Example #1
0
File: tests.py Project: tzwenn/1327
	def setUp(self):
		self.user = UserProfile.objects.create_superuser('test', 'test', '[email protected]', 'test', 'test')
		self.user.is_active = True
		self.user.is_verified = True
		self.user.save()
		self.user2 = mommy.make(UserProfile, is_superuser=True)

		document = InformationDocument(title="title", text="text", author=self.user)
		with transaction.atomic(), reversion.create_revision():
				document.save()
				reversion.set_user(self.user)
				reversion.set_comment('test version')
Example #2
0
File: tests.py Project: tzwenn/1327
	def setUp(self):
		self.user = UserProfile.objects.create_user("testuser")
		self.user.save()

		self.group = Group.objects.create(name="test_group")
		for permission in get_perms_for_model(InformationDocument):
			permission_name = "{}.{}".format(permission.content_type.app_label, permission.codename)
			assign_perm(permission_name, self.group)
		self.group.save()

		document = InformationDocument(title="title", text="text", author=self.user)
		document.save()
Example #3
0
File: tests.py Project: tzwenn/1327
	def test_url_shows_document(self):
		title = "Document title"
		text = "This is the document text."
		author = self.user
		document = InformationDocument(title=title, text=text, author=author)
		document.save()

		assign_perm(InformationDocument.VIEW_PERMISSION_NAME, author, document)
		self.assertTrue(author.has_perm(InformationDocument.VIEW_PERMISSION_NAME, document))

		self.assertTrue(document.get_view_url(), msg="InformationDocument should return a URL")

		response = self.app.get(document.get_view_url(), user=author)

		self.assertIn(title.encode("utf-8"), response.body, msg="The displayed page should contain the document's title")
Example #4
0
File: tests.py Project: tzwenn/1327
	def test_view_attachment(self):
		params = {
			'attachment_id': self.attachment.id,
		}

		# test that a user with insufficient permissions is not allowed to view/download an attachment
		# be an anonymous user
		response = self.app.post(reverse('documents:download_attachment'), params=params, expect_errors=True)
		self.assertEqual(response.status_code, 400, msg="Should be bad request as user used wrong request method")

		response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True)
		self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions")

		# test viewing an attachment using a user with insufficient permissions
		normal_user = UserProfile.objects.create_user("normal", "test", "[email protected]")
		assign_perm('change_informationdocument', normal_user, self.document)

		response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True, user=normal_user)
		self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions")

		# grant the correct permission to the user an try again
		assign_perm(InformationDocument.get_view_permission(), normal_user, self.document)

		response = self.app.get(reverse('documents:download_attachment'), params=params, user=normal_user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with sufficient permissions should be able to download an attachment"
		)
		self.assertEqual(
			response.body.decode('utf-8'),
			self.content,
			msg="An attachment that has been downloaded should contain its original content"
		)

		# try the same with a user that is in a group having the correct permission
		response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.group_user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with sufficient permissions should be able to download an attachment"
		)
		self.assertEqual(
			response.body.decode('utf-8'),
			self.content,
			msg="An attachment that has been downloaded should contain its original content"
		)

		# make sure that a superuser is always allowed to download an attachment
		response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with sufficient permissions should be able to download an attachment"
		)
		self.assertEqual(
			response.body.decode('utf-8'),
			self.content,
			msg="An attachment that has been downloaded should contain its original content"
		)
Example #5
0
	def test_delete_attachment(self):
		params = {
			'id': self.attachment.id,
		}

		# try to delete an attachment as user with no permissions at all (anonymous user)
		response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True)
		self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work")

		response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True)
		self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work")

		response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True)
		self.assertEqual(response.status_code, 404, msg="Requests that are not AJAX should return a 404 error")

		response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True)
		redirect_url = reverse('login') + '?next=' + reverse('documents:delete_attachment')
		self.assertRedirects(
			response,
			redirect_url,
			msg_prefix="If the site is visited by anonymous users they should see the login page"
		)

		# try to delete an attachment as user with no permissions
		normal_user = mommy.make(UserProfile)
		response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users have no permissions they should not be able to delete an attachment"
		)

		# try to delete an attachment as user with wrong permissions
		assign_perm(InformationDocument.get_view_permission(), normal_user, self.document)
		response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users has no permissions they should not be able to delete an attachment"
		)

		# try to delete an attachment as user with correct permissions
		response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.group_user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with the correct permissions for a document should be able to delete an attachment"
		)

		# re create the attachment
		self.attachment.save()

		# try to delete an attachment as superuser
		response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with the correct permissions for a document should be able to delete an attachment"
		)
Example #6
0
File: tests.py Project: tzwenn/1327
	def setUp(self):
		self.user = UserProfile.objects.create_superuser(username="testuser", email="[email protected]", password="top_secret")
		self.user.is_verified = True
		self.user.is_active = True
		self.user.save()

		self.document = InformationDocument(title="title", text="text", author=self.user)
		self.document.save()
Example #7
0
File: tests.py Project: tzwenn/1327
class TestVersions(WebTest):
	csrf_checks = False

	def setUp(self):
		self.user = UserProfile.objects.create_superuser(username="testuser", email="[email protected]", password="top_secret")
		self.user.is_verified = True
		self.user.is_active = True
		self.user.save()

		self.document = InformationDocument(title="title", text="text", author=self.user)
		with transaction.atomic(), reversion.create_revision():
			self.document.save()
			reversion.set_user(self.user)
			reversion.set_comment('test version')

	def test_get_version_page(self):
		response = self.app.get(reverse('information_pages:versions', args=[self.document.url_title]), status=403)
		self.assertEqual(response.status_code, 403)

		response = self.app.get(reverse('information_pages:versions', args=[self.document.url_title]), user=self.user)
		self.assertEqual(response.status_code, 200)

	def test_save_version(self):
		# first get all current versions of the document from the database
		document = Document.objects.get()
		versions = reversion.get_for_object(document)
		self.assertEqual(len(versions), 1)

		# get the editor page and add a new revision
		response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user=self.user)
		self.assertEqual(response.status_code, 200)

		form = response.form
		new_string = self.document.text + "\nHallo Bibi Blocksberg!!"
		form.set('text', new_string)
		form.set('comment', 'hallo Bibi Blocksberg')
		response = form.submit().follow()
		self.assertEqual(response.status_code, 200)

		# check whether number of versions increased
		versions = reversion.get_for_object(self.document)
		self.assertEqual(len(versions), 2)

		# check whether the comment of the version correct
		self.assertEqual(versions[0].revision.comment, 'hallo Bibi Blocksberg')
		self.assertEqual(versions[1].revision.comment, 'test version')
Example #8
0
File: tests.py Project: tzwenn/1327
	def test_delete_attachment(self):
		params = {
			'id': self.attachment.id,
		}

		# try to delete an attachment as user with no permissions at all (anonymous user)
		response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True)
		self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work")

		response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True)
		self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work")

		response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True)
		self.assertEqual(response.status_code, 404, msg="Requests that are not AJAX should return a 404 error")

		response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users have no permissions they should not be able to delete an attachment"
		)

		# try to delete an attachment as user with no permissions
		normal_user = UserProfile.objects.create_user("normal", "test", "[email protected]")
		response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users have no permissions they should not be able to delete an attachment"
		)

		# try to delete an attachment as user with wrong permissions
		assign_perm(InformationDocument.get_view_permission(), normal_user, self.document)
		response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users has no permissions they should not be able to delete an attachment"
		)

		# try to delete an attachment as user with correct permissions
		response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.group_user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with the correct permissions for a document should be able to delete an attachment"
		)

		# re create the attachment
		self.attachment.save()

		# try to delete an attachment as superuser
		response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with the correct permissions for a document should be able to delete an attachment"
		)
Example #9
0
File: tests.py Project: tzwenn/1327
	def setUp(self):
		self.user = UserProfile.objects.create_superuser(username="testuser", email="[email protected]", password="top_secret")
		self.user.is_verified = True
		self.user.is_active = True
		self.user.save()

		self.document = InformationDocument(title="title", text="text", author=self.user)
		with transaction.atomic(), reversion.create_revision():
			self.document.save()
			reversion.set_user(self.user)
			reversion.set_comment('test version')
Example #10
0
File: views.py Project: tzwenn/1327
def view_information(request, title):
	document = get_object_or_error(InformationDocument, request.user, [InformationDocument.get_view_permission()], url_title=title)

	md = markdown.Markdown(safe_mode='escape', extensions=[TocExtension(baselevel=2)])
	text = md.convert(document.text)

	return render(request, 'information_pages_base.html', {
		'document': document,
		'text': text,
		'toc': md.toc,
		'attachments': document.attachments.all(),
		'active_page': 'view',
	})
Example #11
0
    def test_slugification(self):
        document = InformationDocument(title="titlea", text="text")
        self.assertEqual(document.url_title, "")
        document.save()
        self.assertEqual(document.url_title, "titlea")

        document.url_title = "bla-keks-kekskeks"
        document.save()
        self.assertEqual(document.url_title, "bla-keks-kekskeks")
Example #12
0
File: views.py Project: Nef10/1327
def view_information(request, title):
	document = get_object_or_error(InformationDocument, request.user, [InformationDocument.get_view_permission()], url_title=title)

	md = markdown.Markdown(safe_mode='escape', extensions=[TocExtension(baselevel=2)])
	text = md.convert(document.text)

	anonymous_rights = get_anonymous_user().has_perm(InformationDocument.VIEW_PERMISSION_NAME, document)
	edit_rights = request.user.has_perm("change_informationdocument", document)
	permission_warning = edit_rights and not anonymous_rights

	return render(request, 'information_pages_base.html', {
		'document': document,
		'text': text,
		'toc': md.toc,
		'attachments': document.attachments.all().order_by('index'),
		'active_page': 'view',
		'permission_warning' : permission_warning,
	})
Example #13
0
File: tests.py Project: tzwenn/1327
	def setUp(self):
		self.user = UserProfile.objects.create_superuser("test", "test", "[email protected]")

		self.group = Group.objects.create(name="testgroup")
		for permission in get_perms_for_model(InformationDocument):
			permission_name = "{}.{}".format(permission.content_type.app_label, permission.codename)
			assign_perm(permission_name, self.group)
		self.group.save()

		self.group_user = UserProfile.objects.create_user("groupuser", "test", "[email protected]")
		self.group_user.groups.add(self.group)
		self.group_user.save()

		self.document = InformationDocument(author=self.user, title="test", text="blabla")
		self.document.save()

		self.content = "test content of test attachment"
		attachment_file = ContentFile(self.content)
		self.attachment = Attachment.objects.create(document=self.document)
		self.attachment.file.save('temp.txt', attachment_file)
		self.attachment.save()
Example #14
0
File: tests.py Project: tzwenn/1327
class TestAttachments(WebTest):
	"""
		Tests creating, viewing and deleting attachments
		InformationDocuments are used as testclass. It is assumed that the behavior is similar with other documenttypes
	"""

	csrf_checks = False

	def setUp(self):
		self.user = UserProfile.objects.create_superuser("test", "test", "[email protected]")

		self.group = Group.objects.create(name="testgroup")
		for permission in get_perms_for_model(InformationDocument):
			permission_name = "{}.{}".format(permission.content_type.app_label, permission.codename)
			assign_perm(permission_name, self.group)
		self.group.save()

		self.group_user = UserProfile.objects.create_user("groupuser", "test", "[email protected]")
		self.group_user.groups.add(self.group)
		self.group_user.save()

		self.document = InformationDocument(author=self.user, title="test", text="blabla")
		self.document.save()

		self.content = "test content of test attachment"
		attachment_file = ContentFile(self.content)
		self.attachment = Attachment.objects.create(document=self.document)
		self.attachment.file.save('temp.txt', attachment_file)
		self.attachment.save()

	def tearDown(self):
		for attachment in self.document.attachments.all():
			attachment.file.delete()
		self.attachment.file.delete()

	def test_create_attachment(self):
		upload_files = [
			('file', 'test.txt', bytes(tempfile.SpooledTemporaryFile(max_size=10000, prefix='txt', mode='r')))
		]

		# test that user who has no change permission on a document can not add an attachment
		# and neither see the corresponding page
		normal_user = UserProfile.objects.create_user("normal", "test", "[email protected]")

		response = self.app.get(
			reverse('information_pages:attachments', args=[self.document.url_title]),
			user=normal_user,
			expect_errors=True
		)
		self.assertEqual(response.status_code, 403)

		response = self.app.post(
			reverse('information_pages:attachments', args=[self.document.url_title]),
			content_type='multipart/form-data',
			upload_files=upload_files,
			user=normal_user,
			expect_errors=True
		)
		self.assertEqual(response.status_code, 403)

		# test that user who is allowed to view the document may not add attachments to it
		# and neither see the corresponding page
		assign_perm("view_informationdocument", normal_user, self.document)

		response = self.app.get(
			reverse('information_pages:attachments', args=[self.document.url_title]),
			user=normal_user,
			expect_errors=True
		)
		self.assertEqual(response.status_code, 403)

		response = self.app.post(
			reverse('information_pages:attachments', args=[self.document.url_title]),
			content_type='multipart/form-data',
			upload_files=upload_files,
			user=normal_user,
			expect_errors=True
		)
		self.assertEqual(response.status_code, 403)

		# test that member of group who has according permissions is allowed to upload attachments
		# and to see the corresponding page
		response = self.app.get(reverse('information_pages:attachments', args=[self.document.url_title]), user=self.group_user)
		self.assertEqual(response.status_code, 200)

		response = self.app.post(
			reverse('information_pages:attachments', args=[self.document.url_title]),
			content_type='multipart/form-data',
			upload_files=upload_files,
			user=self.group_user
		)
		self.assertEqual(response.status_code, 200)

		# test that superuser is allowed to upload attachments and to see the corresponding page
		response = self.app.get(reverse('information_pages:attachments', args=[self.document.url_title]), user=self.user)
		self.assertEqual(response.status_code, 200)

		response = self.app.post(
			reverse('information_pages:attachments', args=[self.document.url_title]),
			content_type='multipart/form-data',
			upload_files=upload_files,
			user=self.user
		)
		self.assertEqual(response.status_code, 200)

	def test_delete_attachment(self):
		params = {
			'id': self.attachment.id,
		}

		# try to delete an attachment as user with no permissions at all (anonymous user)
		response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True)
		self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work")

		response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True)
		self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work")

		response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True)
		self.assertEqual(response.status_code, 404, msg="Requests that are not AJAX should return a 404 error")

		response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users have no permissions they should not be able to delete an attachment"
		)

		# try to delete an attachment as user with no permissions
		normal_user = UserProfile.objects.create_user("normal", "test", "[email protected]")
		response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users have no permissions they should not be able to delete an attachment"
		)

		# try to delete an attachment as user with wrong permissions
		assign_perm(InformationDocument.get_view_permission(), normal_user, self.document)
		response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users has no permissions they should not be able to delete an attachment"
		)

		# try to delete an attachment as user with correct permissions
		response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.group_user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with the correct permissions for a document should be able to delete an attachment"
		)

		# re create the attachment
		self.attachment.save()

		# try to delete an attachment as superuser
		response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with the correct permissions for a document should be able to delete an attachment"
		)

	def test_view_attachment(self):
		params = {
			'attachment_id': self.attachment.id,
		}

		# test that a user with insufficient permissions is not allowed to view/download an attachment
		# be an anonymous user
		response = self.app.post(reverse('documents:download_attachment'), params=params, expect_errors=True)
		self.assertEqual(response.status_code, 400, msg="Should be bad request as user used wrong request method")

		response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True)
		self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions")

		# test viewing an attachment using a user with insufficient permissions
		normal_user = UserProfile.objects.create_user("normal", "test", "[email protected]")
		assign_perm('change_informationdocument', normal_user, self.document)

		response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True, user=normal_user)
		self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions")

		# grant the correct permission to the user an try again
		assign_perm(InformationDocument.get_view_permission(), normal_user, self.document)

		response = self.app.get(reverse('documents:download_attachment'), params=params, user=normal_user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with sufficient permissions should be able to download an attachment"
		)
		self.assertEqual(
			response.body.decode('utf-8'),
			self.content,
			msg="An attachment that has been downloaded should contain its original content"
		)

		# try the same with a user that is in a group having the correct permission
		response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.group_user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with sufficient permissions should be able to download an attachment"
		)
		self.assertEqual(
			response.body.decode('utf-8'),
			self.content,
			msg="An attachment that has been downloaded should contain its original content"
		)

		# make sure that a superuser is always allowed to download an attachment
		response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with sufficient permissions should be able to download an attachment"
		)
		self.assertEqual(
			response.body.decode('utf-8'),
			self.content,
			msg="An attachment that has been downloaded should contain its original content"
		)
Example #15
0
File: tests.py Project: tzwenn/1327
class TestEditor(WebTest):
	csrf_checks = False

	def setUp(self):
		self.user = UserProfile.objects.create_superuser(username="testuser", email="[email protected]", password="top_secret")
		self.user.is_verified = True
		self.user.is_active = True
		self.user.save()

		self.document = InformationDocument(title="title", text="text", author=self.user)
		self.document.save()

	def test_get_editor(self):
		response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), status=403)
		self.assertEqual(response.status_code, 403)

		response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="testuser")
		self.assertEqual(response.status_code, 200)

		form = response.form
		self.assertEqual(form.get('title').value, self.document.title)
		self.assertEqual(form.get('text').value, self.document.text)

		form.set('comment', 'changed title')
		form.set('title', 'new-title')
		response = form.submit('submit')
		self.assertRedirects(response, reverse('information_pages:edit', args=['new-title']))

		document = Document.objects.get(url_title='new-title')
		self.assertEqual(document.url_title, 'new-title')

	def test_editor_error(self):
		for string in ['', ' ']:

			response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="testuser")

			form = response.form
			form.set('title', string)
			response = form.submit('submit')
			self.assertEqual(response.status_code, 200)
			self.assertIn('has-error', str(response.body))

	def test_editor_permissions_for_single_user(self):
		test_user = UserProfile.objects.create_user("testuser2")

		assign_perm(InformationDocument.VIEW_PERMISSION_NAME, test_user, self.document)

		# test that test_user is not allowed to use editor
		response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="testuser2", status=403)
		self.assertEqual(response.status_code, 403)

		# give that user the necessary permission and check again
		assign_perm('change_informationdocument', test_user, self.document)

		# it should work now
		response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="testuser2")
		self.assertEqual(response.status_code, 200)

	def test_editor_permissions_for_groups(self):
		test_user = UserProfile.objects.create_user("testuser2")
		test_group = Group.objects.create(name="testgroup")
		test_user.groups.add(test_group)

		assign_perm(InformationDocument.VIEW_PERMISSION_NAME, test_group, self.document)

		# user should not be able to use the editor
		response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="testuser2", status=403)
		self.assertEqual(response.status_code, 403)

		# add permission to group
		assign_perm('change_informationdocument', test_group, self.document)

		# user should now be able to use the editor
		response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="testuser2")
		self.assertEqual(response.status_code, 200)
Example #16
0
	def test_view_attachment(self):
		params = {
			'hash_value': self.attachment.hash_value,
		}

		# test that a user with insufficient permissions is not allowed to view/download an attachment
		# be an anonymous user
		response = self.app.post(reverse('documents:download_attachment'), params=params, expect_errors=True)
		self.assertEqual(response.status_code, 400, msg="Should be bad request as user used wrong request method")

		response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True)
		self.assertEqual(response.status_code, 302)
		response = response.follow()
		self.assertTemplateUsed(response, 'login.html', msg_prefix="Anonymous users should see the login page")

		# test viewing an attachment using a user with insufficient permissions
		normal_user = mommy.make(UserProfile)
		assign_perm('change_informationdocument', normal_user, self.document)

		response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True, user=normal_user)
		self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions")

		# grant the correct permission to the user an try again
		assign_perm(InformationDocument.get_view_permission(), normal_user, self.document)

		response = self.app.get(reverse('documents:download_attachment'), params=params, user=normal_user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with sufficient permissions should be able to download an attachment"
		)
		self.assertEqual(
			response.body.decode('utf-8'),
			self.content,
			msg="An attachment that has been downloaded should contain its original content"
		)

		# try the same with a user that is in a group having the correct permission
		response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.group_user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with sufficient permissions should be able to download an attachment"
		)
		self.assertEqual(
			response.body.decode('utf-8'),
			self.content,
			msg="An attachment that has been downloaded should contain its original content"
		)

		# make sure that a superuser is always allowed to download an attachment
		response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with sufficient permissions should be able to download an attachment"
		)
		self.assertEqual(
			response.body.decode('utf-8'),
			self.content,
			msg="An attachment that has been downloaded should contain its original content"
		)