Commit f672038e authored by Michal Čihař's avatar Michal Čihař

Merge pull request #1008 from matejcik/groupacl-bug

fix groupACL locking behavior
parents 54830e15 a6e4b9c1
...@@ -20,7 +20,7 @@ ...@@ -20,7 +20,7 @@
import sys import sys
from django.contrib.auth.models import User from django.contrib.auth.models import User, Permission
from django.contrib import messages from django.contrib import messages
from django.shortcuts import redirect from django.shortcuts import redirect
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
...@@ -84,12 +84,10 @@ class WeblateUserBackend(ModelBackend): ...@@ -84,12 +84,10 @@ class WeblateUserBackend(ModelBackend):
def _get_group_permissions(self, user_obj): def _get_group_permissions(self, user_obj):
"""Wrapper around _get_group_permissions to exclude groupacl """Wrapper around _get_group_permissions to exclude groupacl
We don't want these to be applied direclty, they should work We don't want these to be applied directly, they should work
only using group matching rules.""" only using group matching rules."""
perms = super(WeblateUserBackend, self)._get_group_permissions( user_groups = user_obj.groups.filter(groupacl=None)
user_obj return Permission.objects.filter(group__in=user_groups)
)
return perms.exclude(group__groupacl__pk__gt=0)
def authenticate(self, username=None, password=None, **kwargs): def authenticate(self, username=None, password=None, **kwargs):
''' '''
......
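Review bot: The rewritten `_get_group_permissions` no longer delegates to `super()`, and neither the docstring nor a comment says why, so a later maintainer could easily restore the old `exclude()` form. A short comment above the two new lines would help, for example `# Filter on the user's own non-ACL groups; excluding by group__groupacl on Permission also dropped permissions held through groups without an ACL.` That reading of the old query is inferred from the removed lines, so confirm the wording against the bug being fixed. Because the parent implementation is bypassed, the docstring should also state that the method relies on `user_obj.groups` and returns a `Permission` queryset.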
...@@ -179,3 +179,72 @@ class GroupACLTest(ModelTestCase): ...@@ -179,3 +179,72 @@ class GroupACLTest(ModelTestCase):
self.assertTrue( self.assertTrue(
can_author_translation(self.privileged, self.project) can_author_translation(self.privileged, self.project)
) )
def test_affects_unrelated(self):
lang_cs = Language.objects.get(code='cs')
lang_de = Language.objects.get(code='de')
trans_cs = Translation.objects.create(
subproject=self.subproject, language=lang_cs,
filename="this/is/not/a.template"
)
trans_de = Translation.objects.create(
subproject=self.subproject, language=lang_de,
filename="this/is/not/a.template"
)
acl = GroupACL.objects.create(language=lang_cs)
acl.groups.add(self.group)
self.assertTrue(can_edit(self.privileged, trans_cs, self.PERMISSION))
self.assertFalse(can_edit(self.user, trans_cs, self.PERMISSION))
self.assertTrue(can_edit(self.privileged, trans_de, self.PERMISSION))
self.assertTrue(can_edit(self.user, trans_de, self.PERMISSION))
def clear_permission_cache(self):
'''
Clear permission cache.
This is necessary when testing interaction of the built-in permissions
mechanism and Group ACL. The built-in mechanism will cache results
of `has_perm` and friends, but these can be affected by the Group ACL
lockout. Usually the cache will get cleared on every page request,
but here we need to do it manually.
'''
for cache in ('_perm_cache', '_user_perm_cache', '_group_perm_cache'):
delattr(self.user, cache)
delattr(self.privileged, cache)
def test_group_locked(self):
lang_cs = Language.objects.get(code='cs')
lang_de = Language.objects.get(code='de')
trans_cs = Translation.objects.create(
subproject=self.subproject, language=lang_cs,
filename="this/is/not/a.template"
)
trans_de = Translation.objects.create(
subproject=self.subproject, language=lang_de,
filename="this/is/not/a.template"
)
perm_name = 'trans.author_translation'
self.assertFalse(can_edit(self.user, trans_cs, perm_name))
self.assertFalse(can_edit(self.privileged, trans_cs, perm_name))
self.assertFalse(can_edit(self.privileged, trans_de, perm_name))
self.clear_permission_cache()
permission = Permission.objects.get(
codename='author_translation', content_type__app_label='trans'
)
self.group.permissions.add(permission)
self.assertFalse(can_edit(self.user, trans_cs, perm_name))
self.assertTrue(can_edit(self.privileged, trans_cs, perm_name))
self.assertTrue(can_edit(self.privileged, trans_de, perm_name))
self.clear_permission_cache()
acl = GroupACL.objects.create(language=lang_cs)
acl.groups.add(self.group)
self.assertTrue(can_edit(self.privileged, trans_cs, perm_name))
self.assertFalse(can_edit(self.privileged, trans_de, perm_name))
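Review bot: `test_group_locked` stops short of the lockout case: after the final `acl.groups.add(self.group)` only `self.privileged` is checked, so nothing asserts that a non-member is still denied on the locked language for this permission. Adding `self.assertFalse(can_edit(self.user, trans_cs, perm_name))` after the last two assertions would pin that. Separately, `clear_permission_cache` uses bare `delattr`, which raises `AttributeError` if a cache attribute was never populated for one of the users. Guarding each call with `if hasattr(user, cache):` would keep the helper safe to call at any point in a test.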