From 3dad16d1870d96568dbe158e65c8735422db8ce1 Mon Sep 17 00:00:00 2001 From: Dan Helfman Date: Tue, 4 Nov 2008 10:29:19 -0800 Subject: [PATCH] controller.Users.load_notebook() now disallows read-write access for anonymous/demo users to "own notes only" notebooks. --- controller/Users.py | 7 + controller/test/Test_users.py | 338 +++++++++++++++++++++++++++++++++- 2 files changed, 340 insertions(+), 5 deletions(-) diff --git a/controller/Users.py b/controller/Users.py index 1e8ebb7..dcc6ba5 100644 --- a/controller/Users.py +++ b/controller/Users.py @@ -737,6 +737,7 @@ class Users( object ): """ anonymous = self.__database.select_one( User, User.sql_load_by_username( u"anonymous" ), use_cache = True ) notebook = self.__database.select_one( Notebook, anonymous.sql_load_notebooks( notebook_id = notebook_id ) ) + user = None if not notebook and user_id: user = self.__database.load( User, user_id ) @@ -765,6 +766,12 @@ class Users( object ): ( note.notebook_id and notebook_id != note.notebook_id ) ): return None + + # also, prevent anonymous/demo read-write or owner access to READ_WRITE_FOR_OWN_NOTES notebooks + if notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES and \ + ( read_write is True or owner is True ) and \ + ( user is None or user.username is None or user.username == u"anonymous" ): + return None return notebook diff --git a/controller/test/Test_users.py b/controller/test/Test_users.py index 3da6928..b27b83f 100644 --- a/controller/test/Test_users.py +++ b/controller/test/Test_users.py @@ -39,6 +39,7 @@ class Test_users( Test_controller ): self.email_address2 = u"out-there@example.com" self.user = None self.user2 = None + self.demo_user = None self.group = None self.group2 = None self.anonymous = None 
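Review bot: The new guard in load_notebook tests `read_write is True or owner is True`, so any caller that passes a truthy value that is not the `True` singleton (for example `1`) skips the anonymous/demo check and the notebook is returned. An access check should fail closed, so prefer plain truthiness, `( read_write or owner ) and \`, or state in the comment why identity comparison is required. Separately, `user` stays `None` (the `user = None` added in the first hunk) whenever the notebook is found through the anonymous account's grant, so a signed-in caller is treated as anonymous on that path. That looks intended, but it deserves a comment such as `# user is None when access comes from the anonymous account's grant`. The body of load_notebook starts and ends outside both hunks, so the earlier read_write/owner checks cannot be seen from here.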
@@ -94,6 +95,10 @@ class Test_users( Test_controller ): self.database.save( self.anonymous, commit = False ) self.database.execute( self.anonymous.sql_save_notebook( self.anon_notebook.object_id, read_write = False, owner = False ), commit = False ) + self.demo_user = User.create( self.database.next_id( User ), username = None ) + self.database.save( self.demo_user, commit = False ) + self.database.execute( self.demo_user.sql_save_notebook( notebook_id1, read_write = True, owner = False, own_notes_only = True ), commit = False ) + self.database.commit() def test_signup( self ): @@ -1003,6 +1008,22 @@ class Test_users( Test_controller ): assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id + def test_load_notebook_anonymous( self ): + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id ) + + assert notebook is None + + def test_load_notebook_demo( self ): + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id ) + + assert notebook + assert notebook.object_id == self.notebooks[ 0 ].object_id + + def test_load_notebook_without_access( self ): + notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id ) + + assert notebook is None + def test_load_notebook_unknown_notebook( self ): notebook = cherrypy.root.users.load_notebook( self.user.object_id, u"unknownid" ) 
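Review bot: The demo fixture added to setUp has no comment, although it is the only user created with `username = None` and it is granted `own_notes_only = True` access to `notebook_id1`, which are the two properties the new guard in load_notebook appears to key on. Suggest `# demo user: no username, own-notes-only access to notebook_id1` above `self.demo_user = User.create(`. Because the fixture already carries own-notes access, `test_load_notebook_read_write_demo` and `test_load_notebook_read_write_own_notes_demo` in the later hunks seem to exercise the same state. A case where a demo user holds full read-write access would pin what the guard deliberately leaves allowed. setUp starts outside this hunk.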
@@ -1019,19 +1040,146 @@ class Test_users( Test_controller ): assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id + def test_load_notebook_read_write_anonymous( self ): + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True ) + + assert notebook is None + + def test_load_notebook_read_write_demo( self ): + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True ) + + assert notebook is None + + def test_load_notebook_read_write_without_access( self ): + notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, read_write = True ) + + assert notebook is None + + def test_load_notebook_read_write_own_notes( self ): + self.database.execute( self.user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, read_write = True ) + + assert notebook + assert notebook.object_id == self.notebooks[ 0 ].object_id + + def test_load_notebook_read_write_own_notes_anonymous( self ): + self.database.execute( self.anonymous.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True ) + + assert notebook is None + + def test_load_notebook_read_write_own_notes_demo( self ): + self.database.execute( self.demo_user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True ) + + assert notebook is None + def test_load_notebook_owner( self ): notebook = 
cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, owner = True ) assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id + def test_load_notebook_owner_anonymous( self ): + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, owner = True ) + + assert notebook is None + + def test_load_notebook_owner_demo( self ): + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, owner = True ) + + assert notebook is None + + def test_load_notebook_owner_without_access( self ): + notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, owner = True ) + + assert notebook is None + + def test_load_notebook_owner_own_notes( self ): + self.database.execute( self.user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, owner = True ) + + assert notebook is None + + def test_load_notebook_owner_own_notes_anonymous( self ): + self.database.execute( self.anonymous.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, owner = True ) + + assert notebook is None + + def test_load_notebook_owner_own_notes_demo( self ): + self.database.execute( self.demo_user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, owner = True ) + + assert notebook is None + def test_load_notebook_full( self ): notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 
].object_id, read_write = True, owner = True ) assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id - def test_load_notebook_with_note_id( self ): + def test_load_notebook_full_anonymous( self ): + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) + + assert notebook is None + + def test_load_notebook_full_demo( self ): + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) + + assert notebook is None + + def test_load_notebook_full_without_access( self ): + notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) + + assert notebook is None + + def test_load_notebook_full_own_notes( self ): + self.database.execute( self.user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) + + assert notebook is None + + def test_load_notebook_full_own_notes_anonymous( self ): + self.database.execute( self.anonymous.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) + + assert notebook is None + + def test_load_notebook_full_own_notes_demo( self ): + self.database.execute( self.demo_user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True ) + + assert notebook is None + + def 
test_load_notebook_with_note_id_own_notes( self ): note = Note.create( self.database.next_id( Note ), u"

hi

", notebook_id = self.notebooks[ 0 ].object_id, @@ -1049,7 +1197,55 @@ class Test_users( Test_controller ): assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id - def test_load_notebook_with_note_id_by_another_user( self ): + def test_load_notebook_with_note_id_own_notes_anonymous( self ): + note = Note.create( + self.database.next_id( Note ), u"
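Review bot: The `*_own_notes_anonymous` tests in this hunk probably pass without the new guard. `test_load_notebook_anonymous` shows the anonymous user has no access to `self.notebooks[ 0 ]`, and `sql_update_access` appears only to modify an existing grant (the later `test_load_notebook_with_stub_note_own_notes_without_access` relies on that for `user2`), so these tests would return None for lack of access rather than because of the own-notes check. Grant the access first, e.g. `self.database.execute( self.anonymous.sql_save_notebook( self.notebooks[ 0 ].object_id, read_write = True, owner = False, own_notes_only = True ) )`, so that only the guard can produce None. The anonymous cases in the `-1049`, `-1093` and `-1163` hunks have the same weakness, and their expected values should be re-checked once the grant really exists.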

hi

", + notebook_id = self.notebooks[ 0 ].object_id, + user_id = self.anonymous.object_id, + ) + self.database.save( note ) + + self.database.execute( self.anonymous.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, + note_id = note.object_id ) + + assert notebook is None + + def test_load_notebook_with_note_id_own_notes_demo( self ): + note = Note.create( + self.database.next_id( Note ), u"

hi

", + notebook_id = self.notebooks[ 0 ].object_id, + user_id = self.demo_user.object_id, + ) + self.database.save( note ) + + self.database.execute( self.demo_user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, + note_id = note.object_id ) + + assert notebook + assert notebook.object_id == self.notebooks[ 0 ].object_id + + def test_load_notebook_with_note_id_own_notes_without_access( self ): + note = Note.create( + self.database.next_id( Note ), u"

hi

", + notebook_id = self.notebooks[ 0 ].object_id, + user_id = self.user2.object_id, + ) + self.database.save( note ) + + notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, + note_id = note.object_id ) + + assert notebook is None + + def test_load_notebook_with_note_id_own_notes_by_another_user( self ): note = Note.create( self.database.next_id( Note ), u"

hi from another user

", notebook_id = self.notebooks[ 0 ].object_id, @@ -1066,7 +1262,7 @@ class Test_users( Test_controller ): assert notebook is None - def test_load_notebook_with_unknown_note_id( self ): + def test_load_notebook_with_unknown_note_id_own_notes( self ): self.database.execute( self.user.sql_update_access( self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, ) ) @@ -1079,7 +1275,7 @@ class Test_users( Test_controller ): assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id - def test_load_notebook_with_stub_note( self ): + def test_load_notebook_with_stub_note_own_notes( self ): # don't fully create a note, but reserve an id for it note_id = self.database.next_id( Note ) 
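Review bot: None of the demo or anonymous `note_id` tests added in this hunk pass `read_write = True`, so the combination the new guard is meant to block (own-notes notebook, `note_id` given, write access requested) is never asserted for a demo user. `test_load_notebook_with_note_id_own_notes_demo` asserts the notebook is returned, which documents read access only. Add a sibling that calls `load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True, note_id = note.object_id )` and asserts `notebook is None`. The `test_load_notebook_read_write_with_note_id_*` tests in the `-1117` hunk have the same gap despite their names.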
@@ -1093,7 +1289,47 @@ class Test_users( Test_controller ): assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id - def test_load_notebook_with_note_id_in_another_notebook( self ): + def test_load_notebook_with_stub_note_own_notes_anonymous( self ): + # don't fully create a note, but reserve an id for it + note_id = self.database.next_id( Note ) + + self.database.execute( self.anonymous.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, + note_id = note_id ) + + assert notebook is None + + def test_load_notebook_with_stub_note_own_notes_demo( self ): + # don't fully create a note, but reserve an id for it + note_id = self.database.next_id( Note ) + + self.database.execute( self.demo_user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, + note_id = note_id ) + + assert notebook + assert notebook.object_id == self.notebooks[ 0 ].object_id + + def test_load_notebook_with_stub_note_own_notes_without_access( self ): + # don't fully create a note, but reserve an id for it + note_id = self.database.next_id( Note ) + + self.database.execute( self.user2.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, + note_id = note_id ) + + assert notebook is None + + def test_load_notebook_with_note_id_own_notes_in_another_notebook( self ): self.database.execute( self.user.sql_update_access( self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False, ) ) 
@@ -1117,6 +1353,46 @@ class Test_users( Test_controller ): assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id + def test_load_notebook_read_write_with_note_id_anonymous( self ): + note = Note.create( + self.database.next_id( Note ), u"

hi

", + notebook_id = self.notebooks[ 0 ].object_id, + user_id = self.anonymous.object_id, + ) + self.database.save( note ) + + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, + note_id = note.object_id ) + + assert notebook is None + + def test_load_notebook_read_write_with_note_id_demo( self ): + note = Note.create( + self.database.next_id( Note ), u"

hi

", + notebook_id = self.notebooks[ 0 ].object_id, + user_id = self.demo_user.object_id, + ) + self.database.save( note ) + + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, + note_id = note.object_id ) + + assert notebook + assert notebook.object_id == self.notebooks[ 0 ].object_id + + def test_load_notebook_read_write_with_note_id_without_access( self ): + note = Note.create( + self.database.next_id( Note ), u"

hi

", + notebook_id = self.notebooks[ 0 ].object_id, + user_id = self.user2.object_id, + ) + self.database.save( note ) + + notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, + note_id = note.object_id ) + + assert notebook is None + def test_load_notebook_read_write_with_note_id_by_another_user( self ): note = Note.create( self.database.next_id( Note ), u"

hi from another user

", @@ -1163,6 +1439,58 @@ class Test_users( Test_controller ): assert notebook assert notebook.object_id == self.notebooks[ 0 ].object_id + def test_load_notebook_read_only_with_note_id_anonymous( self ): + note = Note.create( + self.database.next_id( Note ), u"

hi

", + notebook_id = self.notebooks[ 0 ].object_id, + user_id = self.anonymous.object_id, + ) + self.database.save( note ) + + self.database.execute( self.anonymous.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_ONLY, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, + note_id = note.object_id ) + + assert notebook is None + + def test_load_notebook_read_only_with_note_id_demo( self ): + note = Note.create( + self.database.next_id( Note ), u"

hi

", + notebook_id = self.notebooks[ 0 ].object_id, + user_id = self.demo_user.object_id, + ) + self.database.save( note ) + + self.database.execute( self.demo_user.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_ONLY, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, + note_id = note.object_id ) + + assert notebook + assert notebook.object_id == self.notebooks[ 0 ].object_id + + def test_load_notebook_read_only_with_note_id_without_access( self ): + note = Note.create( + self.database.next_id( Note ), u"

hi

", + notebook_id = self.notebooks[ 0 ].object_id, + user_id = self.user2.object_id, + ) + self.database.save( note ) + + self.database.execute( self.user2.sql_update_access( + self.notebooks[ 0 ].object_id, read_write = Notebook.READ_ONLY, owner = False, + ) ) + + notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, + note_id = note.object_id ) + + assert notebook is None + def test_load_notebook_read_only_with_note_id_by_another_user( self ): note = Note.create( self.database.next_id( Note ), u"

hi from another user

",