Merge ~twom/launchpad:oci-admin-roles-need-edit into launchpad:master

Proposed by Tom Wardill
Status: Merged
Approved by: Tom Wardill
Approved revision: 416f566eebe5c94a61e3f48db4680cdc4c639c3f
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~twom/launchpad:oci-admin-roles-need-edit
Merge into: launchpad:master
Diff against target: 97 lines (+49/-9)
3 files modified
lib/lp/registry/browser/tests/test_ociproject.py (+30/-0)
lib/lp/registry/tests/test_ociproject.py (+14/-0)
lib/lp/security.py (+5/-9)
Reviewer Review Type Date Requested Status
Thiago F. Pappacena (community) Approve
Review via email: mp+384191@code.launchpad.net

Commit message

Allow edit permissions to oci_project_admin

Description of the change

The oci_project_admin team/role on a Distribution should be allowed to edit OCI Projects and OCI Project Series.
Add that to the list of allowed permissions.

Thiago F. Pappacena (pappacena) wrote :

Good set of tests. Thanks!
Added a comment that might be worth thinking about, but it looks good to me.

review: Approve
416f566... by Tom Wardill on 2020-05-20

Use delegated authorization

Preview Diff

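--- a/lib/lp/registry/browser/tests/test_ociproject.py
+++ b/lib/lp/registry/browser/tests/test_ociproject.py
@@ -128,6 +128,36 @@ class TestOCIProjectEditView(BrowserTestCase):
 "Name:\nnew-name\nEdit OCI project",
 MatchesTagText(content, "name"))
 
+ def test_edit_oci_project_ad_oci_project_admin(self):
+ admin_person = self.factory.makePerson()
+ admin_team = self.factory.makeTeam(members=[admin_person])
+ original_distribution = self.factory.makeDistribution(
+ oci_project_admin=admin_team)
+ oci_project = self.factory.makeOCIProject(
+ pillar=original_distribution)
+ new_distribution = self.factory.makeDistribution(
+ oci_project_admin=admin_team)
+
+ browser = self.getViewBrowser(
+ oci_project, user=admin_person)
+ browser.getLink("Edit OCI project").click()
+ browser.getControl(name="field.distribution").value = [
+ new_distribution.name]
+ browser.getControl(name="field.name").value = "new-name"
+ browser.getControl("Update OCI project").click()
+
+ content = find_main_content(browser.contents)
+ self.assertEqual(
+ "OCI project new-name for %s" % new_distribution.display_name,
+ extract_text(content.h1))
+ self.assertThat(
+ "Distribution:\n%s\nEdit OCI project" % (
+ new_distribution.display_name),
+ MatchesTagText(content, "distribution"))
+ self.assertThat(
+ "Name:\nnew-name\nEdit OCI project",
+ MatchesTagText(content, "name"))
+
 def test_edit_oci_project_sets_date_last_modified(self):
 # Editing an OCI project sets the date_last_modified property.
 date_created = datetime(2000, 1, 1, tzinfo=pytz.UTC)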
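Review bot: The new test gives `admin_team` the `oci_project_admin` role on both `original_distribution` and `new_distribution`, so it only pins the case where the editor administers both ends of the move. A companion test where the target distribution has a different admin team, or none, would show whether the edit view refuses that move; this hunk does not establish it either way. The name `test_edit_oci_project_ad_oci_project_admin` also looks like a typo for `test_edit_oci_project_as_oci_project_admin`, which would match `test_newSeries_as_oci_project_admin` in the registry tests. A leading comment such as `# A member of the pillar's oci_project_admin team can edit the OCI project.` would state the rule under test, as the neighbouring test does; the enclosing `TestOCIProjectEditView` class starts outside the hunk.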
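--- a/lib/lp/registry/tests/test_ociproject.py
+++ b/lib/lp/registry/tests/test_ociproject.py
@@ -58,6 +58,20 @@ class TestOCIProject(TestCaseWithFactory):
 registrant)
 self.assertProvides(series, IOCIProjectSeries)
 
+ def test_newSeries_as_oci_project_admin(self):
+ admin_person = self.factory.makePerson()
+ admin_team = self.factory.makeTeam(members=[admin_person])
+ distribution = self.factory.makeDistribution(
+ oci_project_admin=admin_team)
+ oci_project = self.factory.makeOCIProject(pillar=distribution)
+ registrant = self.factory.makePerson()
+ with person_logged_in(admin_person):
+ series = oci_project.newSeries(
+ 'test-series',
+ 'test-summary',
+ registrant)
+ self.assertProvides(series, IOCIProjectSeries)
+
 def test_newSeries_bad_permissions(self):
 distribution = self.factory.makeDistribution()
 registrant = self.factory.makePerson()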
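--- a/lib/lp/security.py
+++ b/lib/lp/security.py
@@ -3462,21 +3462,17 @@ class EditOCIProject(AuthorizationBase):
 
 def checkAuthenticated(self, user):
 """Maintainers, drivers, and admins can drive projects."""
- # XXX twom 2019-10-29 This ideally shouldn't be driver, but a
- # new role name that cascades upwards from the OCIProject
- # to the pillar
 return (user.in_admin or
- user.isDriver(self.obj.pillar))
+ user.isDriver(self.obj.pillar) or
+ user.inTeam(self.obj.pillar.oci_project_admin))
 
 
-class EditOCIProjectSeries(AuthorizationBase):
+class EditOCIProjectSeries(DelegatedAuthorization):
 permission = 'launchpad.Edit'
 usedfor = IOCIProjectSeries
 
- def checkAuthenticated(self, user):
- """Maintainers, drivers, and admins can drive projects."""
- return (user.in_admin or
- user.isDriver(self.obj.oci_project.pillar))
+ def __init__(self, obj):
+ super(EditOCIProjectSeries, self).__init__(obj, obj.oci_project)
 
 
 class ViewOCIRecipeBuildRequest(DelegatedAuthorization):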
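Review bot: In `EditOCIProject.checkAuthenticated`, the added `user.inTeam(self.obj.pillar.oci_project_admin)` clause assumes every pillar has an `oci_project_admin` attribute and that `inTeam` treats an unset team as "not a member". Neither is visible in this hunk, and a distribution built with plain `makeDistribution()` (as in `test_newSeries_bad_permissions`) goes through this path, so the None case is worth confirming and covering with a test. The docstring still reads "Maintainers, drivers, and admins can drive projects." and no longer describes the check; something like `"""Admins, pillar drivers and the pillar's oci_project_admin team can edit."""` would match the code. `EditOCIProjectSeries` now delegates `launchpad.Edit` to its `oci_project`, so any later widening of the project check silently widens series edit rights too; a one-line class comment saying `# Edit rights on a series are exactly those of its OCI project.` would make that coupling explicit. The `EditOCIProject` class header lies outside the hunk.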
