Changeset 78af3d1 in OpenWorkouts-current
- Timestamp:
- Feb 9, 2019, 9:42:52 PM (5 years ago)
- Branches:
- current, feature/docs, master
- Children:
- 56caf3d
- Parents:
- 55470f9
- Location:
- ow
- Files:
-
- 5 edited
ow/models/user.py
r55470f9 r78af3d1 6 6 import bcrypt 7 7 from repoze.folder import Folder 8 from pyramid.security import Allow 8 from pyramid.security import Allow, Deny, Everyone, ALL_PERMISSIONS 9 9 10 10 from ow.catalog import get_catalog, reindex_object … … 18 18 def __acl__(self): 19 19 permissions = [ 20 (Allow, str(self.uid), 'view'), 20 21 (Allow, str(self.uid), 'edit'), 21 ( Allow, str(self.uid), 'view'),22 (Deny, Everyone, ALL_PERMISSIONS), 22 23 ] 23 24 return permissions -
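Review bot: The new trailing `(Deny, Everyone, ALL_PERMISSIONS)` entry in `User.__acl__` has no comment explaining that it ends ACL lookup at the user node, so anything granted further up the resource tree (an admin group, for example) no longer reaches a user or the workouts beneath it. I would add a docstring to `__acl__` stating that only the owner's uid principal gets 'view' and 'edit' and that the final deny is deliberate, plus a comment such as `# deny-all last: stops inheritance from parent ACLs`. Pyramid also ships this exact entry as `DENY_ALL` in `pyramid.security`, which reads more clearly than spelling out the tuple. The rest of the class is outside the hunk.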
ow/models/workout.py
r55470f9 r78af3d1 6 6 import gpxpy 7 7 from repoze.folder import Folder 8 from pyramid.security import Allow, Everyone8 from pyramid.security import Allow, Deny, Everyone, ALL_PERMISSIONS 9 9 10 10 from ow.utilities import ( … … 29 29 it (for now). If not, everybody can view it, only admins can edit it. 30 30 """ 31 # Default permissions31 uid = self.__parent__.uid 32 32 permissions = [ 33 (Allow, Everyone, 'view'), 34 (Allow, 'group:admins', 'edit') 33 (Allow, str(uid), 'view'), 34 (Allow, str(uid), 'edit'), 35 (Allow, str(uid), 'delete'), 36 (Deny, Everyone, ALL_PERMISSIONS) 35 37 ] 36 37 uid = getattr(self.__parent__, 'uid', None)38 if uid is not None:39 # Change permissions in case this workout has an owner40 permissions = [41 (Allow, str(uid), 'view'),42 (Allow, str(uid), 'edit'),43 ]44 38 return permissions 45 39 -
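Review bot: `uid = self.__parent__.uid` now raises AttributeError during the authorization check whenever a workout has no parent or the parent has no `uid`, where the old code used `getattr(..., None)`; the updated test in ow/tests/models/test_workout.py pins that exception as expected behaviour. This fails closed, but as an unhandled error rather than a denial, so I would keep `uid = getattr(self.__parent__, 'uid', None)` and add `if uid is None: return [(Deny, Everyone, ALL_PERMISSIONS)]`. The docstring above still says "everybody can view it, only admins can edit it", which no longer matches the code and should be rewritten to describe owner-only access. The start of that docstring is outside the hunk.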
ow/tests/models/test_user.py
r55470f9 r78af3d1 3 3 4 4 import pytest 5 from pyramid.security import Allow 5 from pyramid.security import Allow, Everyone, Deny, ALL_PERMISSIONS 6 6 7 7 from ow.models.root import OpenWorkouts … … 33 33 def test__acl__(self, root): 34 34 uid = str(root['john'].uid) 35 permissions = [(Allow, uid, 'edit'), (Allow, uid, 'view')] 35 permissions = [ 36 (Allow, uid, 'view'), 37 (Allow, uid, 'edit'), 38 (Deny, Everyone, ALL_PERMISSIONS), 39 ] 36 40 assert root['john'].__acl__() == permissions 37 41 -
ow/tests/models/test_workout.py
r55470f9 r78af3d1 6 6 7 7 import pytest 8 from pyramid.security import Allow, Everyone 8 from pyramid.security import Allow, Everyone, Deny, ALL_PERMISSIONS 9 9 10 10 from ow.models.workout import Workout … … 33 33 def test__acl__(self, root): 34 34 # First check permissions for a workout without parent 35 permissions = [(Allow, Everyone, 'view'), 36 (Allow, 'group:admins', 'edit')] 37 workout = Workout() 38 assert workout.__acl__() == permissions 39 35 workout = Workout() 36 with pytest.raises(AttributeError): 37 workout.__acl__() 40 38 # Now permissions on a workout that has been added to a user 41 39 uid = str(root['john'].uid) 42 permissions = [(Allow, uid, 'view'), (Allow, uid, 'edit')] 43 assert root['john']['1'].__acl__() == permissions 40 workout = root['john']['1'] 41 permissions = [ 42 (Allow, uid, 'view'), 43 (Allow, uid, 'edit'), 44 (Allow, uid, 'delete'), 45 (Deny, Everyone, ALL_PERMISSIONS) 46 ] 47 assert workout.__acl__() == permissions 44 48 45 49 def test_runthrough(self, root): -
ow/views/workout.py
r55470f9 r78af3d1 23 23 @view_config( 24 24 context=User, 25 permission='edit', 25 26 name='add-workout-manually', 26 27 renderer='ow:templates/add_manual_workout.pt') … … 59 60 @view_config( 60 61 context=User, 62 permission='edit', 61 63 name='add-workout', 62 64 renderer='ow:templates/add_workout.pt') … … 93 95 @view_config( 94 96 context=Workout, 97 permission='edit', 95 98 name='edit', 96 99 renderer='ow:templates/edit_manual_workout.pt') … … 139 142 @view_config( 140 143 context=Workout, 144 permission='edit', 141 145 name='update-from-file', 142 146 renderer='ow:templates/update_workout_from_file.pt') … … 167 171 @view_config( 168 172 context=Workout, 173 permission='delete', 169 174 name='delete', 170 175 renderer='ow:templates/delete_workout.pt') … … 184 189 @view_config( 185 190 context=Workout, 191 permission='view', 186 192 renderer='ow:templates/workout.pt') 187 193 def workout(context, request): … … 212 218 For now, simply return the gpx file if it has been attached to the 213 219 workout. 220 221 This view requires no permission, as we access it from an non-authenticated 222 request in a separate job, to generate the static map screenshot. 214 223 """ 215 224 if not context.has_gpx: … … 229 238 def workout_map(context, request): 230 239 """ 231 Render a page that has only a map with tracking info 240 Render a page that has only a map with tracking info. 241 This view requires no permission, as we access it from an non-authenticated 242 request in a separate job, to generate the static map screenshot. 232 243 """ 233 244 start_point = {}
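Review bot: The GPX and map views are left without a `permission`, so the owner-only workout ACL introduced in this changeset does not protect them: unless a default permission is configured elsewhere, any unauthenticated client that can reach a workout URL can fetch its GPS track and map page. The added docstrings justify this by the screenshot job making unauthenticated requests, but that makes the exception apply to every caller rather than only to that job. I would give the job its own credential and guard both views with `permission='view'`, or with a dedicated permission granted only to the job's principal in `Workout.__acl__`. The `view_config` decorators of these two views are outside the hunks shown, so this reading rests on the docstrings.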