##// END OF EJS Templates
invalidate: encapsulate how key is generated from repo_name and kind
invalidate: encapsulate how key is generated from repo_name and kind

File last commit:

r3734:a8f52054 beta
r3773:8e2cd46f beta
Show More
test_permissions.py
525 lines | 23.2 KiB | text/x-python | PythonLexer
orginized test module...
r2527 import os
import unittest
from rhodecode.tests import *
more usage of fixture tools...
r3647 from rhodecode.tests.fixture import Fixture
orginized test module...
r2527 from rhodecode.model.repos_group import ReposGroupModel
from rhodecode.model.repo import RepoModel
fixed default permissions population during upgrades...
r3733 from rhodecode.model.db import RepoGroup, User, UserGroupRepoGroupToPerm,\
Permission, UserToPerm
orginized test module...
r2527 from rhodecode.model.user import UserModel
from rhodecode.model.meta import Session
Mads Kiilerich
further cleanup of UsersGroup...
r3417 from rhodecode.model.users_group import UserGroupModel
orginized test module...
r2527 from rhodecode.lib.auth import AuthUser
fixed default permissions population during upgrades...
r3733 from rhodecode.model.permission import PermissionModel
more usage of fixture tools...
r3647
fixture = Fixture()
orginized test module...
r2527
class TestPermissions(unittest.TestCase):
def __init__(self, methodName='runTest'):
super(TestPermissions, self).__init__(methodName=methodName)
def setUp(self):
self.u1 = UserModel().create_or_update(
username=u'u1', password=u'qweqwe',
email=u'u1@rhodecode.org', firstname=u'u1', lastname=u'u1'
)
self.u2 = UserModel().create_or_update(
username=u'u2', password=u'qweqwe',
email=u'u2@rhodecode.org', firstname=u'u2', lastname=u'u2'
)
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709 self.u3 = UserModel().create_or_update(
username=u'u3', password=u'qweqwe',
email=u'u3@rhodecode.org', firstname=u'u3', lastname=u'u3'
)
New default permissions definition for user group create
r3734 self.anon = User.get_default_user()
orginized test module...
r2527 self.a1 = UserModel().create_or_update(
username=u'a1', password=u'qweqwe',
email=u'a1@rhodecode.org', firstname=u'a1', lastname=u'a1', admin=True
)
Session().commit()
def tearDown(self):
if hasattr(self, 'test_repo'):
RepoModel().delete(repo=self.test_repo)
fixed #570 explicit users group permissions can overwrite owner permissions...
r2864
orginized test module...
r2527 UserModel().delete(self.u1)
UserModel().delete(self.u2)
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709 UserModel().delete(self.u3)
orginized test module...
r2527 UserModel().delete(self.a1)
if hasattr(self, 'g1'):
ReposGroupModel().delete(self.g1.group_id)
if hasattr(self, 'g2'):
ReposGroupModel().delete(self.g2.group_id)
if hasattr(self, 'ug1'):
Mads Kiilerich
further cleanup of UsersGroup...
r3417 UserGroupModel().delete(self.ug1, force=True)
orginized test module...
r2527
Session().commit()
def test_default_perms_set(self):
u1_auth = AuthUser(user_id=self.u1.user_id)
perms = {
'repositories_groups': {},
'global': set([u'hg.create.repository', u'repository.read',
u'hg.register.manual_activate']),
'repositories': {u'vcs_test_hg': u'repository.read'}
}
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
perms['repositories'][HG_REPO])
new_perm = 'repository.write'
RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1,
perm=new_perm)
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
new_perm)
def test_default_admin_perms_set(self):
a1_auth = AuthUser(user_id=self.a1.user_id)
perms = {
'repositories_groups': {},
'global': set([u'hg.admin']),
'repositories': {u'vcs_test_hg': u'repository.admin'}
}
self.assertEqual(a1_auth.permissions['repositories'][HG_REPO],
perms['repositories'][HG_REPO])
new_perm = 'repository.write'
RepoModel().grant_user_permission(repo=HG_REPO, user=self.a1,
perm=new_perm)
Session().commit()
# cannot really downgrade admins permissions !? they still get's set as
# admin !
u1_auth = AuthUser(user_id=self.a1.user_id)
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
perms['repositories'][HG_REPO])
def test_default_group_perms(self):
more usage of fixture tools...
r3647 self.g1 = fixture.create_group('test1', skip_if_exists=True)
self.g2 = fixture.create_group('test2', skip_if_exists=True)
orginized test module...
r2527 u1_auth = AuthUser(user_id=self.u1.user_id)
perms = {
'repositories_groups': {u'test1': 'group.read', u'test2': 'group.read'},
fixed default permissions population during upgrades...
r3733 'global': set(Permission.DEFAULT_USER_PERMISSIONS),
orginized test module...
r2527 'repositories': {u'vcs_test_hg': u'repository.read'}
}
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
perms['repositories'][HG_REPO])
self.assertEqual(u1_auth.permissions['repositories_groups'],
perms['repositories_groups'])
fixed default permissions population during upgrades...
r3733 self.assertEqual(u1_auth.permissions['global'],
perms['global'])
orginized test module...
r2527
def test_default_admin_group_perms(self):
more usage of fixture tools...
r3647 self.g1 = fixture.create_group('test1', skip_if_exists=True)
self.g2 = fixture.create_group('test2', skip_if_exists=True)
orginized test module...
r2527 a1_auth = AuthUser(user_id=self.a1.user_id)
perms = {
'repositories_groups': {u'test1': 'group.admin', u'test2': 'group.admin'},
'global': set(['hg.admin']),
'repositories': {u'vcs_test_hg': 'repository.admin'}
}
self.assertEqual(a1_auth.permissions['repositories'][HG_REPO],
perms['repositories'][HG_REPO])
self.assertEqual(a1_auth.permissions['repositories_groups'],
perms['repositories_groups'])
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709 def test_propagated_permission_from_users_group_by_explicit_perms_exist(self):
orginized test module...
r2527 # make group
- Manage User’s Groups: create, delete, rename, add/remove users inside....
r3714 self.ug1 = fixture.create_user_group('G1')
Mads Kiilerich
further cleanup of UsersGroup...
r3417 UserGroupModel().add_user_to_group(self.ug1, self.u1)
orginized test module...
r2527
# set permission to lower
new_perm = 'repository.none'
RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1, perm=new_perm)
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
new_perm)
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709 # grant perm for group this should not override permission from user
# since it has explicitly set
new_perm_gr = 'repository.write'
orginized test module...
r2527 RepoModel().grant_users_group_permission(repo=HG_REPO,
group_name=self.ug1,
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709 perm=new_perm_gr)
orginized test module...
r2527 # check perms
u1_auth = AuthUser(user_id=self.u1.user_id)
perms = {
'repositories_groups': {},
'global': set([u'hg.create.repository', u'repository.read',
u'hg.register.manual_activate']),
'repositories': {u'vcs_test_hg': u'repository.read'}
}
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
new_perm)
self.assertEqual(u1_auth.permissions['repositories_groups'],
perms['repositories_groups'])
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709 def test_propagated_permission_from_users_group(self):
# make group
- Manage User’s Groups: create, delete, rename, add/remove users inside....
r3714 self.ug1 = fixture.create_user_group('G1')
Mads Kiilerich
further cleanup of UsersGroup...
r3417 UserGroupModel().add_user_to_group(self.ug1, self.u3)
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709
# grant perm for group this should override default permission from user
new_perm_gr = 'repository.write'
RepoModel().grant_users_group_permission(repo=HG_REPO,
group_name=self.ug1,
perm=new_perm_gr)
# check perms
u3_auth = AuthUser(user_id=self.u3.user_id)
perms = {
'repositories_groups': {},
'global': set([u'hg.create.repository', u'repository.read',
u'hg.register.manual_activate']),
'repositories': {u'vcs_test_hg': u'repository.read'}
}
self.assertEqual(u3_auth.permissions['repositories'][HG_REPO],
new_perm_gr)
self.assertEqual(u3_auth.permissions['repositories_groups'],
perms['repositories_groups'])
orginized test module...
r2527 def test_propagated_permission_from_users_group_lower_weight(self):
# make group
- Manage User’s Groups: create, delete, rename, add/remove users inside....
r3714 self.ug1 = fixture.create_user_group('G1')
orginized test module...
r2527 # add user to group
Mads Kiilerich
further cleanup of UsersGroup...
r3417 UserGroupModel().add_user_to_group(self.ug1, self.u1)
orginized test module...
r2527
# set permission to lower
new_perm_h = 'repository.write'
RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1,
perm=new_perm_h)
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
new_perm_h)
# grant perm for group this should NOT override permission from user
# since it's lower than granted
new_perm_l = 'repository.read'
RepoModel().grant_users_group_permission(repo=HG_REPO,
group_name=self.ug1,
perm=new_perm_l)
# check perms
u1_auth = AuthUser(user_id=self.u1.user_id)
perms = {
'repositories_groups': {},
'global': set([u'hg.create.repository', u'repository.read',
u'hg.register.manual_activate']),
'repositories': {u'vcs_test_hg': u'repository.write'}
}
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
new_perm_h)
self.assertEqual(u1_auth.permissions['repositories_groups'],
perms['repositories_groups'])
def test_repo_in_group_permissions(self):
more usage of fixture tools...
r3647 self.g1 = fixture.create_group('group1', skip_if_exists=True)
self.g2 = fixture.create_group('group2', skip_if_exists=True)
orginized test module...
r2527 # both perms should be read !
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'],
{u'group1': u'group.read', u'group2': u'group.read'})
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'],
{u'group1': u'group.read', u'group2': u'group.read'})
#Change perms to none for both groups
ReposGroupModel().grant_user_permission(repos_group=self.g1,
user=self.anon,
perm='group.none')
ReposGroupModel().grant_user_permission(repos_group=self.g2,
user=self.anon,
perm='group.none')
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'],
{u'group1': u'group.none', u'group2': u'group.none'})
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'],
{u'group1': u'group.none', u'group2': u'group.none'})
# add repo to group
name = RepoGroup.url_sep().join([self.g1.group_name, 'test_perm'])
more usage of fixture tools...
r3647 self.test_repo = fixture.create_repo(name=name,
repo_type='hg',
repos_group=self.g1,
cur_user=self.u1,)
orginized test module...
r2527
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'],
{u'group1': u'group.none', u'group2': u'group.none'})
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'],
{u'group1': u'group.none', u'group2': u'group.none'})
#grant permission for u2 !
ReposGroupModel().grant_user_permission(repos_group=self.g1,
user=self.u2,
perm='group.read')
ReposGroupModel().grant_user_permission(repos_group=self.g2,
user=self.u2,
perm='group.read')
Session().commit()
self.assertNotEqual(self.u1, self.u2)
#u1 and anon should have not change perms while u2 should !
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'],
{u'group1': u'group.none', u'group2': u'group.none'})
u2_auth = AuthUser(user_id=self.u2.user_id)
self.assertEqual(u2_auth.permissions['repositories_groups'],
{u'group1': u'group.read', u'group2': u'group.read'})
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'],
{u'group1': u'group.none', u'group2': u'group.none'})
def test_repo_group_user_as_user_group_member(self):
# create Group1
more usage of fixture tools...
r3647 self.g1 = fixture.create_group('group1', skip_if_exists=True)
orginized test module...
r2527 a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'],
{u'group1': u'group.read'})
# set default permission to none
ReposGroupModel().grant_user_permission(repos_group=self.g1,
user=self.anon,
perm='group.none')
# make group
- Manage User’s Groups: create, delete, rename, add/remove users inside....
r3714 self.ug1 = fixture.create_user_group('G1')
orginized test module...
r2527 # add user to group
Mads Kiilerich
further cleanup of UsersGroup...
r3417 UserGroupModel().add_user_to_group(self.ug1, self.u1)
orginized test module...
r2527 Session().commit()
# check if user is in the group
Mads Kiilerich
further cleanup of UsersGroup...
r3417 membrs = [x.user_id for x in UserGroupModel().get(self.ug1.users_group_id).members]
orginized test module...
r2527 self.assertEqual(membrs, [self.u1.user_id])
# add some user to that group
# check his permissions
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'],
{u'group1': u'group.none'})
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'],
{u'group1': u'group.none'})
# grant ug1 read permissions for
ReposGroupModel().grant_users_group_permission(repos_group=self.g1,
group_name=self.ug1,
perm='group.read')
Session().commit()
# check if the
Mads Kiilerich
further cleanup of UsersGroup...
r3417 obj = Session().query(UserGroupRepoGroupToPerm)\
.filter(UserGroupRepoGroupToPerm.group == self.g1)\
.filter(UserGroupRepoGroupToPerm.users_group == self.ug1)\
orginized test module...
r2527 .scalar()
self.assertEqual(obj.permission.permission_name, 'group.read')
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'],
{u'group1': u'group.none'})
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'],
{u'group1': u'group.read'})
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709
def test_inherited_permissions_from_default_on_user_enabled(self):
user_model = UserModel()
# enable fork and create on default user
usr = 'default'
user_model.revoke_perm(usr, 'hg.create.none')
user_model.grant_perm(usr, 'hg.create.repository')
user_model.revoke_perm(usr, 'hg.fork.none')
user_model.grant_perm(usr, 'hg.fork.repository')
# make sure inherit flag is turned on
self.u1.inherit_default_permissions = True
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
# this user will have inherited permissions from default user
self.assertEqual(u1_auth.permissions['global'],
set(['hg.create.repository', 'hg.fork.repository',
'hg.register.manual_activate',
fixed default permissions population during upgrades...
r3733 'repository.read', 'group.read',
'usergroup.read']))
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709
def test_inherited_permissions_from_default_on_user_disabled(self):
user_model = UserModel()
# disable fork and create on default user
usr = 'default'
user_model.revoke_perm(usr, 'hg.create.repository')
user_model.grant_perm(usr, 'hg.create.none')
user_model.revoke_perm(usr, 'hg.fork.repository')
user_model.grant_perm(usr, 'hg.fork.none')
# make sure inherit flag is turned on
self.u1.inherit_default_permissions = True
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
# this user will have inherited permissions from default user
self.assertEqual(u1_auth.permissions['global'],
set(['hg.create.none', 'hg.fork.none',
'hg.register.manual_activate',
fixed default permissions population during upgrades...
r3733 'repository.read', 'group.read',
'usergroup.read']))
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709
def test_non_inherited_permissions_from_default_on_user_enabled(self):
user_model = UserModel()
# enable fork and create on default user
usr = 'default'
user_model.revoke_perm(usr, 'hg.create.none')
user_model.grant_perm(usr, 'hg.create.repository')
user_model.revoke_perm(usr, 'hg.fork.none')
user_model.grant_perm(usr, 'hg.fork.repository')
#disable global perms on specific user
user_model.revoke_perm(self.u1, 'hg.create.repository')
user_model.grant_perm(self.u1, 'hg.create.none')
user_model.revoke_perm(self.u1, 'hg.fork.repository')
user_model.grant_perm(self.u1, 'hg.fork.none')
# make sure inherit flag is turned off
self.u1.inherit_default_permissions = False
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
# this user will have non inherited permissions from he's
# explicitly set permissions
self.assertEqual(u1_auth.permissions['global'],
set(['hg.create.none', 'hg.fork.none',
'hg.register.manual_activate',
fixed default permissions population during upgrades...
r3733 'repository.read', 'group.read',
'usergroup.read']))
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709
def test_non_inherited_permissions_from_default_on_user_disabled(self):
user_model = UserModel()
# disable fork and create on default user
usr = 'default'
user_model.revoke_perm(usr, 'hg.create.repository')
user_model.grant_perm(usr, 'hg.create.none')
user_model.revoke_perm(usr, 'hg.fork.repository')
user_model.grant_perm(usr, 'hg.fork.none')
#enable global perms on specific user
user_model.revoke_perm(self.u1, 'hg.create.none')
user_model.grant_perm(self.u1, 'hg.create.repository')
user_model.revoke_perm(self.u1, 'hg.fork.none')
user_model.grant_perm(self.u1, 'hg.fork.repository')
# make sure inherit flag is turned off
self.u1.inherit_default_permissions = False
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
# this user will have non inherited permissions from he's
# explicitly set permissions
self.assertEqual(u1_auth.permissions['global'],
set(['hg.create.repository', 'hg.fork.repository',
'hg.register.manual_activate',
fixed default permissions population during upgrades...
r3733 'repository.read', 'group.read',
'usergroup.read']))
fixed #570 explicit users group permissions can overwrite owner permissions...
r2864
def test_owner_permissions_doesnot_get_overwritten_by_group(self):
#create repo as USER,
more usage of fixture tools...
r3647 self.test_repo = fixture.create_repo(name='myownrepo',
repo_type='hg',
cur_user=self.u1)
fixed #570 explicit users group permissions can overwrite owner permissions...
r2864
#he has permissions of admin as owner
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
'repository.admin')
fixed tests and missing replacements from 5f1850e4712a
r3415 #set his permission as user group, he should still be admin
- Manage User’s Groups: create, delete, rename, add/remove users inside....
r3714 self.ug1 = fixture.create_user_group('G1')
Mads Kiilerich
further cleanup of UsersGroup...
r3417 UserGroupModel().add_user_to_group(self.ug1, self.u1)
more usage of fixture tools...
r3647 RepoModel().grant_users_group_permission(self.test_repo,
group_name=self.ug1,
fixed #570 explicit users group permissions can overwrite owner permissions...
r2864 perm='repository.none')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
'repository.admin')
def test_owner_permissions_doesnot_get_overwritten_by_others(self):
#create repo as USER,
more usage of fixture tools...
r3647 self.test_repo = fixture.create_repo(name='myownrepo',
repo_type='hg',
cur_user=self.u1)
fixed #570 explicit users group permissions can overwrite owner permissions...
r2864
#he has permissions of admin as owner
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
'repository.admin')
#set his permission as user, he should still be admin
more usage of fixture tools...
r3647 RepoModel().grant_user_permission(self.test_repo, user=self.u1,
fixed #570 explicit users group permissions can overwrite owner permissions...
r2864 perm='repository.none')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
'repository.admin')
fixed default permissions population during upgrades...
r3733
def _test_def_perm_equal(self, user, change_factor=0):
perms = UserToPerm.query()\
.filter(UserToPerm.user == user)\
.all()
self.assertEqual(len(perms),
len(Permission.DEFAULT_USER_PERMISSIONS,)+change_factor,
msg=perms)
def test_set_default_permissions(self):
PermissionModel().create_default_permissions(user=self.u1)
self._test_def_perm_equal(user=self.u1)
def test_set_default_permissions_after_one_is_missing(self):
PermissionModel().create_default_permissions(user=self.u1)
self._test_def_perm_equal(user=self.u1)
#now we delete one, it should be re-created after another call
perms = UserToPerm.query()\
.filter(UserToPerm.user == self.u1)\
.all()
Session().delete(perms[0])
Session().commit()
self._test_def_perm_equal(user=self.u1, change_factor=-1)
#create missing one !
PermissionModel().create_default_permissions(user=self.u1)
self._test_def_perm_equal(user=self.u1)
@parameterized.expand([
('repository.read', 'repository.none'),
('group.read', 'group.none'),
('usergroup.read', 'usergroup.none'),
('hg.create.repository', 'hg.create.none'),
('hg.fork.repository', 'hg.fork.none'),
('hg.register.manual_activate', 'hg.register.auto_activate',)
])
def test_set_default_permissions_after_modification(self, perm, modify_to):
PermissionModel().create_default_permissions(user=self.u1)
self._test_def_perm_equal(user=self.u1)
old = Permission.get_by_key(perm)
new = Permission.get_by_key(modify_to)
self.assertNotEqual(old, None)
self.assertNotEqual(new, None)
#now modify permissions
p = UserToPerm.query()\
.filter(UserToPerm.user == self.u1)\
.filter(UserToPerm.permission == old)\
.one()
p.permission = new
Session().add(p)
Session().commit()
PermissionModel().create_default_permissions(user=self.u1)
self._test_def_perm_equal(user=self.u1)