From eae881c35a6f0ca2079d2546160c82ec0b847594 Mon Sep 17 00:00:00 2001 From: Michael Price Date: Sat, 17 Feb 2018 02:19:16 -0400 Subject: [PATCH] Update the user management app API tests to test for fail and success scenarios based on permissions and access. The tests were also updated to comform with the new API test class interface. Signed-off-by: Michael Price --- mayan/apps/rest_api/tests/base.py | 1 + mayan/apps/user_management/tests/literals.py | 7 + mayan/apps/user_management/tests/test_api.py | 504 ++++++++++++------- 3 files changed, 323 insertions(+), 189 deletions(-) diff --git a/mayan/apps/rest_api/tests/base.py b/mayan/apps/rest_api/tests/base.py index 3e044ae2b1..5f7f90352f 100644 --- a/mayan/apps/rest_api/tests/base.py +++ b/mayan/apps/rest_api/tests/base.py @@ -57,6 +57,7 @@ class BaseAPITestCase(UserMixin, APITestCase): self.assertTrue(logged_in) self.assertTrue(user.is_authenticated) + return user.is_authenticated def login_user(self): self.login(username=TEST_USER_USERNAME, password=TEST_USER_PASSWORD) diff --git a/mayan/apps/user_management/tests/literals.py b/mayan/apps/user_management/tests/literals.py index a527b2967a..17577445a3 100644 --- a/mayan/apps/user_management/tests/literals.py +++ b/mayan/apps/user_management/tests/literals.py @@ -13,8 +13,15 @@ TEST_ADMIN_USERNAME = 'test_admin' TEST_GROUP_NAME = 'test group' TEST_GROUP_2_NAME = 'test group 2' TEST_GROUP_NAME_EDITED = 'test group edited' +TEST_GROUP_2_NAME_EDITED = 'test group 2 edited' TEST_USER_EMAIL = 'user@example.com' TEST_USER_PASSWORD = 'test user password' TEST_USER_PASSWORD_EDITED = 'test user password edited' TEST_USER_USERNAME = 'test_user' TEST_USER_USERNAME_EDITED = 'test_user_edited' + +TEST_USER_2_EMAIL = 'user2@example.com' +TEST_USER_2_PASSWORD = 'test user 2 password' +TEST_USER_2_PASSWORD_EDITED = 'test user 2 password edited' +TEST_USER_2_USERNAME = 'test_user_2' +TEST_USER_2_USERNAME_EDITED = 'test_user_2_edited' diff --git a/mayan/apps/user_management/tests/test_api.py b/mayan/apps/user_management/tests/test_api.py index 8ca4476924..7297648713 100644 --- a/mayan/apps/user_management/tests/test_api.py +++ b/mayan/apps/user_management/tests/test_api.py @@ -2,309 +2,435 @@ from __future__ import unicode_literals from django.contrib.auth import get_user_model from django.contrib.auth.models import Group -from django.urls import reverse + +from rest_framework import status from rest_api.tests import BaseAPITestCase -from ..tests.literals import ( - TEST_ADMIN_EMAIL, TEST_ADMIN_PASSWORD, TEST_ADMIN_USERNAME +from ..permissions import ( + permission_group_create, permission_group_delete, + permission_group_edit, permission_group_view, + permission_user_create, permission_user_delete, + permission_user_edit, permission_user_view ) from .literals import ( - TEST_GROUP_NAME, TEST_GROUP_NAME_EDITED, TEST_USER_EMAIL, - TEST_USER_PASSWORD, TEST_USER_USERNAME, TEST_USER_USERNAME_EDITED + TEST_GROUP_2_NAME, TEST_GROUP_2_NAME_EDITED, TEST_USER_2_EMAIL, + TEST_USER_2_PASSWORD, TEST_USER_2_USERNAME, TEST_USER_2_USERNAME_EDITED, + TEST_USER_2_PASSWORD_EDITED ) class UserManagementUserAPITestCase(BaseAPITestCase): def setUp(self): super(UserManagementUserAPITestCase, self).setUp() + self.login_user() - self.admin_user = get_user_model().objects.create_superuser( - username=TEST_ADMIN_USERNAME, email=TEST_ADMIN_EMAIL, - password=TEST_ADMIN_PASSWORD + # User create + + def _create_user(self): + return get_user_model().objects.create_user( + username=TEST_USER_2_USERNAME, email=TEST_USER_2_EMAIL, + password=TEST_USER_2_PASSWORD ) - self.client.login( - username=TEST_ADMIN_USERNAME, password=TEST_ADMIN_PASSWORD - ) - - def tearDown(self): - get_user_model().objects.all().delete() - super(UserManagementUserAPITestCase, self).tearDown() - - def test_user_create(self): - response = self.client.post( - reverse('rest_api:user-list'), data={ - 'email': TEST_USER_EMAIL, 'password': TEST_USER_PASSWORD, - 'username': TEST_USER_USERNAME, + def _request_user_create(self): + return self.post( + viewname='rest_api:user-list', data={ + 'email': TEST_USER_2_EMAIL, 'password': TEST_USER_2_PASSWORD, + 'username': TEST_USER_2_USERNAME, } ) - self.assertEqual(response.status_code, 201) + def test_user_create_no_permission(self): + response = self._request_user_create() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + # Default two users, the test admin and the test user + self.assertEqual(get_user_model().objects.count(), 2) + def test_user_create_with_permission(self): + self.grant_permission(permission=permission_user_create) + response = self._request_user_create() + self.assertEqual(response.status_code, status.HTTP_201_CREATED) user = get_user_model().objects.get(pk=response.data['id']) - self.assertEqual(user.username, TEST_USER_USERNAME) + self.assertEqual(user.username, TEST_USER_2_USERNAME) + self.assertEqual(get_user_model().objects.count(), 3) - def test_user_create_with_group(self): - group_1 = Group.objects.create(name='test group 1') - - response = self.client.post( - reverse('rest_api:user-list'), data={ - 'email': TEST_USER_EMAIL, 'password': TEST_USER_PASSWORD, - 'username': TEST_USER_USERNAME, - 'groups_pk_list': '{}'.format(group_1.pk) + def _request_create_user_with_extra_data(self): + return self.post( + viewname='rest_api:user-list', data={ + 'email': TEST_USER_2_EMAIL, 'password': TEST_USER_2_PASSWORD, + 'username': TEST_USER_2_USERNAME, + 'groups_pk_list': self.groups_pk_list } ) - self.assertEqual(response.status_code, 201) + def test_user_create_with_group_no_permission(self): + group_1 = Group.objects.create(name=TEST_GROUP_2_NAME) + self.groups_pk_list = '{}'.format(group_1.pk) + + response = self._request_create_user_with_extra_data() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + def test_user_create_with_group_with_permission(self): + group_1 = Group.objects.create(name=TEST_GROUP_2_NAME) + self.groups_pk_list = '{}'.format(group_1.pk) + + self.grant_permission(permission=permission_user_create) + response = self._request_create_user_with_extra_data() + + self.assertEqual(response.status_code, status.HTTP_201_CREATED) user = get_user_model().objects.get(pk=response.data['id']) - self.assertEqual(user.username, TEST_USER_USERNAME) + self.assertEqual(user.username, TEST_USER_2_USERNAME) self.assertQuerysetEqual(user.groups.all(), (repr(group_1),)) - def test_user_create_with_groups(self): + def test_user_create_with_groups_no_permission(self): group_1 = Group.objects.create(name='test group 1') group_2 = Group.objects.create(name='test group 2') + self.groups_pk_list = '{},{}'.format(group_1.pk, group_2.pk) + response = self._request_create_user_with_extra_data() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - response = self.client.post( - reverse('rest_api:user-list'), data={ - 'email': TEST_USER_EMAIL, 'password': TEST_USER_PASSWORD, - 'username': TEST_USER_USERNAME, - 'groups_pk_list': '{},{}'.format(group_1.pk, group_2.pk) - } - ) + def test_user_create_with_groups_with_permission(self): + group_1 = Group.objects.create(name='test group 1') + group_2 = Group.objects.create(name='test group 2') + self.groups_pk_list = '{},{}'.format(group_1.pk, group_2.pk) + self.grant_permission(permission=permission_user_create) + response = self._request_create_user_with_extra_data() - self.assertEqual(response.status_code, 201) + self.assertEqual(response.status_code, status.HTTP_201_CREATED) user = get_user_model().objects.get(pk=response.data['id']) - self.assertEqual(user.username, TEST_USER_USERNAME) + self.assertEqual(user.username, TEST_USER_2_USERNAME) self.assertQuerysetEqual( user.groups.all().order_by('name'), (repr(group_1), repr(group_2)) ) - def test_user_create_login(self): - response = self.client.post( - reverse('rest_api:user-list'), data={ - 'email': TEST_USER_EMAIL, 'password': TEST_USER_PASSWORD, - 'username': TEST_USER_USERNAME, - } - ) + # User login - self.assertEqual(response.status_code, 201) + def test_user_create_login(self): + self._create_user() self.assertTrue( - self.client.login( - username=TEST_USER_USERNAME, password=TEST_USER_PASSWORD + self.login( + username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD ) ) - def test_user_create_login_password_change(self): - response = self.client.post( - reverse('rest_api:user-list'), data={ - 'email': TEST_USER_EMAIL, 'password': 'bad_password', - 'username': TEST_USER_USERNAME, + # User password change + + def test_user_create_login_password_change_no_access(self): + user = self._create_user() + + self.patch( + viewname='rest_api:user-detail', args=(user.pk,), data={ + 'password': TEST_USER_2_PASSWORD_EDITED, } ) - self.assertEqual(response.status_code, 201) - self.assertFalse( self.client.login( - username=TEST_USER_USERNAME, password=TEST_USER_PASSWORD + username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD_EDITED ) ) - user = get_user_model().objects.get(pk=response.data['id']) + def test_user_create_login_password_change_with_access(self): + user = self._create_user() - response = self.client.patch( - reverse('rest_api:user-detail', args=(user.pk,)), data={ - 'password': TEST_USER_PASSWORD, + self.grant_access(permission=permission_user_edit, obj=user) + self.patch( + viewname='rest_api:user-detail', args=(user.pk,), data={ + 'password': TEST_USER_2_PASSWORD_EDITED, } ) self.assertTrue( self.client.login( - username=TEST_USER_USERNAME, password=TEST_USER_PASSWORD + username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD_EDITED ) ) - def test_user_edit_via_put(self): - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME + # User edit + + def _request_user_edit_via_put(self, user): + return self.put( + viewname='rest_api:user-detail', args=(user.pk,), + data={'username': TEST_USER_2_USERNAME_EDITED} ) - response = self.client.put( - reverse('rest_api:user-detail', args=(user.pk,)), - data={'username': TEST_USER_USERNAME_EDITED} - ) + def test_user_edit_via_put_no_access(self): + user = self._create_user() + response = self._request_user_edit_via_put(user=user) - self.assertEqual(response.status_code, 200) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) user.refresh_from_db() - self.assertEqual(user.username, TEST_USER_USERNAME_EDITED) + self.assertEqual(user.username, TEST_USER_2_USERNAME) - def test_user_edit_via_patch(self): - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME - ) + def test_user_edit_via_put_with_access(self): + user = self._create_user() + self.grant_access(permission=permission_user_edit, obj=user) + response = self._request_user_edit_via_put(user=user) - response = self.client.patch( - reverse('rest_api:user-detail', args=(user.pk,)), - data={'username': TEST_USER_USERNAME_EDITED} - ) - - self.assertEqual(response.status_code, 200) + self.assertEqual(response.status_code, status.HTTP_200_OK) user.refresh_from_db() - self.assertEqual(user.username, TEST_USER_USERNAME_EDITED) + self.assertEqual(user.username, TEST_USER_2_USERNAME_EDITED) - def test_user_edit_remove_groups_via_patch(self): - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME - ) - group_1 = Group.objects.create(name='test group 1') - user.groups.add(group_1) - - response = self.client.patch( - reverse('rest_api:user-detail', args=(user.pk,)), + def _request_user_edit_via_patch(self, user): + return self.patch( + viewname='rest_api:user-detail', args=(user.pk,), + data={'username': TEST_USER_2_USERNAME_EDITED} ) - self.assertEqual(response.status_code, 200) + def test_user_edit_via_patch_no_access(self): + user = self._create_user() + response = self._request_user_edit_via_patch(user=user) + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) user.refresh_from_db() + self.assertEqual(user.username, TEST_USER_2_USERNAME) + + def test_user_edit_via_patch_with_access(self): + user = self._create_user() + self.grant_access(permission=permission_user_edit, obj=user) + response = self._request_user_edit_via_patch(user=user) + + self.assertEqual(response.status_code, status.HTTP_200_OK) + + user.refresh_from_db() + self.assertEqual(user.username, TEST_USER_2_USERNAME_EDITED) + + def _request_user_edit_via_patch_with_extra_data(self, user, group): + return self.patch( + viewname='rest_api:user-detail', args=(user.pk,), + data={'groups_pk_list': '{}'.format(group.pk)} + ) + + def test_user_edit_add_groups_via_patch_no_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + + response = self._request_user_edit_via_patch_with_extra_data( + user=user, group=group + ) + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + user.refresh_from_db() + self.assertEqual(user.username, TEST_USER_2_USERNAME) + self.assertQuerysetEqual( - user.groups.all().order_by('name'), (repr(group_1),) + user.groups.all(), () ) - def test_user_edit_add_groups_via_patch(self): - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME - ) - group_1 = Group.objects.create(name='test group 1') - - response = self.client.patch( - reverse('rest_api:user-detail', args=(user.pk,)), - data={'groups_pk_list': '{}'.format(group_1.pk)} + def test_user_edit_add_groups_via_patch_with_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + self.grant_access(permission=permission_user_edit, obj=user) + response = self._request_user_edit_via_patch_with_extra_data( + user=user, group=group ) - self.assertEqual(response.status_code, 200) + self.assertEqual(response.status_code, status.HTTP_200_OK) user.refresh_from_db() + self.assertEqual(user.username, TEST_USER_2_USERNAME) + self.assertQuerysetEqual( - user.groups.all().order_by('name'), (repr(group_1),) + user.groups.all(), (repr(group),) ) - def test_user_delete(self): - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME + # User delete + + def _request_user_delete(self, user): + return self.delete( + viewname='rest_api:user-detail', args=(user.pk,) ) - response = self.client.delete( - reverse('rest_api:user-detail', args=(user.pk,)) + def test_user_delete_no_access(self): + user = self._create_user() + response = self._request_user_delete(user=user) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + self.assertTrue(get_user_model().objects.filter(pk=user.pk).exists()) + + def test_user_delete_with_access(self): + user = self._create_user() + self.grant_access(permission=permission_user_delete, obj=user) + response = self._request_user_delete(user=user) + self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) + + self.assertFalse(get_user_model().objects.filter(pk=user.pk).exists()) + + # User view + + def _request_user_group_view(self, user): + return self.get( + viewname='rest_api:users-group-list', args=(user.pk,) ) - self.assertEqual(response.status_code, 204) - - with self.assertRaises(get_user_model().DoesNotExist): - get_user_model().objects.get(pk=user.pk) - - def test_user_group_list(self): - group = Group.objects.create(name=TEST_GROUP_NAME) - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME - ) + def test_user_group_list_no_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() user.groups.add(group) + response = self._request_user_group_view(user=user) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - response = self.client.get( - reverse('rest_api:users-group-list', args=(user.pk,)) - ) + def test_user_group_list_with_user_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + user.groups.add(group) + self.grant_access(permission=permission_user_view, obj=user) + response = self._request_user_group_view(user=user) + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(response.data['count'], 0) - self.assertEqual(response.status_code, 200) - self.assertEqual(response.json()['results'][0]['name'], TEST_GROUP_NAME) + def test_user_group_list_with_group_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + user.groups.add(group) + self.grant_access(permission=permission_group_view, obj=group) + response = self._request_user_group_view(user=user) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - def test_user_group_add(self): - group = Group.objects.create(name=TEST_GROUP_NAME) - user = get_user_model().objects.create_user( - email=TEST_USER_EMAIL, password=TEST_USER_PASSWORD, - username=TEST_USER_USERNAME - ) + def test_user_group_list_with_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + user.groups.add(group) + self.grant_access(permission=permission_user_view, obj=user) + self.grant_access(permission=permission_group_view, obj=group) + response = self._request_user_group_view(user=user) + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(response.data['count'], 1) - response = self.client.post( - reverse( - 'rest_api:users-group-list', args=(user.pk,) - ), data={ + def _request_user_group_add(self, user, group): + return self.post( + viewname='rest_api:users-group-list', args=(user.pk,), data={ 'group_pk_list': '{}'.format(group.pk) } ) - self.assertEqual(response.status_code, 201) + def test_user_group_add_no_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + response = self._request_user_group_add(user=user, group=group) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + user.refresh_from_db() + self.assertEqual(group.user_set.first(), None) + + def test_user_group_add_with_user_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + self.grant_access(permission=permission_user_edit, obj=user) + response = self._request_user_group_add(user=user, group=group) + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + # FIXME: Should this endpoint return a 201 or a 200 since + # the user is being edited and there is not resource creation + # happening. + user.refresh_from_db() + self.assertEqual(group.user_set.first(), None) + + def test_user_group_add_with_group_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + self.grant_access(permission=permission_group_view, obj=group) + response = self._request_user_group_add(user=user, group=group) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + # FIXME: Should this endpoint return a 201 or a 200 since + # the user is being edited and there is not resource creation + # happening. + user.refresh_from_db() + self.assertEqual(group.user_set.first(), None) + + def test_user_group_add_with_access(self): + group = Group.objects.create(name=TEST_GROUP_2_NAME) + user = self._create_user() + self.grant_access(permission=permission_user_edit, obj=user) + self.grant_access(permission=permission_group_view, obj=group) + response = self._request_user_group_add(user=user, group=group) + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + # FIXME: Should this endpoint return a 201 or a 200 since + # the user is being edited and there is not resource creation + # happening. + user.refresh_from_db() self.assertEqual(group.user_set.first(), user) class UserManagementGroupAPITestCase(BaseAPITestCase): def setUp(self): super(UserManagementGroupAPITestCase, self).setUp() - self.admin_user = get_user_model().objects.create_superuser( - username=TEST_ADMIN_USERNAME, email=TEST_ADMIN_EMAIL, - password=TEST_ADMIN_PASSWORD - ) + self.login_user() - self.client.login( - username=TEST_ADMIN_USERNAME, password=TEST_ADMIN_PASSWORD - ) - - def tearDown(self): - get_user_model().objects.all().delete() - super(UserManagementGroupAPITestCase, self).tearDown() - - def test_group_create(self): - response = self.client.post( - reverse('rest_api:group-list'), data={'name': TEST_GROUP_NAME} - ) - - self.assertEqual(response.status_code, 201) - - group = Group.objects.get(pk=response.data['id']) - self.assertEqual(group.name, TEST_GROUP_NAME) - - def test_group_edit_via_put(self): - group = Group.objects.create(name=TEST_GROUP_NAME) - response = self.client.put( - reverse('rest_api:group-detail', args=(group.pk,)), data={ - 'name': TEST_GROUP_NAME_EDITED + def _request_group_create(self): + return self.post( + viewname='rest_api:group-list', data={ + 'name': TEST_GROUP_2_NAME } ) - self.assertEqual(response.status_code, 200) + def test_group_create_no_permission(self): + response = self._request_group_create() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertFalse( + TEST_GROUP_2_NAME in list(Group.objects.values_list('name', flat=True)) + ) - group.refresh_from_db() - self.assertEqual(group.name, TEST_GROUP_NAME_EDITED) + def test_group_create_with_permission(self): + self.grant_permission(permission=permission_group_create) + response = self._request_group_create() + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + self.assertTrue( + TEST_GROUP_2_NAME in list(Group.objects.values_list('name', flat=True)) + ) - def test_group_edit_via_patch(self): - group = Group.objects.create(name=TEST_GROUP_NAME) - response = self.client.patch( - reverse('rest_api:group-detail', args=(group.pk,)), data={ - 'name': TEST_GROUP_NAME_EDITED + def _request_group_edit_via_patch(self): + return self.patch( + viewname='rest_api:group-detail', args=(self.group.pk,), + data={ + 'name': TEST_GROUP_2_NAME_EDITED } ) - self.assertEqual(response.status_code, 200) + def test_group_edit_via_patch_no_access(self): + self.group = Group.objects.create(name=TEST_GROUP_2_NAME) + response = self._request_group_edit_via_patch() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - group.refresh_from_db() - self.assertEqual(group.name, TEST_GROUP_NAME_EDITED) + self.group.refresh_from_db() + self.assertEqual(self.group.name, TEST_GROUP_2_NAME) - def test_group_delete(self): - group = Group.objects.create(name=TEST_GROUP_NAME) - response = self.client.delete( - reverse('rest_api:group-detail', args=(group.pk,)) + def test_group_edit_via_patch_with_access(self): + self.group = Group.objects.create(name=TEST_GROUP_2_NAME) + self.grant_access(permission=permission_group_edit, obj=self.group) + response = self._request_group_edit_via_patch() + self.assertEqual(response.status_code, status.HTTP_200_OK) + + self.group.refresh_from_db() + self.assertEqual(self.group.name, TEST_GROUP_2_NAME_EDITED) + + def _request_group_delete(self): + return self.delete( + viewname='rest_api:group-detail', args=(self.group.pk,) ) - self.assertEqual(response.status_code, 204) - self.assertEqual(Group.objects.count(), 0) + def test_group_delete_no_access(self): + self.group = Group.objects.create(name=TEST_GROUP_2_NAME) + response = self._request_group_delete() + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertTrue( + TEST_GROUP_2_NAME in list(Group.objects.values_list('name', flat=True)) + ) + + def test_group_delete_with_access(self): + self.group = Group.objects.create(name=TEST_GROUP_2_NAME) + self.grant_access(permission=permission_group_delete, obj=self.group) + response = self._request_group_delete() + + self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) + self.assertFalse( + TEST_GROUP_2_NAME in list(Group.objects.values_list('name', flat=True)) + )