@@ -103,7 +103,12 @@ def layerFilterSubsetString(self, layer):
103103 if not self ._active :
104104 return super (RestrictedAccessControl , self ).layerFilterSubsetString (layer )
105105
106- return "pk = 1" if layer .name () == "Hello_SubsetString" else None
106+ if layer .name () == "Hello_SubsetString" :
107+ return "pk = 1"
108+ elif layer .name () == "Hello_Project_SubsetString" :
109+ return "pkuid = 6 or pkuid = 7"
110+ else :
111+ return None
107112
108113 def layerPermissions (self , layer ):
109114 """ Return the layer rights """
@@ -861,6 +866,42 @@ def test_wms_getmap_subsetstring(self):
861866 response , headers = self ._get_restricted (query_string )
862867 self ._img_diff_error (response , headers , "Restricted_WMS_GetMap" )
863868
869+ def test_wms_getmap_projectsubsetstring (self ):
870+ """ test that project set layer subsetStrings are honored"""
871+ query_string = "&" .join (["%s=%s" % i for i in {
872+ "MAP" : urllib .quote (self .projectPath ),
873+ "SERVICE" : "WMS" ,
874+ "VERSION" : "1.1.1" ,
875+ "REQUEST" : "GetMap" ,
876+ "LAYERS" : "Hello_Project_SubsetString" ,
877+ "STYLES" : "" ,
878+ "FORMAT" : "image/png" ,
879+ "BBOX" : "-16817707,-4710778,5696513,14587125" ,
880+ "HEIGHT" : "500" ,
881+ "WIDTH" : "500" ,
882+ "SRS" : "EPSG:3857"
883+ }.items ()])
884+
885+ response , headers = self ._get_fullaccess (query_string )
886+ self ._img_diff_error (response , headers , "WMS_GetMap_projectsubstring" )
887+
888+ query_string = "&" .join (["%s=%s" % i for i in {
889+ "MAP" : urllib .quote (self .projectPath ),
890+ "SERVICE" : "WMS" ,
891+ "VERSION" : "1.1.1" ,
892+ "REQUEST" : "GetMap" ,
893+ "LAYERS" : "Hello_Project_SubsetString" ,
894+ "STYLES" : "" ,
895+ "FORMAT" : "image/png" ,
896+ "BBOX" : "-16817707,-4710778,5696513,14587125" ,
897+ "HEIGHT" : "500" ,
898+ "WIDTH" : "500" ,
899+ "SRS" : "EPSG:3857"
900+ }.items ()])
901+
902+ response , headers = self ._get_restricted (query_string )
903+ self ._img_diff_error (response , headers , "Restricted_WMS_GetMap_projectsubstring" )
904+
864905 def test_wms_getfeatureinfo_subsetstring (self ):
865906 query_string = "&" .join (["%s=%s" % i for i in {
866907 "SERVICE" : "WMS" ,
@@ -930,6 +971,113 @@ def test_wms_getfeatureinfo_subsetstring2(self):
930971 str (response ).find ("<qgs:pk>" ) != - 1 ,
931972 "Unexpected result result in GetFeatureInfo Hello/2\n %s" % response )
932973
974+ def test_wms_getfeatureinfo_projectsubsetstring (self ):
975+ """test that layer subsetStrings set in projects are honored. This test checks for a feature which should be filtered
976+ out by the project set layer subsetString
977+ """
978+ query_string = "&" .join (["%s=%s" % i for i in {
979+ "SERVICE" : "WMS" ,
980+ "VERSION" : "1.1.1" ,
981+ "REQUEST" : "GetFeatureInfo" ,
982+ "LAYERS" : "Hello_Project_SubsetString" ,
983+ "QUERY_LAYERS" : "Hello_Project_SubsetString" ,
984+ "STYLES" : "" ,
985+ "FORMAT" : "image/png" ,
986+ "BBOX" : "-16817707,-4710778,5696513,14587125" ,
987+ "HEIGHT" : "500" ,
988+ "WIDTH" : "500" ,
989+ "SRS" : "EPSG:3857" ,
990+ "FEATURE_COUNT" : "10" ,
991+ "INFO_FORMAT" : "application/vnd.ogc.gml" ,
992+ "X" : "56" ,
993+ "Y" : "144" ,
994+ "MAP" : urllib .quote (self .projectPath )
995+ }.items ()])
996+
997+ response , headers = self ._get_fullaccess (query_string )
998+ self .assertFalse (
999+ str (response ).find ("<qgs:pk>" ) != - 1 ,
1000+ "Project set layer subsetString not honored in WMS GetFeatureInfo/1\n %s" % response )
1001+
1002+ response , headers = self ._get_restricted (query_string )
1003+ self .assertFalse (
1004+ str (response ).find ("<qgs:pk>" ) != - 1 ,
1005+ "Project set layer subsetString not honored in WMS GetFeatureInfo when access control applied/1\n %s" % response )
1006+
1007+ def test_wms_getfeatureinfo_projectsubsetstring2 (self ):
1008+ """test that layer subsetStrings set in projects are honored. This test checks for a feature which should be pass
1009+ both project set layer subsetString and access control filters
1010+ """
1011+ query_string = "&" .join (["%s=%s" % i for i in {
1012+ "SERVICE" : "WMS" ,
1013+ "VERSION" : "1.1.1" ,
1014+ "REQUEST" : "GetFeatureInfo" ,
1015+ "LAYERS" : "Hello_Project_SubsetString" ,
1016+ "QUERY_LAYERS" : "Hello_Project_SubsetString" ,
1017+ "STYLES" : "" ,
1018+ "FORMAT" : "image/png" ,
1019+ "BBOX" : "-1623412,3146330,-1603412,3166330" ,
1020+ "HEIGHT" : "500" ,
1021+ "WIDTH" : "500" ,
1022+ "SRS" : "EPSG:3857" ,
1023+ "FEATURE_COUNT" : "10" ,
1024+ "INFO_FORMAT" : "application/vnd.ogc.gml" ,
1025+ "X" : "146" ,
1026+ "Y" : "160" ,
1027+ "MAP" : urllib .quote (self .projectPath )
1028+ }.items ()])
1029+
1030+ response , headers = self ._get_fullaccess (query_string )
1031+ self .assertTrue (
1032+ str (response ).find ("<qgs:pk>" ) != - 1 ,
1033+ "No result result in GetFeatureInfo Hello/2\n %s" % response )
1034+ self .assertTrue (
1035+ str (response ).find ("<qgs:pk>7</qgs:pk>" ) != - 1 ,
1036+ "No good result result in GetFeatureInfo Hello/2\n %s" % response )
1037+
1038+ response , headers = self ._get_restricted (query_string )
1039+ self .assertTrue (
1040+ str (response ).find ("<qgs:pk>" ) != - 1 ,
1041+ "No result result in GetFeatureInfo Hello/2\n %s" % response )
1042+ self .assertTrue (
1043+ str (response ).find ("<qgs:pk>7</qgs:pk>" ) != - 1 ,
1044+ "No good result result in GetFeatureInfo Hello/2\n %s" % response )
1045+
1046+ def test_wms_getfeatureinfo_projectsubsetstring2 (self ):
1047+ """test that layer subsetStrings set in projects are honored. This test checks for a feature which should be pass
1048+ the project set layer subsetString but fail the access control checks
1049+ """
1050+ query_string = "&" .join (["%s=%s" % i for i in {
1051+ "SERVICE" : "WMS" ,
1052+ "VERSION" : "1.1.1" ,
1053+ "REQUEST" : "GetFeatureInfo" ,
1054+ "LAYERS" : "Hello_Project_SubsetString" ,
1055+ "QUERY_LAYERS" : "Hello_Project_SubsetString" ,
1056+ "STYLES" : "" ,
1057+ "FORMAT" : "image/png" ,
1058+ "BBOX" : "3415650,2018968,3415750,2019968" ,
1059+ "HEIGHT" : "500" ,
1060+ "WIDTH" : "500" ,
1061+ "SRS" : "EPSG:3857" ,
1062+ "FEATURE_COUNT" : "10" ,
1063+ "INFO_FORMAT" : "application/vnd.ogc.gml" ,
1064+ "X" : "146" ,
1065+ "Y" : "160" ,
1066+ "MAP" : urllib .quote (self .projectPath )
1067+ }.items ()])
1068+
1069+ response , headers = self ._get_fullaccess (query_string )
1070+ self .assertTrue (
1071+ str (response ).find ("<qgs:pk>" ) != - 1 ,
1072+ "No result result in GetFeatureInfo Hello/2\n %s" % response )
1073+ self .assertTrue (
1074+ str (response ).find ("<qgs:pk>8</qgs:pk>" ) != - 1 ,
1075+ "No good result result in GetFeatureInfo Hello/2\n %s" % response )
1076+
1077+ response , headers = self ._get_restricted (query_string )
1078+ self .assertFalse (
1079+ str (response ).find ("<qgs:pk>" ) != - 1 ,
1080+ "Unexpected result from GetFeatureInfo Hello/2\n %s" % response )
9331081
9341082# # WFS # # WFS # # WFS # #
9351083
@@ -980,6 +1128,88 @@ def test_wfs_getfeature_subsetstring2(self):
9801128 str (response ).find ("<qgs:pk>" ) != - 1 ,
9811129 "Unexpected result in GetFeature\n %s" % response )
9821130
1131+ def test_wfs_getfeature_project_subsetstring (self ):
1132+ """Tests access control with a subset string already applied to a layer in a project
1133+ 'Hello_Project_SubsetString' layer has a subsetString of "pkuid in (7,8)"
1134+ This test checks for retrieving a feature which should be available in with/without access control
1135+ """
1136+ data = """<?xml version="1.0" encoding="UTF-8"?>
1137+ <wfs:GetFeature {xml_ns}>
1138+ <wfs:Query typeName="Hello_Project_SubsetString" srsName="EPSG:3857" xmlns:feature="http://www.qgis.org/gml">
1139+ <ogc:Filter xmlns:ogc="http://www.opengis.net/ogc"><ogc:PropertyIsEqualTo>
1140+ <ogc:PropertyName>pkuid</ogc:PropertyName>
1141+ <ogc:Literal>7</ogc:Literal>
1142+ </ogc:PropertyIsEqualTo></ogc:Filter></wfs:Query></wfs:GetFeature>""" .format (xml_ns = XML_NS )
1143+
1144+ # should be one result
1145+ response , headers = self ._post_fullaccess (data )
1146+ self .assertTrue (
1147+ str (response ).find ("<qgs:pk>" ) != - 1 ,
1148+ "No result in GetFeature\n %s" % response )
1149+ self .assertTrue (
1150+ str (response ).find ("<qgs:pk>7</qgs:pk>" ) != - 1 ,
1151+ "Feature with pkuid=7 not found in GetFeature\n %s" % response )
1152+
1153+ response , headers = self ._post_restricted (data )
1154+ self .assertTrue (
1155+ str (response ).find ("<qgs:pk>" ) != - 1 ,
1156+ "No result in GetFeature\n %s" % response )
1157+ self .assertTrue (
1158+ str (response ).find ("<qgs:pk>7</qgs:pk>" ) != - 1 ,
1159+ "Feature with pkuid=7 not found in GetFeature, has been incorrectly filtered out by access controls\n %s" % response )
1160+
1161+ def test_wfs_getfeature_project_subsetstring2 (self ):
1162+ """Tests access control with a subset string already applied to a layer in a project
1163+ 'Hello_Project_SubsetString' layer has a subsetString of "pkuid in (7,8)"
1164+ This test checks for a feature which should be filtered out by access controls
1165+ """
1166+ data = """<?xml version="1.0" encoding="UTF-8"?>
1167+ <wfs:GetFeature {xml_ns}>
1168+ <wfs:Query typeName="Hello_Project_SubsetString" srsName="EPSG:3857" xmlns:feature="http://www.qgis.org/gml">
1169+ <ogc:Filter xmlns:ogc="http://www.opengis.net/ogc"><ogc:PropertyIsEqualTo>
1170+ <ogc:PropertyName>pkuid</ogc:PropertyName>
1171+ <ogc:Literal>8</ogc:Literal>
1172+ </ogc:PropertyIsEqualTo></ogc:Filter></wfs:Query></wfs:GetFeature>""" .format (xml_ns = XML_NS )
1173+
1174+ # should be one result
1175+ response , headers = self ._post_fullaccess (data )
1176+ self .assertTrue (
1177+ str (response ).find ("<qgs:pk>" ) != - 1 ,
1178+ "No result in GetFeature\n %s" % response )
1179+ self .assertTrue (
1180+ str (response ).find ("<qgs:pk>8</qgs:pk>" ) != - 1 ,
1181+ "Feature with pkuid=8 not found in GetFeature\n %s" % response )
1182+
1183+ response , headers = self ._post_restricted (data )
1184+ self .assertFalse (
1185+ str (response ).find ("<qgs:pk>" ) != - 1 ,
1186+ "Feature with pkuid=8 was found in GetFeature, but should have been filtered out by access controls\n %s" % response )
1187+
1188+ def test_wfs_getfeature_project_subsetstring3 (self ):
1189+ """Tests access control with a subset string already applied to a layer in a project
1190+ 'Hello_Project_SubsetString' layer has a subsetString of "pkuid in (7,8)"
1191+ This test checks for a features which should be filtered out by project subsetStrings.
1192+ Eg pkuid 6 passes the access control checks, but should not be shown because of project layer subsetString
1193+ """
1194+ data = """<?xml version="1.0" encoding="UTF-8"?>
1195+ <wfs:GetFeature {xml_ns}>
1196+ <wfs:Query typeName="Hello_Project_SubsetString" srsName="EPSG:3857" xmlns:feature="http://www.qgis.org/gml">
1197+ <ogc:Filter xmlns:ogc="http://www.opengis.net/ogc"><ogc:PropertyIsEqualTo>
1198+ <ogc:PropertyName>pkuid</ogc:PropertyName>
1199+ <ogc:Literal>6</ogc:Literal>
1200+ </ogc:PropertyIsEqualTo></ogc:Filter></wfs:Query></wfs:GetFeature>""" .format (xml_ns = XML_NS )
1201+
1202+ # should be no results, since pkuid 1 should be filtered out by project subsetString
1203+ response , headers = self ._post_fullaccess (data )
1204+ self .assertTrue (
1205+ str (response ).find ("<qgs:pk>" ) == - 1 ,
1206+ "Project based layer subsetString not respected in GetFeature\n %s" % response )
1207+
1208+ response , headers = self ._post_restricted (data )
1209+ self .assertFalse (
1210+ str (response ).find ("<qgs:pk>" ) != - 1 ,
1211+ "Project based layer subsetString not respected in GetFeature with restricted access\n %s" % response )
1212+
9831213 def _handle_request (self , restricted , * args ):
9841214 accesscontrol ._active = restricted
9851215 result = self ._result (server .handleRequest (* args ))
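Review bot: `test_wms_getfeatureinfo_projectsubsetstring2` is defined twice in the WMS GetFeatureInfo hunk (new lines 1007 and 1046), so the second definition replaces the first in the class body. The positive case, where pkuid 7 must pass both the project subsetString and the access-control filter, therefore never runs. Rename the later one, e.g. `def test_wms_getfeatureinfo_projectsubsetstring3(self):`, which also matches the 1/2/3 numbering of the new WFS tests. The comment at new line 1202 says pkuid 1 while the request filters on pkuid 6; it should read `# should be no results, since pkuid 6 should be filtered out by project subsetString`. The enclosing test class begins and ends outside the visible hunks, so whether other test names collide cannot be checked from here.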