~launchpad-pqm/launchpad/devel

« back to all changes in this revision

Viewing changes to lib/lp/registry/tests/test_team_webservice.py

[r=sinzui][bug=904295] Write tests to ensure limited view permission
        for teams works with the API

Show diffs side-by-side

added added

removed removed

Lines of Context:
4
4
__metaclass__ = type
5
5
 
6
6
import httplib
7
 
 
8
 
from lazr.restfulclient.errors import HTTPError
9
 
 
10
 
from canonical.testing.layers import DatabaseFunctionalLayer
 
7
import transaction
 
8
 
 
9
from zope.component import getUtility
 
10
from lazr.restfulclient.errors import (
 
11
    HTTPError,
 
12
    Unauthorized,
 
13
    )
 
14
 
 
15
from canonical.testing.layers import (
 
16
    AppServerLayer,
 
17
    DatabaseFunctionalLayer, 
 
18
    )
11
19
from lp.registry.interfaces.person import (
12
20
    PersonVisibility,
13
21
    TeamSubscriptionPolicy,
14
22
    )
 
23
from lp.services.features.testing import FeatureFixture
 
24
from lp.soyuz.enums import ArchivePurpose
 
25
from lp.soyuz.interfaces.archive import IArchiveSet
15
26
from lp.testing import (
 
27
    ExpectedException,
16
28
    launchpadlib_for,
17
29
    login_person,
18
30
    logout,
 
31
    person_logged_in,
19
32
    TestCaseWithFactory,
20
33
    )
21
34
 
93
106
            [membership.team.name
94
107
                for membership in self.person.team_memberships])
95
108
        logout()
 
109
 
 
110
 
 
111
class TestTeamLimitedViewAccess(TestCaseWithFactory):
 
112
    """Tests for team limitedView access via the webservice."""
 
113
 
 
114
    layer = AppServerLayer
 
115
 
 
116
    def setUp(self):
 
117
        super(TestTeamLimitedViewAccess, self).setUp()
 
118
        flag = 'disclosure.extra_private_team_LimitedView_security.enabled'
 
119
        flags = FeatureFixture({flag: 'true'})
 
120
        flags.setUp()
 
121
        self.addCleanup(flags.cleanUp)
 
122
 
 
123
        # Make a private team.
 
124
        team_owner = self.factory.makePerson()
 
125
        db_team = self.factory.makeTeam(
 
126
            name='private-team', owner=team_owner,
 
127
            visibility=PersonVisibility.PRIVATE,
 
128
            subscription_policy=TeamSubscriptionPolicy.RESTRICTED)
 
129
        # Create a P3A for the team.
 
130
        with person_logged_in(team_owner):
 
131
            getUtility(IArchiveSet).new(
 
132
                owner=db_team, purpose=ArchivePurpose.PPA,
 
133
                private=True, name='private-ppa')
 
134
        # Create an authorised user with limitedView permission on the team.
 
135
        # We do that by subscribing the team and the user to the same
 
136
        # private bug.
 
137
        self.bug_owner = self.factory.makePerson()
 
138
        bug = self.factory.makeBug(owner=self.bug_owner, private=True)
 
139
        self.authorised_person = self.factory.makePerson()
 
140
        with person_logged_in(self.bug_owner):
 
141
            bug.subscribe(db_team, self.bug_owner)
 
142
            bug.subscribe(self.authorised_person, self.bug_owner)
 
143
            self.bug_id = bug.id
 
144
        self.factory.makeProduct(name='some-product', bug_supervisor=db_team)
 
145
        transaction.commit()
 
146
 
 
147
    def test_unauthorised_cannot_see_team(self):
 
148
        # Test that an unauthorised user cannot see the team.
 
149
        some_person = self.factory.makePerson()
 
150
        launchpad = self.factory.makeLaunchpadService(some_person)
 
151
        with ExpectedException(KeyError, '.*'):
 
152
            launchpad.people['private-team']
 
153
 
 
154
    def test_unauthorised_cannot_navigate_to_team_details(self):
 
155
        # Test that a user cannot get a team reference from another model
 
156
        # object and use that to access unauthorised details.
 
157
        some_person = self.factory.makePerson()
 
158
        launchpad = self.factory.makeLaunchpadService(some_person)
 
159
        team = launchpad.projects['some-product'].bug_supervisor
 
160
        failure_regex = '.*permission to see.*'
 
161
        with ExpectedException(ValueError, failure_regex):
 
162
            print team.name
 
163
 
 
164
    def test_authorised_user_can_see_team_limitedView_details(self):
 
165
        # Test that a user with limitedView permission can access the team and
 
166
        # see attributes/methods on the IPersonLimitedView interface.
 
167
        launchpad = self.factory.makeLaunchpadService(self.authorised_person)
 
168
        team = launchpad.people['private-team']
 
169
        self.assertEqual('private-team', team.name)
 
170
        ppa = team.getPPAByName(name='private-ppa')
 
171
        self.assertEqual('private-ppa', ppa.name)
 
172
 
 
173
    def test_authorised_user_cannot_see_restricted_team_details(self):
 
174
        # Test that a user with limitedView permission on a team cannot see
 
175
        # prohibited detail, like attributes on IPersonViewRestricted.
 
176
        launchpad = self.factory.makeLaunchpadService(self.authorised_person)
 
177
        team = launchpad.people['private-team']
 
178
        self.assertIn(':redacted', team.homepage_content)
 
179
        failure_regex = '(.|\n)*api_activemembers.*launchpad.View(.|\n)*'
 
180
        with ExpectedException(Unauthorized, failure_regex):
 
181
            members = team.members
 
182
            print members.total_size