0001-misc-remove-options-about-read-access-7946.patch
tests/test_acl_read.py | ||
1 |
import sys |
|
2 |
import shutil |
|
3 | ||
4 |
from quixote import cleanup |
|
5 |
from wcs.qommon.http_request import HTTPRequest |
|
6 |
from wcs import formdef |
|
7 |
from wcs.formdef import FormDef |
|
8 | ||
9 |
from utilities import create_temporary_pub |
|
10 | ||
11 |
users = {} |
|
12 | ||
13 |
def setup_module(module): |
|
14 |
cleanup() |
|
15 | ||
16 |
global users |
|
17 |
global pub |
|
18 | ||
19 |
pub = create_temporary_pub() |
|
20 | ||
21 |
req = HTTPRequest(None, {}) |
|
22 |
pub._set_request(req) |
|
23 | ||
24 |
user = pub.user_class(name='user') |
|
25 |
user.id = 'user' |
|
26 |
users[user.id] = user |
|
27 | ||
28 |
user = pub.user_class(name='user-one-role') |
|
29 |
user.id = 'user-one-role' |
|
30 |
user.roles = ['role-1'] |
|
31 |
users[user.id] = user |
|
32 | ||
33 |
user = pub.user_class(name='user-same-role') |
|
34 |
user.id = 'user-same-role' |
|
35 |
user.roles = ['role-1'] |
|
36 |
users[user.id] = user |
|
37 | ||
38 |
user = pub.user_class(name='user-other-role') |
|
39 |
user.id = 'user-other-role' |
|
40 |
user.roles = ['role-2'] |
|
41 |
users[user.id] = user |
|
42 | ||
43 |
user = pub.user_class(name='user-admin') |
|
44 |
user.id = 'user-admin' |
|
45 |
user.is_admin = True |
|
46 |
users[user.id] = user |
|
47 | ||
48 | ||
49 |
def teardown_module(module): |
|
50 |
shutil.rmtree(pub.APP_DIR) |
|
51 | ||
52 | ||
53 |
def create_objects(): |
|
54 |
formdef = FormDef() |
|
55 |
formdef.url_name = 'foobar' |
|
56 |
formdef.workflow_roles = {} |
|
57 |
formdata = formdef.data_class()() |
|
58 |
formdata._formdef = formdef |
|
59 |
formdata.status = 'wf-new' |
|
60 |
return formdef, formdata |
|
61 | ||
62 | ||
63 |
def check_acl(formdata, access_user_id): |
|
64 |
return formdata.formdef.is_user_allowed_read(users.get(access_user_id), formdata) |
|
65 | ||
66 | ||
67 |
def test_acl_all(): |
|
68 |
formdef, formdata = create_objects() |
|
69 |
formdef.acl_read = 'all' |
|
70 | ||
71 |
assert check_acl(formdata, None) |
|
72 |
assert check_acl(formdata, 'user') |
|
73 | ||
74 | ||
75 |
def test_acl_owner(): |
|
76 |
formdef, formdata = create_objects() |
|
77 |
formdef.acl_read = 'owner' |
|
78 |
formdata.user_id = 'user' |
|
79 | ||
80 |
assert not check_acl(formdata, None) |
|
81 |
assert check_acl(formdata, 'user') |
|
82 |
assert not check_acl(formdata, 'user-one-role') |
|
83 |
assert check_acl(formdata, 'user-admin') |
|
84 | ||
85 |
formdata.user_id = 'user-one-role' |
|
86 |
assert not check_acl(formdata, 'user') |
|
87 | ||
88 | ||
89 |
def test_acl_roles_basics(): |
|
90 |
formdef, formdata = create_objects() |
|
91 |
formdef.acl_read = 'roles' |
|
92 |
formdef.user_id = 'user-one-role' |
|
93 |
formdef.roles = ['role-1'] |
|
94 | ||
95 |
assert not check_acl(formdata, None) |
|
96 |
assert not check_acl(formdata, 'user') |
|
97 |
assert check_acl(formdata, 'user-admin') |
|
98 | ||
99 | ||
100 |
def test_acl_roles_submitter_role(): |
|
101 |
formdef, formdata = create_objects() |
|
102 |
formdef.acl_read = 'roles' |
|
103 |
formdef.user_id = 'user-one-role' |
|
104 |
formdef.roles = ['role-1'] |
|
105 | ||
106 |
assert check_acl(formdata, 'user-one-role') |
|
107 |
assert check_acl(formdata, 'user-same-role') |
|
108 |
assert not check_acl(formdata, 'user-other-role') |
|
109 | ||
110 | ||
111 |
def test_acl_roles_receiver_role(): |
|
112 |
formdef, formdata = create_objects() |
|
113 |
formdef.acl_read = 'roles' |
|
114 |
formdef.user_id = 'user-one-role' |
|
115 |
formdef.workflow_roles['_receiver'] = 'role-1' |
|
116 | ||
117 |
assert check_acl(formdata, 'user-one-role') |
|
118 |
assert check_acl(formdata, 'user-same-role') |
|
119 |
assert not check_acl(formdata, 'user-other-role') |
|
120 | ||
121 | ||
122 |
def test_acl_none_basics(): |
|
123 |
formdef, formdata = create_objects() |
|
124 |
formdef.acl_read = 'none' |
|
125 |
formdef.user_id = 'user' |
|
126 |
formdef.workflow_roles['_receiver'] = 'role-1' |
|
127 | ||
128 |
assert not check_acl(formdata, None) |
|
129 |
assert not check_acl(formdata, 'user') |
|
130 |
assert check_acl(formdata, 'user-admin') |
|
131 |
assert check_acl(formdata, 'user-one-role') |
|
132 |
assert not check_acl(formdata, 'user-other-role') |
|
133 | ||
134 | ||
135 |
def test_acl_none_finished(): |
|
136 |
formdef, formdata = create_objects() |
|
137 |
formdef.acl_read = 'none' |
|
138 |
formdef.user_id = 'user' |
|
139 |
formdef.workflow_roles['_receiver'] = 'role-1' |
|
140 |
formdata.status = 'wf-finished' |
|
141 | ||
142 |
assert not check_acl(formdata, None) |
|
143 |
assert not check_acl(formdata, 'user') |
|
144 |
assert check_acl(formdata, 'user-admin') |
|
145 |
assert check_acl(formdata, 'user-one-role') |
|
146 |
assert not check_acl(formdata, 'user-other-role') |
tests/test_admin_pages.py | ||
520 | 520 |
resp = resp.forms[0].submit('cancel') |
521 | 521 |
assert resp.location == 'http://example.net/backoffice/forms/1/' |
522 | 522 | |
523 |
def test_form_acl_read(): |
|
524 |
create_superuser() |
|
525 |
create_role() |
|
526 | ||
527 |
FormDef.wipe() |
|
528 |
formdef = FormDef() |
|
529 |
formdef.name = 'form title' |
|
530 |
formdef.fields = [] |
|
531 |
formdef.store() |
|
532 | ||
533 |
app = login(get_app(pub)) |
|
534 |
resp = app.get('/backoffice/forms/1/') |
|
535 |
resp = resp.click(href='acl-read') |
|
536 |
resp = resp.forms[0].submit('cancel') |
|
537 | ||
538 |
resp = app.get('/backoffice/forms/1/') |
|
539 |
resp = resp.click(href='acl-read') |
|
540 |
resp.forms[0]['acl_read'] = 'Everybody' |
|
541 |
resp = resp.forms[0].submit('submit') |
|
542 |
assert FormDef.get(1).acl_read == 'all' |
|
543 | ||
544 | 523 |
def test_form_roles(): |
545 | 524 |
create_superuser() |
546 | 525 |
role = create_role() |
wcs/admin/forms.py | ||
91 | 91 |
form.get_widget('name').set_error(_('This name is already used')) |
92 | 92 |
raise ValueError() |
93 | 93 | |
94 |
for f in ('name', 'confirmation', 'acl_read',
|
|
94 |
for f in ('name', 'confirmation', |
|
95 | 95 |
'only_allow_one', 'category_id', 'disabled', |
96 | 96 |
'enable_tracking_codes', 'workflow_id', 'private_status_and_history', |
97 | 97 |
'disabled_redirection', 'always_advertise', |
... | ... | |
288 | 288 |
'role', ('workflow-options', 'workflow_options'), |
289 | 289 |
('workflow-variables', 'workflow_variables'), |
290 | 290 |
('workflow-status-remapping', 'workflow_status_remapping'), |
291 |
'roles', 'title', 'options', ('acl-read', 'acl_read'),
|
|
291 |
'roles', 'title', 'options', |
|
292 | 292 |
'overwrite', 'qrcode', 'information', |
293 | 293 |
('public-url', 'public_url'), |
294 | 294 |
('backoffice-submission-roles', 'backoffice_submission_roles'),] |
... | ... | |
406 | 406 |
_('Backoffice Submission Role'), |
407 | 407 |
self._get_roles_label('backoffice_submission_roles')) |
408 | 408 | |
409 |
r += add_option_line('acl-read', _('Read Access'), |
|
410 |
{'none': _('None'), |
|
411 |
'owner': _('Owner'), |
|
412 |
'roles': _('Roles'), |
|
413 |
'all': _('Everybody')}.get(self.formdef.acl_read, 'none')) |
|
414 | 409 |
r += htmltext('</ul>') |
415 | 410 |
r += htmltext('</div>') |
416 | 411 |
r += htmltext('</div>') |
... | ... | |
636 | 631 |
r += form.render() |
637 | 632 |
return r.getvalue() |
638 | 633 | |
639 |
def acl_read(self): |
|
640 |
form = Form(enctype='multipart/form-data') |
|
641 |
form.add(SingleSelectWidget, 'acl_read', title=_('Read Access'), |
|
642 |
options=[ |
|
643 |
(str('none'), _('None')), |
|
644 |
(str('owner'), _('Owner')), |
|
645 |
(str('roles'), _('Roles')), |
|
646 |
(str('all'), _('Everybody'))], |
|
647 |
value=self.formdef.acl_read) |
|
648 |
form.add_submit('submit', _('Submit')) |
|
649 |
form.add_submit('cancel', _('Cancel')) |
|
650 |
if form.get_widget('cancel').parse(): |
|
651 |
return redirect('.') |
|
652 | ||
653 |
if form.is_submitted() and not form.has_errors(): |
|
654 |
self.formdef.acl_read = form.get_widget('acl_read').parse() |
|
655 |
self.formdef.store() |
|
656 |
return redirect('.') |
|
657 | ||
658 |
get_response().breadcrumb.append( ('acl-read', _('Read Access')) ) |
|
659 |
self.html_top(title=self.formdef.name) |
|
660 |
r = TemplateIO(html=True) |
|
661 |
r += htmltext('<h2>%s</h2>') % _('Roles') |
|
662 |
r += htmltext('<p>%s</p>') % _('Select who is granted a read access.') |
|
663 |
r += form.render() |
|
664 |
return r.getvalue() |
|
665 | ||
666 | 634 |
def workflow(self): |
667 | 635 |
form = Form(enctype='multipart/form-data') |
668 | 636 |
workflows = get_workflows(condition=lambda x: x.possible_status) |
wcs/backoffice/management.py | ||
71 | 71 |
pending_forms.extend(formdef_data_class.get_ids_with_indexed_value( |
72 | 72 |
'status', status)) |
73 | 73 | |
74 |
if formdef.acl_read != 'all' and pending_forms:
|
|
74 |
if pending_forms: |
|
75 | 75 |
concerned_ids = set() |
76 | 76 |
formdata_class = formdef.data_class() |
77 | 77 |
user_roles = set(user.roles or []) |
wcs/formdef.py | ||
80 | 80 |
expiration_date = None |
81 | 81 |
has_captcha = False |
82 | 82 | |
83 |
acl_read = 'owner' # one of ('none', 'owner', 'roles', 'all') |
|
84 | 83 |
private_status_and_history = False |
85 | 84 | |
86 | 85 |
last_modification_time = None |
... | ... | |
142 | 141 |
self.fields = [x.real_field for x in self.fields] |
143 | 142 | |
144 | 143 |
if self.__dict__.has_key('public'): |
145 |
if self.__dict__.get('public'): |
|
146 |
self.acl_read = 'all' |
|
147 | 144 |
del self.__dict__['public'] |
148 | 145 |
changed = True |
149 | 146 | |
... | ... | |
882 | 879 |
return False |
883 | 880 | |
884 | 881 |
def is_user_allowed_read(self, user, formdata=None): |
885 |
if self.acl_read == 'all': |
|
886 |
return True |
|
887 | 882 |
if not user: |
888 |
if self.acl_read == 'owner' and formdata and get_session() and \
|
|
883 |
if formdata and get_session() and \ |
|
889 | 884 |
get_session().is_anonymous_submitter(formdata): |
890 | 885 |
return True |
891 | 886 |
return False |
... | ... | |
905 | 900 | |
906 | 901 |
user_roles = ensure_role_are_strings(user_roles) |
907 | 902 | |
908 |
if self.acl_read == 'roles': |
|
909 |
form_roles = (self.roles or []) |
|
910 |
if formdata: |
|
911 |
from wcs.workflows import get_role_translation |
|
912 |
form_roles.extend([get_role_translation(formdata, x) |
|
913 |
for x in self.workflow_roles.keys() if x]) |
|
914 |
form_roles = ensure_role_are_strings(form_roles) |
|
915 |
if user_roles.intersection(form_roles): |
|
916 |
return True |
|
917 |
elif self.acl_read == 'owner': |
|
918 |
if formdata and formdata.is_submitter(user): |
|
903 |
if formdata and formdata.is_submitter(user): |
|
904 |
return True |
|
905 |
if self.is_of_concern_for_user(user): |
|
906 |
if not formdata: |
|
919 | 907 |
return True |
920 |
if self.is_of_concern_for_user(user): |
|
921 |
if not formdata: |
|
922 |
return True |
|
923 |
elif self.acl_read == 'none': |
|
924 |
# no special permission for anybody, but the form will be viewable |
|
925 |
# to users with a workflow action available. |
|
926 |
pass |
|
927 | 908 | |
928 | 909 |
if formdata: |
929 | 910 |
# current status |
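Review bot: With the `'roles'` branch removed from `is_user_allowed_read`, a user whose roles intersect `self.roles` no longer gets unconditional read access; the new lines 903-907 keep only the submitter case and the `is_of_concern_for_user` case without formdata, so whether receivers still reach a given formdata now depends entirely on the status-based check that starts at line 909, outside this hunk, and that path should be confirmed for workflow statuses that do not list the receiver role. The removed comment under the old `'none'` case was the only explanation of that fall-through, so I would add a docstring on `is_user_allowed_read` stating that anonymous requests are granted only when the session is the anonymous submitter of `formdata`, that logged-in submitters and users the form concerns (when no formdata is given) are granted, and that every other case is decided by the current-status check below. Stored formdefs that still carry `acl_read = 'all'` or `'roles'` in their pickled dict are not migrated (the `public` migration at lines 143-145 now just drops the flag), so previously public forms silently become submitter/receiver-only after upgrade; that is the safe direction, but it deserves a sentence in the commit message or a release note.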
wcs/forms/backoffice.py | ||
158 | 158 |
select_ids = [x.id for x in formdata_class.select(clause=criterias)] |
159 | 159 |
item_ids = list(set(item_ids).intersection(select_ids)) |
160 | 160 | |
161 |
if self.formdef.acl_read != 'all' and item_ids: |
|
162 |
# if the formdef has some ACL defined, we don't go the full way of |
|
163 |
# supporting all the cases but assume that as we are in the |
|
164 |
# backoffice, we don't have to care about the situation where the |
|
165 |
# user is the submitter, and may limit ourselves to consider |
|
166 |
# treating roles. |
|
161 |
if item_ids: |
|
162 |
# as we are in the backoffice, we don't have to care about the |
|
163 |
# situation where the user is the submitter, and we limit ourselves |
|
164 |
# to consider treating roles. |
|
167 | 165 |
user = user or get_request().user |
168 | 166 |
if not user.is_admin: |
169 | 167 |
user_roles = set(user.roles or []) |
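Review bot: Dropping the `acl_read != 'all'` guard at line 161 means the role filter now runs for every formdef, including ones that used to be public, so the unguarded `user.is_admin` at line 166 is reached on every backoffice listing; if `get_request().user` can be None here (not visible in the hunk) that is an AttributeError rather than an empty result, and `if user is None or not user.is_admin:` would treat an absent user as unprivileged, which is the safe default, provided the filtering below copes with `user` being None. The rewritten comment at lines 162-164 also lost the sentence saying that not all ACL cases are handled; I would keep a hint such as `# backoffice: the submitter case is deliberately not handled here, only treating roles` so a later reader does not mistake this for the full read-access check. The enclosing function starts before the hunk.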
wcs/forms/root.py | ||
864 | 864 | |
865 | 865 |
def tempfile(self): |
866 | 866 |
self.check_role() |
867 |
if not self.formdef.acl_read == 'all' and ( |
|
868 |
self.user and not self.user.id == get_session().user): |
|
867 |
if self.user and not self.user.id == get_session().user: |
|
869 | 868 |
self.check_receiver() |
870 | 869 |
try: |
871 | 870 |
t = get_request().form['t'] |
... | ... | |
1207 | 1206 |
r += htmltext('<li><a class="%s" href="%s%s/">%s</a>') % ( |
1208 | 1207 |
' '.join(classes), url_prefix, formdef.url_name, formdef.name) |
1209 | 1208 | |
1210 |
if formdef.acl_read == 'all': |
|
1211 |
r += htmltext(' <a class="listing" href="%s%s/listing">%s</a>') % ( |
|
1212 |
url_prefix, formdef.url_name, _('(listing)')) |
|
1213 | 1209 |
if formdef.description: |
1214 | 1210 |
r += htmltext('<div class="description">%s</div>' % formdef.description) |
1215 | 1211 |
r += htmltext('</li>') |
1216 |
- |