based on permissions and access. The tests were also updated to conform with the new API test class interface. Signed-off-by: Michael Price <loneviking72@gmail.com>
from __future__ import unicode_literals
from django.contrib.auth import get_user_model
from django.contrib.auth.models import Group
from rest_framework import status
from rest_api.tests import BaseAPITestCase
from ..permissions import (
permission_group_create, permission_group_delete,
permission_group_edit, permission_group_view,
permission_user_create, permission_user_delete,
permission_user_edit, permission_user_view
)
from .literals import (
TEST_GROUP_2_NAME, TEST_GROUP_2_NAME_EDITED, TEST_USER_2_EMAIL,
TEST_USER_2_PASSWORD, TEST_USER_2_USERNAME, TEST_USER_2_USERNAME_EDITED,
TEST_USER_2_PASSWORD_EDITED
)
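class UserManagementUserAPITestCase(BaseAPITestCase):
    """
    Access-control tests for the user endpoints of the REST API.

    Each negative test ("no permission" / "no access") checks two things:
    the request is rejected with HTTP 403 and the database is left
    unchanged, so a rejection is verified to have no side effect and not
    only a status code. Positive tests use ``grant_permission()`` (called
    without an object) or ``grant_access()`` (called with the user or
    group the request targets) before repeating the same request.
    """
    def setUp(self):
        """Log the test user in before every test."""
        super(UserManagementUserAPITestCase, self).setUp()
        self.login_user()

    # User create

    def _create_user(self):
        """Create the secondary test user directly through the ORM."""
        return get_user_model().objects.create_user(
            username=TEST_USER_2_USERNAME, email=TEST_USER_2_EMAIL,
            password=TEST_USER_2_PASSWORD
        )

    def _request_user_create(self):
        """POST the secondary test user to the user list endpoint."""
        return self.post(
            viewname='rest_api:user-list', data={
                'email': TEST_USER_2_EMAIL, 'password': TEST_USER_2_PASSWORD,
                'username': TEST_USER_2_USERNAME,
            }
        )

    def test_user_create_no_permission(self):
        """Creating a user without the create permission is rejected."""
        response = self._request_user_create()
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        # Default two users, the test admin and the test user
        self.assertEqual(get_user_model().objects.count(), 2)

    def test_user_create_with_permission(self):
        """With the create permission the user is persisted and returned."""
        self.grant_permission(permission=permission_user_create)
        response = self._request_user_create()
        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
        user = get_user_model().objects.get(pk=response.data['id'])
        self.assertEqual(user.username, TEST_USER_2_USERNAME)
        self.assertEqual(get_user_model().objects.count(), 3)

    def _request_create_user_with_extra_data(self):
        """
        POST the secondary test user together with a group assignment.

        Callers must set ``self.groups_pk_list`` (a comma separated string
        of group primary keys) before calling.
        """
        return self.post(
            viewname='rest_api:user-list', data={
                'email': TEST_USER_2_EMAIL, 'password': TEST_USER_2_PASSWORD,
                'username': TEST_USER_2_USERNAME,
                'groups_pk_list': self.groups_pk_list
            }
        )

    def test_user_create_with_group_no_permission(self):
        """Creating a user with a group, without permission, is rejected."""
        group_1 = Group.objects.create(name=TEST_GROUP_2_NAME)
        self.groups_pk_list = '{}'.format(group_1.pk)

        response = self._request_create_user_with_extra_data()
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_user_create_with_group_with_permission(self):
        """With permission the user is created and placed in the group."""
        group_1 = Group.objects.create(name=TEST_GROUP_2_NAME)
        self.groups_pk_list = '{}'.format(group_1.pk)

        self.grant_permission(permission=permission_user_create)
        response = self._request_create_user_with_extra_data()

        self.assertEqual(response.status_code, status.HTTP_201_CREATED)

        user = get_user_model().objects.get(pk=response.data['id'])
        self.assertEqual(user.username, TEST_USER_2_USERNAME)
        self.assertQuerysetEqual(user.groups.all(), (repr(group_1),))

    def test_user_create_with_groups_no_permission(self):
        """Creating a user with several groups, without permission, is rejected."""
        group_1 = Group.objects.create(name='test group 1')
        group_2 = Group.objects.create(name='test group 2')
        self.groups_pk_list = '{},{}'.format(group_1.pk, group_2.pk)
        response = self._request_create_user_with_extra_data()
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_user_create_with_groups_with_permission(self):
        """With permission the user is created and placed in every listed group."""
        group_1 = Group.objects.create(name='test group 1')
        group_2 = Group.objects.create(name='test group 2')
        self.groups_pk_list = '{},{}'.format(group_1.pk, group_2.pk)
        self.grant_permission(permission=permission_user_create)
        response = self._request_create_user_with_extra_data()

        self.assertEqual(response.status_code, status.HTTP_201_CREATED)

        user = get_user_model().objects.get(pk=response.data['id'])
        self.assertEqual(user.username, TEST_USER_2_USERNAME)
        # Ordered so the comparison does not depend on insertion order.
        self.assertQuerysetEqual(
            user.groups.all().order_by('name'), (repr(group_1), repr(group_2))
        )

    # User login

    def test_user_create_login(self):
        """A user created through the ORM can log in with its credentials."""
        self._create_user()

        self.assertTrue(
            self.login(
                username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD
            )
        )

    # User password change

    def test_user_create_login_password_change_no_access(self):
        """
        A password change by a caller without edit access is rejected and
        the stored password is left untouched.
        """
        user = self._create_user()

        response = self.patch(
            viewname='rest_api:user-detail', args=(user.pk,), data={
                'password': TEST_USER_2_PASSWORD_EDITED,
            }
        )
        # The other no-access PATCH tests on this view expect 403. Checking
        # the status here too means the test no longer passes on a 2xx that
        # merely failed to persist the new password.
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

        self.assertFalse(
            self.client.login(
                username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD_EDITED
            )
        )
        # The original credentials must still work: the rejected request
        # had no side effect on the stored password.
        self.assertTrue(
            self.client.login(
                username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD
            )
        )

    def test_user_create_login_password_change_with_access(self):
        """With edit access on the user the new password becomes effective."""
        user = self._create_user()

        self.grant_access(permission=permission_user_edit, obj=user)
        response = self.patch(
            viewname='rest_api:user-detail', args=(user.pk,), data={
                'password': TEST_USER_2_PASSWORD_EDITED,
            }
        )
        self.assertEqual(response.status_code, status.HTTP_200_OK)

        self.assertTrue(
            self.client.login(
                username=TEST_USER_2_USERNAME, password=TEST_USER_2_PASSWORD_EDITED
            )
        )

    # User edit

    def _request_user_edit_via_put(self, user):
        """PUT a new username for ``user`` to the user detail endpoint."""
        return self.put(
            viewname='rest_api:user-detail', args=(user.pk,),
            data={'username': TEST_USER_2_USERNAME_EDITED}
        )

    def test_user_edit_via_put_no_access(self):
        """PUT without edit access is rejected and the username is unchanged."""
        user = self._create_user()
        response = self._request_user_edit_via_put(user=user)

        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

        user.refresh_from_db()
        self.assertEqual(user.username, TEST_USER_2_USERNAME)

    def test_user_edit_via_put_with_access(self):
        """PUT with edit access on the user renames it."""
        user = self._create_user()
        self.grant_access(permission=permission_user_edit, obj=user)
        response = self._request_user_edit_via_put(user=user)

        self.assertEqual(response.status_code, status.HTTP_200_OK)

        user.refresh_from_db()
        self.assertEqual(user.username, TEST_USER_2_USERNAME_EDITED)

    def _request_user_edit_via_patch(self, user):
        """PATCH a new username for ``user`` to the user detail endpoint."""
        return self.patch(
            viewname='rest_api:user-detail', args=(user.pk,),
            data={'username': TEST_USER_2_USERNAME_EDITED}
        )

    def test_user_edit_via_patch_no_access(self):
        """PATCH without edit access is rejected and the username is unchanged."""
        user = self._create_user()
        response = self._request_user_edit_via_patch(user=user)

        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

        user.refresh_from_db()
        self.assertEqual(user.username, TEST_USER_2_USERNAME)

    def test_user_edit_via_patch_with_access(self):
        """PATCH with edit access on the user renames it."""
        user = self._create_user()
        self.grant_access(permission=permission_user_edit, obj=user)
        response = self._request_user_edit_via_patch(user=user)

        self.assertEqual(response.status_code, status.HTTP_200_OK)

        user.refresh_from_db()
        self.assertEqual(user.username, TEST_USER_2_USERNAME_EDITED)

    def _request_user_edit_via_patch_with_extra_data(self, user, group):
        """PATCH ``user`` so that its group list becomes just ``group``."""
        return self.patch(
            viewname='rest_api:user-detail', args=(user.pk,),
            data={'groups_pk_list': '{}'.format(group.pk)}
        )

    def test_user_edit_add_groups_via_patch_no_access(self):
        """
        Adding a group via PATCH without edit access is rejected; neither the
        username nor the group membership changes.
        """
        group = Group.objects.create(name=TEST_GROUP_2_NAME)
        user = self._create_user()

        response = self._request_user_edit_via_patch_with_extra_data(
            user=user, group=group
        )

        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

        user.refresh_from_db()
        self.assertEqual(user.username, TEST_USER_2_USERNAME)

        self.assertQuerysetEqual(
            user.groups.all(), ()
        )

    def test_user_edit_add_groups_via_patch_with_access(self):
        """Adding a group via PATCH with edit access on the user succeeds."""
        group = Group.objects.create(name=TEST_GROUP_2_NAME)
        user = self._create_user()
        self.grant_access(permission=permission_user_edit, obj=user)
        response = self._request_user_edit_via_patch_with_extra_data(
            user=user, group=group
        )

        self.assertEqual(response.status_code, status.HTTP_200_OK)

        user.refresh_from_db()
        self.assertEqual(user.username, TEST_USER_2_USERNAME)

        self.assertQuerysetEqual(
            user.groups.all(), (repr(group),)
        )

    # User delete

    def _request_user_delete(self, user):
        """DELETE ``user`` through the user detail endpoint."""
        return self.delete(
            viewname='rest_api:user-detail', args=(user.pk,)
        )

    def test_user_delete_no_access(self):
        """DELETE without delete access is rejected and the user survives."""
        user = self._create_user()
        response = self._request_user_delete(user=user)
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

        self.assertTrue(get_user_model().objects.filter(pk=user.pk).exists())

    def test_user_delete_with_access(self):
        """DELETE with delete access on the user removes it."""
        user = self._create_user()
        self.grant_access(permission=permission_user_delete, obj=user)
        response = self._request_user_delete(user=user)
        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)

        self.assertFalse(get_user_model().objects.filter(pk=user.pk).exists())

    # User view

    def _request_user_group_view(self, user):
        """GET the list of groups of ``user``."""
        return self.get(
            viewname='rest_api:users-group-list', args=(user.pk,)
        )

    def test_user_group_list_no_access(self):
        """Listing a user's groups without view access on the user is rejected."""
        group = Group.objects.create(name=TEST_GROUP_2_NAME)
        user = self._create_user()
        user.groups.add(group)
        response = self._request_user_group_view(user=user)
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_user_group_list_with_user_access(self):
        """
        With view access on the user only, the request succeeds but no
        group is listed; presumably the groups are filtered by the caller's
        access to them (compare test_user_group_list_with_access).
        """
        group = Group.objects.create(name=TEST_GROUP_2_NAME)
        user = self._create_user()
        user.groups.add(group)
        self.grant_access(permission=permission_user_view, obj=user)
        response = self._request_user_group_view(user=user)
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data['count'], 0)

    def test_user_group_list_with_group_access(self):
        """View access on the group alone does not grant access to the user."""
        group = Group.objects.create(name=TEST_GROUP_2_NAME)
        user = self._create_user()
        user.groups.add(group)
        self.grant_access(permission=permission_group_view, obj=group)
        response = self._request_user_group_view(user=user)
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_user_group_list_with_access(self):
        """With view access on both the user and the group, the group is listed."""
        group = Group.objects.create(name=TEST_GROUP_2_NAME)
        user = self._create_user()
        user.groups.add(group)
        self.grant_access(permission=permission_user_view, obj=user)
        self.grant_access(permission=permission_group_view, obj=group)
        response = self._request_user_group_view(user=user)
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data['count'], 1)

    def _request_user_group_add(self, user, group):
        """POST ``group`` to the group list of ``user``."""
        return self.post(
            viewname='rest_api:users-group-list', args=(user.pk,), data={
                'group_pk_list': '{}'.format(group.pk)
            }
        )

    def test_user_group_add_no_access(self):
        """Adding a group without any access is rejected and nothing is linked."""
        group = Group.objects.create(name=TEST_GROUP_2_NAME)
        user = self._create_user()
        response = self._request_user_group_add(user=user, group=group)
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        user.refresh_from_db()
        self.assertEqual(group.user_set.first(), None)

    def test_user_group_add_with_user_access(self):
        """
        With edit access on the user only, the request is accepted but the
        group is not linked; presumably the group is filtered out because
        the caller has no access to it (compare test_user_group_add_with_access).
        """
        group = Group.objects.create(name=TEST_GROUP_2_NAME)
        user = self._create_user()
        self.grant_access(permission=permission_user_edit, obj=user)
        response = self._request_user_group_add(user=user, group=group)
        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
        # FIXME: Should this endpoint return a 201 or a 200 since
        # the user is being edited and there is not resource creation
        # happening.
        user.refresh_from_db()
        self.assertEqual(group.user_set.first(), None)

    def test_user_group_add_with_group_access(self):
        """View access on the group alone does not allow editing the user."""
        group = Group.objects.create(name=TEST_GROUP_2_NAME)
        user = self._create_user()
        self.grant_access(permission=permission_group_view, obj=group)
        response = self._request_user_group_add(user=user, group=group)
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        # The rejection must leave the membership untouched.
        user.refresh_from_db()
        self.assertEqual(group.user_set.first(), None)

    def test_user_group_add_with_access(self):
        """With edit access on the user and view access on the group, the user is linked."""
        group = Group.objects.create(name=TEST_GROUP_2_NAME)
        user = self._create_user()
        self.grant_access(permission=permission_user_edit, obj=user)
        self.grant_access(permission=permission_group_view, obj=group)
        response = self._request_user_group_add(user=user, group=group)
        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
        # FIXME: Should this endpoint return a 201 or a 200 since
        # the user is being edited and there is not resource creation
        # happening.
        user.refresh_from_db()
        self.assertEqual(group.user_set.first(), user)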
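class UserManagementGroupAPITestCase(BaseAPITestCase):
    """
    Access-control tests for the group endpoints of the REST API.

    Negative tests check both the HTTP 403 and that the group table is left
    unchanged. Group creation is guarded by ``grant_permission()`` (no
    object); edit and delete are guarded by ``grant_access()`` on the group
    stored in ``self.group`` by the test.
    """
    def setUp(self):
        """Log the test user in before every test."""
        super(UserManagementGroupAPITestCase, self).setUp()
        self.login_user()

    def _group_exists(self, name):
        """
        Return whether a group called ``name`` is present.

        Uses an ``exists()`` query instead of loading every group name into
        a list and testing membership in Python.
        """
        return Group.objects.filter(name=name).exists()

    def _request_group_create(self):
        """POST a new group to the group list endpoint."""
        return self.post(
            viewname='rest_api:group-list', data={
                'name': TEST_GROUP_2_NAME
            }
        )

    def test_group_create_no_permission(self):
        """Creating a group without the create permission is rejected."""
        response = self._request_group_create()
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        self.assertFalse(self._group_exists(TEST_GROUP_2_NAME))

    def test_group_create_with_permission(self):
        """With the create permission the group is persisted."""
        self.grant_permission(permission=permission_group_create)
        response = self._request_group_create()
        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
        self.assertTrue(self._group_exists(TEST_GROUP_2_NAME))

    def _request_group_edit_via_patch(self):
        """PATCH a new name for ``self.group`` to the group detail endpoint."""
        return self.patch(
            viewname='rest_api:group-detail', args=(self.group.pk,),
            data={
                'name': TEST_GROUP_2_NAME_EDITED
            }
        )

    def test_group_edit_via_patch_no_access(self):
        """PATCH without edit access is rejected and the name is unchanged."""
        self.group = Group.objects.create(name=TEST_GROUP_2_NAME)
        response = self._request_group_edit_via_patch()
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

        self.group.refresh_from_db()
        self.assertEqual(self.group.name, TEST_GROUP_2_NAME)

    def test_group_edit_via_patch_with_access(self):
        """PATCH with edit access on the group renames it."""
        self.group = Group.objects.create(name=TEST_GROUP_2_NAME)
        self.grant_access(permission=permission_group_edit, obj=self.group)
        response = self._request_group_edit_via_patch()
        self.assertEqual(response.status_code, status.HTTP_200_OK)

        self.group.refresh_from_db()
        self.assertEqual(self.group.name, TEST_GROUP_2_NAME_EDITED)

    def _request_group_delete(self):
        """DELETE ``self.group`` through the group detail endpoint."""
        return self.delete(
            viewname='rest_api:group-detail', args=(self.group.pk,)
        )

    def test_group_delete_no_access(self):
        """DELETE without delete access is rejected and the group survives."""
        self.group = Group.objects.create(name=TEST_GROUP_2_NAME)
        response = self._request_group_delete()

        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        self.assertTrue(self._group_exists(TEST_GROUP_2_NAME))

    def test_group_delete_with_access(self):
        """DELETE with delete access on the group removes it."""
        self.group = Group.objects.create(name=TEST_GROUP_2_NAME)
        self.grant_access(permission=permission_group_delete, obj=self.group)
        response = self._request_group_delete()

        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
        self.assertFalse(self._group_exists(TEST_GROUP_2_NAME))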