def test_asset_patch_validation(self):
"""User's only allow to PATCH an asset that has a department their are part of, and the
PATCH department has to be one he belongs to"""
client = APIClient()
asset_dict = copy.copy(COMPLETE_ASSET)
asset_dict['department'] = 'TESTDEPT2'
asset = Asset(**asset_dict)
asset.save()
result_patch = client.patch('/assets/%s/' % asset.pk,
{"name": "asset1"})
# Not allowed because the asset belongs to TESTDEPT2
self.assert_method_is_not_listed_as_allowed('PATCH', asset)
self.assertEqual(result_patch.status_code, 403)
# We fix the department, so now the user should be allow but we try to change the
# department to another that the user doesn't belong to
asset.department = 'TESTDEPT'
set_local_user(self.user)
asset.save()
# User is in principle allowed ...
self.assert_method_is_listed_as_allowed('PATCH', asset)
# ... but not in this case
result_patch = client.patch('/assets/%s/' % asset.pk,
{"department": "TESTDEPT2"})
self.assertEqual(result_patch.status_code, 403)
# This one should be allowed
result_patch = client.patch('/assets/%s/' % asset.pk,
{"name": "asset2"})
self.assert_method_is_listed_as_allowed('PATCH', asset)
self.assertEqual(result_patch.status_code, 200)
def test_asset_put_validation(self):
"""User's only allow to PUT an asset that has a department their are part of, and the
PUT department has to be one he belongs to"""
client = APIClient()
asset_dict = copy.copy(COMPLETE_ASSET)
asset_dict['department'] = 'TESTDEPT2'
asset = Asset(**asset_dict)
asset.save()
result_put = client.put('/assets/%s/' % asset.pk, COMPLETE_ASSET)
# Not allowed because the asset belongs to TESTDEPT2
self.assert_method_is_not_listed_as_allowed('PUT', asset)
self.assertEqual(result_put.status_code, 403)
# We fix the department, so now the user should be allow but we try to change the
# department to another that the user doesn't belong to
asset.department = 'TESTDEPT'
set_local_user(self.user)
asset.save()
# User can, in principle PUT...
self.assert_method_is_listed_as_allowed('PUT', asset)
# ... but not this asset
result_put = client.put('/assets/%s/' % asset.pk, asset_dict)
self.assertEqual(result_put.status_code, 403)
# This one should be allowed
asset_dict['department'] = 'TESTDEPT'
asset_dict['name'] = 'asset2'
result_put = client.put('/assets/%s/' % asset.pk, asset_dict)
self.assert_method_is_listed_as_allowed('PUT', asset)
self.assertEqual(result_put.status_code, 200)
def initial(self, request, *args, **kwargs):
"""Runs anything that needs to occur prior to calling the method handler."""
# Perform any authentication, permissions checking etc.
super().initial(request, *args, **kwargs)
# Set the local user for the auditing framework
set_local_user(request.user)
def setUp(self):
self.user = get_user_model().objects.create_user(username='******')
self.user_lookup = UserLookup.objects.create(
user=self.user, scheme='mock', identifier=self.user.username)
set_local_user(self.user)
self.asset = Asset(name='test-asset')
self.asset.save()
def test_audit_anonymous_user(self):
set_local_user(AnonymousUser())
# test
self.test_model._meta.fields.update(
{'description': "it's a round window"})
self.test_model.save()
# check
self.assertEqual(1, Audit.objects.count())
self.assertIsNone(Audit.objects.all().first().who)
def test_asset_stats(self):
"""The asset stats endpoint reports correct statistics."""
set_local_user(
self.user) # Some user which will be used in the audit log
# A complete asset
self.create_asset_from_dict(COMPLETE_ASSET)
# An incomplete asset w/ no personal data
self.create_asset_from_dict(
merge_dicts(COMPLETE_ASSET, {'personal_data': False},
deleted_keys=['name']))
# An asset from TESTDEPT2
self.create_asset_from_dict(
merge_dicts(COMPLETE_ASSET, {'department': 'TESTDEPT2'}))
# A deleted asset
asset = self.create_asset_from_dict(COMPLETE_ASSET)
asset.deleted_at = now()
asset.save()
# Retrieve the stats
client = APIClient()
response = client.get('/stats', format='json')
self.assertDictEqual(
json.loads(response.content), {
'all': {
'total': 3,
'completed': 2,
'with_personal_data': 2
},
'by_institution': {
'TESTDEPT': {
'total': 2,
'completed': 1,
'with_personal_data': 1
},
'TESTDEPT2': {
'total': 1,
'completed': 1,
'with_personal_data': 1
},
},
})
def setUp(self):
set_local_user(self.user)
self.test_model = TestModel()
def process_request(cls, request):
set_local_user(request.user)