From 948ce7fe033883b18f4bd5f7cab53f21c5f2874f Mon Sep 17 00:00:00 2001
From: Joseph Kocherhans
Date: Wed, 8 Nov 2006 23:53:19 +0000
Subject: [PATCH] [generic-auth] Added a simple role based permission checker in the tests
git-svn-id: http://code.djangoproject.com/svn/django/branches/generic-auth@4055 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 tests/regressiontests/generic_auth/models.py | 6 ++
 tests/regressiontests/generic_auth/tests.py | 80 +++++++++++++++++++-
 2 files changed, 82 insertions(+), 4 deletions(-)
diff --git a/tests/regressiontests/generic_auth/models.py b/tests/regressiontests/generic_auth/models.py
index 1852b1892c..6525e64375 100644
--- a/tests/regressiontests/generic_auth/models.py
+++ b/tests/regressiontests/generic_auth/models.py
@@ -1,4 +1,10 @@
 from django.db import models
+from django.contrib.auth.models import User
 class Person(models.Model):
 name = models.CharField(maxlength=20)
+
+class Article(models.Model):
+ name = models.CharField(maxlength=100)
+ body = models.TextField()
+ creator = models.ForeignKey(User)
diff --git a/tests/regressiontests/generic_auth/tests.py b/tests/regressiontests/generic_auth/tests.py
index 96c9d1bbdc..7e5ccdcf6b 100644
--- a/tests/regressiontests/generic_auth/tests.py
+++ b/tests/regressiontests/generic_auth/tests.py
@@ -9,12 +9,16 @@
 >>> app = get_app('generic_auth')
 >>> create_permissions(app, [], 0)
-Create and register an authorization handler that acts like Django's model
-level permissions
+Create and register an authorization handler that acts similarly to Django's
+model level permissions. This version doesn't take group permissions into
+account however.
 >>> def default_has_permission(user, permission, obj):
-... p_name = "%s.%s" % (permission.content_type.app_label, permission.codename)
-... return user.has_perm(p_name)
+... if not user.is_active:
+... return False
+... if user.is_superuser:
+... return True
+... return permission in user.user_permissions.select_related()
 ...
 >>> has_permission.register(default_has_permission, User, Permission, Person)
 >>> has_permission.register(default_has_permission, User, Permission)
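Review bot: The new return line in `default_has_permission`, `permission in user.user_permissions.select_related()`, loads every permission row the user holds (plus the joins `select_related()` adds) and compares them in Python on each check, so the result depends on model equality rather than on a query for the one row. Asking the database directly, e.g. `return user.user_permissions.filter(pk=permission.pk).count() > 0`, is cheaper and states the intent. The same expression is repeated in `is_creator` in the next hunk. Because this handler is also registered as the `(User, Permission)` fallback, a short docstring saying that inactive users are denied before the superuser shortcut and that group-granted permissions are ignored would help anyone who copies it as a template.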
@@ -70,4 +74,72 @@
 True
 >>> has_permissions(user, [add_permission, delete_permission], person)
 False
+
+Let's create a simple role-based implementation of has_permission that allows
+change and delete access to the creator of an object, but denies access to
+everyone else. The creator is just a foreign key from the object in question
+to the django.contrib.auth.models.User model.
+
+First, we create the actual implementation.
+
+>>> def is_creator(user, permission, object):
+... if user.is_superuser:
+... return True
+... # if no object was provided, fall back to Model level permissions
+... if not object:
+... return permission in user.user_permissions.select_related()
+... return user == object.creator
+...
+
+
+The we register is_creator to handle calls to has_permission for the
+appropriate models (in this case User, Permision, and Article).
+
+>>> from django.contrib.auth.models import User, Permission
+>>> from django.contrib.auth import has_permission
+>>> from regressiontests.generic_auth.models import Article
+
+>>> has_permission.register(is_creator, User, Permission, Article)
+
+
+Create an Article for our tests, and set it's `owner` attribute to the user we
+created above.
+
+>>> article = Article(name='test', body='test', creator=user)
+>>> article.save()
+
+
+Set up some convenient reverences to the various permission objects.
+
+>>> add_permission = Article._meta.get_add_permission()
+>>> change_permission = Article._meta.get_change_permission()
+>>> delete_permission = Article._meta.get_delete_permission()
+
+Adding isn't tied to a particular object, and we haven't given the user
+permission to add Articles yet, so this should fail.
+
+>>> has_permission(user, add_permission)
+False
+
+But the user *is* the creator of `article`, so they *should* have change and
+delete permissions for that article.
+
+>>> has_permission(user, change_permission, article)
+True
+>>> has_permission(user, delete_permission, article)
+True
+
+
+Give the user add Article permissions.
+
+>>> user.user_permissions.add(add_permission)
+>>> user.save()
+
+
+Make sure it worked.
+
+>>> has_permission(user, add_permission, article)
+True
+
+
 """
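Review bot: `is_creator` never inspects `permission` once an object is passed, so the creator is granted every permission on the article rather than only the change and delete access the prose promises. As a result the closing `has_permission(user, add_permission, article)` check returns True whether or not the preceding `user_permissions.add(...)` took effect. The function also omits the `if not user.is_active: return False` guard that this same commit adds to `default_has_permission`, so a deactivated creator or superuser still passes. I would add that guard, test `object is None` instead of truthiness, and limit the creator branch to the model's change and delete permissions using the `_meta` helpers the test already calls, as sketched below. Separately, the prose says `owner` where the field is `creator` and has typos ("The we register", "Permision", "reverences").

```python
>>> def is_creator(user, permission, object):
...     if not user.is_active:
...         return False
...     # … unchanged: superuser shortcut …
...     if object is None:
...         return permission in user.user_permissions.select_related()
...     # the creator role covers change and delete only; any other
...     # permission must have been granted to the user explicitly
...     opts = object._meta
...     if permission in (opts.get_change_permission(), opts.get_delete_permission()):
...         return user == object.creator
...     return permission in user.user_permissions.select_related()
```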