auth: make owner of user group give proper admin permissions to the user group....
marcink -
r1443:6321ed72 default
@@ -0,0 +1,128 b''
1 # -*- coding: utf-8 -*-
2
3 # Copyright (C) 2016-2017 RhodeCode GmbH
4 #
5 # This program is free software: you can redistribute it and/or modify
6 # it under the terms of the GNU Affero General Public License, version 3
7 # (only), as published by the Free Software Foundation.
8 #
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
13 #
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 #
17 # This program is dual-licensed. If you wish to learn more about the
18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20
21 import pytest
22
23 from rhodecode.tests import (
24 TestController, url, assert_session_flash, link_to)
25 from rhodecode.model.db import User, UserGroup
26 from rhodecode.model.meta import Session
27 from rhodecode.tests.fixture import Fixture
28
29
30 fixture = Fixture()
31
32
33 class TestAdminUsersGroupsController(TestController):
34
35 def test_regular_user_cannot_see_admin_interfaces(self, user_util):
36 user = user_util.create_user(password='qweqwe')
37 self.log_user(user.username, 'qweqwe')
38
39 # check if in home view, such user doesn't see the "admin" menus
40 response = self.app.get(url('home'))
41
42 assert_response = response.assert_response()
43
44 assert_response.no_element_exists('li.local-admin-repos')
45 assert_response.no_element_exists('li.local-admin-repo-groups')
46 assert_response.no_element_exists('li.local-admin-user-groups')
47
48 response = self.app.get(url('repos'), status=200)
49 response.mustcontain('data: []')
50
51 response = self.app.get(url('repo_groups'), status=200)
52 response.mustcontain('data: []')
53
54 response = self.app.get(url('users_groups'), status=200)
55 response.mustcontain('data: []')
56
57 def test_regular_user_can_see_admin_interfaces_if_owner(self, user_util):
58 user = user_util.create_user(password='qweqwe')
59 username = user.username
60
61 repo = user_util.create_repo(owner=username)
62 repo_name = repo.repo_name
63
64 repo_group = user_util.create_repo_group(owner=username)
65 repo_group_name = repo_group.group_name
66
67 user_group = user_util.create_user_group(owner=username)
68 user_group_name = user_group.users_group_name
69
70 self.log_user(username, 'qweqwe')
71 # check if in home view, such user doesn't see the "admin" menus
72 response = self.app.get(url('home'))
73
74 assert_response = response.assert_response()
75
76 assert_response.one_element_exists('li.local-admin-repos')
77 assert_response.one_element_exists('li.local-admin-repo-groups')
78 assert_response.one_element_exists('li.local-admin-user-groups')
79
80 # admin interfaces have visible elements
81 response = self.app.get(url('repos'), status=200)
82 response.mustcontain('"name_raw": "{}"'.format(repo_name))
83
84 response = self.app.get(url('repo_groups'), status=200)
85 response.mustcontain('"name_raw": "{}"'.format(repo_group_name))
86
87 response = self.app.get(url('users_groups'), status=200)
88 response.mustcontain('"group_name_raw": "{}"'.format(user_group_name))
89
90 def test_regular_user_can_see_admin_interfaces_if_admin_perm(self, user_util):
91 user = user_util.create_user(password='qweqwe')
92 username = user.username
93
94 repo = user_util.create_repo()
95 repo_name = repo.repo_name
96
97 repo_group = user_util.create_repo_group()
98 repo_group_name = repo_group.group_name
99
100 user_group = user_util.create_user_group()
101 user_group_name = user_group.users_group_name
102
103 user_util.grant_user_permission_to_repo(
104 repo, user, 'repository.admin')
105 user_util.grant_user_permission_to_repo_group(
106 repo_group, user, 'group.admin')
107 user_util.grant_user_permission_to_user_group(
108 user_group, user, 'usergroup.admin')
109
110 self.log_user(username, 'qweqwe')
111 # check if in home view, such user doesn't see the "admin" menus
112 response = self.app.get(url('home'))
113
114 assert_response = response.assert_response()
115
116 assert_response.one_element_exists('li.local-admin-repos')
117 assert_response.one_element_exists('li.local-admin-repo-groups')
118 assert_response.one_element_exists('li.local-admin-user-groups')
119
120 # admin interfaces have visible elements
121 response = self.app.get(url('repos'), status=200)
122 response.mustcontain('"name_raw": "{}"'.format(repo_name))
123
124 response = self.app.get(url('repo_groups'), status=200)
125 response.mustcontain('"name_raw": "{}"'.format(repo_group_name))
126
127 response = self.app.get(url('users_groups'), status=200)
128 response.mustcontain('"group_name_raw": "{}"'.format(user_group_name))
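Review bot: The comment `# check if in home view, such user doesn't see the "admin" menus` is copied unchanged into test_regular_user_can_see_admin_interfaces_if_owner and test_regular_user_can_see_admin_interfaces_if_admin_perm (new lines 71 and 111), where the assertions that follow use `one_element_exists` and check the opposite; it should read something like `# in the home view, such a user sees the local "admin" menus`. The two positive tests also assert only that the user's own objects are listed. Creating a second repo, repo group and user group that the user neither owns nor administers, and asserting their names are absent from the `repos`, `repo_groups` and `users_groups` responses, would also catch a listing that shows too much. The password literal `'qweqwe'` is repeated in every test and could be a single module-level constant.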
@@ -571,8 +571,14 b' class PermissionCalculator(object):'
571 # on given user group
571 # on given user group
572 for perm in self.default_user_group_perms:
572 for perm in self.default_user_group_perms:
573 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
573 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
574 p = perm.Permission.permission_name
575 o = PermOrigin.USERGROUP_DEFAULT
574 o = PermOrigin.USERGROUP_DEFAULT
575 if perm.UserGroup.user_id == self.user_id:
576 # set admin if owner
577 p = 'usergroup.admin'
578 o = PermOrigin.USERGROUP_OWNER
579 else:
580 p = perm.Permission.permission_name
581
576 # if we decide this user isn't inheriting permissions from default
582 # if we decide this user isn't inheriting permissions from default
577 # user we set him to .none so only explicit permissions work
583 # user we set him to .none so only explicit permissions work
578 if not user_inherit_object_permissions:
584 if not user_inherit_object_permissions:
@@ -651,7 +657,7 b' class PermissionCalculator(object):'
651 multiple_counter[g_k] += 1
657 multiple_counter[g_k] += 1
652 p = perm.Permission.permission_name
658 p = perm.Permission.permission_name
653 if perm.RepoGroup.user_id == self.user_id:
659 if perm.RepoGroup.user_id == self.user_id:
654 # set admin if owner
660 # set admin if owner, even for member of other user group
655 p = 'group.admin'
661 p = 'group.admin'
656 o = PermOrigin.REPOGROUP_OWNER
662 o = PermOrigin.REPOGROUP_OWNER
657 else:
663 else:
@@ -687,7 +693,7 b' class PermissionCalculator(object):'
687 # user group for user group permissions
693 # user group for user group permissions
688 user_group_from_user_group = Permission\
694 user_group_from_user_group = Permission\
689 .get_default_user_group_perms_from_user_group(
695 .get_default_user_group_perms_from_user_group(
690 self.user_id, self.scope_repo_group_id)
696 self.user_id, self.scope_user_group_id)
691
697
692 multiple_counter = collections.defaultdict(int)
698 multiple_counter = collections.defaultdict(int)
693 for perm in user_group_from_user_group:
699 for perm in user_group_from_user_group:
@@ -698,9 +704,15 b' class PermissionCalculator(object):'
698 o = PermOrigin.USERGROUP_USERGROUP % u_k
704 o = PermOrigin.USERGROUP_USERGROUP % u_k
699 multiple_counter[g_k] += 1
705 multiple_counter[g_k] += 1
700 p = perm.Permission.permission_name
706 p = perm.Permission.permission_name
701 if multiple_counter[g_k] > 1:
707
702 cur_perm = self.permissions_user_groups[g_k]
708 if perm.UserGroup.user_id == self.user_id:
703 p = self._choose_permission(p, cur_perm)
709 # set admin if owner, even for member of other user group
710 p = 'usergroup.admin'
711 o = PermOrigin.USERGROUP_OWNER
712 else:
713 if multiple_counter[g_k] > 1:
714 cur_perm = self.permissions_user_groups[g_k]
715 p = self._choose_permission(p, cur_perm)
704 self.permissions_user_groups[g_k] = p, o
716 self.permissions_user_groups[g_k] = p, o
705
717
706 # user explicit permission for user groups
718 # user explicit permission for user groups
@@ -709,12 +721,18 b' class PermissionCalculator(object):'
709 for perm in user_user_groups_perms:
721 for perm in user_user_groups_perms:
710 ug_k = perm.UserUserGroupToPerm.user_group.users_group_name
722 ug_k = perm.UserUserGroupToPerm.user_group.users_group_name
711 u_k = perm.UserUserGroupToPerm.user.username
723 u_k = perm.UserUserGroupToPerm.user.username
712 p = perm.Permission.permission_name
713 o = PermOrigin.USERGROUP_USER % u_k
724 o = PermOrigin.USERGROUP_USER % u_k
714 if not self.explicit:
725
715 cur_perm = self.permissions_user_groups.get(
726 if perm.UserGroup.user_id == self.user_id:
716 ug_k, 'usergroup.none')
727 # set admin if owner
717 p = self._choose_permission(p, cur_perm)
728 p = 'usergroup.admin'
729 o = PermOrigin.USERGROUP_OWNER
730 else:
731 p = perm.Permission.permission_name
732 if not self.explicit:
733 cur_perm = self.permissions_user_groups.get(
734 ug_k, 'usergroup.none')
735 p = self._choose_permission(p, cur_perm)
718 self.permissions_user_groups[ug_k] = p, o
736 self.permissions_user_groups[ug_k] = p, o
719
737
720 def _choose_permission(self, new_perm, cur_perm):
738 def _choose_permission(self, new_perm, cur_perm):
@@ -942,25 +960,27 b' class AuthUser(object):'
942 """
960 """
943 Returns list of repositories you're an admin of
961 Returns list of repositories you're an admin of
944 """
962 """
945 return [x[0] for x in self.permissions['repositories'].iteritems()
963 return [
946 if x[1] == 'repository.admin']
964 x[0] for x in self.permissions['repositories'].iteritems()
965 if x[1] == 'repository.admin']
947
966
948 @property
967 @property
949 def repository_groups_admin(self):
968 def repository_groups_admin(self):
950 """
969 """
951 Returns list of repository groups you're an admin of
970 Returns list of repository groups you're an admin of
952 """
971 """
953 return [x[0]
972 return [
954 for x in self.permissions['repositories_groups'].iteritems()
973 x[0] for x in self.permissions['repositories_groups'].iteritems()
955 if x[1] == 'group.admin']
974 if x[1] == 'group.admin']
956
975
957 @property
976 @property
958 def user_groups_admin(self):
977 def user_groups_admin(self):
959 """
978 """
960 Returns list of user groups you're an admin of
979 Returns list of user groups you're an admin of
961 """
980 """
962 return [x[0] for x in self.permissions['user_groups'].iteritems()
981 return [
963 if x[1] == 'usergroup.admin']
982 x[0] for x in self.permissions['user_groups'].iteritems()
983 if x[1] == 'usergroup.admin']
964
984
965 @property
985 @property
966 def ip_allowed(self):
986 def ip_allowed(self):
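Review bot: In the default-permission loop (new lines 574-584) the owner branch assigns `p = 'usergroup.admin'` before the `if not user_inherit_object_permissions:` check, whose body lies outside the hunk. If that body resets `p` to the `.none` permission unconditionally, as the comment above it suggests, an owner with inheritance disabled would be recorded with no access under the origin `PermOrigin.USERGROUP_OWNER`; moving the owner check after the inherit block, or guarding the reset with the ownership test, would stop the two rules from contradicting each other. The same ownership test and the literal `'usergroup.admin'` now appear in three loops (new lines 575, 708 and 726), so a small private helper would keep the override from drifting between them. The tests visible in this commit exercise only the default path; the user-group-membership and explicit-permission branches, where the owner override wins over a lower grant, deserve a test each.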
@@ -142,13 +142,13 b''
142 <%def name="admin_menu_simple(repositories=None, repository_groups=None, user_groups=None)">
142 <%def name="admin_menu_simple(repositories=None, repository_groups=None, user_groups=None)">
143 <ul class="submenu">
143 <ul class="submenu">
144 %if repositories:
144 %if repositories:
145 <li><a href="${h.url('repos')}">${_('Repositories')}</a></li>
145 <li class="local-admin-repos"><a href="${h.url('repos')}">${_('Repositories')}</a></li>
146 %endif
146 %endif
147 %if repository_groups:
147 %if repository_groups:
148 <li><a href="${h.url('repo_groups')}">${_('Repository groups')}</a></li>
148 <li class="local-admin-repo-groups"><a href="${h.url('repo_groups')}">${_('Repository groups')}</a></li>
149 %endif
149 %endif
150 %if user_groups:
150 %if user_groups:
151 <li><a href="${h.url('users_groups')}">${_('User groups')}</a></li>
151 <li class="local-admin-user-groups"><a href="${h.url('users_groups')}">${_('User groups')}</a></li>
152 %endif
152 %endif
153 </ul>
153 </ul>
154 </%def>
154 </%def>
@@ -137,8 +137,7 b' class _BaseTest(TestController):'
137 assert new_repo_group.group_name == repo_group_name_unicode
137 assert new_repo_group.group_name == repo_group_name_unicode
138 assert new_repo_group.group_description == description
138 assert new_repo_group.group_description == description
139
139
140 #
140 # test if the repository is visible in the list ?
141 # # test if the repository is visible in the list ?
142 response = self.app.get(
141 response = self.app.get(
143 url('repo_group_home', group_name=repo_group_name))
142 url('repo_group_home', group_name=repo_group_name))
144 response.mustcontain(repo_group_name)
143 response.mustcontain(repo_group_name)
@@ -130,14 +130,36 b' class TestPermissions(object):'
130 assert group_perms(self.a1) == {
130 assert group_perms(self.a1) == {
131 'test1': 'group.admin', 'test2': 'group.admin'}
131 'test1': 'group.admin', 'test2': 'group.admin'}
132
132
133 def test_default_owner_group_perms(self):
133 def test_default_owner_repo_perms(self, backend, user_util, test_repo):
134 # "u1" shall be owner without any special permission assigned
134 user = user_util.create_user()
135 self.g1 = fixture.create_repo_group('test1')
135 repo = test_repo('minimal', backend.alias)
136 assert group_perms(self.u1) == {'test1': 'group.read'}
136 org_owner = repo.user
137 assert repo_perms(user)[repo.repo_name] == 'repository.read'
138
139 repo.user = user
140 assert repo_perms(user)[repo.repo_name] == 'repository.admin'
141 repo.user = org_owner
142
143 def test_default_owner_repo_group_perms(self, user_util, test_repo_group):
144 user = user_util.create_user()
145 org_owner = test_repo_group.user
137
146
138 # Make him owner, but do not add any special permissions
147 assert group_perms(user)[test_repo_group.group_name] == 'group.read'
139 self.g1.user = self.u1
148
140 assert group_perms(self.u1) == {'test1': 'group.admin'}
149 test_repo_group.user = user
150 assert group_perms(user)[test_repo_group.group_name] == 'group.admin'
151 test_repo_group.user = org_owner
152
153 def test_default_owner_user_group_perms(self, user_util, test_user_group):
154 user = user_util.create_user()
155 org_owner = test_user_group.user
156
157 assert user_group_perms(user)[test_user_group.users_group_name] == 'usergroup.read'
158
159 test_user_group.user = user
160 assert user_group_perms(user)[test_user_group.users_group_name] == 'usergroup.admin'
161
162 test_user_group.user = org_owner
141
163
142 def test_propagated_permission_from_users_group_by_explicit_perms_exist(
164 def test_propagated_permission_from_users_group_by_explicit_perms_exist(
143 self, repo_name):
165 self, repo_name):
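Review bot: Each of the three new owner tests (new lines 133-162) restores the original owner only on its last line, so a failing assertion leaves the fixture object owned by the test user. Wrapping the reassignment and its assertion in `try:` … `finally: repo.user = org_owner` (and likewise for `test_repo_group.user` and `test_user_group.user`) would keep a failure here from changing the permission results of later tests that use the same objects. Whether these fixtures are shared across tests is not visible from this hunk, so this matters most if they are module- or session-scoped.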