changeset 8135:aa5ae3f84889 permission-performance
Test new filter function in security checks
And add bug-fix after moving filter_with_permissions to hyperdb.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Wed, 23 Oct 2024 16:29:43 +0200 |
| parents | 132d450bdc00 |
| children | 5a2b9435a04d |
| files | roundup/hyperdb.py test/db_test_base.py |
| diffstat | 2 files changed, 76 insertions(+), 2 deletions(-) [+] |
--- a/roundup/hyperdb.py Wed Oct 23 14:59:22 2024 +0200
+++ b/roundup/hyperdb.py Wed Oct 23 16:29:43 2024 +0200
@@ -1828,10 +1828,10 @@
 new_ids = set(item_ids)
 confirmed = set()
 for perm in sec.filter_iter(permission, userid, cn):
- fargs = perm.filter(self._client.db, userid, klass)
+ fargs = perm.filter(self.db, userid, self)
 for farg in fargs:
 farg.update(sort=[], group=[], retired=None)
- result = klass.filter(list(new_ids), **farg)
+ result = self.filter(list(new_ids), **farg)
 new_ids.difference_update(result)
 confirmed.update(result)
 # all allowed?
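Review bot: Every id returned by `self.filter(list(new_ids), **farg)` is added to `confirmed` with no per-item check in the visible lines, so a permission whose `filter` callback matches more than its `check` would allow presumably widens what the user can see, and that contract is not stated here. I would add a comment above the `for farg in fargs:` loop, e.g. `# ids matched by perm.filter() are accepted without calling perm.check(); the filter must never match more than check allows`. The loop also calls `farg.update(...)` on the dicts the callback returned, so a callback that hands back a shared or cached dict gets it mutated; `farg = dict(farg, sort=[], group=[], retired=None)` avoids that. The enclosing method starts and ends outside the hunk, so how the ids left in `new_ids` are decided is not visible.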
--- a/test/db_test_base.py Wed Oct 23 14:59:22 2024 +0200
+++ b/test/db_test_base.py Wed Oct 23 16:29:43 2024 +0200
@@ -2959,6 +2959,80 @@ ae(filt(None, {'title': ['one', 'two']}, ('+','id'), retired=retire), r[retire][4]) + def setupQuery(self): + self.filteringSetup() + self.db.user.set('3', roles='User') + self.db.user.set('4', roles='User') + self.db.user.set('5', roles='User') + self.db.commit() + self.db.close() + self.open_database('bleep') + setupSchema(self.db, 0, self.module) + cls = self.module.Class + query = cls(self.db, "query", klass=String(), name=String(), + private_for=Link("user")) + self.db.post_init() + # Allow searching query + sec = self.db.security + p = sec.addPermission(name='Search', klass='query') + sec.addPermissionToRole('User', p) + # Queries user3 + default = dict(klass='issue', private_for='3') + self.db.query.create(name='c5', **default) + self.db.query.create(name='c4', **default) + self.db.query.create(name='b4', **default) + self.db.query.create(name='b3', **default) + # public queries + d = dict(default,private_for=None) + self.db.query.create(name='a1', **d) + self.db.query.create(name='a2', **d) + # Queries user5 + d = dict(default,private_for='5') + self.db.query.create(name='other_user1', **d) + self.db.query.create(name='other_user2', **d) + + def view_query(db, userid, itemid): + q = db.query.getnode(itemid) + if q.private_for is None: + return True + if q.private_for == userid: + return True + return False + + return view_query + + def testFilteringWithoutPermissionCheck(self): + view_query = self.setupQuery() + filt = self.db.query.filter + r = filt(None, {}, sort=[('+', 'name')]) + # Gets all queries + self.assertEqual(r, ['5', '6', '4', '3', '2', '1', '7', '8']) + + def testFilteringWithPermissionNoFilterFunction(self): + view_query = self.setupQuery() + perm = self.db.security.addPermission + p = perm(name='View', klass='query', check=view_query) + self.db.security.addPermissionToRole("User", p) + filt = self.db.query.filter_with_permissions + + r = filt(None, {}, sort=[('+', 'name')]) + # User may see own and public queries + 
self.assertEqual(r, ['5', '6', '4', '3', '2', '1']) + + def testFilteringWithPermissionFilterFunction(self): + view_query = self.setupQuery() + + def filter(db, userid, klass): + return [dict(filterspec = dict(private_for=['-1', userid]))] + perm = self.db.security.addPermission + p = perm(name='View', klass='query', check=view_query, filter=filter) + self.db.security.addPermissionToRole("User", p) + filt = self.db.query.filter_with_permissions + + r = filt(None, {}, sort=[('+', 'name')]) + # User may see own and public queries + self.assertEqual(r, ['5', '6', '4', '3', '2', '1']) + # XXX add sorting tests for other types # nuke and re-create db for restore
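Review bot: testFilteringWithPermissionFilterFunction asserts the same list as testFilteringWithPermissionNoFilterFunction while registering both `check=view_query` and `filter=filter`, so it passes whether or not the filter callback is ever consulted. Recording the call would pin the new code path: `calls = []` before the nested function, `calls.append(userid)` inside it, and `self.assertTrue(calls)` after the final assertEqual. A further case where the filter returns a spec that matches none of the user's rows would show that ids the filter does not confirm are still decided by `check`, which is presumably the fallback but is not visible in this hunk. Separately, the nested function is named `filter` and shadows the builtin, and `view_query` is assigned but unused in testFilteringWithoutPermissionCheck.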
