diff --git a/mayan/apps/rest_api/tests/base.py b/mayan/apps/rest_api/tests/base.py index 3e044ae2b1..5f7f90352f 100644 --- a/mayan/apps/rest_api/tests/base.py +++ b/mayan/apps/rest_api/tests/base.py @@ -57,6 +57,7 @@ class BaseAPITestCase(UserMixin, APITestCase): self.assertTrue(logged_in) self.assertTrue(user.is_authenticated) + return user.is_authenticated def login_user(self): self.login(username=TEST_USER_USERNAME, password=TEST_USER_PASSWORD) diff --git a/mayan/apps/user_management/tests/literals.py b/mayan/apps/user_management/tests/literals.py index a527b2967a..17577445a3 100644 --- a/mayan/apps/user_management/tests/literals.py +++ b/mayan/apps/user_management/tests/literals.py @@ -13,8 +13,15 @@ TEST_ADMIN_USERNAME = 'test_admin' TEST_GROUP_NAME = 'test group' TEST_GROUP_2_NAME = 'test group 2' TEST_GROUP_NAME_EDITED = 'test group edited' +TEST_GROUP_2_NAME_EDITED = 'test group 2 edited' TEST_USER_EMAIL = 'user@example.com' TEST_USER_PASSWORD = 'test user password' TEST_USER_PASSWORD_EDITED = 'test user password edited' TEST_USER_USERNAME = 'test_user' TEST_USER_USERNAME_EDITED = 'test_user_edited' + +TEST_USER_2_EMAIL = 'user2@example.com' +TEST_USER_2_PASSWORD = 'test user 2 password' +TEST_USER_2_PASSWORD_EDITED = 'test user 2 password edited' +TEST_USER_2_USERNAME = 'test_user_2' +TEST_USER_2_USERNAME_EDITED = 'test_user_2_edited' diff --git a/mayan/apps/user_management/tests/test_api.py b/mayan/apps/user_management/tests/test_api.py index 8ca4476924..7297648713 100644 --- a/mayan/apps/user_management/tests/test_api.py +++ b/mayan/apps/user_management/tests/test_api.py @@ -2,309 +2,435 @@ from __future__ import unicode_literals from django.contrib.auth import get_user_model from django.contrib.auth.models import Group -from django.urls import reverse + +from rest_framework import status from rest_api.tests import BaseAPITestCase -from ..tests.literals import ( - TEST_ADMIN_EMAIL, TEST_ADMIN_PASSWORD, TEST_ADMIN_USERNAME +from ..permissions import ( + permission_group_create, permission_group_delete, + permission_group_edit, permission_group_view, + permission_user_create, permission_user_delete, + permission_user_edit, permission_user_view ) from .literals import ( - TEST_GROUP_NAME, TEST_GROUP_NAME_EDITED, TEST_USER_EMAIL, - TEST_USER_PASSWORD, TEST_USER_USERNAME, TEST_USER_USERNAME_EDITED + TEST_GROUP_2_NAME, TEST_GROUP_2_NAME_EDITED, TEST_USER_2_EMAIL, + TEST_USER_2_PASSWORD, TEST_USER_2_USERNAME, TEST_USER_2_USERNAME_EDITED, + TEST_USER_2_PASSWORD_EDITED ) class UserManagementUserAPITestCase(BaseAPITestCase): def setUp(self): super(UserManagementUserAPITestCase, self).setUp() + self.login_user() - self.admin_user = get_user_model().objects.create_superuser( - username=TEST_ADMIN_USERNAME, email=TEST_ADMIN_EMAIL, - password=TEST_ADMIN_PASSWORD + # User create + + def _create_user(self): + return get_user_model().objects.create_user( + username=TEST_USER_2_USERNAME, email=TEST_USER_2_EMAIL, + password=TEST_USER_2_PASSWORD ) - self.client.login( - username=TEST_ADMIN_USERNAME, password=TEST_ADMIN_PASSWORD - ) - - def tearDown(self): - get_user_model().objects.all().delete() - super(UserManagementUserAPITestCase, self).tearDown() - - def test_user_create(self): - response = self.client.post( - reverse('rest_api:user-list'), data={ - 'email': TEST_USER_EMAIL, 'password': TEST_USER_PASSWORD, - 'username': TEST_USER_USERNAME, + def _request_user_create(self): + return self.post( + viewname='rest_api:user-list', data={ + 'email': TEST_USER_2_EMAIL, 'password': TEST_USER_2_PASSWORD, + 'username': TEST_USER_2_USERNAME, } ) - self.assertEqual(response.status_code, 201) + def test_user_create_no_permission(self): + response = self._request_user_create() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + # Default two users, the test admin and the test user + self.assertEqual(get_user_model().objects.count(), 2) + def test_user_create_with_permission(self): + self.grant_permission(permission=permission_user_create) + response = self._request_user_create() + self.assertEqual(response.status_code, status.HTTP_201_CREATED) user = get_user_model().objects.get(pk=response.data['id']) - self.assertEqual(user.username, TEST_USER_USERNAME) + self.assertEqual(user.username, TEST_USER_2_USERNAME) + self.assertEqual(get_user_model().objects.count(), 3) - def test_user_create_with_group(self): - group_1 = Group.objects.create(name='test group 1') - - response = self.client.post( - reverse('rest_api:user-list'), data={ - 'email': TEST_USER_EMAIL, 'password': TEST_USER_PASSWORD, - 'username': TEST_USER_USERNAME, - 'groups_pk_list': '{}'.format(group_1.pk) + def _request_create_user_with_extra_data(self): + return self.post( + viewname='rest_api:user-list', data={ + 'email': TEST_USER_2_EMAIL, 'password': TEST_USER_2_PASSWORD, + 'username': TEST_USER_2_USERNAME, + 'groups_pk_list': self.groups_pk_list } ) - self.assertEqual(response.status_code, 201) + def test_user_create_with_group_no_permission(self): + group_1 = Group.objects.create(name=TEST_GROUP_2_NAME) + self.groups_pk_list = '{}'.format(group_1.pk) + + response = self._request_create_user_with_extra_data() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + def test_user_create_with_group_with_permission(self): + group_1 = Group.objects.create(name=TEST_GROUP_2_NAME) + self.groups_pk_list = '{}'.format(group_1.pk) + + self.grant_permission(permission=permission_user_create) + response = self._request_create_user_with_extra_data() + + self.assertEqual(response.status_code, status.HTTP_201_CREATED) user = get_user_model().objects.get(pk=response.data['id']) - self.assertEqual(user.username, TEST_USER_USERNAME) + self.assertEqual(user.username, TEST_USER_2_USERNAME) self.assertQuerysetEqual(user.groups.all(), (repr(group_1),)) - def test_user_create_with_groups(self): + def test_user_create_with_groups_no_permission(self): group_1 = Group.objects.create(name='test group 1') group_2 = Group.objects.create(name='test group 2') + self.groups_pk_list = '{},{}'.format(group_1.pk, group_2.pk) + response = self._request_create_user_with_extra_data() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - response = self.client.post( - reverse('rest_api:user-list'), data={ - 'email': TEST_USER_EMAIL, 'password': TEST_USER_PASSWORD, - 'username': TEST_USER_USERNAME, - 'groups_pk_list': '{},{}'.format(group_1.pk, group_2.pk) - } - ) + def test_user_create_with_groups_with_permission(self): + group_1 = Group.objects.create(name='test group 1') + group_2 = Group.objects.create(name='test group 2') + self.groups_pk_list = '{},{}'.format(group_1.pk, group_2.pk) + self.grant_permission(permission=permission_user_create) + response = self._request_create_user_with_extra_data() - self.assertEqual(response.status_code, 201) + self.assertEqual(response.status_code, status.HTTP_201_CREATED) user = get_user_model().objects.get(pk=response.data['id']) - self.assertEqual(user.username, TEST_USER_USERNAME) + self.assertEqual(user.username, TEST_USER_2_USERNAME) self.assertQuerysetEqual( user.groups.all().order_by('name'), (repr(group_1), repr(group_2)) ) - def test_user_create_login(self): - response = self.client.post( - reverse('rest_api:user-list'), data={ - 'email': TEST_USER_EMAIL, 'password': TEST_USER_PASSWORD, - 'username': TEST_USER_USERNAME, - } - ) + # User login - self.assertEqual(response.status_code, 201) + def test_user_create_login(self): + self._create_user() self.assertTrue( - self.client.login( - username=TEST_USER_USERNAME, password=TEST_USER_PASSWORD + self.login( + username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD ) ) - def test_user_create_login_password_change(self): - response = self.client.post( - reverse('rest_api:user-list'), data={ - 'email': TEST_USER_EMAIL, 'password': 'bad_password', - 'username': TEST_USER_USERNAME, + # User password change + + def test_user_create_login_password_change_no_access(self): + user = self._create_user() + + self.patch( + viewname='rest_api:user-detail', args=(user.pk,), data={ + 'password': TEST_USER_2_PASSWORD_EDITED, } ) - self.assertEqual(response.status_code, 201) - self.assertFalse( self.client.login( - username=TEST_USER_USERNAME, password=TEST_USER_PASSWORD + username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD_EDITED ) ) - user = get_user_model().objects.get(pk=response.data['id']) + def test_user_create_login_password_change_with_access(self): + user = self._create_user() - response = self.client.patch( - reverse('rest_api:user-detail', args=(user.pk,)), data={ - 'password': TEST_USER_PASSWORD, + self.grant_access(permission=permission_user_edit, obj=user) + self.patch( + viewname='rest_api:user-detail', args=(user.pk,), data={ + 'password': TEST_USER_2_PASSWORD_EDITED, } ) self.assertTrue( self.client.login( - username=TEST_USER_USERNAME, password=TEST_USER_PASSWORD + username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD_EDITED ) ) - def test_user_edit_via_put(self): - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME + # User edit + + def _request_user_edit_via_put(self, user): + return self.put( + viewname='rest_api:user-detail', args=(user.pk,), + data={'username': TEST_USER_2_USERNAME_EDITED} ) - response = self.client.put( - reverse('rest_api:user-detail', args=(user.pk,)), - data={'username': TEST_USER_USERNAME_EDITED} - ) + def test_user_edit_via_put_no_access(self): + user = self._create_user() + response = self._request_user_edit_via_put(user=user) - self.assertEqual(response.status_code, 200) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) user.refresh_from_db() - self.assertEqual(user.username, TEST_USER_USERNAME_EDITED) + self.assertEqual(user.username, TEST_USER_2_USERNAME) - def test_user_edit_via_patch(self): - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME - ) + def test_user_edit_via_put_with_access(self): + user = self._create_user() + self.grant_access(permission=permission_user_edit, obj=user) + response = self._request_user_edit_via_put(user=user) - response = self.client.patch( - reverse('rest_api:user-detail', args=(user.pk,)), - data={'username': TEST_USER_USERNAME_EDITED} - ) - - self.assertEqual(response.status_code, 200) + self.assertEqual(response.status_code, status.HTTP_200_OK) user.refresh_from_db() - self.assertEqual(user.username, TEST_USER_USERNAME_EDITED) + self.assertEqual(user.username, TEST_USER_2_USERNAME_EDITED) - def test_user_edit_remove_groups_via_patch(self): - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME - ) - group_1 = Group.objects.create(name='test group 1') - user.groups.add(group_1) - - response = self.client.patch( - reverse('rest_api:user-detail', args=(user.pk,)), + def _request_user_edit_via_patch(self, user): + return self.patch( + viewname='rest_api:user-detail', args=(user.pk,), + data={'username': TEST_USER_2_USERNAME_EDITED} ) - self.assertEqual(response.status_code, 200) + def test_user_edit_via_patch_no_access(self): + user = self._create_user() + response = self._request_user_edit_via_patch(user=user) + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) user.refresh_from_db() + self.assertEqual(user.username, TEST_USER_2_USERNAME) + + def test_user_edit_via_patch_with_access(self): + user = self._create_user() + self.grant_access(permission=permission_user_edit, obj=user) + response = self._request_user_edit_via_patch(user=user) + + self.assertEqual(response.status_code, status.HTTP_200_OK) + + user.refresh_from_db() + self.assertEqual(user.username, TEST_USER_2_USERNAME_EDITED) + + def _request_user_edit_via_patch_with_extra_data(self, user, group): + return self.patch( + viewname='rest_api:user-detail', args=(user.pk,), + data={'groups_pk_list': '{}'.format(group.pk)} + ) + + def test_user_edit_add_groups_via_patch_no_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + + response = self._request_user_edit_via_patch_with_extra_data( + user=user, group=group + ) + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + user.refresh_from_db() + self.assertEqual(user.username, TEST_USER_2_USERNAME) + self.assertQuerysetEqual( - user.groups.all().order_by('name'), (repr(group_1),) + user.groups.all(), () ) - def test_user_edit_add_groups_via_patch(self): - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME - ) - group_1 = Group.objects.create(name='test group 1') - - response = self.client.patch( - reverse('rest_api:user-detail', args=(user.pk,)), - data={'groups_pk_list': '{}'.format(group_1.pk)} + def test_user_edit_add_groups_via_patch_with_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + self.grant_access(permission=permission_user_edit, obj=user) + response = self._request_user_edit_via_patch_with_extra_data( + user=user, group=group ) - self.assertEqual(response.status_code, 200) + self.assertEqual(response.status_code, status.HTTP_200_OK) user.refresh_from_db() + self.assertEqual(user.username, TEST_USER_2_USERNAME) + self.assertQuerysetEqual( - user.groups.all().order_by('name'), (repr(group_1),) + user.groups.all(), (repr(group),) ) - def test_user_delete(self): - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME + # User delete + + def _request_user_delete(self, user): + return self.delete( + viewname='rest_api:user-detail', args=(user.pk,) ) - response = self.client.delete( - reverse('rest_api:user-detail', args=(user.pk,)) + def test_user_delete_no_access(self): + user = self._create_user() + response = self._request_user_delete(user=user) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + self.assertTrue(get_user_model().objects.filter(pk=user.pk).exists()) + + def test_user_delete_with_access(self): + user = self._create_user() + self.grant_access(permission=permission_user_delete, obj=user) + response = self._request_user_delete(user=user) + self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) + + self.assertFalse(get_user_model().objects.filter(pk=user.pk).exists()) + + # User view + + def _request_user_group_view(self, user): + return self.get( + viewname='rest_api:users-group-list', args=(user.pk,) ) - self.assertEqual(response.status_code, 204) - - with self.assertRaises(get_user_model().DoesNotExist): - get_user_model().objects.get(pk=user.pk) - - def test_user_group_list(self): - group = Group.objects.create(name=TEST_GROUP_NAME) - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME - ) + def test_user_group_list_no_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() user.groups.add(group) + response = self._request_user_group_view(user=user) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - response = self.client.get( - reverse('rest_api:users-group-list', args=(user.pk,)) - ) + def test_user_group_list_with_user_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + user.groups.add(group) + self.grant_access(permission=permission_user_view, obj=user) + response = self._request_user_group_view(user=user) + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(response.data['count'], 0) - self.assertEqual(response.status_code, 200) - self.assertEqual(response.json()['results'][0]['name'], TEST_GROUP_NAME) + def test_user_group_list_with_group_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + user.groups.add(group) + self.grant_access(permission=permission_group_view, obj=group) + response = self._request_user_group_view(user=user) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - def test_user_group_add(self): - group = Group.objects.create(name=TEST_GROUP_NAME) - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME - ) + def test_user_group_list_with_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + user.groups.add(group) + self.grant_access(permission=permission_user_view, obj=user) + self.grant_access(permission=permission_group_view, obj=group) + response = self._request_user_group_view(user=user) + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(response.data['count'], 1) - response = self.client.post( - reverse( - 'rest_api:users-group-list', args=(user.pk,) - ), data={ + def _request_user_group_add(self, user, group): + return self.post( + viewname='rest_api:users-group-list', args=(user.pk,), data={ 'group_pk_list': '{}'.format(group.pk) } ) - self.assertEqual(response.status_code, 201) + def test_user_group_add_no_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + response = self._request_user_group_add(user=user, group=group) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + user.refresh_from_db() + self.assertEqual(group.user_set.first(), None) + + def test_user_group_add_with_user_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + self.grant_access(permission=permission_user_edit, obj=user) + response = self._request_user_group_add(user=user, group=group) + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + # FIXME: Should this endpoint return a 201 or a 200 since + # the user is being edited and there is not resource creation + # happening. + user.refresh_from_db() + self.assertEqual(group.user_set.first(), None) + + def test_user_group_add_with_group_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + self.grant_access(permission=permission_group_view, obj=group) + response = self._request_user_group_add(user=user, group=group) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + # FIXME: Should this endpoint return a 201 or a 200 since + # the user is being edited and there is not resource creation + # happening. + user.refresh_from_db() + self.assertEqual(group.user_set.first(), None) + + def test_user_group_add_with_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + self.grant_access(permission=permission_user_edit, obj=user) + self.grant_access(permission=permission_group_view, obj=group) + response = self._request_user_group_add(user=user, group=group) + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + # FIXME: Should this endpoint return a 201 or a 200 since + # the user is being edited and there is not resource creation + # happening. + user.refresh_from_db() self.assertEqual(group.user_set.first(), user) class UserManagementGroupAPITestCase(BaseAPITestCase): def setUp(self): super(UserManagementGroupAPITestCase, self).setUp() - self.admin_user = get_user_model().objects.create_superuser( - username=TEST_ADMIN_USERNAME, email=TEST_ADMIN_EMAIL, - password=TEST_ADMIN_PASSWORD - ) + self.login_user() - self.client.login( - username=TEST_ADMIN_USERNAME, password=TEST_ADMIN_PASSWORD - ) - - def tearDown(self): - get_user_model().objects.all().delete() - super(UserManagementGroupAPITestCase, self).tearDown() - - def test_group_create(self): - response = self.client.post( - reverse('rest_api:group-list'), data={'name': TEST_GROUP_NAME} - ) - - self.assertEqual(response.status_code, 201) - - group = Group.objects.get(pk=response.data['id']) - self.assertEqual(group.name, TEST_GROUP_NAME) - - def test_group_edit_via_put(self): - group = Group.objects.create(name=TEST_GROUP_NAME) - response = self.client.put( - reverse('rest_api:group-detail', args=(group.pk,)), data={ - 'name': TEST_GROUP_NAME_EDITED + def _request_group_create(self): + return self.post( + viewname='rest_api:group-list', data={ + 'name': TEST_GROUP_2_NAME } ) - self.assertEqual(response.status_code, 200) + def test_group_create_no_permission(self): + response = self._request_group_create() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertFalse( + TEST_GROUP_2_NAME in list(Group.objects.values_list('name', flat=True)) + ) - group.refresh_from_db() - self.assertEqual(group.name, TEST_GROUP_NAME_EDITED) + def test_group_create_with_permission(self): + self.grant_permission(permission=permission_group_create) + response = self._request_group_create() + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + self.assertTrue( + TEST_GROUP_2_NAME in list(Group.objects.values_list('name', flat=True)) + ) - def test_group_edit_via_patch(self): - group = Group.objects.create(name=TEST_GROUP_NAME) - response = self.client.patch( - reverse('rest_api:group-detail', args=(group.pk,)), data={ - 'name': TEST_GROUP_NAME_EDITED + def _request_group_edit_via_patch(self): + return self.patch( + viewname='rest_api:group-detail', args=(self.group.pk,), + data={ + 'name': TEST_GROUP_2_NAME_EDITED } ) - self.assertEqual(response.status_code, 200) + def test_group_edit_via_patch_no_access(self): + self.group = Group.objects.create(name=TEST_GROUP_2_NAME) + response = self._request_group_edit_via_patch() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - group.refresh_from_db() - self.assertEqual(group.name, TEST_GROUP_NAME_EDITED) + self.group.refresh_from_db() + self.assertEqual(self.group.name, TEST_GROUP_2_NAME) - def test_group_delete(self): - group = Group.objects.create(name=TEST_GROUP_NAME) - response = self.client.delete( - reverse('rest_api:group-detail', args=(group.pk,)) + def test_group_edit_via_patch_with_access(self): + self.group = Group.objects.create(name=TEST_GROUP_2_NAME) + self.grant_access(permission=permission_group_edit, obj=self.group) + response = self._request_group_edit_via_patch() + self.assertEqual(response.status_code, status.HTTP_200_OK) + + self.group.refresh_from_db() + self.assertEqual(self.group.name, TEST_GROUP_2_NAME_EDITED) + + def _request_group_delete(self): + return self.delete( + viewname='rest_api:group-detail', args=(self.group.pk,) ) - self.assertEqual(response.status_code, 204) - self.assertEqual(Group.objects.count(), 0) + def test_group_delete_no_access(self): + self.group = Group.objects.create(name=TEST_GROUP_2_NAME) + response = self._request_group_delete() + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertTrue( + TEST_GROUP_2_NAME in list(Group.objects.values_list('name', flat=True)) + ) + + def test_group_delete_with_access(self): + self.group = Group.objects.create(name=TEST_GROUP_2_NAME) + self.grant_access(permission=permission_group_delete, obj=self.group) + response = self._request_group_delete() + + self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) + self.assertFalse( + TEST_GROUP_2_NAME in list(Group.objects.values_list('name', flat=True)) + )