From 284c495c116933d825c25d4917b779844c7fc091 Mon Sep 17 00:00:00 2001
From: Michael DeHaan
Date: Sat, 23 Mar 2013 15:08:02 -0400
Subject: [PATCH] Added remaining sec tests for adding subobjects to collection.
---
 lib/main/base_views.py | 2 +-
 lib/main/models/__init__.py | 14 ++++++++------
 lib/main/rbac.py | 4 ----
 lib/main/tests.py | 23 ++++++++++++-----------
 4 files changed, 21 insertions(+), 22 deletions(-)
diff --git a/lib/main/base_views.py b/lib/main/base_views.py
index 885ccecfca..e84bd54519 100644
--- a/lib/main/base_views.py
+++ b/lib/main/base_views.py
@@ -54,7 +54,7 @@ class BaseSubList(BaseList):
 relationship = getattr(main, self.__class__.relationship)
 if not 'disassociate' in request.DATA:
- if not request.user.is_superuser or not self.__class__.parent_model.can_user_attach(request.user, main, sub, self.__class__.relationship):
+ if not request.user.is_superuser and not self.__class__.parent_model.can_user_attach(request.user, main, sub, self.__class__.relationship):
 raise PermissionDenied()
 if sub in relationship.all():
 return Response(status=status.HTTP_409_CONFLICT)
diff --git a/lib/main/models/__init__.py b/lib/main/models/__init__.py
index da31c9a5dd..7f9815e5a6 100644
--- a/lib/main/models/__init__.py
+++ b/lib/main/models/__init__.py
@@ -53,15 +53,14 @@ class CommonModel(models.Model):
 ''' whether you can add sub_obj to obj using the relationship type in a subobject view '''
 if relationship in [ 'projects', 'admins', 'users' ]:
 if not sub_obj.can_user_read(user, sub_obj):
- print "DEBUG: can't attach"
 return False
- print "DEBUG: defer"
- return cls.can_user_administrate(user, obj)
+ rc = cls.can_user_administrate(user, obj)
+ return rc
+ raise Exception("unknown relationship type: %s" % relationship)
 @classmethod
 def can_user_unattach(cls, user, obj, sub_obj, relationship):
- print "DEBUG: CUA?"
 return cls.can_user_administrate(user, obj)
 class Tag(models.Model):
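Review bot: The context line `if not 'disassociate' in request.DATA:` directly above the changed condition reads more naturally as `if 'disassociate' not in request.DATA:`, and the changed line itself is long enough that binding the two halves first would help, e.g. `may_attach = self.__class__.parent_model.can_user_attach(request.user, main, sub, self.__class__.relationship)` followed by `if not (request.user.is_superuser or may_attach): raise PermissionDenied()`. Note that with the superuser test first, `can_user_attach` is never evaluated for superusers, so a misconfigured `relationship` class attribute (which the model-side method now rejects with an exception) will only surface for non-superuser callers; the new tests for non-privileged accounts are therefore the ones that would catch it. The enclosing method starts before and ends after this hunk.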
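Review bot: The `raise Exception("unknown relationship type: %s" % relationship)` added at the end of `can_user_attach` uses the bare `Exception` type; since `relationship` is a view class attribute rather than request data, this is a programming/configuration error and a more specific type such as `NotImplementedError` or `ValueError` would let callers tell it apart from a permission outcome. The `rc = cls.can_user_administrate(user, obj)` / `return rc` pair can be collapsed to `return cls.can_user_administrate(user, obj)`, matching the form the commit itself adopts for `can_user_read` in the next hunk. `can_user_unattach` in the same hunk ignores `sub_obj` and `relationship` entirely, which may be intended but deserves a comment such as `# unattaching only requires admin rights on the parent; sub_obj and relationship are unused`. The `def` line of `can_user_attach` is above this hunk.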
@@ -120,13 +119,14 @@ class Organization(CommonModel):
 # FIXME: super user checks should be higher up so we don't have to repeat them
 if user.is_superuser:
 return True
+ if obj.created_by == user:
+ return True
 rc = user in obj.admins.all()
 return rc
 @classmethod
 def can_user_read(cls, user, obj):
- rc = cls.can_user_administrate(user,obj) or user in obj.users.all()
- return rc
+ return cls.can_user_administrate(user,obj) or user in obj.users.all()
 @classmethod
 def can_user_delete(cls, user, obj):
@@ -250,6 +250,8 @@ class Project(CommonModel):
 def can_user_administrate(cls, user, obj):
 if user.is_superuser:
 return True
+ if obj.created_by == user:
+ return True
 organizations = Organization.objects.filter(admins__in = [ user ], projects__in = [ obj ])
 for org in organizations:
 if org in project.organizations():
diff --git a/lib/main/rbac.py b/lib/main/rbac.py
index afba9318fb..2c44badb01 100644
--- a/lib/main/rbac.py
+++ b/lib/main/rbac.py
@@ -13,7 +13,6 @@ class CustomRbac(permissions.BasePermission):
 # no anonymous users
 if request.user.is_anonymous(): # 401, not 403, hence no raised exception
- print "PD4"
 return False
 # superusers are always good
 if request.user.is_superuser:
@@ -31,7 +30,6 @@ class CustomRbac(permissions.BasePermission):
 if request.user.is_superuser:
 return True
 if not view.list_permissions_check(request):
- print "DEBUG: PD1"
 raise PermissionDenied()
 elif not getattr(view, 'item_permissions_check', None):
 raise Exception("internal error, list_permissions_check or item_permissions_check must be defined")
@@ -44,11 +42,9 @@ class CustomRbac(permissions.BasePermission):
 if request.user.is_superuser:
 return True
 if not self._common_user_check(request):
- print "DEBUG: PD2"
 return False
 if not obj.active:
 raise Http404()
 if not view.item_permissions_check(request, obj):
- print "DEBUG: PD3"
 raise PermissionDenied()
 return True
diff --git a/lib/main/tests.py b/lib/main/tests.py
index 1a9ff462ae..93cb50cca1 100644
--- a/lib/main/tests.py
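Review bot: The added `if obj.created_by == user: return True` in `Organization.can_user_administrate` (and the identical addition to `Project.can_user_administrate` in the next hunk) grants an implicit, permanent admin right that is not reflected in `obj.admins`, so removing a user from the admins relation does not revoke their access for as long as they remain `created_by`. If that is the intended model, say so at the check, e.g. `# the creator keeps admin rights regardless of the admins list`; otherwise add the creator to `admins` at creation time and drop this branch so that the admins relation is the single place an auditor has to look. The `def` line of the enclosing method is above this hunk.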
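Review bot: In the context lines following the added creator check, `if org in project.organizations():` references `project`, which does not appear to be bound anywhere in `Project.can_user_administrate` (its parameters are `cls, user, obj`); unless something outside the hunk defines it, a non-superuser who is not the creator but administers a matching organization would hit a NameError here instead of a clean allow/deny. The intent is presumably the `obj` argument, i.e. `if org in obj.organizations():` (and whether `organizations` is a callable or a related manager needing `.all()` should be confirmed against the model), which is exactly the path the new non-privileged-account tests exercise. The loop body continues past the end of the hunk.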
+++ b/lib/main/tests.py
@@ -16,6 +16,7 @@ import django.test
 from django.test.client import Client
 from lib.main.models import *
+
 class BaseTest(django.test.TestCase):
 def make_user(self, username, password, super_user=False):
@@ -29,8 +30,9 @@ class BaseTest(django.test.TestCase):
 def make_organizations(self, created_by, count=1):
 results = []
 for x in range(0, count):
+ self.object_ctr = self.object_ctr + 1
 results.append(Organization.objects.create(
- name="org%s" % x,
+ name="org%s-%s" % (x, self.object_ctr),
 description="org%s" % x,
 created_by=created_by
 ))
@@ -39,8 +41,9 @@ class BaseTest(django.test.TestCase):
 def make_projects(self, created_by, count=1):
 results = []
 for x in range(0, count):
+ self.object_ctr = self.object_ctr + 1
 results.append(Project.objects.create(
- name="proj%s" % x,
+ name="proj%s-%s" % (x, self.object_ctr),
 description="proj%s" % x,
 scm_type='git',
 default_playbook='foo.yml',
@@ -127,6 +130,7 @@ class OrganizationsTest(BaseTest):
 return '/api/v1/organizations/'
 def setUp(self):
+ self.object_ctr = 0
 self.setup_users()
 self.organizations = self.make_organizations(self.super_django_user, 10)
@@ -274,7 +278,7 @@ class OrganizationsTest(BaseTest):
 # find projects attached to the first org
 projects0_url = orgs['results'][0]['related']['projects']
 projects1_url = orgs['results'][1]['related']['projects']
- projects2_url = orgs['results'][1]['related']['projects']
+ projects2_url = orgs['results'][2]['related']['projects']
 # get all the projects on the first org
 projects0 = self.get(projects0_url, expect=200, auth=self.get_super_credentials())
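Review bot: `self.object_ctr = self.object_ctr + 1` is added to `BaseTest.make_organizations` (and to `make_projects` in the next hunk), but the counter is only initialised in `OrganizationsTest.setUp` further down, so any other `BaseTest` subclass that calls these helpers will fail with AttributeError on the first call. Initialise it where the helpers live, e.g. a `BaseTest.setUp` that sets `self.object_ctr = 0` and is invoked via `super()` from subclasses, or read it defensively with `self.object_ctr = getattr(self, 'object_ctr', 0) + 1`. Stylistically, `self.object_ctr += 1` and `range(count)` are the idiomatic forms. Both helper bodies continue past their hunks.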
@@ -301,12 +305,9 @@ class OrganizationsTest(BaseTest):
 self.assertEquals(projects1['count'], 5)
 # FIXME: need to add tests for associating and disassocating from a non-priveledged acct
- print projects1_url
 a_project = projects1['results'][-1]
 a_project['disassociate'] = 1
 projects1 = self.get(projects1_url, expect=200, auth=self.get_super_credentials())
- print "GOT: %s" % projects1
- print "POSTING: %s" % a_project
 self.post(projects1_url, a_project, expect=204, auth=self.get_normal_credentials())
 projects1 = self.get(projects1_url, expect=200, auth=self.get_super_credentials())
 self.assertEquals(projects1['count'], 4)
@@ -314,16 +315,16 @@ class OrganizationsTest(BaseTest):
 new_project_a = self.make_projects(self.normal_django_user, 1)[0]
 new_project_b = self.make_projects(self.other_django_user, 1)[0]
- # admin of org can add projects he can read
- self.post(projects1_url, dict(id=new_project_a['id']), expect=204, auth=self.get_normal_credentials())
+ # admin of org can add projects that he can read
+ self.post(projects1_url, dict(id=new_project_a.pk), expect=204, auth=self.get_normal_credentials())
 # but not those he cannot
- self.post(projects1_url, dict(id=new_project_b['id']), expect=403, auth=self.get_normal_credentials())
+ self.post(projects1_url, dict(id=new_project_b.pk), expect=403, auth=self.get_normal_credentials())
 # and can't post a project he can read to an org he cannot
- self.post(projects2_url, dict(id=new_project_a['id']), expect=403, auth=self.get_normal_credentials())
+ # self.post(projects2_url, dict(id=new_project_a.pk), expect=403, auth=self.get_normal_credentials())
 # and can't do post a project he can read to an organization he cannot
- self.post(projects2_url, dict(id=new_project_a['id']), expect=403, auth=self.get_normal_credentials())
+ self.post(projects2_url, dict(id=new_project_a.pk), expect=403, auth=self.get_normal_credentials())
 def test_post_item_subobjects_users(self):
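Review bot: The negative checks in this hunk only assert the 403 status and never verify that the project was not attached, so a handler that modifies the relation before deciding to deny would still pass. After the two 403 posts, re-read the collection and assert its size is unchanged, e.g. `projects1 = self.get(projects1_url, expect=200, auth=self.get_super_credentials())` followed by `self.assertEquals(projects1['count'], 5)` (5 assumes the count of 4 asserted in the previous hunk plus the successful post of `new_project_a`; confirm against the lines between the hunks). The commented-out `# self.post(projects2_url, ...)` line duplicates the live assertion two lines below it and should be deleted rather than left as dead code. The test method starts before this hunk.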