def test_access_permitted_for_active_flag(self):
    """Check that a batch is only permitted when both active flags are set.

    The batch must have active=True and its project must not have been
    created with active=False. Every other combination must leave the
    permitted set empty for the user.
    """
    user = User.objects.create_user('testuser', password='******')

    def visible_count():
        # Re-query on every call so each assertion sees the current rows.
        return len(Batch.access_permitted_for(user))

    # Baseline: with no batches at all, nothing is permitted.
    self.assertEqual(visible_count(), 0)

    # Created with model defaults; the final assertion only holds if that
    # default is an active project (presumably active=True; confirm on
    # the Project model).
    active_project = Project.objects.create()
    inactive_project = Project.objects.create(active=False)

    # Each of these combinations has at least one flag disabled, so the
    # batch must stay hidden.
    hidden_combinations = (
        (False, active_project),
        (False, inactive_project),
        (True, inactive_project),
    )
    for batch_active, owning_project in hidden_combinations:
        Batch.objects.create(active=batch_active, project=owning_project)
        self.assertEqual(visible_count(), 0)

    # Only the active batch in the active project becomes visible.
    Batch.objects.create(active=True, project=active_project)
    self.assertEqual(visible_count(), 1)
def test_available_tasks_for_anon_user(self):
    """Check task visibility for anonymous versus authenticated users.

    A batch created with login_required=True must expose neither itself
    nor its tasks to an AnonymousUser. A batch created with
    login_required=False must be visible to both kinds of user.

    Uses self.project and self.batch_query, which are set up outside this
    method.
    """
    anon_user = AnonymousUser()
    user = User.objects.create_user('user', password='******')

    def permitted_count(who):
        return len(Batch.access_permitted_for(who))

    def check_available_tasks(batch, who, expected):
        # Both the per-batch API and the bulk-count API must agree,
        # otherwise one code path could leak tasks the other hides.
        self.assertEqual(len(batch.available_tasks_for(who)), expected)
        self.assertEqual(
            Batch.available_task_counts_for(self.batch_query, who)[batch.id],
            expected)

    self.assertEqual(permitted_count(user), 0)

    # Login-protected batch: hidden from anonymous, visible once logged in.
    batch_protected = Batch.objects.create(
        active=True,
        login_required=True,
        project=self.project,
    )
    self.assertEqual(permitted_count(anon_user), 0)
    self.assertEqual(permitted_count(user), 1)

    Task.objects.create(batch=batch_protected)
    check_available_tasks(batch_protected, anon_user, 0)
    check_available_tasks(batch_protected, user, 1)

    # Unprotected batch: visible to everyone, including anonymous users.
    batch_unprotected = Batch.objects.create(
        active=True,
        login_required=False,
        project=self.project,
    )
    Task.objects.create(batch=batch_unprotected)
    self.assertEqual(permitted_count(anon_user), 1)
    self.assertEqual(permitted_count(user), 2)

    check_available_tasks(batch_unprotected, anon_user, 1)
    check_available_tasks(batch_unprotected, user, 1)
def test_access_permitted_for_login_required(self):
    """Check that a login_required batch is hidden from anonymous users.

    The same batch must be permitted for an authenticated user.
    """
    def permitted_count(who):
        return len(Batch.access_permitted_for(who))

    anonymous_user = AnonymousUser()
    # Baseline: no batches exist yet.
    self.assertEqual(permitted_count(anonymous_user), 0)

    project = Project.objects.create()
    Batch.objects.create(login_required=True, project=project)

    # The protected batch must not be permitted without authentication.
    self.assertEqual(permitted_count(anonymous_user), 0)

    # The user is created only after the batch exists; the batch is still
    # permitted for them.
    authenticated_user = User.objects.create_user('testuser', password='******')
    self.assertEqual(permitted_count(authenticated_user), 1)
def index(request):
    """Render the landing page with the work visible to the requester.

    Security behavior:
    - No login is required to reach this view. What it renders is limited
      to the requester's own incomplete task assignments and to the
      batches returned by Batch.access_permitted_for(request.user).
    """
    requester = request.user

    # Assignments are looked up only for an authenticated requester and
    # are always filtered by assigned_to, so one user's unfinished work is
    # never listed for another.
    abandoned_assignments = []
    if requester.is_authenticated:
        unfinished = TaskAssignment.objects.filter(
            assigned_to=requester).filter(completed=False)
        abandoned_assignments = [
            {'task': assignment.task, 'task_assignment_id': assignment.id}
            for assignment in unfinished
        ]

    # Batch.access_permitted_for is the only access filter applied here;
    # everything listed below derives from its result.
    permitted_ids = [b.id for b in Batch.access_permitted_for(requester)]
    batch_query = Batch.objects.filter(id__in=permitted_ids)
    available_task_counts = Batch.available_task_counts_for(
        batch_query, requester)

    batch_rows = []
    columns = ('created_at', 'id', 'name', 'project__name')
    for batch in batch_query.values(*columns):
        batch_id = batch['id']
        total_tasks_available = available_task_counts[batch_id]
        if total_tasks_available <= 0:
            # Batches with nothing left for this user are not listed.
            continue
        url_kwargs = {'batch_id': batch_id}
        # NOTE(review): omitting a batch from this listing does not by
        # itself protect the linked endpoints; confirm that
        # preview_next_task and accept_next_task enforce their own access
        # checks.
        batch_rows.append({
            'project_name': batch['project__name'],
            'batch_name': batch['name'],
            'batch_published': batch['created_at'],
            'assignments_available': total_tasks_available,
            'preview_next_task_url': reverse('preview_next_task',
                                             kwargs=url_kwargs),
            'accept_next_task_url': reverse('accept_next_task',
                                            kwargs=url_kwargs),
        })

    context = {
        'abandoned_assignments': abandoned_assignments,
        'batch_rows': batch_rows,
    }
    return render(request, 'index.html', context)