_acs-tcl__test_inheritance_and_custom_permissions (private)

 _acs-tcl__test_inheritance_and_custom_permissions

Defined in packages/acs-tcl/tcl/test/test-permissions-procs.tcl

Partial Call Graph (max 5 caller/called nodes):
_acs-tcl__test_inheritance_and_custom_permissions calls: aa_false (public), aa_log (public), aa_log_result (public), aa_run_with_teardown (public), aa_section (public)

Testcases:
No testcase defined.
Source code:
        
        set _aa_export {}
        set body_count 1
        foreach testcase_body {{
        #
        # Create a couple of test users
        #
        set all_parties [list]

        for {set i 1} {$i <= 4} {incr i} {
            set user_id [dict get [acs::test::user::create] user_id]
            set user_$i $user_id
            lappend all_parties $user_id
        }

        set admin_user [dict get [acs::test::user::create -admin] user_id]
        lappend all_parties $admin_user

        aa_run_with_teardown -rollback -test_code {
            #
            # To test permissions on some object, we create 2
            # subsites. The second subsite inherits the permission
            # context from the first.
            #
            set test_subsite_1 [site_node::instantiate_and_mount  -node_name test-subsite-[db_nextval acs_object_id_seq]  -package_key acs-subsite]
            set test_subsite_2 [site_node::instantiate_and_mount  -node_name test-subsite-[db_nextval acs_object_id_seq]  -package_key acs-subsite  -context_id $test_subsite_1]

            #
            # One advantage of using subsites to test is that they
            # come with their own application group for free.
            #
            set test_group_1 [application_group::group_id_from_package_id  -package_id $test_subsite_1]
            set test_group_2 [application_group::group_id_from_package_id  -package_id $test_subsite_2]
            lappend all_parties $test_group_1
            lappend all_parties $test_group_2

            #
            # Split the test users in the two application groups.
            #
            group::add_member  -no_perm_check  -group_id $test_group_1  -user_id $user_1
            group::add_member  -no_perm_check  -group_id $test_group_1  -user_id $user_2

            group::add_member  -no_perm_check  -group_id $test_group_2  -user_id $user_3
            group::add_member  -no_perm_check  -group_id $test_group_2  -user_id $user_4

            #
            # Grant admin privilege for users of group 1 in the first subsite.
            #
            permission::grant -party_id $test_group_1 -object_id $test_subsite_1 -privilege "admin"

            #
            # Grant admin privilege for user_4 in the second subsite.
            #
            permission::grant -party_id $user_4 -object_id $test_subsite_2 -privilege "admin"

            #
            # Do a roundtrip on the inheritance settings api
            #
            aa_section "Check inheritance API"

            aa_true "Default inherit status is true"  [permission::inherit_p -object_id $test_subsite_2]

            permission::toggle_inherit -object_id $test_subsite_2
            aa_false "Inheritance off"  [permission::inherit_p -object_id $test_subsite_2]

            permission::toggle_inherit -object_id $test_subsite_2
            aa_true "Inheritance on"  [permission::inherit_p -object_id $test_subsite_2]

            #
            # We do this twice to check for consistency
            #
            permission::set_not_inherit -object_id $test_subsite_2
            aa_false "Inheritance off"  [permission::inherit_p -object_id $test_subsite_2]
            permission::set_not_inherit -object_id $test_subsite_2
            aa_false "Inheritance off"  [permission::inherit_p -object_id $test_subsite_2]

            #
            # We do this twice to check for consistency
            #
            permission::set_inherit -object_id $test_subsite_2
            aa_true "Inheritance on"  [permission::inherit_p -object_id $test_subsite_2]
            permission::set_inherit -object_id $test_subsite_2
            aa_true "Inheritance on"  [permission::inherit_p -object_id $test_subsite_2]

            #
            # Now verify permissions in various inheritance settings
            #

            aa_section "Standard permission - Inheritance ON"

            #
            # System parameters affect how permissions are cached, so
            # to have a consistent behavior on different
            # installations, we flush manually.
            #
            foreach party_id $all_parties {
                permission::cache_flush -party_id $party_id
            }

            for {set i 1} {$i <= 2} {incr i} {
                set user_id [set user_$i]
                aa_true "User '$user_id' from group 1, is an admin of subsite 2"  [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege "admin"]
            }
            for {set i 3} {$i <= 4} {incr i} {
                set user_id [set user_$i]
                aa_false "User '$user_id' from group 2, is NOT an admin of subsite 1"  [permission::permission_p -party_id $user_id -object_id $test_subsite_1 -privilege "admin"]
            }
            aa_true "User 4 has admin privilege on subsite 2"  [permission::permission_p -party_id $user_4 -object_id $test_subsite_2 -privilege "admin"]
            aa_true "Group 1 has admin privilege on subsite 2"  [permission::permission_p -party_id $test_group_1 -object_id $test_subsite_2 -privilege "admin"]
            aa_true "SWA has admin privilege on subsite 2"  [permission::permission_p -party_id $admin_user -object_id $test_subsite_2 -privilege "admin"]

            set parties_with_permissions [list]
            foreach entry [permission::get_parties_with_permission  -object_id $test_subsite_2  -privilege admin] {
                lassign $entry party_name party_id
                lappend parties_with_permissions $party_id
            }
            foreach party_id [list $test_group_1 $user_1 $user_2 $user_4 $admin_user] {
                aa_true "'$party_id' belongs to the parties with admin privileges '$parties_with_permissions'"  {$party_id in $parties_with_permissions}
            }
            foreach party_id [list $test_group_2 $user_3] {
                aa_true "'$party_id' does NOT belong to the parties with admin privileges '$parties_with_permissions'"  {$party_id ni $parties_with_permissions}
            }

            aa_section "Standard permission - Inheritance OFF"

            permission::toggle_inherit -object_id $test_subsite_2

            foreach party_id $all_parties {
                permission::cache_flush -party_id $party_id
            }

            for {set i 1} {$i <= 2} {incr i} {
                set user_id [set user_$i]
                aa_false "User '$user_id' from group 1, is NOT an admin of subsite 2"  [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege "admin"]
            }
            for {set i 3} {$i <= 4} {incr i} {
                set user_id [set user_$i]
                aa_false "User '$user_id' from group 2, is NOT an admin of subsite 1"  [permission::permission_p -party_id $user_id -object_id $test_subsite_1 -privilege "admin"]
            }
            aa_true "User 4 has admin privilege on subsite 2"  [permission::permission_p -party_id $user_4 -object_id $test_subsite_2 -privilege "admin"]
            aa_false "Group 1 has NO admin privilege on subsite 2"  [permission::permission_p -party_id $test_group_1 -object_id $test_subsite_2 -privilege "admin"]
            aa_true "SWA has admin privilege on subsite 2"  [permission::permission_p -party_id $admin_user -object_id $test_subsite_2 -privilege "admin"]

            set parties_with_permissions [list]
            foreach entry [permission::get_parties_with_permission  -object_id $test_subsite_2  -privilege admin] {
                lassign $entry party_name party_id
                lappend parties_with_permissions $party_id
            }
            foreach party_id [list $user_4 $admin_user] {
                aa_true "'$party_id' belongs to the parties with admin privileges '$parties_with_permissions'"  {$party_id in $parties_with_permissions}
            }
            foreach party_id [list $test_group_1 $test_group_2 $user_1 $user_2 $user_3] {
                aa_true "'$party_id' does NOT belong to the parties with admin privileges '$parties_with_permissions'"  {$party_id ni $parties_with_permissions}
            }


            aa_section "Create a custom user-defined permission"

            set privilege __test_permission
            aa_log "Creating a custom permission"
            ::acs::dc call acs_privilege create_privilege -privilege $privilege

            aa_log "Grant '$privilege' for users of group 1 in the first subsite."
            permission::grant -party_id $test_group_1 -object_id $test_subsite_1 -privilege $privilege

            aa_log "Grant '$privilege' for user_4 in the second subsite."
            permission::grant -party_id $user_4 -object_id $test_subsite_2 -privilege $privilege


            aa_section "Custom non-child permission - Inheritance ON"

            permission::set_inherit -object_id $test_subsite_2

            foreach party_id $all_parties {
                permission::cache_flush -party_id $party_id
            }

            for {set i 1} {$i <= 2} {incr i} {
                set user_id [set user_$i]
                aa_true "User '$user_id' from group 1, is has '$privilege' of subsite 2"  [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege $privilege]
            }
            for {set i 3} {$i <= 4} {incr i} {
                set user_id [set user_$i]
                aa_false "User '$user_id' from group 2, has NOT '$privilege' of subsite 1"  [permission::permission_p -party_id $user_id -object_id $test_subsite_1 -privilege $privilege]
            }
            aa_true "User 4 has $privilege privilege on subsite 2"  [permission::permission_p -party_id $user_4 -object_id $test_subsite_2 -privilege $privilege]
            aa_true "Group 1 has $privilege privilege on subsite 2"  [permission::permission_p -party_id $test_group_1 -object_id $test_subsite_2 -privilege $privilege]
            #
            # An SWA does not have a custom non-child permission when
            # this is inherited, because it is not a member of any
            # party having it.
            #
            # The only parties with this permission are those we have
            # set explicitly.
            #
            aa_false "SWA has NOT $privilege privilege on subsite 2"  [permission::permission_p -party_id $admin_user -object_id $test_subsite_2 -privilege $privilege]

            set parties_with_permissions [list]
            foreach entry [permission::get_parties_with_permission  -object_id $test_subsite_2  -privilege $privilege] {
                lassign $entry party_name party_id
                lappend parties_with_permissions $party_id
            }
            foreach party_id [list $test_group_1 $user_1 $user_2 $user_4] {
                aa_true "'$party_id' belongs to the parties with $privilege privileges '$parties_with_permissions'"  {$party_id in $parties_with_permissions}
            }
            foreach party_id [list $test_group_2 $user_3 $admin_user] {
                aa_true "'$party_id' does NOT belong to the parties with $privilege privileges '$parties_with_permissions'"  {$party_id ni $parties_with_permissions}
            }


            aa_section "Custom non-child permission - Inheritance OFF"

            permission::set_not_inherit -object_id $test_subsite_2

            foreach party_id $all_parties {
                permission::cache_flush -party_id $party_id
            }

            for {set i 1} {$i <= 2} {incr i} {
                set user_id [set user_$i]
                aa_false "User '$user_id' from group 1, is NOT an admin of subsite 2"  [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege "admin"]
            }
            for {set i 3} {$i <= 4} {incr i} {
                set user_id [set user_$i]
                aa_false "User '$user_id' from group 2, is NOT an admin of subsite 1"  [permission::permission_p -party_id $user_id -object_id $test_subsite_1 -privilege "admin"]
            }
            aa_true "User 4 has admin privilege on subsite 2"  [permission::permission_p -party_id $user_4 -object_id $test_subsite_2 -privilege "admin"]
            aa_false "Group 1 has NO admin privilege on subsite 2"  [permission::permission_p -party_id $test_group_1 -object_id $test_subsite_2 -privilege "admin"]
            #
            # Maybe counterintuitively, an SWA will have permission
            # here when inheritance is off, because in this case the
            # object's context will be forced to the root context,
            # where the SWA has admin privilege.
            #
            aa_true "SWA has admin privilege on subsite 2"  [permission::permission_p -party_id $admin_user -object_id $test_subsite_2 -privilege "admin"]

            set parties_with_permissions [list]
            foreach entry [permission::get_parties_with_permission  -object_id $test_subsite_2  -privilege admin] {
                lassign $entry party_name party_id
                lappend parties_with_permissions $party_id
            }
            foreach party_id [list $user_4 $admin_user] {
                aa_true "'$party_id' belongs to the parties with admin privileges '$parties_with_permissions'"  {$party_id in $parties_with_permissions}
            }
            foreach party_id [list $test_group_1 $test_group_2 $user_1 $user_2 $user_3] {
                aa_true "'$party_id' does NOT belong to the parties with admin privileges '$parties_with_permissions'"  {$party_id ni $parties_with_permissions}
            }

            aa_section "Custom permission child of a standard permission - Inheritance ON"

            aa_log "Making the privilege a child of the read privilege"
            ::acs::dc call acs_privilege add_child  -privilege read -child_privilege $privilege

            permission::set_inherit -object_id $test_subsite_2

            foreach party_id $all_parties {
                permission::cache_flush -party_id $party_id
            }

            #
            # As the new privilege is a child of the read privilege,
            # members of Group 2 will also have this permission.
            #
            for {set i 1} {$i <= 2} {incr i} {
                set user_id [set user_$i]
                aa_true "User '$user_id' from group 1, is has '$privilege' on subsite 2"  [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege $privilege]
            }
            for {set i 3} {$i <= 4} {incr i} {
                set user_id [set user_$i]
                aa_true "User '$user_id' from group 2, is has '$privilege' on subsite 2"  [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege $privilege]
            }
            aa_true "Group 1 has $privilege privilege on subsite 2"  [permission::permission_p -party_id $test_group_1 -object_id $test_subsite_2 -privilege $privilege]
            aa_true "SWA has $privilege privilege on subsite 2"  [permission::permission_p -party_id $admin_user -object_id $test_subsite_2 -privilege $privilege]
            #
            # Group 2 itself won't have permission, as default read
            # for members is obtained through the relationship
            # segment.
            #
            aa_false "Group 2 has NOT $privilege privilege on subsite 2"  [permission::permission_p -party_id $test_group_2 -object_id $test_subsite_2 -privilege $privilege]
            set test_group_2_members [group::get_rel_segment -group_id $test_group_2 -type membership_rel]
            aa_true "Group 2 membership rel has $privilege privilege on subsite 2"  [permission::permission_p -party_id $test_group_2_members -object_id $test_subsite_2 -privilege $privilege]

            set parties_with_permissions [list]
            foreach entry [permission::get_parties_with_permission  -object_id $test_subsite_2  -privilege $privilege] {
                lassign $entry party_name party_id
                lappend parties_with_permissions $party_id
            }
            foreach party_id [list $test_group_1 $test_group_2_members $user_1 $user_2 $user_3 $user_4] {
                aa_true "'$party_id' belongs to the parties with $privilege privileges '$parties_with_permissions'"  {$party_id in $parties_with_permissions}
            }
            foreach party_id [list $test_group_2] {
                aa_true "'$party_id' does NOT belong to the parties with admin privileges '$parties_with_permissions'"  {$party_id ni $parties_with_permissions}
            }


            aa_section "Custom permission child of a standard permission - Inheritance OFF"

            permission::set_not_inherit -object_id $test_subsite_2

            foreach party_id $all_parties {
                permission::cache_flush -party_id $party_id
            }

            #
            # Group 1 does not inherit this permission now.
            #
            for {set i 1} {$i <= 2} {incr i} {
                set user_id [set user_$i]
                aa_false "User '$user_id' from group 1, is has NOT '$privilege' on subsite 2"  [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege $privilege]
            }
            #
            # Group 2 still has it by means of the privilege being a child of read
            #
            for {set i 3} {$i <= 4} {incr i} {
                set user_id [set user_$i]
                aa_true "User '$user_id' from group 2, is has '$privilege' on subsite 2"  [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege $privilege]
            }
            aa_false "Group 1 has NOT $privilege privilege on subsite 2"  [permission::permission_p -party_id $test_group_1 -object_id $test_subsite_2 -privilege $privilege]
            aa_true "SWA has $privilege privilege on subsite 2"  [permission::permission_p -party_id $admin_user -object_id $test_subsite_2 -privilege $privilege]
            aa_false "Group 2 has NOT $privilege privilege on subsite 2"  [permission::permission_p -party_id $test_group_2 -object_id $test_subsite_2 -privilege $privilege]
            set test_group_2_members [group::get_rel_segment -group_id $test_group_2 -type membership_rel]
            aa_true "Group 2 membership rel has $privilege privilege on subsite 2"  [permission::permission_p -party_id $test_group_2_members -object_id $test_subsite_2 -privilege $privilege]

            set parties_with_permissions [list]
            foreach entry [permission::get_parties_with_permission  -object_id $test_subsite_2  -privilege $privilege] {
                lassign $entry party_name party_id
                lappend parties_with_permissions $party_id
            }
            foreach party_id [list $test_group_2_members $user_3 $user_4] {
                aa_true "'$party_id' belongs to the parties with $privilege privileges '$parties_with_permissions'"  {$party_id in $parties_with_permissions}
            }
            foreach party_id [list $test_group_1 $test_group_2 $user_1 $user_2] {
                aa_true "'$party_id' does NOT belong to the parties with admin privileges '$parties_with_permissions'"  {$party_id ni $parties_with_permissions}
            }

        } -teardown_code {
            foreach user_id [list $user_1 $user_2 $user_3 $user_4 $admin_user] {
                acs::test::user::delete  -user_id $user_id  -delete_created_acs_objects
            }
        }
    }} {
          aa_log "Running testcase body $body_count"
          set ::__aa_test_indent [info level]
          set catch_val [catch $testcase_body msg]
          if {$catch_val != 0 && $catch_val != 2} {
              aa_log_result "fail" "test_inheritance_and_custom_permissions (body $body_count): Error during execution: $msg, stack trace: \n$::errorInfo"
          }
          incr body_count
        }
XQL Not present:
Generic, PostgreSQL, Oracle