def test_403_csrf_exception(self):
    """With CSRF checks enforced, a POST to the issue API is refused with 403.

    The refusal must be rendered in whichever content type the client
    negotiated via ``Accept``, so each entry of ``ACCEPT_TYPES`` is tried.
    """
    # Swap the default test client for one that enforces CSRF checks.
    self.c = self.client_class(enforce_csrf_checks=True)
    for accept_type in self.ACCEPT_TYPES:
        request_headers = {
            'HTTP_ACCEPT': accept_type,
            'CONTENT_TYPE': 'application/json',
        }
        resp = self.post(self.ISSUE_API_URL, {}, headers=request_headers)
        # The error body must honour the negotiated content type, not fall
        # back to a default renderer.
        assert_in(accept_type, resp['Content-Type'])
        assert_http_forbidden(resp)
def test_only_superuser_may_add_user(self):
    """A non-superuser posting the add-user form is refused and no user is created.

    Both the HTTP status and the database state are checked, so an
    accepted-but-masked write would still be caught.
    """
    USERNAME = '******'
    add_url = '%sadd/' % self.USER_UI_URL
    form_data = {
        'add-is-user-username': USERNAME,
        'add-is-user-password': '******',
    }
    resp = self.post(add_url, data=form_data)
    assert_http_forbidden(resp)
    # The refusal must also hold on the persisted side.
    assert_false(User.objects.filter(username=USERNAME).exists())
def test_only_superuser_may_add_user(self):
    """A non-superuser posting the add-user form is refused and no user is created.

    Both the HTTP status and the database state are checked, so an
    accepted-but-masked write would still be caught.
    """
    USERNAME = '******'
    add_url = '%sadd/' % self.USER_UI_URL
    form_data = {
        'add-is-user-username': USERNAME,
        'add-is-user-password': '******',
    }
    resp = self.post(add_url, data=form_data)
    assert_http_forbidden(resp)
    # The refusal must also hold on the persisted side.
    assert_false(User.objects.filter(username=USERNAME).exists())
def test_403_exception(self):
    """GET on the API detail of the user returned by ``get_user_obj`` is refused.

    The 403 is checked once per entry of ``ACCEPT_TYPES`` and must be
    rendered in the negotiated content type.
    """
    user = self.get_user_obj()
    detail_url = '%s%s/' % (self.USER_API_URL, user.pk)
    for accept_type in self.ACCEPT_TYPES:
        resp = self.get(detail_url, headers={'HTTP_ACCEPT': accept_type})
        # Content negotiation must still apply to the error response.
        assert_in(accept_type, resp['Content-Type'])
        assert_http_forbidden(resp)
def test_user_with_permission_should_do_allowed_operations(self):
    """Explicit permissions open exactly the matching API operations.

    The logged-in user is granted issue read/create and user update/delete.
    Operations outside that set must stay 403.  A permitted write with an
    empty payload is expected to fail validation (400), i.e. authorization
    has already passed.  PATCH is not exercised here.
    """
    self.sync_permissions()
    issue = self.create_issue()
    user = self.create_user('new_user', 'password', '*****@*****.**')
    logged_user = self.logged_user.user

    granted = [
        Perm.objects.get(codename='{}__{}'.format(model, action))
        for model, action in (
            ('issue', 'read'),
            ('issue', 'create'),
            ('user', 'delete'),
            ('user', 'update'),
        )
    ]
    logged_user.fperms.add(*granted)

    user_detail = '/api/user/{}/'.format(user.pk)
    issue_detail = '/api/issue/{}/'.format(issue.pk)

    # Collection endpoints: read and create.
    assert_http_forbidden(self.get('/api/user/'))
    assert_http_ok(self.get('/api/issue/'))
    assert_http_forbidden(self.post('/api/user/', {}))
    assert_http_bad_request(self.post('/api/issue/', {}))

    # Detail endpoints: read, update, delete.
    assert_http_forbidden(self.get(user_detail))
    assert_http_ok(self.get(issue_detail))
    assert_http_bad_request(self.put(user_detail, {}))
    assert_http_forbidden(self.put(issue_detail, {}))
    assert_http_accepted(self.delete(user_detail))
    assert_http_forbidden(self.delete(issue_detail))
def test_user_can_update_only_itself(self):
    """PUT on another user's detail is refused; PUT on one's own is a valid JSON response."""
    other_user = self.get_user_obj()
    refused = self.put('%s%s/' % (self.USER_API_URL, other_user.pk), data={})
    assert_http_forbidden(refused)

    own_user = self.logged_user.user
    accepted = self.put('%s%s/' % (self.USER_API_URL, own_user.pk), data={})
    assert_valid_JSON_response(accepted)
def test_user_can_read_only_itself(self):
    """GET on one's own detail is a valid JSON response; GET on another user's is refused."""
    own_pk = self.logged_user.user.pk
    own_resp = self.get(('%s%s/') % (self.USER_API_URL, own_pk))
    assert_valid_JSON_response(own_resp)

    other_user = self.get_user_obj()
    other_resp = self.get(('%s%s/') % (self.USER_API_URL, other_user.pk))
    assert_http_forbidden(other_resp)
def test_403_exception(self):
    """POST to the user API collection is refused in every negotiated content type."""
    # Return value is not used; presumably called for its side effect
    # (a user object being set up) -- TODO confirm against get_user_obj.
    self.get_user_obj()
    for accept_type in self.ACCEPT_TYPES:
        resp = self.post(
            self.USER_API_URL,
            headers={'HTTP_ACCEPT': accept_type},
            data={},
        )
        # The error body must be rendered in the requested content type.
        assert_in(accept_type, resp['Content-Type'])
        assert_http_forbidden(resp)
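def test_only_superuser_may_edit_user(self):
    """A non-superuser must be refused both the edit form and the edit POST.

    The refusal is verified on the wire (403 on GET and on POST) and on the
    persisted object (the username is left unchanged).
    """
    user = self.get_user_obj()
    edit_url = '%s%s/' % (self.USER_UI_URL, user.pk)

    # Viewing the edit form must already be refused.
    resp = self.get(edit_url)
    assert_http_forbidden(resp)

    CHANGED_USERNAME = '******'
    # The POST response has to be checked in its own right: asserting on the
    # earlier GET response here would leave an accepted edit undetected by
    # the status-code check.
    resp = self.post(edit_url, data={'edit-is-user-username': CHANGED_USERNAME})
    assert_http_forbidden(resp)

    # The refusal must also hold in the database.
    assert_not_equal(User.objects.get(pk=user.pk).username, CHANGED_USERNAME)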
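def test_only_superuser_may_edit_user(self):
    """A non-superuser must be refused both the edit form and the edit POST.

    The refusal is verified on the wire (403 on GET and on POST) and on the
    persisted object (the username is left unchanged).
    """
    user = self.get_user_obj()
    edit_url = '%s%s/' % (self.USER_UI_URL, user.pk)

    # Viewing the edit form must already be refused.
    resp = self.get(edit_url)
    assert_http_forbidden(resp)

    CHANGED_USERNAME = '******'
    # The POST response has to be checked in its own right: asserting on the
    # earlier GET response here would leave an accepted edit undetected by
    # the status-code check.
    resp = self.post(edit_url, data={'edit-is-user-username': CHANGED_USERNAME})
    assert_http_forbidden(resp)

    # The refusal must also hold in the database.
    assert_not_equal(User.objects.get(pk=user.pk).username, CHANGED_USERNAME)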
def test_issue_can_be_created_only_via_user(self):
    """An issue may be created nested in a user POST, but not directly on the issue API.

    The issue count is compared before and after each request so that a
    refused direct POST is also shown to have no side effect.
    """
    issues_before = Issue.objects.count()

    user_payload = self.get_user_data()
    user_payload['leading_issue'] = self.get_issue_data(exclude=['leader'])
    created = self.post(self.USER_API_URL, data=user_payload)
    assert_valid_JSON_created_response(created)
    assert_equal(Issue.objects.count(), issues_before + 1)

    # Direct creation is refused and must leave the count untouched.
    refused = self.post(self.ISSUE_API_URL, data=self.get_issue_data())
    assert_http_forbidden(refused)
    assert_equal(Issue.objects.count(), issues_before + 1)
def test_user_with_permission_should_do_allowed_operations(self):
    """Explicit permissions open exactly the matching UI views.

    The logged-in user is granted issue read/create and user update/delete.
    List, add and detail views are probed for both models; anything outside
    the granted set must stay 403.
    """
    self.sync_permissions()
    issue = self.create_issue()
    user = self.create_user('new_user', 'password', '*****@*****.**')
    logged_user = self.logged_user.user

    granted = [
        Perm.objects.get(codename='{}__{}'.format(model, action))
        for model, action in (
            ('issue', 'read'),
            ('issue', 'create'),
            ('user', 'delete'),
            ('user', 'update'),
        )
    ]
    logged_user.fperms.add(*granted)

    user_detail = '/user/{}/'.format(user.pk)
    issue_detail = '/issue/{}/'.format(issue.pk)

    # List views.
    assert_http_forbidden(self.get('/user/'))
    assert_http_ok(self.get('/issue/'))

    # Add views (form and submission).
    assert_http_forbidden(self.get('/user/add/'))
    assert_http_ok(self.get('/issue/add/'))
    assert_http_forbidden(self.post('/user/add/', {}))
    assert_http_ok(self.post('/issue/add/', {}))

    # Detail views (form and submission).
    assert_http_ok(self.get(user_detail))
    assert_http_ok(self.get(issue_detail))
    assert_http_ok(self.post(user_detail, {}))
    assert_http_forbidden(self.post(issue_detail, {}))
def test_user_permissions_should_be_cached(self):
    """A newly granted permission takes effect only after the cache is cleared.

    NOTE(review): the same caching presumably delays revocations as well;
    confirm the cache lifetime is acceptable for that direction.
    """
    self.sync_permissions()
    self.create_issue()
    self.create_user('new_user', 'password', '*****@*****.**')
    logged_user = self.logged_user.user

    issue_list = '/api/issue/'
    assert_http_forbidden(self.get(issue_list))

    read_perm = Perm.objects.get(codename='{}__{}'.format('issue', 'read'))
    logged_user.fperms.add(read_perm)
    # The grant is not visible yet: the previously resolved permission set
    # is still served from cache.
    assert_http_forbidden(self.get(issue_list))

    cache.clear()
    assert_http_ok(self.get(issue_list))
def test_superuser_should_not_delete_another_superuser(self):
    """DELETE on another superuser's API detail is refused."""
    other_superuser = self.get_user_obj(is_superuser=True)
    detail_url = '%s%s/' % (self.USER_API_URL, other_superuser.pk)
    assert_http_forbidden(self.delete(detail_url))
def test_only_superuser_can_add_new_user(self):
    """POST of a user payload to the user API collection is refused."""
    payload = self.get_user_data()
    assert_http_forbidden(self.post(self.USER_API_URL, data=payload))
def test_403_exception(self):
    """GET on the API detail of the user returned by ``get_user_obj`` is refused.

    The 403 is checked once per entry of ``ACCEPT_TYPES`` and must be
    rendered in the negotiated content type.
    """
    user = self.get_user_obj()
    detail_url = '%s%s/' % (self.USER_API_URL, user.pk)
    for accept_type in self.ACCEPT_TYPES:
        resp = self.get(detail_url, headers={'HTTP_ACCEPT': accept_type})
        # Content negotiation must still apply to the error response.
        assert_in(accept_type, resp['Content-Type'])
        assert_http_forbidden(resp)
def test_user_without_permission_should_do_nothing(self):
    """With no permissions granted, every API operation on user and issue is 403.

    Collection and detail endpoints are probed for read, create, update and
    delete; a single non-403 answer fails the test.
    """
    issue = self.create_issue()
    user = self.create_user('new_user', 'password', '*****@*****.**')

    user_detail = '/api/user/{}/'.format(user.pk)
    issue_detail = '/api/issue/{}/'.format(issue.pk)

    # Collection endpoints: read and create.
    assert_http_forbidden(self.get('/api/user/'))
    assert_http_forbidden(self.get('/api/issue/'))
    assert_http_forbidden(self.post('/api/user/', {}))
    assert_http_forbidden(self.post('/api/issue/', {}))

    # Detail endpoints: read, update, delete.
    assert_http_forbidden(self.get(user_detail))
    assert_http_forbidden(self.get(issue_detail))
    assert_http_forbidden(self.put(user_detail, {}))
    assert_http_forbidden(self.put(issue_detail, {}))
    assert_http_forbidden(self.delete(user_detail))
    assert_http_forbidden(self.delete(issue_detail))
def test_only_superuser_can_delete_new_user(self):
    """DELETE on another user's API detail is refused for a non-superuser."""
    target = self.get_user_obj()
    detail_url = '%s%s/' % (self.USER_API_URL, target.pk)
    assert_http_forbidden(self.delete(detail_url))
def test_user_without_permission_should_do_nothing(self):
    """With no permissions granted, every UI view for user and issue is 403.

    List, add and detail views are probed with both GET and POST; a single
    non-403 answer fails the test.
    """
    issue = self.create_issue()
    user = self.create_user('new_user', 'password', '*****@*****.**')

    user_detail = '/user/{}/'.format(user.pk)
    issue_detail = '/issue/{}/'.format(issue.pk)

    # List views.
    assert_http_forbidden(self.get('/user/'))
    assert_http_forbidden(self.get('/issue/'))

    # Add views (form and submission).
    assert_http_forbidden(self.get('/user/add/'))
    assert_http_forbidden(self.get('/issue/add/'))
    assert_http_forbidden(self.post('/user/add/', {}))
    assert_http_forbidden(self.post('/issue/add/', {}))

    # Detail views (form and submission).
    assert_http_forbidden(self.get(user_detail))
    assert_http_forbidden(self.get(issue_detail))
    assert_http_forbidden(self.post(user_detail, {}))
    assert_http_forbidden(self.post(issue_detail, {}))