_acs-tcl__test_inheritance_and_custom_permissions (private)
_acs-tcl__test_inheritance_and_custom_permissions
Defined in packages/acs-tcl/tcl/test/test-permissions-procs.tcl
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- No testcase defined.
Source code: set _aa_export {} set body_count 1 foreach testcase_body {{ # # Create a couple of test users # set all_parties [list] for {set i 1} {$i <= 4} {incr i} { set user_id [dict get [acs::test::user::create] user_id] set user_$i $user_id lappend all_parties $user_id } set admin_user [dict get [acs::test::user::create -admin] user_id] lappend all_parties $admin_user aa_run_with_teardown -rollback -test_code { # # To test permissions on some object, we create 2 # subsites. The second subsite inherits the permission # context from the first. # set test_subsite_1 [site_node::instantiate_and_mount -node_name test-subsite-[db_nextval acs_object_id_seq] -package_key acs-subsite] set test_subsite_2 [site_node::instantiate_and_mount -node_name test-subsite-[db_nextval acs_object_id_seq] -package_key acs-subsite -context_id $test_subsite_1] # # One advantage of using subsites to test is that they # come with their own application group for free. # set test_group_1 [application_group::group_id_from_package_id -package_id $test_subsite_1] set test_group_2 [application_group::group_id_from_package_id -package_id $test_subsite_2] lappend all_parties $test_group_1 lappend all_parties $test_group_2 # # Split the test users in the two application groups. # group::add_member -no_perm_check -group_id $test_group_1 -user_id $user_1 group::add_member -no_perm_check -group_id $test_group_1 -user_id $user_2 group::add_member -no_perm_check -group_id $test_group_2 -user_id $user_3 group::add_member -no_perm_check -group_id $test_group_2 -user_id $user_4 # # Grant admin privilege for users of group 1 in the first subsite. # permission::grant -party_id $test_group_1 -object_id $test_subsite_1 -privilege "admin" # # Grant admin privilege for user_4 in the second subsite. # permission::grant -party_id $user_4 -object_id $test_subsite_2 -privilege "admin" # # Do a roundtrip on the inheritance settings api # aa_section "Check inheritance API" aa_true "Default inherit status is true" [permission::inherit_p -object_id $test_subsite_2] permission::toggle_inherit -object_id $test_subsite_2 aa_false "Inheritance off" [permission::inherit_p -object_id $test_subsite_2] permission::toggle_inherit -object_id $test_subsite_2 aa_true "Inheritance on" [permission::inherit_p -object_id $test_subsite_2] # # We do this twice to check for consistency # permission::set_not_inherit -object_id $test_subsite_2 aa_false "Inheritance off" [permission::inherit_p -object_id $test_subsite_2] permission::set_not_inherit -object_id $test_subsite_2 aa_false "Inheritance off" [permission::inherit_p -object_id $test_subsite_2] # # We do this twice to check for consistency # permission::set_inherit -object_id $test_subsite_2 aa_true "Inheritance on" [permission::inherit_p -object_id $test_subsite_2] permission::set_inherit -object_id $test_subsite_2 aa_true "Inheritance on" [permission::inherit_p -object_id $test_subsite_2] # # Now verify permissions in various inheritance settings # aa_section "Standard permission - Inheritance ON" # # System parameters affect how permissions are cached, so # to have a consistent behavior on different # installations, we flush manually. # foreach party_id $all_parties { permission::cache_flush -party_id $party_id } for {set i 1} {$i <= 2} {incr i} { set user_id [set user_$i] aa_true "User '$user_id' from group 1, is an admin of subsite 2" [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege "admin"] } for {set i 3} {$i <= 4} {incr i} { set user_id [set user_$i] aa_false "User '$user_id' from group 2, is NOT an admin of subsite 1" [permission::permission_p -party_id $user_id -object_id $test_subsite_1 -privilege "admin"] } aa_true "User 4 has admin privilege on subsite 2" [permission::permission_p -party_id $user_4 -object_id $test_subsite_2 -privilege "admin"] aa_true "Group 1 has admin privilege on subsite 2" [permission::permission_p -party_id $test_group_1 -object_id $test_subsite_2 -privilege "admin"] aa_true "SWA has admin privilege on subsite 2" [permission::permission_p -party_id $admin_user -object_id $test_subsite_2 -privilege "admin"] set parties_with_permissions [list] foreach entry [permission::get_parties_with_permission -object_id $test_subsite_2 -privilege admin] { lassign $entry party_name party_id lappend parties_with_permissions $party_id } foreach party_id [list $test_group_1 $user_1 $user_2 $user_4 $admin_user] { aa_true "'$party_id' belongs to the parties with admin privileges '$parties_with_permissions'" {$party_id in $parties_with_permissions} } foreach party_id [list $test_group_2 $user_3] { aa_true "'$party_id' does NOT belong to the parties with admin privileges '$parties_with_permissions'" {$party_id ni $parties_with_permissions} } aa_section "Standard permission - Inheritance OFF" permission::toggle_inherit -object_id $test_subsite_2 foreach party_id $all_parties { permission::cache_flush -party_id $party_id } for {set i 1} {$i <= 2} {incr i} { set user_id [set user_$i] aa_false "User '$user_id' from group 1, is NOT an admin of subsite 2" [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege "admin"] } for {set i 3} {$i <= 4} {incr i} { set user_id [set user_$i] aa_false "User '$user_id' from group 2, is NOT an admin of subsite 1" [permission::permission_p -party_id $user_id -object_id $test_subsite_1 -privilege "admin"] } aa_true "User 4 has admin privilege on subsite 2" [permission::permission_p -party_id $user_4 -object_id $test_subsite_2 -privilege "admin"] aa_false "Group 1 has NO admin privilege on subsite 2" [permission::permission_p -party_id $test_group_1 -object_id $test_subsite_2 -privilege "admin"] aa_true "SWA has admin privilege on subsite 2" [permission::permission_p -party_id $admin_user -object_id $test_subsite_2 -privilege "admin"] set parties_with_permissions [list] foreach entry [permission::get_parties_with_permission -object_id $test_subsite_2 -privilege admin] { lassign $entry party_name party_id lappend parties_with_permissions $party_id } foreach party_id [list $user_4 $admin_user] { aa_true "'$party_id' belongs to the parties with admin privileges '$parties_with_permissions'" {$party_id in $parties_with_permissions} } foreach party_id [list $test_group_1 $test_group_2 $user_1 $user_2 $user_3] { aa_true "'$party_id' does NOT belong to the parties with admin privileges '$parties_with_permissions'" {$party_id ni $parties_with_permissions} } aa_section "Create a custom user-defined permission" set privilege __test_permission aa_log "Creating a custom permission" ::acs::dc call acs_privilege create_privilege -privilege $privilege aa_log "Grant '$privilege' for users of group 1 in the first subsite." permission::grant -party_id $test_group_1 -object_id $test_subsite_1 -privilege $privilege aa_log "Grant '$privilege' for user_4 in the second subsite." permission::grant -party_id $user_4 -object_id $test_subsite_2 -privilege $privilege aa_section "Custom non-child permission - Inheritance ON" permission::set_inherit -object_id $test_subsite_2 foreach party_id $all_parties { permission::cache_flush -party_id $party_id } for {set i 1} {$i <= 2} {incr i} { set user_id [set user_$i] aa_true "User '$user_id' from group 1, is has '$privilege' of subsite 2" [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege $privilege] } for {set i 3} {$i <= 4} {incr i} { set user_id [set user_$i] aa_false "User '$user_id' from group 2, has NOT '$privilege' of subsite 1" [permission::permission_p -party_id $user_id -object_id $test_subsite_1 -privilege $privilege] } aa_true "User 4 has $privilege privilege on subsite 2" [permission::permission_p -party_id $user_4 -object_id $test_subsite_2 -privilege $privilege] aa_true "Group 1 has $privilege privilege on subsite 2" [permission::permission_p -party_id $test_group_1 -object_id $test_subsite_2 -privilege $privilege] # # An SWA does not have a custom non-child permission when # this is inherited, because it is not a member of any # party having it. # # The only parties with this permission are those we have # set explicitly. # aa_false "SWA has NOT $privilege privilege on subsite 2" [permission::permission_p -party_id $admin_user -object_id $test_subsite_2 -privilege $privilege] set parties_with_permissions [list] foreach entry [permission::get_parties_with_permission -object_id $test_subsite_2 -privilege $privilege] { lassign $entry party_name party_id lappend parties_with_permissions $party_id } foreach party_id [list $test_group_1 $user_1 $user_2 $user_4] { aa_true "'$party_id' belongs to the parties with $privilege privileges '$parties_with_permissions'" {$party_id in $parties_with_permissions} } foreach party_id [list $test_group_2 $user_3 $admin_user] { aa_true "'$party_id' does NOT belong to the parties with $privilege privileges '$parties_with_permissions'" {$party_id ni $parties_with_permissions} } aa_section "Custom non-child permission - Inheritance OFF" permission::set_not_inherit -object_id $test_subsite_2 foreach party_id $all_parties { permission::cache_flush -party_id $party_id } for {set i 1} {$i <= 2} {incr i} { set user_id [set user_$i] aa_false "User '$user_id' from group 1, is NOT an admin of subsite 2" [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege "admin"] } for {set i 3} {$i <= 4} {incr i} { set user_id [set user_$i] aa_false "User '$user_id' from group 2, is NOT an admin of subsite 1" [permission::permission_p -party_id $user_id -object_id $test_subsite_1 -privilege "admin"] } aa_true "User 4 has admin privilege on subsite 2" [permission::permission_p -party_id $user_4 -object_id $test_subsite_2 -privilege "admin"] aa_false "Group 1 has NO admin privilege on subsite 2" [permission::permission_p -party_id $test_group_1 -object_id $test_subsite_2 -privilege "admin"] # # Maybe counterintuitively, an SWA will have permission # here when inheritance is off, because in this case the # object's context will be forced to the root context, # where the SWA has admin privilege. # aa_true "SWA has admin privilege on subsite 2" [permission::permission_p -party_id $admin_user -object_id $test_subsite_2 -privilege "admin"] set parties_with_permissions [list] foreach entry [permission::get_parties_with_permission -object_id $test_subsite_2 -privilege admin] { lassign $entry party_name party_id lappend parties_with_permissions $party_id } foreach party_id [list $user_4 $admin_user] { aa_true "'$party_id' belongs to the parties with admin privileges '$parties_with_permissions'" {$party_id in $parties_with_permissions} } foreach party_id [list $test_group_1 $test_group_2 $user_1 $user_2 $user_3] { aa_true "'$party_id' does NOT belong to the parties with admin privileges '$parties_with_permissions'" {$party_id ni $parties_with_permissions} } aa_section "Custom permission child of a standard permission - Inheritance ON" aa_log "Making the privilege a child of the read privilege" ::acs::dc call acs_privilege add_child -privilege read -child_privilege $privilege permission::set_inherit -object_id $test_subsite_2 foreach party_id $all_parties { permission::cache_flush -party_id $party_id } # # As the new privilege is a child of the read privilege, # members of Group 2 will also have this permission. # for {set i 1} {$i <= 2} {incr i} { set user_id [set user_$i] aa_true "User '$user_id' from group 1, is has '$privilege' on subsite 2" [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege $privilege] } for {set i 3} {$i <= 4} {incr i} { set user_id [set user_$i] aa_true "User '$user_id' from group 2, is has '$privilege' on subsite 2" [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege $privilege] } aa_true "Group 1 has $privilege privilege on subsite 2" [permission::permission_p -party_id $test_group_1 -object_id $test_subsite_2 -privilege $privilege] aa_true "SWA has $privilege privilege on subsite 2" [permission::permission_p -party_id $admin_user -object_id $test_subsite_2 -privilege $privilege] # # Group 2 itself won't have permission, as default read # for members is obtained through the relationship # segment. # aa_false "Group 2 has NOT $privilege privilege on subsite 2" [permission::permission_p -party_id $test_group_2 -object_id $test_subsite_2 -privilege $privilege] set test_group_2_members [group::get_rel_segment -group_id $test_group_2 -type membership_rel] aa_true "Group 2 membership rel has $privilege privilege on subsite 2" [permission::permission_p -party_id $test_group_2_members -object_id $test_subsite_2 -privilege $privilege] set parties_with_permissions [list] foreach entry [permission::get_parties_with_permission -object_id $test_subsite_2 -privilege $privilege] { lassign $entry party_name party_id lappend parties_with_permissions $party_id } foreach party_id [list $test_group_1 $test_group_2_members $user_1 $user_2 $user_3 $user_4] { aa_true "'$party_id' belongs to the parties with $privilege privileges '$parties_with_permissions'" {$party_id in $parties_with_permissions} } foreach party_id [list $test_group_2] { aa_true "'$party_id' does NOT belong to the parties with admin privileges '$parties_with_permissions'" {$party_id ni $parties_with_permissions} } aa_section "Custom permission child of a standard permission - Inheritance OFF" permission::set_not_inherit -object_id $test_subsite_2 foreach party_id $all_parties { permission::cache_flush -party_id $party_id } # # Group 1 does not inherit this permission now. # for {set i 1} {$i <= 2} {incr i} { set user_id [set user_$i] aa_false "User '$user_id' from group 1, is has NOT '$privilege' on subsite 2" [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege $privilege] } # # Group 2 still has it by means of the privilege being a child of read # for {set i 3} {$i <= 4} {incr i} { set user_id [set user_$i] aa_true "User '$user_id' from group 2, is has '$privilege' on subsite 2" [permission::permission_p -party_id $user_id -object_id $test_subsite_2 -privilege $privilege] } aa_false "Group 1 has NOT $privilege privilege on subsite 2" [permission::permission_p -party_id $test_group_1 -object_id $test_subsite_2 -privilege $privilege] aa_true "SWA has $privilege privilege on subsite 2" [permission::permission_p -party_id $admin_user -object_id $test_subsite_2 -privilege $privilege] aa_false "Group 2 has NOT $privilege privilege on subsite 2" [permission::permission_p -party_id $test_group_2 -object_id $test_subsite_2 -privilege $privilege] set test_group_2_members [group::get_rel_segment -group_id $test_group_2 -type membership_rel] aa_true "Group 2 membership rel has $privilege privilege on subsite 2" [permission::permission_p -party_id $test_group_2_members -object_id $test_subsite_2 -privilege $privilege] set parties_with_permissions [list] foreach entry [permission::get_parties_with_permission -object_id $test_subsite_2 -privilege $privilege] { lassign $entry party_name party_id lappend parties_with_permissions $party_id } foreach party_id [list $test_group_2_members $user_3 $user_4] { aa_true "'$party_id' belongs to the parties with $privilege privileges '$parties_with_permissions'" {$party_id in $parties_with_permissions} } foreach party_id [list $test_group_1 $test_group_2 $user_1 $user_2] { aa_true "'$party_id' does NOT belong to the parties with admin privileges '$parties_with_permissions'" {$party_id ni $parties_with_permissions} } } -teardown_code { foreach user_id [list $user_1 $user_2 $user_3 $user_4 $admin_user] { acs::test::user::delete -user_id $user_id -delete_created_acs_objects } } }} { aa_log "Running testcase body $body_count" set ::__aa_test_indent [info level] set catch_val [catch $testcase_body msg] if {$catch_val != 0 && $catch_val != 2} { aa_log_result "fail" "test_inheritance_and_custom_permissions (body $body_count): Error during execution: $msg, stack trace: \n$::errorInfo" } incr body_count }XQL Not present: Generic, PostgreSQL, Oracle