matthias/mayan-edms
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add event tests to document comments app

Browse Source 
Switch view to return an HTTP 404 on lack of authorization
instead of an HTTP 403.

Signed-off-by: Roberto Rosario <Roberto.Rosario@mayan-edms.com>
This commit is contained in:
Roberto Rosario
2018-12-30 16:05:37 -04:00
parent 45ceab024d
commit ffeb580c15
8 changed files with 161 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
mayan/apps/document_comments/api_views.py
View File

@@ -1,10 +1,8 @@
from __future__ import absolute_import, unicode_literals from __future__ import absolute_import, unicode_literals
from django.shortcuts import get_object_or_404
from rest_framework import generics from rest_framework import generics
from mayan.apps.acls.models import AccessControlList from mayan.apps.common.mixins import ExternalObjectViewMixin
from mayan.apps.documents.models import Document from mayan.apps.documents.models import Document
from .permissions import ( from .permissions import (
@@ -14,27 +12,22 @@ from .permissions import (
from .serializers import CommentSerializer, WritableCommentSerializer from .serializers import CommentSerializer, WritableCommentSerializer
class APICommentListView(generics.ListCreateAPIView): class APICommentListView(ExternalObjectViewMixin, generics.ListCreateAPIView):
""" """
get: Returns a list of all the document comments. get: Returns a list of all the document comments.
post: Create a new document comment. post: Create a new document comment.
""" """
external_object_pk_url_kwarg = 'document_pk'
external_object_class = Document
def get_document(self): def get_document(self):
return self.get_external_object()
def get_external_object_permission(self):
if self.request.method == 'GET': if self.request.method == 'GET':
permission_required = permission_comment_view return permission_comment_view
else: else:
permission_required = permission_comment_create return permission_comment_create
document = get_object_or_404(
klass=Document, pk=self.kwargs['document_pk']
)
AccessControlList.objects.check_access(
permissions=permission_required, user=self.request.user,
obj=document
)
return document
def get_queryset(self): def get_queryset(self):
return self.get_document().comments.all() return self.get_document().comments.all()
@@ -66,30 +59,24 @@ class APICommentListView(generics.ListCreateAPIView):
return context return context
class APICommentView(generics.RetrieveDestroyAPIView): class APICommentView(ExternalObjectViewMixin, generics.RetrieveDestroyAPIView):
""" """
delete: Delete the selected document comment. delete: Delete the selected document comment.
get: Returns the details of the selected document comment. get: Returns the details of the selected document comment.
""" """
external_object_pk_url_kwarg = 'document_pk'
external_object_class = Document
lookup_url_kwarg = 'comment_pk' lookup_url_kwarg = 'comment_pk'
serializer_class = CommentSerializer serializer_class = CommentSerializer
def get_document(self): def get_document(self):
return self.get_external_object()
def get_external_object_permission(self):
if self.request.method == 'GET': if self.request.method == 'GET':
permission_required = permission_comment_view return permission_comment_view
else: else:
permission_required = permission_comment_delete return permission_comment_delete
document = get_object_or_404(
klass=Document, pk=self.kwargs['document_pk']
)
AccessControlList.objects.check_access(
permissions=permission_required, user=self.request.user,
obj=document
)
return document
def get_queryset(self): def get_queryset(self):
return self.get_document().comments.all() return self.get_document().comments.all()

7
mayan/apps/document_comments/apps.py
View File

@@ -12,7 +12,7 @@ from mayan.apps.events import ModelEventType
from mayan.apps.navigation import SourceColumn from mayan.apps.navigation import SourceColumn
from .events import ( from .events import (
event_document_comment_create, event_document_comment_delete event_document_comment_created, event_document_comment_deleted
) )
from .links import ( from .links import (
link_comment_add, link_comment_delete, link_comments_for_document link_comment_add, link_comment_delete, link_comments_for_document
@@ -32,6 +32,7 @@ class DocumentCommentsApp(MayanAppConfig):
verbose_name = _('Document comments') verbose_name = _('Document comments')
def ready(self): def ready(self):
from actstream import registry
super(DocumentCommentsApp, self).ready() super(DocumentCommentsApp, self).ready()
Document = apps.get_model( Document = apps.get_model(
@@ -42,7 +43,7 @@ class DocumentCommentsApp(MayanAppConfig):
ModelEventType.register( ModelEventType.register(
model=Document, event_types=( model=Document, event_types=(
event_document_comment_create, event_document_comment_delete event_document_comment_created, event_document_comment_deleted
) )
) )
@@ -86,3 +87,5 @@ class DocumentCommentsApp(MayanAppConfig):
menu_facet.bind_links( menu_facet.bind_links(
links=(link_comments_for_document,), sources=(Document,) links=(link_comments_for_document,), sources=(Document,)
) )
registry.register(Comment)

4
mayan/apps/document_comments/events.py
View File

@@ -8,9 +8,9 @@ namespace = EventTypeNamespace(
name='document_comments', label=_('Document comments') name='document_comments', label=_('Document comments')
) )
event_document_comment_create = namespace.add_event_type( event_document_comment_created = namespace.add_event_type(
name='create', label=_('Document comment created') name='create', label=_('Document comment created')
) )
event_document_comment_delete = namespace.add_event_type( event_document_comment_deleted = namespace.add_event_type(
name='delete', label=_('Document comment deleted') name='delete', label=_('Document comment deleted')
) )

12
mayan/apps/document_comments/models.py
View File

@@ -10,7 +10,7 @@ from django.utils.translation import ugettext_lazy as _
from mayan.apps.documents.models import Document from mayan.apps.documents.models import Document
from .events import ( from .events import (
event_document_comment_create, event_document_comment_delete event_document_comment_created, event_document_comment_deleted
) )
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@@ -49,11 +49,11 @@ class Comment(models.Model):
user = kwargs.pop('_user', None) user = kwargs.pop('_user', None)
super(Comment, self).delete(*args, **kwargs) super(Comment, self).delete(*args, **kwargs)
if user: if user:
event_document_comment_delete.commit( event_document_comment_deleted.commit(
actor=user, target=self.document actor=user, target=self.document
) )
else: else:
event_document_comment_delete.commit(target=self.document) event_document_comment_deleted.commit(target=self.document)
def save(self, *args, **kwargs): def save(self, *args, **kwargs):
user = kwargs.pop('_user', None) or self.user user = kwargs.pop('_user', None) or self.user
@@ -61,15 +61,15 @@ class Comment(models.Model):
super(Comment, self).save(*args, **kwargs) super(Comment, self).save(*args, **kwargs)
if is_new: if is_new:
if user: if user:
event_document_comment_create.commit( event_document_comment_created.commit(
actor=user, target=self.document actor=user, action_object=self.document, target=self
) )
logger.info( logger.info(
'Comment "%s" added to document "%s" by user "%s"', 'Comment "%s" added to document "%s" by user "%s"',
self.comment, self.document, user self.comment, self.document, user
) )
else: else:
event_document_comment_create.commit(target=self.document) event_document_comment_created.commit(target=self.document)
logger.info( logger.info(
'Comment "%s" added to document "%s"', self.comment, 'Comment "%s" added to document "%s"', self.comment,
self.document self.document

31
mayan/apps/document_comments/tests/mixins.py Normal file
View File

@@ -0,0 +1,31 @@
from __future__ import unicode_literals
from ..models import Comment
from .literals import TEST_COMMENT_TEXT
class CommentsTestMixin(object):
def _create_comment(self, user=None):
self.test_comment = self.document.comments.create(
comment=TEST_COMMENT_TEXT,
user=user or self.user or self.admin_user
)
def _request_document_comment_add_view(self):
response = self.post(
viewname='comments:comment_add',
kwargs={'document_pk': self.document.pk},
data={'comment': TEST_COMMENT_TEXT}
)
self.test_comment = Comment.objects.filter(
document=self.document.pk
).first()
return response
def _request_document_comment_delete_view(self):
return self.post(
viewname='comments:comment_delete',
kwargs={'comment_pk': self.test_comment.pk},
)

68
mayan/apps/document_comments/tests/test_api.py
View File

@@ -12,102 +12,98 @@ from ..permissions import (
) )
from .literals import TEST_COMMENT_TEXT from .literals import TEST_COMMENT_TEXT
from .mixins import CommentsTestMixin
class CommentAPITestCase(DocumentTestMixin, BaseAPITestCase): class CommentAPITestCase(CommentsTestMixin, DocumentTestMixin, BaseAPITestCase):
def setUp(self): def setUp(self):
super(CommentAPITestCase, self).setUp() super(CommentAPITestCase, self).setUp()
self.login_user() self.login_user()
def _create_comment(self): def _request_api_comment_create_view(self):
return self.document.comments.create(
comment=TEST_COMMENT_TEXT, user=self.admin_user
)
def _request_comment_create_view(self):
return self.post( return self.post(
viewname='rest_api:comment-list', kwargs={'document_pk': self.document.pk}, viewname='rest_api:comment-list',
data={ kwargs={'document_pk': self.document.pk}, data={
'comment': TEST_COMMENT_TEXT 'comment': TEST_COMMENT_TEXT
} }
) )
def test_comment_create_view_no_access(self): def test_comment_create_view_no_access(self):
response = self._request_comment_create_view() response = self._request_api_comment_create_view()
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
self.assertEqual(Comment.objects.count(), 0) self.assertEqual(Comment.objects.count(), 0)
def test_comment_create_view_with_access(self): def test_comment_create_view_with_access(self):
self.grant_access(permission=permission_comment_create, obj=self.document) self.grant_access(permission=permission_comment_create, obj=self.document)
response = self._request_comment_create_view() response = self._request_api_comment_create_view()
self.assertEqual(response.status_code, status.HTTP_201_CREATED) self.assertEqual(response.status_code, status.HTTP_201_CREATED)
comment = Comment.objects.first() comment = Comment.objects.first()
self.assertEqual(Comment.objects.count(), 1) self.assertEqual(Comment.objects.count(), 1)
self.assertEqual(response.data['id'], comment.pk) self.assertEqual(response.data['id'], comment.pk)
def _request_comment_delete_view(self): def _request_api_comment_delete_view(self):
return self.delete( return self.delete(
viewname='rest_api:comment-detail', kwargs={ viewname='rest_api:comment-detail', kwargs={
'document_pk': self.document.pk, 'document_pk': self.document.pk,
'comment_pk': self.comment.pk 'comment_pk': self.test_comment.pk
} }
) )
def test_comment_delete_view_no_access(self): def test_comment_delete_view_no_access(self):
self.comment = self._create_comment() self._create_comment()
response = self._request_comment_delete_view() response = self._request_api_comment_delete_view()
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
self.assertTrue(self.comment in Comment.objects.all()) self.assertTrue(self.test_comment in Comment.objects.all())
def test_comment_delete_view_with_access(self): def test_comment_delete_view_with_access(self):
self.comment = self._create_comment() self._create_comment()
self.grant_access( self.grant_access(
permission=permission_comment_delete, obj=self.document permission=permission_comment_delete, obj=self.document
) )
response = self._request_comment_delete_view() response = self._request_api_comment_delete_view()
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
self.assertFalse(self.comment in Comment.objects.all()) self.assertFalse(self.test_comment in Comment.objects.all())
def _request_comment_view(self): def _request_api_comment_detail_view(self):
return self.get( return self.get(
viewname='rest_api:comment-detail', kwargs={ viewname='rest_api:comment-detail', kwargs={
'document_pk': self.document.pk, 'document_pk': self.document.pk,
'comment_pk': self.comment.pk 'comment_pk': self.test_comment.pk
} }
) )
def test_comment_detail_view_no_access(self): def test_comment_detail_view_no_access(self):
self.comment = self._create_comment() self._create_comment()
response = self._request_comment_view() response = self._request_api_comment_detail_view()
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
def test_comment_detail_view_with_access(self): def test_comment_detail_view_with_access(self):
self.comment = self._create_comment() self._create_comment()
self.grant_access( self.grant_access(
permission=permission_comment_view, obj=self.document permission=permission_comment_view, obj=self.document
) )
response = self._request_comment_view() response = self._request_api_comment_detail_view()
self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data['comment'], self.comment.comment) self.assertEqual(response.data['comment'], self.test_comment.comment)
def _request_comment_list_view(self): def _request_api_comment_list_view(self):
return self.get( return self.get(
viewname='rest_api:comment-list', viewname='rest_api:comment-list',
kwargs={'document_pk': self.document.pk} kwargs={'document_pk': self.document.pk}
) )
def test_comment_list_view_no_access(self): def test_comment_list_view_no_access(self):
self.comment = self._create_comment() self._create_comment()
response = self._request_comment_list_view() response = self._request_api_comment_list_view()
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
def test_comment_list_view_with_access(self): def test_comment_list_view_with_access(self):
self.comment = self._create_comment() self._create_comment()
self.grant_access( self.grant_access(
permission=permission_comment_view, obj=self.document permission=permission_comment_view, obj=self.document
) )
response = self._request_comment_list_view() response = self._request_api_comment_list_view()
self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual( self.assertEqual(
response.data['results'][0]['comment'], self.comment.comment response.data['results'][0]['comment'], self.test_comment.comment
) )

65
mayan/apps/document_comments/tests/test_events.py Normal file
View File

@@ -0,0 +1,65 @@
from __future__ import unicode_literals
from actstream.models import Action
from mayan.apps.documents.tests import GenericDocumentViewTestCase
from ..events import (
event_document_comment_created, event_document_comment_deleted
)
from ..permissions import permission_comment_create, permission_comment_delete
from .mixins import CommentsTestMixin
class CommentEventsTestCase(CommentsTestMixin, GenericDocumentViewTestCase):
def setUp(self):
super(CommentEventsTestCase, self).setUp()
self.login_user()
def test_comment_created_event_no_permissions(self):
Action.objects.all().delete()
response = self._request_document_comment_add_view()
self.assertEqual(response.status_code, 404)
self.assertEqual(Action.objects.count(), 0)
def test_comment_created_event_with_permissions(self):
Action.objects.all().delete()
self.grant_access(
obj=self.document, permission=permission_comment_create
)
response = self._request_document_comment_add_view()
self.assertEqual(response.status_code, 302)
event = Action.objects.first()
self.assertEqual(event.verb, event_document_comment_created.id)
self.assertEqual(event.action_object, self.document)
self.assertEqual(event.target, self.test_comment)
self.assertEqual(event.actor, self.user)
def test_comment_deleted_event_no_permissions(self):
self._create_comment()
Action.objects.all().delete()
response = self._request_document_comment_delete_view()
self.assertEqual(response.status_code, 404)
self.assertEqual(Action.objects.count(), 0)
def test_comment_deleted_event_with_access(self):
self._create_comment()
Action.objects.all().delete()
self.grant_access(
obj=self.document, permission=permission_comment_delete
)
response = self._request_document_comment_delete_view()
self.assertEqual(response.status_code, 302)
event = Action.objects.first()
self.assertEqual(event.verb, event_document_comment_deleted.id)
self.assertEqual(event.target, self.document)
self.assertEqual(event.actor, self.user)

16
mayan/apps/document_comments/tests/test_views.py
View File

@@ -8,20 +8,14 @@ from ..permissions import (
) )
from .literals import TEST_COMMENT_TEXT from .literals import TEST_COMMENT_TEXT
from .mixins import CommentsTestMixin
class CommentsViewsTestCase(GenericDocumentViewTestCase): class CommentsViewsTestCase(CommentsTestMixin, GenericDocumentViewTestCase):
def setUp(self): def setUp(self):
super(CommentsViewsTestCase, self).setUp() super(CommentsViewsTestCase, self).setUp()
self.login_user() self.login_user()
def _request_document_comment_add_view(self):
return self.post(
viewname='comments:comment_add',
kwargs={'document_pk': self.document.pk},
data={'comment': TEST_COMMENT_TEXT}
)
def test_document_comment_add_view_no_permission(self): def test_document_comment_add_view_no_permission(self):
response = self._request_document_comment_add_view() response = self._request_document_comment_add_view()
self.assertEqual(response.status_code, 404) self.assertEqual(response.status_code, 404)
@@ -40,12 +34,6 @@ class CommentsViewsTestCase(GenericDocumentViewTestCase):
user=self.user, comment=TEST_COMMENT_TEXT user=self.user, comment=TEST_COMMENT_TEXT
) )
def _request_document_comment_delete_view(self):
return self.post(
viewname='comments:comment_delete',
kwargs={'comment_pk': self.test_comment.pk},
)
def test_document_comment_delete_view_no_permission(self): def test_document_comment_delete_view_no_permission(self):
self._create_test_comment() self._create_test_comment()