changeset 187:f8d5d3643572

fix Permissions class / ACL middleware to use given user: u.may.xxx of course needs to check permissions xxx for the given User instance u, not for flaskg.user (the user doing the current request). Removed dirty acl tests hack that made the tests work with the now fixed bug.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 24 Apr 2011 14:52:12 +0200
parents 5dd1db45ed55
children cad306a58919
files MoinMoin/security/__init__.py MoinMoin/security/_tests/test_security.py MoinMoin/storage/backends/acl.py
diffstat 3 files changed, 7 insertions(+), 18 deletions(-) [+]
--- a/MoinMoin/security/__init__.py	Sat Apr 23 23:51:34 2011 +0200
+++ b/MoinMoin/security/__init__.py	Sun Apr 24 14:52:12 2011 +0200
@@ -77,7 +77,7 @@
         if attr in app.cfg.acl_rights_contents:
             ns_content = app.cfg.ns_content # XXX always uses content backend
             may = flaskg.storage.get_backend(ns_content)._may
-            return lambda itemname: may(itemname, attr) # XXX does not use self.name XXX
+            return lambda itemname: may(itemname, attr, username=self.name)
         if attr in app.cfg.acl_rights_functions:
             may = app.cfg.cache.acl_functions.may
             return lambda: may(self.name, attr)
--- a/MoinMoin/security/_tests/test_security.py	Sat Apr 23 23:51:34 2011 +0200
+++ b/MoinMoin/security/_tests/test_security.py	Sun Apr 24 14:52:12 2011 +0200
@@ -11,7 +11,6 @@
 import py
 
 from flask import current_app as app
-from flask import g as flaskg
 
 from MoinMoin.security import ContentACL, ACLStringIterator
 
@@ -203,14 +202,6 @@
 
     TO DO: test unknown user?
     """
-    def setup_method(self, method):
-        # Backup user
-        self.savedUser = flaskg.user.name
-
-    def teardown_method(self, method):
-        # Restore user
-        flaskg.user.name = self.savedUser
-
     def testApplyACLByUser(self):
         """ security: applying acl by user name"""
         # This acl string...
@@ -329,7 +320,6 @@
             u.valid = True
 
             def _have_right(u, right, itemname):
-                flaskg.user = u
                 can_access = getattr(u.may, right)(itemname)
                 assert can_access, "%r may %s %r (normal)" % (u.name, right, itemname)
 
@@ -338,7 +328,6 @@
                 yield _have_right, u, right, itemname
 
             def _not_have_right(u, right, itemname):
-                flaskg.user = u
                 can_access = getattr(u.may, right)(itemname)
                 assert not can_access, "%r may not %s %r (normal)" % (u.name, right, itemname)
 
@@ -414,7 +403,6 @@
             u.valid = True
 
             def _have_right(u, right, itemname):
-                flaskg.user = u
                 can_access = getattr(u.may, right)(itemname)
                 assert can_access, "%r may %s %r (hierarchic)" % (u.name, right, itemname)
 
@@ -423,7 +411,6 @@
                 yield _have_right, u, right, itemname
 
             def _not_have_right(u, right, itemname):
-                flaskg.user = u
                 can_access = getattr(u.may, right)(itemname)
                 assert not can_access, "%r may not %s %r (hierarchic)" % (u.name, right, itemname)
 
--- a/MoinMoin/storage/backends/acl.py	Sat Apr 23 23:51:34 2011 +0200
+++ b/MoinMoin/storage/backends/acl.py	Sun Apr 24 14:52:12 2011 +0200
@@ -175,8 +175,8 @@
         default = self.default.default
         return ContentACL(self.cfg, acls, default=default, valid=self.valid)
 
-    def _may(self, itemname, right):
-        """ Check if self.username may have <right> access on item <itemname>.
+    def _may(self, itemname, right, username=None):
+        """ Check if username may have <right> access on item <itemname>.
 
         For hierarchic=False we just check the item in question.
 
@@ -194,11 +194,13 @@
 
         :param itemname: item to get permissions from
         :param right: the right to check
-
+        :param username: username to use for permissions check (default is to
+                         use the username doing the current request)
         :rtype: bool
         :returns: True if you have permission or False
         """
-        username = flaskg.user.name # XXX this is likely too inflexible / wrong
+        if username is None:
+            username = flaskg.user.name
 
         allowed = self.before.may(username, right)
         if allowed is not None:
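Review bot: The `if username is None:` fallback in `_may` cannot tell "no user given" from "a user whose name is None", so if `self.name` in the `MoinMoin/security/__init__.py` hunk can ever be None (not visible here), `u.may.<right>(itemname)` would quietly be evaluated for `flaskg.user` instead of `u`, which is the confusion this commit sets out to remove. A private sentinel keeps the two cases apart: `_CURRENT_USER = object()` at module level, `def _may(self, itemname, right, username=_CURRENT_USER):`, and `if username is _CURRENT_USER:` before the `flaskg.user.name` assignment. If None can never be a user name, the `:param username:` text should say so explicitly so later callers do not pass it by accident. `_may` begins in the previous hunk and its body continues past the end of this one.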