
Anonymous committed 451b5e3

[generic-auth] Added a simple role based permission checker in the tests


Files changed (2)

tests/regressiontests/generic_auth/models.py

 from django.db import models
+from django.contrib.auth.models import User
 
 class Person(models.Model):
     name = models.CharField(maxlength=20)
+
+class Article(models.Model):
+    name = models.CharField(maxlength=100)
+    body = models.TextField()
+    creator = models.ForeignKey(User)

tests/regressiontests/generic_auth/tests.py

 >>> app = get_app('generic_auth')
 >>> create_permissions(app, [], 0)
 
-Create and register an authorization handler that acts like Django's model
-level permissions
+Create and register an authorization handler that acts similarly to Django's 
+model level permissions. This version doesn't take group permissions into 
+account however.
 
 >>> def default_has_permission(user, permission, obj):
-...     p_name = "%s.%s" % (permission.content_type.app_label, permission.codename)
-...     return user.has_perm(p_name)
+...    if not user.is_active:
+...        return False
+...    if user.is_superuser:
+...        return True
+...    return permission in user.user_permissions.select_related()
 ...     
 >>> has_permission.register(default_has_permission, User, Permission, Person)
 >>> has_permission.register(default_has_permission, User, Permission)
 >>> has_permissions(user, [add_permission, delete_permission], person)
 False
 
+
+Let's create a simple role-based implementation of has_permission that allows 
+change and delete access to the creator of an object, but denies access to 
+everyone else. The creator is just a foreign key from the object in question
+to the django.contrib.auth.models.User model.
+
+First, we create the actual implementation.
+
+>>> def is_creator(user, permission, object):
+...     if user.is_superuser:
+...         return True
+...     # if no object was provided, fall back to Model level permissions
+...     if not object:
+...         return permission in user.user_permissions.select_related()
+...     return user == object.creator
+...
+
+
+The we register is_creator to handle calls to has_permission for the
+appropriate models (in this case User, Permision, and Article).
+
+>>> from django.contrib.auth.models import User, Permission
+>>> from django.contrib.auth import has_permission
+>>> from regressiontests.generic_auth.models import Article
+
+>>> has_permission.register(is_creator, User, Permission, Article)
+
+
+Create an Article for our tests, and set it's `owner` attribute to the user we
+created above.
+
+>>> article = Article(name='test', body='test', creator=user)
+>>> article.save()
+
+
+Set up some convenient reverences to the various permission objects.
+
+>>> add_permission = Article._meta.get_add_permission()
+>>> change_permission = Article._meta.get_change_permission()
+>>> delete_permission = Article._meta.get_delete_permission()
+
+Adding isn't tied to a particular object, and we haven't given the user
+permission to add Articles yet, so this should fail.
+
+>>> has_permission(user, add_permission)
+False
+
+But the user *is* the creator of `article`, so they *should* have change and
+delete permissions for that article.
+
+>>> has_permission(user, change_permission, article)
+True
+>>> has_permission(user, delete_permission, article)
+True
+
+
+Give the user add Article permissions.
+
+>>> user.user_permissions.add(add_permission)
+>>> user.save()
+
+
+Make sure it worked.
+
+>>> has_permission(user, add_permission, article)
+True
+
+
 """
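Review bot: The final doctest, `has_permission(user, add_permission, article)`, does not verify the grant made just above it. When an object is passed, `is_creator` returns `user == object.creator` and never consults `permission`, so the call prints True even without `user.user_permissions.add(add_permission)`. Asserting the model-level form instead, `>>> has_permission(user, add_permission)`, should exercise the grant, assuming that call is dispatched to a handler that reads `user_permissions`. `is_creator` also omits the `is_active` guard that this commit adds to `default_has_permission`, so a deactivated creator or superuser is still authorized; opening it with `if not user.is_active: return False` would keep the two handlers consistent. The surrounding prose also says the article's `owner` attribute is set, while the model field is `creator`.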