matthias/mayan-edms
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update the django_gpg app APIs to check for user access. Update corresponding tests.

Browse Source 
Signed-off-by: Michael Price <loneviking72@gmail.com>
This commit is contained in:
Michael Price
2018-02-15 23:45:49 -04:00
committed by Roberto Rosario
parent d3e4876511
commit 57bb282dbc
2 changed files with 68 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
mayan/apps/django_gpg/api_views.py
View File

@@ -14,10 +14,8 @@ from .serializers import KeySerializer
class APIKeyListView(generics.ListCreateAPIView): class APIKeyListView(generics.ListCreateAPIView):
filter_backends = (MayanObjectPermissionsFilter,) filter_backends = (MayanObjectPermissionsFilter,)
mayan_object_permissions = { mayan_object_permissions = {'GET': (permission_key_view,)}
'GET': (permission_key_view,), mayan_view_permissions = {'POST': (permission_key_upload,)}
'POST': (permission_key_upload,)
}
permission_classes = (MayanPermission,) permission_classes = (MayanPermission,)
queryset = Key.objects.all() queryset = Key.objects.all()
serializer_class = KeySerializer serializer_class = KeySerializer

94
mayan/apps/django_gpg/tests/test_api.py
View File

@@ -1,15 +1,15 @@
from __future__ import unicode_literals from __future__ import unicode_literals
from django.contrib.auth import get_user_model
from django.test import override_settings from django.test import override_settings
from django.urls import reverse
from rest_framework import status
from rest_api.tests import BaseAPITestCase from rest_api.tests import BaseAPITestCase
from user_management.tests.literals import (
TEST_ADMIN_EMAIL, TEST_ADMIN_PASSWORD, TEST_ADMIN_USERNAME
)
from ..models import Key from ..models import Key
from ..permissions import (
permission_key_delete, permission_key_upload, permission_key_view
)
from .literals import TEST_KEY_DATA, TEST_KEY_FINGERPRINT from .literals import TEST_KEY_DATA, TEST_KEY_FINGERPRINT
@@ -18,42 +18,80 @@ from .literals import TEST_KEY_DATA, TEST_KEY_FINGERPRINT
class KeyAPITestCase(BaseAPITestCase): class KeyAPITestCase(BaseAPITestCase):
def setUp(self): def setUp(self):
super(KeyAPITestCase, self).setUp() super(KeyAPITestCase, self).setUp()
self.admin_user = get_user_model().objects.create_superuser( self.login_user()
username=TEST_ADMIN_USERNAME, email=TEST_ADMIN_EMAIL,
password=TEST_ADMIN_PASSWORD
)
self.client.login(
username=TEST_ADMIN_USERNAME, password=TEST_ADMIN_PASSWORD
)
def _create_key(self): def _create_key(self):
return Key.objects.create(key_data=TEST_KEY_DATA) return Key.objects.create(key_data=TEST_KEY_DATA)
def test_key_create_view(self): # Key creation by upload
response = self.client.post(
reverse('rest_api:key-list'), { def _request_key_create_view(self):
return self.post(
viewname='rest_api:key-list', data={
'key_data': TEST_KEY_DATA 'key_data': TEST_KEY_DATA
} }
) )
def test_key_create_view_no_permission(self):
response = self._request_key_create_view()
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(Key.objects.all().count(), 0)
def test_key_create_view_with_permission(self):
self.grant_permission(permission=permission_key_upload)
response = self._request_key_create_view()
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.assertEqual(response.data['fingerprint'], TEST_KEY_FINGERPRINT) self.assertEqual(response.data['fingerprint'], TEST_KEY_FINGERPRINT)
key = Key.objects.first() key = Key.objects.first()
self.assertEqual(Key.objects.count(), 1) self.assertEqual(Key.objects.count(), 1)
self.assertEqual(key.fingerprint, TEST_KEY_FINGERPRINT) self.assertEqual(key.fingerprint, TEST_KEY_FINGERPRINT)
def test_key_delete_view(self): # Key deletion
key = self._create_key()
self.client.delete(reverse('rest_api:key-detail', args=(key.pk,))) def _request_key_delete_view(self):
return self.delete(
self.assertEqual(Key.objects.count(), 0) viewname='rest_api:key-detail', args=(self.key.pk,)
def test_key_detail_view(self):
key = self._create_key()
response = self.client.get(
reverse('rest_api:key-detail', args=(key.pk,))
) )
self.assertEqual(response.data['fingerprint'], key.fingerprint) def test_key_delete_view_no_access(self):
self.key = self._create_key()
response = self._request_key_delete_view()
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
self.assertEqual(Key.objects.count(), 1)
def test_key_delete_view_with_access(self):
self.key = self._create_key()
self.grant_access(
permission=permission_key_delete, obj=self.key
)
response = self._request_key_delete_view()
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
self.assertEqual(Key.objects.count(), 0)
# Key detail
def _request_key_detail_view(self):
return self.get(
viewname='rest_api:key-detail', args=(self.key.pk,)
)
def test_key_detail_view_no_access(self):
self.key = self._create_key()
response = self._request_key_detail_view()
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
def test_key_detail_view_with_access(self):
self.key = self._create_key()
self.grant_access(
permission=permission_key_view, obj=self.key
)
response = self._request_key_detail_view()
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(
response.data['fingerprint'], self.key.fingerprint
)