X-Git-Url: https://git.tokkee.org/?a=blobdiff_plain;f=test%2Ftest_cgi.py;h=91878e9427582e539a544b9f79dd5bd2fd75e988;hb=bdcb21234cae9e506c37cbe90bc52803d5cc7c4e;hp=5929f5b323c470683918d34ad32c3cf7f00a2da9;hpb=ac6d696f4e811655f68b3a5e869da9c4c62251c5;p=roundup.git diff --git a/test/test_cgi.py b/test/test_cgi.py index 5929f5b..91878e9 100644 --- a/test/test_cgi.py +++ b/test/test_cgi.py @@ -10,14 +10,16 @@ # # $Id: test_cgi.py,v 1.36 2008-08-07 06:12:57 richard Exp $ -import unittest, os, shutil, errno, sys, difflib, cgi, re +import unittest, os, shutil, errno, sys, difflib, cgi, re, StringIO from roundup.cgi import client, actions, exceptions from roundup.cgi.exceptions import FormError -from roundup.cgi.templating import HTMLItem +from roundup.cgi.templating import HTMLItem, HTMLRequest from roundup.cgi.form_parser import FormParser from roundup import init, instance, password, hyperdb, date +from mocknull import MockNull + import db_test_base NEEDS_INSTANCE = 1 @@ -85,8 +87,8 @@ class FormTestCase(unittest.TestCase): re.VERBOSE) def parseForm(self, form, classname='test', nodeid=None): - cl = client.Client(self.instance, None, {'PATH_INFO':'/'}, - makeForm(form)) + cl = client.Client(self.instance, None, {'PATH_INFO':'/', + 'REQUEST_METHOD':'POST'}, makeForm(form)) cl.classname = classname cl.nodeid = nodeid cl.language = ('en',) @@ -614,14 +616,18 @@ class FormTestCase(unittest.TestCase): # SECURITY # # XXX test all default permissions - def _make_client(self, form, classname='user', nodeid='2', userid='2'): - cl = client.Client(self.instance, None, {'PATH_INFO':'/'}, - makeForm(form)) - cl.classname = 'user' - cl.nodeid = '1' + def _make_client(self, form, classname='user', nodeid='1', + userid='2', template='item'): + cl = client.Client(self.instance, None, {'PATH_INFO':'/', + 'REQUEST_METHOD':'POST'}, makeForm(form)) + cl.classname = classname + if nodeid is not None: + cl.nodeid = nodeid cl.db = self.db - cl.userid = '2' + cl.userid = userid cl.language = ('en',) + cl.error_message = [] + cl.template = template return cl def testClassPermission(self): @@ -634,7 +640,8 @@ class FormTestCase(unittest.TestCase): def testCheckAndPropertyPermission(self): self.db.security.permissions = {} - def own_record(db, userid, itemid): return userid == itemid + def own_record(db, userid, itemid): + return userid == itemid p = self.db.security.addPermission(name='Edit', klass='user', check=own_record, properties=("password", )) self.db.security.addPermissionToRole('User', p) @@ -642,10 +649,238 @@ class FormTestCase(unittest.TestCase): cl = self._make_client(dict(username='bob')) self.assertRaises(exceptions.Unauthorised, actions.EditItemAction(cl).handle) + cl = self._make_client(dict(roles='User,Admin'), userid='4', nodeid='4') + self.assertRaises(exceptions.Unauthorised, + actions.EditItemAction(cl).handle) + cl = self._make_client(dict(roles='User,Admin'), userid='4') + self.assertRaises(exceptions.Unauthorised, + actions.EditItemAction(cl).handle) + cl = self._make_client(dict(roles='User,Admin')) + self.assertRaises(exceptions.Unauthorised, + actions.EditItemAction(cl).handle) + # working example, mary may change her pw + cl = self._make_client({'password':'ob', '@confirm@password':'ob'}, + nodeid='4', userid='4') + self.assertRaises(exceptions.Redirect, + actions.EditItemAction(cl).handle) cl = self._make_client({'password':'bob', '@confirm@password':'bob'}) self.failUnlessRaises(exceptions.Unauthorised, actions.EditItemAction(cl).handle) + def testCreatePermission(self): + # this checks if we properly differentiate between create and + # edit permissions + self.db.security.permissions = {} + self.db.security.addRole(name='UserAdd') + # Don't allow roles + p = self.db.security.addPermission(name='Create', klass='user', + properties=("username", "password", "address", + "alternate_address", "realname", "phone", "organisation", + "timezone")) + self.db.security.addPermissionToRole('UserAdd', p) + # Don't allow roles *and* don't allow username + p = self.db.security.addPermission(name='Edit', klass='user', + properties=("password", "address", "alternate_address", + "realname", "phone", "organisation", "timezone")) + self.db.security.addPermissionToRole('UserAdd', p) + self.db.user.set('4', roles='UserAdd') + + # anonymous may not + cl = self._make_client({'username':'new_user', 'password':'secret', + '@confirm@password':'secret', 'address':'new_user@bork.bork', + 'roles':'Admin'}, nodeid=None, userid='2') + self.assertRaises(exceptions.Unauthorised, + actions.NewItemAction(cl).handle) + # Don't allow creating new user with roles + cl = self._make_client({'username':'new_user', 'password':'secret', + '@confirm@password':'secret', 'address':'new_user@bork.bork', + 'roles':'Admin'}, nodeid=None, userid='4') + self.assertRaises(exceptions.Unauthorised, + actions.NewItemAction(cl).handle) + self.assertEqual(cl.error_message,[]) + # this should work + cl = self._make_client({'username':'new_user', 'password':'secret', + '@confirm@password':'secret', 'address':'new_user@bork.bork'}, + nodeid=None, userid='4') + self.assertRaises(exceptions.Redirect, + actions.NewItemAction(cl).handle) + self.assertEqual(cl.error_message,[]) + # don't allow changing (my own) username (in this example) + cl = self._make_client(dict(username='new_user42'), userid='4') + self.assertRaises(exceptions.Unauthorised, + actions.EditItemAction(cl).handle) + cl = self._make_client(dict(username='new_user42'), userid='4', + nodeid='4') + self.assertRaises(exceptions.Unauthorised, + actions.EditItemAction(cl).handle) + # don't allow changing (my own) roles + cl = self._make_client(dict(roles='User,Admin'), userid='4', + nodeid='4') + self.assertRaises(exceptions.Unauthorised, + actions.EditItemAction(cl).handle) + cl = self._make_client(dict(roles='User,Admin'), userid='4') + self.assertRaises(exceptions.Unauthorised, + actions.EditItemAction(cl).handle) + cl = self._make_client(dict(roles='User,Admin')) + self.assertRaises(exceptions.Unauthorised, + actions.EditItemAction(cl).handle) + + def testSearchPermission(self): + # this checks if we properly check for search permissions + self.db.security.permissions = {} + self.db.security.addRole(name='User') + self.db.security.addRole(name='Project') + self.db.security.addPermissionToRole('User', 'Web Access') + self.db.security.addPermissionToRole('Project', 'Web Access') + # Allow viewing department + p = self.db.security.addPermission(name='View', klass='department') + self.db.security.addPermissionToRole('User', p) + # Allow viewing interesting things (but not department) on iss + # But users might only view issues where they are on nosy + # (so in the real world the check method would be better) + p = self.db.security.addPermission(name='View', klass='iss', + properties=("title", "status"), check=lambda x,y,z: True) + self.db.security.addPermissionToRole('User', p) + # Allow role "Project" access to whole iss + p = self.db.security.addPermission(name='View', klass='iss') + self.db.security.addPermissionToRole('Project', p) + + department = self.instance.backend.Class(self.db, "department", + name=hyperdb.String()) + status = self.instance.backend.Class(self.db, "stat", + name=hyperdb.String()) + issue = self.instance.backend.Class(self.db, "iss", + title=hyperdb.String(), status=hyperdb.Link('stat'), + department=hyperdb.Link('department')) + + d1 = department.create(name='d1') + d2 = department.create(name='d2') + open = status.create(name='open') + closed = status.create(name='closed') + issue.create(title='i1', status=open, department=d2) + issue.create(title='i2', status=open, department=d1) + issue.create(title='i2', status=closed, department=d1) + + chef = self.db.user.lookup('Chef') + mary = self.db.user.lookup('mary') + self.db.user.set(chef, roles = 'User, Project') + + perm = self.db.security.hasPermission + search = self.db.security.hasSearchPermission + self.assert_(perm('View', chef, 'iss', 'department', '1')) + self.assert_(perm('View', chef, 'iss', 'department', '2')) + self.assert_(perm('View', chef, 'iss', 'department', '3')) + self.assert_(search(chef, 'iss', 'department')) + + self.assert_(not perm('View', mary, 'iss', 'department')) + self.assert_(perm('View', mary, 'iss', 'status')) + # Conditionally allow view of whole iss (check is False here, + # this might check for department owner in the real world) + p = self.db.security.addPermission(name='View', klass='iss', + check=lambda x,y,z: False) + self.db.security.addPermissionToRole('User', p) + self.assert_(perm('View', mary, 'iss', 'department')) + self.assert_(not perm('View', mary, 'iss', 'department', '1')) + self.assert_(not search(mary, 'iss', 'department')) + + self.assert_(perm('View', mary, 'iss', 'status')) + self.assert_(not search(mary, 'iss', 'status')) + # Allow user to search for iss.status + p = self.db.security.addPermission(name='Search', klass='iss', + properties=("status",)) + self.db.security.addPermissionToRole('User', p) + self.assert_(search(mary, 'iss', 'status')) + + dep = {'@action':'search','columns':'id','@filter':'department', + 'department':'1'} + stat = {'@action':'search','columns':'id','@filter':'status', + 'status':'1'} + depsort = {'@action':'search','columns':'id','@sort':'department'} + depgrp = {'@action':'search','columns':'id','@group':'department'} + + # Filter on department ignored for role 'User': + cl = self._make_client(dep, classname='iss', nodeid=None, userid=mary, + template='index') + h = HTMLRequest(cl) + self.assertEqual([x.id for x in h.batch()],['1', '2', '3']) + # Filter on department works for role 'Project': + cl = self._make_client(dep, classname='iss', nodeid=None, userid=chef, + template='index') + h = HTMLRequest(cl) + self.assertEqual([x.id for x in h.batch()],['2', '3']) + # Filter on status works for all: + cl = self._make_client(stat, classname='iss', nodeid=None, userid=mary, + template='index') + h = HTMLRequest(cl) + self.assertEqual([x.id for x in h.batch()],['1', '2']) + cl = self._make_client(stat, classname='iss', nodeid=None, userid=chef, + template='index') + h = HTMLRequest(cl) + self.assertEqual([x.id for x in h.batch()],['1', '2']) + # Sorting and grouping for class Project works: + cl = self._make_client(depsort, classname='iss', nodeid=None, + userid=chef, template='index') + h = HTMLRequest(cl) + self.assertEqual([x.id for x in h.batch()],['2', '3', '1']) + cl = self._make_client(depgrp, classname='iss', nodeid=None, + userid=chef, template='index') + h = HTMLRequest(cl) + self.assertEqual([x.id for x in h.batch()],['2', '3', '1']) + # Sorting and grouping for class User fails: + cl = self._make_client(depsort, classname='iss', nodeid=None, + userid=mary, template='index') + h = HTMLRequest(cl) + self.assertEqual([x.id for x in h.batch()],['1', '2', '3']) + cl = self._make_client(depgrp, classname='iss', nodeid=None, + userid=mary, template='index') + h = HTMLRequest(cl) + self.assertEqual([x.id for x in h.batch()],['1', '2', '3']) + + def testRoles(self): + cl = self._make_client({}) + self.db.user.set('1', roles='aDmin, uSer') + item = HTMLItem(cl, 'user', '1') + self.assert_(item.hasRole('Admin')) + self.assert_(item.hasRole('User')) + self.assert_(item.hasRole('AdmiN')) + self.assert_(item.hasRole('UseR')) + self.assert_(item.hasRole('UseR','Admin')) + self.assert_(item.hasRole('UseR','somethingelse')) + self.assert_(item.hasRole('somethingelse','Admin')) + self.assert_(not item.hasRole('userr')) + self.assert_(not item.hasRole('adminn')) + self.assert_(not item.hasRole('')) + self.assert_(not item.hasRole(' ')) + self.db.user.set('1', roles='') + self.assert_(not item.hasRole('')) + + def testCSVExport(self): + cl = self._make_client({'@columns': 'id,name'}, nodeid=None, + userid='1') + cl.classname = 'status' + output = StringIO.StringIO() + cl.request = MockNull() + cl.request.wfile = output + actions.ExportCSVAction(cl).handle() + self.assertEquals('id,name\r\n1,unread\r\n2,deferred\r\n3,chatting\r\n' + '4,need-eg\r\n5,in-progress\r\n6,testing\r\n7,done-cbb\r\n' + '8,resolved\r\n', + output.getvalue()) + + def testCSVExportFailPermission(self): + cl = self._make_client({'@columns': 'id,email,password'}, nodeid=None, + userid='2') + cl.classname = 'user' + output = StringIO.StringIO() + cl.request = MockNull() + cl.request.wfile = output + self.assertRaises(exceptions.Unauthorised, + actions.ExportCSVAction(cl).handle) + + +def test_suite(): + suite = unittest.TestSuite() + def test_suite(): suite = unittest.TestSuite() suite.addTest(unittest.makeSuite(FormTestCase))