witten
/
luminotes
Archived
1
0
Fork 0
Code Releases Activity

controller.Users.load_notebook() now disallows read-write access for anonymous/demo users to "own notes only" notebooks.

This commit is contained in:
Dan Helfman 2008-11-04 10:29:19 -08:00
parent a97cec4369
commit 3dad16d187
2 changed files with 340 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
controller/Users.py
View File

@ -737,6 +737,7 @@ class Users( object ):
"""
anonymous = self.__database.select_one( User, User.sql_load_by_username( u"anonymous" ), use_cache = True )
notebook = self.__database.select_one( Notebook, anonymous.sql_load_notebooks( notebook_id = notebook_id ) )
user = None
if not notebook and user_id:
user = self.__database.load( User, user_id )
@ -765,6 +766,12 @@ class Users( object ):
( note.notebook_id and notebook_id != note.notebook_id )
):
return None
# also, prevent anonymous/demo read-write or owner access to READ_WRITE_FOR_OWN_NOTES notebooks
if notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES and \
( read_write is True or owner is True ) and \
( user is None or user.username is None or user.username == u"anonymous" ):
return None
return notebook

338
controller/test/Test_users.py
View File

@ -39,6 +39,7 @@ class Test_users( Test_controller ):
self.email_address2 = u"out-there@example.com"
self.user = None
self.user2 = None
self.demo_user = None
self.group = None
self.group2 = None
self.anonymous = None
@ -94,6 +95,10 @@ class Test_users( Test_controller ):
self.database.save( self.anonymous, commit = False )
self.database.execute( self.anonymous.sql_save_notebook( self.anon_notebook.object_id, read_write = False, owner = False ), commit = False )
self.demo_user = User.create( self.database.next_id( User ), username = None )
self.database.save( self.demo_user, commit = False )
self.database.execute( self.demo_user.sql_save_notebook( notebook_id1, read_write = True, owner = False, own_notes_only = True ), commit = False )
self.database.commit()
def test_signup( self ):
@ -1003,6 +1008,22 @@ class Test_users( Test_controller ):
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_anonymous( self ):
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id )
assert notebook is None
def test_load_notebook_demo( self ):
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id )
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_without_access( self ):
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id )
assert notebook is None
def test_load_notebook_unknown_notebook( self ):
notebook = cherrypy.root.users.load_notebook( self.user.object_id, u"unknownid" )
@ -1019,19 +1040,146 @@ class Test_users( Test_controller ):
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_read_write_anonymous( self ):
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True )
assert notebook is None
def test_load_notebook_read_write_demo( self ):
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True )
assert notebook is None
def test_load_notebook_read_write_without_access( self ):
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, read_write = True )
assert notebook is None
def test_load_notebook_read_write_own_notes( self ):
self.database.execute( self.user.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, read_write = True )
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_read_write_own_notes_anonymous( self ):
self.database.execute( self.anonymous.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True )
assert notebook is None
def test_load_notebook_read_write_own_notes_demo( self ):
self.database.execute( self.demo_user.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True )
assert notebook is None
def test_load_notebook_owner( self ):
notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, owner = True )
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_owner_anonymous( self ):
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, owner = True )
assert notebook is None
def test_load_notebook_owner_demo( self ):
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, owner = True )
assert notebook is None
def test_load_notebook_owner_without_access( self ):
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, owner = True )
assert notebook is None
def test_load_notebook_owner_own_notes( self ):
self.database.execute( self.user.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, owner = True )
assert notebook is None
def test_load_notebook_owner_own_notes_anonymous( self ):
self.database.execute( self.anonymous.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, owner = True )
assert notebook is None
def test_load_notebook_owner_own_notes_demo( self ):
self.database.execute( self.demo_user.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, owner = True )
assert notebook is None
def test_load_notebook_full( self ):
notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_with_note_id( self ):
def test_load_notebook_full_anonymous( self ):
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
assert notebook is None
def test_load_notebook_full_demo( self ):
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
assert notebook is None
def test_load_notebook_full_without_access( self ):
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
assert notebook is None
def test_load_notebook_full_own_notes( self ):
self.database.execute( self.user.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
assert notebook is None
def test_load_notebook_full_own_notes_anonymous( self ):
self.database.execute( self.anonymous.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
assert notebook is None
def test_load_notebook_full_own_notes_demo( self ):
self.database.execute( self.demo_user.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
assert notebook is None
def test_load_notebook_with_note_id_own_notes( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi</h3>",
notebook_id = self.notebooks[ 0 ].object_id,
@ -1049,7 +1197,55 @@ class Test_users( Test_controller ):
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_with_note_id_by_another_user( self ):
def test_load_notebook_with_note_id_own_notes_anonymous( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi</h3>",
notebook_id = self.notebooks[ 0 ].object_id,
user_id = self.anonymous.object_id,
)
self.database.save( note )
self.database.execute( self.anonymous.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id,
note_id = note.object_id )
assert notebook is None
def test_load_notebook_with_note_id_own_notes_demo( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi</h3>",
notebook_id = self.notebooks[ 0 ].object_id,
user_id = self.demo_user.object_id,
)
self.database.save( note )
self.database.execute( self.demo_user.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id,
note_id = note.object_id )
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_with_note_id_own_notes_without_access( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi</h3>",
notebook_id = self.notebooks[ 0 ].object_id,
user_id = self.user2.object_id,
)
self.database.save( note )
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id,
note_id = note.object_id )
assert notebook is None
def test_load_notebook_with_note_id_own_notes_by_another_user( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi from another user</h3>",
notebook_id = self.notebooks[ 0 ].object_id,
@ -1066,7 +1262,7 @@ class Test_users( Test_controller ):
assert notebook is None
def test_load_notebook_with_unknown_note_id( self ):
def test_load_notebook_with_unknown_note_id_own_notes( self ):
self.database.execute( self.user.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
@ -1079,7 +1275,7 @@ class Test_users( Test_controller ):
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_with_stub_note( self ):
def test_load_notebook_with_stub_note_own_notes( self ):
# don't fully create a note, but reserve an id for it
note_id = self.database.next_id( Note )
@ -1093,7 +1289,47 @@ class Test_users( Test_controller ):
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_with_note_id_in_another_notebook( self ):
def test_load_notebook_with_stub_note_own_notes_anonymous( self ):
# don't fully create a note, but reserve an id for it
note_id = self.database.next_id( Note )
self.database.execute( self.anonymous.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id,
note_id = note_id )
assert notebook is None
def test_load_notebook_with_stub_note_own_notes_demo( self ):
# don't fully create a note, but reserve an id for it
note_id = self.database.next_id( Note )
self.database.execute( self.demo_user.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id,
note_id = note_id )
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_with_stub_note_own_notes_without_access( self ):
# don't fully create a note, but reserve an id for it
note_id = self.database.next_id( Note )
self.database.execute( self.user2.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id,
note_id = note_id )
assert notebook is None
def test_load_notebook_with_note_id_own_notes_in_another_notebook( self ):
self.database.execute( self.user.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
) )
@ -1117,6 +1353,46 @@ class Test_users( Test_controller ):
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_read_write_with_note_id_anonymous( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi</h3>",
notebook_id = self.notebooks[ 0 ].object_id,
user_id = self.anonymous.object_id,
)
self.database.save( note )
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id,
note_id = note.object_id )
assert notebook is None
def test_load_notebook_read_write_with_note_id_demo( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi</h3>",
notebook_id = self.notebooks[ 0 ].object_id,
user_id = self.demo_user.object_id,
)
self.database.save( note )
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id,
note_id = note.object_id )
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_read_write_with_note_id_without_access( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi</h3>",
notebook_id = self.notebooks[ 0 ].object_id,
user_id = self.user2.object_id,
)
self.database.save( note )
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id,
note_id = note.object_id )
assert notebook is None
def test_load_notebook_read_write_with_note_id_by_another_user( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi from another user</h3>",
@ -1163,6 +1439,58 @@ class Test_users( Test_controller ):
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_read_only_with_note_id_anonymous( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi</h3>",
notebook_id = self.notebooks[ 0 ].object_id,
user_id = self.anonymous.object_id,
)
self.database.save( note )
self.database.execute( self.anonymous.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_ONLY, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id,
note_id = note.object_id )
assert notebook is None
def test_load_notebook_read_only_with_note_id_demo( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi</h3>",
notebook_id = self.notebooks[ 0 ].object_id,
user_id = self.demo_user.object_id,
)
self.database.save( note )
self.database.execute( self.demo_user.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_ONLY, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id,
note_id = note.object_id )
assert notebook
assert notebook.object_id == self.notebooks[ 0 ].object_id
def test_load_notebook_read_only_with_note_id_without_access( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi</h3>",
notebook_id = self.notebooks[ 0 ].object_id,
user_id = self.user2.object_id,
)
self.database.save( note )
self.database.execute( self.user2.sql_update_access(
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_ONLY, owner = False,
) )
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id,
note_id = note.object_id )
assert notebook is None
def test_load_notebook_read_only_with_note_id_by_another_user( self ):
note = Note.create(
self.database.next_id( Note ), u"<h3>hi from another user</h3>",