rhodecode-enterprise-ce Commit - r1443:6321ed72

auth: make owner of user group give proper admin permissions to the user group....

marcink -

r1443:6321ed72 default

parent child

rhodecode/tests/functional/test_delegated_admin.py

0 created 644 +128 0

@@ -0,0 +1,128 b''
	1	# -- coding: utf-8 --
	2
	3	# Copyright (C) 2016-2017 RhodeCode GmbH
	4	#
	5	# This program is free software: you can redistribute it and/or modify
	6	# it under the terms of the GNU Affero General Public License, version 3
	7	# (only), as published by the Free Software Foundation.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU Affero General Public License
	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	16	#
	17	# This program is dual-licensed. If you wish to learn more about the
	18	# RhodeCode Enterprise Edition, including its added features, Support services,
	19	# and proprietary license terms, please see https://rhodecode.com/licenses/
	20
	21	import pytest
	22
	23	from rhodecode.tests import (
	24	TestController, url, assert_session_flash, link_to)
	25	from rhodecode.model.db import User, UserGroup
	26	from rhodecode.model.meta import Session
	27	from rhodecode.tests.fixture import Fixture
	28
	29
	30	fixture = Fixture()
	31
	32
	33	class TestAdminUsersGroupsController(TestController):
	34
	35	def test_regular_user_cannot_see_admin_interfaces(self, user_util):
	36	user = user_util.create_user(password='qweqwe')
	37	self.log_user(user.username, 'qweqwe')
	38
	39	# check if in home view, such user doesn't see the "admin" menus
	40	response = self.app.get(url('home'))
	41
	42	assert_response = response.assert_response()
	43
	44	assert_response.no_element_exists('li.local-admin-repos')
	45	assert_response.no_element_exists('li.local-admin-repo-groups')
	46	assert_response.no_element_exists('li.local-admin-user-groups')
	47
	48	response = self.app.get(url('repos'), status=200)
	49	response.mustcontain('data: []')
	50
	51	response = self.app.get(url('repo_groups'), status=200)
	52	response.mustcontain('data: []')
	53
	54	response = self.app.get(url('users_groups'), status=200)
	55	response.mustcontain('data: []')
	56
	57	def test_regular_user_can_see_admin_interfaces_if_owner(self, user_util):
	58	user = user_util.create_user(password='qweqwe')
	59	username = user.username
	60
	61	repo = user_util.create_repo(owner=username)
	62	repo_name = repo.repo_name
	63
	64	repo_group = user_util.create_repo_group(owner=username)
	65	repo_group_name = repo_group.group_name
	66
	67	user_group = user_util.create_user_group(owner=username)
	68	user_group_name = user_group.users_group_name
	69
	70	self.log_user(username, 'qweqwe')
	71	# check if in home view, such user doesn't see the "admin" menus
	72	response = self.app.get(url('home'))
	73
	74	assert_response = response.assert_response()
	75
	76	assert_response.one_element_exists('li.local-admin-repos')
	77	assert_response.one_element_exists('li.local-admin-repo-groups')
	78	assert_response.one_element_exists('li.local-admin-user-groups')
	79
	80	# admin interfaces have visible elements
	81	response = self.app.get(url('repos'), status=200)
	82	response.mustcontain('"name_raw": "{}"'.format(repo_name))
	83
	84	response = self.app.get(url('repo_groups'), status=200)
	85	response.mustcontain('"name_raw": "{}"'.format(repo_group_name))
	86
	87	response = self.app.get(url('users_groups'), status=200)
	88	response.mustcontain('"group_name_raw": "{}"'.format(user_group_name))
	89
	90	def test_regular_user_can_see_admin_interfaces_if_admin_perm(self, user_util):
	91	user = user_util.create_user(password='qweqwe')
	92	username = user.username
	93
	94	repo = user_util.create_repo()
	95	repo_name = repo.repo_name
	96
	97	repo_group = user_util.create_repo_group()
	98	repo_group_name = repo_group.group_name
	99
	100	user_group = user_util.create_user_group()
	101	user_group_name = user_group.users_group_name
	102
	103	user_util.grant_user_permission_to_repo(
	104	repo, user, 'repository.admin')
	105	user_util.grant_user_permission_to_repo_group(
	106	repo_group, user, 'group.admin')
	107	user_util.grant_user_permission_to_user_group(
	108	user_group, user, 'usergroup.admin')
	109
	110	self.log_user(username, 'qweqwe')
	111	# check if in home view, such user doesn't see the "admin" menus
	112	response = self.app.get(url('home'))
	113
	114	assert_response = response.assert_response()
	115
	116	assert_response.one_element_exists('li.local-admin-repos')
	117	assert_response.one_element_exists('li.local-admin-repo-groups')
	118	assert_response.one_element_exists('li.local-admin-user-groups')
	119
	120	# admin interfaces have visible elements
	121	response = self.app.get(url('repos'), status=200)
	122	response.mustcontain('"name_raw": "{}"'.format(repo_name))
	123
	124	response = self.app.get(url('repo_groups'), status=200)
	125	response.mustcontain('"name_raw": "{}"'.format(repo_group_name))
	126
	127	response = self.app.get(url('users_groups'), status=200)
	128	response.mustcontain('"group_name_raw": "{}"'.format(user_group_name))

rhodecode/lib/auth.py

0 +38 -18

                     # on given user group
                     for perm in self.default_user_group_perms:
                         u_k = perm.UserUserGroupToPerm.user_group.users_group_name
-                        p = perm.Permission.permission_name
                         o = PermOrigin.USERGROUP_DEFAULT
+                        if perm.UserGroup.user_id == self.user_id:
+                            # set admin if owner
+                            p = 'usergroup.admin'
+                            o = PermOrigin.USERGROUP_OWNER
+                        else:
+                            p = perm.Permission.permission_name
                         # if we decide this user isn't inheriting permissions from default
                         # user we set him to .none so only explicit permissions work
                         if not user_inherit_object_permissions:
                         multiple_counter[g_k] += 1
                         p = perm.Permission.permission_name
                         if perm.RepoGroup.user_id == self.user_id:
-                            # set admin if owner
+                            # set admin if owner, even for member of other user group
                             p = 'group.admin'
                             o = PermOrigin.REPOGROUP_OWNER
                         else:
                     # user group for user group permissions
                     user_group_from_user_group = Permission\
                         .get_default_user_group_perms_from_user_group(
-                            self.user_id, self.scope_repo_group_id)
+                            self.user_id, self.scope_user_group_id)
                     multiple_counter = collections.defaultdict(int)
                     for perm in user_group_from_user_group:
                         o = PermOrigin.USERGROUP_USERGROUP % u_k
                         multiple_counter[g_k] += 1
                         p = perm.Permission.permission_name
-                        if multiple_counter[g_k] > 1:
-                            cur_perm = self.permissions_user_groups[g_k]
+                        if perm.UserGroup.user_id == self.user_id:
-                            p = self._choose_permission(p, cur_perm)
+                            # set admin if owner, even for member of other user group
+                            p = 'usergroup.admin'
+                            o = PermOrigin.USERGROUP_OWNER
+                        else:
+                            if multiple_counter[g_k] > 1:
+                                cur_perm = self.permissions_user_groups[g_k]
+                                p = self._choose_permission(p, cur_perm)
                         self.permissions_user_groups[g_k] = p, o
                     # user explicit permission for user groups
                     for perm in user_user_groups_perms:
                         ug_k = perm.UserUserGroupToPerm.user_group.users_group_name
                         u_k = perm.UserUserGroupToPerm.user.username
-                        p = perm.Permission.permission_name
                         o = PermOrigin.USERGROUP_USER % u_k
-                        if not self.explicit:
-                            cur_perm = self.permissions_user_groups.get(
+                        if perm.UserGroup.user_id == self.user_id:
-                                ug_k, 'usergroup.none')
+                            # set admin if owner
-                            p = self._choose_permission(p, cur_perm)
+                            p = 'usergroup.admin'
+                            o = PermOrigin.USERGROUP_OWNER
+                        else:
+                            p = perm.Permission.permission_name
+                            if not self.explicit:
+                                cur_perm = self.permissions_user_groups.get(
+                                    ug_k, 'usergroup.none')
+                                p = self._choose_permission(p, cur_perm)
                         self.permissions_user_groups[ug_k] = p, o
                 def _choose_permission(self, new_perm, cur_perm):
                     """
                     Returns list of repositories you're an admin of
                     """
-                    return [x[0] for x in self.permissions['repositories'].iteritems()
+                    return [
-                            if x[1] == 'repository.admin']
+                        x[0] for x in self.permissions['repositories'].iteritems()
+                        if x[1] == 'repository.admin']
                 @property
                 def repository_groups_admin(self):
                     """
                     Returns list of repository groups you're an admin of
                     """
-                    return [x[0]
+                    return [
-                            for x in self.permissions['repositories_groups'].iteritems()
+                        x[0] for x in self.permissions['repositories_groups'].iteritems()
-                            if x[1] == 'group.admin']
+                        if x[1] == 'group.admin']
                 @property
                 def user_groups_admin(self):
                     """
                     Returns list of user groups you're an admin of
                     """
-                    return [x[0] for x in self.permissions['user_groups'].iteritems()
+                    return [
-                            if x[1] == 'usergroup.admin']
+                        x[0] for x in self.permissions['user_groups'].iteritems()
+                        if x[1] == 'usergroup.admin']
                 @property
                 def ip_allowed(self):

rhodecode/templates/base/base.mako

0 +3 -3

             <%def name="admin_menu_simple(repositories=None, repository_groups=None, user_groups=None)">
               <ul class="submenu">
                %if repositories:
-                  <li><a href="${h.url('repos')}">${_('Repositories')}</a></li>
+                  <li class="local-admin-repos"><a href="${h.url('repos')}">${_('Repositories')}</a></li>
                %endif
                %if repository_groups:
-                  <li><a href="${h.url('repo_groups')}">${_('Repository groups')}</a></li>
+                  <li class="local-admin-repo-groups"><a href="${h.url('repo_groups')}">${_('Repository groups')}</a></li>
                %endif
                %if user_groups:
-                  <li><a href="${h.url('users_groups')}">${_('User groups')}</a></li>
+                  <li class="local-admin-user-groups"><a href="${h.url('users_groups')}">${_('User groups')}</a></li>
                %endif
               </ul>
             </%def>

rhodecode/tests/functional/test_admin_repo_groups.py

0 +1 -2

                     assert new_repo_group.group_name == repo_group_name_unicode
                     assert new_repo_group.group_description == description
+                    # test if the repository is visible in the list ?
-                    # # test if the repository is visible in the list ?
                     response = self.app.get(
                         url('repo_group_home', group_name=repo_group_name))
                     response.mustcontain(repo_group_name)

rhodecode/tests/models/test_permissions.py

0 +29 -7

@@ -130,14 +130,36 b' class TestPermissions(object):'
130	assert group_perms(self.a1) == {	130	assert group_perms(self.a1) == {
131	'test1': 'group.admin', 'test2': 'group.admin'}	131	'test1': 'group.admin', 'test2': 'group.admin'}
132		132
133	def test_default_owner_group_perms(self):	133	def test_default_owner_repo_perms(self, backend, user_util, test_repo):
134	# "u1" shall be owner without any special permission assigned	134	user = user_util.create_user()
135	self.g1 = fixture.create_repo_group('test1')	135	repo = test_repo('minimal', backend.alias)
136	assert group_perms(self.u1) == {'test1': 'group.read'}	136	org_owner = repo.user
		137	assert repo_perms(user)[repo.repo_name] == 'repository.read'
		138
		139	repo.user = user
		140	assert repo_perms(user)[repo.repo_name] == 'repository.admin'
		141	repo.user = org_owner
		142
		143	def test_default_owner_repo_group_perms(self, user_util, test_repo_group):
		144	user = user_util.create_user()
		145	org_owner = test_repo_group.user
137		146
138	# Make him owner, but do not add any special permissions	147	assert group_perms(user)[test_repo_group.group_name] == 'group.read'
139	self.g1.user = self.u1	148
140	assert group_perms(self.u1) == {'test1': 'group.admin'}	149	test_repo_group.user = user
		150	assert group_perms(user)[test_repo_group.group_name] == 'group.admin'
		151	test_repo_group.user = org_owner
		152
		153	def test_default_owner_user_group_perms(self, user_util, test_user_group):
		154	user = user_util.create_user()
		155	org_owner = test_user_group.user
		156
		157	assert user_group_perms(user)[test_user_group.users_group_name] == 'usergroup.read'
		158
		159	test_user_group.user = user
		160	assert user_group_perms(user)[test_user_group.users_group_name] == 'usergroup.admin'
		161
		162	test_user_group.user = org_owner
141		163
142	def test_propagated_permission_from_users_group_by_explicit_perms_exist(	164	def test_propagated_permission_from_users_group_by_explicit_perms_exist(
143	self, repo_name):	165	self, repo_name):

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages