def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
enrollment_id = dbsession.query(models.Enrollment.id).filter(
models.Study.name == u'test_study').scalar()
data = {
'ofmetadata_-collect_date': '2015-01-01',
'ofmetadata_-version': '2015-01-01',
'ofmetadata_-state': 'pending-entry',
}
res = app.post(
self.url.format(enrollment_id),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
xhr=True,
params=data)
assert 403 == res.status_code
def test_not_owner(self, app, dbsession):
import transaction
from occams import models
with transaction.manager:
dbsession.add(models.User(key='somebody_else'))
environ = make_environ(userid='somebody_else')
app.get(self.url, extra_environ=environ, status=403)
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
enrollment_id = dbsession.query(models.Enrollment.id).filter(
models.Study.name == u'test_study').scalar()
data = {
'ofmetadata_-collect_date': '2015-01-01',
'ofmetadata_-version': '2015-01-01',
'ofmetadata_-state': 'pending-entry',
}
res = app.post(self.url.format(enrollment_id),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
xhr=True,
params=data)
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
patient = dbsession.query(models.Patient).filter(
models.Patient.pid == u'123').one()
data = {
'initials': patient.initials,
'nurse': patient.nurse,
'site_id': patient.site_id,
'pid': patient.pid,
'site': patient.site_id
}
res = app.put_json(
self.url.format('123'),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
study_id = dbsession.query(models.Study.id).filter(
models.Study.name == u'test_study').scalar()
enrollment_id = dbsession.query(models.Enrollment.id).filter(
models.Study.name == u'test_study').scalar()
data = {
'study': study_id,
'consent_date': '2014-12-22',
'latest_consent_date': '2015-01-01',
'reference_number': ''
}
res = app.put_json(self.url.format(enrollment_id),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
site = dbsession.query(models.Site).filter(
models.Site.name == u'UCSD').one()
site_id = site.id
data = {
'site': site_id,
'references': []
}
res = app.post_json(
self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 403 == res.status_code
def test_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
study_id = dbsession.query(models.Study.id).filter(
models.Study.name == u'test_study').scalar()
data = {
'consent_date': '2015-01-01',
'latest_consent_date': '2015-01-01',
'study': study_id
}
res = app.post_json(self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 200 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
visit_date = dbsession.query(models.Visit.visit_date).filter(
models.Patient.pid == u'123').scalar()
cycle_id = dbsession.query(models.Cycle.id).filter(
models.Cycle.name == u'TestCycle').scalar()
data = {
'cycles': [cycle_id],
'visit_date': '2015-01-02'
}
res = app.put_json(
self.url.format(visit_date),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 403 == res.status_code
def test_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
cycle_id = dbsession.query(models.Cycle.id).filter(
models.Cycle.name == u'TestCycle').scalar()
data = {
'cycles': [cycle_id],
'visit_date': '2015-01-01',
'include_forms': False,
'include_speciman': False
}
res = app.post_json(
self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 200 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
form_id = dbsession.query(models.Schema.id).filter(
models.Schema.name == u'test_schema').scalar()
data = {
'schema': form_id,
'collect_date': '2015-01-01'
}
res = app.post_json(
self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
patient = dbsession.query(
models.Patient).filter(models.Patient.pid == u'123').one()
data = {
'initials': patient.initials,
'nurse': patient.nurse,
'site_id': patient.site_id,
'pid': patient.pid,
'site': patient.site_id
}
res = app.put_json(self.url.format('123'),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
res = app.get(self.url.format('123'),
extra_environ=environ,
status='*')
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
study_id = dbsession.query(models.Study.id).filter(
models.Study.name == u'test_study').scalar()
enrollment_id = dbsession.query(models.Enrollment.id).filter(
models.Study.name == u'test_study').scalar()
data = {
'study': study_id,
'consent_date': '2014-12-22',
'latest_consent_date': '2015-01-01',
'reference_number': ''
}
res = app.put_json(
self.url.format(enrollment_id),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
cycle_id = dbsession.query(models.Cycle.id).filter(
models.Cycle.name == u'TestCycle').scalar()
data = {
'cycles': [cycle_id],
'visit_date': '2015-01-01',
'include_forms': False,
'include_speciman': False
}
res = app.post_json(self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 403 == res.status_code
def test_randomize_ajax_not_allowed(self, app, dbsession, factories,
group):
import uuid
from occams import models
enrollment = dbsession.query(models.Enrollment).one()
url = '/studies/patients/{pid}/enrollments/{eid}/randomization'.format(
pid=enrollment.patient.pid, eid=enrollment.id)
environ = make_environ(userid=USERID, groups=[group])
headers = {
'X-CSRF-Token': get_csrf_token(app, environ),
'X-REQUESTED-WITH': str('XMLHttpRequest')
}
res = app.get(
url,
extra_environ=environ,
status='*',
headers=headers,
xhr=True,
)
assert 403 == res.status_code
procid = str(uuid.uuid4())
# CHALLENGE
res = app.post(url,
extra_environ=environ,
status='*',
headers=headers,
xhr=True,
params={'procid': procid})
assert 403 == res.status_code
# ENTRY
res = app.post(url,
extra_environ=environ,
status='*',
headers=headers,
xhr=True,
params={'procid': procid})
assert 403 == res.status_code
# VERIFY
res = app.post(url,
extra_environ=environ,
status='*',
headers=headers,
xhr=True,
params={'procid': procid})
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
res = app.post(
self.url,
extra_environ=environ,
xhr=True,
status='*')
assert 403 == res.status_code
def test_allowed(self, app, dbsession, group):
environ = make_environ(groups=[group])
csrf_token = get_csrf_token(app, environ)
app.delete(self.url,
extra_environ=environ,
headers={'X-CSRF-Token': csrf_token},
xhr=True,
status=200)
def test_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
entity_id = dbsession.query(models.Entity.id).filter(
models.Entity.schema.has(name=u'test_schema')).scalar()
res = app.get(self.url.format(entity_id), extra_environ=environ)
assert 200 == res.status_code
def test_manage_external_services(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
res = app.get(
self.url,
extra_environ=environ,
params={})
assert 200 == res.status_code
def test_not_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
res = app.get(self.url,
extra_environ=environ,
status='*',
xhr=True,
params={})
assert 403 == res.status_code
def test_filtered_site(self, app, dbsession):
"""
Any authenticated user can view a site resources, but the listing
is filterd based on what sites they have access.
"""
environ = make_environ(userid=USERID, groups=['ucsd:member'])
res = app.get(
self.url, extra_environ=environ, xhr=True, status='*')
assert 200 == res.status_code
assert all('ucsd' == s['name'] for s in res.json['sites'])
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
entity_id = dbsession.query(models.Entity.id).filter(
models.Entity.schema.has(name=u'test_schema')).scalar()
res = app.get(
self.url.format(entity_id), extra_environ=environ, status='*')
assert 403 == res.status_code
def test_external_services(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
res = app.get(self.url,
extra_environ=environ,
status='*',
xhr=True,
params={})
assert 200 == res.status_code
def test_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
res = app.get(
self.url,
extra_environ=environ,
status='*',
xhr=True,
params={})
assert 200 == res.status_code
def test_not_owner(self, app, dbsession):
import transaction
from occams import models
with transaction.manager:
dbsession.add(models.User(key='somebody_else'))
environ = make_environ(userid='somebody_else')
csrf_token = get_csrf_token(app, environ)
app.delete(self.url,
extra_environ=environ,
headers={'X-CSRF-Token': csrf_token},
xhr=True,
status=403)
def test_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
res = app.get(self.url, extra_environ=environ, xhr=True)
data = res.json
csrf_token = get_csrf_token(app, environ)
res = app.delete_json(self.url,
extra_environ=environ,
status='*',
headers={'X-CSRF-Token': csrf_token},
params=data)
assert 200 == res.status_code
def test_not_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
res = app.delete_json(self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params={})
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
res = app.delete_json(
self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params={})
assert 403 == res.status_code
def test_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
form_id = dbsession.query(models.Schema.id).filter(
models.Schema.name == u'test_schema').scalar()
entity_id = dbsession.query(models.Entity.id).filter(
models.Entity.schema_id == form_id).scalar()
res = app.post(
self.url.format(entity_id), extra_environ=environ)
assert 200 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
form_id = dbsession.query(models.Schema.id).filter(
models.Schema.name == u'test_schema').scalar()
entity_id = dbsession.query(models.Entity.id).filter(
models.Entity.schema_id == form_id).scalar()
res = app.post(self.url.format(entity_id),
extra_environ=environ,
status='*')
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
enrollment_id = dbsession.query(models.Enrollment.id).filter(
models.Study.name == u'test_study').scalar()
data = {'id_1': enrollment_id}
res = app.get(self.url.format(enrollment_id),
extra_environ=environ,
status='*',
xhr=True,
params=data)
assert 403 == res.status_code
def test_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
res = app.get(self.url, extra_environ=environ, xhr=True)
data = res.json
csrf_token = get_csrf_token(app, environ)
res = app.delete_json(
self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token
},
params=data)
assert 200 == res.status_code
def test_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
data = {
'name': u'test',
'title': u'test_title',
'short_title': u'test2',
'code': u'test3',
'consent_date': '2015-01-01'
}
res = app.post_json(self.url,
extra_environ=environ,
status='*',
headers={'X-CSRF-Token': csrf_token},
params=data)
assert 200 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
enrollment_id = dbsession.query(models.Enrollment.id).filter(
models.Study.name == u'test_study').scalar()
res = app.delete_json(self.url.format(enrollment_id),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params={})
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
enrollment_id = dbsession.query(models.Enrollment.id).filter(
models.Study.name == u'test_study').scalar()
data = {
'id_1': enrollment_id
}
res = app.get(
self.url.format(enrollment_id),
extra_environ=environ,
status='*',
xhr=True,
params=data)
assert 403 == res.status_code
def test_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
data = {'name': u'test',
'title': u'test_title',
'short_title': u'test2',
'code': u'test3',
'consent_date': '2015-01-01'}
res = app.post_json(
self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token
},
params=data)
assert 200 == res.status_code
def test_not_allowed(self, app, group):
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
data = {
'title': 'test_study Week 1',
'week': '1'
}
res = app.post_json(
self.url.format('test_study'),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
enrollment_id = dbsession.query(models.Enrollment.id).filter(
models.Study.name == u'test_study').scalar()
res = app.delete_json(
self.url.format(enrollment_id),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params={})
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
visit_date = dbsession.query(models.Visit.visit_date).filter(
models.Patient.pid == u'123').scalar()
res = app.delete(self.url.format(visit_date),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
xhr=True,
params={})
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
visit_date = dbsession.query(models.Visit.visit_date).filter(
models.Patient.pid == u'123').scalar()
res = app.delete(
self.url.format(visit_date),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
xhr=True,
params={})
assert 403 == res.status_code
def test_allowed(self, app, group):
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
data = {
'name': 'TestDelete',
'title': 'TestDelete',
'week': 4
}
res = app.put_json(
self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 200 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
site = dbsession.query(
models.Site).filter(models.Site.name == u'UCSD').one()
site_id = site.id
data = {'site': site_id, 'references': []}
res = app.post_json(self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 403 == res.status_code
def test_not_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
schema = dbsession.query(
models.Schema).filter(models.Schema.name == u'test_schema').one()
schema_id = schema.id
data = {'collect_date': '2015-01-01', 'schema': schema_id}
res = app.post_json(self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 403 == res.status_code
def test_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
form_id = dbsession.query(models.Schema.id).filter(
models.Schema.name == u'test_schema').scalar()
entity_id = dbsession.query(models.Entity.id).filter(
models.Entity.schema_id == form_id).scalar()
res = app.delete_json(self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params={'forms': [entity_id]})
assert 200 == res.status_code
def test_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
form_id = dbsession.query(models.Schema.id).filter(
models.Schema.name == u'test_schema').scalar()
entity_id = dbsession.query(models.Entity.id).filter(
models.Entity.schema_id == form_id).scalar()
res = app.delete_json(
self.url,
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params={'forms': [entity_id]})
assert 200 == res.status_code
def test_allowed(self, app, dbsession, group):
from occams import models
environ = make_environ(userid=USERID, groups=[group])
csrf_token = get_csrf_token(app, environ)
visit_date = dbsession.query(models.Visit.visit_date).filter(
models.Patient.pid == u'123').scalar()
cycle_id = dbsession.query(models.Cycle.id).filter(
models.Cycle.name == u'TestCycle').scalar()
data = {'cycles': [cycle_id], 'visit_date': '2015-01-02'}
res = app.put_json(self.url.format(visit_date),
extra_environ=environ,
status='*',
headers={
'X-CSRF-Token': csrf_token,
'X-REQUESTED-WITH': str('XMLHttpRequest')
},
params=data)
assert 200 == res.status_code
def test_randomize_ajax_not_allowed(self, app, dbsession, factories, group):
import uuid
from occams import models
enrollment = dbsession.query(models.Enrollment).one()
url = '/studies/patients/{pid}/enrollments/{eid}/randomization'.format(
pid=enrollment.patient.pid,
eid=enrollment.id
)
environ = make_environ(userid=USERID, groups=[group])
headers = {
'X-CSRF-Token': get_csrf_token(app, environ),
'X-REQUESTED-WITH': str('XMLHttpRequest')
}
res = app.get(
url,
extra_environ=environ,
status='*',
headers=headers,
xhr=True,
)
assert 403 == res.status_code
procid = str(uuid.uuid4())
# CHALLENGE
res = app.post(
url,
extra_environ=environ,
status='*',
headers=headers,
xhr=True,
params={'procid': procid}
)
assert 403 == res.status_code
# ENTRY
res = app.post(
url,
extra_environ=environ,
status='*',
headers=headers,
xhr=True,
params={'procid': procid}
)
assert 403 == res.status_code
# VERIFY
res = app.post(
url,
extra_environ=environ,
status='*',
headers=headers,
xhr=True,
params={'procid': procid}
)
assert 403 == res.status_code
def test_allowed(self, app, dbsession, group):
environ = make_environ(groups=[group])
app.get(self.url, extra_environ=environ, status=200)
def test_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
res = app.get(self.url, extra_environ=environ)
assert 200 == res.status_code
def test_not_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
app.get(self.url, extra_environ=environ, status=403)
def test_not_allowed(self, app, dbsession, group):
environ = make_environ(userid=USERID, groups=[group])
res = app.get(
self.url.format('123'), extra_environ=environ, status='*')
assert 403 == res.status_code
