def test_menu_logged_in_error_dont_show_user_loaded(self, mock_user_get):
    """A 500 page rendered for a logged-in user must not show the user menu.

    The view is behind ``@login_required``, so flask-login loads the user
    from the database exactly once before the view raises.  Rendering the
    error template must neither show the user menu nor trigger a second
    user lookup.
    """
    account = db_user.get_or_create('little_rsh')
    db_user.agree_to_gdpr(account['musicbrainz_id'])
    # Re-read after agreeing (presumably so the mocked loader hands back the
    # post-agreement row).
    account = db_user.get_or_create('little_rsh')
    mock_user_get.return_value = account

    @self.app.route('/page_that_returns_500')
    @login_required
    def view500():
        # @login_required has already loaded the user at this point.
        mock_user_get.assert_called_with(account['id'])
        raise InternalServerError('error')

    self.temporary_login(account['id'])
    response = self.client.get('/page_that_returns_500')
    body = response.data.decode('utf-8')

    # Signed-out menu: no profile entry, "Sign in" instead.
    self.assertNotIn('Your profile', body)
    self.assertIn('Sign in', body)
    # Exactly one lookup in total: the template did not cause another one.
    mock_user_get.assert_called_once_with(account['id'])
    self.assertIsInstance(self.get_context_variable('current_user'), webserver.login.User)
def test_edit(self):
    """Only the author can reach the dataset edit page.

    Anonymous callers are redirected (302) -- even for an id that does not
    exist, so the endpoint reveals nothing about dataset existence before
    login.  A different logged-in user gets 401, which is what the app
    returns today; 403 is the conventional status for an authenticated
    caller who lacks permission (the delete view in this suite answers 403).
    """
    def open_edit(ds_id):
        return self.client.get(url_for("datasets.edit", dataset_id=ds_id))

    # Unknown id, not logged in: redirect rather than 404.
    self.assertStatus(open_edit(self.test_uuid), 302)

    dataset_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)

    # Existing dataset, not logged in.
    self.assertStatus(open_edit(dataset_id), 302)

    # Logged in as somebody other than the author.
    other_user_id = user.create("another_tester")
    user.agree_to_gdpr("another_tester")
    self.temporary_login(other_user_id)
    self.assert401(open_edit(dataset_id))

    # Logged in as the author.
    self.temporary_login(self.test_user_id)
    self.assert200(open_edit(dataset_id))
def test_edit_service(self):
    """The JSON edit endpoint rejects everyone except the dataset author.

    Anonymous and foreign-user requests both get 401 (the app does not
    distinguish "not logged in" from "not allowed" here; 403 would be the
    conventional code for the latter).  Only the status of the author's
    request is checked -- this test does not verify the stored result.
    """
    dataset_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)
    service_url = url_for("datasets.edit_service", dataset_id=dataset_id)
    json_headers = {"Content-Type": "application/json"}
    payload = json.dumps(self.test_data)

    def post_edit():
        return self.client.post(service_url, headers=json_headers, data=payload)

    # Not logged in: 401 with the standard "could not verify" message.
    response = post_edit()
    self.assert401(response)
    self.assertTrue(response.json["message"].startswith(
        "The server could not verify that you are authorized"))

    # Logged in as somebody other than the author.
    other_user_id = user.create("another_tester")
    user.agree_to_gdpr("another_tester")
    self.temporary_login(other_user_id)
    self.assert401(post_edit())

    # Logged in as the author.
    self.temporary_login(self.test_user_id)
    self.assert200(post_edit())
def setUp(self):
    """Create one GDPR-agreed test user and an API key for them."""
    super(AuthorizationTestCase, self).setUp()
    mb_name = "tester"
    self.test_user_mb_name = mb_name
    self.test_user_id = user.create(mb_name)
    self.api_key = api_key.generate(self.test_user_id)
    # Agreement is recorded after key generation, by MusicBrainz name.
    user.agree_to_gdpr(mb_name)
def _test_view_with_get_dataset(self, view_name):
    """Exercise the access rules of a view that loads its dataset via datasets.get_dataset.

    Expected responses: unknown id -> 404; public dataset -> 200 whether or
    not anyone is logged in; private dataset -> 200 for its author and 404
    (not 403) for any other user, so a private dataset's existence is not
    revealed to non-authors.

    :param view_name: endpoint name passed to ``url_for`` with ``dataset_id``.
    """
    def get_view(ds_id):
        return self.client.get(url_for(view_name, dataset_id=ds_id))

    # Unknown dataset.
    self.assert404(get_view(self.test_uuid))

    # Public dataset, anonymous.
    public_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)
    self.assert200(get_view(public_id))

    # Public dataset, logged in.
    self.temporary_login(self.test_user_id)
    self.assert200(get_view(public_id))

    # Private dataset, viewed by its author.
    self.test_data["public"] = False
    private_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)
    self.assert200(get_view(private_id))

    # Private dataset, viewed by someone else: hidden behind a 404.
    other_user_id = user.create("another_tester")
    user.agree_to_gdpr("another_tester")
    self.temporary_login(other_user_id)
    self.assert404(get_view(private_id))
def test_menu_logged_in_error_show(self, mock_user_get):
    """400 and 404 error pages for a logged-in user still show the user menu."""
    @self.app.route('/page_that_returns_400')
    def view400():
        raise BadRequest('bad request')

    @self.app.route('/page_that_returns_404')
    def view404():
        raise NotFound('not found')

    account = db_user.get_or_create('little_rsh')
    db_user.agree_to_gdpr(account['musicbrainz_id'])
    account = db_user.get_or_create('little_rsh')
    mock_user_get.return_value = account
    self.temporary_login(account['id'])

    for path, assert_status in (('/page_that_returns_400', self.assert400),
                                ('/page_that_returns_404', self.assert404)):
        response = self.client.get(path)
        body = response.data.decode('utf-8')
        assert_status(response)
        # Menu header carries the username; the profile entry is present.
        self.assertIn('little_rsh', body)
        self.assertIn('Your profile', body)
        mock_user_get.assert_called_with(account['id'])
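def test_delete(self):
    """Dataset deletion is restricted to the author.

    Anonymous: GET and POST are redirected (302) even for an unknown id,
    so the endpoint does not reveal which ids exist before login.
    Another logged-in user: 403 on both verbs and the dataset survives.
    The author: 200 on GET (confirmation page), POST redirects to the
    profile page and the dataset is gone.
    """
    # Redirect rather than 404 for an unknown id.
    resp = self.client.get(url_for("datasets.delete", dataset_id=self.test_uuid))
    self.assertStatus(resp, 302)

    dataset_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)

    # Not logged in: both verbs redirect and nothing is deleted.
    resp = self.client.get(url_for("datasets.delete", dataset_id=dataset_id))
    self.assertStatus(resp, 302)
    resp = self.client.post(url_for("datasets.delete", dataset_id=dataset_id))
    self.assertStatus(resp, 302)
    # assertEqual (not assertTrue on a comparison) so a failure reports the count.
    self.assertEqual(len(dataset.get_by_user_id(self.test_user_id)), 1)

    # Another user: forbidden on both verbs and nothing is deleted.
    another_user_id = user.create("another_tester")
    user.agree_to_gdpr("another_tester")
    self.temporary_login(another_user_id)
    resp = self.client.get(url_for("datasets.delete", dataset_id=dataset_id))
    self.assert403(resp)
    resp = self.client.post(url_for("datasets.delete", dataset_id=dataset_id))
    self.assert403(resp)
    self.assertEqual(len(dataset.get_by_user_id(self.test_user_id)), 1)

    # Deleting properly, as the author.
    self.temporary_login(self.test_user_id)
    resp = self.client.get(url_for("datasets.delete", dataset_id=dataset_id))
    self.assert200(resp)
    resp = self.client.post(url_for("datasets.delete", dataset_id=dataset_id))
    self.assertRedirects(resp, url_for("user.profile", musicbrainz_id=self.test_user_mb_name))
    self.assertEqual(len(dataset.get_by_user_id(self.test_user_id)), 0)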
def test_edit_service(self):
    """The JSON edit endpoint is usable only by the dataset author.

    Both the anonymous request and the request from another logged-in
    user are answered with 401 (403 would be the conventional status for
    an authenticated caller without permission).  The author's request
    is only checked for a 200; the persisted content is not inspected.
    """
    dataset_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)
    endpoint = url_for("datasets.edit_service", dataset_id=dataset_id)
    request_kwargs = {
        "headers": {"Content-Type": "application/json"},
        "data": json.dumps(self.test_data),
    }

    # Anonymous caller.
    response = self.client.post(endpoint, **request_kwargs)
    self.assert401(response)
    expected_prefix = "The server could not verify that you are authorized"
    self.assertTrue(response.json["message"].startswith(expected_prefix))

    # A different, GDPR-agreed user.
    other_user_id = user.create("another_tester")
    user.agree_to_gdpr("another_tester")
    self.temporary_login(other_user_id)
    response = self.client.post(endpoint, **request_kwargs)
    self.assert401(response)

    # The author.
    self.temporary_login(self.test_user_id)
    response = self.client.post(endpoint, **request_kwargs)
    self.assert200(response)
def test_menu_logged_in(self, mock_user_get):
    """Rendering a page for a logged-in user queries the database for that user."""
    account = db_user.get_or_create('little_rsh')
    db_user.agree_to_gdpr(account['musicbrainz_id'])
    account = db_user.get_or_create('little_rsh')
    mock_user_get.return_value = account
    self.temporary_login(account['id'])

    body = self.client.get(url_for('index.index')).data.decode('utf-8')
    self.assertIn('little_rsh', body)      # username in the menu header
    self.assertIn('Your profile', body)    # entry in the user menu
    mock_user_get.assert_called_with(account['id'])
def test_gdpr_redirect(self):
    """A logged-in user who has not accepted the GDPR terms is sent to the notice page.

    After the agreement is recorded the same request is served directly.
    """
    newcomer = db_user.get_or_create('newuser')
    self.temporary_login(newcomer['id'])

    response = self.client.get(url_for('index.index'))
    self.assertStatus(response, 302)
    self.assertIn(url_for('index.gdpr_notice'), response.location)

    # The user accepts; no more redirect.
    db_user.agree_to_gdpr(newcomer['musicbrainz_id'])
    response = self.client.get(url_for('index.index'))
    self.assert200(response)
    self.assertIsNone(response.location)
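def gdpr_notice():
    """Show the GDPR notice and record the user's choice.

    GET renders the notice.  POST reads the ``gdpr-options`` field:
    ``agree`` stores the agreement and redirects to ``next`` (form field)
    or the index; ``disagree`` redirects to logout, forwarding ``next``
    (query string) to it; anything else re-renders the page with an error.
    Other methods fall through and return None, as before.

    ``next`` is request-controlled, so it is honoured only when it is a
    same-site relative path; any absolute or scheme-relative URL is
    discarded.  Previously it was redirected to unchecked (open redirect).
    """
    from urllib.parse import urlparse

    def _is_safe_redirect_target(target):
        # Accept only a path on this site: must start with a single '/',
        # must not be '//host' or '/\host' (browsers treat both as a foreign
        # origin), and must parse with no scheme and no network location.
        if not target or not isinstance(target, str):
            return False
        if not target.startswith('/') or target.startswith(('//', '/\\')):
            return False
        parsed = urlparse(target)
        return not parsed.scheme and not parsed.netloc

    if request.method == 'GET':
        return render_template('index/gdpr.html', next=request.args.get('next'))
    elif request.method == 'POST':
        # NOTE(review): no CSRF token is checked on this POST in the code
        # shown here; confirm CSRF protection is applied elsewhere.
        choice = request.form.get('gdpr-options')
        if choice == 'agree':
            try:
                db_user.agree_to_gdpr(current_user.musicbrainz_id)
            except db.exceptions.DatabaseException:
                # Storage failed; the user is told and still redirected.
                flash.error('Could not store agreement to GDPR terms')
            next_url = request.form.get('next')
            if _is_safe_redirect_target(next_url):
                return redirect(next_url)
            return redirect(url_for('index.index'))
        elif choice == 'disagree':
            # Read from the query string here (the form field is used above);
            # only a safe value is forwarded, otherwise the parameter is dropped.
            next_url = request.args.get('next')
            if not _is_safe_redirect_target(next_url):
                next_url = None
            return redirect(url_for('login.logout', next=next_url))
        else:
            flash.error('You must agree to or decline our terms')
            return render_template('index/gdpr.html', next=request.args.get('next'))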
def setUp(self):
    """Create a GDPR-agreed author, a public two-class dataset and the low-level data it references."""
    super(DatasetsViewsTestCase, self).setUp()
    mb_name = "tester"
    self.test_user_mb_name = mb_name
    self.test_user_id = user.create(mb_name)
    user.agree_to_gdpr(mb_name)

    # An id that is expected not to exist, for the "no such dataset" paths.
    self.test_uuid = "123e4567-e89b-12d3-a456-426655440000"
    self.test_mbid_1 = "e8afe383-1478-497e-90b1-7885c7f37f6e"
    self.test_mbid_2 = "0dad432b-16cc-4bf0-8961-fd31d124b01b"
    recordings = [self.test_mbid_1, self.test_mbid_2]
    self.test_data = {
        "name": "Test",
        "description": "",
        "classes": [
            {
                "name": "Class #1",
                "description": "This is a description of class #1!",
                # Each class gets its own list object.
                "recordings": list(recordings),
            },
            {
                "name": "Class #2",
                "description": "",
                "recordings": list(recordings),
            },
        ],
        "public": True,
    }
    # Evaluating a dataset requires the referenced low-level data to exist.
    for mbid in recordings:
        self.load_low_level_data(mbid)
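def gdpr_notice():
    """Render the GDPR notice (GET) or record the user's answer (POST).

    POST branches on the ``gdpr-options`` field: ``agree`` stores the
    agreement and redirects to the ``next`` form field or the index;
    ``disagree`` redirects to logout with ``next`` taken from the query
    string; any other value re-renders the notice with an error.  Methods
    other than GET/POST fall through and return None, unchanged.

    Because ``next`` comes from the request, it is used only when it is a
    same-site relative path.  Redirecting to it unchecked, as the previous
    version did, is an open redirect.
    """
    from urllib.parse import urlparse

    def _is_safe_redirect_target(target):
        # Must be a string starting with exactly one '/' (not '//host' or
        # '/\host', which browsers resolve to another origin) and parse
        # without a scheme or netloc.
        if not target or not isinstance(target, str):
            return False
        if not target.startswith('/') or target.startswith(('//', '/\\')):
            return False
        parsed = urlparse(target)
        return not parsed.scheme and not parsed.netloc

    if request.method == 'GET':
        return render_template('index/gdpr.html', next=request.args.get('next'))
    elif request.method == 'POST':
        # NOTE(review): no CSRF check is visible on this POST; confirm the
        # application applies one elsewhere.
        choice = request.form.get('gdpr-options')
        if choice == 'agree':
            try:
                db_user.agree_to_gdpr(current_user.musicbrainz_id)
            except db.exceptions.DatabaseException:
                # The user is informed but the redirect still happens.
                flash.error('Could not store agreement to GDPR terms')
            next_url = request.form.get('next')
            if _is_safe_redirect_target(next_url):
                return redirect(next_url)
            return redirect(url_for('index.index'))
        elif choice == 'disagree':
            # Query-string 'next' (the form field is used above); an unsafe
            # value is dropped rather than forwarded to logout.
            next_url = request.args.get('next')
            if not _is_safe_redirect_target(next_url):
                next_url = None
            return redirect(url_for('login.logout', next=next_url))
        else:
            flash.error('You must agree to or decline our terms')
            return render_template('index/gdpr.html', next=request.args.get('next'))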
def test_edit(self):
    """The dataset edit page is reachable only by the dataset's author.

    An anonymous request is redirected (302), including for an id that
    does not exist, so nothing about existence leaks before login.  A
    different logged-in user receives 401 -- the app's current behaviour;
    403 is the conventional status for an authenticated caller without
    permission.
    """
    edit_url = "datasets.edit"

    # Unknown id while anonymous: redirect, not 404.
    response = self.client.get(url_for(edit_url, dataset_id=self.test_uuid))
    self.assertStatus(response, 302)

    dataset_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)

    # Known id while anonymous.
    response = self.client.get(url_for(edit_url, dataset_id=dataset_id))
    self.assertStatus(response, 302)

    # Known id as a different, GDPR-agreed user.
    other_user_id = user.create("another_tester")
    user.agree_to_gdpr("another_tester")
    self.temporary_login(other_user_id)
    response = self.client.get(url_for(edit_url, dataset_id=dataset_id))
    self.assert401(response)

    # Known id as the author.
    self.temporary_login(self.test_user_id)
    response = self.client.get(url_for(edit_url, dataset_id=dataset_id))
    self.assert200(response)
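def gdpr_notice():
    """Show the GDPR notice and record the user's choice via ``GdprForm``.

    On a valid submission (``form.validate_on_submit()`` -- which also
    checks the CSRF token if Flask-WTF CSRF protection is enabled; confirm
    in the app config) ``agree`` stores the agreement and redirects to the
    ``next`` form field or the index; ``disagree`` redirects to logout with
    ``next`` from the query string; any other value re-renders the form
    with an error.  A GET or an invalid POST renders the form.

    ``next`` is request-controlled and is therefore only honoured when it
    is a same-site relative path; the previous unchecked redirect was an
    open redirect.
    """
    from urllib.parse import urlparse

    def _is_safe_redirect_target(target):
        # Same-site path only: a single leading '/', not '//host' or
        # '/\host' (both resolve to a foreign origin in browsers), and no
        # scheme or netloc once parsed.
        if not target or not isinstance(target, str):
            return False
        if not target.startswith('/') or target.startswith(('//', '/\\')):
            return False
        parsed = urlparse(target)
        return not parsed.scheme and not parsed.netloc

    form = GdprForm()
    if not form.validate_on_submit():
        return render_template('index/gdpr.html', form=form, next=request.args.get('next'))

    choice = form.preference.data
    if choice == 'agree':
        try:
            db_user.agree_to_gdpr(current_user.musicbrainz_id)
        except db.exceptions.DatabaseException:
            # The user is told; the redirect below still happens.
            flash.error('Could not store agreement to GDPR terms')
        next_url = request.form.get('next')
        if _is_safe_redirect_target(next_url):
            return redirect(next_url)
        return redirect(url_for('index.index'))
    elif choice == 'disagree':
        # Query-string 'next' here (form field above); drop it if unsafe
        # instead of forwarding it to the logout view.
        next_url = request.args.get('next')
        if not _is_safe_redirect_target(next_url):
            next_url = None
        return redirect(url_for('login.logout', next=next_url))
    else:
        flash.error('You must agree to or decline our terms')
        return render_template('index/gdpr.html', form=form, next=request.args.get('next'))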
def setUp(self):
    """Create one test user who has agreed to the GDPR terms."""
    super(SimilarityViewsTestCase, self).setUp()
    mb_name = "tester"
    self.test_user_mb_name = mb_name
    self.test_user_id = user.create(mb_name)
    user.agree_to_gdpr(mb_name)