||||
RepoGroupModel().update_permissions( | ||||
repo_group=self.g1, perm_updates=perm_updates, recursive='all') | ||||
Session().commit() | ||||
r5575 | assert repo_perms(self.anon)[repo_name_in_group] == 'repository.none' | |||
assert repo_perms(self.anon)['vcs_test_git'] == 'repository.read' | ||||
assert repo_perms(self.anon)['vcs_test_hg'] == 'repository.read' | ||||
assert repo_perms(self.anon)['vcs_test_svn'] == 'repository.read' | ||||
r5551 | ||||
r1 | def test_propagated_permission_from_users_group_by_explicit_perms_exist( | |||
self, repo_name): | ||||
# make group | ||||
self.ug1 = fixture.create_user_group('G1') | ||||
UserGroupModel().add_user_to_group(self.ug1, self.u1) | ||||
# set permission to lower | ||||
new_perm = 'repository.none' | ||||
RepoModel().grant_user_permission( | ||||
repo=repo_name, user=self.u1, perm=new_perm) | ||||
Session().commit() | ||||
assert repo_perms(self.u1)[repo_name] == new_perm | ||||
# grant perm for group this should not override permission from user | ||||
# since it has explicitly set | ||||
new_perm_gr = 'repository.write' | ||||
RepoModel().grant_user_group_permission( | ||||
repo=repo_name, group_name=self.ug1, perm=new_perm_gr) | ||||
r3981 | Session().commit() | |||
r1 | ||||
assert repo_perms(self.u1)[repo_name] == new_perm | ||||
assert group_perms(self.u1) == {} | ||||
def test_propagated_permission_from_users_group(self, repo_name): | ||||
# make group | ||||
self.ug1 = fixture.create_user_group('G1') | ||||
UserGroupModel().add_user_to_group(self.ug1, self.u3) | ||||
# grant perm for group | ||||
# this should override default permission from user | ||||
new_perm_gr = 'repository.write' | ||||
RepoModel().grant_user_group_permission( | ||||
repo=repo_name, group_name=self.ug1, perm=new_perm_gr) | ||||
r3981 | Session().commit() | |||
r1 | ||||
assert repo_perms(self.u3)[repo_name] == new_perm_gr | ||||
assert group_perms(self.u3) == {} | ||||
def test_propagated_permission_from_users_group_lower_weight( | ||||
self, repo_name): | ||||
# make group with user | ||||
self.ug1 = fixture.create_user_group('G1') | ||||
UserGroupModel().add_user_to_group(self.ug1, self.u1) | ||||
# set permission to lower | ||||
new_perm_h = 'repository.write' | ||||
RepoModel().grant_user_permission( | ||||
repo=repo_name, user=self.u1, perm=new_perm_h) | ||||
Session().commit() | ||||
assert repo_perms(self.u1)[repo_name] == new_perm_h | ||||
# grant perm for group this should NOT override permission from user | ||||
# since it's lower than granted | ||||
new_perm_l = 'repository.read' | ||||
RepoModel().grant_user_group_permission( | ||||
repo=repo_name, group_name=self.ug1, perm=new_perm_l) | ||||
r3981 | Session().commit() | |||
r1 | ||||
assert repo_perms(self.u1)[repo_name] == new_perm_h | ||||
assert group_perms(self.u1) == {} | ||||
def test_repo_in_group_permissions(self): | ||||
self.g1 = fixture.create_repo_group('group1', skip_if_exists=True) | ||||
self.g2 = fixture.create_repo_group('group2', skip_if_exists=True) | ||||
# both perms should be read ! | ||||
assert group_perms(self.u1) == \ | ||||
r5575 | {'group1': 'group.read', 'group2': 'group.read'} | |||
r1 | ||||
assert group_perms(self.anon) == \ | ||||
r5575 | {'group1': 'group.read', 'group2': 'group.read'} | |||
r1 | ||||
# Change perms to none for both groups | ||||
RepoGroupModel().grant_user_permission( | ||||
repo_group=self.g1, user=self.anon, perm='group.none') | ||||
RepoGroupModel().grant_user_permission( | ||||
repo_group=self.g2, user=self.anon, perm='group.none') | ||||
assert group_perms(self.u1) == \ | ||||
r5575 | {'group1': 'group.none', 'group2': 'group.none'} | |||
r1 | assert group_perms(self.anon) == \ | |||
r5575 | {'group1': 'group.none', 'group2': 'group.none'} | |||
r1 | ||||
# add repo to group | ||||
name = RepoGroup.url_sep().join([self.g1.group_name, 'test_perm']) | ||||
self.test_repo = fixture.create_repo(name=name, | ||||
repo_type='hg', | ||||
repo_group=self.g1, | ||||
cur_user=self.u1,) | ||||
assert group_perms(self.u1) == \ | ||||
r5575 | {'group1': 'group.none', 'group2': 'group.none'} | |||
r1 | assert group_perms(self.anon) == \ | |||
r5575 | {'group1': 'group.none', 'group2': 'group.none'} | |||
r1 | ||||
# grant permission for u2 ! | ||||
RepoGroupModel().grant_user_permission( | ||||
repo_group=self.g1, user=self.u2, perm='group.read') | ||||
RepoGroupModel().grant_user_permission( | ||||
repo_group=self.g2, user=self.u2, perm='group.read') | ||||
Session().commit() | ||||
assert self.u1 != self.u2 | ||||
# u1 and anon should have not change perms while u2 should ! | ||||
assert group_perms(self.u1) == \ | ||||
r5575 | {'group1': 'group.none', 'group2': 'group.none'} | |||
r1 | assert group_perms(self.u2) == \ | |||
r5575 | {'group1': 'group.read', 'group2': 'group.read'} | |||
r1 | assert group_perms(self.anon) == \ | |||
r5575 | {'group1': 'group.none', 'group2': 'group.none'} | |||
r1 | ||||
def test_repo_group_user_as_user_group_member(self): | ||||
# create Group1 | ||||
self.g1 = fixture.create_repo_group('group1', skip_if_exists=True) | ||||
r5575 | assert group_perms(self.anon) == {'group1': 'group.read'} | |||
r1 | ||||
# set default permission to none | ||||
RepoGroupModel().grant_user_permission( | ||||
repo_group=self.g1, user=self.anon, perm='group.none') | ||||
r3981 | Session().commit() | |||
r1 | # make group | |||
self.ug1 = fixture.create_user_group('G1') | ||||
# add user to group | ||||
UserGroupModel().add_user_to_group(self.ug1, self.u1) | ||||
Session().commit() | ||||
# check if user is in the group | ||||
ug1 = UserGroupModel().get(self.ug1.users_group_id) | ||||
members = [x.user_id for x in ug1.members] | ||||
assert members == [self.u1.user_id] | ||||
# add some user to that group | ||||
# check his permissions | ||||
r5575 | assert group_perms(self.anon) == {'group1': 'group.none'} | |||
assert group_perms(self.u1) == {'group1': 'group.none'} | ||||
r1 | ||||
# grant ug1 read permissions for | ||||
RepoGroupModel().grant_user_group_permission( | ||||
repo_group=self.g1, group_name=self.ug1, perm='group.read') | ||||
Session().commit() | ||||
# check if the | ||||
obj = Session().query(UserGroupRepoGroupToPerm)\ | ||||
.filter(UserGroupRepoGroupToPerm.group == self.g1)\ | ||||
.filter(UserGroupRepoGroupToPerm.users_group == self.ug1)\ | ||||
.scalar() | ||||
assert obj.permission.permission_name == 'group.read' | ||||
r5575 | assert group_perms(self.anon) == {'group1': 'group.none'} | |||
assert group_perms(self.u1) == {'group1': 'group.read'} | ||||
r1 | ||||
def test_inherited_permissions_from_default_on_user_enabled(self): | ||||
# enable fork and create on default user | ||||
_form_result = { | ||||
'default_repo_create': 'hg.create.repository', | ||||
'default_fork_create': 'hg.fork.repository' | ||||
} | ||||
PermissionModel().set_new_user_perms( | ||||
User.get_default_user(), _form_result) | ||||
Session().commit() | ||||
# make sure inherit flag is turned on | ||||
self.u1.inherit_default_permissions = True | ||||
Session().commit() | ||||
# this user will have inherited permissions from default user | ||||
assert global_perms(self.u1) == default_perms() | ||||
def test_inherited_permissions_from_default_on_user_disabled(self): | ||||
# disable fork and create on default user | ||||
_form_result = { | ||||
'default_repo_create': 'hg.create.none', | ||||
'default_fork_create': 'hg.fork.none' | ||||
} | ||||
PermissionModel().set_new_user_perms( | ||||
User.get_default_user(), _form_result) | ||||
Session().commit() | ||||
# make sure inherit flag is turned on | ||||
self.u1.inherit_default_permissions = True | ||||
Session().commit() | ||||
# this user will have inherited permissions from default user | ||||
expected_perms = default_perms( | ||||
added=['hg.create.none', 'hg.fork.none'], | ||||
removed=['hg.create.repository', 'hg.fork.repository']) | ||||
assert global_perms(self.u1) == expected_perms | ||||
def test_non_inherited_permissions_from_default_on_user_enabled(self): | ||||
user_model = UserModel() | ||||
# enable fork and create on default user | ||||
usr = User.DEFAULT_USER | ||||
user_model.revoke_perm(usr, 'hg.create.none') | ||||
user_model.grant_perm(usr, 'hg.create.repository') | ||||
user_model.revoke_perm(usr, 'hg.fork.none') | ||||
user_model.grant_perm(usr, 'hg.fork.repository') | ||||
# disable global perms on specific user | ||||
user_model.revoke_perm(self.u1, 'hg.create.repository') | ||||
user_model.grant_perm(self.u1, 'hg.create.none') | ||||
user_model.revoke_perm(self.u1, 'hg.fork.repository') | ||||
user_model.grant_perm(self.u1, 'hg.fork.none') | ||||
r2975 | # TODO(marcink): check branch permissions now ? | |||
r1 | # make sure inherit flag is turned off | |||
self.u1.inherit_default_permissions = False | ||||
Session().commit() | ||||
# this user will have non inherited permissions from he's | ||||
# explicitly set permissions | ||||
r2975 | assert global_perms(self.u1) == { | |||
r1 | 'hg.create.none', | |||
'hg.fork.none', | ||||
'hg.register.manual_activate', | ||||
r1035 | 'hg.password_reset.enabled', | |||
r1 | 'hg.extern_activate.auto', | |||
'repository.read', | ||||
'group.read', | ||||
'usergroup.read', | ||||
r2975 | 'branch.push_force', | |||
} | ||||
r1 | ||||
def test_non_inherited_permissions_from_default_on_user_disabled(self): | ||||
user_model = UserModel() | ||||
# disable fork and create on default user | ||||
usr = User.DEFAULT_USER | ||||
user_model.revoke_perm(usr, 'hg.create.repository') | ||||
user_model.grant_perm(usr, 'hg.create.none') | ||||
user_model.revoke_perm(usr, 'hg.fork.repository') | ||||
user_model.grant_perm(usr, 'hg.fork.none') | ||||
# enable global perms on specific user | ||||
user_model.revoke_perm(self.u1, 'hg.create.none') | ||||
user_model.grant_perm(self.u1, 'hg.create.repository') | ||||
user_model.revoke_perm(self.u1, 'hg.fork.none') | ||||
user_model.grant_perm(self.u1, 'hg.fork.repository') | ||||
# make sure inherit flag is turned off | ||||
self.u1.inherit_default_permissions = False | ||||
Session().commit() | ||||
r2975 | # TODO(marcink): check branch perms | |||
r1 | # this user will have non inherited permissions from he's | |||
# explicitly set permissions | ||||
r2975 | assert global_perms(self.u1) == { | |||
r1 | 'hg.create.repository', | |||
'hg.fork.repository', | ||||
'hg.register.manual_activate', | ||||
r1035 | 'hg.password_reset.enabled', | |||
r1 | 'hg.extern_activate.auto', | |||
'repository.read', | ||||
'group.read', | ||||
'usergroup.read', | ||||
r2975 | 'branch.push_force', | |||
} | ||||
r1 | ||||
@pytest.mark.parametrize('perm, expected_perm', [ | ||||
('hg.inherit_default_perms.false', 'repository.none', ), | ||||
('hg.inherit_default_perms.true', 'repository.read', ), | ||||
]) | ||||
def test_inherited_permissions_on_objects(self, perm, expected_perm): | ||||
_form_result = { | ||||
'default_inherit_default_permissions': perm, | ||||
} | ||||
PermissionModel().set_new_user_perms( | ||||
User.get_default_user(), _form_result) | ||||
Session().commit() | ||||
# make sure inherit flag is turned on | ||||
self.u1.inherit_default_permissions = True | ||||
Session().commit() | ||||
r2975 | # TODO(marcink): check branch perms | |||
r1 | # this user will have inherited permissions from default user | |||
r2975 | assert global_perms(self.u1) == { | |||
r1 | 'hg.create.none', | |||
'hg.fork.none', | ||||
'hg.register.manual_activate', | ||||
r1035 | 'hg.password_reset.enabled', | |||
r1 | 'hg.extern_activate.auto', | |||
'repository.read', | ||||
'group.read', | ||||
'usergroup.read', | ||||
r2975 | 'branch.push_force', | |||
r1 | 'hg.create.write_on_repogroup.true', | |||
'hg.usergroup.create.false', | ||||
'hg.repogroup.create.false', | ||||
r2975 | perm | |||
} | ||||
r1 | ||||
assert set(repo_perms(self.u1).values()) == set([expected_perm]) | ||||
def test_repo_owner_permissions_not_overwritten_by_group(self): | ||||
# create repo as USER, | ||||
self.test_repo = fixture.create_repo(name='myownrepo', | ||||
repo_type='hg', | ||||
cur_user=self.u1) | ||||
# he has permissions of admin as owner | ||||
assert repo_perms(self.u1)['myownrepo'] == 'repository.admin' | ||||
# set his permission as user group, he should still be admin | ||||
self.ug1 = fixture.create_user_group('G1') | ||||
UserGroupModel().add_user_to_group(self.ug1, self.u1) | ||||
RepoModel().grant_user_group_permission( | ||||
self.test_repo, | ||||
group_name=self.ug1, | ||||
perm='repository.none') | ||||
Session().commit() | ||||
assert repo_perms(self.u1)['myownrepo'] == 'repository.admin' | ||||
def test_repo_owner_permissions_not_overwritten_by_others(self): | ||||
# create repo as USER, | ||||
self.test_repo = fixture.create_repo(name='myownrepo', | ||||
repo_type='hg', | ||||
cur_user=self.u1) | ||||
# he has permissions of admin as owner | ||||
assert repo_perms(self.u1)['myownrepo'] == 'repository.admin' | ||||
# set his permission as user, he should still be admin | ||||
RepoModel().grant_user_permission( | ||||
self.test_repo, user=self.u1, perm='repository.none') | ||||
Session().commit() | ||||
assert repo_perms(self.u1)['myownrepo'] == 'repository.admin' | ||||
def test_repo_group_owner_permissions_not_overwritten_by_group(self): | ||||
# "u1" shall be owner without any special permission assigned | ||||
self.g1 = fixture.create_repo_group('test1') | ||||
# Make user group and grant a permission to user group | ||||
self.ug1 = fixture.create_user_group('G1') | ||||
UserGroupModel().add_user_to_group(self.ug1, self.u1) | ||||
RepoGroupModel().grant_user_group_permission( | ||||
repo_group=self.g1, group_name=self.ug1, perm='group.write') | ||||
r3981 | Session().commit() | |||
r1 | ||||
# Verify that user does not get any special permission if he is not | ||||
# owner | ||||
assert group_perms(self.u1) == {'test1': 'group.write'} | ||||
# Make him owner of the repo group | ||||
self.g1.user = self.u1 | ||||
assert group_perms(self.u1) == {'test1': 'group.admin'} | ||||
def test_repo_group_owner_permissions_not_overwritten_by_others(self): | ||||
# "u1" shall be owner without any special permission assigned | ||||
self.g1 = fixture.create_repo_group('test1') | ||||
RepoGroupModel().grant_user_permission( | ||||
repo_group=self.g1, user=self.u1, perm='group.write') | ||||
r3981 | Session().commit() | |||
r1 | ||||
# Verify that user does not get any special permission if he is not | ||||
# owner | ||||
assert group_perms(self.u1) == {'test1': 'group.write'} | ||||
# Make him owner of the repo group | ||||
self.g1.user = self.u1 | ||||
r5575 | assert group_perms(self.u1) == {'test1': 'group.admin'} | |||
r1 | ||||
r3981 | def assert_user_perm_equal( | |||
r1 | self, user, change_factor=0, compare_keys=None): | |||
perms = UserToPerm.query().filter(UserToPerm.user == user).all() | ||||
assert len(perms) == \ | ||||
len(Permission.DEFAULT_USER_PERMISSIONS) + change_factor | ||||
if compare_keys: | ||||
assert set( | ||||
x.permissions.permission_name for x in perms) == compare_keys | ||||
r3981 | def assert_def_user_group_perm_equal( | |||
r1 | self, user_group, change_factor=0, compare_keys=None): | |||
perms = UserGroupToPerm.query().filter( | ||||
UserGroupToPerm.users_group == user_group).all() | ||||
assert len(perms) == \ | ||||
len(Permission.DEFAULT_USER_PERMISSIONS) + change_factor | ||||
if compare_keys: | ||||
assert set( | ||||
x.permissions.permission_name for x in perms) == compare_keys | ||||
def test_set_default_permissions(self): | ||||
PermissionModel().create_default_user_permissions(user=self.u1) | ||||
r3981 | self.assert_user_perm_equal(user=self.u1) | |||
r1 | ||||
def test_set_default_permissions_after_one_is_missing(self): | ||||
PermissionModel().create_default_user_permissions(user=self.u1) | ||||
r3981 | self.assert_user_perm_equal(user=self.u1) | |||
r1 | # now we delete one, it should be re-created after another call | |||
perms = UserToPerm.query().filter(UserToPerm.user == self.u1).all() | ||||
Session().delete(perms[0]) | ||||
Session().commit() | ||||
r3981 | self.assert_user_perm_equal(user=self.u1, change_factor=-1) | |||
r1 | ||||
# create missing one ! | ||||
PermissionModel().create_default_user_permissions(user=self.u1) | ||||
r3981 | self.assert_user_perm_equal(user=self.u1) | |||
r1 | ||||
@pytest.mark.parametrize("perm, modify_to", [ | ||||
('repository.read', 'repository.none'), | ||||
('group.read', 'group.none'), | ||||
('usergroup.read', 'usergroup.none'), | ||||
('hg.create.repository', 'hg.create.none'), | ||||
('hg.fork.repository', 'hg.fork.none'), | ||||
('hg.register.manual_activate', 'hg.register.auto_activate',) | ||||
]) | ||||
def test_set_default_permissions_after_modification(self, perm, modify_to): | ||||
PermissionModel().create_default_user_permissions(user=self.u1) | ||||
r3981 | self.assert_user_perm_equal(user=self.u1) | |||
r1 | ||||
old = Permission.get_by_key(perm) | ||||
new = Permission.get_by_key(modify_to) | ||||
assert old is not None | ||||
assert new is not None | ||||
# now modify permissions | ||||
p = UserToPerm.query().filter( | ||||
UserToPerm.user == self.u1).filter( | ||||
UserToPerm.permission == old).one() | ||||
p.permission = new | ||||
Session().add(p) | ||||
Session().commit() | ||||
PermissionModel().create_default_user_permissions(user=self.u1) | ||||
r3981 | self.assert_user_perm_equal(user=self.u1) | |||
r1 | ||||
def test_clear_user_perms(self): | ||||
PermissionModel().create_default_user_permissions(user=self.u1) | ||||
r3981 | self.assert_user_perm_equal(user=self.u1) | |||
r1 | ||||
# now clear permissions | ||||
cleared = PermissionModel()._clear_user_perms(self.u1.user_id) | ||||
r3981 | self.assert_user_perm_equal(user=self.u1, | |||
change_factor=len(cleared)*-1) | ||||
r1 | ||||
def test_clear_user_group_perms(self): | ||||
self.ug1 = fixture.create_user_group('G1') | ||||
PermissionModel().create_default_user_group_permissions( | ||||
user_group=self.ug1) | ||||
r3981 | self.assert_def_user_group_perm_equal(user_group=self.ug1) | |||
r1 | ||||
# now clear permissions | ||||
cleared = PermissionModel()._clear_user_group_perms( | ||||
self.ug1.users_group_id) | ||||
r3981 | self.assert_def_user_group_perm_equal(user_group=self.ug1, | |||
change_factor=len(cleared)*-1) | ||||
r1 | ||||
@pytest.mark.parametrize("form_result", [ | ||||
{}, | ||||
{'default_repo_create': 'hg.create.repository'}, | ||||
{'default_repo_create': 'hg.create.repository', | ||||
'default_repo_perm': 'repository.read'}, | ||||
{'default_repo_create': 'hg.create.none', | ||||
'default_repo_perm': 'repository.write', | ||||
'default_fork_create': 'hg.fork.none'}, | ||||
]) | ||||
def test_set_new_user_permissions(self, form_result): | ||||
_form_result = {} | ||||
_form_result.update(form_result) | ||||
PermissionModel().set_new_user_perms(self.u1, _form_result) | ||||
Session().commit() | ||||
change_factor = -1 * (len(Permission.DEFAULT_USER_PERMISSIONS) | ||||
- len(form_result.keys())) | ||||
r3981 | self.assert_user_perm_equal( | |||
r1 | self.u1, change_factor=change_factor) | |||
@pytest.mark.parametrize("form_result", [ | ||||
{}, | ||||
{'default_repo_create': 'hg.create.repository'}, | ||||
{'default_repo_create': 'hg.create.repository', | ||||
'default_repo_perm': 'repository.read'}, | ||||
{'default_repo_create': 'hg.create.none', | ||||
'default_repo_perm': 'repository.write', | ||||
'default_fork_create': 'hg.fork.none'}, | ||||
]) | ||||
def test_set_new_user_group_permissions(self, form_result): | ||||
_form_result = {} | ||||
_form_result.update(form_result) | ||||
self.ug1 = fixture.create_user_group('G1') | ||||
PermissionModel().set_new_user_group_perms(self.ug1, _form_result) | ||||
Session().commit() | ||||
change_factor = -1 * (len(Permission.DEFAULT_USER_PERMISSIONS) | ||||
- len(form_result.keys())) | ||||
r3981 | self.assert_def_user_group_perm_equal( | |||
r1 | self.ug1, change_factor=change_factor) | |||
@pytest.mark.parametrize("group_active, expected_perm", [ | ||||
(True, 'repository.admin'), | ||||
(False, 'repository.read'), | ||||
]) | ||||
def test_get_default_repo_perms_from_user_group_with_active_group( | ||||
self, backend, user_util, group_active, expected_perm): | ||||
repo = backend.create_repo() | ||||
user = user_util.create_user() | ||||
user_group = user_util.create_user_group( | ||||
members=[user], users_group_active=group_active) | ||||
user_util.grant_user_group_permission_to_repo( | ||||
repo, user_group, 'repository.admin') | ||||
permissions = repo_perms(user) | ||||
repo_permission = permissions.get(repo.repo_name) | ||||
assert repo_permission == expected_perm | ||||
@pytest.mark.parametrize("group_active, expected_perm", [ | ||||
(True, 'group.admin'), | ||||
(False, 'group.read') | ||||
]) | ||||
def test_get_default_group_perms_from_user_group_with_active_group( | ||||
self, user_util, group_active, expected_perm): | ||||
user = user_util.create_user() | ||||
repo_group = user_util.create_repo_group() | ||||
user_group = user_util.create_user_group( | ||||
members=[user], users_group_active=group_active) | ||||
user_util.grant_user_group_permission_to_repo_group( | ||||
repo_group, user_group, 'group.admin') | ||||
permissions = group_perms(user) | ||||
group_permission = permissions.get(repo_group.name) | ||||
assert group_permission == expected_perm | ||||
@pytest.mark.parametrize("group_active, expected_perm", [ | ||||
(True, 'usergroup.admin'), | ||||
(False, 'usergroup.read') | ||||
]) | ||||
def test_get_default_user_group_perms_from_user_group_with_active_group( | ||||
self, user_util, group_active, expected_perm): | ||||
user = user_util.create_user() | ||||
user_group = user_util.create_user_group( | ||||
members=[user], users_group_active=group_active) | ||||
target_user_group = user_util.create_user_group() | ||||
user_util.grant_user_group_permission_to_user_group( | ||||
target_user_group, user_group, 'usergroup.admin') | ||||
permissions = user_group_perms(user) | ||||
group_permission = permissions.get(target_user_group.users_group_name) | ||||
assert group_permission == expected_perm | ||||
def repo_perms(user): | ||||
auth_user = AuthUser(user_id=user.user_id) | ||||
return auth_user.permissions['repositories'] | ||||
r2975 | def branch_perms(user): | |||
auth_user = AuthUser(user_id=user.user_id) | ||||
return auth_user.permissions['repository_branches'] | ||||
r1 | def group_perms(user): | |||
auth_user = AuthUser(user_id=user.user_id) | ||||
return auth_user.permissions['repositories_groups'] | ||||
def user_group_perms(user): | ||||
auth_user = AuthUser(user_id=user.user_id) | ||||
return auth_user.permissions['user_groups'] | ||||
def global_perms(user): | ||||
auth_user = AuthUser(user_id=user.user_id) | ||||
return auth_user.permissions['global'] | ||||
def default_perms(added=None, removed=None): | ||||
expected_perms = set(Permission.DEFAULT_USER_PERMISSIONS) | ||||
if removed: | ||||
expected_perms.difference_update(removed) | ||||
if added: | ||||
expected_perms.update(added) | ||||
return expected_perms | ||||