Description |
- copy exisiting tests, modify authz in setUp, adapt and extend tests
- Problem: default_role_actions is read by init_db
- Solution: nuke db after monkey-patching
- role = model.Role('Reader'), del role.actions[...]
self.PRE_MAUTHZ_RULES = copy(mauthz.default_role_actions)
mauthz.default_role_actions.remove((Role.READER, Action.CREATE))
#raise Exception(mauthz.default_role_actions)
model.Session.remove()
model.repo.rebuild_db()
- Start from the functional
is_authorized(user, Action.Create, model.Package)
-> Doing this will put 'Package' in the context field of the user_object_role table. This will trigger SQLAlchemy to attempt a join towards PackageRole? in all queries. Since for class-level role assignments there never is a PackageRole? join table entry, this will never return any results.
- have a ckan install that would not allow visitors to either list packages or list groups
- two paths: create the listing, but for each group/pkg decide that you
cannot show this
- lock down the whole page (/package/list)
- this is class-based, not object-based
is_authorized(user, Action.Package_Create, model.System())
is_authorized(user, Action.Group_Create, model.System())
[Separating Package and Group roles may be useful going forward: PackageEditor?, GroupEditor? etc]
- Find a standard way to lock down classes
- possibly add default rows in user_object_role
- introduce lock-down into controllers: group new, package new, REST equivalents,
- confirm tests
|
Description |
Authorization Groups:
(Doing this first seems more stable since we first want to "re-gain" exisiting functionality)
- Create authz.py and model tests for authorization_group-based auth
- tests: functional: create fixtures, do actual requests
lib-tests: test for membership addition, removal, group-right additions affecting all members, group-right removal, group rights affecting non-members.
# * Adapt model to get these passing
- Integration into existing controllers should be negligible but may want ot have tests
- do not want that. would mean design is broken
- Need to create a new controller for editing authz groups (will have same permissions as any other object -- Reader, Editor, Administrator)
|