File: tests.py Project: tzwenn/1327
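	def test_view_attachment(self):
		"""Download permissions for a single attachment.

		Walks the download endpoint through an anonymous caller, a user with
		the wrong (edit) permission, a user granted the view permission
		directly, a user that inherits it through a group, and a superuser.
		Every denied response is additionally checked for not carrying the
		attachment bytes, so a correct status code cannot mask a data leak.
		"""
		url = reverse('documents:download_attachment')
		params = {
			'attachment_id': self.attachment.id,
		}
		# `self.content` is the plain-text fixture body (the 200 checks compare it
		# against the decoded response body), so this is its on-the-wire form.
		content_bytes = self.content.encode('utf-8')

		def assert_forbidden(response):
			# A denial has to be a real denial: right status AND no attachment bytes in the body.
			self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions")
			self.assertNotEqual(
				response.body,
				content_bytes,
				msg="A forbidden response must not carry the attachment content"
			)

		def assert_download_ok(user):
			response = self.app.get(url, params=params, user=user)
			self.assertEqual(
				response.status_code,
				200,
				msg="Users with sufficient permissions should be able to download an attachment"
			)
			self.assertEqual(
				response.body.decode('utf-8'),
				self.content,
				msg="An attachment that has been downloaded should contain its original content"
			)

		# test that a user with insufficient permissions is not allowed to view/download an attachment
		# be an anonymous user
		response = self.app.post(url, params=params, expect_errors=True)
		self.assertEqual(response.status_code, 400, msg="Should be bad request as user used wrong request method")

		response = self.app.get(url, params=params, expect_errors=True)
		assert_forbidden(response)

		# test viewing an attachment using a user with insufficient permissions:
		# the edit permission on the document must not imply the view permission
		normal_user = UserProfile.objects.create_user("normal", "test", "*****@*****.**")
		assign_perm('change_informationdocument', normal_user, self.document)

		response = self.app.get(url, params=params, expect_errors=True, user=normal_user)
		assert_forbidden(response)

		# grant the correct permission to the user and try again
		assign_perm(InformationDocument.get_view_permission(), normal_user, self.document)
		assert_download_ok(normal_user)

		# try the same with a user that is in a group having the correct permission
		assert_download_ok(self.group_user)

		# make sure that a superuser is always allowed to download an attachment
		assert_download_ok(self.user)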
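	def test_delete_attachment(self):
		"""Deletion of a single attachment via the AJAX-only delete endpoint.

		Covers the transport checks (GET and non-AJAX POST are answered with
		404), the anonymous redirect to the login page, and the permission
		checks for users with no, wrong and correct permissions plus a
		superuser. Every rejected request is followed by a check that the
		attachment row still exists, and every accepted one by a check that it
		is gone, so the status code alone cannot hide a missing or extra delete.
		"""
		url = reverse('documents:delete_attachment')
		params = {
			'id': self.attachment.id,
		}
		attachment_model = type(self.attachment)

		def attachment_exists():
			return attachment_model.objects.filter(pk=self.attachment.pk).exists()

		def assert_not_deleted():
			self.assertTrue(attachment_exists(), msg="A rejected delete request must not remove the attachment")

		def assert_deleted():
			self.assertFalse(attachment_exists(), msg="A successful delete request must remove the attachment")

		# try to delete an attachment as user with no permissions at all (anonymous user)
		response = self.app.get(url, params=params, expect_errors=True)
		self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work")
		assert_not_deleted()

		response = self.app.get(url, params=params, expect_errors=True, xhr=True)
		self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work")
		assert_not_deleted()

		response = self.app.post(url, params=params, expect_errors=True)
		self.assertEqual(response.status_code, 404, msg="Requests that are not AJAX should return a 404 error")
		assert_not_deleted()

		response = self.app.post(url, params=params, expect_errors=True, xhr=True)
		redirect_url = reverse('login') + '?next=' + url
		self.assertRedirects(
			response,
			redirect_url,
			msg_prefix="If the site is visited by anonymous users they should see the login page"
		)
		assert_not_deleted()

		# try to delete an attachment as user with no permissions
		normal_user = mommy.make(UserProfile)
		response = self.app.post(url, params=params, expect_errors=True, xhr=True, user=normal_user)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users have no permissions they should not be able to delete an attachment"
		)
		assert_not_deleted()

		# try to delete an attachment as user with wrong permissions:
		# being allowed to view the document must not grant deletion of its attachments
		assign_perm(InformationDocument.get_view_permission(), normal_user, self.document)
		response = self.app.post(url, params=params, expect_errors=True, xhr=True, user=normal_user)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users has no permissions they should not be able to delete an attachment"
		)
		assert_not_deleted()

		# try to delete an attachment as user with correct permissions
		response = self.app.post(url, params=params, xhr=True, user=self.group_user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with the correct permissions for a document should be able to delete an attachment"
		)
		assert_deleted()

		# re create the attachment (the instance still carries its pk, so save() re-inserts the row)
		self.attachment.save()
		assert_not_deleted()

		# try to delete an attachment as superuser
		response = self.app.post(url, params=params, xhr=True, user=self.user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with the correct permissions for a document should be able to delete an attachment"
		)
		assert_deleted()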
File: tests.py Project: tzwenn/1327
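	def test_delete_attachment(self):
		"""Deletion of a single attachment via the AJAX-only delete endpoint.

		Covers the transport checks (GET and non-AJAX POST are answered with
		404) and the permission checks for an anonymous caller, users with
		no, wrong and correct permissions, and a superuser. Every rejected
		request is followed by a check that the attachment row still exists,
		and every accepted one by a check that it is gone, so the status code
		alone cannot hide a missing or extra delete.
		"""
		url = reverse('documents:delete_attachment')
		params = {
			'id': self.attachment.id,
		}
		attachment_model = type(self.attachment)

		def attachment_exists():
			return attachment_model.objects.filter(pk=self.attachment.pk).exists()

		def assert_not_deleted():
			self.assertTrue(attachment_exists(), msg="A rejected delete request must not remove the attachment")

		def assert_deleted():
			self.assertFalse(attachment_exists(), msg="A successful delete request must remove the attachment")

		# try to delete an attachment as user with no permissions at all (anonymous user)
		response = self.app.get(url, params=params, expect_errors=True)
		self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work")
		assert_not_deleted()

		response = self.app.get(url, params=params, expect_errors=True, xhr=True)
		self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work")
		assert_not_deleted()

		response = self.app.post(url, params=params, expect_errors=True)
		self.assertEqual(response.status_code, 404, msg="Requests that are not AJAX should return a 404 error")
		assert_not_deleted()

		response = self.app.post(url, params=params, expect_errors=True, xhr=True)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users have no permissions they should not be able to delete an attachment"
		)
		assert_not_deleted()

		# try to delete an attachment as user with no permissions
		normal_user = UserProfile.objects.create_user("normal", "test", "*****@*****.**")
		response = self.app.post(url, params=params, expect_errors=True, xhr=True, user=normal_user)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users have no permissions they should not be able to delete an attachment"
		)
		assert_not_deleted()

		# try to delete an attachment as user with wrong permissions:
		# being allowed to view the document must not grant deletion of its attachments
		assign_perm(InformationDocument.get_view_permission(), normal_user, self.document)
		response = self.app.post(url, params=params, expect_errors=True, xhr=True, user=normal_user)
		self.assertEqual(
			response.status_code,
			403,
			msg="If users has no permissions they should not be able to delete an attachment"
		)
		assert_not_deleted()

		# try to delete an attachment as user with correct permissions
		response = self.app.post(url, params=params, xhr=True, user=self.group_user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with the correct permissions for a document should be able to delete an attachment"
		)
		assert_deleted()

		# re create the attachment (the instance still carries its pk, so save() re-inserts the row)
		self.attachment.save()
		assert_not_deleted()

		# try to delete an attachment as superuser
		response = self.app.post(url, params=params, xhr=True, user=self.user)
		self.assertEqual(
			response.status_code,
			200,
			msg="Users with the correct permissions for a document should be able to delete an attachment"
		)
		assert_deleted()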
File: views.py Project: tzwenn/1327
def view_information(request, title):
	"""Render a single InformationDocument as an HTML page.

	``get_object_or_error`` looks the document up by ``url_title`` and
	enforces its view permission for ``request.user``; what happens on a
	missing document or a denied user is decided inside that helper, not
	here. The markdown body is converted with a table of contents whose
	top heading level is ``<h2>``.

	NOTE(review): ``safe_mode='escape'`` only takes effect on Python-Markdown
	2.x; it was deprecated there and dropped in 3.0, where the keyword is
	ignored and raw HTML in ``document.text`` reaches the template
	unescaped. Confirm the pinned markdown version, or sanitise ``text``
	before the template renders it as trusted HTML.
	"""
	document = get_object_or_error(
		InformationDocument,
		request.user,
		[InformationDocument.get_view_permission()],
		url_title=title,
	)

	renderer = markdown.Markdown(safe_mode='escape', extensions=[TocExtension(baselevel=2)])
	rendered_text = renderer.convert(document.text)

	context = {
		'document': document,
		'text': rendered_text,
		'toc': renderer.toc,
		'attachments': document.attachments.all(),
		'active_page': 'view',
	}
	return render(request, 'information_pages_base.html', context)
File: views.py Project: Nef10/1327
def view_information(request, title):
	"""Render a single InformationDocument as an HTML page.

	``get_object_or_error`` looks the document up by ``url_title`` and
	enforces its view permission for ``request.user``; what happens on a
	missing document or a denied user is decided inside that helper, not
	here. The markdown body is converted with a table of contents whose
	top heading level is ``<h2>``. The template additionally receives
	``permission_warning``, set when the caller may edit the document but
	the anonymous user may not view it (i.e. the page is not public).

	NOTE(review): ``safe_mode='escape'`` only takes effect on Python-Markdown
	2.x; it was deprecated there and dropped in 3.0, where the keyword is
	ignored and raw HTML in ``document.text`` reaches the template
	unescaped. Confirm the pinned markdown version, or sanitise ``text``
	before the template renders it as trusted HTML.
	"""
	document = get_object_or_error(
		InformationDocument,
		request.user,
		[InformationDocument.get_view_permission()],
		url_title=title,
	)

	renderer = markdown.Markdown(safe_mode='escape', extensions=[TocExtension(baselevel=2)])
	rendered_text = renderer.convert(document.text)

	# Editors of a non-public page get a hint that the page is not readable by everyone.
	is_public = get_anonymous_user().has_perm(InformationDocument.VIEW_PERMISSION_NAME, document)
	can_edit = request.user.has_perm("change_informationdocument", document)

	context = {
		'document': document,
		'text': rendered_text,
		'toc': renderer.toc,
		'attachments': document.attachments.all().order_by('index'),
		'active_page': 'view',
		'permission_warning': can_edit and not is_public,
	}
	return render(request, 'information_pages_base.html', context)
def view_information(request, title):
    """Render a single InformationDocument as an HTML page.

    ``get_object_or_error`` looks the document up by ``url_title`` and
    enforces its view permission for ``request.user``; what happens on a
    missing document or a denied user is decided inside that helper, not
    here. The markdown body is converted with a table of contents whose
    top heading level is ``<h2>``. The template additionally receives
    ``permission_warning``, set when the caller may edit the document but
    the anonymous user may not view it (i.e. the page is not public).

    NOTE(review): ``safe_mode='escape'`` only takes effect on Python-Markdown
    2.x; it was deprecated there and dropped in 3.0, where the keyword is
    ignored and raw HTML in ``document.text`` reaches the template
    unescaped. Confirm the pinned markdown version, or sanitise ``text``
    before the template renders it as trusted HTML.
    """
    document = get_object_or_error(
        InformationDocument,
        request.user,
        [InformationDocument.get_view_permission()],
        url_title=title,
    )

    renderer = markdown.Markdown(
        safe_mode='escape', extensions=[TocExtension(baselevel=2)]
    )
    rendered_text = renderer.convert(document.text)

    # Editors of a non-public page get a hint that the page is not readable by everyone.
    is_public = get_anonymous_user().has_perm(
        InformationDocument.VIEW_PERMISSION_NAME, document
    )
    can_edit = request.user.has_perm("change_informationdocument", document)

    context = {
        'document': document,
        'text': rendered_text,
        'toc': renderer.toc,
        'attachments': document.attachments.all().order_by('index'),
        'active_page': 'view',
        'permission_warning': can_edit and not is_public,
    }
    return render(request, 'information_pages_base.html', context)
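	def test_view_attachment(self):
		"""Download permissions for a single attachment, addressed by hash.

		Walks the download endpoint through an anonymous caller (redirected
		to the login page), a user with the wrong (edit) permission, a user
		granted the view permission directly, a user that inherits it through
		a group, and a superuser. The denied response is additionally checked
		for not carrying the attachment bytes, so a correct status code cannot
		mask a data leak.
		"""
		url = reverse('documents:download_attachment')
		params = {
			'hash_value': self.attachment.hash_value,
		}
		# `self.content` is the plain-text fixture body (the 200 checks compare it
		# against the decoded response body), so this is its on-the-wire form.
		content_bytes = self.content.encode('utf-8')

		def assert_forbidden(response):
			# A denial has to be a real denial: right status AND no attachment bytes in the body.
			self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions")
			self.assertNotEqual(
				response.body,
				content_bytes,
				msg="A forbidden response must not carry the attachment content"
			)

		def assert_download_ok(user):
			response = self.app.get(url, params=params, user=user)
			self.assertEqual(
				response.status_code,
				200,
				msg="Users with sufficient permissions should be able to download an attachment"
			)
			self.assertEqual(
				response.body.decode('utf-8'),
				self.content,
				msg="An attachment that has been downloaded should contain its original content"
			)

		# test that a user with insufficient permissions is not allowed to view/download an attachment
		# be an anonymous user
		response = self.app.post(url, params=params, expect_errors=True)
		self.assertEqual(response.status_code, 400, msg="Should be bad request as user used wrong request method")

		response = self.app.get(url, params=params, expect_errors=True)
		self.assertEqual(response.status_code, 302)
		response = response.follow()
		self.assertTemplateUsed(response, 'login.html', msg_prefix="Anonymous users should see the login page")

		# test viewing an attachment using a user with insufficient permissions:
		# the edit permission on the document must not imply the view permission
		normal_user = mommy.make(UserProfile)
		assign_perm('change_informationdocument', normal_user, self.document)

		response = self.app.get(url, params=params, expect_errors=True, user=normal_user)
		assert_forbidden(response)

		# grant the correct permission to the user and try again
		assign_perm(InformationDocument.get_view_permission(), normal_user, self.document)
		assert_download_ok(normal_user)

		# try the same with a user that is in a group having the correct permission
		assert_download_ok(self.group_user)

		# make sure that a superuser is always allowed to download an attachment
		assert_download_ok(self.user)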