def test_views_measures_permissions(self, certificate_data, init_db_data):
db_data = init_db_data
# sign in user
auth_header = self._auth_cert_login(certificate_data)
# get authenticated user account
uacc = self._get_uacc(db_data, 'multi-site')
assert uacc is not None
# GET list:
# 4 measures in DB, but user 'multi-site' is only allowed
# to list measures for 2 sites
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
measure_data = response.json[0]
# verify that parent site IDs are in allowed site IDs
for measure in response.json:
site_id = dba.get_parent(Measure, measure['id'])
assert uacc.verify_scope(sites=[site_id])
allowed_measure_id = str(measure_data['id'])
not_allowed_measure_id = str(db_data['measures'][-1])
allowed_sensor_id = str(measure_data['sensor_id'])
not_allowed_sensor_id = str(db_data['sensors'][-1])
# GET:
# allowed measure (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=allowed_measure_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
# not allowed measure (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=not_allowed_measure_id)
assert response.status_code == 403
# POST:
# user role is allowed to post a new measure on allowed site
response = self.post_item(headers=auth_header,
name='New measure',
observation_type='Temperature',
medium='Air',
unit='DegreeCelsius',
value_properties={
'vmin': -50,
'vmax': 50
},
sensor_id=allowed_sensor_id)
assert response.status_code == 201
# not allowed
response = self.post_item(headers=auth_header,
name='New sensor 2',
observation_type='Temperature',
medium='Air',
unit='DegreeCelsius',
value_properties={
'vmin': -50,
'vmax': 50
},
sensor_id=not_allowed_sensor_id)
assert response.status_code == 403
# an allowed measure has been created...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 4
# UPDATE:
# allowed measure (in fact parent site)
headers = auth_header.copy()
headers.update({'If-Match': etag_value})
response = self.put_item(headers=headers,
item_id=allowed_measure_id,
name='Updated-name',
observation_type='Temperature',
medium='Air',
unit='DegreeCelsius',
method='OnChange',
outdoor=True,
on_index=False,
set_point=False,
sensor_id=allowed_sensor_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
headers.update({'If-Match': etag_value})
# not allowed measure (in fact parent site)
response = self.put_item(headers=headers,
item_id=not_allowed_measure_id,
name='Updated-name',
observation_type='Temperature',
medium='Air',
unit='DegreeCelsius',
method='OnChange',
sensor_id=not_allowed_sensor_id)
assert response.status_code == 403
# DELETE:
# XXX: refresh etag value, update != get_item_by_id response...weird...
response = self.get_item_by_id(headers=auth_header,
item_id=allowed_measure_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
headers.update({'If-Match': etag_value})
# allowed measure (in fact parent site)
response = self.delete_item(headers=headers,
item_id=allowed_measure_id)
assert response.status_code == 204
# not allowed measure (in fact parent site)
response = self.delete_item(headers=headers,
item_id=not_allowed_measure_id)
assert response.status_code == 403
# an allowed measure has been deleted...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
def test_views_windows_permissions(self, certificate_data, init_db_data):
db_data = init_db_data
# sign in user
auth_header = self._auth_cert_login(certificate_data)
# get authenticated user account
uacc = self._get_uacc(db_data, 'multi-site')
assert uacc is not None
# GET list:
# 4 windows in DB, but user 'multi-site' is only allowed
# to list windows for 2 sites
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
window_data = response.json[0]
# verify that parent site IDs are in allowed site IDs
for window in response.json:
site_id = dba.get_parent(Facade, window['facade_id'])
assert uacc.verify_scope(sites=[site_id])
not_allowed_window_id = str(db_data['windows'][-1])
allowed_facade_id = str(window_data['facade_id'])
not_allowed_facade_id = str(db_data['facades'][-1])
# POST:
# user role is allowed to post a new window on allowed site
response = self.post_item(headers=auth_header,
name='New window',
covering='Curtain',
facade_id=allowed_facade_id,
surface_info={'area': 2.2},
orientation='South_West',
u_value=2.12)
assert response.status_code == 201
window_data = response.json
allowed_window_id = str(window_data['id'])
# not allowed
response = self.post_item(headers=auth_header,
name='New window 2',
covering='Curtain',
facade_id=not_allowed_facade_id,
surface_info={'area': 2.2},
orientation='South_West',
u_value=2.12)
assert response.status_code == 403
# an allowed window has been created...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 4
# GET:
# allowed window (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=allowed_window_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
# not allowed window (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=not_allowed_window_id)
assert response.status_code == 403
# UPDATE:
# allowed window (in fact parent site)
headers = auth_header.copy()
headers.update({'If-Match': etag_value})
response = self.put_item(headers=headers,
item_id=allowed_window_id,
name='Updated-name',
covering=window_data['covering'],
orientation=window_data['orientation'],
surface_info=window_data['surface_info'],
u_value=window_data['u_value'],
facade_id=allowed_facade_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
headers.update({'If-Match': etag_value})
# not allowed window (in fact parent site)
response = self.put_item(headers=headers,
item_id=not_allowed_window_id,
name='Updated-name',
covering=window_data['covering'],
orientation=window_data['orientation'],
surface_info=window_data['surface_info'],
u_value=window_data['u_value'],
facade_id=not_allowed_facade_id)
assert response.status_code == 403
# DELETE:
# allowed slab (in fact parent site)
response = self.delete_item(headers=headers, item_id=allowed_window_id)
assert response.status_code == 204
# not allowed slab (in fact parent site)
response = self.delete_item(headers=headers,
item_id=not_allowed_window_id)
assert response.status_code == 403
# an allowed slab has been deleted...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
def test_views_facades_permissions(self, certificate_data, init_db_data):
db_data = init_db_data
# sign in user
auth_header = self._auth_cert_login(certificate_data)
# get authenticated user account
uacc = self._get_uacc(db_data, 'multi-site')
assert uacc is not None
# GET list:
# 4 facades in DB, but user 'multi-site' is only allowed
# to list facades for 2 sites
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
facade_data = response.json[0]
# verify that parent site IDs are in allowed site IDs
for facade in response.json:
site_id = dba.get_parent(Building, facade['building_id'])
assert uacc.verify_scope(sites=[site_id])
allowed_facade_id = str(facade_data['id'])
not_allowed_facade_id = str(db_data['facades'][-1])
allowed_building_id = str(facade_data['building_id'])
not_allowed_building_id = str(db_data['buildings'][-1])
# GET:
# allowed facade (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=allowed_facade_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
# not allowed facade (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=not_allowed_facade_id)
assert response.status_code == 403
# POST:
# user role is allowed to post a new facade on allowed site
response = self.post_item(headers=auth_header,
name='New facade',
distance_unit='metric',
spaces=[],
surface_info={'area': 42},
windows_wall_ratio=0.14,
orientation='East',
building_id=allowed_building_id)
assert response.status_code == 201
# not allowed
response = self.post_item(headers=auth_header,
name='New facade 2',
distance_unit='metric',
spaces=[],
surface_info={'area': 42},
windows_wall_ratio=0.14,
orientation='East',
building_id=not_allowed_building_id)
assert response.status_code == 403
# an allowed facade has been created...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 4
# UPDATE:
# allowed facade (in fact parent site)
headers = auth_header.copy()
headers.update({'If-Match': etag_value})
response = self.put_item(headers=headers,
item_id=allowed_facade_id,
name='Updated-name',
spaces=facade_data['spaces'],
orientation='South_West',
windows_wall_ratio=0.3,
surface_info=facade_data['surface_info'],
building_id=allowed_building_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
headers.update({'If-Match': etag_value})
# not allowed facade (in fact parent site)
response = self.put_item(headers=headers,
item_id=not_allowed_facade_id,
name='Updated-name',
spaces=facade_data['spaces'],
orientation='South_West',
windows_wall_ratio=0.3,
surface_info=facade_data['surface_info'],
building_id=not_allowed_building_id)
assert response.status_code == 403
# DELETE:
# allowed facade (in fact parent site)
response = self.delete_item(headers=headers, item_id=allowed_facade_id)
assert response.status_code == 204
# not allowed facade (in fact parent site)
response = self.delete_item(headers=headers,
item_id=not_allowed_facade_id)
assert response.status_code == 403
# an allowed facade has been deleted...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
def test_views_zones_permissions(self, certificate_data, init_db_data):
db_data = init_db_data
# sign in user
auth_header = self._auth_cert_login(certificate_data)
# get authenticated user account
uacc = self._get_uacc(db_data, 'multi-site')
assert uacc is not None
# GET list:
# 4 zones in DB, but user 'multi-site' is only allowed
# to list zones for 2 sites
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
zone_data = response.json[0]
# verify that parent site IDs are in allowed site IDs
for zone in response.json:
site_id = dba.get_parent(Building, zone['building_id'])
assert uacc.verify_scope(sites=[site_id])
allowed_zone_id = str(zone_data['id'])
not_allowed_zone_id = str(db_data['zones'][-1])
allowed_building_id = str(zone_data['building_id'])
not_allowed_building_id = str(db_data['buildings'][-1])
# GET:
# allowed zone (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=allowed_zone_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
# not allowed zone (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=not_allowed_zone_id)
assert response.status_code == 403
# POST:
# user role is allowed to post a new zone on allowed site
response = self.post_item(headers=auth_header,
name='New zone',
zones=[],
spaces=[],
building_id=allowed_building_id)
assert response.status_code == 201
# not allowed
response = self.post_item(headers=auth_header,
name='New zone 2',
zones=[],
spaces=[],
building_id=not_allowed_building_id)
assert response.status_code == 403
# an allowed zone has been created...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 4
# UPDATE:
# allowed zone (in fact parent site)
headers = auth_header.copy()
headers.update({'If-Match': etag_value})
response = self.put_item(headers=headers,
item_id=allowed_zone_id,
name='Updated-name',
zones=[],
sapces=zone_data['spaces'],
building_id=allowed_building_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
headers.update({'If-Match': etag_value})
# not allowed zone (in fact parent site)
response = self.put_item(headers=headers,
item_id=not_allowed_zone_id,
name='Updated-name',
zones=[],
sapces=zone_data['spaces'],
building_id=not_allowed_building_id)
assert response.status_code == 403
# DELETE:
# allowed zone (in fact parent site)
response = self.delete_item(headers=headers, item_id=allowed_zone_id)
assert response.status_code == 204
# not allowed zone (in fact parent site)
response = self.delete_item(headers=headers,
item_id=not_allowed_zone_id)
assert response.status_code == 403
# an allowed zone has been deleted...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
def test_views_slabs_permissions(self, certificate_data, init_db_data):
db_data = init_db_data
# sign in user
auth_header = self._auth_cert_login(certificate_data)
# get authenticated user account
uacc = self._get_uacc(db_data, 'multi-site')
assert uacc is not None
# GET list:
# 4 slabs in DB, but user 'multi-site' is only allowed
# to list slabs for 2 sites
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
slab_data = response.json[0]
# verify that parent site IDs are in allowed site IDs
for slab in response.json:
site_id = dba.get_parent(Building, slab['building_id'])
assert uacc.verify_scope(sites=[site_id])
not_allowed_slab_id = str(db_data['slabs'][-1])
allowed_building_id = str(slab_data['building_id'])
not_allowed_building_id = str(db_data['buildings'][-1])
# POST:
# user role is allowed to post a new slab on allowed site
response = self.post_item(headers=auth_header,
name='New slab',
kind='Roof',
floors=[],
surface_info={'area': 51},
building_id=allowed_building_id)
assert response.status_code == 201
slab_data = response.json
allowed_slab_id = str(slab_data['id'])
# not allowed
response = self.post_item(headers=auth_header,
name='New slab 2',
kind='Roof',
floors=[],
surface_info={'area': 51},
building_id=not_allowed_building_id)
assert response.status_code == 403
# an allowed slab has been created...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 4
# GET:
# allowed slab (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=allowed_slab_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
# not allowed slab (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=not_allowed_slab_id)
assert response.status_code == 403
# UPDATE:
# allowed slab (in fact parent site)
headers = auth_header.copy()
headers.update({'If-Match': etag_value})
response = self.put_item(headers=headers,
item_id=allowed_slab_id,
name='Updated-name',
kind=slab_data['kind'],
floors=slab_data['floors'],
surface_info=slab_data['surface_info'],
building_id=allowed_building_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
headers.update({'If-Match': etag_value})
# not allowed slab (in fact parent site)
response = self.put_item(headers=headers,
item_id=not_allowed_slab_id,
name='Updated-name',
kind=slab_data['kind'],
floors=slab_data['floors'],
surface_info=slab_data['surface_info'],
building_id=not_allowed_building_id)
assert response.status_code == 403
# DELETE:
# allowed slab (in fact parent site)
response = self.delete_item(headers=headers, item_id=allowed_slab_id)
assert response.status_code == 204
# not allowed slab (in fact parent site)
response = self.delete_item(headers=headers,
item_id=not_allowed_slab_id)
assert response.status_code == 403
# an allowed slab has been deleted...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
def test_views_sensors_permissions(self, certificate_data, init_db_data):
db_data = init_db_data
# sign in user
auth_header = self._auth_cert_login(certificate_data)
# get authenticated user account
uacc = self._get_uacc(db_data, 'multi-site')
assert uacc is not None
# GET list:
# 4 sensors in DB, but user 'multi-site' is only allowed
# to list sensors for 2 sites
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
sensor_data = response.json[0]
# verify that parent site IDs are in allowed site IDs
for sensor in response.json:
site_id = dba.get_parent(Sensor, sensor['id'])
assert uacc.verify_scope(sites=[site_id])
allowed_sensor_id = str(sensor_data['id'])
not_allowed_sensor_id = str(db_data['sensors'][-1])
allowed_site_id = str(db_data['sites'][0])
not_allowed_site_id = str(db_data['sites'][-1])
# GET:
# allowed sensor (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=allowed_sensor_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
# not allowed sensor (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=not_allowed_sensor_id)
assert response.status_code == 403
# POST:
# user role is allowed to post a new sensor on allowed site
response = self.post_item(
headers=auth_header,
name='New sensor',
static=False,
localization={'building_id': allowed_site_id})
assert response.status_code == 201
# not allowed
response = self.post_item(
headers=auth_header,
name='New sensor 2',
static=False,
localization={'building_id': not_allowed_site_id})
assert response.status_code == 403
# an allowed sensor has been created...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 4
# UPDATE:
# allowed sensor (in fact parent site)
headers = auth_header.copy()
headers.update({'If-Match': etag_value})
response = self.put_item(headers=headers,
item_id=allowed_sensor_id,
name='Updated-name',
static=sensor_data['static'],
localization=sensor_data['localization'])
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
headers.update({'If-Match': etag_value})
# not allowed sensor (in fact parent site)
response = self.put_item(headers=headers,
item_id=not_allowed_sensor_id,
name='Updated-name',
static=sensor_data['static'],
localization=sensor_data['localization'])
assert response.status_code == 403
# DELETE:
# allowed sensor (in fact parent site)
response = self.delete_item(headers=headers, item_id=allowed_sensor_id)
assert response.status_code == 204
# not allowed sensor (in fact parent site)
response = self.delete_item(headers=headers,
item_id=not_allowed_sensor_id)
assert response.status_code == 403
# an allowed sensor has been deleted...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
def test_views_floors_permissions(self, certificate_data, init_db_data):
db_data = init_db_data
# sign in user
auth_header = self._auth_cert_login(certificate_data)
# get authenticated user account
uacc = self._get_uacc(db_data, 'multi-site')
assert uacc is not None
# GET list:
# 4 floors in DB, but user 'multi-site' is only allowed
# to list floors for 2 sites
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
floor_data = response.json[0]
# verify that parent site IDs are in allowed site IDs
for floor in response.json:
site_id = dba.get_parent(Floor, floor['id'])
assert uacc.verify_scope(sites=[site_id])
allowed_floor_id = str(floor_data['id'])
not_allowed_floor_id = str(db_data['floors'][-1])
allowed_building_id = str(floor_data['building_id'])
not_allowed_building_id = str(db_data['buildings'][-1])
# GET:
# allowed floor (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=allowed_floor_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
# not allowed floor (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=not_allowed_floor_id)
assert response.status_code == 403
# POST:
# user role is allowed to post a new floor on allowed site
response = self.post_item(headers=auth_header,
name='New floor',
kind='Floor',
level=69,
spatial_info={
'area': 42,
'max_height': 2.4
},
building_id=allowed_building_id)
assert response.status_code == 201
# not allowed
response = self.post_item(headers=auth_header,
name='New building 2',
kind='Floor',
level=69,
spatial_info={
'area': 42,
'max_height': 2.4
},
building_id=not_allowed_building_id)
assert response.status_code == 403
# an allowed floor has been created...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 4
# UPDATE:
# allowed floor (in fact parent site)
headers = auth_header.copy()
headers.update({'If-Match': etag_value})
response = self.put_item(headers=headers,
item_id=allowed_floor_id,
name='Updated-name',
kind='Floor',
level=69,
spatial_info={
'area': 42,
'max_height': 2.4
},
building_id=allowed_building_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
headers.update({'If-Match': etag_value})
# not allowed floor (in fact parent site)
response = self.put_item(headers=headers,
item_id=not_allowed_floor_id,
name='Updated-name',
kind='Floor',
level=69,
spatial_info={
'area': 42,
'max_height': 2.4
},
building_id=not_allowed_building_id)
assert response.status_code == 403
# DELETE:
# allowed floor (in fact parent site)
response = self.delete_item(headers=headers, item_id=allowed_floor_id)
assert response.status_code == 204
# not allowed floor (in fact parent site)
response = self.delete_item(headers=headers,
item_id=not_allowed_floor_id)
assert response.status_code == 403
# an allowed floor has been deleted...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
def test_views_spaces_permissions(self, certificate_data, init_db_data):
db_data = init_db_data
# sign in user
auth_header = self._auth_cert_login(certificate_data)
# get authenticated user account
uacc = self._get_uacc(db_data, 'multi-site')
assert uacc is not None
# GET list:
# 4 spaces in DB, but user 'multi-site' is only allowed
# to list spaces for 2 sites
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
space_data = response.json[0]
# verify that parent site IDs are in allowed site IDs
for space in response.json:
site_id = dba.get_parent(Space, space['id'])
assert uacc.verify_scope([site_id])
allowed_space_id = str(space_data['id'])
not_allowed_space_id = str(db_data['spaces'][-1])
allowed_floor_id = str(space_data['floor_id'])
not_allowed_floor_id = str(db_data['floors'][-1])
# GET:
# allowed space (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=allowed_space_id)
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
# not allowed space (in fact parent site)
response = self.get_item_by_id(headers=auth_header,
item_id=not_allowed_space_id)
assert response.status_code == 403
# POST:
# user role is allowed to post a new space on allowed site
response = self.post_item(headers=auth_header,
name='New space',
kind='Kitchen',
floor_id=allowed_floor_id,
occupancy={
'nb_permanents': 6,
'nb_max': 66
},
spatial_info={
'area': 10,
'max_height': 2
})
assert response.status_code == 201
# not allowed
response = self.post_item(headers=auth_header,
name='New space 2',
kind='Kitchen',
floor_id=not_allowed_floor_id,
occupancy={
'nb_permanents': 6,
'nb_max': 66
},
spatial_info={
'area': 10,
'max_height': 2
})
assert response.status_code == 403
# an allowed floor has been created...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 4
response = self.get_item_by_id(headers=auth_header,
item_id=allowed_space_id)
assert response.status_code == 200
# UPDATE:
# allowed space (in fact parent site)
headers = auth_header.copy()
headers.update({'If-Match': etag_value})
response = self.put_item(headers=headers,
item_id=allowed_space_id,
name='Updated-name',
kind='Cafeteria',
floor_id=allowed_floor_id,
occupancy={
'nb_permanents': 6,
'nb_max': 66
},
spatial_info={
'area': 10,
'max_height': 2
})
assert response.status_code == 200
etag_value = response.headers.get('etag', None)
headers.update({'If-Match': etag_value})
# not allowed space (in fact parent site)
response = self.put_item(headers=headers,
item_id=not_allowed_space_id,
name='Updated-name',
kind='Cafeteria',
floor_id=not_allowed_floor_id,
occupancy={
'nb_permanents': 6,
'nb_max': 66
},
spatial_info={
'area': 10,
'max_height': 2
})
assert response.status_code == 403
response = self.get_item_by_id(headers=auth_header,
item_id=allowed_space_id)
assert response.status_code == 200
# DELETE:
# allowed space (in fact parent site)
response = self.delete_item(headers=headers, item_id=allowed_space_id)
assert response.status_code == 204
# not allowed space (in fact parent site)
response = self.delete_item(headers=headers,
item_id=not_allowed_space_id)
assert response.status_code == 403
# an allowed space has been deleted...
response = self.get_items(headers=auth_header)
assert response.status_code == 200
assert len(response.json) == 3
