Mercurial > p > roundup > code
annotate test/test_xmlrpc.py @ 4931:577b375a1ec2
Update CHANGES.txt
| author | anatoly techtonik <techtonik@gmail.com> |
|---|---|
| date | Wed, 01 Oct 2014 05:41:19 +0300 |
| parents | dad18ee491a9 |
| children | 3b9252085ba9 |
| rev | line source |
|---|---|
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
1 # |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
2 # Copyright (C) 2007 Stefan Seefeld |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
3 # All rights reserved. |
| 3839 | 4 # For license terms see the file COPYING.txt. |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
5 # |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
6 |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
7 import unittest, os, shutil, errno, sys, difflib, cgi, re |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
8 |
|
4793
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
9 from xmlrpclib import MultiCall |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
10 from roundup.cgi.exceptions import * |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
11 from roundup import init, instance, password, hyperdb, date |
|
4793
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
12 from roundup.xmlrpc import RoundupInstance, RoundupDispatcher |
|
3973
85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]
Richard Jones <richard@users.sourceforge.net>
parents:
3937
diff
changeset
|
13 from roundup.backends import list_backends |
| 4781 | 14 from roundup.hyperdb import String |
|
4793
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
15 from roundup.cgi import TranslationService |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
16 |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
17 import db_test_base |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
18 |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
19 NEEDS_INSTANCE = 1 |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
20 |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
21 class TestCase(unittest.TestCase): |
|
3973
85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]
Richard Jones <richard@users.sourceforge.net>
parents:
3937
diff
changeset
|
22 |
|
85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]
Richard Jones <richard@users.sourceforge.net>
parents:
3937
diff
changeset
|
23 backend = None |
|
85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]
Richard Jones <richard@users.sourceforge.net>
parents:
3937
diff
changeset
|
24 |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
25 def setUp(self): |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
26 self.dirname = '_test_xmlrpc' |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
27 # set up and open a tracker |
|
3973
85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]
Richard Jones <richard@users.sourceforge.net>
parents:
3937
diff
changeset
|
28 self.instance = db_test_base.setupTracker(self.dirname, self.backend) |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
29 |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
30 # open the database |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
31 self.db = self.instance.open('admin') |
| 4781 | 32 |
| 33 # Get user id (user4 maybe). Used later to get data from db. | |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
34 self.joeid = 'user' + self.db.user.create(username='joe', |
|
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
35 password=password.Password('random'), address='random@home.org', |
|
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
36 realname='Joe Random', roles='User') |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
37 |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
38 self.db.commit() |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
39 self.db.close() |
| 4083 | 40 self.db = self.instance.open('joe') |
| 4781 | 41 |
| 42 self.db.tx_Source = 'web' | |
| 43 | |
| 44 self.db.issue.addprop(tx_Source=hyperdb.String()) | |
| 45 self.db.msg.addprop(tx_Source=hyperdb.String()) | |
| 46 | |
| 47 self.db.post_init() | |
| 48 | |
|
4795
dad18ee491a9
Fix minor problems in tests
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4793
diff
changeset
|
49 thisdir = os.path.dirname(__file__) |
| 4781 | 50 vars = {} |
|
4795
dad18ee491a9
Fix minor problems in tests
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4793
diff
changeset
|
51 execfile(os.path.join(thisdir, "tx_Source_detector.py"), vars) |
| 4781 | 52 vars['init'](self.db) |
| 53 | |
| 4083 | 54 self.server = RoundupInstance(self.db, self.instance.actions, None) |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
55 |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
56 def tearDown(self): |
|
4104
d8c2d214d688
do all the pre-release stuff...
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
57 self.db.close() |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
58 try: |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
59 shutil.rmtree(self.dirname) |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
60 except OSError, error: |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
61 if error.errno not in (errno.ENOENT, errno.ESRCH): raise |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
62 |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
63 def testAccess(self): |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
64 # Retrieve all three users. |
| 4083 | 65 results = self.server.list('user', 'id') |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
66 self.assertEqual(len(results), 3) |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
67 |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
68 # Obtain data for 'joe'. |
| 4083 | 69 results = self.server.display(self.joeid) |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
70 self.assertEqual(results['username'], 'joe') |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
71 self.assertEqual(results['realname'], 'Joe Random') |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
72 |
|
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
73 def testChange(self): |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
74 # Reset joe's 'realname'. |
| 4083 | 75 results = self.server.set(self.joeid, 'realname=Joe Doe') |
| 76 results = self.server.display(self.joeid, 'realname') | |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
77 self.assertEqual(results['realname'], 'Joe Doe') |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
78 |
|
3973
85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]
Richard Jones <richard@users.sourceforge.net>
parents:
3937
diff
changeset
|
79 # check we can't change admin's details |
| 4083 | 80 self.assertRaises(Unauthorised, self.server.set, 'user1', 'realname=Joe Doe') |
|
3973
85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]
Richard Jones <richard@users.sourceforge.net>
parents:
3937
diff
changeset
|
81 |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
82 def testCreate(self): |
| 4083 | 83 results = self.server.create('issue', 'title=foo') |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
84 issueid = 'issue' + results |
| 4083 | 85 results = self.server.display(issueid, 'title') |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
86 self.assertEqual(results['title'], 'foo') |
| 4781 | 87 self.assertEqual(self.db.issue.get('1', "tx_Source"), 'web') |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
88 |
|
3992
fe2af84a5ca5
allow binary data for "content" props through rawToHyperdb
Richard Jones <richard@users.sourceforge.net>
parents:
3973
diff
changeset
|
89 def testFileCreate(self): |
| 4083 | 90 results = self.server.create('file', 'content=hello\r\nthere') |
|
3992
fe2af84a5ca5
allow binary data for "content" props through rawToHyperdb
Richard Jones <richard@users.sourceforge.net>
parents:
3973
diff
changeset
|
91 fileid = 'file' + results |
| 4083 | 92 results = self.server.display(fileid, 'content') |
|
3992
fe2af84a5ca5
allow binary data for "content" props through rawToHyperdb
Richard Jones <richard@users.sourceforge.net>
parents:
3973
diff
changeset
|
93 self.assertEqual(results['content'], 'hello\r\nthere') |
|
fe2af84a5ca5
allow binary data for "content" props through rawToHyperdb
Richard Jones <richard@users.sourceforge.net>
parents:
3973
diff
changeset
|
94 |
| 4083 | 95 def testAction(self): |
| 96 # As this action requires special previledges, we temporarily switch | |
| 97 # to 'admin' | |
| 98 self.db.setCurrentUser('admin') | |
| 99 users_before = self.server.list('user') | |
| 100 try: | |
| 101 tmp = 'user' + self.db.user.create(username='tmp') | |
| 102 self.server.action('retire', tmp) | |
| 103 finally: | |
| 104 self.db.setCurrentUser('joe') | |
| 105 users_after = self.server.list('user') | |
| 106 self.assertEqual(users_before, users_after) | |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
107 |
|
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
108 def testAuthDeniedEdit(self): |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
109 # Wrong permissions (caught by roundup security module). |
|
3829
d0ac8188d274
Re-add failing test to make sure permissions are respected.
Stefan Seefeld <stefan@seefeld.name>
parents:
3828
diff
changeset
|
110 self.assertRaises(Unauthorised, self.server.set, |
| 4083 | 111 'user1', 'realname=someone') |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
112 |
|
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
113 def testAuthDeniedCreate(self): |
|
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
114 self.assertRaises(Unauthorised, self.server.create, |
| 4083 | 115 'user', {'username': 'blah'}) |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
116 |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
117 def testAuthAllowedEdit(self): |
| 4083 | 118 self.db.setCurrentUser('admin') |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
119 try: |
|
4241
1555a73f6451
py2.4 compat
Richard Jones <richard@users.sourceforge.net>
parents:
4104
diff
changeset
|
120 try: |
|
1555a73f6451
py2.4 compat
Richard Jones <richard@users.sourceforge.net>
parents:
4104
diff
changeset
|
121 self.server.set('user2', 'realname=someone') |
|
1555a73f6451
py2.4 compat
Richard Jones <richard@users.sourceforge.net>
parents:
4104
diff
changeset
|
122 except Unauthorised, err: |
|
1555a73f6451
py2.4 compat
Richard Jones <richard@users.sourceforge.net>
parents:
4104
diff
changeset
|
123 self.fail('raised %s'%err) |
| 4083 | 124 finally: |
| 125 self.db.setCurrentUser('joe') | |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
126 |
|
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
127 def testAuthAllowedCreate(self): |
| 4083 | 128 self.db.setCurrentUser('admin') |
|
3937
3c3077582c16
Add security checks and tests for xmlrpc interface.
Richard Jones <richard@users.sourceforge.net>
parents:
3839
diff
changeset
|
129 try: |
|
4241
1555a73f6451
py2.4 compat
Richard Jones <richard@users.sourceforge.net>
parents:
4104
diff
changeset
|
130 try: |
|
1555a73f6451
py2.4 compat
Richard Jones <richard@users.sourceforge.net>
parents:
4104
diff
changeset
|
131 self.server.create('user', 'username=blah') |
|
1555a73f6451
py2.4 compat
Richard Jones <richard@users.sourceforge.net>
parents:
4104
diff
changeset
|
132 except Unauthorised, err: |
|
1555a73f6451
py2.4 compat
Richard Jones <richard@users.sourceforge.net>
parents:
4104
diff
changeset
|
133 self.fail('raised %s'%err) |
| 4083 | 134 finally: |
| 135 self.db.setCurrentUser('joe') | |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
136 |
|
4437
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
137 def testAuthFilter(self): |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
138 # this checks if we properly check for search permissions |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
139 self.db.security.permissions = {} |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
140 self.db.security.addRole(name='User') |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
141 self.db.security.addRole(name='Project') |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
142 self.db.security.addPermissionToRole('User', 'Web Access') |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
143 self.db.security.addPermissionToRole('Project', 'Web Access') |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
144 # Allow viewing keyword |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
145 p = self.db.security.addPermission(name='View', klass='keyword') |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
146 self.db.security.addPermissionToRole('User', p) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
147 # Allow viewing interesting things (but not keyword) on issue |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
148 # But users might only view issues where they are on nosy |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
149 # (so in the real world the check method would be better) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
150 p = self.db.security.addPermission(name='View', klass='issue', |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
151 properties=("title", "status"), check=lambda x,y,z: True) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
152 self.db.security.addPermissionToRole('User', p) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
153 # Allow role "Project" access to whole issue |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
154 p = self.db.security.addPermission(name='View', klass='issue') |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
155 self.db.security.addPermissionToRole('Project', p) |
|
4446
17f796a78647
fix broken tests by adding additional permissions...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4437
diff
changeset
|
156 # Allow all access to status: |
|
17f796a78647
fix broken tests by adding additional permissions...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4437
diff
changeset
|
157 p = self.db.security.addPermission(name='View', klass='status') |
|
17f796a78647
fix broken tests by adding additional permissions...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4437
diff
changeset
|
158 self.db.security.addPermissionToRole('User', p) |
|
17f796a78647
fix broken tests by adding additional permissions...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4437
diff
changeset
|
159 self.db.security.addPermissionToRole('Project', p) |
|
4437
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
160 |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
161 keyword = self.db.keyword |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
162 status = self.db.status |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
163 issue = self.db.issue |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
164 |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
165 d1 = keyword.create(name='d1') |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
166 d2 = keyword.create(name='d2') |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
167 open = status.create(name='open') |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
168 closed = status.create(name='closed') |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
169 issue.create(title='i1', status=open, keyword=[d2]) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
170 issue.create(title='i2', status=open, keyword=[d1]) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
171 issue.create(title='i2', status=closed, keyword=[d1]) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
172 |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
173 chef = self.db.user.create(username = 'chef', roles='User, Project') |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
174 joe = self.db.user.lookup('joe') |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
175 |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
176 # Conditionally allow view of whole issue (check is False here, |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
177 # this might check for keyword owner in the real world) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
178 p = self.db.security.addPermission(name='View', klass='issue', |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
179 check=lambda x,y,z: False) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
180 self.db.security.addPermissionToRole('User', p) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
181 # Allow user to search for issue.status |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
182 p = self.db.security.addPermission(name='Search', klass='issue', |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
183 properties=("status",)) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
184 self.db.security.addPermissionToRole('User', p) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
185 |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
186 keyw = {'keyword':self.db.keyword.lookup('d1')} |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
187 stat = {'status':self.db.status.lookup('open')} |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
188 keygroup = keysort = [('+', 'keyword')] |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
189 self.db.commit() |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
190 |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
191 # Filter on keyword ignored for role 'User': |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
192 r = self.server.filter('issue', None, keyw) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
193 self.assertEqual(r, ['1', '2', '3']) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
194 # Filter on status works for all: |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
195 r = self.server.filter('issue', None, stat) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
196 self.assertEqual(r, ['1', '2']) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
197 # Sorting and grouping for class User fails: |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
198 r = self.server.filter('issue', None, {}, sort=keysort) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
199 self.assertEqual(r, ['1', '2', '3']) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
200 r = self.server.filter('issue', None, {}, group=keygroup) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
201 self.assertEqual(r, ['1', '2', '3']) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
202 |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
203 self.db.close() |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
204 self.db = self.instance.open('chef') |
| 4781 | 205 self.db.tx_Source = 'web' |
| 206 | |
| 207 self.db.issue.addprop(tx_Source=hyperdb.String()) | |
| 208 self.db.msg.addprop(tx_Source=hyperdb.String()) | |
| 209 self.db.post_init() | |
| 210 | |
|
4437
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
211 self.server = RoundupInstance(self.db, self.instance.actions, None) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
212 |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
213 # Filter on keyword works for role 'Project': |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
214 r = self.server.filter('issue', None, keyw) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
215 self.assertEqual(r, ['2', '3']) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
216 # Filter on status works for all: |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
217 r = self.server.filter('issue', None, stat) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
218 self.assertEqual(r, ['1', '2']) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
219 # Sorting and grouping for class Project works: |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
220 r = self.server.filter('issue', None, {}, sort=keysort) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
221 self.assertEqual(r, ['2', '3', '1']) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
222 r = self.server.filter('issue', None, {}, group=keygroup) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
223 self.assertEqual(r, ['2', '3', '1']) |
|
261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4241
diff
changeset
|
224 |
|
4793
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
225 def testMulticall(self): |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
226 translator = TranslationService.get_translation( |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
227 language=self.instance.config["TRACKER_LANGUAGE"], |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
228 tracker_home=self.instance.config["TRACKER_HOME"]) |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
229 self.server = RoundupDispatcher(self.db, self.instance.actions, |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
230 translator, allow_none = True) |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
231 class S: |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
232 multicall=self.server.funcs['system.multicall'] |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
233 self.server.system = S() |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
234 self.db.issue.create(title='i1') |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
235 self.db.issue.create(title='i2') |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
236 m = MultiCall(self.server) |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
237 m.display('issue1') |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
238 m.display('issue2') |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
239 result = m() |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
240 results = [ |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
241 {'files': [], 'status': '1', 'tx_Source': 'web', |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
242 'keyword': [], 'title': 'i1', 'nosy': [], 'messages': [], |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
243 'priority': None, 'assignedto': None, 'superseder': []}, |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
244 {'files': [], 'status': '1', 'tx_Source': 'web', |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
245 'keyword': [], 'title': 'i2', 'nosy': [], 'messages': [], |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
246 'priority': None, 'assignedto': None, 'superseder': []}] |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
247 for n, r in enumerate(result): |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
248 self.assertEqual(r, results[n]) |
|
d9e5539303bd
Implement XMLRPC MultiCall (including test), see
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4781
diff
changeset
|
249 |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
250 def test_suite(): |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
251 suite = unittest.TestSuite() |
|
3973
85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]
Richard Jones <richard@users.sourceforge.net>
parents:
3937
diff
changeset
|
252 for l in list_backends(): |
|
85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]
Richard Jones <richard@users.sourceforge.net>
parents:
3937
diff
changeset
|
253 dct = dict(backend = l) |
|
85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]
Richard Jones <richard@users.sourceforge.net>
parents:
3937
diff
changeset
|
254 subcls = type(TestCase)('TestCase_%s'%l, (TestCase,), dct) |
|
85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]
Richard Jones <richard@users.sourceforge.net>
parents:
3937
diff
changeset
|
255 suite.addTest(unittest.makeSuite(subcls)) |
|
3828
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
256 return suite |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
257 |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
258 if __name__ == '__main__': |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
259 runner = unittest.TextTestRunner() |
|
ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.
Stefan Seefeld <stefan@seefeld.name>
parents:
diff
changeset
|
260 unittest.main(testRunner=runner) |