Skip to content

C
converse.js
Commit a6e4b9c1 authored by matejcik's avatar matejcik
Browse files
Options

fix groupACL locking behavior and test it

parent 90fc3940
Hide whitespace changes
Inline Side-by-side
Showing with 73 additions and 6 deletions
weblate/accounts/auth.py
View file @ a6e4b9c1
......@@ -20,7 +20,7 @@
import sys
from django.contrib.auth.models import User
from django.contrib.auth.models import User, Permission
from django.contrib import messages
from django.shortcuts import redirect
from django.core.urlresolvers import reverse
......@@ -84,12 +84,10 @@ class WeblateUserBackend(ModelBackend):
def _get_group_permissions(self, user_obj):
"""Wrapper around _get_group_permissions to exclude groupacl
We don't want these to be applied direclty, they should work
We don't want these to be applied directly, they should work
only using group matching rules."""
perms = super(WeblateUserBackend, self)._get_group_permissions(
user_obj
)
return perms.exclude(group__groupacl__pk__gt=0)
user_groups = user_obj.groups.filter(groupacl=None)
return Permission.objects.filter(group__in=user_groups)
def authenticate(self, username=None, password=None, **kwargs):
'''
......
weblate/trans/tests/test_permissions.py
View file @ a6e4b9c1
......@@ -179,3 +179,72 @@ class GroupACLTest(ModelTestCase):
self.assertTrue(
can_author_translation(self.privileged, self.project)
)
def test_affects_unrelated(self):
lang_cs = Language.objects.get(code='cs')
lang_de = Language.objects.get(code='de')
trans_cs = Translation.objects.create(
subproject=self.subproject, language=lang_cs,
filename="this/is/not/a.template"
)
trans_de = Translation.objects.create(
subproject=self.subproject, language=lang_de,
filename="this/is/not/a.template"
)
acl = GroupACL.objects.create(language=lang_cs)
acl.groups.add(self.group)
self.assertTrue(can_edit(self.privileged, trans_cs, self.PERMISSION))
self.assertFalse(can_edit(self.user, trans_cs, self.PERMISSION))
self.assertTrue(can_edit(self.privileged, trans_de, self.PERMISSION))
self.assertTrue(can_edit(self.user, trans_de, self.PERMISSION))
def clear_permission_cache(self):
'''
Clear permission cache.
This is necessary when testing interaction of the built-in permissions
mechanism and Group ACL. The built-in mechanism will cache results
of `has_perm` and friends, but these can be affected by the Group ACL
lockout. Usually the cache will get cleared on every page request,
but here we need to do it manually.
'''
for cache in ('_perm_cache', '_user_perm_cache', '_group_perm_cache'):
delattr(self.user, cache)
delattr(self.privileged, cache)
def test_group_locked(self):
lang_cs = Language.objects.get(code='cs')
lang_de = Language.objects.get(code='de')
trans_cs = Translation.objects.create(
subproject=self.subproject, language=lang_cs,
filename="this/is/not/a.template"
)
trans_de = Translation.objects.create(
subproject=self.subproject, language=lang_de,
filename="this/is/not/a.template"
)
perm_name = 'trans.author_translation'
self.assertFalse(can_edit(self.user, trans_cs, perm_name))
self.assertFalse(can_edit(self.privileged, trans_cs, perm_name))
self.assertFalse(can_edit(self.privileged, trans_de, perm_name))
self.clear_permission_cache()
permission = Permission.objects.get(
codename='author_translation', content_type__app_label='trans'
)
self.group.permissions.add(permission)
self.assertFalse(can_edit(self.user, trans_cs, perm_name))
self.assertTrue(can_edit(self.privileged, trans_cs, perm_name))
self.assertTrue(can_edit(self.privileged, trans_de, perm_name))
self.clear_permission_cache()
acl = GroupACL.objects.create(language=lang_cs)
acl.groups.add(self.group)
self.assertTrue(can_edit(self.privileged, trans_cs, perm_name))
self.assertFalse(can_edit(self.privileged, trans_de, perm_name))
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7