blob: f87253667e8219b57117f0fc0206303f10e84812 [file] [log] [blame]
# Copyright 2016 The Chromium Authors. All rights reserved.
# Use of this source code is govered by a BSD-style
# license that can be found in the LICENSE file or at
# https://developers.google.com/open-source/licenses/bsd
"""Tests for permissions.py."""
import time
import unittest
import mox
import settings
from framework import framework_constants
from framework import framework_views
from framework import monorailrequest
from framework import permissions
from proto import project_pb2
from proto import site_pb2
from proto import tracker_pb2
from proto import user_pb2
from proto import usergroup_pb2
from testing import fake
from testing import testing_helpers
from tracker import tracker_bizobj
class PermissionSetTest(unittest.TestCase):
def setUp(self):
self.perms = permissions.PermissionSet(['A', 'b', 'Cc'])
self.proj = project_pb2.Project()
self.proj.contributor_ids.append(111L)
self.proj.contributor_ids.append(222L)
self.proj.extra_perms.append(project_pb2.Project.ExtraPerms(
member_id=111L, perms=['Cc', 'D', 'e', 'Ff']))
self.proj.extra_perms.append(project_pb2.Project.ExtraPerms(
member_id=222L, perms=['G', 'H']))
# user 3 used to be a member and had extra perms, but no longer in project.
self.proj.extra_perms.append(project_pb2.Project.ExtraPerms(
member_id=333L, perms=['G', 'H']))
def testGetAttr(self):
self.assertTrue(self.perms.a)
self.assertTrue(self.perms.A)
self.assertTrue(self.perms.b)
self.assertTrue(self.perms.Cc)
self.assertTrue(self.perms.CC)
self.assertFalse(self.perms.z)
self.assertFalse(self.perms.Z)
def testCanUsePerm_Anonymous(self):
effective_ids = set()
self.assertTrue(self.perms.CanUsePerm('A', effective_ids, self.proj, []))
self.assertFalse(self.perms.CanUsePerm('D', effective_ids, self.proj, []))
self.assertFalse(self.perms.CanUsePerm('Z', effective_ids, self.proj, []))
def testCanUsePerm_SignedInNoGroups(self):
effective_ids = {111L}
self.assertTrue(self.perms.CanUsePerm('A', effective_ids, self.proj, []))
self.assertTrue(self.perms.CanUsePerm('D', effective_ids, self.proj, []))
self.assertTrue(self.perms.CanUsePerm(
'D', effective_ids, self.proj, ['Restrict-D-A']))
self.assertFalse(self.perms.CanUsePerm('G', effective_ids, self.proj, []))
self.assertFalse(self.perms.CanUsePerm('Z', effective_ids, self.proj, []))
effective_ids = {222L}
self.assertTrue(self.perms.CanUsePerm('A', effective_ids, self.proj, []))
self.assertFalse(self.perms.CanUsePerm('D', effective_ids, self.proj, []))
self.assertTrue(self.perms.CanUsePerm('G', effective_ids, self.proj, []))
self.assertFalse(self.perms.CanUsePerm('Z', effective_ids, self.proj, []))
self.assertFalse(self.perms.CanUsePerm(
'Z', effective_ids, self.proj, ['Restrict-Z-A']))
def testCanUsePerm_SignedInWithGroups(self):
effective_ids = {111L, 222L, 333L}
self.assertTrue(self.perms.CanUsePerm('A', effective_ids, self.proj, []))
self.assertTrue(self.perms.CanUsePerm('D', effective_ids, self.proj, []))
self.assertTrue(self.perms.CanUsePerm('G', effective_ids, self.proj, []))
self.assertTrue(self.perms.CanUsePerm(
'G', effective_ids, self.proj, ['Restrict-G-D']))
self.assertFalse(self.perms.CanUsePerm('Z', effective_ids, self.proj, []))
self.assertFalse(self.perms.CanUsePerm(
'G', effective_ids, self.proj, ['Restrict-G-Z']))
def testCanUsePerm_FormerMember(self):
effective_ids = {333L}
self.assertTrue(self.perms.CanUsePerm('A', effective_ids, self.proj, []))
self.assertFalse(self.perms.CanUsePerm('D', effective_ids, self.proj, []))
self.assertFalse(self.perms.CanUsePerm('G', effective_ids, self.proj, []))
self.assertFalse(self.perms.CanUsePerm('Z', effective_ids, self.proj, []))
def testHasPerm_InPermSet(self):
self.assertTrue(self.perms.HasPerm('a', 0, None))
self.assertTrue(self.perms.HasPerm('a', 0, self.proj))
self.assertTrue(self.perms.HasPerm('A', 0, None))
self.assertTrue(self.perms.HasPerm('A', 0, self.proj))
self.assertFalse(self.perms.HasPerm('Z', 0, None))
self.assertFalse(self.perms.HasPerm('Z', 0, self.proj))
def testHasPerm_InExtraPerms(self):
self.assertTrue(self.perms.HasPerm('d', 111L, self.proj))
self.assertTrue(self.perms.HasPerm('D', 111L, self.proj))
self.assertTrue(self.perms.HasPerm('Cc', 111L, self.proj))
self.assertTrue(self.perms.HasPerm('CC', 111L, self.proj))
self.assertFalse(self.perms.HasPerm('Z', 111L, self.proj))
self.assertFalse(self.perms.HasPerm('d', 222L, self.proj))
self.assertFalse(self.perms.HasPerm('D', 222L, self.proj))
# Only current members can have extra permissions
self.proj.contributor_ids = []
self.assertFalse(self.perms.HasPerm('d', 111L, self.proj))
# TODO(jrobbins): also test consider_restrictions=False and
# restriction labels directly in this class.
def testHasPerm_GrantedPerms(self):
self.assertTrue(self.perms.CanUsePerm(
'A', {111L}, self.proj, [], granted_perms=['z']))
self.assertTrue(self.perms.CanUsePerm(
'a', {111L}, self.proj, [], granted_perms=['z']))
self.assertTrue(self.perms.CanUsePerm(
'a', {111L}, self.proj, [], granted_perms=['a']))
self.assertTrue(self.perms.CanUsePerm(
'Z', {111L}, self.proj, [], granted_perms=['y', 'z']))
self.assertTrue(self.perms.CanUsePerm(
'z', {111L}, self.proj, [], granted_perms=['y', 'z']))
self.assertFalse(self.perms.CanUsePerm(
'z', {111L}, self.proj, [], granted_perms=['y']))
def testDebugString(self):
self.assertEqual('PermissionSet()',
permissions.PermissionSet([]).DebugString())
self.assertEqual('PermissionSet(a)',
permissions.PermissionSet(['A']).DebugString())
self.assertEqual('PermissionSet(a, b, cc)', self.perms.DebugString())
def testRepr(self):
self.assertEqual('PermissionSet(frozenset([]))',
permissions.PermissionSet([]).__repr__())
self.assertEqual('PermissionSet(frozenset([\'a\']))',
permissions.PermissionSet(['A']).__repr__())
class PermissionsTest(unittest.TestCase):
NOW = 1277762224 # Any timestamp will do, we only compare it to itself +/- 1
COMMITTER_USER_ID = 111L
OWNER_USER_ID = 222L
CONTRIB_USER_ID = 333L
SITE_ADMIN_USER_ID = 444L
def MakeProject(self, project_name, state, add_members=True, access=None):
args = dict(project_name=project_name, state=state)
if add_members:
args.update(owner_ids=[self.OWNER_USER_ID],
committer_ids=[self.COMMITTER_USER_ID],
contributor_ids=[self.CONTRIB_USER_ID])
if access:
args.update(access=access)
return fake.Project(**args)
def setUp(self):
self.live_project = self.MakeProject('live', project_pb2.ProjectState.LIVE)
self.archived_project = self.MakeProject(
'archived', project_pb2.ProjectState.ARCHIVED)
self.other_live_project = self.MakeProject(
'other_live', project_pb2.ProjectState.LIVE, add_members=False)
self.members_only_project = self.MakeProject(
's3kr3t', project_pb2.ProjectState.LIVE,
access=project_pb2.ProjectAccess.MEMBERS_ONLY)
self.nonmember = user_pb2.User()
self.member = user_pb2.User()
self.owner = user_pb2.User()
self.contrib = user_pb2.User()
self.site_admin = user_pb2.User()
self.site_admin.is_site_admin = True
self.borg_user = user_pb2.User(email=settings.borg_service_account)
self.normal_artifact = tracker_pb2.Issue()
self.normal_artifact.labels.extend(['hot', 'Key-Value'])
self.normal_artifact.reporter_id = 111L
# Two PermissionSets w/ permissions outside of any project.
self.normal_user_perms = permissions.GetPermissions(
None, {111L}, None)
self.admin_perms = permissions.PermissionSet(
[permissions.ADMINISTER_SITE,
permissions.CREATE_PROJECT])
self.mox = mox.Mox()
def tearDown(self):
self.mox.UnsetStubs()
def testGetPermissions_Admin(self):
self.assertEqual(
permissions.ADMIN_PERMISSIONSET,
permissions.GetPermissions(self.site_admin, None, None))
def testGetPermissions_BorgServiceAccount(self):
self.assertEqual(
permissions.GROUP_IMPORT_BORG_PERMISSIONSET,
permissions.GetPermissions(self.borg_user, None, None))
def CheckPermissions(self, perms, expected_list):
expect_view, expect_commit, expect_edit_project = expected_list
self.assertEqual(
expect_view, perms.HasPerm(permissions.VIEW, None, None))
self.assertEqual(
expect_commit, perms.HasPerm(permissions.COMMIT, None, None))
self.assertEqual(
expect_edit_project,
perms.HasPerm(permissions.EDIT_PROJECT, None, None))
def testAnonPermissions(self):
perms = permissions.GetPermissions(None, set(), self.live_project)
self.CheckPermissions(perms, [True, False, False])
perms = permissions.GetPermissions(None, set(), self.members_only_project)
self.CheckPermissions(perms, [False, False, False])
def testNonmemberPermissions(self):
perms = permissions.GetPermissions(
self.nonmember, {123}, self.live_project)
self.CheckPermissions(perms, [True, False, False])
perms = permissions.GetPermissions(
self.nonmember, {123}, self.members_only_project)
self.CheckPermissions(perms, [False, False, False])
def testMemberPermissions(self):
perms = permissions.GetPermissions(
self.member, {self.COMMITTER_USER_ID}, self.live_project)
self.CheckPermissions(perms, [True, True, False])
perms = permissions.GetPermissions(
self.member, {self.COMMITTER_USER_ID}, self.other_live_project)
self.CheckPermissions(perms, [True, False, False])
perms = permissions.GetPermissions(
self.member, {self.COMMITTER_USER_ID}, self.members_only_project)
self.CheckPermissions(perms, [True, True, False])
def testOwnerPermissions(self):
perms = permissions.GetPermissions(
self.owner, {self.OWNER_USER_ID}, self.live_project)
self.CheckPermissions(perms, [True, True, True])
perms = permissions.GetPermissions(
self.owner, {self.OWNER_USER_ID}, self.other_live_project)
self.CheckPermissions(perms, [True, False, False])
perms = permissions.GetPermissions(
self.owner, {self.OWNER_USER_ID}, self.members_only_project)
self.CheckPermissions(perms, [True, True, True])
def testContributorPermissions(self):
perms = permissions.GetPermissions(
self.contrib, {self.CONTRIB_USER_ID}, self.live_project)
self.CheckPermissions(perms, [True, False, False])
perms = permissions.GetPermissions(
self.contrib, {self.CONTRIB_USER_ID}, self.other_live_project)
self.CheckPermissions(perms, [True, False, False])
perms = permissions.GetPermissions(
self.contrib, {self.CONTRIB_USER_ID}, self.members_only_project)
self.CheckPermissions(perms, [True, False, False])
def testLookupPermset_ExactMatch(self):
self.assertEqual(
permissions.USER_PERMISSIONSET,
permissions._LookupPermset(
permissions.USER_ROLE, project_pb2.ProjectState.LIVE,
project_pb2.ProjectAccess.ANYONE))
def testLookupPermset_WildcardAccess(self):
self.assertEqual(
permissions.OWNER_ACTIVE_PERMISSIONSET,
permissions._LookupPermset(
permissions.OWNER_ROLE, project_pb2.ProjectState.LIVE,
project_pb2.ProjectAccess.MEMBERS_ONLY))
def testGetPermissionKey_AnonUser(self):
self.assertEqual(
(permissions.ANON_ROLE, permissions.UNDEFINED_STATUS,
permissions.UNDEFINED_ACCESS),
permissions._GetPermissionKey(None, None))
self.assertEqual(
(permissions.ANON_ROLE, project_pb2.ProjectState.LIVE,
project_pb2.ProjectAccess.ANYONE),
permissions._GetPermissionKey(None, self.live_project))
def testGetPermissionKey_ExpiredProject(self):
self.archived_project.delete_time = self.NOW
# In an expired project, the user's committe role does not count.
self.assertEqual(
(permissions.USER_ROLE, project_pb2.ProjectState.ARCHIVED,
project_pb2.ProjectAccess.ANYONE),
permissions._GetPermissionKey(
self.COMMITTER_USER_ID, self.archived_project,
expired_before=self.NOW + 1))
# If not expired yet, the user's committe role still counts.
self.assertEqual(
(permissions.COMMITTER_ROLE, project_pb2.ProjectState.ARCHIVED,
project_pb2.ProjectAccess.ANYONE),
permissions._GetPermissionKey(
self.COMMITTER_USER_ID, self.archived_project,
expired_before=self.NOW - 1))
def testGetPermissionKey_DefinedRoles(self):
self.assertEqual(
(permissions.OWNER_ROLE, project_pb2.ProjectState.LIVE,
project_pb2.ProjectAccess.ANYONE),
permissions._GetPermissionKey(
self.OWNER_USER_ID, self.live_project))
self.assertEqual(
(permissions.COMMITTER_ROLE, project_pb2.ProjectState.LIVE,
project_pb2.ProjectAccess.ANYONE),
permissions._GetPermissionKey(
self.COMMITTER_USER_ID, self.live_project))
self.assertEqual(
(permissions.CONTRIBUTOR_ROLE, project_pb2.ProjectState.LIVE,
project_pb2.ProjectAccess.ANYONE),
permissions._GetPermissionKey(
self.CONTRIB_USER_ID, self.live_project))
def testGetPermissionKey_Nonmember(self):
self.assertEqual(
(permissions.USER_ROLE, project_pb2.ProjectState.LIVE,
project_pb2.ProjectAccess.ANYONE),
permissions._GetPermissionKey(
999L, self.live_project))
def testPermissionsImmutable(self):
self.assertTrue(isinstance(
permissions.EMPTY_PERMISSIONSET.perm_names, frozenset))
self.assertTrue(isinstance(
permissions.READ_ONLY_PERMISSIONSET.perm_names, frozenset))
self.assertTrue(isinstance(
permissions.COMMITTER_ACTIVE_PERMISSIONSET.perm_names, frozenset))
self.assertTrue(isinstance(
permissions.OWNER_ACTIVE_PERMISSIONSET.perm_names, frozenset))
def testGetExtraPerms(self):
project = project_pb2.Project()
project.committer_ids.append(222L)
project.extra_perms.append(project_pb2.Project.ExtraPerms(
member_id=222L, perms=['a', 'b', 'c']))
# User 1 is a former member with left-over extra perms that don't count.
project.extra_perms.append(project_pb2.Project.ExtraPerms(
member_id=111L, perms=['a', 'b', 'c']))
self.assertListEqual(
[],
permissions.GetExtraPerms(project, 111L))
self.assertListEqual(
['a', 'b', 'c'],
permissions.GetExtraPerms(project, 222L))
self.assertListEqual(
[],
permissions.GetExtraPerms(project, 333L))
def testAnonUsersCannotDelete(self):
perms = permissions.PermissionSet([permissions.DELETE_ANY])
# No logged in user, no perms specfied.
self.assertFalse(permissions.CanDelete(
framework_constants.NO_USER_SPECIFIED, set(), None, 0, 0, None, []))
# No logged in user, even with perms from somewhere.
self.assertFalse(permissions.CanDelete(
framework_constants.NO_USER_SPECIFIED, set(), perms, 0, 0, None, []))
# No logged in user, even if artifact was already deleted.
self.assertFalse(permissions.CanDelete(
framework_constants.NO_USER_SPECIFIED, set(), perms,
111L, 111L, None, []))
# No logged in user, even if artifact was already deleted by project owner.
self.assertFalse(permissions.CanDelete(
framework_constants.NO_USER_SPECIFIED, set(), perms,
111L, 222L, None, []))
def testProjectOwnerCanDeleteAnyArtifact(self):
perms = permissions.PermissionSet([permissions.DELETE_ANY])
# No artifact owner, and not already deleted.
self.assertTrue(permissions.CanDelete(
111L, {111L}, perms, 0, 0, None, []))
# I already deleted, can undelete.
self.assertTrue(permissions.CanDelete(
111L, {111L}, perms, 111L, 0, None, []))
# I can delete my own thing.
self.assertTrue(permissions.CanDelete(
111L, {111L}, perms, 0, 111L, None, []))
# I can also delete another user's artifacts, because I have DELETE_ANY.
self.assertTrue(permissions.CanDelete(
111L, {111L}, perms, 0, 222L, None, []))
# I can always undelete, even if another PO deleted it.
self.assertTrue(permissions.CanDelete(
111L, {111L}, perms, 333L, 222L, None, []))
def testUserCanDeleteTheirOwnStuff(self):
perms = permissions.PermissionSet([permissions.DELETE_OWN])
# I can delete/withdraw my artifact or comment.
self.assertTrue(permissions.CanDelete(
111L, {111L}, perms, 0, 111L, None, []))
# I can undelete what I deleted.
self.assertTrue(permissions.CanDelete(
111L, {111L}, perms, 111L, 111L, None, []))
# I cannot undelete if someone else deleted my spam.
self.assertFalse(permissions.CanDelete(
111L, {111L}, perms, 222L, 111L, None, []))
# I cannot delete other people's stuff.
self.assertFalse(permissions.CanDelete(
111L, {111L}, perms, 0, 222L, None, []))
# I cannot undelete what other people withdrew.
self.assertFalse(permissions.CanDelete(
111L, {111L}, perms, 222L, 222L, None, []))
def testCanViewNormalArifact(self):
# Anyone can view a non-restricted artifact.
self.assertTrue(permissions.CanView(
{111L}, permissions.READ_ONLY_PERMISSIONSET,
self.live_project, []))
def testCanCreateProject_NoPerms(self):
"""Signed out users cannot create projects."""
self.assertFalse(permissions.CanCreateProject(
permissions.EMPTY_PERMISSIONSET))
self.assertFalse(permissions.CanCreateProject(
permissions.READ_ONLY_PERMISSIONSET))
def testCanCreateProject_Admin(self):
"""Site admins can create projects."""
self.assertTrue(permissions.CanCreateProject(
permissions.ADMIN_PERMISSIONSET))
def testCanCreateProject_RegularUser(self):
"""Signed in non-admins can create a project if settings allow ANYONE."""
try:
orig_restriction = settings.project_creation_restriction
ANYONE = site_pb2.UserTypeRestriction.ANYONE
ADMIN_ONLY = site_pb2.UserTypeRestriction.ADMIN_ONLY
NO_ONE = site_pb2.UserTypeRestriction.NO_ONE
perms = permissions.PermissionSet([permissions.CREATE_PROJECT])
settings.project_creation_restriction = ANYONE
self.assertTrue(permissions.CanCreateProject(perms))
settings.project_creation_restriction = ADMIN_ONLY
self.assertFalse(permissions.CanCreateProject(perms))
settings.project_creation_restriction = NO_ONE
self.assertFalse(permissions.CanCreateProject(perms))
self.assertFalse(permissions.CanCreateProject(
permissions.ADMIN_PERMISSIONSET))
finally:
settings.project_creation_restriction = orig_restriction
def testCanCreateGroup_AnyoneWithCreateGroup(self):
orig_setting = settings.group_creation_restriction
try:
settings.group_creation_restriction = site_pb2.UserTypeRestriction.ANYONE
self.assertTrue(permissions.CanCreateGroup(
permissions.PermissionSet([permissions.CREATE_GROUP])))
self.assertFalse(permissions.CanCreateGroup(
permissions.PermissionSet([])))
finally:
settings.group_creation_restriction = orig_setting
def testCanCreateGroup_AdminOnly(self):
orig_setting = settings.group_creation_restriction
try:
ADMIN_ONLY = site_pb2.UserTypeRestriction.ADMIN_ONLY
settings.group_creation_restriction = ADMIN_ONLY
self.assertTrue(permissions.CanCreateGroup(
permissions.PermissionSet([permissions.ADMINISTER_SITE])))
self.assertFalse(permissions.CanCreateGroup(
permissions.PermissionSet([permissions.CREATE_GROUP])))
self.assertFalse(permissions.CanCreateGroup(
permissions.PermissionSet([])))
finally:
settings.group_creation_restriction = orig_setting
def testCanCreateGroup_UnspecifiedSetting(self):
orig_setting = settings.group_creation_restriction
try:
settings.group_creation_restriction = None
self.assertFalse(permissions.CanCreateGroup(
permissions.PermissionSet([permissions.ADMINISTER_SITE])))
self.assertFalse(permissions.CanCreateGroup(
permissions.PermissionSet([permissions.CREATE_GROUP])))
self.assertFalse(permissions.CanCreateGroup(
permissions.PermissionSet([])))
finally:
settings.group_creation_restriction = orig_setting
def testCanEditGroup_HasPerm(self):
self.assertTrue(permissions.CanEditGroup(
permissions.PermissionSet([permissions.EDIT_GROUP]), None, None))
def testCanEditGroup_IsOwner(self):
self.assertTrue(permissions.CanEditGroup(
permissions.PermissionSet([]), {111L}, {111L}))
def testCanEditGroup_Otherwise(self):
self.assertFalse(permissions.CanEditGroup(
permissions.PermissionSet([]), {111L}, {222L}))
def testCanViewGroup_HasPerm(self):
self.assertTrue(permissions.CanViewGroup(
permissions.PermissionSet([permissions.VIEW_GROUP]),
None, None, None, None, None))
def testCanViewGroup_IsMemberOfFriendProject(self):
group_settings = usergroup_pb2.MakeSettings('owners', friend_projects=[890])
self.assertFalse(permissions.CanViewGroup(
permissions.PermissionSet([]),
{111L}, group_settings, {222L}, {333L}, {789}))
self.assertTrue(permissions.CanViewGroup(
permissions.PermissionSet([]),
{111L}, group_settings, {222L}, {333L}, {789, 890}))
def testCanViewGroup_VisibleToOwner(self):
group_settings = usergroup_pb2.MakeSettings('owners')
self.assertFalse(permissions.CanViewGroup(
permissions.PermissionSet([]),
{111L}, group_settings, {222L}, {333L}, {789}))
self.assertFalse(permissions.CanViewGroup(
permissions.PermissionSet([]),
{222L}, group_settings, {222L}, {333L}, {789}))
self.assertTrue(permissions.CanViewGroup(
permissions.PermissionSet([]),
{333L}, group_settings, {222L}, {333L}, {789}))
def testCanViewGroup_IsVisibleToMember(self):
group_settings = usergroup_pb2.MakeSettings('members')
self.assertFalse(permissions.CanViewGroup(
permissions.PermissionSet([]),
{111L}, group_settings, {222L}, {333L}, {789}))
self.assertTrue(permissions.CanViewGroup(
permissions.PermissionSet([]),
{222L}, group_settings, {222L}, {333L}, {789}))
self.assertTrue(permissions.CanViewGroup(
permissions.PermissionSet([]),
{333L}, group_settings, {222L}, {333L}, {789}))
def testCanViewGroup_AnyoneCanView(self):
group_settings = usergroup_pb2.MakeSettings('anyone')
self.assertTrue(permissions.CanViewGroup(
permissions.PermissionSet([]),
{111L}, group_settings, {222L}, {333L}, {789}))
def testIsBanned_AnonUser(self):
user_view = framework_views.UserView(None, None, True)
self.assertFalse(permissions.IsBanned(None, user_view))
def testIsBanned_NormalUser(self):
user = user_pb2.User()
user_view = framework_views.UserView(None, None, True)
self.assertFalse(permissions.IsBanned(user, user_view))
def testIsBanned_BannedUser(self):
user = user_pb2.User()
user.banned = 'spammer'
user_view = framework_views.UserView(None, None, True)
self.assertTrue(permissions.IsBanned(user, user_view))
def testIsBanned_BadDomainUser(self):
settings.banned_user_domains = ['spammer.com', 'phisher.com']
user = user_pb2.User()
user_view = framework_views.UserView(None, None, True)
user_view.domain = 'spammer.com'
self.assertTrue(permissions.IsBanned(user, user_view))
def testGetCustomPermissions(self):
project = project_pb2.Project()
self.assertListEqual([], permissions.GetCustomPermissions(project))
project.extra_perms.append(project_pb2.Project.ExtraPerms(
perms=['Core', 'Elite', 'Gold']))
self.assertListEqual(['Core', 'Elite', 'Gold'],
permissions.GetCustomPermissions(project))
project.extra_perms.append(project_pb2.Project.ExtraPerms(
perms=['Silver', 'Gold', 'Bronze']))
self.assertListEqual(['Bronze', 'Core', 'Elite', 'Gold', 'Silver'],
permissions.GetCustomPermissions(project))
def testUserCanViewProject(self):
self.mox.StubOutWithMock(time, 'time')
for _ in range(8):
time.time().AndReturn(self.NOW)
self.mox.ReplayAll()
self.assertTrue(permissions.UserCanViewProject(
self.member, {self.COMMITTER_USER_ID}, self.live_project))
self.assertTrue(permissions.UserCanViewProject(
None, None, self.live_project))
self.archived_project.delete_time = self.NOW + 1
self.assertFalse(permissions.UserCanViewProject(
None, None, self.archived_project))
self.assertTrue(permissions.UserCanViewProject(
self.owner, {self.OWNER_USER_ID}, self.archived_project))
self.assertTrue(permissions.UserCanViewProject(
self.site_admin, {self.SITE_ADMIN_USER_ID},
self.archived_project))
self.archived_project.delete_time = self.NOW - 1
self.assertFalse(permissions.UserCanViewProject(
None, None, self.archived_project))
self.assertFalse(permissions.UserCanViewProject(
self.owner, {self.OWNER_USER_ID}, self.archived_project))
self.assertTrue(permissions.UserCanViewProject(
self.site_admin, {self.SITE_ADMIN_USER_ID},
self.archived_project))
self.mox.VerifyAll()
def CheckExpired(self, state, expected_to_be_reapable):
proj = project_pb2.Project()
proj.state = state
proj.delete_time = self.NOW + 1
self.assertFalse(permissions.IsExpired(proj))
proj.delete_time = self.NOW - 1
self.assertEqual(expected_to_be_reapable, permissions.IsExpired(proj))
proj.delete_time = self.NOW - 1
self.assertFalse(permissions.IsExpired(proj, expired_before=self.NOW - 2))
def testIsExpired_Live(self):
self.CheckExpired(project_pb2.ProjectState.LIVE, False)
def testIsExpired_Archived(self):
self.mox.StubOutWithMock(time, 'time')
for _ in range(2):
time.time().AndReturn(self.NOW)
self.mox.ReplayAll()
self.CheckExpired(project_pb2.ProjectState.ARCHIVED, True)
self.mox.VerifyAll()
class PermissionsCheckTest(unittest.TestCase):
def setUp(self):
self.perms = permissions.PermissionSet(['a', 'b', 'c'])
self.proj = project_pb2.Project()
self.proj.committer_ids.append(111L)
self.proj.extra_perms.append(project_pb2.Project.ExtraPerms(
member_id=111L, perms=['d']))
# Note: z is an example of a perm that the user does not have.
# Note: q is an example of an irrelevant perm that the user does not have.
def DoCanUsePerm(self, perm, project='default', user_id=None, restrict=''):
"""Wrapper function to call CanUsePerm()."""
if project == 'default':
project = self.proj
return self.perms.CanUsePerm(
perm, {user_id or 111L}, project, restrict.split())
def testHasPermNoRestrictions(self):
self.assertTrue(self.DoCanUsePerm('a'))
self.assertTrue(self.DoCanUsePerm('A'))
self.assertFalse(self.DoCanUsePerm('z'))
self.assertTrue(self.DoCanUsePerm('d'))
self.assertFalse(self.DoCanUsePerm('d', user_id=222L))
self.assertFalse(self.DoCanUsePerm('d', project=project_pb2.Project()))
def testHasPermOperationRestrictions(self):
self.assertTrue(self.DoCanUsePerm('a', restrict='Restrict-a-b'))
self.assertTrue(self.DoCanUsePerm('a', restrict='Restrict-b-z'))
self.assertTrue(self.DoCanUsePerm('a', restrict='Restrict-a-d'))
self.assertTrue(self.DoCanUsePerm('d', restrict='Restrict-d-a'))
self.assertTrue(self.DoCanUsePerm(
'd', restrict='Restrict-q-z Restrict-q-d Restrict-d-a'))
self.assertFalse(self.DoCanUsePerm('a', restrict='Restrict-a-z'))
self.assertFalse(self.DoCanUsePerm('d', restrict='Restrict-d-z'))
self.assertFalse(self.DoCanUsePerm(
'd', restrict='Restrict-d-a Restrict-d-z'))
def testHasPermOutsideProjectScope(self):
self.assertTrue(self.DoCanUsePerm('a', project=None))
self.assertTrue(self.DoCanUsePerm(
'a', project=None, restrict='Restrict-a-c'))
self.assertTrue(self.DoCanUsePerm(
'a', project=None, restrict='Restrict-q-z'))
self.assertFalse(self.DoCanUsePerm('z', project=None))
self.assertFalse(self.DoCanUsePerm(
'a', project=None, restrict='Restrict-a-d'))
class CanViewProjectContributorListTest(unittest.TestCase):
def testCanViewProjectContributorList_NoProject(self):
mr = testing_helpers.MakeMonorailRequest(path='/')
self.assertFalse(permissions.CanViewContributorList(mr))
def testCanViewProjectContributorList_NormalProject(self):
project = project_pb2.Project()
mr = testing_helpers.MakeMonorailRequest(
path='/p/proj/', project=project)
self.assertTrue(permissions.CanViewContributorList(mr))
def testCanViewProjectContributorList_ProjectWithOptionSet(self):
project = project_pb2.Project()
project.only_owners_see_contributors = True
for perms in [permissions.READ_ONLY_PERMISSIONSET,
permissions.CONTRIBUTOR_ACTIVE_PERMISSIONSET,
permissions.CONTRIBUTOR_INACTIVE_PERMISSIONSET]:
mr = testing_helpers.MakeMonorailRequest(
path='/p/proj/', project=project, perms=perms)
self.assertFalse(permissions.CanViewContributorList(mr))
for perms in [permissions.COMMITTER_ACTIVE_PERMISSIONSET,
permissions.COMMITTER_INACTIVE_PERMISSIONSET,
permissions.OWNER_ACTIVE_PERMISSIONSET,
permissions.OWNER_INACTIVE_PERMISSIONSET,
permissions.ADMIN_PERMISSIONSET]:
mr = testing_helpers.MakeMonorailRequest(
path='/p/proj/', project=project, perms=perms)
self.assertTrue(permissions.CanViewContributorList(mr))
class ShouldCheckForAbandonmentTest(unittest.TestCase):
def setUp(self):
self.mr = testing_helpers.Blank(
project=project_pb2.Project(),
auth=monorailrequest.AuthData())
def testOwner(self):
self.mr.auth.effective_ids = {111L}
self.mr.perms = permissions.OWNER_ACTIVE_PERMISSIONSET
self.assertTrue(permissions.ShouldCheckForAbandonment(self.mr))
def testNonOwner(self):
self.mr.auth.effective_ids = {222L}
self.mr.perms = permissions.COMMITTER_ACTIVE_PERMISSIONSET
self.assertFalse(permissions.ShouldCheckForAbandonment(self.mr))
self.mr.perms = permissions.CONTRIBUTOR_ACTIVE_PERMISSIONSET
self.assertFalse(permissions.ShouldCheckForAbandonment(self.mr))
self.mr.perms = permissions.USER_PERMISSIONSET
self.assertFalse(permissions.ShouldCheckForAbandonment(self.mr))
self.mr.perms = permissions.EMPTY_PERMISSIONSET
self.assertFalse(permissions.ShouldCheckForAbandonment(self.mr))
def testSiteAdmin(self):
self.mr.auth.effective_ids = {111L}
self.mr.perms = permissions.ADMIN_PERMISSIONSET
self.assertFalse(permissions.ShouldCheckForAbandonment(self.mr))
class RestrictionLabelsTest(unittest.TestCase):
ORIG_SUMMARY = 'this is the orginal summary'
ORIG_LABELS = ['one', 'two']
def testGetRestrictions_NoIssue(self):
self.assertEqual([], permissions.GetRestrictions(None))
def testGetRestrictions(self):
art = fake.MakeTestIssue(
789, 1, self.ORIG_SUMMARY, 'New', 0L, labels=self.ORIG_LABELS)
self.assertEquals([], permissions.GetRestrictions(art))
art = fake.MakeTestIssue(
789, 1, self.ORIG_SUMMARY, 'New', 0L,
labels=['Restrict-MissingThirdPart', 'Hot'])
self.assertEquals([], permissions.GetRestrictions(art))
art = fake.MakeTestIssue(
789, 1, self.ORIG_SUMMARY, 'New', 0L,
labels=['Restrict-View-Core', 'Hot'])
self.assertEquals(['restrict-view-core'], permissions.GetRestrictions(art))
art = fake.MakeTestIssue(
789, 1, self.ORIG_SUMMARY, 'New', 0L,
labels=['Restrict-View-Core', 'Hot'],
derived_labels=['Color-Red', 'Restrict-EditIssue-GoldMembers'])
self.assertEquals(
['restrict-view-core', 'restrict-editissue-goldmembers'],
permissions.GetRestrictions(art))
art = fake.MakeTestIssue(
789, 1, self.ORIG_SUMMARY, 'New', 0L,
labels=['restrict-view-core', 'hot'],
derived_labels=['Color-Red', 'RESTRICT-EDITISSUE-GOLDMEMBERS'])
self.assertEquals(
['restrict-view-core', 'restrict-editissue-goldmembers'],
permissions.GetRestrictions(art))
REPORTER_ID = 111L
OWNER_ID = 222L
CC_ID = 333L
OTHER_ID = 444L
class IssuePermissionsTest(unittest.TestCase):
REGULAR_ISSUE = tracker_pb2.Issue()
REGULAR_ISSUE.reporter_id = REPORTER_ID
DELETED_ISSUE = tracker_pb2.Issue()
DELETED_ISSUE.deleted = True
DELETED_ISSUE.reporter_id = REPORTER_ID
RESTRICTED_ISSUE = tracker_pb2.Issue()
RESTRICTED_ISSUE.reporter_id = REPORTER_ID
RESTRICTED_ISSUE.owner_id = OWNER_ID
RESTRICTED_ISSUE.cc_ids.append(CC_ID)
RESTRICTED_ISSUE.labels.append('Restrict-View-Commit')
RESTRICTED_ISSUE2 = tracker_pb2.Issue()
RESTRICTED_ISSUE2.reporter_id = REPORTER_ID
# RESTRICTED_ISSUE2 has no owner
RESTRICTED_ISSUE2.cc_ids.append(CC_ID)
RESTRICTED_ISSUE2.labels.append('Restrict-View-Commit')
RESTRICTED_ISSUE3 = tracker_pb2.Issue()
RESTRICTED_ISSUE3.reporter_id = REPORTER_ID
RESTRICTED_ISSUE3.owner_id = OWNER_ID
# Restrict to a permission that no one has.
RESTRICTED_ISSUE3.labels.append('Restrict-EditIssue-Foo')
PROJECT = project_pb2.Project()
def testCanViewIssue_Deleted(self):
self.assertFalse(permissions.CanViewIssue(
{REPORTER_ID}, permissions.OWNER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.DELETED_ISSUE))
self.assertTrue(permissions.CanViewIssue(
{REPORTER_ID}, permissions.OWNER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.DELETED_ISSUE, allow_viewing_deleted=True))
self.assertTrue(permissions.CanViewIssue(
{REPORTER_ID}, permissions.OWNER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
def testCanViewIssue_Regular(self):
self.assertTrue(permissions.CanViewIssue(
{REPORTER_ID}, permissions.OWNER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
self.assertTrue(permissions.CanViewIssue(
{REPORTER_ID}, permissions.COMMITTER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
self.assertTrue(permissions.CanViewIssue(
{REPORTER_ID},
permissions.CONTRIBUTOR_ACTIVE_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
self.assertTrue(permissions.CanViewIssue(
{REPORTER_ID}, permissions.USER_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
self.assertTrue(permissions.CanViewIssue(
{REPORTER_ID}, permissions.READ_ONLY_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
self.assertTrue(permissions.CanViewIssue(
set(), permissions.READ_ONLY_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
def testCanViewIssue_Restricted(self):
# Project owner can always view issue.
self.assertTrue(permissions.CanViewIssue(
{OTHER_ID}, permissions.OWNER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE))
# Member can view because they have Commit perm.
self.assertTrue(permissions.CanViewIssue(
{OTHER_ID}, permissions.COMMITTER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE))
# Contributors normally do not have Commit perm.
self.assertFalse(permissions.CanViewIssue(
{OTHER_ID}, permissions.CONTRIBUTOR_ACTIVE_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE))
# Non-members do not have Commit perm.
self.assertFalse(permissions.CanViewIssue(
{OTHER_ID}, permissions.USER_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE))
# Anon user's do not have Commit perm.
self.assertFalse(permissions.CanViewIssue(
set(), permissions.READ_ONLY_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE))
def testCanViewIssue_RestrictedParticipants(self):
# Reporter can always view issue
self.assertTrue(permissions.CanViewIssue(
{REPORTER_ID}, permissions.READ_ONLY_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE))
# Issue owner can always view issue
self.assertTrue(permissions.CanViewIssue(
{OWNER_ID}, permissions.READ_ONLY_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE))
# CC'd user can always view issue
self.assertTrue(permissions.CanViewIssue(
{CC_ID}, permissions.READ_ONLY_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE))
# Non-participants cannot view issue if they don't have the needed perm.
self.assertFalse(permissions.CanViewIssue(
{OTHER_ID}, permissions.READ_ONLY_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE))
# Anon user's do not have Commit perm.
self.assertFalse(permissions.CanViewIssue(
set(), permissions.READ_ONLY_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE))
# Anon user's cannot match owner 0.
self.assertFalse(permissions.CanViewIssue(
set(), permissions.READ_ONLY_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE2))
def testCannotViewIssueIfCannotViewProject(self):
"""Cross-project search should not be a backdoor to viewing issues."""
# Reporter cannot view issue if they not long have access to the project.
self.assertFalse(permissions.CanViewIssue(
{REPORTER_ID}, permissions.EMPTY_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
# Issue owner cannot always view issue
self.assertFalse(permissions.CanViewIssue(
{OWNER_ID}, permissions.EMPTY_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
# CC'd user cannot always view issue
self.assertFalse(permissions.CanViewIssue(
{CC_ID}, permissions.EMPTY_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
# Non-participants cannot view issue if they don't have the needed perm.
self.assertFalse(permissions.CanViewIssue(
{OTHER_ID}, permissions.EMPTY_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
# Anon user's do not have Commit perm.
self.assertFalse(permissions.CanViewIssue(
set(), permissions.EMPTY_PERMISSIONSET, self.PROJECT,
self.REGULAR_ISSUE))
# Anon user's cannot match owner 0.
self.assertFalse(permissions.CanViewIssue(
set(), permissions.EMPTY_PERMISSIONSET, self.PROJECT,
self.REGULAR_ISSUE))
def testCanEditIssue(self):
# Non-members and contributors cannot edit issues,
# even if they reported them.
self.assertFalse(permissions.CanEditIssue(
{REPORTER_ID}, permissions.READ_ONLY_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
self.assertFalse(permissions.CanEditIssue(
{REPORTER_ID}, permissions.CONTRIBUTOR_ACTIVE_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
# Project committers and project owners can edit issues, regardless
# of their role in the issue.
self.assertTrue(permissions.CanEditIssue(
{REPORTER_ID}, permissions.COMMITTER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
self.assertTrue(permissions.CanEditIssue(
{REPORTER_ID}, permissions.OWNER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
self.assertTrue(permissions.CanEditIssue(
{OWNER_ID}, permissions.COMMITTER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
self.assertTrue(permissions.CanEditIssue(
{OWNER_ID}, permissions.OWNER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
self.assertTrue(permissions.CanEditIssue(
{OTHER_ID}, permissions.COMMITTER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
self.assertTrue(permissions.CanEditIssue(
{OTHER_ID}, permissions.OWNER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.REGULAR_ISSUE))
def testCanEditIssue_Restricted(self):
# Project committers cannot edit issues with a restriction to a custom
# permission that they don't have.
self.assertFalse(permissions.CanEditIssue(
{OTHER_ID}, permissions.COMMITTER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE3))
# *Issue* owners can always edit the issues that they own, even if
# those issues are restricted to perms that they don't have.
self.assertTrue(permissions.CanEditIssue(
{OWNER_ID}, permissions.CONTRIBUTOR_ACTIVE_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE3))
# Project owners can always edit, they cannot lock themselves out.
self.assertTrue(permissions.CanEditIssue(
{OTHER_ID}, permissions.OWNER_ACTIVE_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE3))
# A committer with edit permission but not view permission
# should not be able to edit the issue.
self.assertFalse(permissions.CanEditIssue(
{OTHER_ID}, permissions.CONTRIBUTOR_ACTIVE_PERMISSIONSET,
self.PROJECT, self.RESTRICTED_ISSUE2))
def testCanCommentIssue_HasPerm(self):
self.assertTrue(permissions.CanCommentIssue(
{111L}, permissions.PermissionSet([permissions.ADD_ISSUE_COMMENT]),
None, None))
self.assertFalse(permissions.CanCommentIssue(
{111L}, permissions.PermissionSet([]),
None, None))
def testCanCommentIssue_HasExtraPerm(self):
project = project_pb2.Project()
project.committer_ids.append(111L)
extra_perm = project_pb2.Project.ExtraPerms(
member_id=111L, perms=[permissions.ADD_ISSUE_COMMENT])
project.extra_perms.append(extra_perm)
self.assertTrue(permissions.CanCommentIssue(
{111L}, permissions.PermissionSet([]),
project, None))
self.assertFalse(permissions.CanCommentIssue(
{222L}, permissions.PermissionSet([]),
project, None))
def testCanCommentIssue_Restricted(self):
issue = tracker_pb2.Issue(labels=['Restrict-AddIssueComment-CoreTeam'])
# User is granted exactly the perm they need specifically in this issue.
self.assertTrue(permissions.CanCommentIssue(
{111L}, permissions.PermissionSet([]),
None, issue, granted_perms=['addissuecomment']))
# User is granted CoreTeam, which satifies the restriction, and allows
# them to use the AddIssueComment permission that they have and would
# normally be able to use in an unrestricted issue.
self.assertTrue(permissions.CanCommentIssue(
{111L}, permissions.PermissionSet([permissions.ADD_ISSUE_COMMENT]),
None, issue, granted_perms=['coreteam']))
# User was granted CoreTeam, but never had AddIssueComment.
self.assertFalse(permissions.CanCommentIssue(
{111L}, permissions.PermissionSet([]),
None, issue, granted_perms=['coreteam']))
# User has AddIssueComment, but cannot satisfy restriction.
self.assertFalse(permissions.CanCommentIssue(
{111L}, permissions.PermissionSet([permissions.ADD_ISSUE_COMMENT]),
None, issue))
def testCanCommentIssue_Granted(self):
self.assertTrue(permissions.CanCommentIssue(
{111L}, permissions.PermissionSet([]),
None, None, granted_perms=['addissuecomment']))
self.assertFalse(permissions.CanCommentIssue(
{111L}, permissions.PermissionSet([]),
None, None))
def testCanViewComponentDef_ComponentAdmin(self):
cd = tracker_pb2.ComponentDef(admin_ids=[111L])
perms = permissions.PermissionSet([])
self.assertTrue(permissions.CanViewComponentDef(
{111L}, perms, None, cd))
self.assertFalse(permissions.CanViewComponentDef(
{999L}, perms, None, cd))
def testCanViewComponentDef_NormalUser(self):
cd = tracker_pb2.ComponentDef()
self.assertTrue(permissions.CanViewComponentDef(
{111L}, permissions.PermissionSet([permissions.VIEW]),
None, cd))
self.assertFalse(permissions.CanViewComponentDef(
{111L}, permissions.PermissionSet([]),
None, cd))
def testCanEditComponentDef_ComponentAdmin(self):
cd = tracker_pb2.ComponentDef(admin_ids=[111L], path='Whole')
sub_cd = tracker_pb2.ComponentDef(admin_ids=[222L], path='Whole>Part')
config = tracker_bizobj.MakeDefaultProjectIssueConfig(789)
config.component_defs.append(cd)
config.component_defs.append(sub_cd)
perms = permissions.PermissionSet([])
self.assertTrue(permissions.CanEditComponentDef(
{111L}, perms, None, cd, config))
self.assertFalse(permissions.CanEditComponentDef(
{222L}, perms, None, cd, config))
self.assertFalse(permissions.CanEditComponentDef(
{999L}, perms, None, cd, config))
self.assertTrue(permissions.CanEditComponentDef(
{111L}, perms, None, sub_cd, config))
self.assertTrue(permissions.CanEditComponentDef(
{222L}, perms, None, sub_cd, config))
self.assertFalse(permissions.CanEditComponentDef(
{999L}, perms, None, sub_cd, config))
def testCanEditComponentDef_ProjectOwners(self):
cd = tracker_pb2.ComponentDef(path='Whole')
config = tracker_bizobj.MakeDefaultProjectIssueConfig(789)
config.component_defs.append(cd)
self.assertTrue(permissions.CanEditComponentDef(
{111L}, permissions.PermissionSet([permissions.EDIT_PROJECT]),
None, cd, config))
self.assertFalse(permissions.CanEditComponentDef(
{111L}, permissions.PermissionSet([]),
None, cd, config))
def testCanViewFieldDef_FieldAdmin(self):
fd = tracker_pb2.FieldDef(admin_ids=[111L])
perms = permissions.PermissionSet([])
self.assertTrue(permissions.CanViewFieldDef(
{111L}, perms, None, fd))
self.assertFalse(permissions.CanViewFieldDef(
{999L}, perms, None, fd))
def testCanViewFieldDef_NormalUser(self):
fd = tracker_pb2.FieldDef()
self.assertTrue(permissions.CanViewFieldDef(
{111L}, permissions.PermissionSet([permissions.VIEW]),
None, fd))
self.assertFalse(permissions.CanViewFieldDef(
{111L}, permissions.PermissionSet([]),
None, fd))
def testCanEditFieldDef_FieldAdmin(self):
fd = tracker_pb2.FieldDef(admin_ids=[111L])
perms = permissions.PermissionSet([])
self.assertTrue(permissions.CanEditFieldDef(
{111L}, perms, None, fd))
self.assertFalse(permissions.CanEditFieldDef(
{999L}, perms, None, fd))
def testCanEditFieldDef_ProjectOwners(self):
fd = tracker_pb2.FieldDef()
self.assertTrue(permissions.CanEditFieldDef(
{111L}, permissions.PermissionSet([permissions.EDIT_PROJECT]),
None, fd))
self.assertFalse(permissions.CanEditFieldDef(
{111L}, permissions.PermissionSet([]),
None, fd))
def testCanViewTemplate_TemplateAdmin(self):
td = tracker_pb2.TemplateDef(admin_ids=[111L])
perms = permissions.PermissionSet([])
self.assertTrue(permissions.CanViewTemplate(
{111L}, perms, None, td))
self.assertFalse(permissions.CanViewTemplate(
{999L}, perms, None, td))
def testCanViewTemplate_MembersOnly(self):
td = tracker_pb2.TemplateDef(members_only=True)
project = project_pb2.Project(committer_ids=[111L])
self.assertTrue(permissions.CanViewTemplate(
{111L}, permissions.PermissionSet([]),
project, td))
self.assertFalse(permissions.CanViewTemplate(
{999L}, permissions.PermissionSet([]),
project, td))
def testCanViewTemplate_AnyoneWhoCanViewProject(self):
td = tracker_pb2.TemplateDef()
self.assertTrue(permissions.CanViewTemplate(
{111L}, permissions.PermissionSet([permissions.VIEW]),
None, td))
self.assertFalse(permissions.CanViewTemplate(
{111L}, permissions.PermissionSet([]),
None, td))
def testCanEditTemplate_TemplateAdmin(self):
td = tracker_pb2.TemplateDef(admin_ids=[111L])
perms = permissions.PermissionSet([])
self.assertTrue(permissions.CanEditTemplate(
{111L}, perms, None, td))
self.assertFalse(permissions.CanEditTemplate(
{999L}, perms, None, td))
def testCanEditTemplate_ProjectOwners(self):
td = tracker_pb2.TemplateDef()
self.assertTrue(permissions.CanEditTemplate(
{111L}, permissions.PermissionSet([permissions.EDIT_PROJECT]),
None, td))
self.assertFalse(permissions.CanEditTemplate(
{111L}, permissions.PermissionSet([]),
None, td))
if __name__ == '__main__':
unittest.main()