4963a9689f
Add ACL created and edited events. Signed-off-by: Roberto Rosario <roberto.rosario.gonzalez@gmail.com>
185 lines
6.6 KiB
Python
185 lines
6.6 KiB
Python
from __future__ import absolute_import, unicode_literals
|
|
|
|
from django.core.exceptions import PermissionDenied
|
|
|
|
from mayan.apps.common.tests import BaseTestCase
|
|
from mayan.apps.documents.models import Document, DocumentType
|
|
from mayan.apps.documents.permissions import permission_document_view
|
|
from mayan.apps.documents.tests import (
|
|
TEST_SMALL_DOCUMENT_PATH, TEST_DOCUMENT_TYPE_LABEL,
|
|
TEST_DOCUMENT_TYPE_2_LABEL
|
|
)
|
|
|
|
from ..classes import ModelPermission
|
|
from ..models import AccessControlList
|
|
|
|
from .mixins import ACLTestMixin
|
|
|
|
|
|
class PermissionTestCase(ACLTestMixin, BaseTestCase):
|
|
def setUp(self):
|
|
super(PermissionTestCase, self).setUp()
|
|
self.document_type_1 = DocumentType.objects.create(
|
|
label=TEST_DOCUMENT_TYPE_LABEL
|
|
)
|
|
|
|
self.document_type_2 = DocumentType.objects.create(
|
|
label=TEST_DOCUMENT_TYPE_2_LABEL
|
|
)
|
|
|
|
with open(TEST_SMALL_DOCUMENT_PATH, mode='rb') as file_object:
|
|
self.document_1 = self.document_type_1.new_document(
|
|
file_object=file_object
|
|
)
|
|
|
|
with open(TEST_SMALL_DOCUMENT_PATH, mode='rb') as file_object:
|
|
self.document_2 = self.document_type_1.new_document(
|
|
file_object=file_object
|
|
)
|
|
|
|
with open(TEST_SMALL_DOCUMENT_PATH, mode='rb') as file_object:
|
|
self.document_3 = self.document_type_2.new_document(
|
|
file_object=file_object
|
|
)
|
|
|
|
def tearDown(self):
|
|
for document_type in DocumentType.objects.all():
|
|
document_type.delete()
|
|
super(PermissionTestCase, self).tearDown()
|
|
|
|
def test_check_access_without_permissions(self):
|
|
with self.assertRaises(PermissionDenied):
|
|
AccessControlList.objects.check_access(
|
|
permissions=(permission_document_view,),
|
|
user=self._test_case_user, obj=self.document_1
|
|
)
|
|
|
|
def test_filtering_without_permissions(self):
|
|
self.assertQuerysetEqual(
|
|
AccessControlList.objects.filter_by_access(
|
|
permission=permission_document_view, user=self._test_case_user,
|
|
queryset=Document.objects.all()
|
|
), []
|
|
)
|
|
|
|
def test_check_access_with_acl(self):
|
|
self.grant_access(
|
|
obj=self.document_1, permission=permission_document_view
|
|
)
|
|
|
|
try:
|
|
AccessControlList.objects.check_access(
|
|
obj=self.document_1, permissions=(permission_document_view,),
|
|
user=self._test_case_user,
|
|
)
|
|
except PermissionDenied:
|
|
self.fail('PermissionDenied exception was not expected.')
|
|
|
|
def test_filtering_with_permissions(self):
|
|
self.grant_access(
|
|
obj=self.document_1, permission=permission_document_view
|
|
)
|
|
|
|
self.assertQuerysetEqual(
|
|
AccessControlList.objects.filter_by_access(
|
|
permission=permission_document_view,
|
|
queryset=Document.objects.all(), user=self._test_case_user
|
|
), (repr(self.document_1),)
|
|
)
|
|
|
|
def test_check_access_with_inherited_acl(self):
|
|
self.grant_access(
|
|
obj=self.document_type_1, permission=permission_document_view
|
|
)
|
|
|
|
try:
|
|
AccessControlList.objects.check_access(
|
|
obj=self.document_1, permissions=(permission_document_view,),
|
|
user=self._test_case_user
|
|
)
|
|
except PermissionDenied:
|
|
self.fail('PermissionDenied exception was not expected.')
|
|
|
|
def test_check_access_with_inherited_acl_and_local_acl(self):
|
|
self.grant_access(
|
|
obj=self.document_type_1, permission=permission_document_view
|
|
)
|
|
self.grant_access(
|
|
obj=self.document_3, permission=permission_document_view
|
|
)
|
|
|
|
try:
|
|
AccessControlList.objects.check_access(
|
|
obj=self.document_3, permissions=(permission_document_view,),
|
|
user=self._test_case_user
|
|
)
|
|
except PermissionDenied:
|
|
self.fail('PermissionDenied exception was not expected.')
|
|
|
|
def test_filtering_with_inherited_permissions(self):
|
|
self.grant_access(
|
|
obj=self.document_type_1, permission=permission_document_view
|
|
)
|
|
|
|
result = AccessControlList.objects.filter_by_access(
|
|
permission=permission_document_view,
|
|
queryset=Document.objects.all(), user=self._test_case_user
|
|
)
|
|
|
|
# Since document_1 and document_2 are of document_type_1
|
|
# they are the only ones that should be returned
|
|
|
|
self.assertTrue(self.document_1 in result)
|
|
self.assertTrue(self.document_2 in result)
|
|
self.assertTrue(self.document_3 not in result)
|
|
|
|
def test_filtering_with_inherited_permissions_and_local_acl(self):
|
|
self.grant_permission(permission=permission_document_view)
|
|
self.grant_access(
|
|
obj=self.document_type_1, permission=permission_document_view
|
|
)
|
|
self.grant_access(
|
|
obj=self.document_3, permission=permission_document_view
|
|
)
|
|
|
|
result = AccessControlList.objects.filter_by_access(
|
|
permission=permission_document_view,
|
|
queryset=Document.objects.all(), user=self._test_case_user,
|
|
)
|
|
self.assertTrue(self.document_1 in result)
|
|
self.assertTrue(self.document_2 in result)
|
|
self.assertTrue(self.document_3 in result)
|
|
|
|
|
|
class InheritedPermissionTestCase(ACLTestMixin, BaseTestCase):
|
|
def test_retrieve_inherited_role_permission_not_model_applicable(self):
|
|
self._create_test_model()
|
|
self.test_object = self.TestModel.objects.create()
|
|
self._create_test_acl()
|
|
self._create_test_permission()
|
|
|
|
self.test_role.grant(permission=self.test_permission)
|
|
|
|
queryset = AccessControlList.objects.get_inherited_permissions(
|
|
obj=self.test_object, role=self.test_role
|
|
)
|
|
self.assertTrue(self.test_permission.stored_permission not in queryset)
|
|
|
|
def test_retrieve_inherited_role_permission_model_applicable(self):
|
|
self._create_test_model()
|
|
self.test_object = self.TestModel.objects.create()
|
|
self._create_test_acl()
|
|
self._create_test_permission()
|
|
|
|
ModelPermission.register(
|
|
model=self.test_object._meta.model, permissions=(
|
|
self.test_permission,
|
|
)
|
|
)
|
|
self.test_role.grant(permission=self.test_permission)
|
|
|
|
queryset = AccessControlList.objects.get_inherited_permissions(
|
|
obj=self.test_object, role=self.test_role
|
|
)
|
|
self.assertTrue(self.test_permission.stored_permission in queryset)
|