diff options
| author | Jannis Leidel <jannis@leidel.info> | 2009-12-10 01:05:35 +0000 |
|---|---|---|
| committer | Jannis Leidel <jannis@leidel.info> | 2009-12-10 01:05:35 +0000 |
| commit | 9bf652dfd6a738fd841471f6abd71cba1b206d9f (patch) | |
| tree | 91dde2a8b9f13ca46250152c9fa165d043eeaad3 /django | |
| parent | 2c2f5aee4d44836779fcd74c7782368914f9cfd1 (diff) | |
Fixed #11010 - Add a foundation for object permissions to authentication backends. Thanks to Florian Apolloner for writing the initial patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11807 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django')
| -rw-r--r-- | django/contrib/auth/__init__.py | 7 | ||||
| -rw-r--r-- | django/contrib/auth/backends.py | 2 | ||||
| -rw-r--r-- | django/contrib/auth/models.py | 57 | ||||
| -rw-r--r-- | django/contrib/auth/tests/__init__.py | 1 | ||||
| -rw-r--r-- | django/contrib/auth/tests/auth_backends.py | 149 |
5 files changed, 200 insertions, 16 deletions
diff --git a/django/contrib/auth/__init__.py b/django/contrib/auth/__init__.py index b89aee1682..eda3e386d3 100644 --- a/django/contrib/auth/__init__.py +++ b/django/contrib/auth/__init__.py @@ -1,4 +1,5 @@ import datetime +from warnings import warn from django.core.exceptions import ImproperlyConfigured from django.utils.importlib import import_module @@ -19,6 +20,12 @@ def load_backend(path): cls = getattr(mod, attr) except AttributeError: raise ImproperlyConfigured, 'Module "%s" does not define a "%s" authentication backend' % (module, attr) + try: + getattr(cls, 'supports_object_permissions') + except AttributeError: + warn("Authentication backends without a `supports_object_permissions` attribute are deprecated. Please define it in %s." % cls, + PendingDeprecationWarning) + cls.supports_object_permissions = False return cls() def get_backends(): diff --git a/django/contrib/auth/backends.py b/django/contrib/auth/backends.py index 05f98358b7..80a6bef136 100644 --- a/django/contrib/auth/backends.py +++ b/django/contrib/auth/backends.py @@ -11,6 +11,8 @@ class ModelBackend(object): """ Authenticates against django.contrib.auth.models.User. """ + supports_object_permissions = False + # TODO: Model, login attribute name and password attribute name should be # configurable. def authenticate(self, username=None, password=None): diff --git a/django/contrib/auth/models.py b/django/contrib/auth/models.py index 55fbb39bec..053761cb56 100644 --- a/django/contrib/auth/models.py +++ b/django/contrib/auth/models.py @@ -121,7 +121,8 @@ class UserManager(models.Manager): return ''.join([choice(allowed_chars) for i in range(length)]) class User(models.Model): - """Users within the Django authentication system are represented by this model. + """ + Users within the Django authentication system are represented by this model. Username and password are required. Other fields are optional. """ @@ -151,11 +152,16 @@ class User(models.Model): return "/users/%s/" % urllib.quote(smart_str(self.username)) def is_anonymous(self): - "Always returns False. This is a way of comparing User objects to anonymous users." + """ + Always returns False. This is a way of comparing User objects to + anonymous users. + """ return False def is_authenticated(self): - """Always return True. This is a way to tell if the user has been authenticated in templates. + """ + Always return True. This is a way to tell if the user has been + authenticated in templates. """ return True @@ -194,30 +200,41 @@ class User(models.Model): def has_usable_password(self): return self.password != UNUSABLE_PASSWORD - def get_group_permissions(self): + def get_group_permissions(self, obj=None): """ Returns a list of permission strings that this user has through his/her groups. This method queries all available auth backends. + If an object is passed in, only permissions matching this object + are returned. """ permissions = set() for backend in auth.get_backends(): if hasattr(backend, "get_group_permissions"): - permissions.update(backend.get_group_permissions(self)) + if obj is not None and backend.supports_object_permissions: + group_permissions = backend.get_group_permissions(self, obj) + else: + group_permissions = backend.get_group_permissions(self) + permissions.update(group_permissions) return permissions - def get_all_permissions(self): + def get_all_permissions(self, obj=None): permissions = set() for backend in auth.get_backends(): if hasattr(backend, "get_all_permissions"): - permissions.update(backend.get_all_permissions(self)) + if obj is not None and backend.supports_object_permissions: + all_permissions = backend.get_all_permissions(self, obj) + else: + all_permissions = backend.get_all_permissions(self) + permissions.update(all_permissions) return permissions - def has_perm(self, perm): + def has_perm(self, perm, obj=None): """ Returns True if the user has the specified permission. This method queries all available auth backends, but returns immediately if any backend returns True. Thus, a user who has permission from a single - auth backend is assumed to have permission in general. + auth backend is assumed to have permission in general. If an object + is provided, permissions for this specific object are checked. """ # Inactive users have no permissions. if not self.is_active: @@ -230,14 +247,22 @@ class User(models.Model): # Otherwise we need to check the backends. for backend in auth.get_backends(): if hasattr(backend, "has_perm"): - if backend.has_perm(self, perm): - return True + if obj is not None and backend.supports_object_permissions: + if backend.has_perm(self, perm, obj): + return True + else: + if backend.has_perm(self, perm): + return True return False - def has_perms(self, perm_list): - """Returns True if the user has each of the specified permissions.""" + def has_perms(self, perm_list, obj=None): + """ + Returns True if the user has each of the specified permissions. + If object is passed, it checks if the user has all required perms + for this object. + """ for perm in perm_list: - if not self.has_perm(perm): + if not self.has_perm(perm, obj): return False return True @@ -358,10 +383,10 @@ class AnonymousUser(object): return self._user_permissions user_permissions = property(_get_user_permissions) - def has_perm(self, perm): + def has_perm(self, perm, obj=None): return False - def has_perms(self, perm_list): + def has_perms(self, perm_list, obj=None): return False def has_module_perms(self, module): diff --git a/django/contrib/auth/tests/__init__.py b/django/contrib/auth/tests/__init__.py index 14428d0fc8..9a078cf643 100644 --- a/django/contrib/auth/tests/__init__.py +++ b/django/contrib/auth/tests/__init__.py @@ -4,6 +4,7 @@ from django.contrib.auth.tests.views \ from django.contrib.auth.tests.forms import FORM_TESTS from django.contrib.auth.tests.remote_user \ import RemoteUserTest, RemoteUserNoCreateTest, RemoteUserCustomTest +from django.contrib.auth.tests.auth_backends import BackendTest, RowlevelBackendTest from django.contrib.auth.tests.tokens import TOKEN_GENERATOR_TESTS # The password for the fixture data users is 'password' diff --git a/django/contrib/auth/tests/auth_backends.py b/django/contrib/auth/tests/auth_backends.py new file mode 100644 index 0000000000..bf5611aef0 --- /dev/null +++ b/django/contrib/auth/tests/auth_backends.py @@ -0,0 +1,149 @@ +from django.conf import settings +from django.contrib.auth.models import User, Group, Permission, AnonymousUser +from django.contrib.contenttypes.models import ContentType +from django.test import TestCase + + +class BackendTest(TestCase): + + backend = 'django.contrib.auth.backends.ModelBackend' + + def setUp(self): + self.curr_auth = settings.AUTHENTICATION_BACKENDS + settings.AUTHENTICATION_BACKENDS = (self.backend,) + User.objects.create_user('test', 'test@example.com', 'test') + + def tearDown(self): + settings.AUTHENTICATION_BACKENDS = self.curr_auth + + def test_has_perm(self): + user = User.objects.get(username='test') + self.assertEqual(user.has_perm('auth.test'), False) + user.is_staff = True + user.save() + self.assertEqual(user.has_perm('auth.test'), False) + user.is_superuser = True + user.save() + self.assertEqual(user.has_perm('auth.test'), True) + user.is_staff = False + user.is_superuser = False + user.save() + self.assertEqual(user.has_perm('auth.test'), False) + + def test_custom_perms(self): + user = User.objects.get(username='test') + content_type=ContentType.objects.get_for_model(Group) + perm = Permission.objects.create(name='test', content_type=content_type, codename='test') + user.user_permissions.add(perm) + user.save() + + # reloading user to purge the _perm_cache + user = User.objects.get(username='test') + self.assertEqual(user.get_all_permissions() == set([u'auth.test']), True) + self.assertEqual(user.get_group_permissions(), set([])) + self.assertEqual(user.has_module_perms('Group'), False) + self.assertEqual(user.has_module_perms('auth'), True) + perm = Permission.objects.create(name='test2', content_type=content_type, codename='test2') + user.user_permissions.add(perm) + user.save() + perm = Permission.objects.create(name='test3', content_type=content_type, codename='test3') + user.user_permissions.add(perm) + user.save() + user = User.objects.get(username='test') + self.assertEqual(user.get_all_permissions(), set([u'auth.test2', u'auth.test', u'auth.test3'])) + self.assertEqual(user.has_perm('test'), False) + self.assertEqual(user.has_perm('auth.test'), True) + self.assertEqual(user.has_perms(['auth.test2', 'auth.test3']), True) + perm = Permission.objects.create(name='test_group', content_type=content_type, codename='test_group') + group = Group.objects.create(name='test_group') + group.permissions.add(perm) + group.save() + user.groups.add(group) + user = User.objects.get(username='test') + exp = set([u'auth.test2', u'auth.test', u'auth.test3', u'auth.test_group']) + self.assertEqual(user.get_all_permissions(), exp) + self.assertEqual(user.get_group_permissions(), set([u'auth.test_group'])) + self.assertEqual(user.has_perms(['auth.test3', 'auth.test_group']), True) + + user = AnonymousUser() + self.assertEqual(user.has_perm('test'), False) + self.assertEqual(user.has_perms(['auth.test2', 'auth.test3']), False) + + +class TestObj(object): + pass + + +class SimpleRowlevelBackend(object): + supports_object_permissions = True + + def has_perm(self, user, perm, obj=None): + if not obj: + return # We only support row level perms + + if isinstance(obj, TestObj): + if user.username == 'test2': + return True + elif isinstance(user, AnonymousUser) and perm == 'anon': + return True + return False + + def get_all_permissions(self, user, obj=None): + if not obj: + return [] # We only support row level perms + + if not isinstance(obj, TestObj): + return ['none'] + + if user.username == 'test2': + return ['simple', 'advanced'] + else: + return ['simple'] + + def get_group_permissions(self, user, obj=None): + if not obj: + return # We only support row level perms + + if not isinstance(obj, TestObj): + return ['none'] + + if 'test_group' in [group.name for group in user.groups.all()]: + return ['group_perm'] + else: + return ['none'] + + +class RowlevelBackendTest(TestCase): + + backend = 'django.contrib.auth.tests.auth_backends.SimpleRowlevelBackend' + + def setUp(self): + self.curr_auth = settings.AUTHENTICATION_BACKENDS + settings.AUTHENTICATION_BACKENDS = self.curr_auth + (self.backend,) + self.user1 = User.objects.create_user('test', 'test@example.com', 'test') + self.user2 = User.objects.create_user('test2', 'test2@example.com', 'test') + self.user3 = AnonymousUser() + self.user4 = User.objects.create_user('test4', 'test4@example.com', 'test') + + def tearDown(self): + settings.AUTHENTICATION_BACKENDS = self.curr_auth + + def test_has_perm(self): + self.assertEqual(self.user1.has_perm('perm', TestObj()), False) + self.assertEqual(self.user2.has_perm('perm', TestObj()), True) + self.assertEqual(self.user2.has_perm('perm'), False) + self.assertEqual(self.user2.has_perms(['simple', 'advanced'], TestObj()), True) + self.assertEqual(self.user3.has_perm('perm', TestObj()), False) + self.assertEqual(self.user3.has_perm('anon', TestObj()), False) + self.assertEqual(self.user3.has_perms(['simple', 'advanced'], TestObj()), False) + + def test_get_all_permissions(self): + self.assertEqual(self.user1.get_all_permissions(TestObj()), set(['simple'])) + self.assertEqual(self.user2.get_all_permissions(TestObj()), set(['simple', 'advanced'])) + self.assertEqual(self.user2.get_all_permissions(), set([])) + + def test_get_group_permissions(self): + content_type=ContentType.objects.get_for_model(Group) + group = Group.objects.create(name='test_group') + self.user4.groups.add(group) + self.assertEqual(self.user4.get_group_permissions(TestObj()), set(['group_perm'])) |
