def test_demote_editor(self):
"""Editors should be able to demote editors to viewers."""
embargoed_foia = FOIARequestFactory(embargo=True)
editor = UserFactory()
embargoed_foia.add_editor(editor)
nose.tools.assert_true(embargoed_foia.has_perm(editor, "view"))
nose.tools.assert_true(embargoed_foia.has_perm(editor, "change"))
embargoed_foia.demote_editor(editor)
nose.tools.assert_false(embargoed_foia.has_perm(editor, "change"))
def test_get_viewable_edit_collaborator(self):
"""Test get viewable for an edit collaborator"""
foia = FOIARequestFactory(composer__status="filed", embargo=True)
foia.add_editor(self.user)
assert_true(FOIAComposer.objects.get_viewable(self.staff).exists())
assert_true(FOIAComposer.objects.get_viewable(self.user).exists())
assert_false(FOIAComposer.objects.get_viewable(self.anon).exists())
class TestFOIANotes(TestCase):
"""Allow editors to attach notes to a request."""
def setUp(self):
self.foia = FOIARequestFactory()
self.editor = UserFactory()
self.viewer = UserFactory()
self.foia.add_editor(self.editor)
self.foia.add_viewer(self.viewer)
self.data = {
'action': 'add_note',
'note': u'Lorem ipsum dolor su ament.'
}
self.url = self.foia.get_absolute_url()
self.view = Detail.as_view()
self.kwargs = {
'jurisdiction': self.foia.jurisdiction.slug,
'jidx': self.foia.jurisdiction.id,
'slug': self.foia.slug,
'idx': self.foia.id
}
UserFactory(username='******')
def test_add_note(self):
"""User with edit permission should be able to create a note."""
response = http_post_response(
self.url, self.view, self.data, self.editor, **self.kwargs
)
self.foia.refresh_from_db()
eq_(response.status_code, 302)
eq_(self.foia.notes.count() > 0, True)
def test_add_sans_permission(self):
"""Normies and viewers cannot add notes."""
response = http_post_response(
self.url, self.view, self.data, self.viewer, **self.kwargs
)
self.foia.refresh_from_db()
eq_(response.status_code, 302)
eq_(self.foia.notes.count(), 0)
class TestRequestSharing(TestCase):
"""Allow people to edit and view another user's request."""
def setUp(self):
self.foia = FOIARequestFactory()
self.editor = UserFactory()
self.creator = self.foia.user
def test_add_editor(self):
"""Editors should be able to add editors to the request."""
new_editor = self.editor
self.foia.add_editor(new_editor)
nose.tools.assert_true(self.foia.has_editor(new_editor))
def test_remove_editor(self):
"""Editors should be able to remove editors from the request."""
editor_to_remove = self.editor
# first we add the editor, otherwise we would have nothing to remove!
self.foia.add_editor(editor_to_remove)
nose.tools.assert_true(self.foia.has_editor(editor_to_remove))
# now we remove the editor we just added
self.foia.remove_editor(editor_to_remove)
nose.tools.assert_false(self.foia.has_editor(editor_to_remove))
def test_editor_permission(self):
"""Editors should have the same abilities and permissions as creators."""
new_editor = self.editor
self.foia.add_editor(new_editor)
nose.tools.ok_(self.foia.has_perm(new_editor, "change"))
def test_add_viewer(self):
"""Editors should be able to add viewers to the request."""
new_viewer = UserFactory()
self.foia.add_viewer(new_viewer)
nose.tools.ok_(self.foia.has_viewer(new_viewer))
def test_remove_viewer(self):
"""Editors should be able to remove viewers from the request."""
viewer_to_remove = UserFactory()
# first we add the viewer, otherwise we would have nothing to remove!
self.foia.add_viewer(viewer_to_remove)
nose.tools.ok_(self.foia.has_viewer(viewer_to_remove))
# now we remove the viewer we just added
self.foia.remove_viewer(viewer_to_remove)
nose.tools.assert_false(self.foia.has_viewer(viewer_to_remove))
def test_viewer_permission(self):
"""Viewers should be able to see the request if it is embargoed."""
embargoed_foia = FOIARequestFactory(embargo=True)
viewer = UserFactory()
normie = UserFactory()
embargoed_foia.add_viewer(viewer)
nose.tools.assert_true(embargoed_foia.has_perm(viewer, "view"))
nose.tools.assert_false(embargoed_foia.has_perm(normie, "view"))
def test_promote_viewer(self):
"""Editors should be able to promote viewers to editors."""
embargoed_foia = FOIARequestFactory(embargo=True)
viewer = UserFactory()
embargoed_foia.add_viewer(viewer)
nose.tools.assert_true(embargoed_foia.has_perm(viewer, "view"))
nose.tools.assert_false(embargoed_foia.has_perm(viewer, "change"))
embargoed_foia.promote_viewer(viewer)
nose.tools.assert_true(embargoed_foia.has_perm(viewer, "change"))
def test_demote_editor(self):
"""Editors should be able to demote editors to viewers."""
embargoed_foia = FOIARequestFactory(embargo=True)
editor = UserFactory()
embargoed_foia.add_editor(editor)
nose.tools.assert_true(embargoed_foia.has_perm(editor, "view"))
nose.tools.assert_true(embargoed_foia.has_perm(editor, "change"))
embargoed_foia.demote_editor(editor)
nose.tools.assert_false(embargoed_foia.has_perm(editor, "change"))
def test_access_key(self):
"""Editors should be able to generate a secure access key to view an embargoed request."""
embargoed_foia = FOIARequestFactory(embargo=True)
access_key = embargoed_foia.generate_access_key()
nose.tools.assert_true(
access_key == embargoed_foia.access_key,
"The key in the URL should match the key saved to the request.",
)
embargoed_foia.generate_access_key()
nose.tools.assert_false(
access_key == embargoed_foia.access_key,
"After regenerating the link, the key should no longer match.",
)
def test_do_not_grant_creator_access(self):
"""Creators should not be granted access as editors or viewers"""
self.foia.add_editor(self.creator)
nose.tools.assert_false(self.foia.has_editor(self.creator))
self.foia.add_viewer(self.creator)
nose.tools.assert_false(self.foia.has_viewer(self.creator))
# but the creator should still be able to both view and edit!
nose.tools.assert_true(self.foia.has_perm(self.creator, "change"))
nose.tools.assert_true(self.foia.has_perm(self.creator, "view"))
class TestRequestSharingViews(TestCase):
"""Tests access and implementation of view methods for sharing requests."""
def setUp(self):
self.factory = RequestFactory()
self.foia = FOIARequestFactory()
self.creator = self.foia.user
self.editor = UserFactory()
self.viewer = UserFactory()
self.staff = UserFactory(is_staff=True)
self.normie = UserFactory()
self.foia.add_editor(self.editor)
self.foia.add_viewer(self.viewer)
self.foia.save()
UserFactory(username='******')
def reset_access_key(self):
"""Simple helper to reset access key betweeen tests"""
self.foia.access_key = None
assert_false(self.foia.access_key)
def test_access_key_allowed(self):
"""
A POST request for a private share link should generate and return an access key.
Editors and staff should be allowed to do this.
"""
self.reset_access_key()
data = {'action': 'generate_key'}
request = self.factory.post(self.foia.get_absolute_url(), data)
request = mock_middleware(request)
# editors should be able to generate the key
request.user = self.editor
response = Detail.as_view()(
request,
jurisdiction=self.foia.jurisdiction.slug,
jidx=self.foia.jurisdiction.id,
slug=self.foia.slug,
idx=self.foia.id
)
self.foia.refresh_from_db()
eq_(response.status_code, 302)
assert_true(self.foia.access_key)
# staff should be able to generate the key
self.reset_access_key()
request.user = self.staff
response = Detail.as_view()(
request,
jurisdiction=self.foia.jurisdiction.slug,
jidx=self.foia.jurisdiction.id,
slug=self.foia.slug,
idx=self.foia.id
)
self.foia.refresh_from_db()
eq_(response.status_code, 302)
assert_true(self.foia.access_key)
def test_access_key_not_allowed(self):
"""Visitors and normies should not be allowed to generate an access key."""
self.reset_access_key()
data = {'action': 'generate_key'}
request = self.factory.post(self.foia.get_absolute_url(), data)
request = mock_middleware(request)
# viewers should not be able to generate the key
request.user = self.viewer
response = Detail.as_view()(
request,
jurisdiction=self.foia.jurisdiction.slug,
jidx=self.foia.jurisdiction.id,
slug=self.foia.slug,
idx=self.foia.id
)
self.foia.refresh_from_db()
eq_(response.status_code, 302)
assert_false(self.foia.access_key)
# normies should not be able to generate the key
self.reset_access_key()
request.user = self.normie
response = Detail.as_view()(
request,
jurisdiction=self.foia.jurisdiction.slug,
jidx=self.foia.jurisdiction.id,
slug=self.foia.slug,
idx=self.foia.id
)
self.foia.refresh_from_db()
eq_(response.status_code, 302)
assert_false(self.foia.access_key)
def test_grant_edit_access(self):
"""Editors should be able to add editors."""
user1 = UserFactory()
user2 = UserFactory()
edit_data = {
'action': 'grant_access',
'users': [user1.pk, user2.pk],
'access': 'edit'
}
edit_request = self.factory.post(
self.foia.get_absolute_url(), edit_data
)
edit_request = mock_middleware(edit_request)
edit_request.user = self.editor
edit_response = Detail.as_view()(
edit_request,
jurisdiction=self.foia.jurisdiction.slug,
jidx=self.foia.jurisdiction.id,
slug=self.foia.slug,
idx=self.foia.id
)
eq_(edit_response.status_code, 302)
assert_true(self.foia.has_editor(user1) and self.foia.has_editor(user2))
def test_grant_view_access(self):
"""Editors should be able to add viewers."""
user1 = UserFactory()
user2 = UserFactory()
view_data = {
'action': 'grant_access',
'users': [user1.pk, user2.pk],
'access': 'view'
}
view_request = self.factory.post(
self.foia.get_absolute_url(), view_data
)
view_request = mock_middleware(view_request)
view_request.user = self.editor
view_response = Detail.as_view()(
view_request,
jurisdiction=self.foia.jurisdiction.slug,
jidx=self.foia.jurisdiction.id,
slug=self.foia.slug,
idx=self.foia.id
)
eq_(view_response.status_code, 302)
assert_true(self.foia.has_viewer(user1) and self.foia.has_viewer(user2))
def test_demote_editor(self):
"""Editors should be able to demote editors to viewers."""
user = UserFactory()
self.foia.add_editor(user)
assert_true(self.foia.has_editor(user))
data = {'action': 'demote', 'user': user.pk}
request = self.factory.post(self.foia.get_absolute_url(), data)
request = mock_middleware(request)
request.user = self.editor
response = Detail.as_view()(
request,
jurisdiction=self.foia.jurisdiction.slug,
jidx=self.foia.jurisdiction.id,
slug=self.foia.slug,
idx=self.foia.id
)
eq_(response.status_code, 302)
assert_false(self.foia.has_editor(user))
assert_true(self.foia.has_viewer(user))
def test_promote_viewer(self):
"""Editors should be able to promote viewers to editors."""
user = UserFactory()
self.foia.add_viewer(user)
assert_true(self.foia.has_viewer(user))
data = {'action': 'promote', 'user': user.pk}
request = self.factory.post(self.foia.get_absolute_url(), data)
request = mock_middleware(request)
request.user = self.editor
response = Detail.as_view()(
request,
jurisdiction=self.foia.jurisdiction.slug,
jidx=self.foia.jurisdiction.id,
slug=self.foia.slug,
idx=self.foia.id
)
eq_(response.status_code, 302)
assert_false(self.foia.has_viewer(user))
assert_true(self.foia.has_editor(user))
def test_revoke_edit_access(self):
"""Editors should be able to revoke access from an editor."""
an_editor = UserFactory()
self.foia.add_editor(an_editor)
data = {'action': 'revoke_access', 'user': an_editor.pk}
request = self.factory.post(self.foia.get_absolute_url(), data)
request = mock_middleware(request)
request.user = self.editor
response = Detail.as_view()(
request,
jurisdiction=self.foia.jurisdiction.slug,
jidx=self.foia.jurisdiction.id,
slug=self.foia.slug,
idx=self.foia.id
)
eq_(response.status_code, 302)
assert_false(self.foia.has_editor(an_editor))
def test_revoke_view_access(self):
"""Editors should be able to revoke access from a viewer."""
a_viewer = UserFactory()
self.foia.add_viewer(a_viewer)
data = {'action': 'revoke_access', 'user': a_viewer.pk}
request = self.factory.post(self.foia.get_absolute_url(), data)
request = mock_middleware(request)
request.user = self.editor
response = Detail.as_view()(
request,
jurisdiction=self.foia.jurisdiction.slug,
jidx=self.foia.jurisdiction.id,
slug=self.foia.slug,
idx=self.foia.id
)
eq_(response.status_code, 302)
assert_false(self.foia.has_viewer(a_viewer))
class TestRequestSharing(TestCase):
"""Allow people to edit and view another user's request."""
def setUp(self):
self.foia = FOIARequestFactory()
self.editor = UserFactory()
self.creator = self.foia.user
def test_add_editor(self):
"""Editors should be able to add editors to the request."""
new_editor = self.editor
self.foia.add_editor(new_editor)
assert_true(self.foia.has_editor(new_editor))
def test_remove_editor(self):
"""Editors should be able to remove editors from the request."""
editor_to_remove = self.editor
# first we add the editor, otherwise we would have nothing to remove!
self.foia.add_editor(editor_to_remove)
assert_true(self.foia.has_editor(editor_to_remove))
# now we remove the editor we just added
self.foia.remove_editor(editor_to_remove)
assert_false(self.foia.has_editor(editor_to_remove))
def test_editor_permission(self):
"""Editors should have the same abilities and permissions as creators."""
new_editor = self.editor
self.foia.add_editor(new_editor)
ok_(self.foia.has_perm(new_editor, 'change'))
def test_add_viewer(self):
"""Editors should be able to add viewers to the request."""
new_viewer = UserFactory()
self.foia.add_viewer(new_viewer)
ok_(self.foia.has_viewer(new_viewer))
def test_remove_viewer(self):
"""Editors should be able to remove viewers from the request."""
viewer_to_remove = UserFactory()
# first we add the viewer, otherwise we would have nothing to remove!
self.foia.add_viewer(viewer_to_remove)
ok_(self.foia.has_viewer(viewer_to_remove))
# now we remove the viewer we just added
self.foia.remove_viewer(viewer_to_remove)
assert_false(self.foia.has_viewer(viewer_to_remove))
def test_viewer_permission(self):
"""Viewers should be able to see the request if it is embargoed."""
embargoed_foia = FOIARequestFactory(embargo=True)
viewer = UserFactory()
normie = UserFactory()
embargoed_foia.add_viewer(viewer)
assert_true(embargoed_foia.has_perm(viewer, 'view'))
assert_false(embargoed_foia.has_perm(normie, 'view'))
def test_promote_viewer(self):
"""Editors should be able to promote viewers to editors."""
embargoed_foia = FOIARequestFactory(embargo=True)
viewer = UserFactory()
embargoed_foia.add_viewer(viewer)
assert_true(embargoed_foia.has_perm(viewer, 'view'))
assert_false(embargoed_foia.has_perm(viewer, 'change'))
embargoed_foia.promote_viewer(viewer)
assert_true(embargoed_foia.has_perm(viewer, 'change'))
def test_demote_editor(self):
"""Editors should be able to demote editors to viewers."""
embargoed_foia = FOIARequestFactory(embargo=True)
editor = UserFactory()
embargoed_foia.add_editor(editor)
assert_true(embargoed_foia.has_perm(editor, 'view'))
assert_true(embargoed_foia.has_perm(editor, 'change'))
embargoed_foia.demote_editor(editor)
assert_false(embargoed_foia.has_perm(editor, 'change'))
def test_access_key(self):
"""Editors should be able to generate a secure access key to view an embargoed request."""
embargoed_foia = FOIARequestFactory(embargo=True)
access_key = embargoed_foia.generate_access_key()
assert_true(
access_key == embargoed_foia.access_key,
'The key in the URL should match the key saved to the request.')
embargoed_foia.generate_access_key()
assert_false(
access_key == embargoed_foia.access_key,
'After regenerating the link, the key should no longer match.')
def test_creator_access(self):
"""Creators should not be granted access as editors or viewers"""
self.foia.add_editor(self.creator)
assert_false(self.foia.has_editor(self.creator))
self.foia.add_viewer(self.creator)
assert_false(self.foia.has_viewer(self.creator))
# but the creator should still be able to both view and edit!
assert_true(self.foia.has_perm(self.creator, 'view'))
assert_true(self.foia.has_perm(self.creator, 'change'))
def test_org_share(self):
"""Test sharing with your organization"""
org = OrganizationFactory()
user = UserFactory()
MembershipFactory(user=user, organization=org, active=False)
self.foia.embargo = True
self.foia.composer.organization = org
# fellow org member cannot view it before sharing is turned on
assert_false(self.foia.has_perm(user, 'view'))
self.creator.profile.org_share = True
# now org member can view it
assert_true(self.foia.has_perm(user, 'view'))
# non-org member still cannot view it
assert_false(self.foia.has_perm(self.editor, 'view'))
