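def test_api_permissions_admin_user(admin_user):
    """Walk an admin client through every PermissionLevel of the user API.

    At DISABLED both GET and POST must be refused with 403; at every other
    level the admin must be able to list users and DELETE the newest one.
    Each level deletes one factory-created user so that, at the end, only the
    admin itself is expected to remain.
    """
    users = [admin_user, UserFactory(), UserFactory(), UserFactory(), UserFactory()]
    get_default_shop()
    viewset = UserViewSet()
    client = _get_client(admin_user)
    permission_key = make_permission_config_key(viewset)

    def assert_listing_matches(expected_users):
        # GET must succeed, and every returned entry must line up by id with
        # the users we created (both sides ordered by id).
        # NOTE(review): this only checks entries the API returned; it does not
        # assert the response length equals len(expected_users).
        response = client.get("/api/test/user/")
        assert response.status_code == status.HTTP_200_OK
        listed = sorted(json.loads(response.content.decode("utf-8")), key=lambda u: u["id"])
        for ix, entry in enumerate(listed):
            assert expected_users[ix].id == entry["id"]

    def assert_delete_last(expected_users):
        # DELETE of the newest remaining user must be accepted with 204; the
        # local expectation list is trimmed to match.
        url = "/api/test/user/%d/" % expected_users[-1].id
        assert client.delete(url).status_code == status.HTTP_204_NO_CONTENT
        expected_users.pop()

    # DISABLED: even the admin is refused, for reads and writes alike.
    config.set(None, permission_key, PermissionLevel.DISABLED)
    assert client.get("/api/test/user/").status_code == status.HTTP_403_FORBIDDEN
    assert client.post("/api/test/user/", {"email": "*****@*****.**"}).status_code == status.HTTP_403_FORBIDDEN

    # PUBLIC_WRITE: listing and deletion both allowed.
    config.set(None, permission_key, PermissionLevel.PUBLIC_WRITE)
    assert_listing_matches(users)
    assert_delete_last(users)

    # PUBLIC_READ: the admin may still delete.
    config.set(None, permission_key, PermissionLevel.PUBLIC_READ)
    assert_listing_matches(users)
    assert_delete_last(users)

    # AUTHENTICATED_READ: the admin may still delete.
    config.set(None, permission_key, PermissionLevel.AUTHENTICATED_READ)
    assert_listing_matches(users)
    assert_delete_last(users)

    # AUTHENTICATED_WRITE: GET status only, then delete.
    config.set(None, permission_key, PermissionLevel.AUTHENTICATED_WRITE)
    assert client.get("/api/test/user/").status_code == status.HTTP_200_OK
    assert_delete_last(users)

    # ADMIN: GET status only, then delete.
    config.set(None, permission_key, PermissionLevel.ADMIN)
    assert client.get("/api/test/user/").status_code == status.HTTP_200_OK
    assert_delete_last(users)

    # Every factory user has been deleted, so only the admin must remain.
    # This line previously lacked ``assert`` and therefore checked nothing.
    assert get_user_model().objects.count() == 1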
def test_api_permissions_anonymous():
    """Walk an anonymous client through every PermissionLevel of the user API.

    Only the PUBLIC_* levels grant any access: PUBLIC_WRITE allows listing and
    deletion, PUBLIC_READ allows listing but refuses DELETE with 401, and the
    remaining levels refuse everything with 401.
    """
    users = [UserFactory(), UserFactory(), UserFactory(), UserFactory()]
    get_default_shop()
    viewset = UserViewSet()
    client = _get_client()
    permission_key = make_permission_config_key(viewset)

    def fetch_listing(expected_users):
        # GET must succeed; returned entries are compared by id against the
        # users we created, both sides ordered by id. Returns the listing.
        response = client.get("/api/test/user/")
        assert response.status_code == status.HTTP_200_OK
        listed = sorted(json.loads(response.content.decode("utf-8")), key=lambda u: u["id"])
        for ix, entry in enumerate(listed):
            assert expected_users[ix].id == entry["id"]
        return listed

    def delete_last_url(expected_users):
        return "/api/test/user/%d/" % expected_users[-1].id

    # DISABLED: unauthenticated callers are refused with 401.
    config.set(None, permission_key, PermissionLevel.DISABLED)
    assert client.get("/api/test/user/").status_code == status.HTTP_401_UNAUTHORIZED
    assert client.post("/api/test/user/", {"email": "*****@*****.**"}).status_code == status.HTTP_401_UNAUTHORIZED

    # PUBLIC_WRITE: listing and deletion are both open.
    config.set(None, permission_key, PermissionLevel.PUBLIC_WRITE)
    fetch_listing(users)
    assert client.delete(delete_last_url(users)).status_code == status.HTTP_204_NO_CONTENT
    users.pop()

    # PUBLIC_READ: listing is open, but DELETE is not a safe method and is refused.
    config.set(None, permission_key, PermissionLevel.PUBLIC_READ)
    user_data = fetch_listing(users)
    assert client.delete(delete_last_url(users)).status_code == status.HTTP_401_UNAUTHORIZED

    # AUTHENTICATED_READ / AUTHENTICATED_WRITE / ADMIN: nothing is reachable anonymously.
    for level in (PermissionLevel.AUTHENTICATED_READ, PermissionLevel.AUTHENTICATED_WRITE):
        config.set(None, permission_key, level)
        assert client.get("/api/test/user/").status_code == status.HTTP_401_UNAUTHORIZED
        assert client.delete(delete_last_url(users)).status_code == status.HTTP_401_UNAUTHORIZED

    config.set(None, permission_key, PermissionLevel.ADMIN)
    assert client.get("/api/test/user/").status_code == status.HTTP_401_UNAUTHORIZED

    # PUT is refused as well; None values are stripped from the payload first
    # because they cannot be posted by the test client.
    payload = {k: v for k, v in user_data[0].items() if v is not None}
    assert client.put("/api/test/user/", payload).status_code == status.HTTP_401_UNAUTHORIZED
def test_admin(rf):
    """GET renders the permission view; POST stores the selected level."""
    get_default_shop()
    view = APIPermissionView.as_view()

    # A plain GET must render without error.
    get_request = apply_request_middleware(rf.get("/"))
    assert view(get_request).status_code == 200

    # Nothing has been configured for the user viewset yet.
    perm_key = make_permission_config_key(UserViewSet())
    assert configuration.get(None, perm_key) is None

    # Posting the form redirects and persists the chosen level under the key.
    post_request = apply_request_middleware(rf.post("/", {perm_key: PermissionLevel.ADMIN}))
    assert view(post_request).status_code == 302
    assert int(configuration.get(None, perm_key)) == PermissionLevel.ADMIN
    def __init__(self, **kwargs):
        """Build one ChoiceField per viewset registered on the API router.

        Each field is keyed by the viewset's permission config key, starts at
        the value currently stored under that key (or DEFAULT_PERMISSION), and
        offers API_PERMISSION_CHOICES so the merchant can pick a level per
        viewset.
        """
        super(APIPermissionForm, self).__init__(**kwargs)

        for __, viewset, basename in api_urls.router.registry:
            instance = viewset()
            key = make_permission_config_key(instance)
            current = configuration.get(None, key, DEFAULT_PERMISSION)

            # Viewsets that opt into PermissionHelperMixin supply their own
            # help text; the rest fall back to the instance's view description.
            if issubclass(viewset, PermissionHelperMixin):
                description = viewset.get_help_text()
            else:
                description = instance.get_view_description()

            self.fields[key] = forms.ChoiceField(
                label=instance.get_view_name() or basename,
                help_text=description,
                initial=current,
                required=False,
                choices=self.API_PERMISSION_CHOICES,
            )