controller.Users.load_notebook() now disallows read-write access for anonymous/demo users to "own notes only" notebooks.
This commit is contained in:
parent
a97cec4369
commit
3dad16d187
|
@ -737,6 +737,7 @@ class Users( object ):
|
|||
"""
|
||||
anonymous = self.__database.select_one( User, User.sql_load_by_username( u"anonymous" ), use_cache = True )
|
||||
notebook = self.__database.select_one( Notebook, anonymous.sql_load_notebooks( notebook_id = notebook_id ) )
|
||||
user = None
|
||||
|
||||
if not notebook and user_id:
|
||||
user = self.__database.load( User, user_id )
|
||||
|
@ -766,6 +767,12 @@ class Users( object ):
|
|||
):
|
||||
return None
|
||||
|
||||
# also, prevent anonymous/demo read-write or owner access to READ_WRITE_FOR_OWN_NOTES notebooks
|
||||
if notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES and \
|
||||
( read_write is True or owner is True ) and \
|
||||
( user is None or user.username is None or user.username == u"anonymous" ):
|
||||
return None
|
||||
|
||||
return notebook
|
||||
|
||||
def check_group( self, user_id, group_id, admin = False ):
|
||||
|
|
|
@ -39,6 +39,7 @@ class Test_users( Test_controller ):
|
|||
self.email_address2 = u"out-there@example.com"
|
||||
self.user = None
|
||||
self.user2 = None
|
||||
self.demo_user = None
|
||||
self.group = None
|
||||
self.group2 = None
|
||||
self.anonymous = None
|
||||
|
@ -94,6 +95,10 @@ class Test_users( Test_controller ):
|
|||
self.database.save( self.anonymous, commit = False )
|
||||
self.database.execute( self.anonymous.sql_save_notebook( self.anon_notebook.object_id, read_write = False, owner = False ), commit = False )
|
||||
|
||||
self.demo_user = User.create( self.database.next_id( User ), username = None )
|
||||
self.database.save( self.demo_user, commit = False )
|
||||
self.database.execute( self.demo_user.sql_save_notebook( notebook_id1, read_write = True, owner = False, own_notes_only = True ), commit = False )
|
||||
|
||||
self.database.commit()
|
||||
|
||||
def test_signup( self ):
|
||||
|
@ -1003,6 +1008,22 @@ class Test_users( Test_controller ):
|
|||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_anonymous( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_demo( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id )
|
||||
|
||||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_without_access( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_unknown_notebook( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.user.object_id, u"unknownid" )
|
||||
|
||||
|
@ -1019,19 +1040,146 @@ class Test_users( Test_controller ):
|
|||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_read_write_anonymous( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_read_write_demo( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_read_write_without_access( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, read_write = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_read_write_own_notes( self ):
|
||||
self.database.execute( self.user.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, read_write = True )
|
||||
|
||||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_read_write_own_notes_anonymous( self ):
|
||||
self.database.execute( self.anonymous.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_read_write_own_notes_demo( self ):
|
||||
self.database.execute( self.demo_user.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_owner( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, owner = True )
|
||||
|
||||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_owner_anonymous( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, owner = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_owner_demo( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, owner = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_owner_without_access( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, owner = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_owner_own_notes( self ):
|
||||
self.database.execute( self.user.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, owner = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_owner_own_notes_anonymous( self ):
|
||||
self.database.execute( self.anonymous.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, owner = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_owner_own_notes_demo( self ):
|
||||
self.database.execute( self.demo_user.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, owner = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_full( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
|
||||
|
||||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_with_note_id( self ):
|
||||
def test_load_notebook_full_anonymous( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_full_demo( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_full_without_access( self ):
|
||||
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_full_own_notes( self ):
|
||||
self.database.execute( self.user.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_full_own_notes_anonymous( self ):
|
||||
self.database.execute( self.anonymous.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_full_own_notes_demo( self ):
|
||||
self.database.execute( self.demo_user.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id, read_write = True, owner = True )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_with_note_id_own_notes( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi</h3>",
|
||||
notebook_id = self.notebooks[ 0 ].object_id,
|
||||
|
@ -1049,7 +1197,55 @@ class Test_users( Test_controller ):
|
|||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_with_note_id_by_another_user( self ):
|
||||
def test_load_notebook_with_note_id_own_notes_anonymous( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi</h3>",
|
||||
notebook_id = self.notebooks[ 0 ].object_id,
|
||||
user_id = self.anonymous.object_id,
|
||||
)
|
||||
self.database.save( note )
|
||||
|
||||
self.database.execute( self.anonymous.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note.object_id )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_with_note_id_own_notes_demo( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi</h3>",
|
||||
notebook_id = self.notebooks[ 0 ].object_id,
|
||||
user_id = self.demo_user.object_id,
|
||||
)
|
||||
self.database.save( note )
|
||||
|
||||
self.database.execute( self.demo_user.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note.object_id )
|
||||
|
||||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_with_note_id_own_notes_without_access( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi</h3>",
|
||||
notebook_id = self.notebooks[ 0 ].object_id,
|
||||
user_id = self.user2.object_id,
|
||||
)
|
||||
self.database.save( note )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note.object_id )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_with_note_id_own_notes_by_another_user( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi from another user</h3>",
|
||||
notebook_id = self.notebooks[ 0 ].object_id,
|
||||
|
@ -1066,7 +1262,7 @@ class Test_users( Test_controller ):
|
|||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_with_unknown_note_id( self ):
|
||||
def test_load_notebook_with_unknown_note_id_own_notes( self ):
|
||||
self.database.execute( self.user.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
@ -1079,7 +1275,7 @@ class Test_users( Test_controller ):
|
|||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_with_stub_note( self ):
|
||||
def test_load_notebook_with_stub_note_own_notes( self ):
|
||||
# don't fully create a note, but reserve an id for it
|
||||
note_id = self.database.next_id( Note )
|
||||
|
||||
|
@ -1093,7 +1289,47 @@ class Test_users( Test_controller ):
|
|||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_with_note_id_in_another_notebook( self ):
|
||||
def test_load_notebook_with_stub_note_own_notes_anonymous( self ):
|
||||
# don't fully create a note, but reserve an id for it
|
||||
note_id = self.database.next_id( Note )
|
||||
|
||||
self.database.execute( self.anonymous.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note_id )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_with_stub_note_own_notes_demo( self ):
|
||||
# don't fully create a note, but reserve an id for it
|
||||
note_id = self.database.next_id( Note )
|
||||
|
||||
self.database.execute( self.demo_user.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note_id )
|
||||
|
||||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_with_stub_note_own_notes_without_access( self ):
|
||||
# don't fully create a note, but reserve an id for it
|
||||
note_id = self.database.next_id( Note )
|
||||
|
||||
self.database.execute( self.user2.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note_id )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_with_note_id_own_notes_in_another_notebook( self ):
|
||||
self.database.execute( self.user.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
@ -1117,6 +1353,46 @@ class Test_users( Test_controller ):
|
|||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_read_write_with_note_id_anonymous( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi</h3>",
|
||||
notebook_id = self.notebooks[ 0 ].object_id,
|
||||
user_id = self.anonymous.object_id,
|
||||
)
|
||||
self.database.save( note )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note.object_id )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_read_write_with_note_id_demo( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi</h3>",
|
||||
notebook_id = self.notebooks[ 0 ].object_id,
|
||||
user_id = self.demo_user.object_id,
|
||||
)
|
||||
self.database.save( note )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note.object_id )
|
||||
|
||||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_read_write_with_note_id_without_access( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi</h3>",
|
||||
notebook_id = self.notebooks[ 0 ].object_id,
|
||||
user_id = self.user2.object_id,
|
||||
)
|
||||
self.database.save( note )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note.object_id )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_read_write_with_note_id_by_another_user( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi from another user</h3>",
|
||||
|
@ -1163,6 +1439,58 @@ class Test_users( Test_controller ):
|
|||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_read_only_with_note_id_anonymous( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi</h3>",
|
||||
notebook_id = self.notebooks[ 0 ].object_id,
|
||||
user_id = self.anonymous.object_id,
|
||||
)
|
||||
self.database.save( note )
|
||||
|
||||
self.database.execute( self.anonymous.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_ONLY, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.anonymous.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note.object_id )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_read_only_with_note_id_demo( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi</h3>",
|
||||
notebook_id = self.notebooks[ 0 ].object_id,
|
||||
user_id = self.demo_user.object_id,
|
||||
)
|
||||
self.database.save( note )
|
||||
|
||||
self.database.execute( self.demo_user.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_ONLY, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.demo_user.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note.object_id )
|
||||
|
||||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_read_only_with_note_id_without_access( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi</h3>",
|
||||
notebook_id = self.notebooks[ 0 ].object_id,
|
||||
user_id = self.user2.object_id,
|
||||
)
|
||||
self.database.save( note )
|
||||
|
||||
self.database.execute( self.user2.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_ONLY, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.user2.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note.object_id )
|
||||
|
||||
assert notebook is None
|
||||
|
||||
def test_load_notebook_read_only_with_note_id_by_another_user( self ):
|
||||
note = Note.create(
|
||||
self.database.next_id( Note ), u"<h3>hi from another user</h3>",
|
||||
|
|
Reference in New Issue
Block a user