diff --git a/mayan/apps/permissions/tests/literals.py b/mayan/apps/permissions/tests/literals.py index 0cb9977ae7..52d75bdea2 100644 --- a/mayan/apps/permissions/tests/literals.py +++ b/mayan/apps/permissions/tests/literals.py @@ -1,4 +1,5 @@ from __future__ import unicode_literals +TEST_ROLE_2_LABEL = 'test role 2' TEST_ROLE_LABEL = 'test role' TEST_ROLE_LABEL_EDITED = 'test role label edited' diff --git a/mayan/apps/permissions/tests/test_api.py b/mayan/apps/permissions/tests/test_api.py index f68789277e..6de0d27db0 100644 --- a/mayan/apps/permissions/tests/test_api.py +++ b/mayan/apps/permissions/tests/test_api.py @@ -1,95 +1,121 @@ from __future__ import unicode_literals -from django.contrib.auth import get_user_model from django.contrib.auth.models import Group -from django.urls import reverse + +from rest_framework import status from rest_api.tests import BaseAPITestCase -from user_management.tests.literals import ( - TEST_ADMIN_EMAIL, TEST_ADMIN_PASSWORD, TEST_ADMIN_USERNAME, - TEST_GROUP_NAME -) +from user_management.tests.literals import TEST_GROUP_2_NAME from ..classes import Permission from ..models import Role -from ..permissions import permission_role_view +from ..permissions import ( + permission_role_create, permission_role_delete, + permission_role_edit, permission_role_view +) -from .literals import TEST_ROLE_LABEL, TEST_ROLE_LABEL_EDITED +from .literals import ( + TEST_ROLE_2_LABEL, TEST_ROLE_LABEL, TEST_ROLE_LABEL_EDITED +) class PermissionAPITestCase(BaseAPITestCase): def setUp(self): super(PermissionAPITestCase, self).setUp() - self.admin_user = get_user_model().objects.create_superuser( - username=TEST_ADMIN_USERNAME, email=TEST_ADMIN_EMAIL, - password=TEST_ADMIN_PASSWORD - ) - - self.client.login( - username=TEST_ADMIN_USERNAME, password=TEST_ADMIN_PASSWORD - ) - + self.login_user() Permission.invalidate_cache() def test_permissions_list_view(self): - response = self.client.get(reverse('rest_api:permission-list')) - self.assertEqual(response.status_code, 200) + response = self.get(viewname='rest_api:permission-list') + self.assertEqual(response.status_code, status.HTTP_200_OK) - def _create_role(self): - self.role = Role.objects.create(label=TEST_ROLE_LABEL) + # Role view - def test_roles_list_view(self): - self._create_role() + def test_roles_list_view_no_access(self): + response = self.get(viewname='rest_api:role-list') + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(response.data['count'], 0) - response = self.client.get(reverse('rest_api:role-list')) - self.assertEqual(response.status_code, 200) - self.assertEqual(response.data['results'][0]['label'], TEST_ROLE_LABEL) + def test_roles_list_view_with_access(self): + self.grant_access( + permission=permission_role_view, obj=self.role + ) + response = self.get(viewname='rest_api:role-list') + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(response.data['count'], 1) + self.assertEqual(response.data['results'][0]['label'], self.role.label) + + # Role create def _role_create_request(self, extra_data=None): data = { - 'label': TEST_ROLE_LABEL + 'label': TEST_ROLE_2_LABEL } if extra_data: data.update(extra_data) - return self.client.post( - reverse('rest_api:role-list'), data=data + return self.post( + viewname='rest_api:role-list', data=data ) - def test_role_create_view(self): + def test_role_create_view_no_permission(self): response = self._role_create_request() - role = Role.objects.first() - - self.assertEqual(response.status_code, 201) - self.assertEqual(response.data, {'label': role.label, 'id': role.pk}) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(Role.objects.count(), 1) - self.assertEqual(role.label, TEST_ROLE_LABEL) + + def test_role_create_view_with_permission(self): + self.grant_permission(permission=permission_role_create) + response = self._role_create_request() + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + + role = Role.objects.get(label=TEST_ROLE_2_LABEL) + self.assertEqual(response.data, {'label': role.label, 'id': role.pk}) + self.assertEqual(Role.objects.count(), 2) + self.assertEqual(role.label, TEST_ROLE_2_LABEL) def _create_group(self): - self.group = Group.objects.create(name=TEST_GROUP_NAME) + self.group_2 = Group.objects.create(name=TEST_GROUP_2_NAME) - def test_role_create_complex_view(self): + def _request_role_create_with_extra_data(self): self._create_group() - response = self._role_create_request( + return self._role_create_request( extra_data={ - 'groups_pk_list': '{}'.format(self.group.pk), + 'groups_pk_list': '{}'.format(self.group_2.pk), 'permissions_pk_list': '{}'.format(permission_role_view.pk) } ) - self.assertEqual(response.status_code, 201) + + def test_role_create_complex_view_no_permission(self): + response = self._request_role_create_with_extra_data() + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(Role.objects.count(), 1) - self.assertEqual(Role.objects.first().label, TEST_ROLE_LABEL) + self.assertEqual( + list(Role.objects.values_list('label', flat=True)), + [TEST_ROLE_LABEL] + ) + + def test_role_create_complex_view_with_permission(self): + self.grant_permission(permission=permission_role_create) + response = self._request_role_create_with_extra_data() + + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + self.assertEqual(Role.objects.count(), 2) + role = Role.objects.get(label=TEST_ROLE_2_LABEL) + self.assertEqual(role.label, TEST_ROLE_2_LABEL) self.assertQuerysetEqual( - Role.objects.first().groups.all(), (repr(self.group),) + role.groups.all(), (repr(self.group_2),) ) self.assertQuerysetEqual( - Role.objects.first().permissions.all(), + role.permissions.all(), (repr(permission_role_view.stored_permission),) ) - def _role_edit_request(self, extra_data=None, request_type='patch'): + # Role edit + + def _request_role_edit(self, extra_data=None, request_type='patch'): data = { 'label': TEST_ROLE_LABEL_EDITED } @@ -97,72 +123,125 @@ class PermissionAPITestCase(BaseAPITestCase): if extra_data: data.update(extra_data) - return getattr(self.client, request_type)( - reverse('rest_api:role-detail', args=(self.role.pk,)), data=data + return getattr(self, request_type)( + viewname='rest_api:role-detail', args=(self.role.pk,), + data=data ) - def test_role_edit_via_patch(self): - self._create_role() - response = self._role_edit_request() - self.assertEqual(response.status_code, 200) - self.assertEqual(Role.objects.first().label, TEST_ROLE_LABEL_EDITED) + def test_role_edit_via_patch_no_access(self): + response = self._request_role_edit(request_type='patch') + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.role.refresh_from_db() + self.assertEqual(self.role.label, TEST_ROLE_LABEL) - def test_role_edit_complex_via_patch(self): - Role.objects.all().delete() - Group.objects.all().delete() + def test_role_edit_via_patch_with_access(self): + self.grant_access(permission=permission_role_edit, obj=self.role) + response = self._request_role_edit(request_type='patch') + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.role.refresh_from_db() + self.assertEqual(self.role.label, TEST_ROLE_LABEL_EDITED) - self._create_role() + def _request_role_edit_via_patch_with_extra_data(self): self._create_group() - - response = self._role_edit_request( + return self._request_role_edit( extra_data={ - 'groups_pk_list': '{}'.format(self.group.pk), + 'groups_pk_list': '{}'.format(self.group_2.pk), 'permissions_pk_list': '{}'.format(permission_role_view.pk) - } + }, + request_type='patch' ) - self.assertEqual(response.status_code, 200) - self.assertEqual(Role.objects.first().label, TEST_ROLE_LABEL_EDITED) + + def test_role_edit_complex_via_patch_no_access(self): + response = self._request_role_edit_via_patch_with_extra_data() + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.role.refresh_from_db() + self.assertEqual(self.role.label, TEST_ROLE_LABEL) + self.assertQuerysetEqual( - Role.objects.first().groups.all(), (repr(self.group),) + self.role.groups.all(), (repr(self.group),) + ) + self.assertQuerysetEqual(self.role.permissions.all(), ()) + + def test_role_edit_complex_via_patch_with_access(self): + self.grant_access(permission=permission_role_edit, obj=self.role) + response = self._request_role_edit_via_patch_with_extra_data() + + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.role.refresh_from_db() + self.assertEqual(self.role.label, TEST_ROLE_LABEL_EDITED) + self.assertQuerysetEqual( + self.role.groups.all(), (repr(self.group_2),) ) self.assertQuerysetEqual( - Role.objects.first().permissions.all(), + self.role.permissions.all(), (repr(permission_role_view.stored_permission),) ) - def test_role_edit_via_put(self): - self._create_role() - response = self._role_edit_request(request_type='put') - self.assertEqual(response.status_code, 200) - self.assertEqual(Role.objects.first().label, TEST_ROLE_LABEL_EDITED) + def test_role_edit_via_put_no_access(self): + response = self._request_role_edit(request_type='put') + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.role.refresh_from_db() + self.assertEqual(self.role.label, TEST_ROLE_LABEL) - def test_role_edit_complex_via_put(self): - Role.objects.all().delete() - Group.objects.all().delete() + def test_role_edit_via_put_with_access(self): + self.grant_access(permission=permission_role_edit, obj=self.role) + response = self._request_role_edit(request_type='put') + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.role.refresh_from_db() + self.assertEqual(self.role.label, TEST_ROLE_LABEL_EDITED) - self._create_role() + def _request_role_edit_via_put_with_extra_data(self): self._create_group() - response = self._role_edit_request( + return self._request_role_edit( extra_data={ - 'groups_pk_list': '{}'.format(self.group.pk), + 'groups_pk_list': '{}'.format(self.group_2.pk), 'permissions_pk_list': '{}'.format(permission_role_view.pk) }, request_type='put' ) - self.assertEqual(response.status_code, 200) - self.assertEqual(Role.objects.first().label, TEST_ROLE_LABEL_EDITED) + + def test_role_edit_complex_via_put_no_access(self): + response = self._request_role_edit_via_put_with_extra_data() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.role.refresh_from_db() + self.assertEqual(self.role.label, TEST_ROLE_LABEL) self.assertQuerysetEqual( - Role.objects.first().groups.all(), (repr(self.group),) + self.role.groups.all(), (repr(self.group),) ) self.assertQuerysetEqual( - Role.objects.first().permissions.all(), + self.role.permissions.all(), + () + ) + + def test_role_edit_complex_via_put_with_access(self): + self.grant_access(permission=permission_role_edit, obj=self.role) + response = self._request_role_edit_via_put_with_extra_data() + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.role.refresh_from_db() + self.assertEqual(self.role.label, TEST_ROLE_LABEL_EDITED) + self.assertQuerysetEqual( + self.role.groups.all(), (repr(self.group_2),) + ) + self.assertQuerysetEqual( + self.role.permissions.all(), (repr(permission_role_view.stored_permission),) ) - def test_role_delete_view(self): - self._create_role() - response = self.client.delete( - reverse('rest_api:role-detail', args=(self.role.pk,)) + # Role delete + + def _request_role_delete_view(self): + return self.delete( + viewname='rest_api:role-detail', args=(self.role.pk,) ) - self.assertEqual(response.status_code, 204) + + def test_role_delete_view_no_access(self): + response = self._request_role_delete_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(Role.objects.count(), 1) + + def test_role_delete_view_with_access(self): + self.grant_access(permission=permission_role_delete, obj=self.role) + response = self._request_role_delete_view() + self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) self.assertEqual(Role.objects.count(), 0) diff --git a/mayan/apps/user_management/tests/literals.py b/mayan/apps/user_management/tests/literals.py index dcff243e64..a527b2967a 100644 --- a/mayan/apps/user_management/tests/literals.py +++ b/mayan/apps/user_management/tests/literals.py @@ -11,6 +11,7 @@ TEST_ADMIN_PASSWORD = 'test admin password' TEST_ADMIN_USERNAME = 'test_admin' TEST_GROUP_NAME = 'test group' +TEST_GROUP_2_NAME = 'test group 2' TEST_GROUP_NAME_EDITED = 'test group edited' TEST_USER_EMAIL = 'user@example.com' TEST_USER_PASSWORD = 'test user password'