diff --git a/mayan/apps/document_comments/tests/test_api.py b/mayan/apps/document_comments/tests/test_api.py index d612fe5cfd..3bb499661a 100644 --- a/mayan/apps/document_comments/tests/test_api.py +++ b/mayan/apps/document_comments/tests/test_api.py @@ -1,36 +1,29 @@ from __future__ import unicode_literals -from django.contrib.auth import get_user_model from django.test import override_settings -from django.urls import reverse -from rest_framework.test import APITestCase +from rest_framework import status from documents.models import DocumentType from documents.tests.literals import ( TEST_DOCUMENT_TYPE_LABEL, TEST_SMALL_DOCUMENT_PATH ) -from user_management.tests.literals import ( - TEST_ADMIN_EMAIL, TEST_ADMIN_PASSWORD, TEST_ADMIN_USERNAME -) +from rest_api.tests import BaseAPITestCase from ..models import Comment +from ..permissions import ( + permission_comment_create, permission_comment_delete, + permission_comment_view +) from .literals import TEST_COMMENT_TEXT @override_settings(OCR_AUTO_OCR=False) -class CommentAPITestCase(APITestCase): +class CommentAPITestCase(BaseAPITestCase): def setUp(self): - self.admin_user = get_user_model().objects.create_superuser( - username=TEST_ADMIN_USERNAME, email=TEST_ADMIN_EMAIL, - password=TEST_ADMIN_PASSWORD - ) - - self.client.login( - username=TEST_ADMIN_USERNAME, password=TEST_ADMIN_PASSWORD - ) - + super(CommentAPITestCase, self).setUp() + self.login_user() self.document_type = DocumentType.objects.create( label=TEST_DOCUMENT_TYPE_LABEL ) 
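Review bot: `setUp` no longer creates `self.admin_user`, yet `_create_comment` in the next hunk still passes `user=self.admin_user`, so the fixture now depends on `BaseAPITestCase.setUp()` defining that attribute, which is not visible here. The `*_no_access` tests also only prove anything if `self.login_user()` authenticates an account that is not a superuser and holds no ACLs. I would state both assumptions above the call, e.g. `# login_user() signs in an unprivileged user; admin_user comes from BaseAPITestCase and only authors fixtures`. The body of `setUp` continues past the end of this hunk.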
@@ -43,55 +36,94 @@ class CommentAPITestCase(APITestCase): def tearDown(self): if hasattr(self, 'document_type'): self.document_type.delete() + super(CommentAPITestCase, self).tearDown() def _create_comment(self): return self.document.comments.create( comment=TEST_COMMENT_TEXT, user=self.admin_user ) - def test_comment_create_view(self): - response = self.client.post( - reverse( - 'rest_api:comment-list', args=(self.document.pk,) - ), { + def _request_comment_create_view(self): + return self.post( + viewname='rest_api:comment-list', args=(self.document.pk,), + data={ 'comment': TEST_COMMENT_TEXT } ) - self.assertEqual(response.status_code, 201) + def test_comment_create_view_no_access(self): + response = self._request_comment_create_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(Comment.objects.count(), 0) + + def test_comment_create_view_with_access(self): + self.grant_access(permission=permission_comment_create, obj=self.document) + response = self._request_comment_create_view() + self.assertEqual(response.status_code, status.HTTP_201_CREATED) comment = Comment.objects.first() self.assertEqual(Comment.objects.count(), 1) self.assertEqual(response.data['id'], comment.pk) - def test_comment_delete_view(self): - comment = self._create_comment() - - self.client.delete( - reverse( - 'rest_api:comment-detail', args=(self.document.pk, comment.pk,) + def _request_comment_delete_view(self): + return self.delete( + viewname='rest_api:comment-detail', args=( + self.document.pk, self.comment.pk, ) ) - self.assertEqual(Comment.objects.count(), 0) + def test_comment_delete_view_no_access(self): + self.comment = self._create_comment() + response = self._request_comment_delete_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertTrue(self.comment in Comment.objects.all()) - def test_comment_detail_view(self): - comment = self._create_comment() + def test_comment_delete_view_with_access(self): + 
self.comment = self._create_comment() + self.grant_access( + permission=permission_comment_delete, obj=self.document + ) + response = self._request_comment_delete_view() + self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) + self.assertFalse(self.comment in Comment.objects.all()) - response = self.client.get( - reverse( - 'rest_api:comment-detail', args=(self.document.pk, comment.pk,) + def _request_comment_view(self): + return self.get( + viewname='rest_api:comment-detail', args=( + self.document.pk, self.comment.pk, ) ) - self.assertEqual(response.data['comment'], comment.comment) + def test_comment_detail_view_no_access(self): + self.comment = self._create_comment() + response = self._request_comment_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - def test_comment_list_view(self): - comment = self._create_comment() + def test_comment_detail_view_with_access(self): + self.comment = self._create_comment() + self.grant_access( + permission=permission_comment_view, obj=self.document + ) + response = self._request_comment_view() + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(response.data['comment'], self.comment.comment) - response = self.client.get( - reverse('rest_api:comment-list', args=(self.document.pk,)) + def _request_comment_list_view(self): + return self.get( + viewname='rest_api:comment-list', args=(self.document.pk,) ) + def test_comment_list_view_no_access(self): + self.comment = self._create_comment() + response = self._request_comment_list_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + def test_comment_list_view_with_access(self): + self.comment = self._create_comment() + self.grant_access( + permission=permission_comment_view, obj=self.document + ) + response = self._request_comment_list_view() + self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual( - response.data['results'][0]['comment'], comment.comment + 
response.data['results'][0]['comment'], self.comment.comment )
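Review bot: Every negative test in this hunk runs with no grant at all, so a view that accepted any comment permission instead of the specific one would still pass. The create and delete paths are never exercised with only `permission_comment_view` granted. A wrong-permission case per mutating endpoint closes that gap, as sketched below for delete. A case where the comment belongs to a different document than the one in the URL would also be worth adding, but the document fixture it needs is set up outside this hunk.

```python
    # … unchanged: test_comment_delete_view_no_access …

    def test_comment_delete_view_wrong_permission(self):
        self.comment = self._create_comment()
        self.grant_access(
            permission=permission_comment_view, obj=self.document
        )
        response = self._request_comment_delete_view()
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        self.assertTrue(self.comment in Comment.objects.all())
```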