Show More
| @@ -1,186 +1,192 b'' | |||
|
|
1 | 1 | # -*- coding: utf-8 -*- |
|
|
2 | 2 | |
|
|
3 | 3 | # Copyright (C) 2010-2016 RhodeCode GmbH |
|
|
4 | 4 | # |
|
|
5 | 5 | # This program is free software: you can redistribute it and/or modify |
|
|
6 | 6 | # it under the terms of the GNU Affero General Public License, version 3 |
|
|
7 | 7 | # (only), as published by the Free Software Foundation. |
|
|
8 | 8 | # |
|
|
9 | 9 | # This program is distributed in the hope that it will be useful, |
|
|
10 | 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
|
11 | 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
|
12 | 12 | # GNU General Public License for more details. |
|
|
13 | 13 | # |
|
|
14 | 14 | # You should have received a copy of the GNU Affero General Public License |
|
|
15 | 15 | # along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
|
16 | 16 | # |
|
|
17 | 17 | # This program is dual-licensed. If you wish to learn more about the |
|
|
18 | 18 | # RhodeCode Enterprise Edition, including its added features, Support services, |
|
|
19 | 19 | # and proprietary license terms, please see https://rhodecode.com/licenses/ |
|
|
20 | 20 | |
|
|
21 | 21 | import pytest |
|
|
22 | 22 | |
|
|
23 | 23 | from rhodecode.tests import ( |
|
|
24 | 24 | TestController, url, assert_session_flash, link_to) |
|
|
25 | 25 | from rhodecode.model.db import User, UserGroup |
|
|
26 | 26 | from rhodecode.model.meta import Session |
|
|
27 | 27 | from rhodecode.tests.fixture import Fixture |
|
|
28 | 28 | |
|
|
29 | 29 | TEST_USER_GROUP = 'admins_test' |
|
|
30 | 30 | |
|
|
31 | 31 | fixture = Fixture() |
|
|
32 | 32 | |
|
|
33 | 33 | |
|
|
34 | 34 | class TestAdminUsersGroupsController(TestController): |
|
|
35 | 35 | |
|
|
36 | 36 | def test_index(self): |
|
|
37 | 37 | self.log_user() |
|
|
38 | 38 | response = self.app.get(url('users_groups')) |
|
|
39 | 39 | response.status_int == 200 |
|
|
40 | 40 | |
|
|
41 | 41 | def test_create(self): |
|
|
42 | 42 | self.log_user() |
|
|
43 | 43 | users_group_name = TEST_USER_GROUP |
|
|
44 | 44 | response = self.app.post(url('users_groups'), { |
|
|
45 | 45 | 'users_group_name': users_group_name, |
|
|
46 | 46 | 'user_group_description': 'DESC', |
|
|
47 | 47 | 'active': True, |
|
|
48 | 48 | 'csrf_token': self.csrf_token}) |
|
|
49 | 49 | |
|
|
50 | 50 | user_group_link = link_to( |
|
|
51 | 51 | users_group_name, |
|
|
52 | 52 | url('edit_users_group', |
|
|
53 | 53 | user_group_id=UserGroup.get_by_group_name( |
|
|
54 | 54 | users_group_name).users_group_id)) |
|
|
55 | 55 | assert_session_flash( |
|
|
56 | 56 | response, |
|
|
57 | 57 | 'Created user group %s' % user_group_link) |
|
|
58 | 58 | |
|
|
59 | 59 | def test_delete(self): |
|
|
60 | 60 | self.log_user() |
|
|
61 | 61 | users_group_name = TEST_USER_GROUP + 'another' |
|
|
62 | 62 | response = self.app.post(url('users_groups'), { |
|
|
63 | 63 | 'users_group_name': users_group_name, |
|
|
64 | 64 | 'user_group_description': 'DESC', |
|
|
65 | 65 | 'active': True, |
|
|
66 | 66 | 'csrf_token': self.csrf_token}) |
|
|
67 | 67 | |
|
|
68 | 68 | user_group_link = link_to( |
|
|
69 | 69 | users_group_name, |
|
|
70 | 70 | url('edit_users_group', |
|
|
71 | 71 | user_group_id=UserGroup.get_by_group_name( |
|
|
72 | 72 | users_group_name).users_group_id)) |
|
|
73 | 73 | assert_session_flash( |
|
|
74 | 74 | response, |
|
|
75 | 75 | 'Created user group %s' % user_group_link) |
|
|
76 | 76 | |
|
|
77 | 77 | group = Session().query(UserGroup).filter( |
|
|
78 | 78 | UserGroup.users_group_name == users_group_name).one() |
|
|
79 | 79 | |
|
|
80 | 80 | response = self.app.post( |
|
|
81 | 81 | url('delete_users_group', user_group_id=group.users_group_id), |
|
|
82 | 82 | params={'_method': 'delete', 'csrf_token': self.csrf_token}) |
|
|
83 | 83 | |
|
|
84 | 84 | group = Session().query(UserGroup).filter( |
|
|
85 | 85 | UserGroup.users_group_name == users_group_name).scalar() |
|
|
86 | 86 | |
|
|
87 | 87 | assert group is None |
|
|
88 | 88 | |
|
|
89 | 89 | @pytest.mark.parametrize('repo_create, repo_create_write, user_group_create, repo_group_create, fork_create, inherit_default_permissions, expect_error, expect_form_error', [ |
|
|
90 | 90 | ('hg.create.none', 'hg.create.write_on_repogroup.false', 'hg.usergroup.create.false', 'hg.repogroup.create.false', 'hg.fork.none', 'hg.inherit_default_perms.false', False, False), |
|
|
91 | 91 | ('hg.create.repository', 'hg.create.write_on_repogroup.true', 'hg.usergroup.create.true', 'hg.repogroup.create.true', 'hg.fork.repository', 'hg.inherit_default_perms.false', False, False), |
|
|
92 | 92 | ('hg.create.XXX', 'hg.create.write_on_repogroup.true', 'hg.usergroup.create.true', 'hg.repogroup.create.true', 'hg.fork.repository', 'hg.inherit_default_perms.false', False, True), |
|
|
93 | 93 | ('', '', '', '', '', '', True, False), |
|
|
94 | 94 | ]) |
|
|
95 | 95 | def test_global_perms_on_group( |
|
|
96 | 96 | self, repo_create, repo_create_write, user_group_create, |
|
|
97 | 97 | repo_group_create, fork_create, expect_error, expect_form_error, |
|
|
98 | 98 | inherit_default_permissions): |
|
|
99 | 99 | self.log_user() |
|
|
100 | 100 | users_group_name = TEST_USER_GROUP + 'another2' |
|
|
101 | 101 | response = self.app.post(url('users_groups'), |
|
|
102 | 102 | {'users_group_name': users_group_name, |
|
|
103 | 103 | 'user_group_description': 'DESC', |
|
|
104 | 104 | 'active': True, |
|
|
105 | 105 | 'csrf_token': self.csrf_token}) |
|
|
106 | 106 | |
|
|
107 | 107 | ug = UserGroup.get_by_group_name(users_group_name) |
|
|
108 | 108 | user_group_link = link_to( |
|
|
109 | 109 | users_group_name, |
|
|
110 | 110 | url('edit_users_group', user_group_id=ug.users_group_id)) |
|
|
111 | 111 | assert_session_flash( |
|
|
112 | 112 | response, |
|
|
113 | 113 | 'Created user group %s' % user_group_link) |
|
|
114 | 114 | response.follow() |
|
|
115 | 115 | |
|
|
116 | 116 | # ENABLE REPO CREATE ON A GROUP |
|
|
117 | 117 | perm_params = { |
|
|
118 | 118 | 'inherit_default_permissions': False, |
|
|
119 | 119 | 'default_repo_create': repo_create, |
|
|
120 | 120 | 'default_repo_create_on_write': repo_create_write, |
|
|
121 | 121 | 'default_user_group_create': user_group_create, |
|
|
122 | 122 | 'default_repo_group_create': repo_group_create, |
|
|
123 | 123 | 'default_fork_create': fork_create, |
|
|
124 | 124 | 'default_inherit_default_permissions': inherit_default_permissions, |
|
|
125 | 125 | |
|
|
126 | 126 | '_method': 'put', |
|
|
127 | 127 | 'csrf_token': self.csrf_token, |
|
|
128 | 128 | } |
|
|
129 | 129 | response = self.app.post( |
|
|
130 | 130 | url('edit_user_group_global_perms', |
|
|
131 | 131 | user_group_id=ug.users_group_id), |
|
|
132 | 132 | params=perm_params) |
|
|
133 | 133 | |
|
|
134 | 134 | if expect_form_error: |
|
|
135 | 135 | assert response.status_int == 200 |
|
|
136 | 136 | response.mustcontain('Value must be one of') |
|
|
137 | 137 | else: |
|
|
138 | 138 | if expect_error: |
|
|
139 | 139 | msg = 'An error occurred during permissions saving' |
|
|
140 | 140 | else: |
|
|
141 | 141 | msg = 'User Group global permissions updated successfully' |
|
|
142 | 142 | ug = UserGroup.get_by_group_name(users_group_name) |
|
|
143 | 143 | del perm_params['_method'] |
|
|
144 | 144 | del perm_params['csrf_token'] |
|
|
145 | 145 | del perm_params['inherit_default_permissions'] |
|
|
146 | 146 | assert perm_params == ug.get_default_perms() |
|
|
147 | 147 | assert_session_flash(response, msg) |
|
|
148 | 148 | |
|
|
149 | 149 | fixture.destroy_user_group(users_group_name) |
|
|
150 | 150 | |
|
|
151 | 151 | def test_edit(self): |
|
|
152 | 152 | self.log_user() |
|
|
153 | response = self.app.get(url('edit_users_group', user_group_id=1)) | |
|
|
153 | ug = fixture.create_user_group(TEST_USER_GROUP, skip_if_exists=True) | |
|
|
154 | response = self.app.get( | |
|
|
155 | url('edit_users_group', user_group_id=ug.users_group_id)) | |
|
|
156 | fixture.destroy_user_group(TEST_USER_GROUP) | |
|
|
154 | 157 | |
|
|
155 | 158 | def test_edit_user_group_members(self): |
|
|
156 | 159 | self.log_user() |
|
|
157 | response = self.app.get(url('edit_user_group_members', user_group_id=1)) | |
|
|
160 | ug = fixture.create_user_group(TEST_USER_GROUP, skip_if_exists=True) | |
|
|
161 | response = self.app.get( | |
|
|
162 | url('edit_user_group_members', user_group_id=ug.users_group_id)) | |
|
|
158 | 163 | response.mustcontain('No members yet') |
|
|
164 | fixture.destroy_user_group(TEST_USER_GROUP) | |
|
|
159 | 165 | |
|
|
160 | 166 | def test_usergroup_escape(self): |
|
|
161 | 167 | user = User.get_by_username('test_admin') |
|
|
162 | 168 | user.name = '<img src="/image1" onload="alert(\'Hello, World!\');">' |
|
|
163 | 169 | user.lastname = ( |
|
|
164 | 170 | '<img src="/image2" onload="alert(\'Hello, World!\');">') |
|
|
165 | 171 | Session().add(user) |
|
|
166 | 172 | Session().commit() |
|
|
167 | 173 | |
|
|
168 | 174 | self.log_user() |
|
|
169 | 175 | users_group_name = 'samplegroup' |
|
|
170 | 176 | data = { |
|
|
171 | 177 | 'users_group_name': users_group_name, |
|
|
172 | 178 | 'user_group_description': ( |
|
|
173 | 179 | '<strong onload="alert();">DESC</strong>'), |
|
|
174 | 180 | 'active': True, |
|
|
175 | 181 | 'csrf_token': self.csrf_token |
|
|
176 | 182 | } |
|
|
177 | 183 | |
|
|
178 | 184 | response = self.app.post(url('users_groups'), data) |
|
|
179 | 185 | response = self.app.get(url('users_groups')) |
|
|
180 | 186 | |
|
|
181 | 187 | response.mustcontain( |
|
|
182 | 188 | '<strong onload="alert();">' |
|
|
183 | 189 | 'DESC</strong>') |
|
|
184 | 190 | response.mustcontain( |
|
|
185 | 191 | '<img src="/image2" onload="' |
|
|
186 | 192 | 'alert('Hello, World!');">') |
General Comments 0
You need to be logged in to leave comments.
Login now