def test_create_object_with_constrained_permission(self): initial_count = self._get_queryset().count() # Assign constrained permission obj_perm = ObjectPermission( name="Test permission", constraints={"pk": str(uuid.uuid4())}, # Dummy permission to deny all actions=["add"], ) obj_perm.save() obj_perm.users.add(self.user) obj_perm.object_types.add(ContentType.objects.get_for_model(self.model)) # Try GET with object-level permission self.assertHttpStatus(self.client.get(self._get_url("add")), 200) # Try to create an object (not permitted) request = { "path": self._get_url("add"), "data": post_data(self.form_data), } self.assertHttpStatus(self.client.post(**request), 200) self.assertEqual(initial_count, self._get_queryset().count()) # Check that no object was created # Update the ObjectPermission to allow creation obj_perm.constraints = {"pk__isnull": False} obj_perm.save() # Try to create an object (permitted) request = { "path": self._get_url("add"), "data": post_data(self.form_data), } self.assertHttpStatus(self.client.post(**request), 302) self.assertEqual(initial_count + 1, self._get_queryset().count()) if hasattr(self.model, "last_updated"): self.assertInstanceEqual(self._get_queryset().order_by("last_updated").last(), self.form_data) else: self.assertInstanceEqual(self._get_queryset().last(), self.form_data)
def test_bulk_edit_objects_with_constrained_permission(self): pk_list = list(self._get_queryset().values_list("pk", flat=True)[:3]) data = { "pk": pk_list, "_apply": True, # Form button } # Append the form data to the request data.update(post_data(self.bulk_edit_data)) # Dynamically determine a constraint that will *not* be matched by the updated objects. attr_name = list(self.bulk_edit_data.keys())[0] field = self.model._meta.get_field(attr_name) value = field.value_from_object(self._get_queryset().first()) # Assign constrained permission obj_perm = ObjectPermission( name="Test permission", constraints={attr_name: value}, actions=["change"], ) obj_perm.save() obj_perm.users.add(self.user) obj_perm.object_types.add(ContentType.objects.get_for_model(self.model)) # Attempt to bulk edit permitted objects into a non-permitted state response = self.client.post(self._get_url("bulk_edit"), data) self.assertHttpStatus(response, 200) # Update permission constraints obj_perm.constraints = {"pk__gt": 0} obj_perm.save() # Bulk edit permitted objects self.assertHttpStatus(self.client.post(self._get_url("bulk_edit"), data), 302) for i, instance in enumerate(self._get_queryset().filter(pk__in=pk_list)): self.assertInstanceEqual(instance, self.bulk_edit_data)
def test_create_multiple_objects_with_constrained_permission(self): initial_count = self._get_queryset().count() request = { "path": self._get_url("add"), "data": post_data(self.bulk_create_data), } # Assign constrained permission obj_perm = ObjectPermission( name="Test permission", actions=["add"], constraints={"pk": uuid.uuid4()}, # Dummy constraint to deny all ) obj_perm.save() obj_perm.users.add(self.user) obj_perm.object_types.add(ContentType.objects.get_for_model(self.model)) # Attempt to make the request with unmet constraints self.assertHttpStatus(self.client.post(**request), 200) self.assertEqual(self._get_queryset().count(), initial_count) # Update the ObjectPermission to allow creation obj_perm.constraints = {"pk__isnull": False} # Dummy constraint to allow all obj_perm.save() response = self.client.post(**request) self.assertHttpStatus(response, 302) self.assertEqual(initial_count + self.bulk_create_count, self._get_queryset().count()) matching_count = 0 for instance in self._get_queryset().all(): try: self.assertInstanceEqual(instance, self.bulk_create_data) matching_count += 1 except AssertionError: pass self.assertEqual(matching_count, self.bulk_create_count)
def test_bulk_delete_objects_with_constrained_permission(self): initial_count = self._get_queryset().count() pk_list = self._get_queryset().values_list("pk", flat=True) data = { "pk": pk_list, "confirm": True, "_confirm": True, # Form button } # Assign constrained permission obj_perm = ObjectPermission( name="Test permission", constraints={"pk": str(uuid.uuid4()) }, # Dummy permission to deny all actions=["delete"], ) obj_perm.save() obj_perm.users.add(self.user) obj_perm.object_types.add( ContentType.objects.get_for_model(self.model)) # Attempt to bulk delete non-permitted objects self.assertHttpStatus( self.client.post(self._get_url("bulk_delete"), data), 302) self.assertEqual(self._get_queryset().count(), initial_count) # Update permission constraints obj_perm.constraints = { "pk__isnull": False } # Dummy permission to allow all obj_perm.save() # Bulk delete permitted objects self.assertHttpStatus( self.client.post(self._get_url("bulk_delete"), data), 302) self.assertEqual(self._get_queryset().count(), 0)