Example #1
def test_manager_cant_access_director(method, app, db_session):
    """
    A manager is denied access to a director's employee record and granted
    access to a master's record, for the ``method`` supplied to the test.

    NOTE(review): no company is passed to the factories, so whether the three
    employees share a company depends on the factory defaults -- confirm, since
    a company mismatch could also produce the denial this test expects.
    """
    def employee_with(role_type):
        # Role first, then the employee that holds it.
        return factories.EmployeeFactory(
            role=factories.RoleFactory(role_type=role_type))

    acting_user = employee_with(RoleType.Manager)
    higher_ranked = employee_with(RoleType.Director)
    lower_ranked = employee_with(RoleType.Master)

    # has_privilege takes no user argument here; the acting user is flask.g.user.
    flask.g.user = acting_user

    denied_upwards = has_privilege(
        method=method, resource="employee", employee_id=higher_ranked.id)
    assert not denied_upwards

    granted_downwards = has_privilege(
        method=method, resource="employee", employee_id=lower_ranked.id)
    assert granted_downwards
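def test_cannot_access_other_company_employees(method, app, db_session):
    """
    Even though the authenticated user is a director, they cannot access a
    manager's profile because the manager works for another company.

    The director and the manager are each given their own CompanyFactory()
    instance. The check uses the ``method`` argument instead of a hard-coded
    READ, so the company boundary is asserted for every method the test is
    run with (presumably a parametrized fixture -- confirm in conftest).
    """
    director = factories.EmployeeFactory(
        company=factories.CompanyFactory(),
        role=factories.RoleFactory(name="Director"))
    manager = factories.EmployeeFactory(
        company=factories.CompanyFactory(),
        role=factories.RoleFactory(name="Manager"))
    # has_privilege takes no user argument here; the acting user is flask.g.user.
    flask.g.user = director
    # Previously only Method.READ was checked and ``method`` was unused, which
    # left cross-company access with the other methods untested.
    assert not has_privilege(
        method=method, resource="employee", employee_id=manager.id)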
Example #3
def test_insert_employee(db_session):
    """Integration test: a factory-built Employee can be read back by its id."""
    created = factories.EmployeeFactory(
        company=factories.CompanyFactory(),
        role=factories.RoleFactory())

    # Fetch through the session to confirm the row is visible to queries.
    fetched = db_session.query(Employee).get(created.id)

    assert fetched.username == created.username
def test_cannot_access_list(client, db_session):
    """
    The employee list answers 403 Forbidden to a caller who may not see it.

    NOTE(review): an employee is created but nothing in this test logs anyone
    in, so the request appears to be unauthenticated unless the ``client``
    fixture sets up a session -- confirm which case is being pinned.
    """
    # The employee only needs to exist; it is not referenced again.
    factories.EmployeeFactory(
        company=factories.CompanyFactory(),
        role=factories.RoleFactory())

    list_url = url_for("employee.list")
    response = client.get(list_url)

    assert response.status_code == HTTPStatus.FORBIDDEN
Example #5
def test_list(client, db_session):
    """
    The employee list answers 200 and contains the created employee's username.

    NOTE(review): no login is visible in this test, so access to the list is
    either open or granted by the ``client`` fixture -- confirm.
    """
    listed_employee = factories.EmployeeFactory(
        company=factories.CompanyFactory(),
        role=factories.RoleFactory())

    response = client.get(url_for("employee.list"))

    assert response.status_code == HTTPStatus.OK
    # response.data is bytes, so the username is encoded before the search.
    expected_fragment = listed_employee.username.encode()
    assert expected_fragment in response.data
def test_can_access_same_company_employees(app, db_session):
    """
    Two employees of the same company holding the same role: READ on the
    colleague's employee record is granted.

    Only Method.READ is exercised here.
    """
    shared_company = factories.CompanyFactory()
    shared_role = factories.RoleFactory()
    requester, peer = (
        factories.EmployeeFactory(company=shared_company, role=shared_role)
        for _ in range(2)
    )

    # has_privilege takes no user argument here; the acting user is flask.g.user.
    flask.g.user = requester

    granted = has_privilege(
        method=Method.READ, resource="employee", employee_id=peer.id)
    assert granted
def test_can_access_subalterns(method, app, db_session):
    """
    Within one company, a director is granted access to the employee
    profiles of a manager, a master and an intern.

    NOTE(review): the ``method`` argument is accepted but never passed to
    has_privilege, so each check runs with whatever method has_privilege
    uses when none is given -- confirm that this is the intended coverage.
    """
    company = factories.CompanyFactory()

    def hire(role_name):
        # Every hire lands in the same company; only the role name varies.
        return factories.EmployeeFactory(
            company=company, role=factories.RoleFactory(name=role_name))

    director = hire("Director")
    master = hire("Master")
    manager = hire("Manager")
    intern = hire("Intern")

    flask.g.user = director
    for subordinate in (manager, master, intern):
        assert has_privilege(resource="employee", employee_id=subordinate.id)
Example #8
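def test_list(client):
    """
    The table list answers 200 and renders exactly the three tables created.

    The caller is an intern whose id is written into the client session and
    who is also set as ``g.user``. All three tables sit on one floor of a
    location that belongs to the intern's company.
    """
    role = factories.RoleFactory(name=RoleType.Intern.name)
    company = factories.CompanyFactory()
    employee = factories.EmployeeFactory(company=company, role_id=role.id)
    location = factories.LocationFactory(company=company)
    floor = factories.FloorFactory(location=location)
    with client.session_transaction() as session:
        session["user_id"] = employee.id
    g.user = employee
    factories.TableFactory(floor_id=floor.id, name="Table 01")
    factories.TableFactory(floor_id=floor.id, name="Table 02")
    factories.TableFactory(floor_id=floor.id, name="Table 03")
    # NOTE(review): url_for normally takes an endpoint name; "/tables/" looks
    # like a URL path -- confirm this matches the registered endpoint.
    response = client.get(url_for("/tables/"))
    assert response.status_code == HTTPStatus.OK
    assert b"<div><h1>Table 01</h1></div>" in response.data
    assert b"<div><h1>Table 02</h1></div>" in response.data
    assert b"<div><h1>Table 03</h1></div>" in response.data
    # The original compared the bound method ``response.data.count`` instead
    # of calling it, which raises TypeError before anything is checked.
    # Counting the heading prefix pins that no extra table is rendered.
    assert response.data.count(b"<div><h1>Table ") == 3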
def data():
    """
    Build the users, projects, memberships and likes shared by the tests.

    Returns a throwaway ``Models`` class used as a plain attribute namespace.

    Users: ``registered_user`` and ``other_user`` receive no membership in
    any project, and ``superuser`` is created with ``is_superuser=True`` and
    no membership either.

    Projects: ``public_project`` is not private; ``private_project1`` is
    private but still lists ``view_project`` for anonymous and public users;
    ``private_project2`` is private with no anonymous or public permissions;
    ``blocked_project`` matches ``private_project2`` and additionally carries
    ``blocked_code=BLOCKED_BY_STAFF``. Each project is re-read through
    ``attach_extra_info`` right after it is created.

    ``m.membership`` is overwritten by every member membership, so on return
    it refers only to the last one created (blocked project, member without
    permissions).
    """
    m = type("Models", (object, ), {})

    m.registered_user = f.UserFactory.create()
    m.project_member_with_perms = f.UserFactory.create()
    m.project_member_without_perms = f.UserFactory.create()
    m.project_owner = f.UserFactory.create()
    m.other_user = f.UserFactory.create()
    m.superuser = f.UserFactory.create(is_superuser=True)

    def with_extra_info(project):
        # Re-read the freshly created project through the annotated queryset.
        annotated = attach_extra_info(project_models.Project.objects.all())
        return annotated.get(id=project.id)

    def every_member_permission():
        # A new list per call: the first element of each MEMBERS_PERMISSIONS entry.
        return [entry[0] for entry in MEMBERS_PERMISSIONS]

    m.public_project = with_extra_info(f.ProjectFactory(
        is_private=False,
        anon_permissions=['view_project'],
        public_permissions=['view_project']))

    m.private_project1 = with_extra_info(f.ProjectFactory(
        is_private=True,
        anon_permissions=['view_project'],
        public_permissions=['view_project'],
        owner=m.project_owner))

    m.private_project2 = with_extra_info(f.ProjectFactory(
        is_private=True,
        anon_permissions=[],
        public_permissions=[],
        owner=m.project_owner))

    m.blocked_project = with_extra_info(f.ProjectFactory(
        is_private=True,
        anon_permissions=[],
        public_permissions=[],
        owner=m.project_owner,
        blocked_code=project_choices.BLOCKED_BY_STAFF))

    f.RoleFactory(project=m.public_project)

    # Each non-public project gets one member whose role holds every member
    # permission and one member whose role holds none.
    restricted_projects = (m.private_project1,
                           m.private_project2,
                           m.blocked_project)
    member_profiles = ((m.project_member_with_perms, True),
                       (m.project_member_without_perms, False))
    for project in restricted_projects:
        for member, has_all_permissions in member_profiles:
            m.membership = f.MembershipFactory(
                project=project,
                user=member,
                role__project=project,
                role__permissions=(every_member_permission()
                                   if has_all_permissions else []))

    # The owner is an admin member of every project, the public one included.
    every_project = (m.public_project,) + restricted_projects
    for project in every_project:
        f.MembershipFactory(project=project,
                            user=m.project_owner,
                            is_admin=True)

    content_type_model = apps.get_model("contenttypes", "ContentType")
    project_model = apps.get_model("projects", "Project")
    project_ct = content_type_model.objects.get_for_model(project_model)

    # Two likes per project: the fully-permissioned member, then the owner.
    for project in every_project:
        for liker in (m.project_member_with_perms, m.project_owner):
            f.LikeFactory(content_type=project_ct,
                          object_id=project.pk,
                          user=liker)

    return m
Example #10
def data():
    """
    Build the users, projects, memberships and likes shared by the tests.

    Returns a throwaway ``Models`` class used as a plain attribute namespace.

    Users: ``registered_user`` and ``other_user`` receive no membership in
    any project, and ``superuser`` is created with ``is_superuser=True`` and
    no membership either.

    Projects: ``public_project`` is not private; ``private_project1`` is
    private but still lists ``view_project`` for anonymous and public users;
    ``private_project2`` is private with no anonymous or public permissions.

    ``m.membership`` is overwritten by every member membership, so on return
    it refers only to the last one created (``private_project2``, member
    without permissions).
    """
    m = type("Models", (object,), {})

    m.registered_user = f.UserFactory.create()
    m.project_member_with_perms = f.UserFactory.create()
    m.project_member_without_perms = f.UserFactory.create()
    m.project_owner = f.UserFactory.create()
    m.other_user = f.UserFactory.create()
    m.superuser = f.UserFactory.create(is_superuser=True)

    def every_member_permission():
        # A new list per call: the first element of each MEMBERS_PERMISSIONS entry.
        return [entry[0] for entry in MEMBERS_PERMISSIONS]

    m.public_project = f.ProjectFactory(
        is_private=False,
        anon_permissions=['view_project'],
        public_permissions=['view_project'])
    m.private_project1 = f.ProjectFactory(
        is_private=True,
        anon_permissions=['view_project'],
        public_permissions=['view_project'],
        owner=m.project_owner)
    m.private_project2 = f.ProjectFactory(
        is_private=True,
        anon_permissions=[],
        public_permissions=[],
        owner=m.project_owner)

    f.RoleFactory(project=m.public_project)

    # Each private project gets one member whose role holds every member
    # permission and one member whose role holds none.
    private_projects = (m.private_project1, m.private_project2)
    member_profiles = ((m.project_member_with_perms, True),
                       (m.project_member_without_perms, False))
    for project in private_projects:
        for member, has_all_permissions in member_profiles:
            m.membership = f.MembershipFactory(
                project=project,
                user=member,
                role__project=project,
                role__permissions=(every_member_permission()
                                   if has_all_permissions else []))

    # The owner holds an is_owner membership in every project.
    every_project = (m.public_project,) + private_projects
    for project in every_project:
        f.MembershipFactory(project=project,
                            user=m.project_owner,
                            is_owner=True)

    content_type_model = apps.get_model("contenttypes", "ContentType")
    project_model = apps.get_model("projects", "Project")
    project_ct = content_type_model.objects.get_for_model(project_model)

    # Two likes per project: the fully-permissioned member, then the owner.
    for project in every_project:
        for liker in (m.project_member_with_perms, m.project_owner):
            f.LikeFactory(content_type=project_ct,
                          object_id=project.pk,
                          user=liker)

    # One LikesFactory row per project with count=2, matching the two
    # LikeFactory rows created for it above.
    for project in every_project:
        f.LikesFactory(content_type=project_ct,
                       object_id=project.pk,
                       count=2)

    return m