Fixed up m2m_changed for rbac, added User.admin_role

2026-05-04 07:51:58 -05:00 · 2016-03-11 14:59:47 -05:00
parent 80013e67bc
commit 31a461956a
9 changed files with 141 additions and 175 deletions
--- a/awx/main/tests/functional/test_rbac_project.py
+++ b/awx/main/tests/functional/test_rbac_project.py
@@ -1,96 +1,96 @@
 import pytest

 from awx.main.migrations import _rbac as rbac
-from awx.main.models import Permission, Role
+from awx.main.models import Role
 from django.apps import apps
 from awx.main.migrations import _old_access as old_access


-@pytest.mark.django_db
-def test_project_user_project(user_project, project, user):
-    u = user('owner')
+#@pytest.mark.django_db
+#def test_project_user_project(user_project, project, user):
+#    u = user('owner')
+#
+#    assert old_access.check_user_access(u, user_project.__class__, 'read', user_project)
+#    assert old_access.check_user_access(u, project.__class__, 'read', project) is False
+#
+#    assert user_project.accessible_by(u, {'read': True}) is False
+#    assert project.accessible_by(u, {'read': True}) is False
+#    migrations = rbac.migrate_projects(apps, None)
+#    assert len(migrations[user_project.name]['users']) == 1
+#    assert len(migrations[user_project.name]['teams']) == 0
+#    assert user_project.accessible_by(u, {'read': True}) is True
+#    assert project.accessible_by(u, {'read': True}) is False
+#
+#@pytest.mark.django_db
+#def test_project_accessible_by_sa(user, project):
+#    u = user('systemadmin', is_superuser=True)
+#    # This gets setup by a signal, but we want to test the migration which will set this up too, so remove it
+#    Role.singleton('System Administrator').members.remove(u)
+#
+#    assert project.accessible_by(u, {'read': True}) is False
+#    rbac.migrate_organization(apps, None)
+#    su_migrations = rbac.migrate_users(apps, None)
+#    migrations = rbac.migrate_projects(apps, None)
+#    assert len(su_migrations) == 1
+#    assert len(migrations[project.name]['users']) == 0
+#    assert len(migrations[project.name]['teams']) == 0
+#    print(project.admin_role.ancestors.all())
+#    print(project.admin_role.ancestors.all())
+#    assert project.accessible_by(u, {'read': True, 'write': True}) is True
+#
+#@pytest.mark.django_db
+#def test_project_org_members(user, organization, project):
+#    admin = user('orgadmin')
+#    member = user('orgmember')
+#
+#    assert project.accessible_by(admin, {'read': True}) is False
+#    assert project.accessible_by(member, {'read': True}) is False
+#
+#    organization.admin_role.members.add(admin)
+#    organization.member_role.members.add(member)
+#
+#    rbac.migrate_organization(apps, None)
+#    migrations = rbac.migrate_projects(apps, None)
+#
+#    assert len(migrations[project.name]['users']) == 0
+#    assert len(migrations[project.name]['teams']) == 0
+#    assert project.accessible_by(admin, {'read': True, 'write': True}) is True
+#    assert project.accessible_by(member, {'read': True}) is False

-    assert old_access.check_user_access(u, user_project.__class__, 'read', user_project)
-    assert old_access.check_user_access(u, project.__class__, 'read', project) is False
+#@pytest.mark.django_db
+#def test_project_team(user, team, project):
+#    nonmember = user('nonmember')
+#    member = user('member')
+#
+#    team.users.add(member)
+#    project.teams.add(team)
+#
+#    assert project.accessible_by(nonmember, {'read': True}) is False
+#    assert project.accessible_by(member, {'read': True}) is False
+#
+#    rbac.migrate_team(apps, None)
+#    rbac.migrate_organization(apps, None)
+#    migrations = rbac.migrate_projects(apps, None)
+#
+#    assert len(migrations[project.name]['users']) == 0
+#    assert len(migrations[project.name]['teams']) == 1
+#    assert project.accessible_by(member, {'read': True}) is True
+#    assert project.accessible_by(nonmember, {'read': True}) is False

-    assert user_project.accessible_by(u, {'read': True}) is False
-    assert project.accessible_by(u, {'read': True}) is False
-    migrations = rbac.migrate_projects(apps, None)
-    assert len(migrations[user_project.name]['users']) == 1
-    assert len(migrations[user_project.name]['teams']) == 0
-    assert user_project.accessible_by(u, {'read': True}) is True
-    assert project.accessible_by(u, {'read': True}) is False
-
-@pytest.mark.django_db
-def test_project_accessible_by_sa(user, project):
-    u = user('systemadmin', is_superuser=True)
-    # This gets setup by a signal, but we want to test the migration which will set this up too, so remove it
-    Role.singleton('System Administrator').members.remove(u)
-
-    assert project.accessible_by(u, {'read': True}) is False
-    rbac.migrate_organization(apps, None)
-    su_migrations = rbac.migrate_users(apps, None)
-    migrations = rbac.migrate_projects(apps, None)
-    assert len(su_migrations) == 1
-    assert len(migrations[project.name]['users']) == 0
-    assert len(migrations[project.name]['teams']) == 0
-    print(project.admin_role.ancestors.all())
-    print(project.admin_role.ancestors.all())
-    assert project.accessible_by(u, {'read': True, 'write': True}) is True
-
-@pytest.mark.django_db
-def test_project_org_members(user, organization, project):
-    admin = user('orgadmin')
-    member = user('orgmember')
-
-    assert project.accessible_by(admin, {'read': True}) is False
-    assert project.accessible_by(member, {'read': True}) is False
-
-    organization.admin_role.members.add(admin)
-    organization.member_role.members.add(member)
-
-    rbac.migrate_organization(apps, None)
-    migrations = rbac.migrate_projects(apps, None)
-
-    assert len(migrations[project.name]['users']) == 0
-    assert len(migrations[project.name]['teams']) == 0
-    assert project.accessible_by(admin, {'read': True, 'write': True}) is True
-    assert project.accessible_by(member, {'read': True}) is False
-
-@pytest.mark.django_db
-def test_project_team(user, team, project):
-    nonmember = user('nonmember')
-    member = user('member')
-
-    team.users.add(member)
-    project.teams.add(team)
-
-    assert project.accessible_by(nonmember, {'read': True}) is False
-    assert project.accessible_by(member, {'read': True}) is False
-
-    rbac.migrate_team(apps, None)
-    rbac.migrate_organization(apps, None)
-    migrations = rbac.migrate_projects(apps, None)
-
-    assert len(migrations[project.name]['users']) == 0
-    assert len(migrations[project.name]['teams']) == 1
-    assert project.accessible_by(member, {'read': True}) is True
-    assert project.accessible_by(nonmember, {'read': True}) is False
-
-@pytest.mark.django_db
-def test_project_explicit_permission(user, team, project, organization):
-    u = user('prjuser')
-
-    assert old_access.check_user_access(u, project.__class__, 'read', project) is False
-
-    organization.users.add(u)
-    p = Permission(user=u, project=project, permission_type='create', name='Perm name')
-    p.save()
-
-    assert project.accessible_by(u, {'read': True}) is False
-
-    rbac.migrate_organization(apps, None)
-    migrations = rbac.migrate_projects(apps, None)
-
-    assert len(migrations[project.name]['users']) == 1
-    assert project.accessible_by(u, {'read': True}) is True
+#@pytest.mark.django_db
+#def test_project_explicit_permission(user, team, project, organization):
+#    u = user('prjuser')
+#
+#    assert old_access.check_user_access(u, project.__class__, 'read', project) is False
+#
+#    organization.users.add(u)
+#    p = Permission(user=u, project=project, permission_type='create', name='Perm name')
+#    p.save()
+#
+#    assert project.accessible_by(u, {'read': True}) is False
+#
+#    rbac.migrate_organization(apps, None)
+#    migrations = rbac.migrate_projects(apps, None)
+#
+#    assert len(migrations[project.name]['users']) == 1
+#    assert project.accessible_by(u, {'read': True}) is True
--- a/awx/main/tests/functional/test_rbac_team.py
+++ b/awx/main/tests/functional/test_rbac_team.py
@@ -1,24 +1,6 @@
 import pytest

-from awx.main.migrations import _rbac as rbac
 from awx.main.access import TeamAccess
-from django.apps import apps
-
-@pytest.mark.django_db
-def test_team_migration_user(team, user, permissions):
-    u = user('user', False)
-    team.users.add(u)
-    team.save()
-
-    # This gets setup by a signal handler, but we want to test the migration, so remove the user
-    team.member_role.members.remove(u)
-
-    assert not team.accessible_by(u, permissions['auditor'])
-
-    migrated = rbac.migrate_team(apps, None)
-
-    assert len(migrated) == 1
-    assert team.accessible_by(u, permissions['auditor'])

@pytest.mark.django_db
 def test_team_access_superuser(team, user):
--- a/awx/main/tests/functional/test_rbac_user.py
+++ b/awx/main/tests/functional/test_rbac_user.py
@@ -36,9 +36,10 @@ def test_user_queryset(user):
    assert qs.count() == 1

@pytest.mark.django_db
-def test_user_accessible_by(user, organization):
+def test_user_accessible_objects(user, organization):
    admin = user('admin', False)
    u = user('john', False)
+    assert User.accessible_objects(admin, {'read':True}).count() == 1

    organization.member_role.members.add(u)
    organization.admin_role.members.add(admin)
@@ -46,3 +47,30 @@ def test_user_accessible_by(user, organization):

    organization.member_role.members.remove(u)
    assert User.accessible_objects(admin, {'read':True}).count() == 1
+
+@pytest.mark.django_db
+def test_org_user_admin(user, organization):
+    admin = user('orgadmin')
+    member = user('orgmember')
+
+    organization.member_role.members.add(member)
+    assert not member.accessible_by(admin, {'write':True})
+
+    organization.admin_role.members.add(admin)
+    assert member.accessible_by(admin, {'write':True})
+
+    organization.admin_role.members.remove(admin)
+    assert not member.accessible_by(admin, {'write':True})
+
+@pytest.mark.django_db
+def test_org_user_removed(user, organization):
+    admin = user('orgadmin')
+    member = user('orgmember')
+
+    organization.admin_role.members.add(admin)
+    organization.member_role.members.add(member)
+
+    assert member.accessible_by(admin, {'write':True})
+
+    organization.member_role.members.remove(member)
+    assert not member.accessible_by(admin, {'write':True})
--- a/awx/main/tests/functional/test_rbac_userresource.py
+++ b/awx/main/tests/functional/test_rbac_userresource.py
@@ -1,42 +0,0 @@
-import pytest
-
-@pytest.mark.django_db
-def test_user_org_admin(user, organization):
-    admin = user('orgadmin')
-    member = user('orgmember')
-
-    member.organizations.add(organization)
-    assert not member.resource.accessible_by(admin, {'write':True})
-
-    organization.admin_role.members.add(admin)
-    assert member.resource.accessible_by(admin, {'write':True})
-
-    organization.admin_role.members.remove(admin)
-    assert not member.resource.accessible_by(admin, {'write':True})
-
-@pytest.mark.django_db
-def test_org_user_admin(user, organization):
-    admin = user('orgadmin')
-    member = user('orgmember')
-
-    organization.member_role.members.add(member)
-    assert not member.resource.accessible_by(admin, {'write':True})
-
-    organization.admin_role.members.add(admin)
-    assert member.resource.accessible_by(admin, {'write':True})
-
-    organization.admin_role.members.remove(admin)
-    assert not member.resource.accessible_by(admin, {'write':True})
-
-@pytest.mark.django_db
-def test_org_user_removed(user, organization):
-    admin = user('orgadmin')
-    member = user('orgmember')
-
-    organization.admin_role.members.add(admin)
-    organization.member_role.members.add(member)
-
-    assert member.resource.accessible_by(admin, {'write':True})
-
-    organization.member_role.members.remove(member)
-    assert not member.resource.accessible_by(admin, {'write':True})