def test_has_perm_per_object(self):
"""Assert has_perm checks per-object permissions correctly."""
from kitsune.forums.tests import RestrictedForumFactory
f1 = RestrictedForumFactory()
f2 = RestrictedForumFactory()
# Give user permission to one of the forums
u = UserFactory()
perm = 'forums_forum.view_in_forum'
ct = ContentType.objects.get_for_model(f1)
PermissionFactory(codename=perm, content_type=ct, object_id=f1.id, user=u)
assert access.has_perm(u, perm, f1)
assert not access.has_perm(u, perm, f2)
def test_read_without_permission(self):
"""Listing posts without the view_in_forum permission should 404."""
rforum = RestrictedForumFactory()
t = ThreadFactory(forum=rforum)
response = get(self.client, "forums.posts", args=[t.forum.slug, t.id])
eq_(404, response.status_code)
def test_admin_perm_thread(self):
"""Super user can do anything on any forum."""
from kitsune.forums.tests import RestrictedForumFactory
f1 = RestrictedForumFactory()
f2 = RestrictedForumFactory()
admin = UserFactory(is_staff=True, is_superuser=True)
# Loop over all forums perms and both forums
perms = ('thread_edit_forum', 'thread_delete_forum', 'post_edit_forum',
'thread_sticky_forum', 'thread_locked_forum',
'post_delete_forum', 'view_in_forum')
for perm in perms:
for forum in [f1, f2]:
assert access.has_perm(admin, 'forums_forum.' + perm, forum)
def test_reply_without_view_permission(self):
"""Posting without view_in_forum permission should 404."""
rforum = RestrictedForumFactory()
t = ThreadFactory(forum=rforum)
u = UserFactory()
self.client.login(username=u.username, password='******')
response = post(self.client, 'forums.reply', {'content': 'Blahs'},
args=[t.forum.slug, t.id])
eq_(404, response.status_code)
def test_watch_forum_without_permission(self):
"""Watching forums without the view_in_forum permission should 404.
"""
rforum = RestrictedForumFactory()
u = UserFactory()
self.client.login(username=u.username, password='******')
response = self.client.post(reverse('forums.watch_forum',
args=[rforum.slug]),
{'watch': 'yes'}, follow=False)
eq_(404, response.status_code)
def test_new_thread_without_post_permission(self):
"""Making a new thread without post permission should 403."""
rforum = RestrictedForumFactory(permission_code='forums_forum.post_in_forum')
u = UserFactory()
self.client.login(username=u.username, password='******')
with patch.object(Forum, 'allows_viewing_by', Mock(return_value=True)):
response = post(self.client, 'forums.new_thread',
{'title': 'Blahs', 'content': 'Blahs'},
args=[rforum.slug])
eq_(403, response.status_code)
def test_new_thread_without_view_permission(self):
"""Making a new thread without view permission should 404."""
rforum = RestrictedForumFactory()
ThreadFactory(forum=rforum)
u = UserFactory()
self.client.login(username=u.username, password='******')
response = post(self.client, 'forums.new_thread',
{'title': 'Blahs', 'content': 'Blahs'},
args=[rforum.slug])
eq_(404, response.status_code)
def test_reply_without_post_permission(self):
"""Posting without post_in_forum permission should 403."""
rforum = RestrictedForumFactory(permission_code='forums_forum.post_in_forum')
t = ThreadFactory(forum=rforum)
u = UserFactory()
self.client.login(username=u.username, password='******')
with patch.object(Forum, 'allows_viewing_by', Mock(return_value=True)):
response = post(self.client, 'forums.reply', {'content': 'Blahs'},
args=[t.forum.slug, t.id])
eq_(403, response.status_code)
def test_perm_is_defined_on(self):
"""Test permission relationship
Test whether we check for permission relationship, independent
of whether the permission is actually assigned to anyone.
"""
from kitsune.forums.tests import ForumFactory, RestrictedForumFactory
f1 = RestrictedForumFactory()
f2 = ForumFactory()
perm = 'forums_forum.view_in_forum'
assert access.perm_is_defined_on(perm, f1)
assert not access.perm_is_defined_on(perm, f2)
def test_watch_thread_without_permission(self):
"""Watching threads without the view_in_forum permission should 404."""
rforum = RestrictedForumFactory()
t = ThreadFactory(forum=rforum)
u = UserFactory()
self.client.login(username=u.username, password="******")
response = self.client.post(
reverse("forums.watch_thread", args=[t.forum.slug, t.id]),
{"watch": "yes"},
follow=False,
)
eq_(404, response.status_code)
def test_new_thread_without_view_permission(self):
"""Making a new thread without view permission should 404."""
rforum = RestrictedForumFactory()
ThreadFactory(forum=rforum)
u = UserFactory()
self.client.login(username=u.username, password="******")
response = post(
self.client,
"forums.new_thread",
{
"title": "Blahs",
"content": "Blahs"
},
args=[rforum.slug],
)
eq_(404, response.status_code)
def test_new_thread_without_post_permission(self):
"""Making a new thread without post permission should 403."""
rforum = RestrictedForumFactory(
permission_code="forums_forum.post_in_forum")
u = UserFactory()
self.client.login(username=u.username, password="******")
with patch.object(Forum, "allows_viewing_by", Mock(return_value=True)):
response = post(
self.client,
"forums.new_thread",
{
"title": "Blahs",
"content": "Blahs"
},
args=[rforum.slug],
)
eq_(403, response.status_code)
def test_discussion_forum_with_restricted_forums(self):
"""Tests who can see restricted forums in search form."""
# This is a long test, but it saves us from doing the setup
# twice.
forum1 = ForumFactory(name=u'ou812forum')
thread1 = ThreadFactory(forum=forum1, title=u'audio 2')
PostFactory(thread=thread1)
forum2 = RestrictedForumFactory(name=u'restrictedkeepout')
thread2 = ThreadFactory(forum=forum2, title=u'audio 2')
PostFactory(thread=thread2)
self.refresh()
# Get the Advanced Search Form as an anonymous user
response = self.client.get(reverse('search.advanced'), {'a': '2'})
eq_(200, response.status_code)
# Regular forum should show up
assert 'ou812forum' in response.content
# Restricted forum should not show up
assert 'restrictedkeepout' not in response.content
u = UserFactory()
g = GroupFactory()
g.user_set.add(u)
ct = ContentType.objects.get_for_model(forum2)
PermissionFactory(
codename='forums_forum.view_in_forum',
content_type=ct,
object_id=forum2.id,
group=g)
# Get the Advanced Search Form as a logged in user
self.client.login(username=u.username, password='******')
response = self.client.get(reverse('search.advanced'), {'a': '2'})
eq_(200, response.status_code)
# Both forums should show up for authorized user
assert 'ou812forum' in response.content
assert 'restrictedkeepout' in response.content
def test_forums_search_authorized_forums_specifying_forums(self):
"""Only authorized people can search certain forums they specified"""
# Create two threads: one in a restricted forum and one not.
forum1 = ForumFactory(name="ou812forum")
thread1 = ThreadFactory(forum=forum1)
PostFactory(thread=thread1, content="audio")
forum2 = RestrictedForumFactory(name="restrictedkeepout")
thread2 = ThreadFactory(forum=forum2)
PostFactory(thread=thread2, content="audio restricted")
self.refresh()
# Do a search as an anonymous user and specify both
# forums. Should only see the post from the unrestricted
# forum.
response = self.client.get(
reverse("search.advanced"),
{
"author": "",
"created": "0",
"created_date": "",
"updated": "0",
"updated_date": "",
"sortby": "0",
"forum": [forum1.id, forum2.id],
"a": "1",
"w": "4",
"q": "audio",
"format": "json",
},
)
eq_(200, response.status_code)
content = json.loads(response.content)
eq_(content["total"], 1)
# Do a search as an authorized user and specify both
# forums. Should see both posts.
u = UserFactory()
g = GroupFactory()
g.user_set.add(u)
ct = ContentType.objects.get_for_model(forum2)
PermissionFactory(codename="forums_forum.view_in_forum",
content_type=ct,
object_id=forum2.id,
group=g)
self.client.login(username=u.username, password="******")
response = self.client.get(
reverse("search.advanced"),
{
"author": "",
"created": "0",
"created_date": "",
"updated": "0",
"updated_date": "",
"sortby": "0",
"forum": [forum1.id, forum2.id],
"a": "1",
"w": "4",
"q": "audio",
"format": "json",
},
)
# Sees both results
eq_(200, response.status_code)
content = json.loads(response.content)
eq_(content["total"], 2)
def test_forums_search_authorized_forums_specifying_forums(self):
"""Only authorized people can search certain forums they specified"""
# Create two threads: one in a restricted forum and one not.
forum1 = ForumFactory(name=u'ou812forum')
thread1 = ThreadFactory(forum=forum1)
PostFactory(thread=thread1, content=u'audio')
forum2 = RestrictedForumFactory(name=u'restrictedkeepout')
thread2 = ThreadFactory(forum=forum2)
PostFactory(thread=thread2, content=u'audio restricted')
self.refresh()
# Do a search as an anonymous user and specify both
# forums. Should only see the post from the unrestricted
# forum.
response = self.client.get(reverse('search.advanced'), {
'author': '',
'created': '0',
'created_date': '',
'updated': '0',
'updated_date': '',
'sortby': '0',
'forum': [forum1.id, forum2.id],
'a': '1',
'w': '4',
'q': 'audio',
'format': 'json'
})
eq_(200, response.status_code)
content = json.loads(response.content)
eq_(content['total'], 1)
# Do a search as an authorized user and specify both
# forums. Should see both posts.
u = UserFactory()
g = GroupFactory()
g.user_set.add(u)
ct = ContentType.objects.get_for_model(forum2)
PermissionFactory(
codename='forums_forum.view_in_forum',
content_type=ct,
object_id=forum2.id,
group=g)
self.client.login(username=u.username, password='******')
response = self.client.get(reverse('search.advanced'), {
'author': '',
'created': '0',
'created_date': '',
'updated': '0',
'updated_date': '',
'sortby': '0',
'forum': [forum1.id, forum2.id],
'a': '1',
'w': '4',
'q': 'audio',
'format': 'json'
})
# Sees both results
eq_(200, response.status_code)
content = json.loads(response.content)
eq_(content['total'], 2)
def test_read_without_permission(self):
"""Listing threads without the view_in_forum permission should 404.
"""
rforum = RestrictedForumFactory()
response = get(self.client, "forums.threads", args=[rforum.slug])
eq_(404, response.status_code)