feat: add permission checks for menus, view routes

2024-08-14 21:20:00 -05:00 · 2024-08-14 21:20:00 -05:00 · e3942ce65e
commit e3942ce65e
parent 675b51cac2
11 changed files with 537 additions and 40 deletions
--- a/tests/views/test_master.py
+++ b/tests/views/test_master.py
@ -331,6 +331,64 @@ class TestMasterView(WebTestCase):
    # support methods
    ##############################

+    def test_has_perm(self):
+        model = self.app.model
+        auth = self.app.get_auth_handler()
+
+        with patch.multiple(master.MasterView, create=True,
+                            model_name='Setting'):
+            view = self.make_view()
+
+            # anonymous user
+            self.assertFalse(view.has_perm('list'))
+            self.assertFalse(self.request.has_perm('list'))
+
+            # reset
+            del self.request.user_permissions
+
+            # make user with perms
+            barney = model.User(username='barney')
+            self.session.add(barney)
+            blokes = model.Role(name="Blokes")
+            self.session.add(blokes)
+            barney.roles.append(blokes)
+            auth.grant_permission(blokes, 'settings.list')
+            self.session.commit()
+
+            # this user has perms
+            self.request.user = barney
+            self.assertTrue(view.has_perm('list'))
+            self.assertTrue(self.request.has_perm('settings.list'))
+
+    def test_has_any_perm(self):
+        model = self.app.model
+        auth = self.app.get_auth_handler()
+
+        with patch.multiple(master.MasterView, create=True,
+                            model_name='Setting'):
+            view = self.make_view()
+
+            # anonymous user
+            self.assertFalse(view.has_any_perm('list', 'view'))
+            self.assertFalse(self.request.has_any_perm('settings.list', 'settings.view'))
+
+            # reset
+            del self.request.user_permissions
+
+            # make user with perms
+            barney = model.User(username='barney')
+            self.session.add(barney)
+            blokes = model.Role(name="Blokes")
+            self.session.add(blokes)
+            barney.roles.append(blokes)
+            auth.grant_permission(blokes, 'settings.view')
+            self.session.commit()
+
+            # this user has perms
+            self.request.user = barney
+            self.assertTrue(view.has_any_perm('list', 'view'))
+            self.assertTrue(self.request.has_any_perm('settings.list', 'settings.view'))
+
    def test_render_to_response(self):
        self.pyramid_config.include('wuttaweb.views.common')
        self.pyramid_config.include('wuttaweb.views.auth')
@ -387,6 +445,28 @@ class TestMasterView(WebTestCase):
            grid = view.make_model_grid(session=self.session)
            self.assertIs(grid.model_class, model.Setting)

+        # no actions by default
+        with patch.multiple(master.MasterView, create=True,
+                            model_class=model.Setting):
+            grid = view.make_model_grid(session=self.session)
+            self.assertEqual(grid.actions, [])
+
+        # now let's test some more actions logic
+        with patch.multiple(master.MasterView, create=True,
+                            model_class=model.Setting,
+                            viewable=True,
+                            editable=True,
+                            deletable=True):
+
+            # should have 3 actions now, but for lack of perms
+            grid = view.make_model_grid(session=self.session)
+            self.assertEqual(len(grid.actions), 0)
+
+            # but root user has perms, so gets 3 actions
+            with patch.object(self.request, 'is_root', new=True):
+                grid = view.make_model_grid(session=self.session)
+            self.assertEqual(len(grid.actions), 3)
+
    def test_get_grid_data(self):
        model = self.app.model
        self.app.save_setting(self.session, 'foo', 'bar')
@ -468,6 +548,57 @@ class TestMasterView(WebTestCase):
            self.request.matchdict = {'name': 'blarg'}
            self.assertRaises(HTTPNotFound, view.get_instance, session=self.session)

+    def test_get_action_url_view(self):
+        model = self.app.model
+        setting = model.Setting(name='foo', value='bar')
+        self.session.add(setting)
+        self.session.commit()
+
+        with patch.multiple(master.MasterView, create=True,
+                            model_class=model.Setting):
+            master.MasterView.defaults(self.pyramid_config)
+            view = self.make_view()
+            url = view.get_action_url_view(setting, 0)
+            self.assertEqual(url, self.request.route_url('settings.view', name='foo'))
+
+    def test_get_action_url_edit(self):
+        model = self.app.model
+        setting = model.Setting(name='foo', value='bar')
+        self.session.add(setting)
+        self.session.commit()
+        with patch.multiple(master.MasterView, create=True,
+                            model_class=model.Setting):
+            master.MasterView.defaults(self.pyramid_config)
+            view = self.make_view()
+
+            # typical
+            url = view.get_action_url_edit(setting, 0)
+            self.assertEqual(url, self.request.route_url('settings.edit', name='foo'))
+
+            # but null if instance not editable
+            with patch.object(view, 'is_editable', return_value=False):
+                url = view.get_action_url_edit(setting, 0)
+                self.assertIsNone(url)
+
+    def test_get_action_url_delete(self):
+        model = self.app.model
+        setting = model.Setting(name='foo', value='bar')
+        self.session.add(setting)
+        self.session.commit()
+        with patch.multiple(master.MasterView, create=True,
+                            model_class=model.Setting):
+            master.MasterView.defaults(self.pyramid_config)
+            view = self.make_view()
+
+            # typical
+            url = view.get_action_url_delete(setting, 0)
+            self.assertEqual(url, self.request.route_url('settings.delete', name='foo'))
+
+            # but null if instance not deletable
+            with patch.object(view, 'is_deletable', return_value=False):
+                url = view.get_action_url_delete(setting, 0)
+                self.assertIsNone(url)
+
    def test_make_model_form(self):
        model = self.app.model

--- a/tests/views/test_roles.py
+++ b/tests/views/test_roles.py
@ -31,6 +31,42 @@ class TestRoleView(WebTestCase):
        view.configure_grid(grid)
        self.assertTrue(grid.is_linked('name'))

+    def test_is_editable(self):
+        model = self.app.model
+        auth = self.app.get_auth_handler()
+        blokes = model.Role(name="Blokes")
+        self.session.add(blokes)
+        self.session.commit()
+        view = self.make_view()
+
+        admin = auth.get_role_administrator(self.session)
+        authed = auth.get_role_authenticated(self.session)
+        anon = auth.get_role_anonymous(self.session)
+
+        # editable by default
+        self.assertTrue(view.is_editable(blokes))
+
+        # built-in roles not editable by default
+        self.assertFalse(view.is_editable(admin))
+        self.assertFalse(view.is_editable(authed))
+        self.assertFalse(view.is_editable(anon))
+
+        # reset
+        del self.request.user_permissions
+
+        barney = model.User(username='barney')
+        self.session.add(barney)
+        barney.roles.append(blokes)
+        auth.grant_permission(blokes, 'roles.edit_builtin')
+        self.session.commit()
+
+        # user with perms can edit *some* built-in
+        self.request.user = barney
+        self.assertTrue(view.is_editable(authed))
+        self.assertTrue(view.is_editable(anon))
+        # nb. not this one yet
+        self.assertFalse(view.is_editable(admin))
+
    def test_is_deletable(self):
        model = self.app.model
        auth = self.app.get_auth_handler()