Allow regular users to do write requests

8a6018f9 · Christoph Ziebuhr · oroulet · ec227ba7 · 8a6018f9 · 8a6018f9
Commit 8a6018f9 authored Oct 11, 2024 by Christoph Ziebuhr Committed by oroulet Oct 16, 2024
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 15 deletions

asyncua/crypto/permission_rules.py asyncua/crypto/permission_rules.py +8 -8

tests/test_permissions.py tests/test_permissions.py +9 -7

No files found.
--- a/asyncua/crypto/permission_rules.py
+++ b/asyncua/crypto/permission_rules.py
 from asyncua import ua
 from asyncua.server.users import UserRole
-WRITE_TYPES = [
+ADMIN_TYPES = [
-    ua.ObjectIds.WriteRequest_Encoding_DefaultBinary,
    ua.ObjectIds.RegisterServerRequest_Encoding_DefaultBinary,
    ua.ObjectIds.RegisterServer2Request_Encoding_DefaultBinary,
    ua.ObjectIds.AddNodesRequest_Encoding_DefaultBinary,
@@ -11,11 +10,12 @@ WRITE_TYPES = [
    ua.ObjectIds.DeleteReferencesRequest_Encoding_DefaultBinary,
 ]
-READ_TYPES = [
+USER_TYPES = [
    ua.ObjectIds.CreateSessionRequest_Encoding_DefaultBinary,
    ua.ObjectIds.CloseSessionRequest_Encoding_DefaultBinary,
    ua.ObjectIds.ActivateSessionRequest_Encoding_DefaultBinary,
    ua.ObjectIds.ReadRequest_Encoding_DefaultBinary,
+    ua.ObjectIds.WriteRequest_Encoding_DefaultBinary,
    ua.ObjectIds.BrowseRequest_Encoding_DefaultBinary,
    ua.ObjectIds.GetEndpointsRequest_Encoding_DefaultBinary,
    ua.ObjectIds.FindServersRequest_Encoding_DefaultBinary,
@@ -49,15 +49,15 @@ class PermissionRuleset:
 class SimpleRoleRuleset(PermissionRuleset):
    """
    Standard simple role-based ruleset.
-    Admins alone can write, admins and users can read, and anonymous users can't do anything.
+    Admins alone can change address space, admins and users can read/write, and anonymous users can't do anything.
    """
    def __init__(self):
-        write_ids = list(map(ua.NodeId, WRITE_TYPES))
+        admin_ids = list(map(ua.NodeId, ADMIN_TYPES))
-        read_ids = list(map(ua.NodeId, READ_TYPES))
+        user_ids = list(map(ua.NodeId, USER_TYPES))
        self._permission_dict = {
-            UserRole.Admin: set().union(write_ids, read_ids),
+            UserRole.Admin: set().union(admin_ids, user_ids),
-            UserRole.User: set().union(read_ids),
+            UserRole.User: set().union(user_ids),
            UserRole.Anonymous: set()
        }

--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@@ -88,9 +88,9 @@ async def test_permissions_admin(srv_crypto_one_cert):
        assert await clt.get_objects_node().get_children()
        objects = clt.nodes.objects
        child = await objects.get_child(['0:MyObject', '0:MyVariable'])
-        await child.read_value()
        await child.set_value(42.0)
+        assert await child.read_value() == 42.0
+        await child.add_property(0, "MyProperty1", 3)
 async def test_permissions_user(srv_crypto_one_cert):
    clt = Client(uri_crypto_cert)
@@ -106,9 +106,10 @@ async def test_permissions_user(srv_crypto_one_cert):
        assert await clt.get_objects_node().get_children()
        objects = clt.nodes.objects
        child = await objects.get_child(['0:MyObject', '0:MyVariable'])
-        await child.read_value()
+        await child.set_value(44.0)
+        assert await child.read_value() == 44.0
        with pytest.raises(ua.uaerrors.BadUserAccessDenied):
-            await child.set_value(42)
+            await child.add_property(0, "MyProperty2", 3)
 async def test_permissions_anonymous(srv_crypto_one_cert):
@@ -121,6 +122,7 @@ async def test_permissions_anonymous(srv_crypto_one_cert):
        server_certificate=srv_crypto_params[0][1],
        mode=ua.MessageSecurityMode.SignAndEncrypt
    )
-    await clt.connect()
+    async with clt:
-    await clt.get_endpoints()
+        await clt.get_endpoints()
-    await clt.disconnect()
+        with pytest.raises(ua.uaerrors.BadUserAccessDenied):
+            await clt.nodes.objects.get_children()