Mercurial > p > roundup > code

annotate test/test_security.py @ 4480:1613754d2646

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Fix first part of Password handling security issue2550688 (thanks Joseph Myers for reporting and Eli Collins for fixing) Small change against original patch: We still accept plaintext passwords (in known_schemes) when parsing encrypted password (e.g. from database). This way existing databases with plaintext passwords continue to work (I don't know of any, this would need patching on the users side) and all regression tests pass.
author Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
date Thu, 14 Apr 2011 12:24:59 +0000
parents 8137456a86f3
children 6e3e4f24c753
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1 # Copyright (c) 2002 ekit.com Inc (http://www.ekit-inc.com/)
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2 #
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
3 # Permission is hereby granted, free of charge, to any person obtaining a copy
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
4 # of this software and associated documentation files (the "Software"), to deal
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
5 # in the Software without restriction, including without limitation the rights
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
6 # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
7 # copies of the Software, and to permit persons to whom the Software is
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
8 # furnished to do so, subject to the following conditions:
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
9 #
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
10 # The above copyright notice and this permission notice shall be included in
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
11 # all copies or substantial portions of the Software.
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
12 #
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
13 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
14 # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
15 # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
16 # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
17 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
18 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
19 # SOFTWARE.
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
20
3535
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
21 # $Id: test_security.py,v 1.10 2006-02-03 04:04:37 richard Exp $
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
22
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
23 import os, unittest, shutil
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
24
2926
79f91a6dbc7f use new backends interface; fix vim modeline
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 1873
diff changeset
25 from roundup import backends
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4444
diff changeset
26 import roundup.password
1873
f63aa57386b0 Backend improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 1176
diff changeset
27 from db_test_base import setupSchema, MyTestCase, config
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
28
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
29 class PermissionTest(MyTestCase):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
30 def setUp(self):
2926
79f91a6dbc7f use new backends interface; fix vim modeline
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 1873
diff changeset
31 backend = backends.get_backend('anydbm')
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
32 # remove previous test, ignore errors
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
33 if os.path.exists(config.DATABASE):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
34 shutil.rmtree(config.DATABASE)
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
35 os.makedirs(config.DATABASE + '/files')
2926
79f91a6dbc7f use new backends interface; fix vim modeline
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 1873
diff changeset
36 self.db = backend.Database(config, 'admin')
79f91a6dbc7f use new backends interface; fix vim modeline
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 1873
diff changeset
37 setupSchema(self.db, 1, backend)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
38
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
39 def testInterfaceSecurity(self):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
40 ' test that the CGI and mailgw have initialised security OK '
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
41 # TODO: some asserts
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
42
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
43 def testInitialiseSecurity(self):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
44 ei = self.db.security.addPermission(name="Edit", klass="issue",
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
45 description="User is allowed to edit issues")
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
46 self.db.security.addPermissionToRole('User', ei)
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
47 ai = self.db.security.addPermission(name="View", klass="issue",
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
48 description="User is allowed to access issues")
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
49 self.db.security.addPermissionToRole('User', ai)
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
50
3535
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
51 def testAdmin(self):
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
52 ei = self.db.security.addPermission(name="Edit", klass="issue",
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
53 description="User is allowed to edit issues")
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
54 self.db.security.addPermissionToRole('User', ei)
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
55 ei = self.db.security.addPermission(name="Edit", klass=None,
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
56 description="User is allowed to edit issues")
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
57 self.db.security.addPermissionToRole('Admin', ei)
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
58
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
59 u1 = self.db.user.create(username='one', roles='Admin')
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
60 u2 = self.db.user.create(username='two', roles='User')
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
61
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
62 self.assert_(self.db.security.hasPermission('Edit', u1, None))
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
63 self.assert_(not self.db.security.hasPermission('Edit', u2, None))
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
64
75dc225613cc fix security check for hasPermission(Permission, None)
Richard Jones <richard@users.sourceforge.net>
parents: 3119
diff changeset
65
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
66 def testGetPermission(self):
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
67 self.db.security.getPermission('Edit')
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
68 self.db.security.getPermission('View')
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
69 self.assertRaises(ValueError, self.db.security.getPermission, 'x')
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
70 self.assertRaises(ValueError, self.db.security.getPermission, 'Edit',
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
71 'fubar')
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
72
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
73 add = self.db.security.addPermission
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
74 get = self.db.security.getPermission
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
75
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
76 # class
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
77 ei = add(name="Edit", klass="issue")
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
78 self.assertEquals(get('Edit', 'issue'), ei)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
79 ai = add(name="View", klass="issue")
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
80 self.assertEquals(get('View', 'issue'), ai)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
81
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
82 # property
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
83 epi = add(name="Edit", klass="issue", properties=['title'])
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
84 self.assertEquals(get('Edit', 'issue', properties=['title']), epi)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
85 api = add(name="View", klass="issue", properties=['title'])
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
86 self.assertEquals(get('View', 'issue', properties=['title']), api)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
87
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
88 # check function
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
89 dummy = lambda: 0
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
90 eci = add(name="Edit", klass="issue", check=dummy)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
91 self.assertEquals(get('Edit', 'issue', check=dummy), eci)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
92 aci = add(name="View", klass="issue", check=dummy)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
93 self.assertEquals(get('View', 'issue', check=dummy), aci)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
94
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
95 # all
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
96 epci = add(name="Edit", klass="issue", properties=['title'],
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
97 check=dummy)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
98 self.assertEquals(get('Edit', 'issue', properties=['title'],
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
99 check=dummy), epci)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
100 apci = add(name="View", klass="issue", properties=['title'],
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
101 check=dummy)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
102 self.assertEquals(get('View', 'issue', properties=['title'],
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
103 check=dummy), apci)
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
104
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
105 def testDBinit(self):
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
106 self.db.user.create(username="demo", roles='User')
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
107 self.db.user.create(username="anonymous", roles='Anonymous')
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
108
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
109 def testAccessControls(self):
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
110 add = self.db.security.addPermission
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
111 has = self.db.security.hasPermission
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
112 addRole = self.db.security.addRole
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
113 addToRole = self.db.security.addPermissionToRole
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
114
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
115 none = self.db.user.create(username='none', roles='None')
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
116
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
117 # test admin access
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
118 addRole(name='Super')
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
119 addToRole('Super', add(name="Test"))
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
120 super = self.db.user.create(username='super', roles='Super')
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
121
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
122 # test class-level access
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
123 addRole(name='Role1')
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
124 addToRole('Role1', add(name="Test", klass="test"))
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
125 user1 = self.db.user.create(username='user1', roles='Role1')
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
126 self.assertEquals(has('Test', user1, 'test'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
127 self.assertEquals(has('Test', super, 'test'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
128 self.assertEquals(has('Test', none, 'test'), 0)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
129
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
130 # property
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
131 addRole(name='Role2')
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
132 addToRole('Role2', add(name="Test", klass="test", properties=['a','b']))
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
133 user2 = self.db.user.create(username='user2', roles='Role2')
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
134 # *any* access to class
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
135 self.assertEquals(has('Test', user1, 'test'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
136 self.assertEquals(has('Test', user2, 'test'), 1)
3119
c26f2ba69c78 some bits I missed, and the next release will be beta ;)
Richard Jones <richard@users.sourceforge.net>
parents: 3117
diff changeset
137
c26f2ba69c78 some bits I missed, and the next release will be beta ;)
Richard Jones <richard@users.sourceforge.net>
parents: 3117
diff changeset
138 # *any* access to item
c26f2ba69c78 some bits I missed, and the next release will be beta ;)
Richard Jones <richard@users.sourceforge.net>
parents: 3117
diff changeset
139 self.assertEquals(has('Test', user1, 'test', itemid='1'), 1)
c26f2ba69c78 some bits I missed, and the next release will be beta ;)
Richard Jones <richard@users.sourceforge.net>
parents: 3117
diff changeset
140 self.assertEquals(has('Test', user2, 'test', itemid='1'), 1)
c26f2ba69c78 some bits I missed, and the next release will be beta ;)
Richard Jones <richard@users.sourceforge.net>
parents: 3117
diff changeset
141 self.assertEquals(has('Test', super, 'test', itemid='1'), 1)
c26f2ba69c78 some bits I missed, and the next release will be beta ;)
Richard Jones <richard@users.sourceforge.net>
parents: 3117
diff changeset
142 self.assertEquals(has('Test', none, 'test', itemid='1'), 0)
c26f2ba69c78 some bits I missed, and the next release will be beta ;)
Richard Jones <richard@users.sourceforge.net>
parents: 3117
diff changeset
143
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
144 # now property test
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
145 self.assertEquals(has('Test', user2, 'test', property='a'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
146 self.assertEquals(has('Test', user2, 'test', property='b'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
147 self.assertEquals(has('Test', user2, 'test', property='c'), 0)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
148 self.assertEquals(has('Test', user1, 'test', property='a'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
149 self.assertEquals(has('Test', user1, 'test', property='b'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
150 self.assertEquals(has('Test', user1, 'test', property='c'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
151 self.assertEquals(has('Test', super, 'test', property='a'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
152 self.assertEquals(has('Test', super, 'test', property='b'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
153 self.assertEquals(has('Test', super, 'test', property='c'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
154 self.assertEquals(has('Test', none, 'test', property='a'), 0)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
155 self.assertEquals(has('Test', none, 'test', property='b'), 0)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
156 self.assertEquals(has('Test', none, 'test', property='c'), 0)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
157 self.assertEquals(has('Test', none, 'test'), 0)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
158
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
159 # check function
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
160 check = lambda db, userid, itemid: itemid == '1'
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
161 addRole(name='Role3')
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
162 addToRole('Role3', add(name="Test", klass="test", check=check))
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
163 user3 = self.db.user.create(username='user3', roles='Role3')
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
164 # *any* access to class
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
165 self.assertEquals(has('Test', user1, 'test'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
166 self.assertEquals(has('Test', user2, 'test'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
167 self.assertEquals(has('Test', user3, 'test'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
168 self.assertEquals(has('Test', none, 'test'), 0)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
169 # now check function
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
170 self.assertEquals(has('Test', user3, 'test', itemid='1'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
171 self.assertEquals(has('Test', user3, 'test', itemid='2'), 0)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
172 self.assertEquals(has('Test', user2, 'test', itemid='1'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
173 self.assertEquals(has('Test', user2, 'test', itemid='2'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
174 self.assertEquals(has('Test', user1, 'test', itemid='2'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
175 self.assertEquals(has('Test', user1, 'test', itemid='2'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
176 self.assertEquals(has('Test', super, 'test', itemid='1'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
177 self.assertEquals(has('Test', super, 'test', itemid='2'), 1)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
178 self.assertEquals(has('Test', none, 'test', itemid='1'), 0)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 2926
diff changeset
179 self.assertEquals(has('Test', none, 'test', itemid='2'), 0)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
180
4438
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
181 def testTransitiveSearchPermissions(self):
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
182 add = self.db.security.addPermission
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
183 has = self.db.security.hasSearchPermission
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
184 addRole = self.db.security.addRole
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
185 addToRole = self.db.security.addPermissionToRole
4444
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
186 addRole(name='User')
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
187 addRole(name='Anonymous')
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
188 addRole(name='Issue')
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
189 addRole(name='Msg')
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
190 addRole(name='UV')
4438
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
191 user = self.db.user.create(username='user1', roles='User')
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
192 anon = self.db.user.create(username='anonymous', roles='Anonymous')
4444
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
193 ui = self.db.user.create(username='user2', roles='Issue')
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
194 uim = self.db.user.create(username='user3', roles='Issue,Msg')
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
195 uimu = self.db.user.create(username='user4', roles='Issue,Msg,UV')
4438
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
196 iv = add(name="View", klass="issue")
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
197 addToRole('User', iv)
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
198 addToRole('Anonymous', iv)
4444
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
199 addToRole('Issue', iv)
4438
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
200 ms = add(name="Search", klass="msg")
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
201 addToRole('User', ms)
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
202 addToRole('Anonymous', ms)
4444
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
203 addToRole('Msg', ms)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
204 uv = add(name="View", klass="user")
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
205 addToRole('User', uv)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
206 addToRole('UV', uv)
4438
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
207 self.assertEquals(has(anon, 'issue', 'messages'), 1)
4444
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
208 self.assertEquals(has(anon, 'issue', 'messages.author'), 0)
4438
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
209 self.assertEquals(has(anon, 'issue', 'messages.author.username'), 0)
4444
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
210 self.assertEquals(has(anon, 'issue', 'messages.recipients'), 0)
4438
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
211 self.assertEquals(has(anon, 'issue', 'messages.recipients.username'), 0)
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
212 self.assertEquals(has(user, 'issue', 'messages'), 1)
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
213 self.assertEquals(has(user, 'issue', 'messages.author'), 1)
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
214 self.assertEquals(has(user, 'issue', 'messages.author.username'), 1)
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
215 self.assertEquals(has(user, 'issue', 'messages.recipients'), 1)
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
216 self.assertEquals(has(user, 'issue', 'messages.recipients.username'), 1)
222efa59ee6c search permissions must allow transitive properties
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3535
diff changeset
217
4444
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
218 self.assertEquals(has(ui, 'issue', 'messages'), 0)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
219 self.assertEquals(has(ui, 'issue', 'messages.author'), 0)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
220 self.assertEquals(has(ui, 'issue', 'messages.author.username'), 0)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
221 self.assertEquals(has(ui, 'issue', 'messages.recipients'), 0)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
222 self.assertEquals(has(ui, 'issue', 'messages.recipients.username'), 0)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
223
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
224 self.assertEquals(has(uim, 'issue', 'messages'), 1)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
225 self.assertEquals(has(uim, 'issue', 'messages.author'), 0)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
226 self.assertEquals(has(uim, 'issue', 'messages.author.username'), 0)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
227 self.assertEquals(has(uim, 'issue', 'messages.recipients'), 0)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
228 self.assertEquals(has(uim, 'issue', 'messages.recipients.username'), 0)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
229
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
230 self.assertEquals(has(uimu, 'issue', 'messages'), 1)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
231 self.assertEquals(has(uimu, 'issue', 'messages.author'), 1)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
232 self.assertEquals(has(uimu, 'issue', 'messages.author.username'), 1)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
233 self.assertEquals(has(uimu, 'issue', 'messages.recipients'), 1)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
234 self.assertEquals(has(uimu, 'issue', 'messages.recipients.username'), 1)
8137456a86f3 more fixes to search permissions:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4438
diff changeset
235
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4444
diff changeset
236 # roundup.password has its own built-in test, call it.
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4444
diff changeset
237 def test_password(self):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4444
diff changeset
238 roundup.password.test()
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4444
diff changeset
239
1873
f63aa57386b0 Backend improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 1176
diff changeset
240 def test_suite():
f63aa57386b0 Backend improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 1176
diff changeset
241 suite = unittest.TestSuite()
f63aa57386b0 Backend improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 1176
diff changeset
242 suite.addTest(unittest.makeSuite(PermissionTest))
f63aa57386b0 Backend improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 1176
diff changeset
243 return suite
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
244
1873
f63aa57386b0 Backend improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 1176
diff changeset
245 if __name__ == '__main__':
f63aa57386b0 Backend improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 1176
diff changeset
246 runner = unittest.TextTestRunner()
f63aa57386b0 Backend improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 1176
diff changeset
247 unittest.main(testRunner=runner)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
248
2926
79f91a6dbc7f use new backends interface; fix vim modeline
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 1873
diff changeset
249 # vim: set filetype=python sts=4 sw=4 et si :
Roundup Issue Tracker: http://roundup-tracker.org/