external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

change(models.user): can_edit_user should check account type id priority

Browse source 
The credential alone does not completely encapsulate our new
requirements for editing an account.

Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit is contained in:
Kevin Morris 2021-12-27 00:07:44 -08:00
parent b27dab99d8
commit 260b67c49e
No known key found for this signature in database
GPG key ID: F7E46DED420788F3
2 changed files with 79 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
aurweb/models/user.py
View file

@ -182,14 +182,24 @@ class User(Base):
aurweb.models.account_type.TRUSTED_USER_AND_DEV_ID, aurweb.models.account_type.TRUSTED_USER_AND_DEV_ID,
} }
def can_edit_user(self, user): def can_edit_user(self, target: "User") -> bool:
""" Can this account record edit the target user? It must either
be the target user or a user with enough permissions to do so.
:param user: Target user
:return: Boolean indicating whether this instance can edit `user`
""" """
return self == user or self.is_trusted_user() or self.is_developer() Whether this User instance can edit `target`.
This User can edit user `target` if we both: have credentials and
self.AccountTypeID is greater or equal to `target`.AccountTypeID.
In short, a user must at least have credentials and be at least
the same account type as the target.
User < Trusted User < Developer < Trusted User & Developer
:param target: Target User to be edited
:return: Boolean indicating whether `self` can edit `target`
"""
from aurweb.auth import creds
has_cred = self.has_credential(creds.ACCOUNT_EDIT, approved=[target])
return has_cred and self.AccountTypeID >= target.AccountTypeID
def voted_for(self, package) -> bool: def voted_for(self, package) -> bool:
""" Has this User voted for package? """ """ Has this User voted for package? """

66
test/test_user.py
View file

@ -12,6 +12,7 @@ import aurweb.models.account_type as at
from aurweb import db from aurweb import db
from aurweb.auth import creds from aurweb.auth import creds
from aurweb.models.account_type import DEVELOPER_ID, TRUSTED_USER_AND_DEV_ID, TRUSTED_USER_ID, USER_ID
from aurweb.models.ban import Ban from aurweb.models.ban import Ban
from aurweb.models.package import Package from aurweb.models.package import Package
from aurweb.models.package_base import PackageBase from aurweb.models.package_base import PackageBase
@ -28,12 +29,36 @@ def setup(db_test):
return return
def create_user(username: str, account_type_id: int):
with db.begin():
user = db.create(User, Username=username,
Email=f"{username}@example.org",
RealName=username.title(), Passwd="testPassword",
AccountTypeID=account_type_id)
return user
@pytest.fixture @pytest.fixture
def user() -> User: def user() -> User:
with db.begin(): user = create_user("test", USER_ID)
user = db.create(User, Username="test", Email="test@example.org", yield user
RealName="Test User", Passwd="testPassword",
AccountTypeID=at.USER_ID)
@pytest.fixture
def tu_user() -> User:
user = create_user("test_tu", TRUSTED_USER_ID)
yield user
@pytest.fixture
def dev_user() -> User:
user = create_user("test_dev", DEVELOPER_ID)
yield user
@pytest.fixture
def tu_and_dev_user() -> User:
user = create_user("test_tu_and_dev", TRUSTED_USER_AND_DEV_ID)
yield user yield user
@ -256,3 +281,36 @@ def test_user_notified(user: User, package: Package):
def test_user_packages(user: User, package: Package): def test_user_packages(user: User, package: Package):
assert package in user.packages() assert package in user.packages()
def test_can_edit_user(user: User, tu_user: User, dev_user: User,
tu_and_dev_user: User):
# User can edit.
assert user.can_edit_user(user)
# User cannot edit.
assert not user.can_edit_user(tu_user)
assert not user.can_edit_user(dev_user)
assert not user.can_edit_user(tu_and_dev_user)
# Trusted User can edit.
assert tu_user.can_edit_user(user)
assert tu_user.can_edit_user(tu_user)
# Trusted User cannot edit.
assert not tu_user.can_edit_user(dev_user)
assert not tu_user.can_edit_user(tu_and_dev_user)
# Developer can edit.
assert dev_user.can_edit_user(user)
assert dev_user.can_edit_user(tu_user)
assert dev_user.can_edit_user(dev_user)
# Developer cannot edit.
assert not dev_user.can_edit_user(tu_and_dev_user)
# Trusted User & Developer can edit.
assert tu_and_dev_user.can_edit_user(user)
assert tu_and_dev_user.can_edit_user(tu_user)
assert tu_and_dev_user.can_edit_user(dev_user)
assert tu_and_dev_user.can_edit_user(tu_and_dev_user)