def test_add_order_log(mdb): """ Confirm that logs are created when orders are added. Checks: * Confirm that a log entry is created after order is added. """ indata = { "order": { "description": "Test add order log description", "title": "Test add order log title", } } indata["order"].update(TEST_LABEL) session = requests.Session() helpers.as_user(session, USERS["edit"]) response = helpers.make_request(session, "/api/v1/order", method="POST", data=indata, ret_json=True) assert response.code == 200 assert "id" in response.data assert len(response.data["id"]) == 38 order = mdb["orders"].find_one({"_id": response.data["id"]}) logs = list(mdb["logs"].find({ "data_type": "order", "data._id": response.data["id"] })) assert len(logs) == 1 assert logs[0]["data"] == order assert logs[0]["action"] == "add"
def test_delete_user(mdb): """Test deleting users (added when testing to add users)""" re_users = re.compile("@added.example.com") users = list(mdb["users"].find({"email": re_users}, {"_id": 1})) if not users: assert False session = requests.Session() i = 0 while i < len(users): for role in USERS: as_user(session, USERS[role]) response = make_request(session, f'/api/v1/user/{users[i]["_id"]}', method="DELETE") if role in ("users", "root"): assert response.code == 200 assert not response.data assert not mdb["users"].find_one({"_id": users[i]["_id"]}) assert mdb["logs"].find_one({ "data._id": users[i]["_id"], "action": "delete", "data_type": "user", }) i += 1 if i >= len(users): break elif role == "no-login": assert response.code == 401 assert not response.data else: assert response.code == 403 assert not response.data
def test_delete_collection_bad(): """ Confirm that bad deletion attempts are handled correctly. Checks: * Random string as base user -> 403 * Random string as data user -> 404 * Random uuid as data user -> 404 """ session = requests.Session() as_user(session, USERS["base"]) for _ in range(2): response = make_request(session, f"/api/v1/collection/{random_string()}", method="DELETE") assert response.code == 403 assert not response.data as_user(session, USERS["data"]) for _ in range(2): response = make_request(session, f"/api/v1/collection/{random_string()}", method="DELETE") assert response.code == 404 assert not response.data for _ in range(2): response = make_request(session, f"/api/v1/collection/{uuid.uuid4()}", method="DELETE") assert response.code == 404 assert not response.data
def test_get_dataset_logs_permissions(mdb): """ Get dataset logs. Assert that DATA_MANAGEMENT or user in editors is required. """ dataset_data = mdb["datasets"].aggregate([{"$sample": {"size": 1}}]).next() order_data = mdb["orders"].find_one({"datasets": dataset_data["_id"]}) user_data = mdb["users"].find_one( {"$or": [{ "_id": { "$in": order_data["editors"] } }]}) responses = helpers.make_request_all_roles( f'/api/v1/dataset/{dataset_data["_id"]}/log', ret_json=True) for response in responses: if response.role in ("data", "root"): assert response.code == 200 assert "logs" in response.data elif response.role == "no-login": assert response.code == 401 assert not response.data else: assert response.code == 403 assert not response.data session = requests.Session() helpers.as_user(session, user_data["auth_ids"][0]) response = helpers.make_request( session, f'/api/v1/dataset/{dataset_data["_id"]}/log', ret_json=True) assert response.code == 200 assert "logs" in response.data
def test_key_login(): """Test API key login for all users""" session = requests.Session() helpers.as_user(session, None) for i, userid in enumerate(helpers.USERS): response = helpers.make_request( session, "/api/v1/login/apikey", data={ "api-user": helpers.USERS[userid], "api-key": str(i - 1) }, method="POST", ) if userid == "no-login": assert response.code == 401 assert not response.data else: assert response.code == 200 assert not response.data response = helpers.make_request(session, "/api/v1/developer/loginhello") assert response.code == 200 assert response.data == {"test": "success"}
def test_get_dataset(mdb): """ Confirm that datasets are returned correctly. Tests: * Confirm that the correct dataset is returned * Confirm that the dataset is not listed in ``related`` """ session = requests.Session() order_id = helpers.add_order() ds_id = helpers.add_dataset(order_id) ds_id2 = helpers.add_dataset(order_id) coll_id = helpers.add_collection([ds_id]) coll_id2 = helpers.add_collection([ds_id]) helpers.as_user(session, helpers.USERS["edit"]) order_data = mdb["orders"].find_one({"_id": order_id}) response = helpers.make_request(session, f"/api/v1/dataset/{ds_id}") assert response.code == 200 result = response.data["dataset"] assert result["order"]["id"] == str(order_id) assert set(entry["id"] for entry in result["related"]) == {str(ds_id2)} assert set(entry["id"] for entry in result["collections"]) == { str(coll_id), str(coll_id2) } assert set(entry["id"] for entry in result["authors"]) == set( str(entry) for entry in order_data["authors"]) assert set(entry["id"] for entry in result["generators"]) == set( str(entry) for entry in order_data["generators"]) assert result["organisation"]["id"] == str(order_data["organisation"]) assert set(entry["id"] for entry in result["editors"]) == set( str(entry) for entry in order_data["editors"]) helpers.as_user(session, helpers.USERS["base"]) order_data = mdb["orders"].find_one({"_id": order_id}) response = helpers.make_request(session, f"/api/v1/dataset/{ds_id}") assert response.code == 200 result = response.data["dataset"] assert "order" not in result assert set(entry["id"] for entry in result["related"]) == {str(ds_id2)} assert set(entry["id"] for entry in result["collections"]) == { str(coll_id), str(coll_id2) } assert set(entry["id"] for entry in result["authors"]) == set( str(entry) for entry in order_data["authors"]) assert set(entry["id"] for entry in result["generators"]) == set( str(entry) for entry in order_data["generators"]) assert result["organisation"]["id"] == str(order_data["organisation"]) assert "editors" not in result mdb["orders"].delete_one({"_id": order_id}) mdb["datasets"].delete_one({"_id": ds_id}) mdb["datasets"].delete_one({"_id": ds_id2}) mdb["collections"].delete_one({"_id": coll_id}) mdb["collections"].delete_one({"_id": coll_id2})
def test_info_add_dataset(): """Confirm that the redirect information works as intended.""" session = requests.session() helpers.as_user(session, helpers.USERS["data"]) response = helpers.make_request(session, "/api/v1/dataset", ret_json=False, method="POST") assert response.data == "Use http://localhost:5000/api/v1/order/-identifier-/dataset instead"
def test_get_collection_logs_permissions(mdb): """ Confirm that collection logs can only be accessed by the intended users. Checks: * DATA_MANAGEMENT can access any log. * DATA_EDIT can access entries where they are editors. * User in editors, but not DATA_EDIT cannot access logs. * Other users cannot access logs. """ collections = list(mdb["collections"].aggregate([{ "$sample": { "size": 5 } }])) session = requests.Session() helpers.as_user(session, helpers.USERS["data"]) for collection in collections: response = make_request(session, f'/api/v1/collection/{collection["_id"]}/log', ret_json=True) assert response.code == 200 assert "logs" in response.data coll_id = helpers.add_collection() responses = make_request_all_roles(f"/api/v1/collection/{coll_id}/log", ret_json=True) for response in responses: if response.role in ("edit", "data", "root"): assert response.code == 200 assert "logs" in response.data elif response.role == "no-login": assert response.code == 401 assert not response.data else: assert response.code == 403 assert not response.data base_user = mdb["users"].find_one({"auth_ids": helpers.USERS["base"]}) mdb["collections"].update_one({"_id": coll_id}, {"$set": { "editors": [base_user["_id"]] }}) for collection in collections: responses = make_request_all_roles( f'/api/v1/collection/{collection["_id"]}/log', ret_json=True) for response in responses: if response.role in ("data", "root"): assert response.code == 200 assert "logs" in response.data elif response.role == "no-login": assert response.code == 401 assert not response.data else: assert response.code == 403 assert not response.data
def test_dataset_update_bad(dataset_for_tests): """Confirm that bad requests will be rejected.""" indata = {"dataset": {"title": "Updated title"}} ds_uuid = helpers.random_string() responses = helpers.make_request_all_roles(f"/api/v1/dataset/{ds_uuid}", method="PATCH", data=indata) for response in responses: if response.role in ("edit", "data", "root"): assert response.code == 404 elif response.role == "no-login": assert response.code == 401 else: assert response.code == 403 assert not response.data ds_uuid = uuid.uuid4().hex responses = helpers.make_request_all_roles(f"/api/v1/dataset/{ds_uuid}", method="PATCH", data=indata) for response in responses: if response.role in ("edit", "data", "root"): assert response.code == 404 elif response.role == "no-login": assert response.code == 401 else: assert response.code == 403 assert not response.data ds_uuid = dataset_for_tests session = requests.Session() helpers.as_user(session, helpers.USERS["data"]) indata = {"title": ""} response = helpers.make_request(session, f"/api/v1/dataset/{ds_uuid}", method="PATCH", data=indata) assert response.code == 400 assert not response.data indata = {"dataset": {"extra": "asd"}} response = helpers.make_request(session, f"/api/v1/dataset/{ds_uuid}", method="PATCH", data=indata) assert response.code == 400 assert not response.data indata = {"dataset": {"timestamp": "asd"}} response = helpers.make_request(session, f"/api/v1/dataset/{ds_uuid}", method="PATCH", data=indata) assert response.code == 400 assert not response.data
def test_logout(): """Assure that session is cleared after logging out.""" session = requests.Session() helpers.as_user(session, helpers.USERS["root"]) response = helpers.make_request(session, "/api/v1/user/me") for field in response.data["user"]: assert response.data["user"][field] response = helpers.make_request(session, "/api/v1/logout", ret_json=False) response = helpers.make_request(session, "/api/v1/user/me") for field in response.data["user"]: assert not response.data["user"][field]
def test_add_dataset_data(mdb): """ Confirm that values are set correctly and logs are created. Checks: * All values can be set correctly * Dataset is added correctly to the order * Description is escaped """ order_id = helpers.add_order() indata = { "dataset": { "title": "New add dataset data title", "description": "<br />", "tags": ["testing", "add_dataset"], } } indata["dataset"].update(TEST_LABEL) session = requests.session() helpers.as_user(session, USERS["data"]) response = helpers.make_request( session, f"/api/v1/order/{order_id}/dataset", method="POST", data=indata, ret_json=True, ) assert response.code == 200 assert "id" in response.data assert len(response.data["id"]) == 38 order_info = mdb["orders"].find_one({"_id": order_id}) assert len(order_info["datasets"]) == 1 added_ds = mdb["datasets"].find_one({"_id": response.data["id"]}) for key in indata["dataset"]: if key == "description": assert added_ds[key] == "<br />" else: assert added_ds[key] == indata["dataset"][key] response = helpers.make_request( session, f"/api/v1/order/{order_id}/dataset", method="POST", data=indata, ret_json=True, ) assert response.code == 200 assert "id" in response.data assert len(response.data["id"]) == 38 order_info = mdb["orders"].find_one({"_id": order_id}) assert len(order_info["datasets"]) == 2
def test_update_user(mdb): """Update the info for a user.""" user_info = mdb["users"].find_one({"auth_ids": USERS["base"]}) indata = {} responses = make_request_all_roles(f'/api/v1/user/{user_info["_id"]}', ret_json=True, method="PATCH", data=indata) for response in responses: if response.role in ("users", "root"): assert response.code == 400 new_user_info = mdb["users"].find_one( {"auth_ids": { "$in": user_info["auth_ids"] }}) assert user_info == new_user_info elif response.role == "no-login": assert response.code == 401 else: assert response.code == 403 assert not response.data indata = { "user": { "affiliation": "Updated University", "name": "Updated name" } } session = requests.session() for user_type in USERS: as_user(session, USERS[user_type]) response = make_request( session, f'/api/v1/user/{user_info["_id"]}', ret_json=True, method="PATCH", data=indata, ) if user_type in ("users", "root"): assert response.code == 200 assert not response.data new_user_info = mdb["users"].find_one( {"auth_ids": user_info["auth_ids"]}) for key in indata["user"]: assert new_user_info[key] == indata["user"][key] mdb["users"].update_one(new_user_info, {"$set": user_info}) elif user_type == "no-login": assert response.code == 401 assert not response.data else: assert response.code == 403 assert not response.data
def test_list_all_orders(mdb): """ Confirm that orders are listed correctly. Checks: * DATA_MANAGEMENT lists all orders * DATA_EDIT gets all orders where they are editors * Other users get 403 or 401 * Order should contain id, title, tags, properties """ nr_orders = mdb["orders"].count_documents({}) responses = helpers.make_request_all_roles("/api/v1/order", ret_json=True) for response in responses: if response.role in ("data", "root"): assert response.code == 200 assert len(response.data["orders"]) == nr_orders assert set(response.data["orders"][0].keys()) == { "id", "properties", "tags", "title", } elif response.role == "no-login": assert response.code == 401 assert not response.data elif response.role == "edit": assert response.code == 200 edit_user = mdb["users"].find_one( {"auth_ids": helpers.USERS["edit"]}) edit_orders = mdb["orders"].count_documents( {"editors": edit_user["_id"]}) assert len(response.data["orders"]) == edit_orders else: assert response.code == 403 assert not response.data order_id = next(mdb["orders"].aggregate([{"$sample": {"size": 1}}])) user_info = mdb["users"].find_one({"_id": order_id["editors"][0]}) order_count = mdb["orders"].count_documents({"editors": user_info["_id"]}) session = requests.Session() helpers.as_user(session, user_info["auth_ids"][0]) response = helpers.make_request(session, "/api/v1/order", ret_json=True) assert response.code == 200 assert len(response.data["orders"]) == order_count assert set(response.data["orders"][0].keys()) == { "id", "properties", "tags", "title", }
def test_dataset_update_permissions(mdb): """ Confirm that permissions for updating datasets are correct. Checks: * DATA_MANAGER can update any dataset * DATA_EDIT can update datasets where they are editors (in the order) * Other users cannot update any dataset, even if they are editors """ session = requests.Session() order_id = helpers.add_order() ds_id = helpers.add_dataset(order_id) indata = {"dataset": {"title": "Updated dataset permissions title"}} responses = helpers.make_request_all_roles(f"/api/v1/dataset/{ds_id}", method="PATCH", data=indata) for response in responses: if response.role in ("edit", "data", "root"): assert response.code == 200 elif response.role == "no-login": assert response.code == 401 else: assert response.code == 403 assert not response.data indata = {"dataset": {"title": "Updated dataset permissions title 2"}} edit_user = mdb["users"].find_one({"auth_ids": helpers.USERS["edit"]}) mdb["orders"].update_one({"_id": order_id}, {"$pull": { "editors": edit_user["_id"] }}) helpers.as_user(session, helpers.USERS["edit"]) response = helpers.make_request(session, f"/api/v1/dataset/{ds_id}", method="PATCH", data=indata) assert response.code == 403 assert not response.data base_user = mdb["users"].find_one({"auth_ids": helpers.USERS["base"]}) mdb["orders"].update_one({"_id": order_id}, {"$push": { "editors": base_user["_id"] }}) helpers.as_user(session, helpers.USERS["base"]) response = helpers.make_request(session, f"/api/v1/dataset/{ds_id}", method="PATCH", data=indata) assert response.code == 403 assert not response.data
def test_get_order_data(mdb): """ Confirm that the retrieved data is from the correct order and contain the correct data. Checks: * Request multiple orders by uuid, one at a time. - Request the order and confirm that it contains the correct data. """ session = requests.Session() as_user(session, USERS["data"]) orders = list(mdb["orders"].aggregate([{"$sample": {"size": 3}}])) for entry in orders: # to simplify comparison entry["_id"] = str(entry["_id"]) # user entries for key in ("authors", "generators", "editors"): entry[key] = utils.user_uuid_data(entry[key], mdb) entry["organisation"] = utils.user_uuid_data(entry["organisation"], mdb)[0] for i, ds in enumerate(entry["datasets"]): entry["datasets"][i] = next(mdb["datasets"].aggregate([{ "$match": { "_id": ds } }, { "$project": { "_id": 1, "title": 1 } }])) entry["datasets"][i]["_id"] = str(entry["datasets"][i]["_id"]) response = make_request(session, f'/api/v1/order/{entry["_id"]}') assert response.code == 200 data = response.data["order"] assert len(entry) == len(data) for field in entry: if field in ("authors", "datasets", "generators", "editors"): assert len(entry[field]) == len(data[field]) assert set(subentry["_id"] for subentry in entry[field]) == set( subentry["id"] for subentry in data[field]) elif field == "_id": assert entry["_id"] == data["id"] elif field == "organisation": assert entry[field]["_id"] == data[field]["id"] else: assert entry[field] == data[field]
def test_update_current_user(mdb): """Update the info about the current user.""" session = requests.Session() indata = {"user": {}} for user in USERS: as_user(session, USERS[user]) user_info = mdb["users"].find_one({"auth_ids": USERS[user]}) response = make_request(session, "/api/v1/user/me", ret_json=True, method="PATCH", data=indata) if user != "no-login": assert response.code == 400 else: assert response.code == 401 assert not response.data new_user_info = mdb["users"].find_one({"auth_ids": USERS[user]}) assert user_info == new_user_info indata = { "user": { "affiliation": "Updated University", "name": "Updated name" } } session = requests.Session() for user in USERS: as_user(session, USERS[user]) user_info = mdb["users"].find_one({"auth_ids": USERS[user]}) response = make_request(session, "/api/v1/user/me", ret_json=True, method="PATCH", data=indata) if user != "no-login": assert response.code == 200 assert not response.data new_user_info = mdb["users"].find_one({"auth_ids": USERS[user]}) for key in new_user_info: if key in indata["user"].keys(): assert new_user_info[key] == indata["user"][key] else: mdb["users"].update_one(new_user_info, {"$set": user_info}) else: assert response.code == 401 assert not response.data
def test_get_collection_logs_bad(): """Confirm that bad identifiers return 404.""" session = requests.session() helpers.as_user(session, helpers.USERS["data"]) for _ in range(3): response = make_request(session, f"/api/v1/collection/{uuid.uuid4()}/log", ret_json=True) assert response.code == 404 assert not response.data response = make_request( session, f"/api/v1/collection/{helpers.random_string()}/log", ret_json=True) assert response.code == 404 assert not response.data
def test_get_order_logs_bad(): """ Request the logs for multiple orders. Confirm that bad identifiers give response 404. """ session = requests.session() for _ in range(2): as_user(session, USERS["data"]) response = make_request(session, f"/api/v1/order/{uuid.uuid4()}/log", ret_json=True) assert response.code == 404 response = make_request(session, f"/api/v1/order/{random_string()}/log", ret_json=True) assert response.code == 404
def test_add_dataset_log(mdb): """ Confirm that logs are added correctly when datasets are added. Checks: * An add log is created for the dataset * An edit log is created for the order """ order_id = helpers.add_order() indata = { "dataset": { "title": "New add dataset log title", "description": "<br />", "tags": ["testing", "add_dataset"], } } indata["dataset"].update(TEST_LABEL) session = requests.session() helpers.as_user(session, USERS["data"]) response = helpers.make_request( session, f"/api/v1/order/{order_id}/dataset", method="POST", data=indata, ret_json=True, ) assert response.code == 200 assert "id" in response.data ds_add_log_count = mdb["logs"].count_documents({ "data_type": "dataset", "data._id": response.data["id"], "action": "add", }) assert ds_add_log_count == 1 order_edit_log_count = mdb["logs"].count_documents({ "data_type": "order", "data._id": order_id, "action": "edit" }) assert order_edit_log_count == 1
def test_delete_order_bad(): """Confirm that bad uuids get an appropriate response.""" session = requests.Session() as_user(session, USERS["data"]) for _ in range(2): response = make_request(session, f"/api/v1/order/{random_string()}", method="DELETE") assert response.code == 404 assert not response.data for _ in range(2): response = make_request(session, f"/api/v1/order/{uuid.uuid4()}", method="DELETE") assert response.code == 404 assert not response.data
def test_delete_bad(): """Confirm that bad identifiers return 404.""" session = requests.Session() helpers.as_user(session, helpers.USERS["data"]) for _ in range(3): ds_uuid = helpers.random_string() response = helpers.make_request(session, f"/api/v1/dataset/{ds_uuid}", method="DELETE") assert response.code == 404 assert not response.data ds_uuid = uuid.uuid4() response = helpers.make_request(session, f"/api/v1/dataset/{ds_uuid}", method="DELETE") assert response.code == 404 assert not response.data
def test_get_order_logs_permissions(mdb): """ Confirm that only the intended users can access the logs. Checks: * DATA_MANAGEMENT can access logs for any order * DATA_EDIT required to be in editors """ order_data = mdb["orders"].aggregate([{"$sample": {"size": 1}}]).next() edit_user = mdb["users"].find_one({"auth_ids": USERS["edit"]}) # in case the edit user is an editor mdb["orders"].update_one({"_id": order_data["_id"]}, {"$pull": { "editors": edit_user["_id"] }}) responses = helpers.make_request_all_roles( f'/api/v1/order/{order_data["_id"]}/log', ret_json=True) for response in responses: if response.role in ("data", "root"): assert response.code == 200 assert "logs" in response.data elif response.role == "no-login": assert response.code == 401 assert not response.data else: assert response.code == 403 assert not response.data session = requests.Session() mdb["orders"].update_one({"_id": order_data["_id"]}, {"$push": { "editors": edit_user["_id"] }}) print(mdb["orders"].find_one({"_id": order_data["_id"]})) print(edit_user) helpers.as_user(session, USERS["edit"]) response = make_request(session, f'/api/v1/order/{order_data["_id"]}/log', ret_json=True) assert response.code == 200 assert "logs" in response.data
def test_get_dataset_logs(mdb): """ Request the logs for multiple datasets. Confirm that the logs contain only the intended fields. """ session = requests.session() datasets = mdb["datasets"].aggregate([{"$sample": {"size": 2}}]) for dataset in datasets: logs = list(mdb["logs"].find({ "data_type": "dataset", "data._id": dataset["_id"] })) helpers.as_user(session, helpers.USERS["data"]) response = helpers.make_request( session, f'/api/v1/dataset/{dataset["_id"]}/log', ret_json=True) assert response.data["data_type"] == "dataset" assert response.data["entry_id"] == str(dataset["_id"]) assert len(response.data["logs"]) == len(logs) assert response.code == 200
def test_list_user_datasets_with_datasets(mdb): """ Confirm that users get the correct datasets. Tests: * Select a few users, confirm that the returned datasets are correct * Confirm that the included fields are the intended ones """ session = requests.Session() orders = mdb["orders"].aggregate([{ "$match": { "datasets": { "$not": { "$size": 0 } } } }, { "$sample": { "size": 2 } }]) user_uuids = list( itertools.chain.from_iterable(order["editors"] for order in orders)) users = mdb["users"].find({"_id": {"$in": list(user_uuids)}}) for user in users: user_orders = list(mdb["orders"].find({"editors": user["_id"]}, {"datasets": 1})) user_datasets = list( itertools.chain.from_iterable(order["datasets"] for order in user_orders)) user_datasets = [str(uuid) for uuid in user_datasets] helpers.as_user(session, user["auth_ids"][0]) response = helpers.make_request(session, "/api/v1/dataset/user") assert response.code == 200 assert len(user_datasets) == len(response.data["datasets"]) assert set( entry["id"] for entry in response.data["datasets"]) == set(user_datasets)
def test_get_user_logs(mdb): """ Request the logs for multiple users. Confirm that the logs contain only the intended fields. """ session = requests.session() users = mdb["users"].aggregate([{"$sample": {"size": 2}}]) for user in users: logs = list(mdb["logs"].find({ "data_type": "user", "data._id": user["_id"] })) as_user(session, USERS["users"]) response = make_request(session, f'/api/v1/user/{user["_id"]}/log', ret_json=True) assert response.data["data_type"] == "user" assert response.data["entry_id"] == str(user["_id"]) assert len(response.data["logs"]) == len(logs) assert response.code == 200
def test_get_collection_logs(mdb): """ Request the logs for multiple collections. Confirm that the logs contain only the intended fields. """ session = requests.session() collections = mdb["collections"].aggregate([{"$sample": {"size": 2}}]) for collection in collections: logs = list(mdb["logs"].find({ "data_type": "collection", "data._id": collection["_id"] })) as_user(session, USERS["data"]) response = make_request(session, f'/api/v1/collection/{collection["_id"]}/log', ret_json=True) assert response.data["data_type"] == "collection" assert response.data["entry_id"] == str(collection["_id"]) assert len(response.data["logs"]) == len(logs) assert response.code == 200
def test_get_order_permissions(mdb): """ Confirm that only the correct users can access order information. Checks: * DATA_MANAGEMENT can access any order * DATA_EDIT can access orders where they are * Other users cannot access data """ session = requests.Session() orders = list(mdb["orders"].aggregate([{ "$match": { "auth_ids": USER_RE } }, { "$sample": { "size": 2 } }])) for entry in orders: owner = mdb["users"].find_one({"_id": entry["editors"][0]}) responses = helpers.make_request_all_roles( f'/api/v1/entry/{entry["_id"]}', ret_json=True) for response in responses: if response.role in ("data", "root"): assert response.code == 200 elif response.role == "no-login": assert response.code == 401 assert not response.data else: assert response.code == 403 assert not response.data helpers.as_user(session, owner["auth_ids"][0]) response = make_request(session, f'/api/v1/entry/{entry["_id"]}') assert response.code == 200
def test_dataset_update_data(mdb): """ Confirm that the dataset is updated correctly. Tests: * All fields are correctly updated * Confirm that description is escaped * Confirm that a log entry is created """ session = requests.Session() ds_id = helpers.add_dataset(helpers.add_order()) indata = { "dataset": { "description": "<br />", "title": "Test title - dataset update data", } } indata["dataset"].update(TEST_LABEL) helpers.as_user(session, helpers.USERS["data"]) response = helpers.make_request(session, f"/api/v1/dataset/{ds_id}", method="PATCH", data=indata) assert response.code == 200 assert not response.data dataset = mdb["datasets"].find_one({"_id": ds_id}) assert dataset["title"] == indata["dataset"]["title"] assert dataset["description"] == "<br />" assert mdb["logs"].find_one({ "data._id": ds_id, "action": "edit", "data_type": "dataset" })
def test_delete_dataset_permissions(mdb): """ Confirm that permissions for deleting datasets are correct. Checks: * DATA_MANAGER can delete any dataset * DATA_EDIT can delete dataset where they are editors (in the order) * Other users cannot delete any dataset, even if they are editors """ order_id = helpers.add_order() ds_id = helpers.add_dataset(order_id) session = requests.Session() for role in helpers.USERS: helpers.as_user(session, helpers.USERS[role]) response = helpers.make_request(session, f"/api/v1/dataset/{ds_id}", method="DELETE", ret_json=True) if role in ("edit", "data", "root"): assert response.code == 200 ds_id = helpers.add_dataset(order_id) elif role == "no-login": assert response.code == 401 else: assert response.code == 403 assert not response.data edit_user = mdb["users"].find_one({"auth_ids": helpers.USERS["edit"]}) mdb["orders"].update_one({"_id": order_id}, {"$pull": { "editors": edit_user["_id"] }}) helpers.as_user(session, helpers.USERS["edit"]) response = helpers.make_request(session, f"/api/v1/dataset/{ds_id}", method="DELETE", ret_json=True) assert response.code == 403 assert not response.data base_user = mdb["users"].find_one({"auth_ids": helpers.USERS["base"]}) mdb["orders"].update_one({"_id": order_id}, {"$push": { "editors": base_user["_id"] }}) helpers.as_user(session, helpers.USERS["base"]) response = helpers.make_request(session, f"/api/v1/dataset/{ds_id}", method="DELETE", ret_json=True) assert response.code == 403 assert not response.data
def test_add_user(mdb): """Add a user.""" indata = {"user": {"email": "*****@*****.**"}} session = requests.Session() for role in USERS: as_user(session, USERS[role]) response = make_request(session, "/api/v1/user", ret_json=True, method="POST", data=indata) if role in ("users", "root", "edit"): assert response.code == 200 assert "id" in response.data new_user_info = mdb["users"].find_one({"_id": response.data["id"]}) assert indata["user"]["email"] == new_user_info["email"] indata["user"]["email"] = "new_" + indata["user"]["email"] elif role == "no-login": assert response.code == 401 assert not response.data else: assert response.code == 403 assert not response.data indata = { "user": { "affiliation": "Added University", "name": "Added name", "email": "*****@*****.**", "permissions": ["DATA_EDIT"], } } session = requests.session() as_user(session, USERS["edit"]) response = make_request(session, "/api/v1/user", ret_json=True, method="POST", data=indata) assert response.code == 403 as_user(session, USERS["root"]) response = make_request(session, "/api/v1/user", ret_json=True, method="POST", data=indata) assert response.code == 200 assert "id" in response.data new_user_info = mdb["users"].find_one({"_id": response.data["id"]}) for key in indata["user"]: assert new_user_info[key] == indata["user"][key]