def test_stored_payment_sources_restriction(
mocker, staff_api_client, customer_user, permission_manage_users
):
# Only owner of storedPaymentSources can fetch it.
card = CreditCardInfo(
last_4="5678", exp_year=2020, exp_month=12, name_on_card="JohnDoe"
)
source = CustomerSource(id="test1", gateway="dummy", credit_card_info=card)
mocker.patch(
"saleor.graphql.account.resolvers.gateway.list_payment_sources",
return_value=[source],
autospec=True,
)
customer_user_id = graphene.Node.to_global_id("User", customer_user.pk)
query = """
query PaymentSources($id: ID!) {
user(id: $id) {
storedPaymentSources {
creditCardInfo {
firstDigits
}
}
}
}
"""
variables = {"id": customer_user_id}
response = staff_api_client.post_graphql(
query, variables, permissions=[permission_manage_users]
)
assert_no_permission(response)
def test_query_gift_card_with_permissions(
staff_api_client, gift_card, permission_manage_gift_card, permission_manage_users
):
query = """
query giftCard($id: ID!) {
giftCard(id: $id){
id
displayCode
user {
email
}
}
}
"""
gift_card_id = graphene.Node.to_global_id("GiftCard", gift_card.pk)
variables = {"id": gift_card_id}
# Query should fail without manage_users permission.
response = staff_api_client.post_graphql(
query, variables, permissions=[permission_manage_gift_card]
)
assert_no_permission(response)
# Query should succeed with manage_users and manage_gift_card permissions.
response = staff_api_client.post_graphql(
query,
variables,
permissions=[permission_manage_gift_card, permission_manage_users],
)
content = get_graphql_content(response)
data = content["data"]["giftCard"]
assert data["id"] == gift_card_id
assert data["displayCode"] == gift_card.display_code
assert data["user"]["email"] == gift_card.user.email
def post_graphql(
self,
query,
variables=None,
permissions=None,
check_no_permissions=True,
**kwargs,
):
"""Dedicated helper for posting GraphQL queries.
Sets the `application/json` content type and json.dumps the variables
if present.
"""
data = {"query": query}
if variables is not None:
data["variables"] = variables
if data:
data = json.dumps(data, cls=DjangoJSONEncoder)
kwargs["content_type"] = "application/json"
if permissions:
if check_no_permissions:
response = super().post(API_PATH, data, **kwargs)
assert_no_permission(response)
if self.app:
self.app.permissions.add(*permissions)
else:
self.user.user_permissions.add(*permissions)
result = super().post(API_PATH, data, **kwargs)
flush_post_commit_hooks()
return result
def test_query_stock_requires_permission(staff_api_client, stock):
assert not staff_api_client.user.has_perm(
ProductPermissions.MANAGE_PRODUCTS)
stock_id = graphene.Node.to_global_id("Stock", stock.pk)
response = staff_api_client.post_graphql(QUERY_STOCK,
variables={"id": stock_id})
assert_no_permission(response)
def test_webhook_delete_when_app_doesnt_exist(app_api_client, app):
app.delete()
query = WEBHOOK_DELETE_BY_APP
webhook_id = graphene.Node.to_global_id("Webhook", 1)
variables = {"id": webhook_id}
response = app_api_client.post_graphql(query, variables=variables)
assert_no_permission(response)
def test_app_token_create_no_permissions(staff_api_client, staff_user):
app = App.objects.create(name="New_app")
query = APP_TOKEN_CREATE_MUTATION
id = graphene.Node.to_global_id("App", app.id)
variables = {"name": "Default token", "app": id}
response = staff_api_client.post_graphql(query,
variables={"input": variables})
assert_no_permission(response)
def test_service_account_token_create_no_permissions(staff_api_client,
staff_user):
app = App.objects.create(name="New_sa")
query = SERVICE_ACCOUNT_TOKEN_CREATE_MUTATION
id = graphene.Node.to_global_id("ServiceAccount", app.id)
variables = {"name": "Default token", "serviceAccount": id}
response = staff_api_client.post_graphql(query,
variables={"input": variables})
assert_no_permission(response)
def test_webhook_delete_by_inactive_app(app_api_client, webhook):
app = webhook.app
app.is_active = False
app.save()
query = WEBHOOK_DELETE_BY_APP
webhook_id = graphene.Node.to_global_id("Webhook", webhook.pk)
variables = {"id": webhook_id}
response = app_api_client.post_graphql(query, variables=variables)
assert_no_permission(response)
def test_app_token_delete_no_permissions(staff_api_client, staff_user, app):
query = APP_TOKEN_DELETE_MUTATION
token = app.tokens.get()
id = graphene.Node.to_global_id("AppToken", token.id)
variables = {"id": id}
response = staff_api_client.post_graphql(query, variables=variables)
assert_no_permission(response)
token.refresh_from_db()
def test_webhook_update_not_allowed_by_app(app_api_client, app, webhook):
query = WEBHOOK_UPDATE
webhook_id = graphene.Node.to_global_id("Webhook", webhook.pk)
variables = {
"id": webhook_id,
"events": [WebhookEventTypeEnum.ORDER_CREATED.name],
"is_active": False,
}
response = app_api_client.post_graphql(query, variables=variables)
assert_no_permission(response)
def test_app_update_no_permission(app, staff_api_client, staff_user):
query = APP_UPDATE_MUTATION
id = graphene.Node.to_global_id("App", app.id)
variables = {
"id": id,
"is_active": False,
"permissions": [PermissionEnum.MANAGE_PRODUCTS.name],
}
response = staff_api_client.post_graphql(query, variables=variables)
assert_no_permission(response)
def test_assign_menu(
staff_api_client,
menu,
permission_manage_menus,
permission_manage_settings,
site_settings,
):
query = """
mutation AssignMenu($menu: ID, $navigationType: NavigationType!) {
assignNavigation(menu: $menu, navigationType: $navigationType) {
errors {
field
message
}
menu {
name
}
}
}
"""
# test mutations fails without proper permissions
menu_id = graphene.Node.to_global_id("Menu", menu.pk)
variables = {"menu": menu_id, "navigationType": NavigationType.MAIN.name}
response = staff_api_client.post_graphql(query, variables)
assert_no_permission(response)
staff_api_client.user.user_permissions.add(permission_manage_menus)
staff_api_client.user.user_permissions.add(permission_manage_settings)
# test assigning main menu
response = staff_api_client.post_graphql(query, variables)
content = get_graphql_content(response)
assert content["data"]["assignNavigation"]["menu"]["name"] == menu.name
site_settings.refresh_from_db()
assert site_settings.top_menu.name == menu.name
# test assigning secondary menu
variables = {
"menu": menu_id,
"navigationType": NavigationType.SECONDARY.name
}
response = staff_api_client.post_graphql(query, variables)
content = get_graphql_content(response)
assert content["data"]["assignNavigation"]["menu"]["name"] == menu.name
site_settings.refresh_from_db()
assert site_settings.bottom_menu.name == menu.name
# test unasigning menu
variables = {"id": None, "navigationType": NavigationType.MAIN.name}
response = staff_api_client.post_graphql(query, variables)
content = get_graphql_content(response)
assert not content["data"]["assignNavigation"]["menu"]
site_settings.refresh_from_db()
assert site_settings.top_menu is None
def test_webhook_create_app_doesnt_exist(app_api_client, app):
app.delete()
query = WEBHOOK_CREATE_BY_APP
variables = {
"target_url": "https://www.example.com",
"events": [WebhookEventTypeEnum.ORDER_CREATED.name],
"name": "",
}
response = app_api_client.post_graphql(query, variables=variables)
assert_no_permission(response)
def test_webhook_create_without_app(app_api_client, app):
app_api_client.app = None
app_api_client.app_token = None
query = WEBHOOK_CREATE_BY_APP
variables = {
"target_url": "https://www.example.com",
"events": [WebhookEventTypeEnum.ORDER_CREATED.name],
"name": "",
}
response = app_api_client.post_graphql(query, variables=variables)
assert_no_permission(response)
def test_webhook_create_by_staff_without_permission(staff_api_client, app):
query = WEBHOOK_CREATE_BY_STAFF
app_id = graphene.Node.to_global_id("App", app.pk)
variables = {
"target_url": "https://www.example.com",
"events": [WebhookEventTypeEnum.ORDER_CREATED.name],
"app": app_id,
}
response = staff_api_client.post_graphql(query, variables=variables)
assert_no_permission(response)
assert Webhook.objects.count() == 0
def test_query_plugin_configuration_as_customer_user(user_api_client,
settings):
settings.PLUGINS = [
"saleor.graphql.plugins.tests.test_plugins.PluginSample"
]
manager = get_plugins_manager()
sample_plugin = manager.get_plugin(PluginSample.PLUGIN_ID)
variables = {"id": sample_plugin.PLUGIN_ID}
response = user_api_client.post_graphql(PLUGIN_QUERY, variables)
assert_no_permission(response)
def test_fulfillment_update_metadata_user_has_no_permision(
staff_api_client, staff_user, update_metadata_mutation,
update_metadata_variables):
assert not staff_user.has_perm(OrderPermissions.MANAGE_ORDERS)
response = staff_api_client.post_graphql(
update_metadata_mutation,
update_metadata_variables,
permissions=[],
check_no_permissions=False,
)
assert_no_permission(response)
def test_webhook_create_by_staff_with_inactive_service_account(
staff_api_client, app):
app.is_active = False
query = WEBHOOK_CREATE_BY_STAFF
service_account_id = graphene.Node.to_global_id("ServiceAccount", app.pk)
variables = {
"target_url": "https://www.example.com",
"events": [WebhookEventTypeEnum.ORDER_CREATED.name],
"service_account": service_account_id,
}
response = staff_api_client.post_graphql(query, variables=variables)
assert_no_permission(response)
assert Webhook.objects.count() == 0
def post_multipart(self, *args, permissions=None, **kwargs):
"""Send a multipart POST request.
This is used to send multipart requests to GraphQL API when e.g.
uploading files.
"""
kwargs["content_type"] = MULTIPART_CONTENT
if permissions:
response = super().post(API_PATH, *args, **kwargs)
assert_no_permission(response)
self.user.user_permissions.add(*permissions)
return super().post(API_PATH, *args, **kwargs)
def test_update_gift_card_without_premissions(staff_api_client, gift_card):
new_code = "new_test_code"
balance = 150
assert gift_card.code != new_code
assert gift_card.current_balance != balance
variables = {
"id": graphene.Node.to_global_id("GiftCard", gift_card.id),
"balance": balance,
"userEmail": staff_api_client.user.email,
}
response = staff_api_client.post_graphql(UPDATE_GIFT_CARD_MUTATION, variables)
assert_no_permission(response)
def test_fulfillment_clear_meta_user_has_no_permission(
staff_api_client,
staff_user,
fulfillment,
clear_meta_variables,
clear_metadata_mutation,
):
assert not staff_user.has_perm(OrderPermissions.MANAGE_ORDERS)
fulfillment.store_value_in_metadata(items={"foo": "bar"})
fulfillment.save()
response = staff_api_client.post_graphql(clear_metadata_mutation,
clear_meta_variables)
assert_no_permission(response)
def test_staff_clear_meta_without_permissions(staff_api_client,
customer_with_meta, mutation):
user_id = graphene.Node.to_global_id("User", customer_with_meta.id)
variables = {
"id": user_id,
"input": {
"namespace": PUBLIC_META_NAMESPACE,
"clientName": META_CLIENT,
"key": PUBLIC_KEY,
},
}
response = staff_api_client.post_graphql(mutation, variables)
assert_no_permission(response)
def test_webhook_create_inactive_app(app_api_client, app, permission_manage_orders):
app.is_active = False
app.save()
query = WEBHOOK_CREATE_BY_APP
variables = {
"target_url": "https://www.example.com",
"events": [WebhookEventTypeEnum.ORDER_CREATED.name],
"name": "",
}
response = app_api_client.post_graphql(
query, variables=variables, permissions=[permission_manage_orders]
)
assert_no_permission(response)
def test_apps_query_no_permission(staff_api_client, permission_manage_users,
permission_manage_staff, app):
variables = {"filter": {}}
response = staff_api_client.post_graphql(QUERY_APPS_WITH_FILTER,
variables,
permissions=[])
assert_no_permission(response)
response = staff_api_client.post_graphql(
QUERY_APPS_WITH_FILTER,
variables,
permissions=[permission_manage_users, permission_manage_staff],
)
assert_no_permission(response)
def test_create_gift_card_without_premissions(staff_api_client):
code = "mirumee"
start_date = date(day=1, month=1, year=2018)
end_date = date(day=1, month=1, year=2019)
initial_balance = 100
variables = {
"code": code,
"startDate": start_date.isoformat(),
"endDate": end_date.isoformat(),
"balance": initial_balance,
"userEmail": staff_api_client.user.email,
}
response = staff_api_client.post_graphql(CREATE_GIFT_CARD_MUTATION, variables)
assert_no_permission(response)
def test_staff_update_meta_without_permissions(staff_api_client,
customer_with_meta, mutation):
user_id = graphene.Node.to_global_id("User", customer_with_meta.id)
variables = {
"id": user_id,
"input": {
"namespace": "new_namespace",
"clientName": "client_name",
"key": "meta_key",
"value": "value",
},
}
response = staff_api_client.post_graphql(mutation, variables)
assert_no_permission(response)
def test_service_accounts_query_no_permission(staff_api_client,
permission_manage_users,
permission_manage_staff, app):
variables = {"filter": {}}
response = staff_api_client.post_graphql(
QUERY_SERVICE_ACCOUNTS_WITH_FILTER, variables, permissions=[])
assert_no_permission(response)
response = staff_api_client.post_graphql(
QUERY_SERVICE_ACCOUNTS_WITH_FILTER,
variables,
permissions=[permission_manage_users, permission_manage_staff],
)
assert_no_permission(response)
def test_service_account_create_mutation_no_permissions(
permission_manage_service_accounts,
permission_manage_products,
staff_api_client,
staff_user,
):
query = SERVICE_ACCOUNT_CREATE_MUTATION
variables = {
"name": "New integration",
"is_active": True,
"permissions": [PermissionEnum.MANAGE_PRODUCTS.name],
}
response = staff_api_client.post_graphql(query, variables=variables)
assert_no_permission(response)
def test_query_gift_card_without_premissions(
user_api_client, gift_card_created_by_staff
):
query = """
query giftCard($id: ID!) {
giftCard(id: $id){
id
}
}
"""
gift_card_id = graphene.Node.to_global_id("GiftCard", gift_card_created_by_staff.pk)
variables = {"id": gift_card_id}
response = user_api_client.post_graphql(query, variables)
assert_no_permission(response)
def test_plugin_configuration_update_as_customer_user(user_api_client,
settings):
settings.PLUGINS = ["saleor.plugins.tests.sample_plugins.PluginSample"]
manager = get_plugins_manager()
plugin = manager.get_plugin(PluginSample.PLUGIN_ID)
variables = {
"id": plugin.PLUGIN_ID,
"active": True,
"configuration": [{
"name": "Username",
"value": "user"
}],
}
response = user_api_client.post_graphql(PLUGIN_UPDATE_MUTATION, variables)
assert_no_permission(response)
