test_permissions_anonymous.py
Source:test_permissions_anonymous.py
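# -*- coding: utf-8 -*-
# test_permissions_anonymous.py - Waqas Bhatti (wbhatti@astro.princeton.edu) -
# Aug 2018
# License: MIT - see the LICENSE file for the full text.

"""
This tests permissions for anonymous users.

Every case calls ``permissions.load_policy_and_check_access`` with the
``default-permissions-model.json`` file found one directory above this
module, for user ID 2 holding the "anonymous" role.

The case tables are written as allow-lists: an action is expected to be
granted only when it is named explicitly for a scenario, and every other
(action, scenario) pair is expected to be denied. What the tables pin:

- collection, object: ``list`` and ``view`` on public items owned by
  someone else; nothing else.
- dataset: ``list``, ``view`` and ``create`` on items owned by the
  anonymous user itself (any visibility); ``list`` and ``view`` on public
  items owned by someone else; nothing else.
- user, session, apikey, preference: nothing at all.

These assertions cover the default policy file only; a deployment that
loads a different policy file is not exercised here.
"""

import os.path

import pytest

from authnzerver import permissions


######################
## ANONYMOUS ACCESS ##
######################

# The user ID and role under test in every case.
_USERID = 2
_ROLE = "anonymous"

# Actions checked for every scenario, in the order the cases are generated.
_ACTIONS = (
    "list",
    "view",
    "create",
    "edit",
    "delete",
    "change_visibility",
    "change_owner",
)

# Scenarios as (target_owner, target_visibility, target_sharedwith).
# Owner 2 is the anonymous user itself; owner 1 is somebody else.
_SELF_PRIVATE = (2, "private", "")
_SELF_SHARED = (2, "shared", "")
_SELF_PUBLIC = (2, "public", "")
_OTHERS_PUBLIC = (1, "public", "")
# Shared by someone else, and the share list contains the anonymous
# user's own ID. Every table still expects a denial here.
_OTHERS_SHARED_WITH_USER = (1, "shared", "2,5,6")
# Shared by someone else, but not with this user.
_OTHERS_SHARED_ELSEWHERE = (1, "shared", "5,6")
_OTHERS_PRIVATE = (1, "private", "")

_SCENARIOS = (
    _SELF_PRIVATE,
    _SELF_SHARED,
    _SELF_PUBLIC,
    _OTHERS_PUBLIC,
    _OTHERS_SHARED_WITH_USER,
    _OTHERS_SHARED_ELSEWHERE,
    _OTHERS_PRIVATE,
)

# Path of the policy file every test loads.
_POLICY_PATH = os.path.abspath(
    os.path.join(
        os.path.abspath(os.path.dirname(__file__)),
        "..",
        "default-permissions-model.json",
    )
)


def _anonymous_cases(target_name, allowed=None, extra_actions=None):
    """Build the ``(access, target, expected)`` cases for one target type.

    Args:
        target_name: The item type passed as ``target_name``.
        allowed: Maps a scenario tuple to the actions expected to be
            granted in it. Anything not listed is expected to be denied.
        extra_actions: Maps a scenario tuple to additional actions to
            check in that scenario on top of ``_ACTIONS``.

    Returns:
        A list of ``((userid, role, action), (target_name, owner,
        visibility, sharedwith), expected)`` tuples.
    """
    allowed = allowed or {}
    extra_actions = extra_actions or {}

    cases = []
    for scenario in _SCENARIOS:
        granted = allowed.get(scenario, ())
        for action in _ACTIONS + tuple(extra_actions.get(scenario, ())):
            cases.append(
                (
                    (_USERID, _ROLE, action),
                    (target_name,) + scenario,
                    action in granted,
                )
            )
    return cases


def _assert_access(access, target, expected):
    """Check one case against the default permissions model.

    The comparison uses ``is``, so the policy check has to return the
    actual ``True``/``False`` object; a merely truthy or falsy value
    fails the test.
    """
    userid, role, action = access
    target_name, target_owner, target_visibility, target_sharedwith = target

    decision = permissions.load_policy_and_check_access(
        _POLICY_PATH,
        userid=userid,
        role=role,
        action=action,
        target_name=target_name,
        target_owner=target_owner,
        target_visibility=target_visibility,
        target_sharedwith=target_sharedwith,
    )
    assert decision is expected, "access=%r target=%r returned %r" % (
        access,
        target,
        decision,
    )


@pytest.mark.parametrize(
    "access,target,expected",
    _anonymous_cases(
        "collection",
        allowed={_OTHERS_PUBLIC: ("list", "view")},
    ),
)
def test_check_anonymous_access_to_collection(access, target, expected):
    """
    Anonymous users may only list and view other users' public collections.
    """
    _assert_access(access, target, expected)


@pytest.mark.parametrize(
    "access,target,expected",
    _anonymous_cases(
        "dataset",
        # NOTE(review): dataset is the only target type where the
        # anonymous role is expected to be granted anything on items it
        # owns, including "create" - confirm this is the intended policy.
        allowed={
            _SELF_PRIVATE: ("list", "view", "create"),
            _SELF_SHARED: ("list", "view", "create"),
            _SELF_PUBLIC: ("list", "view", "create"),
            _OTHERS_PUBLIC: ("list", "view"),
        },
    ),
)
def test_check_anonymous_access_to_dataset(access, target, expected):
    """
    Anonymous users may list, view and create their own datasets, and
    list and view other users' public datasets. Nothing else.
    """
    _assert_access(access, target, expected)


@pytest.mark.parametrize(
    "access,target,expected",
    _anonymous_cases(
        "object",
        allowed={_OTHERS_PUBLIC: ("list", "view")},
    ),
)
def test_check_anonymous_access_to_object(access, target, expected):
    """
    Anonymous users may only list and view other users' public objects.
    """
    _assert_access(access, target, expected)


@pytest.mark.parametrize(
    "access,target,expected",
    _anonymous_cases(
        "user",
        # NOTE(review): this is the only scenario in the file that
        # exercises "make_shared"; no other table covers that action.
        extra_actions={_OTHERS_SHARED_WITH_USER: ("make_shared",)},
    ),
)
def test_check_anonymous_access_to_users(access, target, expected):
    """
    Anonymous users must be denied every action on user items.
    """
    _assert_access(access, target, expected)


@pytest.mark.parametrize(
    "access,target,expected",
    _anonymous_cases("session"),
)
def test_check_anonymous_access_to_sessions(access, target, expected):
    """
    Anonymous users must be denied every action on session items.
    """
    _assert_access(access, target, expected)


@pytest.mark.parametrize(
    "access,target,expected",
    _anonymous_cases("apikey"),
)
def test_check_anonymous_access_to_apikeys(access, target, expected):
    """
    Anonymous users must be denied every action on apikey items.
    """
    _assert_access(access, target, expected)


@pytest.mark.parametrize(
    "access,target,expected",
    _anonymous_cases("preference"),
)
def test_check_anonymous_access_to_preferences(access, target, expected):
    """
    Anonymous users must be denied every action on preference items.
    """
    _assert_access(access, target, expected)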
test_permissions_superuser.py
Source:test_permissions_superuser.py
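# -*- coding: utf-8 -*-
# test_permissions_superuser.py - Waqas Bhatti (wbhatti@astro.princeton.edu) -
# Aug 2018
# License: MIT - see the LICENSE file for the full text.
"""This tests permissions for superusers.

Each table below is an explicit authorization matrix: one row per
(userid, role, action) x (target, owner, visibility, shared-with) case with
the decision expected from the default policy.  Rows are kept spelled out
rather than generated, so a change to any single decision shows up as a
one-line diff in review.
"""
import os.path
import pytest
from authnzerver import permissions
######################
## SUPERUSER ACCESS ##
######################


def _check_superuser_access(access, target):
    """Evaluate one (access, target) case against the default policy file.

    ``access`` is ``(userid, role, action)`` and ``target`` is
    ``(target_name, target_owner, target_visibility, target_sharedwith)``,
    exactly as laid out in the parametrized tables below.  Returns whatever
    ``permissions.load_policy_and_check_access`` returns for that case.
    """
    userid, role, action = access
    target_name, target_owner, target_visibility, target_sharedwith = target

    # The policy under test is the default-permissions-model.json found one
    # directory above this test module.  A deployment that loads a different
    # policy file is not covered by these expectations.
    modpath = os.path.abspath(os.path.dirname(__file__))
    permpath = os.path.abspath(
        os.path.join(modpath, "..", "default-permissions-model.json")
    )
    return permissions.load_policy_and_check_access(
        permpath,
        userid=userid,
        role=role,
        action=action,
        target_name=target_name,
        target_owner=target_owner,
        target_visibility=target_visibility,
        target_sharedwith=target_sharedwith,
    )


# Collections: every row expects True, i.e. the superuser role may perform
# all seven actions whatever the owner, visibility or share list.
@pytest.mark.parametrize(
    "access,target,expected",
    [
        # superuser -> self-owned private collection
        ((2, "superuser", "list"), ("collection", 2, "private", ""), True),
        ((2, "superuser", "view"), ("collection", 2, "private", ""), True),
        ((2, "superuser", "create"), ("collection", 2, "private", ""), True),
        ((2, "superuser", "edit"), ("collection", 2, "private", ""), True),
        ((2, "superuser", "delete"), ("collection", 2, "private", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("collection", 2, "private", ""),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("collection", 2, "private", ""),
            True,
        ),
        # superuser -> self-owned shared collection
        ((2, "superuser", "list"), ("collection", 2, "shared", ""), True),
        ((2, "superuser", "view"), ("collection", 2, "shared", ""), True),
        ((2, "superuser", "create"), ("collection", 2, "shared", ""), True),
        ((2, "superuser", "edit"), ("collection", 2, "shared", ""), True),
        ((2, "superuser", "delete"), ("collection", 2, "shared", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("collection", 2, "shared", ""),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("collection", 2, "shared", ""),
            True,
        ),
        # superuser -> self-owned public collection
        ((2, "superuser", "list"), ("collection", 2, "public", ""), True),
        ((2, "superuser", "view"), ("collection", 2, "public", ""), True),
        ((2, "superuser", "create"), ("collection", 2, "public", ""), True),
        ((2, "superuser", "edit"), ("collection", 2, "public", ""), True),
        ((2, "superuser", "delete"), ("collection", 2, "public", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("collection", 2, "public", ""),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("collection", 2, "public", ""),
            True,
        ),
        # superuser -> public collection from others
        ((2, "superuser", "list"), ("collection", 1, "public", ""), True),
        ((2, "superuser", "view"), ("collection", 1, "public", ""), True),
        ((2, "superuser", "create"), ("collection", 1, "public", ""), True),
        ((2, "superuser", "edit"), ("collection", 1, "public", ""), True),
        ((2, "superuser", "delete"), ("collection", 1, "public", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("collection", 1, "public", ""),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("collection", 1, "public", ""),
            True,
        ),
        # superuser -> shared collection from others
        ((2, "superuser", "list"), ("collection", 1, "shared", "2,5,6"), True),
        ((2, "superuser", "view"), ("collection", 1, "shared", "2,5,6"), True),
        (
            (2, "superuser", "create"),
            ("collection", 1, "shared", "2,5,6"),
            True,
        ),
        ((2, "superuser", "edit"), ("collection", 1, "shared", "2,5,6"), True),
        (
            (2, "superuser", "delete"),
            ("collection", 1, "shared", "2,5,6"),
            True,
        ),
        (
            (2, "superuser", "change_visibility"),
            ("collection", 1, "shared", "2,5,6"),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("collection", 1, "shared", "2,5,6"),
            True,
        ),
        # superuser -> shared from others but not shared to this
        # user
        ((2, "superuser", "list"), ("collection", 1, "shared", "5,6"), True),
        ((2, "superuser", "view"), ("collection", 1, "shared", "5,6"), True),
        ((2, "superuser", "create"), ("collection", 1, "shared", "5,6"), True),
        ((2, "superuser", "edit"), ("collection", 1, "shared", "5,6"), True),
        ((2, "superuser", "delete"), ("collection", 1, "shared", "5,6"), True),
        (
            (2, "superuser", "change_visibility"),
            ("collection", 1, "shared", "5,6"),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("collection", 1, "shared", "5,6"),
            True,
        ),
        # superuser -> private collection from others
        ((2, "superuser", "list"), ("collection", 1, "private", ""), True),
        ((2, "superuser", "view"), ("collection", 1, "private", ""), True),
        ((2, "superuser", "create"), ("collection", 1, "private", ""), True),
        ((2, "superuser", "edit"), ("collection", 1, "private", ""), True),
        ((2, "superuser", "delete"), ("collection", 1, "private", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("collection", 1, "private", ""),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("collection", 1, "private", ""),
            True,
        ),
    ],
)
def test_superuser_access_to_collection(access, target, expected):
    """
    Check each superuser -> collection case against the default policy.
    """
    # `is`, not `==`: only the exact bool passes, never a truthy stand-in.
    assert _check_superuser_access(access, target) is expected


# Datasets: every row expects True, as for collections.
@pytest.mark.parametrize(
    "access,target,expected",
    [
        # superuser -> self-owned private dataset
        ((2, "superuser", "list"), ("dataset", 2, "private", ""), True),
        ((2, "superuser", "view"), ("dataset", 2, "private", ""), True),
        ((2, "superuser", "create"), ("dataset", 2, "private", ""), True),
        ((2, "superuser", "edit"), ("dataset", 2, "private", ""), True),
        ((2, "superuser", "delete"), ("dataset", 2, "private", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("dataset", 2, "private", ""),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("dataset", 2, "private", ""),
            True,
        ),
        # superuser -> self-owned shared dataset
        ((2, "superuser", "list"), ("dataset", 2, "shared", ""), True),
        ((2, "superuser", "view"), ("dataset", 2, "shared", ""), True),
        ((2, "superuser", "create"), ("dataset", 2, "shared", ""), True),
        ((2, "superuser", "edit"), ("dataset", 2, "shared", ""), True),
        ((2, "superuser", "delete"), ("dataset", 2, "shared", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("dataset", 2, "shared", ""),
            True,
        ),
        ((2, "superuser", "change_owner"), ("dataset", 2, "shared", ""), True),
        # superuser -> self-owned public dataset
        ((2, "superuser", "list"), ("dataset", 2, "public", ""), True),
        ((2, "superuser", "view"), ("dataset", 2, "public", ""), True),
        ((2, "superuser", "create"), ("dataset", 2, "public", ""), True),
        ((2, "superuser", "edit"), ("dataset", 2, "public", ""), True),
        ((2, "superuser", "delete"), ("dataset", 2, "public", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("dataset", 2, "public", ""),
            True,
        ),
        ((2, "superuser", "change_owner"), ("dataset", 2, "public", ""), True),
        # superuser -> public dataset from others
        ((2, "superuser", "list"), ("dataset", 1, "public", ""), True),
        ((2, "superuser", "view"), ("dataset", 1, "public", ""), True),
        ((2, "superuser", "create"), ("dataset", 1, "public", ""), True),
        ((2, "superuser", "edit"), ("dataset", 1, "public", ""), True),
        ((2, "superuser", "delete"), ("dataset", 1, "public", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("dataset", 1, "public", ""),
            True,
        ),
        ((2, "superuser", "change_owner"), ("dataset", 1, "public", ""), True),
        # superuser -> shared dataset from others
        ((2, "superuser", "list"), ("dataset", 1, "shared", "2,5,6"), True),
        ((2, "superuser", "view"), ("dataset", 1, "shared", "2,5,6"), True),
        ((2, "superuser", "create"), ("dataset", 1, "shared", "2,5,6"), True),
        ((2, "superuser", "edit"), ("dataset", 1, "shared", "2,5,6"), True),
        ((2, "superuser", "delete"), ("dataset", 1, "shared", "2,5,6"), True),
        (
            (2, "superuser", "change_visibility"),
            ("dataset", 1, "shared", "2,5,6"),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("dataset", 1, "shared", "2,5,6"),
            True,
        ),
        # superuser -> shared from others but not shared to this
        # user
        ((2, "superuser", "list"), ("dataset", 1, "shared", "5,6"), True),
        ((2, "superuser", "view"), ("dataset", 1, "shared", "5,6"), True),
        ((2, "superuser", "create"), ("dataset", 1, "shared", "5,6"), True),
        ((2, "superuser", "edit"), ("dataset", 1, "shared", "5,6"), True),
        ((2, "superuser", "delete"), ("dataset", 1, "shared", "5,6"), True),
        (
            (2, "superuser", "change_visibility"),
            ("dataset", 1, "shared", "5,6"),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("dataset", 1, "shared", "5,6"),
            True,
        ),
        # superuser -> private dataset from others
        ((2, "superuser", "list"), ("dataset", 1, "private", ""), True),
        ((2, "superuser", "view"), ("dataset", 1, "private", ""), True),
        ((2, "superuser", "create"), ("dataset", 1, "private", ""), True),
        ((2, "superuser", "edit"), ("dataset", 1, "private", ""), True),
        ((2, "superuser", "delete"), ("dataset", 1, "private", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("dataset", 1, "private", ""),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("dataset", 1, "private", ""),
            True,
        ),
    ],
)
def test_superuser_access_to_dataset(access, target, expected):
    """
    Check each superuser -> dataset case against the default policy.
    """
    # `is`, not `==`: only the exact bool passes, never a truthy stand-in.
    assert _check_superuser_access(access, target) is expected


# Objects: every row expects True, as for collections and datasets.
@pytest.mark.parametrize(
    "access,target,expected",
    [
        # superuser -> self-owned private object
        ((2, "superuser", "list"), ("object", 2, "private", ""), True),
        ((2, "superuser", "view"), ("object", 2, "private", ""), True),
        ((2, "superuser", "create"), ("object", 2, "private", ""), True),
        ((2, "superuser", "edit"), ("object", 2, "private", ""), True),
        ((2, "superuser", "delete"), ("object", 2, "private", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("object", 2, "private", ""),
            True,
        ),
        ((2, "superuser", "change_owner"), ("object", 2, "private", ""), True),
        # superuser -> self-owned shared object
        ((2, "superuser", "list"), ("object", 2, "shared", ""), True),
        ((2, "superuser", "view"), ("object", 2, "shared", ""), True),
        ((2, "superuser", "create"), ("object", 2, "shared", ""), True),
        ((2, "superuser", "edit"), ("object", 2, "shared", ""), True),
        ((2, "superuser", "delete"), ("object", 2, "shared", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("object", 2, "shared", ""),
            True,
        ),
        ((2, "superuser", "change_owner"), ("object", 2, "shared", ""), True),
        # superuser -> self-owned public object
        ((2, "superuser", "list"), ("object", 2, "public", ""), True),
        ((2, "superuser", "view"), ("object", 2, "public", ""), True),
        ((2, "superuser", "create"), ("object", 2, "public", ""), True),
        ((2, "superuser", "edit"), ("object", 2, "public", ""), True),
        ((2, "superuser", "delete"), ("object", 2, "public", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("object", 2, "public", ""),
            True,
        ),
        ((2, "superuser", "change_owner"), ("object", 2, "public", ""), True),
        # superuser -> public object from others
        # (all seven actions are expected to be allowed, not only list/view)
        ((2, "superuser", "list"), ("object", 1, "public", ""), True),
        ((2, "superuser", "view"), ("object", 1, "public", ""), True),
        ((2, "superuser", "create"), ("object", 1, "public", ""), True),
        ((2, "superuser", "edit"), ("object", 1, "public", ""), True),
        ((2, "superuser", "delete"), ("object", 1, "public", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("object", 1, "public", ""),
            True,
        ),
        ((2, "superuser", "change_owner"), ("object", 1, "public", ""), True),
        # superuser -> shared object from others
        ((2, "superuser", "list"), ("object", 1, "shared", "2,5,6"), True),
        ((2, "superuser", "view"), ("object", 1, "shared", "2,5,6"), True),
        ((2, "superuser", "create"), ("object", 1, "shared", "2,5,6"), True),
        ((2, "superuser", "edit"), ("object", 1, "shared", "2,5,6"), True),
        ((2, "superuser", "delete"), ("object", 1, "shared", "2,5,6"), True),
        (
            (2, "superuser", "change_visibility"),
            ("object", 1, "shared", "2,5,6"),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("object", 1, "shared", "2,5,6"),
            True,
        ),
        # superuser -> shared from others but not shared to this
        # user
        ((2, "superuser", "list"), ("object", 1, "shared", "5,6"), True),
        ((2, "superuser", "view"), ("object", 1, "shared", "5,6"), True),
        ((2, "superuser", "create"), ("object", 1, "shared", "5,6"), True),
        ((2, "superuser", "edit"), ("object", 1, "shared", "5,6"), True),
        ((2, "superuser", "delete"), ("object", 1, "shared", "5,6"), True),
        (
            (2, "superuser", "change_visibility"),
            ("object", 1, "shared", "5,6"),
            True,
        ),
        (
            (2, "superuser", "change_owner"),
            ("object", 1, "shared", "5,6"),
            True,
        ),
        # superuser -> private object from others
        ((2, "superuser", "list"), ("object", 1, "private", ""), True),
        ((2, "superuser", "view"), ("object", 1, "private", ""), True),
        ((2, "superuser", "create"), ("object", 1, "private", ""), True),
        ((2, "superuser", "edit"), ("object", 1, "private", ""), True),
        ((2, "superuser", "delete"), ("object", 1, "private", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("object", 1, "private", ""),
            True,
        ),
        ((2, "superuser", "change_owner"), ("object", 1, "private", ""), True),
    ],
)
def test_superuser_access_to_object(access, target, expected):
    """
    Check each superuser -> object case against the default policy.
    """
    # `is`, not `==`: only the exact bool passes, never a truthy stand-in.
    assert _check_superuser_access(access, target) is expected


# Users: the only allowed rows are list/view/create/edit/delete on another
# user's *private* record.  Every other row, including all actions on the
# superuser's own record and every change_visibility/change_owner, expects
# False.
@pytest.mark.parametrize(
    "access,target,expected",
    [
        # superuser -> self-owned private users
        ((2, "superuser", "list"), ("user", 2, "private", ""), False),
        ((2, "superuser", "view"), ("user", 2, "private", ""), False),
        ((2, "superuser", "create"), ("user", 2, "private", ""), False),
        ((2, "superuser", "edit"), ("user", 2, "private", ""), False),
        ((2, "superuser", "delete"), ("user", 2, "private", ""), False),
        (
            (2, "superuser", "change_visibility"),
            ("user", 2, "private", ""),
            False,
        ),
        ((2, "superuser", "change_owner"), ("user", 2, "private", ""), False),
        # superuser -> self-owned shared users
        ((2, "superuser", "list"), ("user", 2, "shared", ""), False),
        ((2, "superuser", "view"), ("user", 2, "shared", ""), False),
        ((2, "superuser", "create"), ("user", 2, "shared", ""), False),
        ((2, "superuser", "edit"), ("user", 2, "shared", ""), False),
        ((2, "superuser", "delete"), ("user", 2, "shared", ""), False),
        (
            (2, "superuser", "change_visibility"),
            ("user", 2, "shared", ""),
            False,
        ),
        ((2, "superuser", "change_owner"), ("user", 2, "shared", ""), False),
        # superuser -> self-owned public users
        ((2, "superuser", "list"), ("user", 2, "public", ""), False),
        ((2, "superuser", "view"), ("user", 2, "public", ""), False),
        ((2, "superuser", "create"), ("user", 2, "public", ""), False),
        ((2, "superuser", "edit"), ("user", 2, "public", ""), False),
        ((2, "superuser", "delete"), ("user", 2, "public", ""), False),
        (
            (2, "superuser", "change_visibility"),
            ("user", 2, "public", ""),
            False,
        ),
        ((2, "superuser", "change_owner"), ("user", 2, "public", ""), False),
        # superuser -> public users from others
        ((2, "superuser", "list"), ("user", 1, "public", ""), False),
        ((2, "superuser", "view"), ("user", 1, "public", ""), False),
        ((2, "superuser", "create"), ("user", 1, "public", ""), False),
        ((2, "superuser", "edit"), ("user", 1, "public", ""), False),
        ((2, "superuser", "delete"), ("user", 1, "public", ""), False),
        (
            (2, "superuser", "change_visibility"),
            ("user", 1, "public", ""),
            False,
        ),
        ((2, "superuser", "change_owner"), ("user", 1, "public", ""), False),
        # superuser -> shared users from others
        ((2, "superuser", "list"), ("user", 1, "shared", "2,5,6"), False),
        ((2, "superuser", "view"), ("user", 1, "shared", "2,5,6"), False),
        ((2, "superuser", "create"), ("user", 1, "shared", "2,5,6"), False),
        ((2, "superuser", "edit"), ("user", 1, "shared", "2,5,6"), False),
        ((2, "superuser", "delete"), ("user", 1, "shared", "2,5,6"), False),
        (
            (2, "superuser", "change_visibility"),
            ("user", 1, "shared", "2,5,6"),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("user", 1, "shared", "2,5,6"),
            False,
        ),
        # superuser -> shared from others but not shared to this
        # user
        ((2, "superuser", "list"), ("user", 1, "shared", "5,6"), False),
        ((2, "superuser", "view"), ("user", 1, "shared", "5,6"), False),
        ((2, "superuser", "create"), ("user", 1, "shared", "5,6"), False),
        ((2, "superuser", "edit"), ("user", 1, "shared", "5,6"), False),
        ((2, "superuser", "delete"), ("user", 1, "shared", "5,6"), False),
        (
            (2, "superuser", "change_visibility"),
            ("user", 1, "shared", "5,6"),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("user", 1, "shared", "5,6"),
            False,
        ),
        # superuser -> private users from others
        ((2, "superuser", "list"), ("user", 1, "private", ""), True),
        ((2, "superuser", "view"), ("user", 1, "private", ""), True),
        ((2, "superuser", "create"), ("user", 1, "private", ""), True),
        ((2, "superuser", "edit"), ("user", 1, "private", ""), True),
        ((2, "superuser", "delete"), ("user", 1, "private", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("user", 1, "private", ""),
            False,
        ),
        ((2, "superuser", "change_owner"), ("user", 1, "private", ""), False),
    ],
)
def test_superuser_access_to_users(access, target, expected):
    """
    Check each superuser -> user-record case against the default policy.
    """
    # `is`, not `==`: only the exact bool passes, never a truthy stand-in.
    assert _check_superuser_access(access, target) is expected


# Sessions: the only allowed rows are list/view/delete on another user's
# *private* session.  Creating or editing someone else's session, and every
# other row in the table, expects False.
@pytest.mark.parametrize(
    "access,target,expected",
    [
        # superuser -> self-owned private sessions
        ((2, "superuser", "list"), ("session", 2, "private", ""), False),
        ((2, "superuser", "view"), ("session", 2, "private", ""), False),
        ((2, "superuser", "create"), ("session", 2, "private", ""), False),
        ((2, "superuser", "edit"), ("session", 2, "private", ""), False),
        ((2, "superuser", "delete"), ("session", 2, "private", ""), False),
        (
            (2, "superuser", "change_visibility"),
            ("session", 2, "private", ""),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("session", 2, "private", ""),
            False,
        ),
        # superuser -> self-owned shared sessions
        ((2, "superuser", "list"), ("session", 2, "shared", ""), False),
        ((2, "superuser", "view"), ("session", 2, "shared", ""), False),
        ((2, "superuser", "create"), ("session", 2, "shared", ""), False),
        ((2, "superuser", "edit"), ("session", 2, "shared", ""), False),
        ((2, "superuser", "delete"), ("session", 2, "shared", ""), False),
        (
            (2, "superuser", "change_visibility"),
            ("session", 2, "shared", ""),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("session", 2, "shared", ""),
            False,
        ),
        # superuser -> self-owned public sessions
        ((2, "superuser", "list"), ("session", 2, "public", ""), False),
        ((2, "superuser", "view"), ("session", 2, "public", ""), False),
        ((2, "superuser", "create"), ("session", 2, "public", ""), False),
        ((2, "superuser", "edit"), ("session", 2, "public", ""), False),
        ((2, "superuser", "delete"), ("session", 2, "public", ""), False),
        (
            (2, "superuser", "change_visibility"),
            ("session", 2, "public", ""),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("session", 2, "public", ""),
            False,
        ),
        # superuser -> public sessions from others
        ((2, "superuser", "list"), ("session", 1, "public", ""), False),
        ((2, "superuser", "view"), ("session", 1, "public", ""), False),
        ((2, "superuser", "create"), ("session", 1, "public", ""), False),
        ((2, "superuser", "edit"), ("session", 1, "public", ""), False),
        ((2, "superuser", "delete"), ("session", 1, "public", ""), False),
        (
            (2, "superuser", "change_visibility"),
            ("session", 1, "public", ""),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("session", 1, "public", ""),
            False,
        ),
        # superuser -> shared sessions from others
        ((2, "superuser", "list"), ("session", 1, "shared", "2,5,6"), False),
        ((2, "superuser", "view"), ("session", 1, "shared", "2,5,6"), False),
        ((2, "superuser", "create"), ("session", 1, "shared", "2,5,6"), False),
        ((2, "superuser", "edit"), ("session", 1, "shared", "2,5,6"), False),
        ((2, "superuser", "delete"), ("session", 1, "shared", "2,5,6"), False),
        (
            (2, "superuser", "change_visibility"),
            ("session", 1, "shared", "2,5,6"),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("session", 1, "shared", "2,5,6"),
            False,
        ),
        # superuser -> shared from others but not shared to this
        # user
        ((2, "superuser", "list"), ("session", 1, "shared", "5,6"), False),
        ((2, "superuser", "view"), ("session", 1, "shared", "5,6"), False),
        ((2, "superuser", "create"), ("session", 1, "shared", "5,6"), False),
        ((2, "superuser", "edit"), ("session", 1, "shared", "5,6"), False),
        ((2, "superuser", "delete"), ("session", 1, "shared", "5,6"), False),
        (
            (2, "superuser", "change_visibility"),
            ("session", 1, "shared", "5,6"),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("session", 1, "shared", "5,6"),
            False,
        ),
        # superuser -> private sessions from others
        ((2, "superuser", "list"), ("session", 1, "private", ""), True),
        ((2, "superuser", "view"), ("session", 1, "private", ""), True),
        ((2, "superuser", "create"), ("session", 1, "private", ""), False),
        ((2, "superuser", "edit"), ("session", 1, "private", ""), False),
        ((2, "superuser", "delete"), ("session", 1, "private", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("session", 1, "private", ""),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("session", 1, "private", ""),
            False,
        ),
    ],
)
def test_superuser_access_to_sessions(access, target, expected):
    """
    Check each superuser -> session case against the default policy.
    """
    # `is`, not `==`: only the exact bool passes, never a truthy stand-in.
    assert _check_superuser_access(access, target) is expected


# API keys: on *private* keys (own or another user's) list/view/create/delete
# expect True, while edit, change_visibility and change_owner expect False.
# Every row for a shared or public key expects False.
@pytest.mark.parametrize(
    "access,target,expected",
    [
        # superuser -> self-owned private apikeys
        ((2, "superuser", "list"), ("apikey", 2, "private", ""), True),
        ((2, "superuser", "view"), ("apikey", 2, "private", ""), True),
        ((2, "superuser", "create"), ("apikey", 2, "private", ""), True),
        ((2, "superuser", "edit"), ("apikey", 2, "private", ""), False),
        ((2, "superuser", "delete"), ("apikey", 2, "private", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("apikey", 2, "private", ""),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("apikey", 2, "private", ""),
            False,
        ),
        # superuser -> self-owned shared apikeys
        ((2, "superuser", "list"), ("apikey", 2, "shared", ""), False),
        ((2, "superuser", "view"), ("apikey", 2, "shared", ""), False),
        ((2, "superuser", "create"), ("apikey", 2, "shared", ""), False),
        ((2, "superuser", "edit"), ("apikey", 2, "shared", ""), False),
        ((2, "superuser", "delete"), ("apikey", 2, "shared", ""), False),
        (
            (2, "superuser", "change_visibility"),
            ("apikey", 2, "shared", ""),
            False,
        ),
        ((2, "superuser", "change_owner"), ("apikey", 2, "shared", ""), False),
        # superuser -> self-owned public apikeys
        ((2, "superuser", "list"), ("apikey", 2, "public", ""), False),
        ((2, "superuser", "view"), ("apikey", 2, "public", ""), False),
        ((2, "superuser", "create"), ("apikey", 2, "public", ""), False),
        ((2, "superuser", "edit"), ("apikey", 2, "public", ""), False),
        ((2, "superuser", "delete"), ("apikey", 2, "public", ""), False),
        (
            (2, "superuser", "change_visibility"),
            ("apikey", 2, "public", ""),
            False,
        ),
        ((2, "superuser", "change_owner"), ("apikey", 2, "public", ""), False),
        # superuser -> public apikeys from others
        ((2, "superuser", "list"), ("apikey", 1, "public", ""), False),
        ((2, "superuser", "view"), ("apikey", 1, "public", ""), False),
        ((2, "superuser", "create"), ("apikey", 1, "public", ""), False),
        ((2, "superuser", "edit"), ("apikey", 1, "public", ""), False),
        ((2, "superuser", "delete"), ("apikey", 1, "public", ""), False),
        (
            (2, "superuser", "change_visibility"),
            ("apikey", 1, "public", ""),
            False,
        ),
        ((2, "superuser", "change_owner"), ("apikey", 1, "public", ""), False),
        # superuser -> shared apikeys from others
        ((2, "superuser", "list"), ("apikey", 1, "shared", "2,5,6"), False),
        ((2, "superuser", "view"), ("apikey", 1, "shared", "2,5,6"), False),
        ((2, "superuser", "create"), ("apikey", 1, "shared", "2,5,6"), False),
        ((2, "superuser", "edit"), ("apikey", 1, "shared", "2,5,6"), False),
        ((2, "superuser", "delete"), ("apikey", 1, "shared", "2,5,6"), False),
        (
            (2, "superuser", "change_visibility"),
            ("apikey", 1, "shared", "2,5,6"),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("apikey", 1, "shared", "2,5,6"),
            False,
        ),
        # superuser -> shared from others but not shared to this
        # user
        ((2, "superuser", "list"), ("apikey", 1, "shared", "5,6"), False),
        ((2, "superuser", "view"), ("apikey", 1, "shared", "5,6"), False),
        ((2, "superuser", "create"), ("apikey", 1, "shared", "5,6"), False),
        ((2, "superuser", "edit"), ("apikey", 1, "shared", "5,6"), False),
        ((2, "superuser", "delete"), ("apikey", 1, "shared", "5,6"), False),
        (
            (2, "superuser", "change_visibility"),
            ("apikey", 1, "shared", "5,6"),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("apikey", 1, "shared", "5,6"),
            False,
        ),
        # superuser -> private apikeys from others
        ((2, "superuser", "list"), ("apikey", 1, "private", ""), True),
        ((2, "superuser", "view"), ("apikey", 1, "private", ""), True),
        ((2, "superuser", "create"), ("apikey", 1, "private", ""), True),
        ((2, "superuser", "edit"), ("apikey", 1, "private", ""), False),
        ((2, "superuser", "delete"), ("apikey", 1, "private", ""), True),
        (
            (2, "superuser", "change_visibility"),
            ("apikey", 1, "private", ""),
            False,
        ),
        (
            (2, "superuser", "change_owner"),
            ("apikey", 1, "private", ""),
            False,
        ),
    ],
)
def test_superuser_access_to_apikeys(access, target, expected):
    """
    Check each superuser -> apikey case against the default policy.
    """
    # `is`, not `==`: only the exact bool passes, never a truthy stand-in.
    assert _check_superuser_access(access, target) is expected
809@pytest.mark.parametrize(810 "access,target,expected",811 [812 # superuser -> self-owned private preferences813 ((2, "superuser", "list"), ("preference", 2, "private", ""), True),814 ((2, "superuser", "view"), ("preference", 2, "private", ""), True),815 ((2, "superuser", "create"), ("preference", 2, "private", ""), False),816 ((2, "superuser", "edit"), ("preference", 2, "private", ""), True),817 ((2, "superuser", "delete"), ("preference", 2, "private", ""), False),818 (819 (2, "superuser", "change_visibility"),820 ("preference", 2, "private", ""),821 False,822 ),823 (824 (2, "superuser", "change_owner"),825 ("preference", 2, "private", ""),826 False,827 ),828 # 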
"superuser", "list"), ("preference", 2, "shared", ""), False),830 ((2, "superuser", "view"), ("preference", 2, "shared", ""), False),831 ((2, "superuser", "create"), ("preference", 2, "shared", ""), False),832 ((2, "superuser", "edit"), ("preference", 2, "shared", ""), False),833 ((2, "superuser", "delete"), ("preference", 2, "shared", ""), False),834 (835 (2, "superuser", "change_visibility"),836 ("preference", 2, "shared", ""),837 False,838 ),839 (840 (2, "superuser", "change_owner"),841 ("preference", 2, "shared", ""),842 False,843 ),844 # superuser -> self-owned public preferences845 ((2, "superuser", "list"), ("preference", 2, "public", ""), False),846 ((2, "superuser", "view"), ("preference", 2, "public", ""), False),847 ((2, "superuser", "create"), ("preference", 2, "public", ""), False),848 ((2, "superuser", "edit"), ("preference", 2, "public", ""), False),849 ((2, "superuser", "delete"), ("preference", 2, "public", ""), False),850 (851 (2, "superuser", "change_visibility"),852 ("preference", 2, "public", ""),853 False,854 ),855 (856 (2, "superuser", "change_owner"),857 ("preference", 2, "public", ""),858 False,859 ),860 # superuser -> public preferences from others861 ((2, "superuser", "list"), ("preference", 1, "public", ""), False),862 ((2, "superuser", "view"), ("preference", 1, "public", ""), False),863 ((2, "superuser", "create"), ("preference", 1, "public", ""), False),864 ((2, "superuser", "edit"), ("preference", 1, "public", ""), False),865 ((2, "superuser", "delete"), ("preference", 1, "public", ""), False),866 (867 (2, "superuser", "change_visibility"),868 ("preference", 1, "public", ""),869 False,870 ),871 (872 (2, "superuser", "change_owner"),873 ("preference", 1, "public", ""),874 False,875 ),876 # superuser -> shared preferences from others877 (878 (2, "superuser", "list"),879 ("preference", 1, "shared", "2,5,6"),880 False,881 ),882 (883 (2, "superuser", "view"),884 ("preference", 1, "shared", "2,5,6"),885 False,886 ),887 (888 (2, 
"superuser", "create"),889 ("preference", 1, "shared", "2,5,6"),890 False,891 ),892 (893 (2, "superuser", "edit"),894 ("preference", 1, "shared", "2,5,6"),895 False,896 ),897 (898 (2, "superuser", "delete"),899 ("preference", 1, "shared", "2,5,6"),900 False,901 ),902 (903 (2, "superuser", "change_visibility"),904 ("preference", 1, "shared", "2,5,6"),905 False,906 ),907 (908 (2, "superuser", "change_owner"),909 ("preference", 1, "shared", "2,5,6"),910 False,911 ),912 # superuser -> shared from others but not shared to this913 # user914 ((2, "superuser", "list"), ("preference", 1, "shared", "5,6"), False),915 ((2, "superuser", "view"), ("preference", 1, "shared", "5,6"), False),916 (917 (2, "superuser", "create"),918 ("preference", 1, "shared", "5,6"),919 False,920 ),921 ((2, "superuser", "edit"), ("preference", 1, "shared", "5,6"), False),922 (923 (2, "superuser", "delete"),924 ("preference", 1, "shared", "5,6"),925 False,926 ),927 (928 (2, "superuser", "change_visibility"),929 ("preference", 1, "shared", "5,6"),930 False,931 ),932 (933 (2, "superuser", "change_owner"),934 ("preference", 1, "shared", "5,6"),935 False,936 ),937 # superuser -> private preferences from others938 ((2, "superuser", "list"), ("preference", 1, "private", ""), True),939 ((2, "superuser", "view"), ("preference", 1, "private", ""), True),940 ((2, "superuser", "create"), ("preference", 1, "private", ""), False),941 ((2, "superuser", "edit"), ("preference", 1, "private", ""), True),942 ((2, "superuser", "delete"), ("preference", 1, "private", ""), False),943 (944 (2, "superuser", "change_visibility"),945 ("preference", 1, "private", ""),946 False,947 ),948 (949 (2, "superuser", "change_owner"),950 ("preference", 1, "private", ""),951 False,952 ),953 ],954)955def test_superuser_access_to_preferences(access, target, expected):956 """957 This checks user access.958 """959 userid, role, action = access960 target_name, target_owner, target_visibility, target_sharedwith = target961 # load the default 
permissions model962 modpath = os.path.abspath(os.path.dirname(__file__))963 permpath = os.path.abspath(964 os.path.join(modpath, "..", "default-permissions-model.json")965 )966 assert (967 permissions.load_policy_and_check_access(968 permpath,969 userid=userid,970 role=role,971 action=action,972 target_name=target_name,973 target_owner=target_owner,974 target_visibility=target_visibility,975 target_sharedwith=target_sharedwith,976 )977 is expected...
test_permissions_staff.py
Source:test_permissions_staff.py
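# -*- coding: utf-8 -*-
# test_permissions_staff.py - Waqas Bhatti (wbhatti@astro.princeton.edu) - Aug
# 2018
# License: MIT - see the LICENSE file for the full text.

"""
This tests permissions for staff users.

Every case is a triple ``(access, target, expected)``:

- ``access``  is ``(userid, role, action)``
- ``target``  is ``(target_name, target_owner, target_visibility,
  target_sharedwith)``
- ``expected`` is the exact boolean decision the policy check must return.

In all cases the acting user is user id 2 with the ``staff`` role; targets
owned by user id 2 are "self-owned", targets owned by user id 1 are "from
others".

The cases are evaluated against ``default-permissions-model.json`` located one
directory above this file, so they pin the default model only. A policy file
other than that one is not exercised by these tables.
"""

import os.path

import pytest

from authnzerver import permissions


def _default_policy_path():
    """Return the absolute path of the default permissions model JSON.

    The path is resolved relative to this test module rather than the current
    working directory, so the tests read the same policy file no matter where
    pytest is started from.
    """
    modpath = os.path.abspath(os.path.dirname(__file__))
    return os.path.abspath(
        os.path.join(modpath, "..", "default-permissions-model.json")
    )


def _assert_access(access, target, expected):
    """Assert that the default policy returns ``expected`` for one case.

    Shared by every test below; the seven test functions previously carried
    identical copies of this body.

    Args:
        access: ``(userid, role, action)`` of the acting principal.
        target: ``(target_name, target_owner, target_visibility,
            target_sharedwith)`` of the item being accessed.
        expected: ``True`` if access must be granted, ``False`` if denied.
    """
    userid, role, action = access
    target_name, target_owner, target_visibility, target_sharedwith = target

    decision = permissions.load_policy_and_check_access(
        _default_policy_path(),
        userid=userid,
        role=role,
        action=action,
        target_name=target_name,
        target_owner=target_owner,
        target_visibility=target_visibility,
        target_sharedwith=target_sharedwith,
    )

    # Identity comparison on purpose: the check has to return the bool
    # singleton itself. A merely truthy or falsy value (for example None
    # standing in for "deny") fails the case instead of passing silently.
    assert decision is expected, (
        f"policy decision for access={access!r} on target={target!r} "
        f"was {decision!r}, expected {expected!r}"
    )


######################
## STAFF ACCESS ##
######################


@pytest.mark.parametrize(
    "access,target,expected",
    [
        # staff -> self-owned private collection
        ((2, "staff", "list"), ("collection", 2, "private", ""), True),
        ((2, "staff", "view"), ("collection", 2, "private", ""), True),
        ((2, "staff", "create"), ("collection", 2, "private", ""), True),
        ((2, "staff", "edit"), ("collection", 2, "private", ""), True),
        ((2, "staff", "delete"), ("collection", 2, "private", ""), True),
        ((2, "staff", "change_visibility"), ("collection", 2, "private", ""), True),
        ((2, "staff", "change_owner"), ("collection", 2, "private", ""), True),
        # staff -> self-owned shared collection
        ((2, "staff", "list"), ("collection", 2, "shared", ""), True),
        ((2, "staff", "view"), ("collection", 2, "shared", ""), True),
        ((2, "staff", "create"), ("collection", 2, "shared", ""), True),
        ((2, "staff", "edit"), ("collection", 2, "shared", ""), True),
        ((2, "staff", "delete"), ("collection", 2, "shared", ""), True),
        ((2, "staff", "change_visibility"), ("collection", 2, "shared", ""), True),
        ((2, "staff", "change_owner"), ("collection", 2, "shared", ""), True),
        # staff -> self-owned public collection
        ((2, "staff", "list"), ("collection", 2, "public", ""), True),
        ((2, "staff", "view"), ("collection", 2, "public", ""), True),
        ((2, "staff", "create"), ("collection", 2, "public", ""), True),
        ((2, "staff", "edit"), ("collection", 2, "public", ""), True),
        ((2, "staff", "delete"), ("collection", 2, "public", ""), True),
        ((2, "staff", "change_visibility"), ("collection", 2, "public", ""), True),
        ((2, "staff", "change_owner"), ("collection", 2, "public", ""), True),
        # staff -> public collection from others
        ((2, "staff", "list"), ("collection", 1, "public", ""), True),
        ((2, "staff", "view"), ("collection", 1, "public", ""), True),
        ((2, "staff", "create"), ("collection", 1, "public", ""), False),
        ((2, "staff", "edit"), ("collection", 1, "public", ""), True),
        ((2, "staff", "delete"), ("collection", 1, "public", ""), True),
        ((2, "staff", "change_visibility"), ("collection", 1, "public", ""), True),
        ((2, "staff", "change_owner"), ("collection", 1, "public", ""), True),
        # staff -> shared collection from others
        ((2, "staff", "list"), ("collection", 1, "shared", "2,5,6"), True),
        ((2, "staff", "view"), ("collection", 1, "shared", "2,5,6"), True),
        ((2, "staff", "create"), ("collection", 1, "shared", "2,5,6"), False),
        ((2, "staff", "edit"), ("collection", 1, "shared", "2,5,6"), True),
        ((2, "staff", "delete"), ("collection", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_visibility"), ("collection", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_owner"), ("collection", 1, "shared", "2,5,6"), False),
        # staff -> shared from others but not shared to this user
        # NOTE(review): list/view/edit are expected to be granted here even
        # though user 2 is absent from the "5,6" share list, i.e. the share
        # list does not gate staff on shared items (same in the dataset and
        # object tables) - confirm that is the intended model.
        ((2, "staff", "list"), ("collection", 1, "shared", "5,6"), True),
        ((2, "staff", "view"), ("collection", 1, "shared", "5,6"), True),
        ((2, "staff", "create"), ("collection", 1, "shared", "5,6"), False),
        ((2, "staff", "edit"), ("collection", 1, "shared", "5,6"), True),
        ((2, "staff", "delete"), ("collection", 1, "shared", "5,6"), False),
        ((2, "staff", "change_visibility"), ("collection", 1, "shared", "5,6"), False),
        ((2, "staff", "change_owner"), ("collection", 1, "shared", "5,6"), False),
        # staff -> private collection from others
        ((2, "staff", "list"), ("collection", 1, "private", ""), True),
        ((2, "staff", "view"), ("collection", 1, "private", ""), False),
        ((2, "staff", "create"), ("collection", 1, "private", ""), False),
        ((2, "staff", "edit"), ("collection", 1, "private", ""), False),
        ((2, "staff", "delete"), ("collection", 1, "private", ""), False),
        ((2, "staff", "change_visibility"), ("collection", 1, "private", ""), False),
        ((2, "staff", "change_owner"), ("collection", 1, "private", ""), False),
    ],
)
def test_staff_access_to_collection(access, target, expected):
    """Check staff decisions on ``collection`` targets in the default policy."""
    _assert_access(access, target, expected)


@pytest.mark.parametrize(
    "access,target,expected",
    [
        # staff -> self-owned private dataset
        ((2, "staff", "list"), ("dataset", 2, "private", ""), True),
        ((2, "staff", "view"), ("dataset", 2, "private", ""), True),
        ((2, "staff", "create"), ("dataset", 2, "private", ""), True),
        ((2, "staff", "edit"), ("dataset", 2, "private", ""), True),
        ((2, "staff", "delete"), ("dataset", 2, "private", ""), True),
        ((2, "staff", "change_visibility"), ("dataset", 2, "private", ""), True),
        ((2, "staff", "change_owner"), ("dataset", 2, "private", ""), True),
        # staff -> self-owned shared dataset
        ((2, "staff", "list"), ("dataset", 2, "shared", ""), True),
        ((2, "staff", "view"), ("dataset", 2, "shared", ""), True),
        ((2, "staff", "create"), ("dataset", 2, "shared", ""), True),
        ((2, "staff", "edit"), ("dataset", 2, "shared", ""), True),
        ((2, "staff", "delete"), ("dataset", 2, "shared", ""), True),
        ((2, "staff", "change_visibility"), ("dataset", 2, "shared", ""), True),
        ((2, "staff", "change_owner"), ("dataset", 2, "shared", ""), True),
        # staff -> self-owned public dataset
        ((2, "staff", "list"), ("dataset", 2, "public", ""), True),
        ((2, "staff", "view"), ("dataset", 2, "public", ""), True),
        ((2, "staff", "create"), ("dataset", 2, "public", ""), True),
        ((2, "staff", "edit"), ("dataset", 2, "public", ""), True),
        ((2, "staff", "delete"), ("dataset", 2, "public", ""), True),
        ((2, "staff", "change_visibility"), ("dataset", 2, "public", ""), True),
        ((2, "staff", "change_owner"), ("dataset", 2, "public", ""), True),
        # staff -> public dataset from others
        ((2, "staff", "list"), ("dataset", 1, "public", ""), True),
        ((2, "staff", "view"), ("dataset", 1, "public", ""), True),
        ((2, "staff", "create"), ("dataset", 1, "public", ""), False),
        ((2, "staff", "edit"), ("dataset", 1, "public", ""), True),
        ((2, "staff", "delete"), ("dataset", 1, "public", ""), True),
        ((2, "staff", "change_visibility"), ("dataset", 1, "public", ""), True),
        ((2, "staff", "change_owner"), ("dataset", 1, "public", ""), True),
        # staff -> shared dataset from others
        ((2, "staff", "list"), ("dataset", 1, "shared", "2,5,6"), True),
        ((2, "staff", "view"), ("dataset", 1, "shared", "2,5,6"), True),
        ((2, "staff", "create"), ("dataset", 1, "shared", "2,5,6"), False),
        ((2, "staff", "edit"), ("dataset", 1, "shared", "2,5,6"), True),
        ((2, "staff", "delete"), ("dataset", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_visibility"), ("dataset", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_owner"), ("dataset", 1, "shared", "2,5,6"), False),
        # staff -> shared from others but not shared to this user
        ((2, "staff", "list"), ("dataset", 1, "shared", "5,6"), True),
        ((2, "staff", "view"), ("dataset", 1, "shared", "5,6"), True),
        ((2, "staff", "create"), ("dataset", 1, "shared", "5,6"), False),
        ((2, "staff", "edit"), ("dataset", 1, "shared", "5,6"), True),
        ((2, "staff", "delete"), ("dataset", 1, "shared", "5,6"), False),
        ((2, "staff", "change_visibility"), ("dataset", 1, "shared", "5,6"), False),
        ((2, "staff", "change_owner"), ("dataset", 1, "shared", "5,6"), False),
        # staff -> private dataset from others
        ((2, "staff", "list"), ("dataset", 1, "private", ""), True),
        ((2, "staff", "view"), ("dataset", 1, "private", ""), False),
        ((2, "staff", "create"), ("dataset", 1, "private", ""), False),
        ((2, "staff", "edit"), ("dataset", 1, "private", ""), False),
        ((2, "staff", "delete"), ("dataset", 1, "private", ""), False),
        ((2, "staff", "change_visibility"), ("dataset", 1, "private", ""), False),
        ((2, "staff", "change_owner"), ("dataset", 1, "private", ""), False),
    ],
)
def test_staff_access_to_dataset(access, target, expected):
    """Check staff decisions on ``dataset`` targets in the default policy."""
    _assert_access(access, target, expected)


@pytest.mark.parametrize(
    "access,target,expected",
    [
        # staff -> self-owned private object
        ((2, "staff", "list"), ("object", 2, "private", ""), True),
        ((2, "staff", "view"), ("object", 2, "private", ""), True),
        ((2, "staff", "create"), ("object", 2, "private", ""), True),
        ((2, "staff", "edit"), ("object", 2, "private", ""), True),
        ((2, "staff", "delete"), ("object", 2, "private", ""), True),
        ((2, "staff", "change_visibility"), ("object", 2, "private", ""), True),
        ((2, "staff", "change_owner"), ("object", 2, "private", ""), True),
        # staff -> self-owned shared object
        ((2, "staff", "list"), ("object", 2, "shared", ""), True),
        ((2, "staff", "view"), ("object", 2, "shared", ""), True),
        ((2, "staff", "create"), ("object", 2, "shared", ""), True),
        ((2, "staff", "edit"), ("object", 2, "shared", ""), True),
        ((2, "staff", "delete"), ("object", 2, "shared", ""), True),
        ((2, "staff", "change_visibility"), ("object", 2, "shared", ""), True),
        ((2, "staff", "change_owner"), ("object", 2, "shared", ""), True),
        # staff -> self-owned public object
        ((2, "staff", "list"), ("object", 2, "public", ""), True),
        ((2, "staff", "view"), ("object", 2, "public", ""), True),
        ((2, "staff", "create"), ("object", 2, "public", ""), True),
        ((2, "staff", "edit"), ("object", 2, "public", ""), True),
        ((2, "staff", "delete"), ("object", 2, "public", ""), True),
        ((2, "staff", "change_visibility"), ("object", 2, "public", ""), True),
        ((2, "staff", "change_owner"), ("object", 2, "public", ""), True),
        # staff -> public object from others (list, view OK)
        ((2, "staff", "list"), ("object", 1, "public", ""), True),
        ((2, "staff", "view"), ("object", 1, "public", ""), True),
        ((2, "staff", "create"), ("object", 1, "public", ""), False),
        ((2, "staff", "edit"), ("object", 1, "public", ""), True),
        ((2, "staff", "delete"), ("object", 1, "public", ""), True),
        ((2, "staff", "change_visibility"), ("object", 1, "public", ""), True),
        ((2, "staff", "change_owner"), ("object", 1, "public", ""), True),
        # staff -> shared object from others
        ((2, "staff", "list"), ("object", 1, "shared", "2,5,6"), True),
        ((2, "staff", "view"), ("object", 1, "shared", "2,5,6"), True),
        ((2, "staff", "create"), ("object", 1, "shared", "2,5,6"), False),
        ((2, "staff", "edit"), ("object", 1, "shared", "2,5,6"), True),
        ((2, "staff", "delete"), ("object", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_visibility"), ("object", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_owner"), ("object", 1, "shared", "2,5,6"), False),
        # staff -> shared from others but not shared to this user
        ((2, "staff", "list"), ("object", 1, "shared", "5,6"), True),
        ((2, "staff", "view"), ("object", 1, "shared", "5,6"), True),
        ((2, "staff", "create"), ("object", 1, "shared", "5,6"), False),
        ((2, "staff", "edit"), ("object", 1, "shared", "5,6"), True),
        ((2, "staff", "delete"), ("object", 1, "shared", "5,6"), False),
        ((2, "staff", "change_visibility"), ("object", 1, "shared", "5,6"), False),
        ((2, "staff", "change_owner"), ("object", 1, "shared", "5,6"), False),
        # staff -> private object from others
        ((2, "staff", "list"), ("object", 1, "private", ""), True),
        ((2, "staff", "view"), ("object", 1, "private", ""), False),
        ((2, "staff", "create"), ("object", 1, "private", ""), False),
        ((2, "staff", "edit"), ("object", 1, "private", ""), False),
        ((2, "staff", "delete"), ("object", 1, "private", ""), False),
        ((2, "staff", "change_visibility"), ("object", 1, "private", ""), False),
        ((2, "staff", "change_owner"), ("object", 1, "private", ""), False),
    ],
)
def test_staff_access_to_object(access, target, expected):
    """Check staff decisions on ``object`` targets in the default policy."""
    _assert_access(access, target, expected)


@pytest.mark.parametrize(
    "access,target,expected",
    [
        # staff -> self-owned private users
        ((2, "staff", "list"), ("user", 2, "private", ""), False),
        ((2, "staff", "view"), ("user", 2, "private", ""), False),
        ((2, "staff", "create"), ("user", 2, "private", ""), False),
        ((2, "staff", "edit"), ("user", 2, "private", ""), False),
        ((2, "staff", "delete"), ("user", 2, "private", ""), False),
        ((2, "staff", "change_visibility"), ("user", 2, "private", ""), False),
        ((2, "staff", "change_owner"), ("user", 2, "private", ""), False),
        # staff -> self-owned shared users
        ((2, "staff", "list"), ("user", 2, "shared", ""), False),
        ((2, "staff", "view"), ("user", 2, "shared", ""), False),
        ((2, "staff", "create"), ("user", 2, "shared", ""), False),
        ((2, "staff", "edit"), ("user", 2, "shared", ""), False),
        ((2, "staff", "delete"), ("user", 2, "shared", ""), False),
        ((2, "staff", "change_visibility"), ("user", 2, "shared", ""), False),
        ((2, "staff", "change_owner"), ("user", 2, "shared", ""), False),
        # staff -> self-owned public users
        ((2, "staff", "list"), ("user", 2, "public", ""), False),
        ((2, "staff", "view"), ("user", 2, "public", ""), False),
        ((2, "staff", "create"), ("user", 2, "public", ""), False),
        ((2, "staff", "edit"), ("user", 2, "public", ""), False),
        ((2, "staff", "delete"), ("user", 2, "public", ""), False),
        ((2, "staff", "change_visibility"), ("user", 2, "public", ""), False),
        ((2, "staff", "change_owner"), ("user", 2, "public", ""), False),
        # staff -> public users from others
        ((2, "staff", "list"), ("user", 1, "public", ""), False),
        ((2, "staff", "view"), ("user", 1, "public", ""), False),
        ((2, "staff", "create"), ("user", 1, "public", ""), False),
        ((2, "staff", "edit"), ("user", 1, "public", ""), False),
        ((2, "staff", "delete"), ("user", 1, "public", ""), False),
        ((2, "staff", "change_visibility"), ("user", 1, "public", ""), False),
        ((2, "staff", "change_owner"), ("user", 1, "public", ""), False),
        # staff -> shared users from others
        ((2, "staff", "list"), ("user", 1, "shared", "2,5,6"), False),
        ((2, "staff", "view"), ("user", 1, "shared", "2,5,6"), False),
        ((2, "staff", "create"), ("user", 1, "shared", "2,5,6"), False),
        ((2, "staff", "edit"), ("user", 1, "shared", "2,5,6"), False),
        ((2, "staff", "delete"), ("user", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_visibility"), ("user", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_owner"), ("user", 1, "shared", "2,5,6"), False),
        # staff -> shared from others but not shared to this user
        ((2, "staff", "list"), ("user", 1, "shared", "5,6"), False),
        ((2, "staff", "view"), ("user", 1, "shared", "5,6"), False),
        ((2, "staff", "create"), ("user", 1, "shared", "5,6"), False),
        ((2, "staff", "edit"), ("user", 1, "shared", "5,6"), False),
        ((2, "staff", "delete"), ("user", 1, "shared", "5,6"), False),
        ((2, "staff", "change_visibility"), ("user", 1, "shared", "5,6"), False),
        ((2, "staff", "change_owner"), ("user", 1, "shared", "5,6"), False),
        # staff -> private users from others
        # NOTE(review): "list" is expected to be granted on another owner's
        # private user entry while the self-owned private case above expects
        # a denial - confirm this asymmetry is intended in the default model.
        ((2, "staff", "list"), ("user", 1, "private", ""), True),
        ((2, "staff", "view"), ("user", 1, "private", ""), False),
        ((2, "staff", "create"), ("user", 1, "private", ""), False),
        ((2, "staff", "edit"), ("user", 1, "private", ""), False),
        ((2, "staff", "delete"), ("user", 1, "private", ""), False),
        ((2, "staff", "change_visibility"), ("user", 1, "private", ""), False),
        ((2, "staff", "change_owner"), ("user", 1, "private", ""), False),
    ],
)
def test_staff_access_to_users(access, target, expected):
    """Check staff decisions on ``user`` targets in the default policy."""
    _assert_access(access, target, expected)


@pytest.mark.parametrize(
    "access,target,expected",
    [
        # staff -> self-owned private sessions
        ((2, "staff", "list"), ("session", 2, "private", ""), False),
        ((2, "staff", "view"), ("session", 2, "private", ""), False),
        ((2, "staff", "create"), ("session", 2, "private", ""), False),
        ((2, "staff", "edit"), ("session", 2, "private", ""), False),
        ((2, "staff", "delete"), ("session", 2, "private", ""), False),
        ((2, "staff", "change_visibility"), ("session", 2, "private", ""), False),
        ((2, "staff", "change_owner"), ("session", 2, "private", ""), False),
        # staff -> self-owned shared sessions
        ((2, "staff", "list"), ("session", 2, "shared", ""), False),
        ((2, "staff", "view"), ("session", 2, "shared", ""), False),
        ((2, "staff", "create"), ("session", 2, "shared", ""), False),
        ((2, "staff", "edit"), ("session", 2, "shared", ""), False),
        ((2, "staff", "delete"), ("session", 2, "shared", ""), False),
        ((2, "staff", "change_visibility"), ("session", 2, "shared", ""), False),
        ((2, "staff", "change_owner"), ("session", 2, "shared", ""), False),
        # staff -> self-owned public sessions
        ((2, "staff", "list"), ("session", 2, "public", ""), False),
        ((2, "staff", "view"), ("session", 2, "public", ""), False),
        ((2, "staff", "create"), ("session", 2, "public", ""), False),
        ((2, "staff", "edit"), ("session", 2, "public", ""), False),
        ((2, "staff", "delete"), ("session", 2, "public", ""), False),
        ((2, "staff", "change_visibility"), ("session", 2, "public", ""), False),
        ((2, "staff", "change_owner"), ("session", 2, "public", ""), False),
        # staff -> public sessions from others
        ((2, "staff", "list"), ("session", 1, "public", ""), False),
        ((2, "staff", "view"), ("session", 1, "public", ""), False),
        ((2, "staff", "create"), ("session", 1, "public", ""), False),
        ((2, "staff", "edit"), ("session", 1, "public", ""), False),
        ((2, "staff", "delete"), ("session", 1, "public", ""), False),
        ((2, "staff", "change_visibility"), ("session", 1, "public", ""), False),
        ((2, "staff", "change_owner"), ("session", 1, "public", ""), False),
        # staff -> shared sessions from others
        ((2, "staff", "list"), ("session", 1, "shared", "2,5,6"), False),
        ((2, "staff", "view"), ("session", 1, "shared", "2,5,6"), False),
        ((2, "staff", "create"), ("session", 1, "shared", "2,5,6"), False),
        ((2, "staff", "edit"), ("session", 1, "shared", "2,5,6"), False),
        ((2, "staff", "delete"), ("session", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_visibility"), ("session", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_owner"), ("session", 1, "shared", "2,5,6"), False),
        # staff -> shared from others but not shared to this user
        ((2, "staff", "list"), ("session", 1, "shared", "5,6"), False),
        ((2, "staff", "view"), ("session", 1, "shared", "5,6"), False),
        ((2, "staff", "create"), ("session", 1, "shared", "5,6"), False),
        ((2, "staff", "edit"), ("session", 1, "shared", "5,6"), False),
        ((2, "staff", "delete"), ("session", 1, "shared", "5,6"), False),
        ((2, "staff", "change_visibility"), ("session", 1, "shared", "5,6"), False),
        ((2, "staff", "change_owner"), ("session", 1, "shared", "5,6"), False),
        # staff -> private sessions from others
        # NOTE(review): "list" is expected to be granted on another owner's
        # private session while the self-owned private case above expects a
        # denial - confirm this asymmetry is intended in the default model.
        ((2, "staff", "list"), ("session", 1, "private", ""), True),
        ((2, "staff", "view"), ("session", 1, "private", ""), False),
        ((2, "staff", "create"), ("session", 1, "private", ""), False),
        ((2, "staff", "edit"), ("session", 1, "private", ""), False),
        ((2, "staff", "delete"), ("session", 1, "private", ""), False),
        ((2, "staff", "change_visibility"), ("session", 1, "private", ""), False),
        ((2, "staff", "change_owner"), ("session", 1, "private", ""), False),
    ],
)
def test_staff_access_to_sessions(access, target, expected):
    """Check staff decisions on ``session`` targets in the default policy."""
    _assert_access(access, target, expected)


@pytest.mark.parametrize(
    "access,target,expected",
    [
        # staff -> self-owned private apikeys
        # (edit, change_visibility and change_owner are denied even to the
        # owner; only list/view/create/delete are expected to be granted)
        ((2, "staff", "list"), ("apikey", 2, "private", ""), True),
        ((2, "staff", "view"), ("apikey", 2, "private", ""), True),
        ((2, "staff", "create"), ("apikey", 2, "private", ""), True),
        ((2, "staff", "edit"), ("apikey", 2, "private", ""), False),
        ((2, "staff", "delete"), ("apikey", 2, "private", ""), True),
        ((2, "staff", "change_visibility"), ("apikey", 2, "private", ""), False),
        ((2, "staff", "change_owner"), ("apikey", 2, "private", ""), False),
        # staff -> self-owned shared apikeys
        ((2, "staff", "list"), ("apikey", 2, "shared", ""), False),
        ((2, "staff", "view"), ("apikey", 2, "shared", ""), False),
        ((2, "staff", "create"), ("apikey", 2, "shared", ""), False),
        ((2, "staff", "edit"), ("apikey", 2, "shared", ""), False),
        ((2, "staff", "delete"), ("apikey", 2, "shared", ""), False),
        ((2, "staff", "change_visibility"), ("apikey", 2, "shared", ""), False),
        ((2, "staff", "change_owner"), ("apikey", 2, "shared", ""), False),
        # staff -> self-owned public apikeys
        ((2, "staff", "list"), ("apikey", 2, "public", ""), False),
        ((2, "staff", "view"), ("apikey", 2, "public", ""), False),
        ((2, "staff", "create"), ("apikey", 2, "public", ""), False),
        ((2, "staff", "edit"), ("apikey", 2, "public", ""), False),
        ((2, "staff", "delete"), ("apikey", 2, "public", ""), False),
        ((2, "staff", "change_visibility"), ("apikey", 2, "public", ""), False),
        ((2, "staff", "change_owner"), ("apikey", 2, "public", ""), False),
        # staff -> public apikeys from others
        ((2, "staff", "list"), ("apikey", 1, "public", ""), False),
        ((2, "staff", "view"), ("apikey", 1, "public", ""), False),
        ((2, "staff", "create"), ("apikey", 1, "public", ""), False),
        ((2, "staff", "edit"), ("apikey", 1, "public", ""), False),
        ((2, "staff", "delete"), ("apikey", 1, "public", ""), False),
        ((2, "staff", "change_visibility"), ("apikey", 1, "public", ""), False),
        ((2, "staff", "change_owner"), ("apikey", 1, "public", ""), False),
        # staff -> shared apikeys from others
        ((2, "staff", "list"), ("apikey", 1, "shared", "2,5,6"), False),
        ((2, "staff", "view"), ("apikey", 1, "shared", "2,5,6"), False),
        ((2, "staff", "create"), ("apikey", 1, "shared", "2,5,6"), False),
        ((2, "staff", "edit"), ("apikey", 1, "shared", "2,5,6"), False),
        ((2, "staff", "delete"), ("apikey", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_visibility"), ("apikey", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_owner"), ("apikey", 1, "shared", "2,5,6"), False),
        # staff -> shared from others but not shared to this user
        ((2, "staff", "list"), ("apikey", 1, "shared", "5,6"), False),
        ((2, "staff", "view"), ("apikey", 1, "shared", "5,6"), False),
        ((2, "staff", "create"), ("apikey", 1, "shared", "5,6"), False),
        ((2, "staff", "edit"), ("apikey", 1, "shared", "5,6"), False),
        ((2, "staff", "delete"), ("apikey", 1, "shared", "5,6"), False),
        ((2, "staff", "change_visibility"), ("apikey", 1, "shared", "5,6"), False),
        ((2, "staff", "change_owner"), ("apikey", 1, "shared", "5,6"), False),
        # staff -> private apikeys from others
        ((2, "staff", "list"), ("apikey", 1, "private", ""), True),
        ((2, "staff", "view"), ("apikey", 1, "private", ""), False),
        ((2, "staff", "create"), ("apikey", 1, "private", ""), False),
        ((2, "staff", "edit"), ("apikey", 1, "private", ""), False),
        ((2, "staff", "delete"), ("apikey", 1, "private", ""), False),
        ((2, "staff", "change_visibility"), ("apikey", 1, "private", ""), False),
        ((2, "staff", "change_owner"), ("apikey", 1, "private", ""), False),
    ],
)
def test_staff_access_to_apikeys(access, target, expected):
    """Check staff decisions on ``apikey`` targets in the default policy."""
    _assert_access(access, target, expected)


@pytest.mark.parametrize(
    "access,target,expected",
    [
        # staff -> self-owned private preferences
        ((2, "staff", "list"), ("preference", 2, "private", ""), True),
        ((2, "staff", "view"), ("preference", 2, "private", ""), True),
        ((2, "staff", "create"), ("preference", 2, "private", ""), False),
        ((2, "staff", "edit"), ("preference", 2, "private", ""), True),
        ((2, "staff", "delete"), ("preference", 2, "private", ""), False),
        ((2, "staff", "change_visibility"), ("preference", 2, "private", ""), False),
        ((2, "staff", "change_owner"), ("preference", 2, "private", ""), False),
        # staff -> self-owned shared preferences
        ((2, "staff", "list"), ("preference", 2, "shared", ""), False),
        ((2, "staff", "view"), ("preference", 2, "shared", ""), False),
        ((2, "staff", "create"), ("preference", 2, "shared", ""), False),
        ((2, "staff", "edit"), ("preference", 2, "shared", ""), False),
        ((2, "staff", "delete"), ("preference", 2, "shared", ""), False),
        ((2, "staff", "change_visibility"), ("preference", 2, "shared", ""), False),
        ((2, "staff", "change_owner"), ("preference", 2, "shared", ""), False),
        # staff -> self-owned public preferences
        ((2, "staff", "list"), ("preference", 2, "public", ""), False),
        ((2, "staff", "view"), ("preference", 2, "public", ""), False),
        ((2, "staff", "create"), ("preference", 2, "public", ""), False),
        ((2, "staff", "edit"), ("preference", 2, "public", ""), False),
        ((2, "staff", "delete"), ("preference", 2, "public", ""), False),
        ((2, "staff", "change_visibility"), ("preference", 2, "public", ""), False),
        ((2, "staff", "change_owner"), ("preference", 2, "public", ""), False),
        # staff -> public preferences from others
        ((2, "staff", "list"), ("preference", 1, "public", ""), False),
        ((2, "staff", "view"), ("preference", 1, "public", ""), False),
        ((2, "staff", "create"), ("preference", 1, "public", ""), False),
        ((2, "staff", "edit"), ("preference", 1, "public", ""), False),
        ((2, "staff", "delete"), ("preference", 1, "public", ""), False),
        ((2, "staff", "change_visibility"), ("preference", 1, "public", ""), False),
        ((2, "staff", "change_owner"), ("preference", 1, "public", ""), False),
        # staff -> shared preferences from others
        ((2, "staff", "list"), ("preference", 1, "shared", "2,5,6"), False),
        ((2, "staff", "view"), ("preference", 1, "shared", "2,5,6"), False),
        ((2, "staff", "create"), ("preference", 1, "shared", "2,5,6"), False),
        ((2, "staff", "edit"), ("preference", 1, "shared", "2,5,6"), False),
        ((2, "staff", "delete"), ("preference", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_visibility"), ("preference", 1, "shared", "2,5,6"), False),
        ((2, "staff", "change_owner"), ("preference", 1, "shared", "2,5,6"), False),
        # staff -> shared from others but not shared to this user
        ((2, "staff", "list"), ("preference", 1, "shared", "5,6"), False),
        ((2, "staff", "view"), ("preference", 1, "shared", "5,6"), False),
        ((2, "staff", "create"), ("preference", 1, "shared", "5,6"), False),
        ((2, "staff", "edit"), ("preference", 1, "shared", "5,6"), False),
        ((2, "staff", "delete"), ("preference", 1, "shared", "5,6"), False),
        ((2, "staff", "change_visibility"), ("preference", 1, "shared", "5,6"), False),
        ((2, "staff", "change_owner"), ("preference", 1, "shared", "5,6"), False),
        # staff -> private preferences from others
        ((2, "staff", "list"), ("preference", 1, "private", ""), True),
        ((2, "staff", "view"), ("preference", 1, "private", ""), False),
        ((2, "staff", "create"), ("preference", 1, "private", ""), False),
        ((2, "staff", "edit"), ("preference", 1, "private", ""), False),
        ((2, "staff", "delete"), ("preference", 1, "private", ""), False),
        ((2, "staff", "change_visibility"), ("preference", 1, "private", ""), False),
        ((2, "staff", "change_owner"), ("preference", 1, "private", ""), False),
    ],
)
def test_staff_access_to_preferences(access, target, expected):
    """Check staff decisions on ``preference`` targets in the default policy."""
    _assert_access(access, target, expected)


# NOTE: the listing this file was reproduced from is cut off right after the
# assertion of test_staff_access_to_preferences; anything that followed in the
# original file is not shown here.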