36a51eeb73
Instead of inserting the path of the apps into the Python app, the apps are now referenced by their full import path. This solves name clashes with external or native Python libraries. Example: Mayan statistics app vs. Python new statistics library. Every app reference is now prepended with 'mayan.apps'. Existing config.yml files need to be updated manually. Signed-off-by: Roberto Rosario <roberto.rosario.gonzalez@gmail.com>
431 lines
16 KiB
Python
431 lines
16 KiB
Python
from __future__ import unicode_literals
|
|
|
|
from django.contrib.auth import get_user_model
|
|
from django.contrib.auth.models import Group
|
|
|
|
from rest_framework import status
|
|
|
|
from mayan.apps.rest_api.tests import BaseAPITestCase
|
|
|
|
from ..permissions import (
|
|
permission_group_create, permission_group_delete,
|
|
permission_group_edit, permission_group_view,
|
|
permission_user_create, permission_user_delete,
|
|
permission_user_edit, permission_user_view
|
|
)
|
|
|
|
from .literals import (
|
|
TEST_GROUP_2_NAME, TEST_GROUP_2_NAME_EDITED, TEST_USER_2_EMAIL,
|
|
TEST_USER_2_PASSWORD, TEST_USER_2_USERNAME, TEST_USER_2_USERNAME_EDITED,
|
|
TEST_USER_2_PASSWORD_EDITED
|
|
)
|
|
from .mixins import UserTestMixin
|
|
|
|
|
|
class UserManagementUserAPITestCase(UserTestMixin, BaseAPITestCase):
|
|
def setUp(self):
|
|
super(UserManagementUserAPITestCase, self).setUp()
|
|
self.login_user()
|
|
|
|
# User create
|
|
def _request_user_create(self):
|
|
return self.post(
|
|
viewname='rest_api:user-list', data={
|
|
'email': TEST_USER_2_EMAIL, 'password': TEST_USER_2_PASSWORD,
|
|
'username': TEST_USER_2_USERNAME,
|
|
}
|
|
)
|
|
|
|
def test_user_create_no_permission(self):
|
|
response = self._request_user_create()
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
# Default two users, the test admin and the test user
|
|
self.assertEqual(get_user_model().objects.count(), 2)
|
|
|
|
def test_user_create_with_permission(self):
|
|
self.grant_permission(permission=permission_user_create)
|
|
response = self._request_user_create()
|
|
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
|
|
user = get_user_model().objects.get(pk=response.data['id'])
|
|
self.assertEqual(user.username, TEST_USER_2_USERNAME)
|
|
self.assertEqual(get_user_model().objects.count(), 3)
|
|
|
|
def _request_create_user_with_extra_data(self):
|
|
return self.post(
|
|
viewname='rest_api:user-list', data={
|
|
'email': TEST_USER_2_EMAIL, 'password': TEST_USER_2_PASSWORD,
|
|
'username': TEST_USER_2_USERNAME,
|
|
'groups_pk_list': self.groups_pk_list
|
|
}
|
|
)
|
|
|
|
def test_user_create_with_group_no_permission(self):
|
|
group_1 = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
self.groups_pk_list = '{}'.format(group_1.pk)
|
|
|
|
response = self._request_create_user_with_extra_data()
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
|
|
def test_user_create_with_group_with_permission(self):
|
|
group_1 = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
self.groups_pk_list = '{}'.format(group_1.pk)
|
|
|
|
self.grant_permission(permission=permission_user_create)
|
|
response = self._request_create_user_with_extra_data()
|
|
|
|
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
|
|
|
|
user = get_user_model().objects.get(pk=response.data['id'])
|
|
self.assertEqual(user.username, TEST_USER_2_USERNAME)
|
|
self.assertQuerysetEqual(user.groups.all(), (repr(group_1),))
|
|
|
|
def test_user_create_with_groups_no_permission(self):
|
|
group_1 = Group.objects.create(name='test group 1')
|
|
group_2 = Group.objects.create(name='test group 2')
|
|
self.groups_pk_list = '{},{}'.format(group_1.pk, group_2.pk)
|
|
response = self._request_create_user_with_extra_data()
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
|
|
def test_user_create_with_groups_with_permission(self):
|
|
group_1 = Group.objects.create(name='test group 1')
|
|
group_2 = Group.objects.create(name='test group 2')
|
|
self.groups_pk_list = '{},{}'.format(group_1.pk, group_2.pk)
|
|
self.grant_permission(permission=permission_user_create)
|
|
response = self._request_create_user_with_extra_data()
|
|
|
|
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
|
|
|
|
user = get_user_model().objects.get(pk=response.data['id'])
|
|
self.assertEqual(user.username, TEST_USER_2_USERNAME)
|
|
self.assertQuerysetEqual(
|
|
user.groups.all().order_by('name'), (repr(group_1), repr(group_2))
|
|
)
|
|
|
|
# User login
|
|
|
|
def test_user_create_login(self):
|
|
self._create_user()
|
|
|
|
self.assertTrue(
|
|
self.login(
|
|
username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD
|
|
)
|
|
)
|
|
|
|
# User password change
|
|
|
|
def test_user_create_login_password_change_no_access(self):
|
|
user = self._create_user()
|
|
|
|
self.patch(
|
|
viewname='rest_api:user-detail', args=(user.pk,), data={
|
|
'password': TEST_USER_2_PASSWORD_EDITED,
|
|
}
|
|
)
|
|
|
|
self.assertFalse(
|
|
self.client.login(
|
|
username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD_EDITED
|
|
)
|
|
)
|
|
|
|
def test_user_create_login_password_change_with_access(self):
|
|
user = self._create_user()
|
|
|
|
self.grant_access(permission=permission_user_edit, obj=user)
|
|
self.patch(
|
|
viewname='rest_api:user-detail', args=(user.pk,), data={
|
|
'password': TEST_USER_2_PASSWORD_EDITED,
|
|
}
|
|
)
|
|
|
|
self.assertTrue(
|
|
self.client.login(
|
|
username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD_EDITED
|
|
)
|
|
)
|
|
|
|
# User edit
|
|
|
|
def _request_user_edit_via_put(self, user):
|
|
return self.put(
|
|
viewname='rest_api:user-detail', args=(user.pk,),
|
|
data={'username': TEST_USER_2_USERNAME_EDITED}
|
|
)
|
|
|
|
def test_user_edit_via_put_no_access(self):
|
|
user = self._create_user()
|
|
response = self._request_user_edit_via_put(user=user)
|
|
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
|
|
user.refresh_from_db()
|
|
self.assertEqual(user.username, TEST_USER_2_USERNAME)
|
|
|
|
def test_user_edit_via_put_with_access(self):
|
|
user = self._create_user()
|
|
self.grant_access(permission=permission_user_edit, obj=user)
|
|
response = self._request_user_edit_via_put(user=user)
|
|
|
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
|
|
|
user.refresh_from_db()
|
|
self.assertEqual(user.username, TEST_USER_2_USERNAME_EDITED)
|
|
|
|
def _request_user_edit_via_patch(self, user):
|
|
return self.patch(
|
|
viewname='rest_api:user-detail', args=(user.pk,),
|
|
data={'username': TEST_USER_2_USERNAME_EDITED}
|
|
)
|
|
|
|
def test_user_edit_via_patch_no_access(self):
|
|
user = self._create_user()
|
|
response = self._request_user_edit_via_patch(user=user)
|
|
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
|
|
user.refresh_from_db()
|
|
self.assertEqual(user.username, TEST_USER_2_USERNAME)
|
|
|
|
def test_user_edit_via_patch_with_access(self):
|
|
user = self._create_user()
|
|
self.grant_access(permission=permission_user_edit, obj=user)
|
|
response = self._request_user_edit_via_patch(user=user)
|
|
|
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
|
|
|
user.refresh_from_db()
|
|
self.assertEqual(user.username, TEST_USER_2_USERNAME_EDITED)
|
|
|
|
def _request_user_edit_via_patch_with_extra_data(self, user, group):
|
|
return self.patch(
|
|
viewname='rest_api:user-detail', args=(user.pk,),
|
|
data={'groups_pk_list': '{}'.format(group.pk)}
|
|
)
|
|
|
|
def test_user_edit_add_groups_via_patch_no_access(self):
|
|
group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
user = self._create_user()
|
|
|
|
response = self._request_user_edit_via_patch_with_extra_data(
|
|
user=user, group=group
|
|
)
|
|
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
|
|
user.refresh_from_db()
|
|
self.assertEqual(user.username, TEST_USER_2_USERNAME)
|
|
|
|
self.assertQuerysetEqual(
|
|
user.groups.all(), ()
|
|
)
|
|
|
|
def test_user_edit_add_groups_via_patch_with_access(self):
|
|
group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
user = self._create_user()
|
|
self.grant_access(permission=permission_user_edit, obj=user)
|
|
response = self._request_user_edit_via_patch_with_extra_data(
|
|
user=user, group=group
|
|
)
|
|
|
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
|
|
|
user.refresh_from_db()
|
|
self.assertEqual(user.username, TEST_USER_2_USERNAME)
|
|
|
|
self.assertQuerysetEqual(
|
|
user.groups.all(), (repr(group),)
|
|
)
|
|
|
|
# User delete
|
|
|
|
def _request_user_delete(self, user):
|
|
return self.delete(
|
|
viewname='rest_api:user-detail', args=(user.pk,)
|
|
)
|
|
|
|
def test_user_delete_no_access(self):
|
|
user = self._create_user()
|
|
response = self._request_user_delete(user=user)
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
|
|
self.assertTrue(get_user_model().objects.filter(pk=user.pk).exists())
|
|
|
|
def test_user_delete_with_access(self):
|
|
user = self._create_user()
|
|
self.grant_access(permission=permission_user_delete, obj=user)
|
|
response = self._request_user_delete(user=user)
|
|
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
|
|
|
|
self.assertFalse(get_user_model().objects.filter(pk=user.pk).exists())
|
|
|
|
# User view
|
|
|
|
def _request_user_group_view(self, user):
|
|
return self.get(
|
|
viewname='rest_api:users-group-list', args=(user.pk,)
|
|
)
|
|
|
|
def test_user_group_list_no_access(self):
|
|
group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
user = self._create_user()
|
|
user.groups.add(group)
|
|
response = self._request_user_group_view(user=user)
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
|
|
def test_user_group_list_with_user_access(self):
|
|
group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
user = self._create_user()
|
|
user.groups.add(group)
|
|
self.grant_access(permission=permission_user_view, obj=user)
|
|
response = self._request_user_group_view(user=user)
|
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
|
self.assertEqual(response.data['count'], 0)
|
|
|
|
def test_user_group_list_with_group_access(self):
|
|
group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
user = self._create_user()
|
|
user.groups.add(group)
|
|
self.grant_access(permission=permission_group_view, obj=group)
|
|
response = self._request_user_group_view(user=user)
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
|
|
def test_user_group_list_with_access(self):
|
|
group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
user = self._create_user()
|
|
user.groups.add(group)
|
|
self.grant_access(permission=permission_user_view, obj=user)
|
|
self.grant_access(permission=permission_group_view, obj=group)
|
|
response = self._request_user_group_view(user=user)
|
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
|
self.assertEqual(response.data['count'], 1)
|
|
|
|
def _request_user_group_add(self, user, group):
|
|
return self.post(
|
|
viewname='rest_api:users-group-list', args=(user.pk,), data={
|
|
'group_pk_list': '{}'.format(group.pk)
|
|
}
|
|
)
|
|
|
|
def test_user_group_add_no_access(self):
|
|
group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
user = self._create_user()
|
|
response = self._request_user_group_add(user=user, group=group)
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
user.refresh_from_db()
|
|
self.assertEqual(group.user_set.first(), None)
|
|
|
|
def test_user_group_add_with_user_access(self):
|
|
group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
user = self._create_user()
|
|
self.grant_access(permission=permission_user_edit, obj=user)
|
|
response = self._request_user_group_add(user=user, group=group)
|
|
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
|
|
# FIXME: Should this endpoint return a 201 or a 200 since
|
|
# the user is being edited and there is not resource creation
|
|
# happening.
|
|
user.refresh_from_db()
|
|
self.assertEqual(group.user_set.first(), None)
|
|
|
|
def test_user_group_add_with_group_access(self):
|
|
group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
user = self._create_user()
|
|
self.grant_access(permission=permission_group_view, obj=group)
|
|
response = self._request_user_group_add(user=user, group=group)
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
# FIXME: Should this endpoint return a 201 or a 200 since
|
|
# the user is being edited and there is not resource creation
|
|
# happening.
|
|
user.refresh_from_db()
|
|
self.assertEqual(group.user_set.first(), None)
|
|
|
|
def test_user_group_add_with_access(self):
|
|
group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
user = self._create_user()
|
|
self.grant_access(permission=permission_user_edit, obj=user)
|
|
self.grant_access(permission=permission_group_view, obj=group)
|
|
response = self._request_user_group_add(user=user, group=group)
|
|
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
|
|
# FIXME: Should this endpoint return a 201 or a 200 since
|
|
# the user is being edited and there is not resource creation
|
|
# happening.
|
|
user.refresh_from_db()
|
|
self.assertEqual(group.user_set.first(), user)
|
|
|
|
|
|
class UserManagementGroupAPITestCase(BaseAPITestCase):
|
|
def setUp(self):
|
|
super(UserManagementGroupAPITestCase, self).setUp()
|
|
self.login_user()
|
|
|
|
def _request_group_create(self):
|
|
return self.post(
|
|
viewname='rest_api:group-list', data={
|
|
'name': TEST_GROUP_2_NAME
|
|
}
|
|
)
|
|
|
|
def test_group_create_no_permission(self):
|
|
response = self._request_group_create()
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
self.assertFalse(
|
|
TEST_GROUP_2_NAME in list(Group.objects.values_list('name', flat=True))
|
|
)
|
|
|
|
def test_group_create_with_permission(self):
|
|
self.grant_permission(permission=permission_group_create)
|
|
response = self._request_group_create()
|
|
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
|
|
self.assertTrue(
|
|
TEST_GROUP_2_NAME in list(Group.objects.values_list('name', flat=True))
|
|
)
|
|
|
|
def _request_group_edit_via_patch(self):
|
|
return self.patch(
|
|
viewname='rest_api:group-detail', args=(self.group.pk,),
|
|
data={
|
|
'name': TEST_GROUP_2_NAME_EDITED
|
|
}
|
|
)
|
|
|
|
def test_group_edit_via_patch_no_access(self):
|
|
self.group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
response = self._request_group_edit_via_patch()
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
|
|
self.group.refresh_from_db()
|
|
self.assertEqual(self.group.name, TEST_GROUP_2_NAME)
|
|
|
|
def test_group_edit_via_patch_with_access(self):
|
|
self.group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
self.grant_access(permission=permission_group_edit, obj=self.group)
|
|
response = self._request_group_edit_via_patch()
|
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
|
|
|
self.group.refresh_from_db()
|
|
self.assertEqual(self.group.name, TEST_GROUP_2_NAME_EDITED)
|
|
|
|
def _request_group_delete(self):
|
|
return self.delete(
|
|
viewname='rest_api:group-detail', args=(self.group.pk,)
|
|
)
|
|
|
|
def test_group_delete_no_access(self):
|
|
self.group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
response = self._request_group_delete()
|
|
|
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
|
self.assertTrue(
|
|
TEST_GROUP_2_NAME in list(Group.objects.values_list('name', flat=True))
|
|
)
|
|
|
|
def test_group_delete_with_access(self):
|
|
self.group = Group.objects.create(name=TEST_GROUP_2_NAME)
|
|
self.grant_access(permission=permission_group_delete, obj=self.group)
|
|
response = self._request_group_delete()
|
|
|
|
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
|
|
self.assertFalse(
|
|
TEST_GROUP_2_NAME in list(Group.objects.values_list('name', flat=True))
|
|
)
|