WIP

test/test_db.py

@@ -43,6 +43,7 @@ def test_permissions(app):
     john = app.db.save(schema.User(name="john", email="john@foo", password="powerfulCat"))
     players = app.db.save(schema.Group(name="players", members=[john]))
     notes = app.db.save(schema.Page(name="notes"))
+    note0 = notes.add_member(schema.Page(name="note0"))
 
     # default no access
     assert not players.can_read(notes)
@@ -51,6 +52,8 @@ def test_permissions(app):
     assert not john.can_read(notes)
     assert not john.can_write(notes)
     assert not john.can_delete(notes)
+    assert not players.can_read(note0)
+    assert not john.can_read(note0)
 
     # set to rw, no delete
     notes.set_permissions(players, [schema.Permissions.READ, schema.Permissions.WRITE])
@@ -60,15 +63,33 @@ def test_permissions(app):
     assert players.can_write(notes)
     assert not players.can_delete(notes)
 
+    # propagated
+    note0 = app.db.Page.get(doc_id=note0.doc_id)
+    assert players.can_read(note0)
+    assert players.can_write(note0)
+    assert not players.can_delete(note0)
+    assert not john.can_delete(note0)
+
     # members of the group inherit group permissions
     assert john.can_read(notes)
+    assert john.can_read(note0)
     assert john.can_write(notes)
-    assert not john.can_delete(notes)
+    assert john.can_write(note0)
 
     # permissions are the union of user + group permissions
     notes.set_permissions(john, [schema.Permissions.DELETE])
+    notes = app.db.Page.get(doc_id=notes.doc_id)
+    note0 = app.db.Page.get(doc_id=note0.doc_id)
     assert not players.can_delete(notes)
+    assert not players.can_delete(note0)
     assert john.can_delete(notes)
+    assert john.can_delete(note0)
+
+    # user perms always override inherited permissions
+    note0.set_permissions(john, [])
+    note0 = app.db.Page.get(doc_id=note0.doc_id)
+    assert not john.can_read(note0)
+    assert players.can_read(note0)
 
 
 def test_bootstrap(app):