diff --git a/docs/topics/.development.rst.swp b/docs/topics/.development.rst.swp deleted file mode 100644 index 57cb51857d..0000000000 Binary files a/docs/topics/.development.rst.swp and /dev/null differ diff --git a/mayan/apps/tags/tests/test_api.py b/mayan/apps/tags/tests/test_api.py index 97f8752f62..ba05f45704 100644 --- a/mayan/apps/tags/tests/test_api.py +++ b/mayan/apps/tags/tests/test_api.py @@ -1,18 +1,20 @@ from __future__ import unicode_literals -from django.contrib.auth import get_user_model from django.test import override_settings -from django.urls import reverse from django.utils.encoding import force_text +from rest_framework import status + from documents.models import DocumentType +from documents.permissions import permission_document_view from documents.tests import TEST_DOCUMENT_TYPE_LABEL, TEST_SMALL_DOCUMENT_PATH from rest_api.tests import BaseAPITestCase -from user_management.tests.literals import ( - TEST_ADMIN_EMAIL, TEST_ADMIN_PASSWORD, TEST_ADMIN_USERNAME -) from ..models import Tag +from ..permissions import ( + permission_tag_attach, permission_tag_create, permission_tag_delete, + permission_tag_edit, permission_tag_remove, permission_tag_view +) from .literals import ( TEST_TAG_COLOR, TEST_TAG_COLOR_EDITED, TEST_TAG_LABEL, @@ -24,14 +26,7 @@ from .literals import ( class TagAPITestCase(BaseAPITestCase): def setUp(self): super(TagAPITestCase, self).setUp() - self.admin_user = get_user_model().objects.create_superuser( - username=TEST_ADMIN_USERNAME, email=TEST_ADMIN_EMAIL, - password=TEST_ADMIN_PASSWORD - ) - - self.client.login( - username=TEST_ADMIN_USERNAME, password=TEST_ADMIN_PASSWORD - ) + self.login_user() def tearDown(self): if hasattr(self, 'document_type'): 
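Review bot: The new `self.login_user()` call in `setUp` carries no comment saying what kind of account it logs in, and every `_no_access` / `_no_permission` test added later in this file only proves something if that account is not a superuser. `login_user` is defined outside this diff (presumably on `BaseAPITestCase`), so the unprivileged assumption is inferred from the 403/404 expectations rather than visible here. I would add `# Log in as the unprivileged test user; each test grants only the permission it exercises.` above the call.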
@@ -39,7 +34,9 @@ class TagAPITestCase(BaseAPITestCase): super(TagAPITestCase, self).tearDown() def _create_tag(self): - return Tag.objects.create(color=TEST_TAG_COLOR, label=TEST_TAG_LABEL) + return Tag.objects.create( + color=TEST_TAG_COLOR, label=TEST_TAG_LABEL + ) def _document_create(self): self.document_type = DocumentType.objects.create( 
@@ -53,130 +50,297 @@ class TagAPITestCase(BaseAPITestCase): return document - def test_tag_create_view(self): - response = self.client.post( - reverse('rest_api:tag-list'), { + def _request_tag_create(self): + return self.post( + viewname='rest_api:tag-list', data={ 'label': TEST_TAG_LABEL, 'color': TEST_TAG_COLOR } ) - tag = Tag.objects.first() - self.assertEqual(response.data['id'], tag.pk) - self.assertEqual(response.data['label'], TEST_TAG_LABEL) - self.assertEqual(response.data['color'], TEST_TAG_COLOR) - - self.assertEqual(Tag.objects.count(), 1) - self.assertEqual(tag.label, TEST_TAG_LABEL) - self.assertEqual(tag.color, TEST_TAG_COLOR) - - def test_tag_create_with_documents_view(self): - response = self.client.post( - reverse('rest_api:tag-list'), { - 'label': TEST_TAG_LABEL, 'color': TEST_TAG_COLOR - } - ) - - tag = Tag.objects.first() - self.assertEqual(response.data['id'], tag.pk) - self.assertEqual(response.data['label'], TEST_TAG_LABEL) - self.assertEqual(response.data['color'], TEST_TAG_COLOR) - - self.assertEqual(Tag.objects.count(), 1) - self.assertEqual(tag.label, TEST_TAG_LABEL) - self.assertEqual(tag.color, TEST_TAG_COLOR) - - def test_tag_delete_view(self): - tag = self._create_tag() - - self.client.delete(reverse('rest_api:tag-detail', args=(tag.pk,))) - + def test_tag_create_view_no_permission(self): + response = self._request_tag_create() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(Tag.objects.count(), 0) - def test_tag_document_list_view(self): - tag = self._create_tag() - document = self._document_create() - tag.documents.add(document) + def test_tag_create_view_with_permission(self): + self.grant_permission(permission=permission_tag_create) + response = self._request_tag_create() + self.assertEqual(response.status_code, status.HTTP_201_CREATED) - response = self.client.get( - reverse('rest_api:tag-document-list', args=(tag.pk,)) + tag = Tag.objects.first() + self.assertEqual(response.data['id'], 
tag.pk) + self.assertEqual(response.data['label'], TEST_TAG_LABEL) + self.assertEqual(response.data['color'], TEST_TAG_COLOR) + + self.assertEqual(Tag.objects.count(), 1) + self.assertEqual(tag.label, TEST_TAG_LABEL) + self.assertEqual(tag.color, TEST_TAG_COLOR) + + def _request_tag_delete(self): + return self.delete(viewname='rest_api:tag-detail', args=(self.tag.pk,)) + + def test_tag_delete_view_no_access(self): + self.tag = self._create_tag() + response = self._request_tag_delete() + self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND) + self.assertTrue(self.tag in Tag.objects.all()) + + def test_tag_delete_view_with_access(self): + self.tag = self._create_tag() + self.grant_access(permission=permission_tag_delete, obj=self.tag) + response = self._request_tag_delete() + self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) + self.assertFalse(self.tag in Tag.objects.all()) + + def _request_tag_document_list_view(self): + return self.get( + viewname='rest_api:tag-document-list', args=(self.tag.pk,) ) + def test_tag_document_list_view_no_access(self): + self.tag = self._create_tag() + document = self._document_create() + self.tag.documents.add(document) + + response = self._request_tag_document_list_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + def test_tag_document_list_view_with_tag_access(self): + self.tag = self._create_tag() + document = self._document_create() + self.tag.documents.add(document) + self.grant_access(permission=permission_tag_view, obj=self.tag) + response = self._request_tag_document_list_view() + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(response.data['count'], 0) + + def test_tag_document_list_view_with_document_access(self): + self.tag = self._create_tag() + document = self._document_create() + self.tag.documents.add(document) + self.grant_access(permission=permission_document_view, obj=document) + response = self._request_tag_document_list_view() 
+ self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + def test_tag_document_list_view_with_access(self): + self.tag = self._create_tag() + document = self._document_create() + self.tag.documents.add(document) + self.grant_access(permission=permission_tag_view, obj=self.tag) + self.grant_access(permission=permission_document_view, obj=document) + response = self._request_tag_document_list_view() + self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual( response.data['results'][0]['uuid'], force_text(document.uuid) ) - def test_tag_edit_via_patch(self): - tag = self._create_tag() - - self.client.patch( - reverse('rest_api:tag-detail', args=(tag.pk,)), - { + def _request_tag_edit_via_patch(self): + return self.patch( + viewname='rest_api:tag-detail', args=(self.tag.pk,), data={ 'label': TEST_TAG_LABEL_EDITED, 'color': TEST_TAG_COLOR_EDITED } ) - tag.refresh_from_db() + def test_tag_edit_via_patch_no_access(self): + self.tag = self._create_tag() + response = self._request_tag_edit_via_patch() + self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND) + self.tag.refresh_from_db() + self.assertEqual(self.tag.label, TEST_TAG_LABEL) + self.assertEqual(self.tag.color, TEST_TAG_COLOR) - self.assertEqual(tag.label, TEST_TAG_LABEL_EDITED) - self.assertEqual(tag.color, TEST_TAG_COLOR_EDITED) + def test_tag_edit_via_patch_with_access(self): + self.tag = self._create_tag() + self.grant_access(permission=permission_tag_edit, obj=self.tag) + response = self._request_tag_edit_via_patch() + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.tag.refresh_from_db() + self.assertEqual(self.tag.label, TEST_TAG_LABEL_EDITED) + self.assertEqual(self.tag.color, TEST_TAG_COLOR_EDITED) - def test_tag_edit_via_put(self): - tag = self._create_tag() - - self.client.put( - reverse('rest_api:tag-detail', args=(tag.pk,)), - { + def _request_tag_edit_via_put(self): + return self.put( + viewname='rest_api:tag-detail', args=(self.tag.pk,), 
data={ 'label': TEST_TAG_LABEL_EDITED, 'color': TEST_TAG_COLOR_EDITED } ) - tag.refresh_from_db() + def test_tag_edit_via_put_no_access(self): + self.tag = self._create_tag() + response = self._request_tag_edit_via_put() + self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND) + self.tag.refresh_from_db() + self.assertEqual(self.tag.label, TEST_TAG_LABEL) + self.assertEqual(self.tag.color, TEST_TAG_COLOR) - self.assertEqual(tag.label, TEST_TAG_LABEL_EDITED) - self.assertEqual(tag.color, TEST_TAG_COLOR_EDITED) + def test_tag_edit_via_put_with_access(self): + self.tag = self._create_tag() + self.grant_access(permission=permission_tag_edit, obj=self.tag) + response = self._request_tag_edit_via_put() + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.tag.refresh_from_db() + self.assertEqual(self.tag.label, TEST_TAG_LABEL_EDITED) + self.assertEqual(self.tag.color, TEST_TAG_COLOR_EDITED) - def test_document_attach_tag_view(self): - tag = self._create_tag() - document = self._document_create() - - self.client.post( - reverse('rest_api:document-tag-list', args=(document.pk,)), - {'tag_pk': tag.pk} - ) - self.assertQuerysetEqual(document.tags.all(), (repr(tag),)) - - def test_document_tag_detail_view(self): - tag = self._create_tag() - document = self._document_create() - tag.documents.add(document) - - response = self.client.get( - reverse('rest_api:document-tag-detail', args=(document.pk, tag.pk)) + def _request_document_attach_tag(self): + return self.post( + viewname='rest_api:document-tag-list', args=(self.document.pk,), + data={'tag_pk': self.tag.pk} ) - self.assertEqual(response.data['label'], tag.label) + def test_document_attach_tag_view_no_access(self): + self.tag = self._create_tag() + self.document = self._document_create() - def test_document_tag_list_view(self): - tag = self._create_tag() - document = self._document_create() - tag.documents.add(document) + response = self._request_document_attach_tag() + 
self.assertEqual(response.status_code, status.HTTP_201_CREATED) + self.assertFalse(self.tag in self.document.tags.all()) - response = self.client.get( - reverse('rest_api:document-tag-list', args=(document.pk,)) - ) - self.assertEqual(response.data['results'][0]['label'], tag.label) + def test_document_attach_tag_view_with_document_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.grant_access(permission=permission_tag_attach, obj=self.document) + response = self._request_document_attach_tag() + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + self.assertFalse(self.tag in self.document.tags.all()) - def test_document_tag_remove_view(self): - tag = self._create_tag() - document = self._document_create() - tag.documents.add(document) + def test_document_attach_tag_view_with_tag_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.grant_access(permission=permission_tag_attach, obj=self.tag) + response = self._request_document_attach_tag() + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + self.assertFalse(self.tag in self.document.tags.all()) - self.client.delete( - reverse( - 'rest_api:document-tag-detail', args=(document.pk, tag.pk) - ), + def test_document_attach_tag_view_with_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.grant_access(permission=permission_tag_attach, obj=self.document) + self.grant_access(permission=permission_tag_attach, obj=self.tag) + response = self._request_document_attach_tag() + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + self.assertTrue(self.tag in self.document.tags.all()) + + def _request_document_tag_detail_view(self): + return self.get( + viewname='rest_api:document-tag-detail', args=( + self.document.pk, self.tag.pk + ) ) - self.assertEqual(tag.documents.count(), 0) + def test_document_tag_detail_view_no_access(self): + self.tag = 
self._create_tag() + self.document = self._document_create() + self.tag.documents.add(self.document) + response = self._request_document_tag_detail_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + def test_document_tag_detail_view_with_document_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.tag.documents.add(self.document) + self.grant_access(permission=permission_document_view, obj=self.document) + response = self._request_document_tag_detail_view() + self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND) + + def test_document_tag_detail_view_with_tag_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.tag.documents.add(self.document) + self.grant_access(permission=permission_tag_view, obj=self.tag) + response = self._request_document_tag_detail_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + def test_document_tag_detail_view_with_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.tag.documents.add(self.document) + self.grant_access(permission=permission_tag_view, obj=self.tag) + self.grant_access(permission=permission_document_view, obj=self.document) + response = self._request_document_tag_detail_view() + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(response.data['label'], self.tag.label) + + def _request_document_tag_list_view(self): + return self.get( + viewname='rest_api:document-tag-list', args=(self.document.pk,) + ) + + def test_document_tag_list_view_no_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.tag.documents.add(self.document) + response = self._request_document_tag_list_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + def test_document_tag_list_view_with_document_access(self): + self.tag = self._create_tag() + self.document = 
self._document_create() + self.tag.documents.add(self.document) + self.grant_access(permission=permission_document_view, obj=self.document) + response = self._request_document_tag_list_view() + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(response.data['count'], 0) + + def test_document_tag_list_view_with_tag_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.tag.documents.add(self.document) + self.grant_access(permission=permission_tag_view, obj=self.tag) + response = self._request_document_tag_list_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + def test_document_tag_list_view_with_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.tag.documents.add(self.document) + self.grant_access(permission=permission_document_view, obj=self.document) + self.grant_access(permission=permission_tag_view, obj=self.tag) + response = self._request_document_tag_list_view() + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(response.data['results'][0]['label'], self.tag.label) + + def _request_document_tag_remove(self): + return self.delete( + viewname='rest_api:document-tag-detail', args=( + self.document.pk, self.tag.pk + ) + ) + + def test_document_tag_remove_view_no_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.tag.documents.add(self.document) + response = self._request_document_tag_remove() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertTrue(self.tag in self.document.tags.all()) + + def test_document_tag_remove_view_with_document_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.tag.documents.add(self.document) + self.grant_access(permission=permission_tag_remove, obj=self.document) + response = self._request_document_tag_remove() + self.assertEqual(response.status_code, 
status.HTTP_403_FORBIDDEN) + self.assertTrue(self.tag in self.document.tags.all()) + + def test_document_tag_remove_view_with_tag_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.tag.documents.add(self.document) + self.grant_access(permission=permission_tag_remove, obj=self.tag) + response = self._request_document_tag_remove() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertTrue(self.tag in self.document.tags.all()) + + def test_document_tag_remove_view_with_access(self): + self.tag = self._create_tag() + self.document = self._document_create() + self.tag.documents.add(self.document) + self.grant_access(permission=permission_document_view, obj=self.document) + self.grant_access(permission=permission_tag_remove, obj=self.tag) + response = self._request_document_tag_remove() + self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) + self.assertFalse(self.tag in self.document.tags.all())
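Review bot: The three negative attach tests (`test_document_attach_tag_view_no_access`, `..._with_document_access`, `..._with_tag_access`) assert `status.HTTP_201_CREATED` while also asserting the tag was not attached, which pins a denied request reporting success to the caller. The view is outside this diff, so this may be known current behaviour, but a client or an audit trail reading only the status code cannot tell a denial from a create. I would either have the view return an error and assert `self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)` in these tests, or at least mark the assertions with `# TODO: API answers 201 on a denied attach; only the DB state shows the denial`. Separately, `test_document_tag_remove_view_with_access` grants `permission_document_view` on the document, while `test_document_tag_remove_view_with_document_access` grants `permission_tag_remove` on it. The case "document view access only" is therefore never shown to be rejected, and the remove tests disagree with the attach tests (which grant `permission_tag_attach` on both objects) about which document permission is required.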