def test_slugification(self):
document = InformationDocument(title_en="titlea", text_en="text")
self.assertEqual(document.url_title, '')
document.save()
self.assertEqual(document.url_title, "titlea")
document.url_title = "bla/KEKS-kekskeks"
document.save()
self.assertEqual(document.url_title, "bla/keks-kekskeks")
def test_slugification(self):
document = InformationDocument(title="titlea", text="text")
self.assertEqual(document.url_title, "")
document.save()
self.assertEqual(document.url_title, "titlea")
document.url_title = "bla-keks-kekskeks"
document.save()
self.assertEqual(document.url_title, "bla-keks-kekskeks")
def setUp(self):
self.user = UserProfile.objects.create_superuser('test', 'test', '*****@*****.**', 'test', 'test')
self.user.is_active = True
self.user.is_verified = True
self.user.save()
self.user2 = mommy.make(UserProfile, is_superuser=True)
document = InformationDocument(title="title", text="text", author=self.user)
with transaction.atomic(), reversion.create_revision():
document.save()
reversion.set_user(self.user)
reversion.set_comment('test version')
def setUp(self):
self.user = UserProfile.objects.create_user("testuser")
self.user.save()
self.group = Group.objects.create(name="test_group")
for permission in get_perms_for_model(InformationDocument):
permission_name = "{}.{}".format(permission.content_type.app_label, permission.codename)
assign_perm(permission_name, self.group)
self.group.save()
document = InformationDocument(title="title", text="text", author=self.user)
document.save()
def test_url_shows_document(self):
title = "Document title"
text = "This is the document text."
author = self.user
document = InformationDocument(title=title, text=text, author=author)
document.save()
assign_perm(InformationDocument.VIEW_PERMISSION_NAME, author, document)
self.assertTrue(author.has_perm(InformationDocument.VIEW_PERMISSION_NAME, document))
self.assertTrue(document.get_view_url(), msg="InformationDocument should return a URL")
response = self.app.get(document.get_view_url(), user=author)
self.assertIn(title.encode("utf-8"), response.body, msg="The displayed page should contain the document's title")
class TestVersions(WebTest):
csrf_checks = False
def setUp(self):
self.user = UserProfile.objects.create_superuser(username="******", email="*****@*****.**", password="******")
self.user.is_verified = True
self.user.is_active = True
self.user.save()
self.document = InformationDocument(title="title", text="text", author=self.user)
with transaction.atomic(), reversion.create_revision():
self.document.save()
reversion.set_user(self.user)
reversion.set_comment('test version')
def test_get_version_page(self):
response = self.app.get(reverse('information_pages:versions', args=[self.document.url_title]), status=403)
self.assertEqual(response.status_code, 403)
response = self.app.get(reverse('information_pages:versions', args=[self.document.url_title]), user=self.user)
self.assertEqual(response.status_code, 200)
def test_save_version(self):
# first get all current versions of the document from the database
document = Document.objects.get()
versions = reversion.get_for_object(document)
self.assertEqual(len(versions), 1)
# get the editor page and add a new revision
response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user=self.user)
self.assertEqual(response.status_code, 200)
form = response.form
new_string = self.document.text + "\nHallo Bibi Blocksberg!!"
form.set('text', new_string)
form.set('comment', 'hallo Bibi Blocksberg')
response = form.submit().follow()
self.assertEqual(response.status_code, 200)
# check whether number of versions increased
versions = reversion.get_for_object(self.document)
self.assertEqual(len(versions), 2)
# check whether the comment of the version correct
self.assertEqual(versions[0].revision.comment, 'hallo Bibi Blocksberg')
self.assertEqual(versions[1].revision.comment, 'test version')
class TestAttachments(WebTest):
"""
Tests creating, viewing and deleting attachments
InformationDocuments are used as testclass. It is assumed that the behavior is similar with other documenttypes
"""
csrf_checks = False
def setUp(self):
self.user = UserProfile.objects.create_superuser("test", "test", "*****@*****.**")
self.group = Group.objects.create(name="testgroup")
for permission in get_perms_for_model(InformationDocument):
permission_name = "{}.{}".format(permission.content_type.app_label, permission.codename)
assign_perm(permission_name, self.group)
self.group.save()
self.group_user = UserProfile.objects.create_user("groupuser", "test", "*****@*****.**")
self.group_user.groups.add(self.group)
self.group_user.save()
self.document = InformationDocument(author=self.user, title="test", text="blabla")
self.document.save()
self.content = "test content of test attachment"
attachment_file = ContentFile(self.content)
self.attachment = Attachment.objects.create(document=self.document)
self.attachment.file.save('temp.txt', attachment_file)
self.attachment.save()
def tearDown(self):
for attachment in self.document.attachments.all():
attachment.file.delete()
self.attachment.file.delete()
def test_create_attachment(self):
upload_files = [
('file', 'test.txt', bytes(tempfile.SpooledTemporaryFile(max_size=10000, prefix='txt', mode='r')))
]
# test that user who has no change permission on a document can not add an attachment
# and neither see the corresponding page
normal_user = UserProfile.objects.create_user("normal", "test", "*****@*****.**")
response = self.app.get(
reverse('information_pages:attachments', args=[self.document.url_title]),
user=normal_user,
expect_errors=True
)
self.assertEqual(response.status_code, 403)
response = self.app.post(
reverse('information_pages:attachments', args=[self.document.url_title]),
content_type='multipart/form-data',
upload_files=upload_files,
user=normal_user,
expect_errors=True
)
self.assertEqual(response.status_code, 403)
# test that user who is allowed to view the document may not add attachments to it
# and neither see the corresponding page
assign_perm("view_informationdocument", normal_user, self.document)
response = self.app.get(
reverse('information_pages:attachments', args=[self.document.url_title]),
user=normal_user,
expect_errors=True
)
self.assertEqual(response.status_code, 403)
response = self.app.post(
reverse('information_pages:attachments', args=[self.document.url_title]),
content_type='multipart/form-data',
upload_files=upload_files,
user=normal_user,
expect_errors=True
)
self.assertEqual(response.status_code, 403)
# test that member of group who has according permissions is allowed to upload attachments
# and to see the corresponding page
response = self.app.get(reverse('information_pages:attachments', args=[self.document.url_title]), user=self.group_user)
self.assertEqual(response.status_code, 200)
response = self.app.post(
reverse('information_pages:attachments', args=[self.document.url_title]),
content_type='multipart/form-data',
upload_files=upload_files,
user=self.group_user
)
self.assertEqual(response.status_code, 200)
# test that superuser is allowed to upload attachments and to see the corresponding page
response = self.app.get(reverse('information_pages:attachments', args=[self.document.url_title]), user=self.user)
self.assertEqual(response.status_code, 200)
response = self.app.post(
reverse('information_pages:attachments', args=[self.document.url_title]),
content_type='multipart/form-data',
upload_files=upload_files,
user=self.user
)
self.assertEqual(response.status_code, 200)
def test_delete_attachment(self):
params = {
'id': self.attachment.id,
}
# try to delete an attachment as user with no permissions at all (anonymous user)
response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True)
self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work")
response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True)
self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work")
response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True)
self.assertEqual(response.status_code, 404, msg="Requests that are not AJAX should return a 404 error")
response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True)
self.assertEqual(
response.status_code,
403,
msg="If users have no permissions they should not be able to delete an attachment"
)
# try to delete an attachment as user with no permissions
normal_user = UserProfile.objects.create_user("normal", "test", "*****@*****.**")
response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user)
self.assertEqual(
response.status_code,
403,
msg="If users have no permissions they should not be able to delete an attachment"
)
# try to delete an attachment as user with wrong permissions
assign_perm(InformationDocument.get_view_permission(), normal_user, self.document)
response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user)
self.assertEqual(
response.status_code,
403,
msg="If users has no permissions they should not be able to delete an attachment"
)
# try to delete an attachment as user with correct permissions
response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.group_user)
self.assertEqual(
response.status_code,
200,
msg="Users with the correct permissions for a document should be able to delete an attachment"
)
# re create the attachment
self.attachment.save()
# try to delete an attachment as superuser
response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.user)
self.assertEqual(
response.status_code,
200,
msg="Users with the correct permissions for a document should be able to delete an attachment"
)
def test_view_attachment(self):
params = {
'attachment_id': self.attachment.id,
}
# test that a user with insufficient permissions is not allowed to view/download an attachment
# be an anonymous user
response = self.app.post(reverse('documents:download_attachment'), params=params, expect_errors=True)
self.assertEqual(response.status_code, 400, msg="Should be bad request as user used wrong request method")
response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True)
self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions")
# test viewing an attachment using a user with insufficient permissions
normal_user = UserProfile.objects.create_user("normal", "test", "*****@*****.**")
assign_perm('change_informationdocument', normal_user, self.document)
response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True, user=normal_user)
self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions")
# grant the correct permission to the user an try again
assign_perm(InformationDocument.get_view_permission(), normal_user, self.document)
response = self.app.get(reverse('documents:download_attachment'), params=params, user=normal_user)
self.assertEqual(
response.status_code,
200,
msg="Users with sufficient permissions should be able to download an attachment"
)
self.assertEqual(
response.body.decode('utf-8'),
self.content,
msg="An attachment that has been downloaded should contain its original content"
)
# try the same with a user that is in a group having the correct permission
response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.group_user)
self.assertEqual(
response.status_code,
200,
msg="Users with sufficient permissions should be able to download an attachment"
)
self.assertEqual(
response.body.decode('utf-8'),
self.content,
msg="An attachment that has been downloaded should contain its original content"
)
# make sure that a superuser is always allowed to download an attachment
response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.user)
self.assertEqual(
response.status_code,
200,
msg="Users with sufficient permissions should be able to download an attachment"
)
self.assertEqual(
response.body.decode('utf-8'),
self.content,
msg="An attachment that has been downloaded should contain its original content"
)
class TestEditor(WebTest):
csrf_checks = False
def setUp(self):
self.user = UserProfile.objects.create_superuser(username="******", email="*****@*****.**", password="******")
self.user.is_verified = True
self.user.is_active = True
self.user.save()
self.document = InformationDocument(title="title", text="text", author=self.user)
self.document.save()
def test_get_editor(self):
response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), status=403)
self.assertEqual(response.status_code, 403)
response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="******")
self.assertEqual(response.status_code, 200)
form = response.form
self.assertEqual(form.get('title').value, self.document.title)
self.assertEqual(form.get('text').value, self.document.text)
form.set('comment', 'changed title')
form.set('title', 'new-title')
response = form.submit('submit')
self.assertRedirects(response, reverse('information_pages:edit', args=['new-title']))
document = Document.objects.get(url_title='new-title')
self.assertEqual(document.url_title, 'new-title')
def test_editor_error(self):
for string in ['', ' ']:
response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="******")
form = response.form
form.set('title', string)
response = form.submit('submit')
self.assertEqual(response.status_code, 200)
self.assertIn('has-error', str(response.body))
def test_editor_permissions_for_single_user(self):
test_user = UserProfile.objects.create_user("testuser2")
assign_perm(InformationDocument.VIEW_PERMISSION_NAME, test_user, self.document)
# test that test_user is not allowed to use editor
response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="******", status=403)
self.assertEqual(response.status_code, 403)
# give that user the necessary permission and check again
assign_perm('change_informationdocument', test_user, self.document)
# it should work now
response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="******")
self.assertEqual(response.status_code, 200)
def test_editor_permissions_for_groups(self):
test_user = UserProfile.objects.create_user("testuser2")
test_group = Group.objects.create(name="testgroup")
test_user.groups.add(test_group)
assign_perm(InformationDocument.VIEW_PERMISSION_NAME, test_group, self.document)
# user should not be able to use the editor
response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="******", status=403)
self.assertEqual(response.status_code, 403)
# add permission to group
assign_perm('change_informationdocument', test_group, self.document)
# user should now be able to use the editor
response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="******")
self.assertEqual(response.status_code, 200)
