Author: matevz
Date: Thu Apr  4 07:43:31 2013
New Revision: 1464333

URL: http://svn.apache.org/r1464333
Log:
#438 - Implement and enforce product permission policy, applied patches 
t438_r1463560_product_perm_tracadmin_all.diff and 
t438_r1463560_newproduct_perm.diff (from Olemis)

Modified:
    bloodhound/trunk/bloodhound_multiproduct/multiproduct/perm.py
    bloodhound/trunk/bloodhound_multiproduct/tests/perm.py

Modified: bloodhound/trunk/bloodhound_multiproduct/multiproduct/perm.py
URL: 
http://svn.apache.org/viewvc/bloodhound/trunk/bloodhound_multiproduct/multiproduct/perm.py?rev=1464333&r1=1464332&r2=1464333&view=diff
==============================================================================
--- bloodhound/trunk/bloodhound_multiproduct/multiproduct/perm.py (original)
+++ bloodhound/trunk/bloodhound_multiproduct/multiproduct/perm.py Thu Apr  4 
07:43:31 2013
@@ -40,11 +40,10 @@ class MultiproductPermissionPolicy(Compo
         from multiproduct.env import ProductEnvironment
 
         if isinstance(self.env, ProductEnvironment):
-            if action == 'TRAC_ADMIN':
-                # Always lookup TRAC_ADMIN permission in global scope
-                permsys = PermissionSystem(self.env.parent)
-                return bool(permsys.check_permission(action, username, 
-                                                resource, perm))
+            permsys = PermissionSystem(self.env.parent)
+            if permsys.check_permission('TRAC_ADMIN', username):
+                return action in PermissionSystem(self.env).get_actions() \
+                        or None     # FIXME: maybe False is better
             elif username == self.env.product.owner:
                 # Product owner granted with PRODUCT_ADMIN permission ootb
                 permsys = PermissionSystem(self.env)

Modified: bloodhound/trunk/bloodhound_multiproduct/tests/perm.py
URL: 
http://svn.apache.org/viewvc/bloodhound/trunk/bloodhound_multiproduct/tests/perm.py?rev=1464333&r1=1464332&r2=1464333&view=diff
==============================================================================
--- bloodhound/trunk/bloodhound_multiproduct/tests/perm.py (original)
+++ bloodhound/trunk/bloodhound_multiproduct/tests/perm.py Thu Apr  4 07:43:31 
2013
@@ -29,6 +29,7 @@ from trac.tests.perm import DefaultPermi
         PermissionPolicyTestCase, TestPermissionPolicy, TestPermissionRequestor
 
 from multiproduct.env import ProductEnvironment
+from multiproduct.model import Product
 from multiproduct.perm import MultiproductPermissionPolicy, sudo
 from tests.env import MultiproductTestCase
 
@@ -295,6 +296,34 @@ class ProductPermissionPolicyTestCase(Pe
         self.global_perm_admin._do_add('testuser', 'TRAC_ADMIN')
         self.assertTrue(self.perm.has_permission('TRAC_ADMIN'))
 
+    def test_product_trac_admin_actions(self):
+        """Allow all actions in product scope for TRAC_ADMIN
+        """
+        self.global_perm_admin._do_add('testuser', 'TRAC_ADMIN')
+
+        all_actions = self.permsys.get_actions()
+        self.assertEquals(['TEST_CREATE', 'EMAIL_VIEW', 'TRAC_ADMIN',
+                           'TEST_DELETE', 'TEST_MODIFY', 'PRODUCT_ADMIN',
+                           'TEST_ADMIN'], all_actions)
+        self.assertEquals({}, self.permsys.get_user_permissions('testuser'))
+        for action in all_actions:
+            self.assertTrue(self.perm.has_permission(action),
+                            'Check for permission action %s' % (action,))
+        self.assertFalse(self.perm.has_permission('UNKNOWN_PERM'))
+
+        # Clear permissions cache and retry 
+        self.perm._cache.clear()
+        self.global_perm_admin._do_remove('testuser', 'TRAC_ADMIN')
+
+        all_actions = self.permsys.get_actions()
+        self.assertEquals(['TEST_CREATE', 'EMAIL_VIEW', 'TRAC_ADMIN',
+                           'TEST_DELETE', 'TEST_MODIFY', 'PRODUCT_ADMIN',
+                           'TEST_ADMIN'], all_actions)
+        self.assertEquals({}, self.permsys.get_user_permissions('testuser'))
+        for action in all_actions:
+            self.assertFalse(self.perm.has_permission(action),
+                            'Check for permission action %s' % (action,))
+
     def test_product_trac_admin_fail_local(self):
         """TRAC_ADMIN granted in product env will be ignored
         """
@@ -334,6 +363,44 @@ class ProductPermissionPolicyTestCase(Pe
         self.assertTrue(self.perm.has_permission('PRODUCT_ADMIN'))
         self.assertFalse(self.perm.has_permission('TRAC_ADMIN'))
 
+    def test_new_product_perm(self):
+        """Only product owner and TRAC_ADMIN will access new product
+        """
+        newproduct = Product(self.global_env)
+        newproduct.prefix = 'NEW'
+        newproduct.name = 'New product'
+        newproduct.owner = 'owneruser'
+        newproduct.insert()
+
+        env = ProductEnvironment(self.global_env, newproduct)
+        self.global_perm_admin._do_add('adminuser', 'TRAC_ADMIN')
+        admin_perm = perm.PermissionCache(env, 'adminuser')
+        owner_perm = perm.PermissionCache(env, 'owneruser')
+        user_perm = perm.PermissionCache(env, 'testuser')
+        global_permsys = perm.PermissionSystem(self.global_env)
+        permsys = perm.PermissionSystem(env)
+
+        self.assertEquals({'EMAIL_VIEW': True, 'TEST_ADMIN': True,
+                           'TEST_CREATE': True, 'TEST_DELETE': True,
+                           'TEST_MODIFY': True, 'TRAC_ADMIN' : True},
+                          global_permsys.get_user_permissions('adminuser'))
+        self.assertEquals({}, global_permsys.get_user_permissions('owneruser'))
+        self.assertEquals({}, global_permsys.get_user_permissions('testuser'))
+        self.assertEquals({}, permsys.get_user_permissions('adminuser'))
+        self.assertEquals({}, permsys.get_user_permissions('owneruser'))
+        self.assertEquals({}, permsys.get_user_permissions('testuser'))
+
+        all_actions = self.permsys.get_actions()
+        all_actions.remove('TRAC_ADMIN')
+        for action in all_actions:
+            self.assertTrue(admin_perm.has_permission(action))
+            self.assertTrue(owner_perm.has_permission(action))
+            self.assertFalse(user_perm.has_permission(action))
+
+        self.assertTrue(admin_perm.has_permission('TRAC_ADMIN'))
+        self.assertFalse(owner_perm.has_permission('TRAC_ADMIN'))
+        self.assertFalse(user_perm.has_permission('TRAC_ADMIN'))
+
 
 def test_suite():
     suite = unittest.TestSuite()


Reply via email to