fix groupACL locking behavior and test it

a6e4b9c1 · matejcik · 90fc3940 · a6e4b9c1 · a6e4b9c1
Commit a6e4b9c1 authored Mar 08, 2016 by matejcik
Hide whitespace changes
Inline Side-by-side

Showing with 73 additions and 6 deletions

weblate/accounts/auth.py weblate/accounts/auth.py +4 -6

weblate/trans/tests/test_permissions.py weblate/trans/tests/test_permissions.py +69 -0

No files found.
--- a/weblate/accounts/auth.py
+++ b/weblate/accounts/auth.py
@@ -20,7 +20,7 @@
 import sys
-from django.contrib.auth.models import User
+from django.contrib.auth.models import User, Permission
 from django.contrib import messages
 from django.shortcuts import redirect
 from django.core.urlresolvers import reverse
@@ -84,12 +84,10 @@ class WeblateUserBackend(ModelBackend):
    def _get_group_permissions(self, user_obj):
        """Wrapper around _get_group_permissions to exclude groupacl
-        We don't want these to be applied direclty, they should work
+        We don't want these to be applied directly, they should work
        only using group matching rules."""
-        perms = super(WeblateUserBackend, self)._get_group_permissions(
+        user_groups = user_obj.groups.filter(groupacl=None)
-            user_obj
+        return Permission.objects.filter(group__in=user_groups)
-        )
-        return perms.exclude(group__groupacl__pk__gt=0)
    def authenticate(self, username=None, password=None, **kwargs):
        '''

--- a/weblate/trans/tests/test_permissions.py
+++ b/weblate/trans/tests/test_permissions.py
@@ -179,3 +179,72 @@ class GroupACLTest(ModelTestCase):
        self.assertTrue(
            can_author_translation(self.privileged, self.project)
        )
+    def test_affects_unrelated(self):
+        lang_cs = Language.objects.get(code='cs')
+        lang_de = Language.objects.get(code='de')
+        trans_cs = Translation.objects.create(
+            subproject=self.subproject, language=lang_cs,
+            filename="this/is/not/a.template"
+        )
+        trans_de = Translation.objects.create(
+            subproject=self.subproject, language=lang_de,
+            filename="this/is/not/a.template"
+        )
+        acl = GroupACL.objects.create(language=lang_cs)
+        acl.groups.add(self.group)
+        self.assertTrue(can_edit(self.privileged, trans_cs, self.PERMISSION))
+        self.assertFalse(can_edit(self.user, trans_cs, self.PERMISSION))
+        self.assertTrue(can_edit(self.privileged, trans_de, self.PERMISSION))
+        self.assertTrue(can_edit(self.user, trans_de, self.PERMISSION))
+    def clear_permission_cache(self):
+        '''
+        Clear permission cache.
+        This is necessary when testing interaction of the built-in permissions
+        mechanism and Group ACL. The built-in mechanism will cache results
+        of `has_perm` and friends, but these can be affected by the Group ACL
+        lockout. Usually the cache will get cleared on every page request,
+        but here we need to do it manually.
+        '''
+        for cache in ('_perm_cache', '_user_perm_cache', '_group_perm_cache'):
+            delattr(self.user, cache)
+            delattr(self.privileged, cache)
+    def test_group_locked(self):
+        lang_cs = Language.objects.get(code='cs')
+        lang_de = Language.objects.get(code='de')
+        trans_cs = Translation.objects.create(
+            subproject=self.subproject, language=lang_cs,
+            filename="this/is/not/a.template"
+        )
+        trans_de = Translation.objects.create(
+            subproject=self.subproject, language=lang_de,
+            filename="this/is/not/a.template"
+        )
+        perm_name = 'trans.author_translation'
+        self.assertFalse(can_edit(self.user, trans_cs, perm_name))
+        self.assertFalse(can_edit(self.privileged, trans_cs, perm_name))
+        self.assertFalse(can_edit(self.privileged, trans_de, perm_name))
+        self.clear_permission_cache()
+        permission = Permission.objects.get(
+            codename='author_translation', content_type__app_label='trans'
+        )
+        self.group.permissions.add(permission)
+        self.assertFalse(can_edit(self.user, trans_cs, perm_name))
+        self.assertTrue(can_edit(self.privileged, trans_cs, perm_name))
+        self.assertTrue(can_edit(self.privileged, trans_de, perm_name))
+        self.clear_permission_cache()
+        acl = GroupACL.objects.create(language=lang_cs)
+        acl.groups.add(self.group)
+        self.assertTrue(can_edit(self.privileged, trans_cs, perm_name))
+        self.assertFalse(can_edit(self.privileged, trans_de, perm_name))