[tokkee]

tokkee.org

Code

projects / roundup.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
use idea from Eli Collins to use a list of deprecated password
[roundup.git] / test / test_cgi.py
diff --git a/test/test_cgi.py b/test/test_cgi.py
index 92e0a58793a637c232ad1410e764be14aefde5bc..2d63ed4c26df63cb442ecfdcc4dbd933ad219981 100644 (file)
--- a/test/test_cgi.py
+++ b/test/test_cgi.py
@@ -8,13 +8,22 @@
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 #
-# $Id: test_cgi.py,v 1.16 2003-05-09 01:47:50 richard Exp $
+# $Id: test_cgi.py,v 1.36 2008-08-07 06:12:57 richard Exp $
 
-import unittest, os, shutil, errno, sys, difflib, cgi, re
+import unittest, os, shutil, errno, sys, difflib, cgi, re, StringIO
 
-from roundup.cgi import client
+from roundup.cgi import client, actions, exceptions
+from roundup.cgi.exceptions import FormError
+from roundup.cgi.templating import HTMLItem, HTMLRequest
+from roundup.cgi.form_parser import FormParser
 from roundup import init, instance, password, hyperdb, date
 
+from mocknull import MockNull
+
+import db_test_base
+
+NEEDS_INSTANCE = 1
+
 class FileUpload:
     def __init__(self, content, filename):
         self.content = content
@@ -33,48 +42,58 @@ def makeForm(args):
             form.list.append(cgi.MiniFieldStorage(k, v))
     return form
 
-class config:
-    TRACKER_NAME = 'testing testing'
-    TRACKER_WEB = 'http://testing.testing/'
+cm = client.clean_message
+class MessageTestCase(unittest.TestCase):
+    def testCleanMessageOK(self):
+        self.assertEqual(cm('<br>x<br />'), '<br>x<br />')
+        self.assertEqual(cm('<i>x</i>'), '<i>x</i>')
+        self.assertEqual(cm('<b>x</b>'), '<b>x</b>')
+        self.assertEqual(cm('<a href="y">x</a>'),
+            '<a href="y">x</a>')
+        self.assertEqual(cm('<BR>x<BR />'), '<BR>x<BR />')
+        self.assertEqual(cm('<I>x</I>'), '<I>x</I>')
+        self.assertEqual(cm('<B>x</B>'), '<B>x</B>')
+        self.assertEqual(cm('<A HREF="y">x</A>'),
+            '<A HREF="y">x</A>')
+
+    def testCleanMessageBAD(self):
+        self.assertEqual(cm('<script>x</script>'),
+            '&lt;script&gt;x&lt;/script&gt;')
+        self.assertEqual(cm('<iframe>x</iframe>'),
+            '&lt;iframe&gt;x&lt;/iframe&gt;')
 
 class FormTestCase(unittest.TestCase):
     def setUp(self):
         self.dirname = '_test_cgi_form'
-        try:
-            shutil.rmtree(self.dirname)
-        except OSError, error:
-            if error.errno not in (errno.ENOENT, errno.ESRCH): raise
-        # create the instance
-        init.install(self.dirname, 'templates/classic')
-        init.write_select_db(self.dirname, 'anydbm')
-        init.initialise(self.dirname, 'sekrit')
-        # check we can load the package
-        self.instance = instance.open(self.dirname)
-        # and open the database
+        # set up and open a tracker
+        self.instance = db_test_base.setupTracker(self.dirname)
+
+        # open the database
         self.db = self.instance.open('admin')
         self.db.user.create(username='Chef', address='chef@bork.bork.bork',
             realname='Bork, Chef', roles='User')
-        self.db.user.create(username='mary', address='mary@test',
+        self.db.user.create(username='mary', address='mary@test.test',
             roles='User', realname='Contrary, Mary')
 
-        test = self.instance.dbinit.Class(self.db, "test",
+        test = self.instance.backend.Class(self.db, "test",
             string=hyperdb.String(), number=hyperdb.Number(),
             boolean=hyperdb.Boolean(), link=hyperdb.Link('test'),
             multilink=hyperdb.Multilink('test'), date=hyperdb.Date(),
-            interval=hyperdb.Interval())
+            messages=hyperdb.Multilink('msg'), interval=hyperdb.Interval())
 
         # compile the labels re
         classes = '|'.join(self.db.classes.keys())
-        self.FV_SPECIAL = re.compile(client.Client.FV_LABELS%classes,
+        self.FV_SPECIAL = re.compile(FormParser.FV_LABELS%classes,
             re.VERBOSE)
 
     def parseForm(self, form, classname='test', nodeid=None):
-        cl = client.Client(self.instance, None, {'PATH_INFO':'/'},
-            makeForm(form))
+        cl = client.Client(self.instance, None, {'PATH_INFO':'/',
+            'REQUEST_METHOD':'POST'}, makeForm(form))
         cl.classname = classname
         cl.nodeid = nodeid
+        cl.language = ('en',)
         cl.db = self.db
-        return cl.parsePropsFromForm()
+        return cl.parsePropsFromForm(create=1)
 
     def tearDown(self):
         self.db.close()
@@ -128,21 +147,25 @@ class FormTestCase(unittest.TestCase):
         self.assertEqual(self.parseForm({}), ({('test', None): {}}, []))
 
     def testNothingWithRequired(self):
-        self.assertRaises(ValueError, self.parseForm, {':required': 'string'})
-        self.assertRaises(ValueError, self.parseForm,
+        self.assertRaises(FormError, self.parseForm, {':required': 'string'})
+        self.assertRaises(FormError, self.parseForm,
             {':required': 'title,status', 'status':'1'}, 'issue')
-        self.assertRaises(ValueError, self.parseForm,
+        self.assertRaises(FormError, self.parseForm,
             {':required': ['title','status'], 'status':'1'}, 'issue')
-        self.assertRaises(ValueError, self.parseForm,
+        self.assertRaises(FormError, self.parseForm,
             {':required': 'status', 'status':''}, 'issue')
-        self.assertRaises(ValueError, self.parseForm,
+        self.assertRaises(FormError, self.parseForm,
             {':required': 'nosy', 'nosy':''}, 'issue')
+        self.assertRaises(FormError, self.parseForm,
+            {':required': 'msg-1@content', 'msg-1@content':''}, 'issue')
+        self.assertRaises(FormError, self.parseForm,
+            {':required': 'msg-1@content'}, 'issue')
 
     #
     # Nonexistant edit
     #
     def testEditNonexistant(self):
-        self.assertRaises(IndexError, self.parseForm, {'boolean': ''},
+        self.assertRaises(FormError, self.parseForm, {'boolean': ''},
             'test', '1')
 
     #
@@ -153,7 +176,7 @@ class FormTestCase(unittest.TestCase):
             ({('test', None): {}}, []))
         self.assertEqual(self.parseForm({'string': ' '}),
             ({('test', None): {}}, []))
-        self.assertRaises(ValueError, self.parseForm, {'string': ['', '']})
+        self.assertRaises(FormError, self.parseForm, {'string': ['', '']})
 
     def testSetString(self):
         self.assertEqual(self.parseForm({'string': 'foo'}),
@@ -172,12 +195,57 @@ class FormTestCase(unittest.TestCase):
         self.assertEqual(self.parseForm({'title': ' '}, 'issue', nodeid),
             ({('issue', nodeid): {'title': None}}, []))
 
+    def testStringLinkId(self):
+        self.db.status.set('1', name='2')
+        self.db.status.set('2', name='1')
+        issue = self.db.issue.create(title='i1-status1', status='1')
+        self.assertEqual(self.db.issue.get(issue,'status'),'1')
+        self.assertEqual(self.db.status.lookup('1'),'2')
+        self.assertEqual(self.db.status.lookup('2'),'1')
+        form = cgi.FieldStorage()
+        cl = client.Client(self.instance, None, {'PATH_INFO':'/'}, form)
+        cl.classname = 'issue'
+        cl.nodeid = issue
+        cl.db = self.db
+        cl.language = ('en',)
+        item = HTMLItem(cl, 'issue', issue)
+        self.assertEqual(item.status.id, '1')
+        self.assertEqual(item.status.name, '2')
+
+    def testStringMultilinkId(self):
+        id = self.db.keyword.create(name='2')
+        self.assertEqual(id,'1')
+        id = self.db.keyword.create(name='1')
+        self.assertEqual(id,'2')
+        issue = self.db.issue.create(title='i1-status1', keyword=['1'])
+        self.assertEqual(self.db.issue.get(issue,'keyword'),['1'])
+        self.assertEqual(self.db.keyword.lookup('1'),'2')
+        self.assertEqual(self.db.keyword.lookup('2'),'1')
+        form = cgi.FieldStorage()
+        cl = client.Client(self.instance, None, {'PATH_INFO':'/'}, form)
+        cl.classname = 'issue'
+        cl.nodeid = issue
+        cl.db = self.db
+        cl.language = ('en',)
+        cl.userid = '1'
+        item = HTMLItem(cl, 'issue', issue)
+        for keyword in item.keyword:
+            self.assertEqual(keyword.id, '1')
+            self.assertEqual(keyword.name, '2')
+
     def testFileUpload(self):
         file = FileUpload('foo', 'foo.txt')
         self.assertEqual(self.parseForm({'content': file}, 'file'),
             ({('file', None): {'content': 'foo', 'name': 'foo.txt',
             'type': 'text/plain'}}, []))
 
+    def testEditFileClassAttributes(self):
+        self.assertEqual(self.parseForm({'name': 'foo.txt',
+                                         'type': 'application/octet-stream'},
+                                        'file'),
+                         ({('file', None): {'name': 'foo.txt',
+                                            'type': 'application/octet-stream'}},[]))
+
     #
     # Link
     #
@@ -186,7 +254,7 @@ class FormTestCase(unittest.TestCase):
             ({('test', None): {}}, []))
         self.assertEqual(self.parseForm({'link': ' '}),
             ({('test', None): {}}, []))
-        self.assertRaises(ValueError, self.parseForm, {'link': ['', '']})
+        self.assertRaises(FormError, self.parseForm, {'link': ['', '']})
         self.assertEqual(self.parseForm({'link': '-1'}),
             ({('test', None): {}}, []))
 
@@ -208,8 +276,8 @@ class FormTestCase(unittest.TestCase):
 # XXX This is not the current behaviour - should we enforce this?
 #        self.assertRaises(IndexError, self.parseForm,
 #            {'status': '4'}))
-        self.assertRaises(ValueError, self.parseForm, {'link': 'frozzle'})
-        self.assertRaises(ValueError, self.parseForm, {'status': 'frozzle'},
+        self.assertRaises(FormError, self.parseForm, {'link': 'frozzle'})
+        self.assertRaises(FormError, self.parseForm, {'status': 'frozzle'},
             'issue')
 
     #
@@ -241,15 +309,16 @@ class FormTestCase(unittest.TestCase):
         cl.classname = 'issue'
         cl.nodeid = None
         cl.db = self.db
-        self.assertEqual(cl.parsePropsFromForm(), 
+        cl.language = ('en',)
+        self.assertEqual(cl.parsePropsFromForm(create=1),
             ({('issue', None): {'nosy': ['1','2', '3']}}, []))
 
     def testEmptyMultilinkSet(self):
         nodeid = self.db.issue.create(nosy=['1','2'])
-        self.assertEqual(self.parseForm({'nosy': ''}, 'issue', nodeid), 
+        self.assertEqual(self.parseForm({'nosy': ''}, 'issue', nodeid),
             ({('issue', nodeid): {'nosy': []}}, []))
         nodeid = self.db.issue.create(nosy=['1','2'])
-        self.assertEqual(self.parseForm({'nosy': ' '}, 'issue', nodeid), 
+        self.assertEqual(self.parseForm({'nosy': ' '}, 'issue', nodeid),
             ({('issue', nodeid): {'nosy': []}}, []))
         self.assertEqual(self.parseForm({'nosy': '1,2'}, 'issue', nodeid),
             ({('issue', nodeid): {}}, []))
@@ -258,11 +327,11 @@ class FormTestCase(unittest.TestCase):
 # XXX This is not the current behaviour - should we enforce this?
 #        self.assertRaises(IndexError, self.parseForm,
 #            {'nosy': '4'}))
-        self.assertRaises(ValueError, self.parseForm, {'nosy': 'frozzle'},
+        self.assertRaises(FormError, self.parseForm, {'nosy': 'frozzle'},
             'issue')
-        self.assertRaises(ValueError, self.parseForm, {'nosy': '1,frozzle'},
+        self.assertRaises(FormError, self.parseForm, {'nosy': '1,frozzle'},
             'issue')
-        self.assertRaises(ValueError, self.parseForm, {'multilink': 'frozzle'})
+        self.assertRaises(FormError, self.parseForm, {'multilink': 'frozzle'})
 
     def testMultilinkAdd(self):
         nodeid = self.db.issue.create(nosy=['1'])
@@ -302,7 +371,7 @@ class FormTestCase(unittest.TestCase):
             'issue', nodeid), ({('issue', nodeid): {'nosy': ['3']}}, []))
 
         # remove one that doesn't exist?
-        self.assertRaises(ValueError, self.parseForm, {':remove:nosy': '4'},
+        self.assertRaises(FormError, self.parseForm, {':remove:nosy': '4'},
             'issue', nodeid)
 
     def testMultilinkRetired(self):
@@ -316,9 +385,9 @@ class FormTestCase(unittest.TestCase):
             ({('issue', nodeid): {'nosy': ['1','2','3']}}, []))
 
     def testAddRemoveNonexistant(self):
-        self.assertRaises(ValueError, self.parseForm, {':remove:foo': '2'},
+        self.assertRaises(FormError, self.parseForm, {':remove:foo': '2'},
             'issue')
-        self.assertRaises(ValueError, self.parseForm, {':add:foo': '2'},
+        self.assertRaises(FormError, self.parseForm, {':add:foo': '2'},
             'issue')
 
     #
@@ -329,9 +398,9 @@ class FormTestCase(unittest.TestCase):
             ({('user', None): {}}, []))
         self.assertEqual(self.parseForm({'password': ''}, 'user'),
             ({('user', None): {}}, []))
-        self.assertRaises(ValueError, self.parseForm, {'password': ['', '']},
+        self.assertRaises(FormError, self.parseForm, {'password': ['', '']},
             'user')
-        self.assertRaises(ValueError, self.parseForm, {'password': 'foo',
+        self.assertRaises(FormError, self.parseForm, {'password': 'foo',
             ':confirm:password': ['', '']}, 'user')
 
     def testSetPassword(self):
@@ -340,9 +409,9 @@ class FormTestCase(unittest.TestCase):
             ({('user', None): {'password': 'foo'}}, []))
 
     def testSetPasswordConfirmBad(self):
-        self.assertRaises(ValueError, self.parseForm, {'password': 'foo'},
+        self.assertRaises(FormError, self.parseForm, {'password': 'foo'},
             'user')
-        self.assertRaises(ValueError, self.parseForm, {'password': 'foo',
+        self.assertRaises(FormError, self.parseForm, {'password': 'foo',
             ':confirm:password': 'bar'}, 'user')
 
     def testEmptyPasswordNotSet(self):
@@ -356,6 +425,30 @@ class FormTestCase(unittest.TestCase):
             ':confirm:password': ''}, 'user', nodeid),
             ({('user', nodeid): {}}, []))
 
+    def testPasswordMigration(self):
+        chef = self.db.user.lookup('Chef')
+        form = dict(__login_name='Chef', __login_password='foo')
+        cl = self._make_client(form)
+        # assume that the "best" algorithm is the first one and doesn't
+        # need migration, all others should be migrated.
+        for scheme in password.Password.deprecated_schemes:
+            pw1 = password.Password('foo', scheme=scheme)
+            self.assertEqual(pw1.needs_migration(), True)
+            self.db.user.set(chef, password=pw1)
+            self.db.commit()
+            actions.LoginAction(cl).handle()
+            pw = self.db.user.get(chef, 'password')
+            self.assertEqual(pw, 'foo')
+            self.assertEqual(pw.needs_migration(), False)
+        pw1 = pw
+        self.assertEqual(pw1.needs_migration(), False)
+        scheme = password.Password.known_schemes[0]
+        self.assertEqual(scheme, pw1.scheme)
+        actions.LoginAction(cl).handle()
+        pw = self.db.user.get(chef, 'password')
+        self.assertEqual(pw, 'foo')
+        self.assertEqual(pw, pw1)
+
     #
     # Boolean
     #
@@ -364,7 +457,7 @@ class FormTestCase(unittest.TestCase):
             ({('test', None): {}}, []))
         self.assertEqual(self.parseForm({'boolean': ' '}),
             ({('test', None): {}}, []))
-        self.assertRaises(ValueError, self.parseForm, {'boolean': ['', '']})
+        self.assertRaises(FormError, self.parseForm, {'boolean': ['', '']})
 
     def testSetBoolean(self):
         self.assertEqual(self.parseForm({'boolean': 'yes'}),
@@ -386,6 +479,14 @@ class FormTestCase(unittest.TestCase):
         self.assertEqual(self.parseForm({'boolean': ' '}, 'test', nodeid),
             ({('test', nodeid): {'boolean': None}}, []))
 
+    def testRequiredBoolean(self):
+        self.assertRaises(FormError, self.parseForm, {'boolean': '',
+            ':required': 'boolean'})
+        try:
+            self.parseForm({'boolean': 'no', ':required': 'boolean'})
+        except FormError:
+            self.fail('boolean "no" raised "required missing"')
+
     #
     # Number
     #
@@ -394,23 +495,38 @@ class FormTestCase(unittest.TestCase):
             ({('test', None): {}}, []))
         self.assertEqual(self.parseForm({'number': ' '}),
             ({('test', None): {}}, []))
-        self.assertRaises(ValueError, self.parseForm, {'number': ['', '']})
+        self.assertRaises(FormError, self.parseForm, {'number': ['', '']})
 
     def testInvalidNumber(self):
-        self.assertRaises(ValueError, self.parseForm, {'number': 'hi, mum!'})
+        self.assertRaises(FormError, self.parseForm, {'number': 'hi, mum!'})
 
     def testSetNumber(self):
         self.assertEqual(self.parseForm({'number': '1'}),
             ({('test', None): {'number': 1}}, []))
+        self.assertEqual(self.parseForm({'number': '0'}),
+            ({('test', None): {'number': 0}}, []))
         self.assertEqual(self.parseForm({'number': '\n0\n'}),
             ({('test', None): {'number': 0}}, []))
+
+    def testSetNumberReplaceOne(self):
         nodeid = self.db.test.create(number=1)
         self.assertEqual(self.parseForm({'number': '1'}, 'test', nodeid),
             ({('test', nodeid): {}}, []))
+        self.assertEqual(self.parseForm({'number': '0'}, 'test', nodeid),
+            ({('test', nodeid): {'number': 0}}, []))
+
+    def testSetNumberReplaceZero(self):
         nodeid = self.db.test.create(number=0)
         self.assertEqual(self.parseForm({'number': '0'}, 'test', nodeid),
             ({('test', nodeid): {}}, []))
 
+    def testSetNumberReplaceNone(self):
+        nodeid = self.db.test.create()
+        self.assertEqual(self.parseForm({'number': '0'}, 'test', nodeid),
+            ({('test', nodeid): {'number': 0}}, []))
+        self.assertEqual(self.parseForm({'number': '1'}, 'test', nodeid),
+            ({('test', nodeid): {'number': 1}}, []))
+
     def testEmptyNumberSet(self):
         nodeid = self.db.test.create(number=0)
         self.assertEqual(self.parseForm({'number': ''}, 'test', nodeid),
@@ -419,6 +535,14 @@ class FormTestCase(unittest.TestCase):
         self.assertEqual(self.parseForm({'number': ' '}, 'test', nodeid),
             ({('test', nodeid): {'number': None}}, []))
 
+    def testRequiredNumber(self):
+        self.assertRaises(FormError, self.parseForm, {'number': '',
+            ':required': 'number'})
+        try:
+            self.parseForm({'number': '0', ':required': 'number'})
+        except FormError:
+            self.fail('number "no" raised "required missing"')
+
     #
     # Date
     #
@@ -427,24 +551,24 @@ class FormTestCase(unittest.TestCase):
             ({('test', None): {}}, []))
         self.assertEqual(self.parseForm({'date': ' '}),
             ({('test', None): {}}, []))
-        self.assertRaises(ValueError, self.parseForm, {'date': ['', '']})
+        self.assertRaises(FormError, self.parseForm, {'date': ['', '']})
 
     def testInvalidDate(self):
-        self.assertRaises(ValueError, self.parseForm, {'date': '12'})
+        self.assertRaises(FormError, self.parseForm, {'date': '12'})
 
     def testSetDate(self):
         self.assertEqual(self.parseForm({'date': '2003-01-01'}),
             ({('test', None): {'date': date.Date('2003-01-01')}}, []))
         nodeid = self.db.test.create(date=date.Date('2003-01-01'))
-        self.assertEqual(self.parseForm({'date': '2003-01-01'}, 'test', 
+        self.assertEqual(self.parseForm({'date': '2003-01-01'}, 'test',
             nodeid), ({('test', nodeid): {}}, []))
 
     def testEmptyDateSet(self):
         nodeid = self.db.test.create(date=date.Date('.'))
-        self.assertEqual(self.parseForm({'date': ''}, 'test', nodeid), 
+        self.assertEqual(self.parseForm({'date': ''}, 'test', nodeid),
             ({('test', nodeid): {'date': None}}, []))
         nodeid = self.db.test.create(date=date.Date('1970-01-01.00:00:00'))
-        self.assertEqual(self.parseForm({'date': ' '}, 'test', nodeid), 
+        self.assertEqual(self.parseForm({'date': ' '}, 'test', nodeid),
             ({('test', nodeid): {'date': None}}, []))
 
     #
@@ -470,23 +594,34 @@ class FormTestCase(unittest.TestCase):
             }),
             ({('test', None): {'string': 'a'},
               ('issue', '-1'): {'nosy': ['1']},
-              ('issue', '-2'): {}
              },
              [('issue', '-2', 'superseder', [('issue', '-1')])
              ]
             )
         )
 
+    def testMessages(self):
+        self.assertEqual(self.parseForm({
+            'msg-1@content': 'asdf',
+            'msg-2@content': 'qwer',
+            '@link@messages': 'msg-1, msg-2'}),
+            ({('test', None): {},
+              ('msg', '-2'): {'content': 'qwer'},
+              ('msg', '-1'): {'content': 'asdf'}},
+             [('test', None, 'messages', [('msg', '-1'), ('msg', '-2')])]
+            )
+        )
+
     def testLinkBadDesignator(self):
-        self.assertRaises(ValueError, self.parseForm,
+        self.assertRaises(FormError, self.parseForm,
             {'test-1@link@link': 'blah'})
-        self.assertRaises(ValueError, self.parseForm,
+        self.assertRaises(FormError, self.parseForm,
             {'test-1@link@link': 'issue'})
 
     def testLinkNotLink(self):
-        self.assertRaises(ValueError, self.parseForm,
+        self.assertRaises(FormError, self.parseForm,
             {'test-1@link@boolean': 'issue-1'})
-        self.assertRaises(ValueError, self.parseForm,
+        self.assertRaises(FormError, self.parseForm,
             {'test-1@link@string': 'issue-1'})
 
     def testBackwardsCompat(self):
@@ -501,16 +636,287 @@ class FormTestCase(unittest.TestCase):
             'name': 'foo.txt', 'type': 'text/plain'}},
             [('issue', None, 'files', [('file', '-1')])]))
 
-def suite():
-    l = [unittest.makeSuite(FormTestCase),
-    ]
-    return unittest.TestSuite(l)
+    #
+    # SECURITY
+    #
+    # XXX test all default permissions
+    def _make_client(self, form, classname='user', nodeid='1',
+           userid='2', template='item'):
+        cl = client.Client(self.instance, None, {'PATH_INFO':'/',
+            'REQUEST_METHOD':'POST'}, makeForm(form))
+        cl.classname = classname
+        if nodeid is not None:
+            cl.nodeid = nodeid
+        cl.db = self.db
+        cl.userid = userid
+        cl.language = ('en',)
+        cl.error_message = []
+        cl.template = template
+        return cl
+
+    def testClassPermission(self):
+        cl = self._make_client(dict(username='bob'))
+        self.failUnlessRaises(exceptions.Unauthorised,
+            actions.EditItemAction(cl).handle)
+        cl.nodeid = '1'
+        self.assertRaises(exceptions.Unauthorised,
+            actions.EditItemAction(cl).handle)
+
+    def testCheckAndPropertyPermission(self):
+        self.db.security.permissions = {}
+        def own_record(db, userid, itemid):
+            return userid == itemid
+        p = self.db.security.addPermission(name='Edit', klass='user',
+            check=own_record, properties=("password", ))
+        self.db.security.addPermissionToRole('User', p)
+
+        cl = self._make_client(dict(username='bob'))
+        self.assertRaises(exceptions.Unauthorised,
+            actions.EditItemAction(cl).handle)
+        cl = self._make_client(dict(roles='User,Admin'), userid='4', nodeid='4')
+        self.assertRaises(exceptions.Unauthorised,
+            actions.EditItemAction(cl).handle)
+        cl = self._make_client(dict(roles='User,Admin'), userid='4')
+        self.assertRaises(exceptions.Unauthorised,
+            actions.EditItemAction(cl).handle)
+        cl = self._make_client(dict(roles='User,Admin'))
+        self.assertRaises(exceptions.Unauthorised,
+            actions.EditItemAction(cl).handle)
+        # working example, mary may change her pw
+        cl = self._make_client({'password':'ob', '@confirm@password':'ob'},
+            nodeid='4', userid='4')
+        self.assertRaises(exceptions.Redirect,
+            actions.EditItemAction(cl).handle)
+        cl = self._make_client({'password':'bob', '@confirm@password':'bob'})
+        self.failUnlessRaises(exceptions.Unauthorised,
+            actions.EditItemAction(cl).handle)
+
+    def testCreatePermission(self):
+        # this checks if we properly differentiate between create and
+        # edit permissions
+        self.db.security.permissions = {}
+        self.db.security.addRole(name='UserAdd')
+        # Don't allow roles
+        p = self.db.security.addPermission(name='Create', klass='user',
+            properties=("username", "password", "address",
+            "alternate_address", "realname", "phone", "organisation",
+            "timezone"))
+        self.db.security.addPermissionToRole('UserAdd', p)
+        # Don't allow roles *and* don't allow username
+        p = self.db.security.addPermission(name='Edit', klass='user',
+            properties=("password", "address", "alternate_address",
+            "realname", "phone", "organisation", "timezone"))
+        self.db.security.addPermissionToRole('UserAdd', p)
+        self.db.user.set('4', roles='UserAdd')
+
+        # anonymous may not
+        cl = self._make_client({'username':'new_user', 'password':'secret',
+            '@confirm@password':'secret', 'address':'new_user@bork.bork',
+            'roles':'Admin'}, nodeid=None, userid='2')
+        self.assertRaises(exceptions.Unauthorised,
+            actions.NewItemAction(cl).handle)
+        # Don't allow creating new user with roles
+        cl = self._make_client({'username':'new_user', 'password':'secret',
+            '@confirm@password':'secret', 'address':'new_user@bork.bork',
+            'roles':'Admin'}, nodeid=None, userid='4')
+        self.assertRaises(exceptions.Unauthorised,
+            actions.NewItemAction(cl).handle)
+        self.assertEqual(cl.error_message,[])
+        # this should work
+        cl = self._make_client({'username':'new_user', 'password':'secret',
+            '@confirm@password':'secret', 'address':'new_user@bork.bork'},
+            nodeid=None, userid='4')
+        self.assertRaises(exceptions.Redirect,
+            actions.NewItemAction(cl).handle)
+        self.assertEqual(cl.error_message,[])
+        # don't allow changing (my own) username (in this example)
+        cl = self._make_client(dict(username='new_user42'), userid='4')
+        self.assertRaises(exceptions.Unauthorised,
+            actions.EditItemAction(cl).handle)
+        cl = self._make_client(dict(username='new_user42'), userid='4',
+            nodeid='4')
+        self.assertRaises(exceptions.Unauthorised,
+            actions.EditItemAction(cl).handle)
+        # don't allow changing (my own) roles
+        cl = self._make_client(dict(roles='User,Admin'), userid='4',
+            nodeid='4')
+        self.assertRaises(exceptions.Unauthorised,
+            actions.EditItemAction(cl).handle)
+        cl = self._make_client(dict(roles='User,Admin'), userid='4')
+        self.assertRaises(exceptions.Unauthorised,
+            actions.EditItemAction(cl).handle)
+        cl = self._make_client(dict(roles='User,Admin'))
+        self.assertRaises(exceptions.Unauthorised,
+            actions.EditItemAction(cl).handle)
+
+    def testSearchPermission(self):
+        # this checks if we properly check for search permissions
+        self.db.security.permissions = {}
+        self.db.security.addRole(name='User')
+        self.db.security.addRole(name='Project')
+        self.db.security.addPermissionToRole('User', 'Web Access')
+        self.db.security.addPermissionToRole('Project', 'Web Access')
+        # Allow viewing department
+        p = self.db.security.addPermission(name='View', klass='department')
+        self.db.security.addPermissionToRole('User', p)
+        # Allow viewing interesting things (but not department) on iss
+        # But users might only view issues where they are on nosy
+        # (so in the real world the check method would be better)
+        p = self.db.security.addPermission(name='View', klass='iss',
+            properties=("title", "status"), check=lambda x,y,z: True)
+        self.db.security.addPermissionToRole('User', p)
+        # Allow all relevant roles access to stat
+        p = self.db.security.addPermission(name='View', klass='stat')
+        self.db.security.addPermissionToRole('User', p)
+        self.db.security.addPermissionToRole('Project', p)
+        # Allow role "Project" access to whole iss
+        p = self.db.security.addPermission(name='View', klass='iss')
+        self.db.security.addPermissionToRole('Project', p)
+
+        department = self.instance.backend.Class(self.db, "department",
+            name=hyperdb.String())
+        status = self.instance.backend.Class(self.db, "stat",
+            name=hyperdb.String())
+        issue = self.instance.backend.Class(self.db, "iss",
+            title=hyperdb.String(), status=hyperdb.Link('stat'),
+            department=hyperdb.Link('department'))
+
+        d1 = department.create(name='d1')
+        d2 = department.create(name='d2')
+        open = status.create(name='open')
+        closed = status.create(name='closed')
+        issue.create(title='i1', status=open, department=d2)
+        issue.create(title='i2', status=open, department=d1)
+        issue.create(title='i2', status=closed, department=d1)
+
+        chef = self.db.user.lookup('Chef')
+        mary = self.db.user.lookup('mary')
+        self.db.user.set(chef, roles = 'User, Project')
+
+        perm = self.db.security.hasPermission
+        search = self.db.security.hasSearchPermission
+        self.assert_(perm('View', chef, 'iss', 'department', '1'))
+        self.assert_(perm('View', chef, 'iss', 'department', '2'))
+        self.assert_(perm('View', chef, 'iss', 'department', '3'))
+        self.assert_(search(chef, 'iss', 'department'))
+
+        self.assert_(not perm('View', mary, 'iss', 'department'))
+        self.assert_(perm('View', mary, 'iss', 'status'))
+        # Conditionally allow view of whole iss (check is False here,
+        # this might check for department owner in the real world)
+        p = self.db.security.addPermission(name='View', klass='iss',
+            check=lambda x,y,z: False)
+        self.db.security.addPermissionToRole('User', p)
+        self.assert_(perm('View', mary, 'iss', 'department'))
+        self.assert_(not perm('View', mary, 'iss', 'department', '1'))
+        self.assert_(not search(mary, 'iss', 'department'))
+
+        self.assert_(perm('View', mary, 'iss', 'status'))
+        self.assert_(not search(mary, 'iss', 'status'))
+        # Allow user to search for iss.status
+        p = self.db.security.addPermission(name='Search', klass='iss',
+            properties=("status",))
+        self.db.security.addPermissionToRole('User', p)
+        self.assert_(search(mary, 'iss', 'status'))
+
+        dep = {'@action':'search','columns':'id','@filter':'department',
+            'department':'1'}
+        stat = {'@action':'search','columns':'id','@filter':'status',
+            'status':'1'}
+        depsort = {'@action':'search','columns':'id','@sort':'department'}
+        depgrp = {'@action':'search','columns':'id','@group':'department'}
+
+        # Filter on department ignored for role 'User':
+        cl = self._make_client(dep, classname='iss', nodeid=None, userid=mary,
+            template='index')
+        h = HTMLRequest(cl)
+        self.assertEqual([x.id for x in h.batch()],['1', '2', '3'])
+        # Filter on department works for role 'Project':
+        cl = self._make_client(dep, classname='iss', nodeid=None, userid=chef,
+            template='index')
+        h = HTMLRequest(cl)
+        self.assertEqual([x.id for x in h.batch()],['2', '3'])
+        # Filter on status works for all:
+        cl = self._make_client(stat, classname='iss', nodeid=None, userid=mary,
+            template='index')
+        h = HTMLRequest(cl)
+        self.assertEqual([x.id for x in h.batch()],['1', '2'])
+        cl = self._make_client(stat, classname='iss', nodeid=None, userid=chef,
+            template='index')
+        h = HTMLRequest(cl)
+        self.assertEqual([x.id for x in h.batch()],['1', '2'])
+        # Sorting and grouping for class Project works:
+        cl = self._make_client(depsort, classname='iss', nodeid=None,
+            userid=chef, template='index')
+        h = HTMLRequest(cl)
+        self.assertEqual([x.id for x in h.batch()],['2', '3', '1'])
+        cl = self._make_client(depgrp, classname='iss', nodeid=None,
+            userid=chef, template='index')
+        h = HTMLRequest(cl)
+        self.assertEqual([x.id for x in h.batch()],['2', '3', '1'])
+        # Sorting and grouping for class User fails:
+        cl = self._make_client(depsort, classname='iss', nodeid=None,
+            userid=mary, template='index')
+        h = HTMLRequest(cl)
+        self.assertEqual([x.id for x in h.batch()],['1', '2', '3'])
+        cl = self._make_client(depgrp, classname='iss', nodeid=None,
+            userid=mary, template='index')
+        h = HTMLRequest(cl)
+        self.assertEqual([x.id for x in h.batch()],['1', '2', '3'])
+
+    def testRoles(self):
+        cl = self._make_client({})
+        self.db.user.set('1', roles='aDmin,    uSer')
+        item = HTMLItem(cl, 'user', '1')
+        self.assert_(item.hasRole('Admin'))
+        self.assert_(item.hasRole('User'))
+        self.assert_(item.hasRole('AdmiN'))
+        self.assert_(item.hasRole('UseR'))
+        self.assert_(item.hasRole('UseR','Admin'))
+        self.assert_(item.hasRole('UseR','somethingelse'))
+        self.assert_(item.hasRole('somethingelse','Admin'))
+        self.assert_(not item.hasRole('userr'))
+        self.assert_(not item.hasRole('adminn'))
+        self.assert_(not item.hasRole(''))
+        self.assert_(not item.hasRole(' '))
+        self.db.user.set('1', roles='')
+        self.assert_(not item.hasRole(''))
+
+    def testCSVExport(self):
+        cl = self._make_client({'@columns': 'id,name'}, nodeid=None,
+            userid='1')
+        cl.classname = 'status'
+        output = StringIO.StringIO()
+        cl.request = MockNull()
+        cl.request.wfile = output
+        actions.ExportCSVAction(cl).handle()
+        self.assertEquals('id,name\r\n1,unread\r\n2,deferred\r\n3,chatting\r\n'
+            '4,need-eg\r\n5,in-progress\r\n6,testing\r\n7,done-cbb\r\n'
+            '8,resolved\r\n',
+            output.getvalue())
+
+    def testCSVExportFailPermission(self):
+        cl = self._make_client({'@columns': 'id,email,password'}, nodeid=None,
+            userid='2')
+        cl.classname = 'user'
+        output = StringIO.StringIO()
+        cl.request = MockNull()
+        cl.request.wfile = output
+        self.assertRaises(exceptions.Unauthorised,
+            actions.ExportCSVAction(cl).handle)
+
+
+def test_suite():
+    suite = unittest.TestSuite()
+
+def test_suite():
+    suite = unittest.TestSuite()
+    suite.addTest(unittest.makeSuite(FormTestCase))
+    suite.addTest(unittest.makeSuite(MessageTestCase))
+    return suite
 
-def run():
+if __name__ == '__main__':
     runner = unittest.TextTestRunner()
     unittest.main(testRunner=runner)
 
-if __name__ == '__main__':
-    run()
-
-# vim: set filetype=python ts=4 sw=4 et si
+# vim: set filetype=python sts=4 sw=4 et si :
Roundup Issue Tracker (SVN clone)