add permission support in apijson get(one)/head/delete, 8 test cases

Author: zhangchunlin

tests/README.md

@@ -0,0 +1,6 @@
+commands to run the tests:
+
+```
+cd tests
+nosetests --with-doctest
+```

tests/demo/apps/apijson_demo/dbinit.py

@@ -7,6 +7,7 @@
 User = models.user
 Privacy = models.privacy
 Comment = models.comment
+Comment2 = models.comment2
 Moment = models.moment
 PublicNotice = models.publicnotice
 
@@ -95,21 +96,21 @@
         "to_username" : "userb",
         "moment_id" : 1,
         "date" : "2018-12-1",
-        "content" : "comment haha",
+        "content" : "comment from usera to userb",
     },
     {
         "username" : "userb",
         "to_username" : "usera",
         "moment_id" : 2,
         "date" : "2018-12-2",
-        "content" : "comment xixi",
+        "content" : "comment from userb to usera",
     },
     {
         "username" : "userc",
         "to_username" : "usera",
         "moment_id" : 3,
         "date" : "2018-12-9",
-        "content" : "comment hoho",
+        "content" : "comment from userc to usera",
     },
 ]
 
@@ -158,6 +159,7 @@
         d["to_id"] = User.get(User.c.username==d["to_username"]).id
         print("create comment record for user '%s'"%(d["username"]))
         Comment(**d).save()
+        Comment2(**d).save()
     else:
         print("error: unknown user '%s'"%(d["username"]))
 

tests/demo/apps/apijson_demo/models.py

@@ -28,6 +28,13 @@ class Comment(Model):
     date = Field(datetime.datetime, auto_now_add=True)
     content = Field(TEXT)
 
+class Comment2(Model):
+    user_id = Reference("user")
+    to_id = Reference("user")
+    moment_id = Reference("moment")
+    date = Field(datetime.datetime, auto_now_add=True)
+    content = Field(TEXT)
+
 class PublicNotice(Model):
     date = Field(datetime.datetime, auto_now_add=True)
     content = Field(TEXT)

tests/demo/apps/apijson_demo/settings.ini

@@ -1,10 +1,18 @@
 [MODELS]
 privacy = 'apijson_demo.models.Privacy'
 comment = 'apijson_demo.models.Comment'
+comment2 = 'apijson_demo.models.Comment2'
 moment = 'apijson_demo.models.Moment'
 publicnotice = 'apijson_demo.models.PublicNotice'
 norequesttag = 'apijson_demo.models.NoRequestTag'
 
+[PERMISSIONS]
+get_comment2 = "get comment2", ["OWNER", "ADMIN"], ""
+head_comment2 = "head comment2", ["OWNER", "ADMIN"], ""
+post_comment2 = "post comment2", ["OWNER", "ADMIN"], ""
+put_comment2 = "put comment2", ["OWNER", "ADMIN"], ""
+delete_comment2 = "delete comment2", ["OWNER", "ADMIN"], ""
+
 [APIJSON_MODELS]
 user = {
     "user_id_field" : "id",
@@ -39,6 +47,14 @@ comment = {
     "PUT" : { "roles" : ["OWNER","ADMIN"] },
     "DELETE" : { "roles" : ["OWNER","ADMIN"] },
 }
+comment2 = {
+    "user_id_field" : "user_id",
+    "GET" : { "permissions":["get_comment2"] },
+    "HEAD" : { "permissions":["head_comment2"] },
+    "POST" : { "permissions":["post_comment2"] },
+    "PUT" : { "permissions":["put_comment2"]},
+    "DELETE" : {"permissions":["delete_comment2"]},
+}
 publicnotice = {
     "GET" : { "roles" : ["OWNER","LOGIN","ADMIN","UNKNOWN"] },
     "HEAD" : { "roles" : ["OWNER","LOGIN","ADMIN","UNKNOWN"] },
@@ -73,6 +89,19 @@ comment = {
     },
 }
 
+comment2 = {
+    "POST" :{
+        "ADD" :{"@role": "OWNER"},
+        "DISALLOW" : ["id"],
+        "NECESSARY" : ["moment_id","content"]
+    },
+    "PUT" :{
+        "ADD":{"@role": "OWNER"},
+        "NECESSARY" : ["id","content"],
+        "DISALLOW" : ["user_id","to_id"],
+    },
+}
+
 publicnotice = {
     "PUT" :{
         "NECESSARY" : ["id","content"],

tests/test.py

@@ -1153,7 +1153,7 @@ def test_apijson_head():
     >>> r = handler.post('/apijson/head', data=data, middlewares=[])
     >>> d = json_loads(r.data)
     >>> print(d)
-    {'code': 400, 'msg': "no login user for role 'ADMIN'"}
+    {'code': 400, 'msg': "user doesn't have role 'ADMIN'"}
 
     >>> #apijson head, without user and @role
     >>> data ='''{
@@ -1581,7 +1581,7 @@ def test_apijson_delete():
     >>> print(d)
     {'code': 400, 'msg': "model 'nonexist' not found"}
 
-    >>> #apijson delete, default to OWNER and delete other's record
+    >>> #apijson delete, try to delete other's moment
     >>> data ='''{
     ...     "moment": {
     ...         "id": 2
@@ -1591,7 +1591,7 @@ def test_apijson_delete():
     >>> r = handler.post('/apijson/delete', data=data, pre_call=pre_call_as("usera"), middlewares=[])
     >>> d = json_loads(r.data)
     >>> print(d)
-    {'code': 400, 'msg': 'no permission'}
+    {'code': 400, 'msg': 'no role to access the data'}
 
     >>> #apijson delete, without id
     >>> data ='''{
@@ -1647,7 +1647,7 @@ def test_apijson_delete():
     >>> r = handler.post('/apijson/delete', data=data, pre_call=pre_call_as("usera"), middlewares=[])
     >>> d = json_loads(r.data)
     >>> print(d)
-    {'code': 400, 'msg': "'moment' not accessible by role 'UNKNOWN'"}
+    {'code': 400, 'msg': "role 'UNKNOWN' has no permission to access the data"}
 
     >>> #apijson delete, with OWNER but not login
     >>> data ='''{
@@ -1667,7 +1667,7 @@ def test_apijson_delete():
     >>> r = handler.post('/apijson/delete', data=data, middlewares=[])
     >>> d = json_loads(r.data)
     >>> print(d)
-    {'code': 400, 'msg': 'need login user'}
+    {'code': 400, 'msg': 'no role to access the data'}
 
     >>> #apijson delete, with UNKNOWN role
     >>> data ='''{
@@ -1701,5 +1701,101 @@ def test_apijson_delete():
     >>> r = handler.post('/apijson/delete', data=data, pre_call=pre_call_as("admin"), middlewares=[])
     >>> d = json_loads(r.data)
     >>> print(d)
-    {'code': 400, 'msg': "'moment' not accessible by role 'superuser'"}
+    {'code': 400, 'msg': "role 'superuser' has no permission to access the data"}
+    """
+
+def test_apijson_permission():
+    """
+    >>> application = make_simple_application(project_dir='.')
+    >>> handler = application.handler()
+
+    >>> #apijson get, query with id, access with owner
+    >>> data ='''{
+    ... "comment2":{
+    ...         "id": 1
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/get', data=data, pre_call=pre_call_as("admin"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': {'user_id': 1, 'to_id': 3, 'moment_id': 1, 'date': '2018-11-01 00:00:00', 'content': 'comment from admin', 'id': 1}}
+
+    >>> #apijson get, query with id, access other's comment, expect empty result
+    >>> data ='''{
+    ... "comment2":{
+    ...         "id": 1
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/get', data=data, pre_call=pre_call_as("userb"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': None}
+
+    >>> #apijson get, query array
+    >>> data ='''{
+    ... "comment2":{
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/get', data=data, pre_call=pre_call_as("usera"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': {'user_id': 2, 'to_id': 3, 'moment_id': 1, 'date': '2018-12-01 00:00:00', 'content': 'comment from usera to userb', 'id': 2}}
+
+    >>> #apijson get, query one with admin as OWNER
+    >>> data ='''{
+    ... "comment2":{
+    ...        "@role":"OWNER"
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/get', data=data, pre_call=pre_call_as("admin"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': {'user_id': 1, 'to_id': 3, 'moment_id': 1, 'date': '2018-11-01 00:00:00', 'content': 'comment from admin', 'id': 1}}
+
+    >>> #apijson get, query one with admin as ADMIN
+    >>> data ='''{
+    ... "comment2":{
+    ...        "@role":"ADMIN",
+    ...        "user_id": 2
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/get', data=data, pre_call=pre_call_as("admin"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': {'user_id': 2, 'to_id': 3, 'moment_id': 1, 'date': '2018-12-01 00:00:00', 'content': 'comment from usera to userb', 'id': 2}}
+
+    >>> #apijson head
+    >>> data ='''{
+    ...     "comment2": {
+    ...         "user_id": 1
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/head', data=data, pre_call=pre_call_as("userc"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': {'code': 200, 'msg': 'success', 'count': 0}}
+
+    >>> #apijson delete with a user which have no permission
+    >>> data ='''{
+    ...     "comment2": {
+    ...         "id": 1
+    ...     },
+    ...     "@tag": "comment2"
+    ... }'''
+    >>> r = handler.post('/apijson/delete', data=data, pre_call=pre_call_as("userc"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 400, 'msg': 'no permission'}
+
+    >>> #apijson delete with permission, ADMIN
+    >>> data ='''{
+    ...     "comment2": {
+    ...         "id": 1
+    ...     },
+    ...     "@tag": "comment2"
+    ... }'''
+    >>> r = handler.post('/apijson/delete', data=data, pre_call=pre_call_as("admin"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': {'id': 1, 'code': 200, 'message': 'success', 'count': 1}}
     """

uliweb_apijson/apijson/__init__.py

@@ -260,3 +260,71 @@ def associated_query_array(self):
                 params.update(refs)
             q = self._get_array_q(params)
             item[self.name] = self._get_info(q.one())
+
+def is_obj_owner(user, obj, user_id_field):
+    if user and user_id_field:
+        return obj.to_dict().get(user_id_field)==user.id
+    return False
+
+def has_obj_role(user, obj, user_id_field, as_role, *roles):
+    from uliweb import  functions
+    if as_role:
+        if as_role not in roles:
+            return False, "role '%s' has no permission to access the data"%(as_role)
+        if not functions.has_role(user, as_role):
+            return False, "user has no role '%s'"%(as_role)
+        if as_role == "OWNER":
+            if not is_obj_owner(user, obj, user_id_field):
+                return False, "user is not the owner of data"
+        return True, None
+    else:
+        for role in roles:
+            if functions.has_role(user, role):
+                if isinstance(role,str):
+                    role_name = role
+                elif hasattr(role, "name"):
+                    role_name = role.name
+                else:
+                    continue
+                if role_name == "OWNER":
+                    if is_obj_owner(user, obj, user_id_field):
+                        return True, None
+                    else:
+                        continue
+                else:
+                    return True, None
+        return False, "no role to access the data"
+
+def has_obj_permission(user, obj, user_id_field, *perms):
+    from uliweb import  functions, models
+
+    Role = models.role
+    Perm = models.permission
+
+    for name in perms:
+        perm = Perm.get(Perm.c.name == name)
+        if not perm:
+            continue
+        has, msg = functions.has_obj_role(user, obj, user_id_field, None, *list(perm.perm_roles.with_relation().all()))
+        if has:
+            return has, None
+    return False, "no permission"
+
+def has_permission_as_role(user, as_role, *perms):
+    from uliweb import  functions, models
+
+    Role = models.role
+    Perm = models.permission
+
+    flag = functions.has_role(user, as_role)
+    if not flag:
+        return False, "user has no role '%s'"%(as_role)
+
+    for name in perms:
+        perm = Perm.get(Perm.c.name==name)
+        if not perm:
+            continue
+        for role in perm.perm_roles.with_relation().all():
+            if role.name == as_role:
+                return role, None
+    return False, "no permission"

uliweb_apijson/apijson/settings.ini

@@ -19,4 +19,7 @@ user = {
 
 [FUNCTIONS]
 get_apijson_tables = "uliweb_apijson.apijson.get_apijson_tables"
-get_apijson_table = "uliweb_apijson.apijson.get_apijson_table"
+get_apijson_table = "uliweb_apijson.apijson.get_apijson_table"
+has_obj_role = "uliweb_apijson.apijson.has_obj_role"
+has_obj_permission = "uliweb_apijson.apijson.has_obj_permission"
+has_permission_as_role = "uliweb_apijson.apijson.has_permission_as_role"