##// END OF EJS Templates
rhodecode-enterprise-ce
RSS
auth: make owner of user group give proper admin permissions to the user group....
marcink -
r1443:6321ed72 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -0,0 +1,128 b''
1 # -*- coding: utf-8 -*-
2
3 # Copyright (C) 2016-2017 RhodeCode GmbH
4 #
5 # This program is free software: you can redistribute it and/or modify
6 # it under the terms of the GNU Affero General Public License, version 3
7 # (only), as published by the Free Software Foundation.
8 #
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
13 #
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 #
17 # This program is dual-licensed. If you wish to learn more about the
18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20
21 import pytest
22
23 from rhodecode.tests import (
24 TestController, url, assert_session_flash, link_to)
25 from rhodecode.model.db import User, UserGroup
26 from rhodecode.model.meta import Session
27 from rhodecode.tests.fixture import Fixture
28
29
30 fixture = Fixture()
31
32
33 class TestAdminUsersGroupsController(TestController):
34
35 def test_regular_user_cannot_see_admin_interfaces(self, user_util):
36 user = user_util.create_user(password='qweqwe')
37 self.log_user(user.username, 'qweqwe')
38
39 # check if in home view, such user doesn't see the "admin" menus
40 response = self.app.get(url('home'))
41
42 assert_response = response.assert_response()
43
44 assert_response.no_element_exists('li.local-admin-repos')
45 assert_response.no_element_exists('li.local-admin-repo-groups')
46 assert_response.no_element_exists('li.local-admin-user-groups')
47
48 response = self.app.get(url('repos'), status=200)
49 response.mustcontain('data: []')
50
51 response = self.app.get(url('repo_groups'), status=200)
52 response.mustcontain('data: []')
53
54 response = self.app.get(url('users_groups'), status=200)
55 response.mustcontain('data: []')
56
57 def test_regular_user_can_see_admin_interfaces_if_owner(self, user_util):
58 user = user_util.create_user(password='qweqwe')
59 username = user.username
60
61 repo = user_util.create_repo(owner=username)
62 repo_name = repo.repo_name
63
64 repo_group = user_util.create_repo_group(owner=username)
65 repo_group_name = repo_group.group_name
66
67 user_group = user_util.create_user_group(owner=username)
68 user_group_name = user_group.users_group_name
69
70 self.log_user(username, 'qweqwe')
71 # check if in home view, such user doesn't see the "admin" menus
72 response = self.app.get(url('home'))
73
74 assert_response = response.assert_response()
75
76 assert_response.one_element_exists('li.local-admin-repos')
77 assert_response.one_element_exists('li.local-admin-repo-groups')
78 assert_response.one_element_exists('li.local-admin-user-groups')
79
80 # admin interfaces have visible elements
81 response = self.app.get(url('repos'), status=200)
82 response.mustcontain('"name_raw": "{}"'.format(repo_name))
83
84 response = self.app.get(url('repo_groups'), status=200)
85 response.mustcontain('"name_raw": "{}"'.format(repo_group_name))
86
87 response = self.app.get(url('users_groups'), status=200)
88 response.mustcontain('"group_name_raw": "{}"'.format(user_group_name))
89
90 def test_regular_user_can_see_admin_interfaces_if_admin_perm(self, user_util):
91 user = user_util.create_user(password='qweqwe')
92 username = user.username
93
94 repo = user_util.create_repo()
95 repo_name = repo.repo_name
96
97 repo_group = user_util.create_repo_group()
98 repo_group_name = repo_group.group_name
99
100 user_group = user_util.create_user_group()
101 user_group_name = user_group.users_group_name
102
103 user_util.grant_user_permission_to_repo(
104 repo, user, 'repository.admin')
105 user_util.grant_user_permission_to_repo_group(
106 repo_group, user, 'group.admin')
107 user_util.grant_user_permission_to_user_group(
108 user_group, user, 'usergroup.admin')
109
110 self.log_user(username, 'qweqwe')
111 # check if in home view, such user doesn't see the "admin" menus
112 response = self.app.get(url('home'))
113
114 assert_response = response.assert_response()
115
116 assert_response.one_element_exists('li.local-admin-repos')
117 assert_response.one_element_exists('li.local-admin-repo-groups')
118 assert_response.one_element_exists('li.local-admin-user-groups')
119
120 # admin interfaces have visible elements
121 response = self.app.get(url('repos'), status=200)
122 response.mustcontain('"name_raw": "{}"'.format(repo_name))
123
124 response = self.app.get(url('repo_groups'), status=200)
125 response.mustcontain('"name_raw": "{}"'.format(repo_group_name))
126
127 response = self.app.get(url('users_groups'), status=200)
128 response.mustcontain('"group_name_raw": "{}"'.format(user_group_name))
Show file before | Show file after | Hide comments
@@ -571,8 +571,14 b' class PermissionCalculator(object):'
571 571 # on given user group
572 572 for perm in self.default_user_group_perms:
573 573 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
574 p = perm.Permission.permission_name
575 574 o = PermOrigin.USERGROUP_DEFAULT
575 if perm.UserGroup.user_id == self.user_id:
576 # set admin if owner
577 p = 'usergroup.admin'
578 o = PermOrigin.USERGROUP_OWNER
579 else:
580 p = perm.Permission.permission_name
581
576 582 # if we decide this user isn't inheriting permissions from default
577 583 # user we set him to .none so only explicit permissions work
578 584 if not user_inherit_object_permissions:
@@ -651,7 +657,7 b' class PermissionCalculator(object):'
651 657 multiple_counter[g_k] += 1
652 658 p = perm.Permission.permission_name
653 659 if perm.RepoGroup.user_id == self.user_id:
654 # set admin if owner
660 # set admin if owner, even for member of other user group
655 661 p = 'group.admin'
656 662 o = PermOrigin.REPOGROUP_OWNER
657 663 else:
@@ -687,7 +693,7 b' class PermissionCalculator(object):'
687 693 # user group for user group permissions
688 694 user_group_from_user_group = Permission\
689 695 .get_default_user_group_perms_from_user_group(
690 self.user_id, self.scope_repo_group_id)
696 self.user_id, self.scope_user_group_id)
691 697
692 698 multiple_counter = collections.defaultdict(int)
693 699 for perm in user_group_from_user_group:
@@ -698,9 +704,15 b' class PermissionCalculator(object):'
698 704 o = PermOrigin.USERGROUP_USERGROUP % u_k
699 705 multiple_counter[g_k] += 1
700 706 p = perm.Permission.permission_name
701 if multiple_counter[g_k] > 1:
702 cur_perm = self.permissions_user_groups[g_k]
703 p = self._choose_permission(p, cur_perm)
707
708 if perm.UserGroup.user_id == self.user_id:
709 # set admin if owner, even for member of other user group
710 p = 'usergroup.admin'
711 o = PermOrigin.USERGROUP_OWNER
712 else:
713 if multiple_counter[g_k] > 1:
714 cur_perm = self.permissions_user_groups[g_k]
715 p = self._choose_permission(p, cur_perm)
704 716 self.permissions_user_groups[g_k] = p, o
705 717
706 718 # user explicit permission for user groups
@@ -709,12 +721,18 b' class PermissionCalculator(object):'
709 721 for perm in user_user_groups_perms:
710 722 ug_k = perm.UserUserGroupToPerm.user_group.users_group_name
711 723 u_k = perm.UserUserGroupToPerm.user.username
712 p = perm.Permission.permission_name
713 724 o = PermOrigin.USERGROUP_USER % u_k
714 if not self.explicit:
715 cur_perm = self.permissions_user_groups.get(
716 ug_k, 'usergroup.none')
717 p = self._choose_permission(p, cur_perm)
725
726 if perm.UserGroup.user_id == self.user_id:
727 # set admin if owner
728 p = 'usergroup.admin'
729 o = PermOrigin.USERGROUP_OWNER
730 else:
731 p = perm.Permission.permission_name
732 if not self.explicit:
733 cur_perm = self.permissions_user_groups.get(
734 ug_k, 'usergroup.none')
735 p = self._choose_permission(p, cur_perm)
718 736 self.permissions_user_groups[ug_k] = p, o
719 737
720 738 def _choose_permission(self, new_perm, cur_perm):
@@ -942,25 +960,27 b' class AuthUser(object):'
942 960 """
943 961 Returns list of repositories you're an admin of
944 962 """
945 return [x[0] for x in self.permissions['repositories'].iteritems()
946 if x[1] == 'repository.admin']
963 return [
964 x[0] for x in self.permissions['repositories'].iteritems()
965 if x[1] == 'repository.admin']
947 966
948 967 @property
949 968 def repository_groups_admin(self):
950 969 """
951 970 Returns list of repository groups you're an admin of
952 971 """
953 return [x[0]
954 for x in self.permissions['repositories_groups'].iteritems()
955 if x[1] == 'group.admin']
972 return [
973 x[0] for x in self.permissions['repositories_groups'].iteritems()
974 if x[1] == 'group.admin']
956 975
957 976 @property
958 977 def user_groups_admin(self):
959 978 """
960 979 Returns list of user groups you're an admin of
961 980 """
962 return [x[0] for x in self.permissions['user_groups'].iteritems()
963 if x[1] == 'usergroup.admin']
981 return [
982 x[0] for x in self.permissions['user_groups'].iteritems()
983 if x[1] == 'usergroup.admin']
964 984
965 985 @property
966 986 def ip_allowed(self):
Show file before | Show file after | Hide comments
@@ -142,13 +142,13 b''
142 142 <%def name="admin_menu_simple(repositories=None, repository_groups=None, user_groups=None)">
143 143 <ul class="submenu">
144 144 %if repositories:
145 <li><a href="${h.url('repos')}">${_('Repositories')}</a></li>
145 <li class="local-admin-repos"><a href="${h.url('repos')}">${_('Repositories')}</a></li>
146 146 %endif
147 147 %if repository_groups:
148 <li><a href="${h.url('repo_groups')}">${_('Repository groups')}</a></li>
148 <li class="local-admin-repo-groups"><a href="${h.url('repo_groups')}">${_('Repository groups')}</a></li>
149 149 %endif
150 150 %if user_groups:
151 <li><a href="${h.url('users_groups')}">${_('User groups')}</a></li>
151 <li class="local-admin-user-groups"><a href="${h.url('users_groups')}">${_('User groups')}</a></li>
152 152 %endif
153 153 </ul>
154 154 </%def>
Show file before | Show file after | Hide comments
@@ -137,8 +137,7 b' class _BaseTest(TestController):'
137 137 assert new_repo_group.group_name == repo_group_name_unicode
138 138 assert new_repo_group.group_description == description
139 139
140 #
141 # # test if the repository is visible in the list ?
140 # test if the repository is visible in the list ?
142 141 response = self.app.get(
143 142 url('repo_group_home', group_name=repo_group_name))
144 143 response.mustcontain(repo_group_name)
Show file before | Show file after | Hide comments
@@ -130,14 +130,36 b' class TestPermissions(object):'
130 130 assert group_perms(self.a1) == {
131 131 'test1': 'group.admin', 'test2': 'group.admin'}
132 132
133 def test_default_owner_group_perms(self):
134 # "u1" shall be owner without any special permission assigned
135 self.g1 = fixture.create_repo_group('test1')
136 assert group_perms(self.u1) == {'test1': 'group.read'}
133 def test_default_owner_repo_perms(self, backend, user_util, test_repo):
134 user = user_util.create_user()
135 repo = test_repo('minimal', backend.alias)
136 org_owner = repo.user
137 assert repo_perms(user)[repo.repo_name] == 'repository.read'
138
139 repo.user = user
140 assert repo_perms(user)[repo.repo_name] == 'repository.admin'
141 repo.user = org_owner
142
143 def test_default_owner_repo_group_perms(self, user_util, test_repo_group):
144 user = user_util.create_user()
145 org_owner = test_repo_group.user
137 146
138 # Make him owner, but do not add any special permissions
139 self.g1.user = self.u1
140 assert group_perms(self.u1) == {'test1': 'group.admin'}
147 assert group_perms(user)[test_repo_group.group_name] == 'group.read'
148
149 test_repo_group.user = user
150 assert group_perms(user)[test_repo_group.group_name] == 'group.admin'
151 test_repo_group.user = org_owner
152
153 def test_default_owner_user_group_perms(self, user_util, test_user_group):
154 user = user_util.create_user()
155 org_owner = test_user_group.user
156
157 assert user_group_perms(user)[test_user_group.users_group_name] == 'usergroup.read'
158
159 test_user_group.user = user
160 assert user_group_perms(user)[test_user_group.users_group_name] == 'usergroup.admin'
161
162 test_user_group.user = org_owner
141 163
142 164 def test_propagated_permission_from_users_group_by_explicit_perms_exist(
143 165 self, repo_name):
General Comments 0
You need to be logged in to leave comments. Login now