Ejemplo n.º 1
 def test_403_csrf_exception(self):
     """A POST made through a CSRF-enforcing client must be answered with 403.

     The client is rebuilt with ``enforce_csrf_checks=True`` and the request
     carries an empty payload with no CSRF token among the headers set here.
     The 403 response must also be rendered in the content type that the
     caller asked for, once per entry of ``ACCEPT_TYPES``.
     """
     # presumably self.c is the client that self.post() uses; confirm in the base class
     self.c = self.client_class(enforce_csrf_checks=True)
     for requested_type in self.ACCEPT_TYPES:
         request_headers = {
             'HTTP_ACCEPT': requested_type,
             'CONTENT_TYPE': 'application/json',
         }
         response = self.post(self.ISSUE_API_URL, {}, headers=request_headers)
         # The error body must honour content negotiation as well as the status code
         assert_in(requested_type, response['Content-Type'])
         assert_http_forbidden(response)
Ejemplo n.º 2
    def test_only_superuser_may_add_user(self):
        """Posting the UI "add user" form must be forbidden and create nothing.

        The logged-in user is set up outside this method; judging by the test
        name it is presumably not a superuser.
        """
        new_username = '******'
        add_url = '%sadd/' % self.USER_UI_URL
        form_data = {
            'add-is-user-username': new_username,
            'add-is-user-password': '******',
        }

        response = self.post(add_url, data=form_data)
        assert_http_forbidden(response)
        # A 403 alone is not enough: the denied request must leave no record behind
        assert_false(User.objects.filter(username=new_username).exists())
Ejemplo n.º 3
    def test_only_superuser_may_add_user(self):
        """Check that the UI add-user endpoint rejects the request with 403.

        Also checks that the rejected request had no side effect in the
        database. Which user is logged in is decided outside this method.
        """
        candidate = '******'
        submitted = {'add-is-user-username': candidate,
                     'add-is-user-password': '******'}

        denied = self.post('%sadd/' % self.USER_UI_URL, data=submitted)
        assert_http_forbidden(denied)

        # Authorization must be enforced before the write, not merely reported after it
        was_created = User.objects.filter(username=candidate).exists()
        assert_false(was_created)
Ejemplo n.º 4
 def test_403_exception(self):
     """Reading a user's API detail must yield 403 in every accepted format.

     For each entry of ``ACCEPT_TYPES`` the response must be forbidden and
     its ``Content-Type`` must contain the requested type.
     """
     target = self.get_user_obj()
     detail_url = '%s%s/' % (self.USER_API_URL, target.pk)
     for requested_type in self.ACCEPT_TYPES:
         response = self.get(detail_url, headers={'HTTP_ACCEPT': requested_type})
         assert_in(requested_type, response['Content-Type'])
         assert_http_forbidden(response)
Ejemplo n.º 5
    def test_user_with_permission_should_do_allowed_operations(self):
        """Granted permissions open exactly the matching API operations.

        The logged-in user receives issue read/create and user delete/update
        permissions. Every operation outside that set must stay forbidden.
        Permitted writes with an empty payload are expected to get past
        authorization and fail validation with 400 instead.
        """
        self.sync_permissions()
        issue = self.create_issue()
        user = self.create_user('new_user', 'password', '*****@*****.**')

        current_user = self.logged_user.user

        # (resource, action) pairs, looked up by codename in this order
        granted_pairs = [('issue', 'read'), ('issue', 'create'),
                         ('user', 'delete'), ('user', 'update')]
        granted = [Perm.objects.get(codename='{}__{}'.format(resource, action))
                   for resource, action in granted_pairs]
        current_user.fperms.add(*granted)

        user_detail_url = '/api/user/{}/'.format(user.pk)
        issue_detail_url = '/api/issue/{}/'.format(issue.pk)

        # Collection endpoints: read and create
        assert_http_forbidden(self.get('/api/user/'))        # no user read
        assert_http_ok(self.get('/api/issue/'))              # issue read granted
        assert_http_forbidden(self.post('/api/user/', {}))   # no user create
        # issue create granted: the empty payload is rejected as 400, not 403
        assert_http_bad_request(self.post('/api/issue/', {}))

        # Detail endpoints: read, update, delete
        # NOTE(review): PATCH is not exercised by this test
        assert_http_forbidden(self.get(user_detail_url))         # no user read
        assert_http_ok(self.get(issue_detail_url))               # issue read granted
        assert_http_bad_request(self.put(user_detail_url, {}))   # user update granted
        assert_http_forbidden(self.put(issue_detail_url, {}))    # no issue update
        assert_http_accepted(self.delete(user_detail_url))       # user delete granted
        assert_http_forbidden(self.delete(issue_detail_url))     # no issue delete
Ejemplo n.º 6
    def test_user_can_update_only_itself(self):
        """Updating a user record is forbidden unless it is the caller's own.

        The first PUT targets the object returned by ``get_user_obj()``,
        presumably a different user, and must be denied. The second PUT
        targets the logged-in user's own primary key and must produce a valid
        JSON response.
        """
        other = self.get_user_obj()
        denied = self.put('%s%s/' % (self.USER_API_URL, other.pk), data={})
        assert_http_forbidden(denied)

        own = self.logged_user.user
        allowed = self.put('%s%s/' % (self.USER_API_URL, own.pk), data={})
        assert_valid_JSON_response(allowed)
Ejemplo n.º 7
    def test_user_can_read_only_itself(self):
        """A user may read its own API record but not another user's.

        Guards against object-level access by primary key alone: the same
        endpoint is requested with the caller's own pk (valid JSON expected)
        and with the pk of the object from ``get_user_obj()`` (403 expected).
        """
        own_pk = self.logged_user.user.pk
        own_response = self.get('%s%s/' % (self.USER_API_URL, own_pk))
        assert_valid_JSON_response(own_response)

        # presumably a user other than the logged-in one; confirm in get_user_obj()
        other = self.get_user_obj()
        other_response = self.get('%s%s/' % (self.USER_API_URL, other.pk))
        assert_http_forbidden(other_response)
Ejemplo n.º 8
 def test_403_exception(self):
     """Creating a user through the API must yield 403 in every accepted format.

     An empty POST is sent to the user collection once per entry of
     ``ACCEPT_TYPES``. Each response must be forbidden and must be rendered
     in the requested content type.
     """
     # Result is not used; called only for whatever setup it performs
     self.get_user_obj()
     for requested_type in self.ACCEPT_TYPES:
         negotiated = {'HTTP_ACCEPT': requested_type}
         response = self.post(self.USER_API_URL, headers=negotiated, data={})
         assert_in(requested_type, response['Content-Type'])
         assert_http_forbidden(response)
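    def test_only_superuser_may_edit_user(self):
        """The UI edit page of a user must be forbidden for both GET and POST.

        Besides the status codes, the test checks that the rejected POST did
        not change the stored username.
        """
        user = self.get_user_obj()
        edit_url = '%s%s/' % (self.USER_UI_URL, user.pk)

        resp = self.get(edit_url)
        assert_http_forbidden(resp)

        CHANGED_USERNAME = '******'
        # Capture the POST response. The result used to be discarded, so the
        # assertion below re-checked the stale GET response and the status of
        # the write attempt was never verified.
        resp = self.post(edit_url, data={'edit-is-user-username': CHANGED_USERNAME})
        assert_http_forbidden(resp)
        # The denied write must leave the record untouched
        assert_not_equal(User.objects.get(pk=user.pk).username, CHANGED_USERNAME)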
Ejemplo n.º 10
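    def test_only_superuser_may_edit_user(self):
        """Check that viewing and submitting the UI user-edit form both return 403.

        Also confirms that the rejected submission did not rename the user.
        """
        user = self.get_user_obj()
        edit_url = '%s%s/' % (self.USER_UI_URL, user.pk)

        assert_http_forbidden(self.get(edit_url))

        CHANGED_USERNAME = '******'
        # Assert on the POST response itself. The original asserted on the
        # earlier GET response a second time, which left the write path's
        # status code unchecked.
        post_resp = self.post(edit_url, data={'edit-is-user-username': CHANGED_USERNAME})
        assert_http_forbidden(post_resp)
        # Reload from the database to prove the denied write had no effect
        assert_not_equal(User.objects.get(pk=user.pk).username, CHANGED_USERNAME)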
Ejemplo n.º 11
    def test_issue_can_be_created_only_via_user(self):
        """An issue may be created nested in a user POST but not directly.

        A user payload carrying a ``leading_issue`` sub-object must create
        exactly one issue. A direct POST to the issue endpoint must be
        forbidden and must leave the issue count unchanged.
        """
        issues_before = Issue.objects.count()

        payload = self.get_user_data()
        # 'leader' is excluded from the nested issue data
        payload['leading_issue'] = self.get_issue_data(exclude=['leader'])

        nested_response = self.post(self.USER_API_URL, data=payload)
        assert_valid_JSON_created_response(nested_response)
        expected_count = issues_before + 1
        assert_equal(Issue.objects.count(), expected_count)

        direct_response = self.post(self.ISSUE_API_URL, data=self.get_issue_data())
        assert_http_forbidden(direct_response)
        # The denied direct create must not have added a row
        assert_equal(Issue.objects.count(), expected_count)
Ejemplo n.º 12
    def test_user_with_permission_should_do_allowed_operations(self):
        """Granted permissions open exactly the matching UI views.

        The logged-in user receives issue read/create and user delete/update
        permissions. The list, add and detail views are then probed for both
        resources, and views outside the granted set must return 403.
        """
        self.sync_permissions()
        issue = self.create_issue()
        user = self.create_user('new_user', 'password', '*****@*****.**')

        current_user = self.logged_user.user

        # (resource, action) pairs, looked up by codename in this order
        granted_pairs = [('issue', 'read'), ('issue', 'create'),
                         ('user', 'delete'), ('user', 'update')]
        granted = [Perm.objects.get(codename='{}__{}'.format(resource, action))
                   for resource, action in granted_pairs]
        current_user.fperms.add(*granted)

        user_detail_url = '/user/{}/'.format(user.pk)
        issue_detail_url = '/issue/{}/'.format(issue.pk)

        # List views
        assert_http_forbidden(self.get('/user/'))    # no user read
        assert_http_ok(self.get('/issue/'))          # issue read granted

        # Add views
        assert_http_forbidden(self.get('/user/add/'))        # no user create
        assert_http_ok(self.get('/issue/add/'))              # issue create granted
        assert_http_forbidden(self.post('/user/add/', {}))
        # presumably the empty form is re-rendered with errors, hence 200; confirm
        assert_http_ok(self.post('/issue/add/', {}))

        # Detail views
        # NOTE(review): user read is not granted, yet the user detail GET is
        # expected to be 200; presumably the update permission opens this
        # view. Confirm that this is intended.
        assert_http_ok(self.get(user_detail_url))
        assert_http_ok(self.get(issue_detail_url))               # issue read granted
        assert_http_ok(self.post(user_detail_url, {}))           # user update granted
        assert_http_forbidden(self.post(issue_detail_url, {}))   # no issue update
Ejemplo n.º 13
    def test_user_permissions_should_be_cached(self):
        """A newly granted permission takes effect only after the cache is cleared.

        The issue list is forbidden at first and stays forbidden right after
        the read permission is added. It becomes accessible once
        ``cache.clear()`` has run.

        NOTE(review): only the grant direction is pinned here. If revocations
        are served from the same cache, a removed permission would presumably
        stay usable until the cache is cleared or expires. Confirm that
        revocation invalidates the cached entry.
        """
        self.sync_permissions()
        self.create_issue()
        self.create_user('new_user', 'password', '*****@*****.**')
        current_user = self.logged_user.user
        issue_list_url = '/api/issue/'

        # Baseline: nothing granted yet. Per the original comments, this first
        # request is also what leaves the permission lookup cached.
        assert_http_forbidden(self.get(issue_list_url))
        read_issue = Perm.objects.get(codename='{}__{}'.format('issue', 'read'))

        # The grant is written, but the stale cached result still denies access
        current_user.fperms.add(read_issue)
        assert_http_forbidden(self.get(issue_list_url))

        # After the cache is dropped the new permission is honoured
        cache.clear()
        assert_http_ok(self.get(issue_list_url))
Ejemplo n.º 14
 def test_superuser_should_not_delete_another_superuser(self):
     """Deleting a superuser account through the API must be forbidden.

     The target is created with ``is_superuser=True``. The caller is set up
     outside this method; judging by the test name it is presumably a
     superuser as well.
     """
     target = self.get_user_obj(is_superuser=True)
     target_url = '%s%s/' % (self.USER_API_URL, target.pk)
     assert_http_forbidden(self.delete(target_url))
Ejemplo n.º 15
 def test_only_superuser_can_add_new_user(self):
     """A POST with valid-looking user data to the user API must return 403.

     The payload comes from ``get_user_data()``, so the rejection is expected
     to come from authorization and not from validation of an empty body.
     """
     payload = self.get_user_data()
     response = self.post(self.USER_API_URL, data=payload)
     assert_http_forbidden(response)
Ejemplo n.º 16
 def test_403_exception(self):
     """Check the 403 response for a user detail read under each accept type.

     The response must be forbidden and its ``Content-Type`` must contain
     the type requested through the ``HTTP_ACCEPT`` header.
     """
     subject = self.get_user_obj()
     subject_url = '%s%s/' % (self.USER_API_URL, subject.pk)
     for wanted in self.ACCEPT_TYPES:
         reply = self.get(subject_url, headers={'HTTP_ACCEPT': wanted})
         assert_in(wanted, reply['Content-Type'])
         assert_http_forbidden(reply)
Ejemplo n.º 17
    def test_user_without_permission_should_do_nothing(self):
        """With no permissions granted, every API operation must return 403.

        Covers list and create on both collections, and read, update and
        delete on both detail endpoints. No permission is added in this
        method, so this is the deny-by-default baseline.
        """
        issue = self.create_issue()
        user = self.create_user('new_user', 'password', '*****@*****.**')

        user_list_url = '/api/user/'
        issue_list_url = '/api/issue/'
        user_detail_url = '/api/user/{}/'.format(user.pk)
        issue_detail_url = '/api/issue/{}/'.format(issue.pk)

        # Collection endpoints: read and create
        assert_http_forbidden(self.get(user_list_url))
        assert_http_forbidden(self.get(issue_list_url))
        assert_http_forbidden(self.post(user_list_url, {}))
        assert_http_forbidden(self.post(issue_list_url, {}))

        # Detail endpoints: read, update, delete
        # NOTE(review): PATCH is not exercised by this test
        assert_http_forbidden(self.get(user_detail_url))
        assert_http_forbidden(self.get(issue_detail_url))
        assert_http_forbidden(self.put(user_detail_url, {}))
        assert_http_forbidden(self.put(issue_detail_url, {}))
        assert_http_forbidden(self.delete(user_detail_url))
        assert_http_forbidden(self.delete(issue_detail_url))
Ejemplo n.º 18
 def test_only_superuser_can_delete_new_user(self):
     """Deleting a user through the API must be forbidden for the current caller.

     The caller is set up outside this method; judging by the test name it
     is presumably not a superuser.
     """
     target = self.get_user_obj()
     target_url = '%s%s/' % (self.USER_API_URL, target.pk)
     assert_http_forbidden(self.delete(target_url))
Ejemplo n.º 19
    def test_user_without_permission_should_do_nothing(self):
        """With no permissions granted, every UI view must return 403.

        Covers the list, add (GET and POST) and detail (GET and POST) views
        of both resources. No permission is added in this method, so this is
        the deny-by-default baseline.
        """
        issue = self.create_issue()
        user = self.create_user('new_user', 'password', '*****@*****.**')

        user_add_url = '/user/add/'
        issue_add_url = '/issue/add/'
        user_detail_url = '/user/{}/'.format(user.pk)
        issue_detail_url = '/issue/{}/'.format(issue.pk)

        # List views
        assert_http_forbidden(self.get('/user/'))
        assert_http_forbidden(self.get('/issue/'))

        # Add views: both rendering the form and submitting it are denied
        assert_http_forbidden(self.get(user_add_url))
        assert_http_forbidden(self.get(issue_add_url))
        assert_http_forbidden(self.post(user_add_url, {}))
        assert_http_forbidden(self.post(issue_add_url, {}))

        # Detail views: both viewing and submitting are denied
        assert_http_forbidden(self.get(user_detail_url))
        assert_http_forbidden(self.get(issue_detail_url))
        assert_http_forbidden(self.post(user_detail_url, {}))
        assert_http_forbidden(self.post(issue_detail_url, {}))