def test_draft_questionnaire_is_listed_in_controls_data_if_user_is_inspector():
    """An inspector of a control sees both its published and draft questionnaires.

    Both titles must appear in the body returned by ``list_control`` for a
    user built with ``utils.make_inspector_user`` on that control.
    """
    ctrl = factories.ControlFactory()
    factories.QuestionnaireFactory(control=ctrl, is_draft=False, title='MUST BE LISTED')
    factories.QuestionnaireFactory(control=ctrl, is_draft=True, title='MUST ALSO BE LISTED')
    inspector = utils.make_inspector_user(ctrl)

    listing = list_control(inspector)

    assert listing.status_code == 200
    body = str(listing.content)
    assert 'MUST BE LISTED' in body
    assert 'MUST ALSO BE LISTED' in body
def test_as_auditor_questionnaire_is_not_listed_if_not_associated_with_user_control():
    """An audited user is only shown questionnaires of their own control.

    A published questionnaire on a second, unrelated control must be absent
    from the body returned by ``list_control``.
    """
    own_control = factories.ControlFactory()
    foreign_control = factories.ControlFactory()
    factories.QuestionnaireFactory(
        control=own_control, is_draft=False, title='MUST BE LISTED')
    factories.QuestionnaireFactory(
        control=foreign_control, is_draft=False, title='MUST NOT BE LISTED')
    audited = utils.make_audited_user(own_control)

    listing = list_control(audited)

    assert listing.status_code == 200
    body = str(listing.content)
    assert 'MUST BE LISTED' in body
    # Cross-control leak check: the foreign title must not be rendered at all.
    assert 'MUST NOT BE LISTED' not in body
def test_no_access_to_questionnaire_api_if_control_is_not_associated_with_the_user():
    """An inspector cannot create a questionnaire in a control they are not on.

    The create call targets the control of a second questionnaire; it must
    not answer 201 and ``assert_no_data_is_saved`` must still hold afterwards.
    """
    own_qr = factories.QuestionnaireFactory()
    foreign_qr = factories.QuestionnaireFactory()
    # Guard the fixture itself: the two questionnaires must sit on distinct controls.
    assert own_qr.control.id != foreign_qr.control.id
    inspector = utils.make_inspector_user(own_qr.control)

    # create
    foreign_payload = make_create_payload(foreign_qr.control.id)
    clear_saved_data()
    creation = create_questionnaire(inspector, foreign_payload)
    # NOTE(review): "!= 201" is also satisfied by a 200 or a 5xx; the
    # no-data-saved check below is what actually pins the denial. Consider
    # asserting the expected 4xx once the view's denial code is confirmed.
    assert creation.status_code != 201
    assert_no_data_is_saved()
def test_as_auditor_questionnaire_is_not_listed_if_associated_with_deleted_control():
    """Questionnaires of a deleted control stay hidden from a user still linked to it.

    The audited user is attached to both controls before one of them is
    deleted; only the surviving control's questionnaire may be listed.
    """
    live_control = factories.ControlFactory()
    doomed_control = factories.ControlFactory()
    factories.QuestionnaireFactory(
        control=live_control, is_draft=False, title='MUST BE LISTED')
    factories.QuestionnaireFactory(
        control=doomed_control, is_draft=False, title='MUST NOT BE LISTED')
    audited = utils.make_audited_user(live_control)
    # Link first, delete second: the membership exists when the control goes away.
    audited.profile.controls.add(doomed_control)
    doomed_control.delete()

    listing = list_control(audited)

    assert listing.status_code == 200
    body = str(listing.content)
    assert 'MUST BE LISTED' in body
    assert 'MUST NOT BE LISTED' not in body
def test_audited_cannot_download_questionnaire_file_if_draft(client):
    """An audited user on the right control still gets 404 for a draft's file."""
    draft = factories.QuestionnaireFactory(is_draft=True)
    audited = utils.make_audited_user(draft.control)
    utils.login(client, user=audited)

    download = client.get(reverse('send-questionnaire-file', args=[draft.id]))

    assert download.status_code == 404
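def test_send_response_file_list_does_not_contais_files_from_other_questionnaire(
        client):
    """The export of one questionnaire must not include a sibling's response file.

    Two published questionnaires share a control and each has one non-deleted
    response file; ``get_files_for_export`` on the first must return exactly
    one file, whose name matches the first questionnaire's response file.
    """
    response_file_1 = factories.ResponseFileFactory(is_deleted=False)
    questionnaire_1 = response_file_1.question.theme.questionnaire
    questionnaire_1.is_draft = False
    questionnaire_1.save()
    assert not questionnaire_1.is_draft

    # Questionnaire 2 in same control as questionnaire 1
    questionnaire_2 = factories.QuestionnaireFactory(
        control=questionnaire_1.control)
    questionnaire_2.is_draft = False
    questionnaire_2.save()
    assert not questionnaire_2.is_draft
    theme_2 = factories.ThemeFactory(questionnaire=questionnaire_2)
    question_2 = factories.QuestionFactory(theme=theme_2)
    # Distractor file on the sibling questionnaire. Only its existence matters,
    # so the result is no longer bound to an unused local.
    factories.ResponseFileFactory(is_deleted=False, question=question_2)

    # Kept for its setup side effect; the returned user was never read, since
    # get_files_for_export() is called with the questionnaire only.
    utils.make_audited_user(questionnaire_1.control)

    files = get_files_for_export(questionnaire_1)

    assert len(files) == 1
    assert files[0].file.name == response_file_1.file.name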
def test_can_access_questionnaire_api_if_control_is_associated_with_the_user():
    """An inspector on the control can create a questionnaire there (201)."""
    existing = factories.QuestionnaireFactory()

    # create
    inspector = utils.make_inspector_user(existing.control)
    create_payload = make_create_payload(existing.control.id)
    creation = create_questionnaire(inspector, create_payload)
    assert creation.status_code == 201
def test_no_access_to_questionnaire_api_for_anonymous():
    """Retrieve, update, delete and create all answer 403 without a login.

    The create attempt is additionally checked with ``assert_no_data_is_saved``.
    """
    # NOTE(review): `client` is not a parameter of this test; presumably a
    # module-level test client defined elsewhere in the file. Confirm.
    target = factories.QuestionnaireFactory()

    # retrieve is never allowed
    retrieved = utils.get_resource_without_login(client, 'questionnaire', target.id)
    assert retrieved.status_code == 403

    # update
    update_payload = make_update_payload(target)
    updated = utils.update_resource_without_login(client, 'questionnaire', update_payload)
    assert updated.status_code == 403

    # delete is never allowed
    deleted = utils.delete_resource_without_login(client, 'questionnaire', target.id)
    assert deleted.status_code == 403

    # create
    clear_saved_data()
    create_payload = make_create_payload(target.control.id)
    created = utils.create_resource_without_login(client, 'questionnaire', create_payload)
    assert created.status_code == 403
    assert_no_data_is_saved()
def increment_ids():
    """Burn a few primary keys so related objects stop sharing id 1.

    Five themes and then five questionnaires are created through their
    factories, after which ``clear_saved_data`` is called.
    """
    # Throwaway objects: without them question.id = theme.id = qr.id = 1, and a
    # test that mixes up two kinds of id would still pass.
    for factory in (factories.ThemeFactory, factories.QuestionnaireFactory):
        for _ in range(5):
            factory()
    clear_saved_data()
def test_send_response_file_list_fails_for_draft_questionnaire_for_audited(
        client):
    """An audited user on the control gets no response-file list for a draft."""
    draft = factories.QuestionnaireFactory(is_draft=True)
    audited = utils.make_audited_user(draft.control)

    listing = get_response_list(client, audited, draft.id)

    # NOTE(review): "!= 200" also passes on a redirect or a 5xx; consider
    # pinning the expected denial code once it is confirmed for this view.
    assert listing.status_code != 200
def test_send_response_file_list_fails_for_draft_questionnaire_for_inspector(
        client):
    """An inspector on the control gets no response-file list for a draft either."""
    draft = factories.QuestionnaireFactory(is_draft=True)
    inspector = utils.make_inspector_user(draft.control)
    utils.login(client, user=inspector)

    listing = client.get(reverse('send-response-file-list', args=[draft.id]))

    # NOTE(review): "!= 200" also passes on a redirect or a 5xx; consider
    # pinning the expected denial code once it is confirmed for this view.
    assert listing.status_code != 200
def test_send_response_file_list_works_for_inspector_if_the_control_is_associated_with_the_user(
        client):
    """An inspector on the control gets 200 for a published questionnaire's file list."""
    published = factories.QuestionnaireFactory(is_draft=False)
    inspector = utils.make_inspector_user(published.control)

    listing = get_response_list(client, inspector, published.id)

    assert listing.status_code == 200
def test_user_cannot_set_editor_if_they_cannot_access_the_questionnaire():
    """An inspector created without any control cannot make themselves editor.

    ``call_api`` is invoked with the user's own id as the requested editor and
    must answer with a 4xx status.
    """
    ctrl = factories.ControlFactory()
    # control=None: this inspector is deliberately not attached to `ctrl`.
    outsider = utils.make_inspector_user(control=None, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(control=ctrl, is_draft=True)

    outcome = call_api(outsider, draft.id, outsider.id)

    assert 400 <= outcome.status_code < 500
def test_send_response_file_list_fails_for_inspector_if_the_control_is_not_associated_with_the_user(
        client):
    """An inspector of another control gets no file list for this questionnaire."""
    published = factories.QuestionnaireFactory(is_draft=False)
    other_control = factories.ControlFactory()
    outsider = utils.make_inspector_user(other_control)

    listing = get_response_list(client, outsider, published.id)

    # NOTE(review): "!= 200" also passes on a redirect or a 5xx; consider
    # pinning the expected denial code once it is confirmed for this view.
    assert listing.status_code != 200
def test_audited_cannot_access_api():
    """An audited user gets a 4xx from the editor API, even as current editor.

    The questionnaire's editor is checked before and after the call and must
    remain the same user.
    """
    ctrl = factories.ControlFactory()
    audited = utils.make_audited_user(ctrl)
    draft = factories.QuestionnaireFactory(control=ctrl, is_draft=True, editor=audited)
    assert_questionnaire_has_editor(draft, audited)

    outcome = call_api(audited, draft.id, audited.id)

    assert 400 <= outcome.status_code < 500
    # The refused call must not have changed the stored editor.
    assert_questionnaire_has_editor(draft, audited)
def test_download_questionnaire_file_fails_if_the_control_is_not_associated_with_the_user(
        client):
    """An audited user of another control cannot download this questionnaire's file."""
    published = factories.QuestionnaireFactory(is_draft=False)
    other_control = factories.ControlFactory()
    # Guard the fixture: the user's control must differ from the questionnaire's.
    assert other_control != published.control
    outsider = utils.make_audited_user(other_control)
    utils.login(client, user=outsider)

    download = client.get(reverse('send-questionnaire-file', args=[published.id]))

    # NOTE(review): "!= 200" also passes on a redirect or a 5xx; consider
    # pinning the expected denial code once it is confirmed for this view.
    assert download.status_code != 200
def __init__(self, client):
    """Fetch a published questionnaire's file as an audited user of its control.

    Stores the questionnaire's ``basename`` in ``self.filename`` and the GET
    response of the ``send-questionnaire-file`` URL in ``self.response``.
    """
    published = factories.QuestionnaireFactory(is_draft=False)
    self.filename = published.basename
    audited = utils.make_audited_user(published.control)
    utils.login(client, user=audited)
    self.response = client.get(
        reverse('send-questionnaire-file', args=[published.id]))
def test_no_questionnaire_update_if_control_is_deleted():
    """Updating a questionnaire whose control was deleted answers 403 or 404.

    The inspector and the update payload are prepared while the control still
    exists; the control is deleted just before the update call.
    """
    increment_ids()
    target = factories.QuestionnaireFactory()
    inspector = utils.make_inspector_user(target.control)
    update_payload = make_update_payload(target)
    target.control.delete()

    outcome = update_questionnaire(inspector, update_payload)

    assert 403 <= outcome.status_code <= 404
def test_noneditor_can_get_rights_on_questionnaire_without_editor():
    """An inspector on the control can claim a draft that has no editor.

    The draft starts with ``editor=None``; after a 200 from ``call_api`` the
    requesting user must be its editor.
    """
    ctrl = factories.ControlFactory()
    inspector = utils.make_inspector_user(ctrl, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(control=ctrl, is_draft=True, editor=None)
    assert_questionnaire_has_editor(draft, None)

    outcome = call_api(inspector, draft.id, inspector.id)

    assert outcome.status_code == 200
    assert_questionnaire_has_editor(draft, inspector)
def test_can_access_questionnaire_page_if_control_is_associated_with_the_user(
        client):
    """A user whose profile holds the control gets 200 on the detail page."""
    target = factories.QuestionnaireFactory()
    member = factories.UserFactory()
    member.profile.controls.add(target.control)
    member.profile.save()
    utils.login(client, user=member)

    page = client.get(reverse('questionnaire-detail', args=[target.id]))

    assert page.status_code == 200
def test_questionnaire_draft_update__non_editor_cannot_update():
    """An inspector on the control who is not the editor gets a 4xx on update."""
    increment_ids()
    target = factories.QuestionnaireFactory()
    # Attached to the control, but explicitly not assigned as editor.
    bystander = utils.make_inspector_user(
        target.control, assign_questionnaire_editor=False)
    update_payload = make_update_payload(target)
    update_payload['description'] = 'this is a great questionnaire.'

    outcome = update_questionnaire(bystander, update_payload)

    assert 400 <= outcome.status_code < 500
def test_no_access_to_editor_api_for_deleted_control():
    """The editor API answers 404 once the questionnaire's control is deleted.

    The caller is the current editor of the draft, so the refusal comes from
    the deleted control rather than from a missing editor right.
    """
    ctrl = factories.ControlFactory()
    inspector = utils.make_inspector_user(ctrl, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(control=ctrl, is_draft=True, editor=inspector)
    assert_questionnaire_has_editor(draft, inspector)
    ctrl.delete()

    outcome = call_api(inspector, draft.id, inspector.id)

    assert outcome.status_code == 404
def test_editor_can_transfer_rights():
    """The current editor can hand a draft over to another inspector of the control."""
    ctrl = factories.ControlFactory()
    current_editor = utils.make_inspector_user(ctrl, assign_questionnaire_editor=False)
    next_editor = utils.make_inspector_user(ctrl, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(
        control=ctrl, is_draft=True, editor=current_editor)
    assert_questionnaire_has_editor(draft, current_editor)

    outcome = call_api(current_editor, draft.id, next_editor.id)

    assert outcome.status_code == 200
    assert_questionnaire_has_editor(draft, next_editor)
def test_inspector_cannot_update_published_questionnaire():
    """Even its editor gets a 4xx when updating an already published questionnaire."""
    increment_ids()
    ctrl = factories.ControlFactory()
    inspector = utils.make_inspector_user(ctrl)
    published = factories.QuestionnaireFactory(
        is_draft=False, control=ctrl, editor=inspector)
    update_payload = make_update_payload(published)

    # The target is no longer a draft, so the update must be refused.
    outcome = update_questionnaire(inspector, update_payload)

    assert 400 <= outcome.status_code < 500
def __init__(self, client):
    """Fetch a questionnaire's file as a user whose profile holds its control.

    Stores the questionnaire's ``basename`` in ``self.filename`` and the GET
    response of the ``send-questionnaire-file`` URL in ``self.response``.
    """
    target = factories.QuestionnaireFactory()
    self.filename = target.basename
    member = factories.UserFactory()
    member.profile.controls.add(target.control)
    member.profile.save()
    utils.login(client, user=member)
    self.response = client.get(
        reverse('send-questionnaire-file', args=[target.id]))
def test_query_without_editor_is_refused():
    """A PUT to ``update-editor`` with an empty body is refused with a 4xx.

    The draft's editor is checked before and after the request and must not
    have changed.
    """
    # NOTE(review): `client` is not a parameter of this test; presumably a
    # module-level test client defined elsewhere in the file. Confirm.
    ctrl = factories.ControlFactory()
    inspector = utils.make_inspector_user(ctrl, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(control=ctrl, is_draft=True, editor=inspector)
    assert_questionnaire_has_editor(draft, inspector)
    utils.login(client, user=inspector)

    # Empty JSON body: no editor is named in the request.
    empty_body = {}
    outcome = client.put(
        reverse('update-editor', args=[draft.id]), empty_body, format='json')

    assert 400 <= outcome.status_code < 500
    assert_questionnaire_has_editor(draft, inspector)
def test_cannot_get_questionnaire_even_if_control_is_associated_with_the_user():
    """Retrieve and list answer 405 for audited and inspector users alike."""
    target = factories.QuestionnaireFactory()
    audited = utils.make_audited_user(target.control)
    inspector = utils.make_inspector_user(target.control)

    # Retrieve is disabled
    audited_get = get_questionnaire(audited, target.id)
    assert audited_get.status_code == 405
    inspector_get = get_questionnaire(inspector, target.id)
    assert inspector_get.status_code == 405

    # list is disabled
    audited_list = list_questionnaires(audited)
    assert audited_list.status_code == 405
    inspector_list = list_questionnaires(inspector)
    assert inspector_list.status_code == 405
def access_questionnaire_page(
        client, page_name, is_control_associated_with_user, profile_type,
        is_draft=False, assign_questionnaire_editor=True):
    """GET a questionnaire page as a freshly created, logged-in user.

    Args:
        client: Test client used for the login and the request.
        page_name: URL name passed to ``reverse`` with the questionnaire id.
        is_control_associated_with_user: When truthy the user is created on
            the questionnaire's control, otherwise with no control.
        profile_type: Forwarded to ``utils.make_user``.
        is_draft: Draft flag of the questionnaire that is created.
        assign_questionnaire_editor: Forwarded to ``utils.make_user`` only
            when the user is created on the control.

    Returns:
        The response of the GET request.
    """
    target = factories.QuestionnaireFactory(is_draft=is_draft)
    ctrl = target.control
    if not is_control_associated_with_user:
        # Outsider: no control, and the editor flag is not forwarded.
        visitor = utils.make_user(profile_type, None)
    else:
        visitor = utils.make_user(
            profile_type, ctrl,
            assign_questionnaire_editor=assign_questionnaire_editor)
    utils.login(client, user=visitor)
    return client.get(reverse(page_name, args=[target.id]))
def test_no_modifying_questionnaire_if_not_inspector():
    """An audited user on the control gets 403 for update, delete and create.

    The create attempt is additionally checked with ``assert_no_data_is_saved``.
    """
    target = factories.QuestionnaireFactory()
    audited = utils.make_audited_user(target.control)

    # update
    update_payload = make_update_payload(target)
    updated = update_questionnaire(audited, update_payload)
    assert updated.status_code == 403

    # delete
    deleted = delete_questionnaire(audited, target.id)
    assert deleted.status_code == 403

    # create
    clear_saved_data()
    create_payload = make_create_payload(target.control.id)
    created = create_questionnaire(audited, create_payload)
    assert created.status_code == 403
    assert_no_data_is_saved()
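def test_questionnaire_update__questionnaire_update():
    """An inspector on the control can update and publish a questionnaire.

    The payload changes the description and sets ``is_draft`` to False; after
    a 200 response the stored row must carry both changes and no extra
    questionnaire may have been created.
    """
    increment_ids()
    # Qr with no themes or questions.
    questionnaire = factories.QuestionnaireFactory()
    user = utils.make_inspector_user(questionnaire.control)
    payload = make_update_payload(questionnaire)
    payload['description'] = 'this is a great questionnaire.'
    payload['is_draft'] = False

    assert Questionnaire.objects.count() == 1
    assert payload['description'] != questionnaire.description

    response = update_questionnaire(user, payload)
    assert response.status_code == 200

    # Data is saved
    assert Questionnaire.objects.count() == 1
    saved_qr = Questionnaire.objects.get(id=questionnaire.id)
    # `questionnaire` is the object built before the call, so it still holds
    # the old description.
    assert saved_qr.description != questionnaire.description
    assert saved_qr.description == payload['description']
    # Identity check instead of "== False": only a real False passes, not 0.
    assert saved_qr.is_draft is False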