diff --git a/controller/Users.py b/controller/Users.py index 1e8ebb7..dcc6ba5 100644 --- a/controller/Users.py +++ b/controller/Users.py @@ -737,6 +737,7 @@ class Users( object ): """ anonymous = self.__database.select_one( User, User.sql_load_by_username( u"anonymous" ), use_cache = True ) notebook = self.__database.select_one( Notebook, anonymous.sql_load_notebooks( notebook_id = notebook_id ) ) + user = None if not notebook and user_id: user = self.__database.load( User, user_id ) @@ -765,6 +766,12 @@ class Users( object ): ( note.notebook_id and notebook_id != note.notebook_id ) ): return None + + # also, prevent anonymous/demo read-write or owner access to READ_WRITE_FOR_OWN_NOTES notebooks + if notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES and \ + ( read_write is True or owner is True ) and \ + ( user is None or user.username is None or user.username == u"anonymous" ): + return None return notebook diff --git a/controller/test/Test_users.py b/controller/test/Test_users.py index 3da6928..b27b83f 100644 --- a/controller/test/Test_users.py +++ b/controller/test/Test_users.py @@ -39,6 +39,7 @@ class Test_users( Test_controller ): self.email_address2 = u"out-there@example.com" self.user = None self.user2 = None + self.demo_user = None self.group = None self.group2 = None self.anonymous = None @@ -94,6 +95,10 @@ class Test_users( Test_controller ): self.database.save( self.anonymous, commit = False ) self.database.execute( self.anonymous.sql_save_notebook( self.anon_notebook.object_id, read_write = False, owner = False ), commit = False ) + self.demo_user = User.create( self.database.next_id( User ), username = None ) + self.database.save( self.demo_user, commit = False ) + self.database.execute( self.demo_user.sql_save_notebook( notebook_id1, read_write = True, owner = False, own_notes_only = True ), commit = False ) + self.database.commit() def test_signup( self ): @@ -1003,6 +1008,22 @@ class Test_users( Test_controller ): assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id + def test_load_notebook_anonymous( self ): + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id ) + + assert notebook is None + + def test_load_notebook_demo( self ): + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id ) + + assert notebook + assert notebook.object_id == self.notebooks[ 0 ].object_id + + def test_load_notebook_without_access( self ): + notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id ) + + assert notebook is None + def test_load_notebook_unknown_notebook( self ): notebook = cherrypy.root.users.load_notebook( self.user.object_id, u"unknownid" ) @@ -1019,19 +1040,146 @@ class Test_users( Test_controller ): assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id + def test_load_notebook_read_write_anonymous( self ): + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True ) + + assert notebook is None + + def test_load_notebook_read_write_demo( self ): + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True ) + + assert notebook is None + + def test_load_notebook_read_write_without_access( self ): + notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, read_write = True ) + + assert notebook is None + + def test_load_notebook_read_write_own_notes( self ): + self.database.execute( self.user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, read_write = True ) + + assert notebook + assert notebook.object_id == self.notebooks[ 0 ].object_id + + def test_load_notebook_read_write_own_notes_anonymous( self ): + self.database.execute( self.anonymous.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True ) + + assert notebook is None + + def test_load_notebook_read_write_own_notes_demo( self ): + self.database.execute( self.demo_user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True ) + + assert notebook is None + def test_load_notebook_owner( self ): notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, owner = True ) assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id + def test_load_notebook_owner_anonymous( self ): + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, owner = True ) + + assert notebook is None + + def test_load_notebook_owner_demo( self ): + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, owner = True ) + + assert notebook is None + + def test_load_notebook_owner_without_access( self ): + notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, owner = True ) + + assert notebook is None + + def test_load_notebook_owner_own_notes( self ): + self.database.execute( self.user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, owner = True ) + + assert notebook is None + + def test_load_notebook_owner_own_notes_anonymous( self ): + self.database.execute( self.anonymous.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, owner = True ) + + assert notebook is None + + def test_load_notebook_owner_own_notes_demo( self ): + self.database.execute( self.demo_user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, owner = True ) + + assert notebook is None + def test_load_notebook_full( self ): notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id - def test_load_notebook_with_note_id( self ): + def test_load_notebook_full_anonymous( self ): + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) + + assert notebook is None + + def test_load_notebook_full_demo( self ): + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) + + assert notebook is None + + def test_load_notebook_full_without_access( self ): + notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) + + assert notebook is None + + def test_load_notebook_full_own_notes( self ): + self.database.execute( self.user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) + + assert notebook is None + + def test_load_notebook_full_own_notes_anonymous( self ): + self.database.execute( self.anonymous.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) + + assert notebook is None + + def test_load_notebook_full_own_notes_demo( self ): + self.database.execute( self.demo_user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) + + assert notebook is None + + def test_load_notebook_with_note_id_own_notes( self ): note = Note.create( self.database.next_id( Note ), u"