def get_queryset(self): """Return the right base queryset depending on the situation. Note that permissions checks still apply on top of that, against the add-on as per check_object_permissions() above.""" requested = self.request.GET.get('filter') # By default we restrict to valid versions. However: # # When accessing a single version or if requesting it explicitly when # listing, admins can access all versions, including deleted ones. should_access_all_versions_included_deleted = ( (requested == 'all_with_deleted' or self.action != 'list') and self.request.user.is_authenticated() and self.request.user.is_staff) # When accessing a single version or if requesting it explicitly when # listing, reviewers and add-on authors can access all non-deleted # versions. should_access_all_versions = ( (requested == 'all' or self.action != 'list') and (AllowReviewer().has_permission(self.request, self) or AllowAddonAuthor().has_object_permission( self.request, self, self.get_addon_object()))) # Everyone can see (non deleted) beta version when they request it # explicitly. should_access_only_beta_versions = (requested == 'beta_only') if should_access_all_versions_included_deleted: self.queryset = Version.unfiltered.all() elif should_access_all_versions: self.queryset = Version.objects.all() elif should_access_only_beta_versions: self.queryset = Version.objects.filter( files__status=amo.STATUS_BETA).distinct() # Now that the base queryset has been altered, call super() to use it. qs = super(AddonVersionViewSet, self).get_queryset() # Filter with the add-on. return qs.filter(addon=self.get_addon_object())
def setUp(self): self.permission = AllowReviewer() self.request_factory = RequestFactory() self.unsafe_methods = ('patch', 'post', 'put', 'delete') self.safe_methods = ('get', 'options', 'head')
class TestAllowReviewer(TestCase): # Note: be careful when testing, under the hood we're using a method that # relies on UserProfile.groups_list, which is cached on the UserProfile # instance. def setUp(self): self.permission = AllowReviewer() self.request_factory = RequestFactory() self.unsafe_methods = ('patch', 'post', 'put', 'delete') self.safe_methods = ('get', 'options', 'head') def test_user_cannot_be_anonymous(self): request = self.request_factory.get('/') request.user = AnonymousUser() obj = Mock(spec=[]) obj.has_listed_versions = lambda: True assert not self.permission.has_permission(request, myview) assert not self.permission.has_object_permission(request, myview, obj) def test_authenticated_but_not_reviewer(self): request = self.request_factory.get('/') request.user = user_factory() obj = Mock(spec=[]) obj.has_listed_versions = lambda: True assert not self.permission.has_permission(request, myview) assert not self.permission.has_object_permission(request, myview, obj) def test_admin(self): user = user_factory() self.grant_permission(user, '*:*') for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user obj = Mock(spec=[]) obj.has_listed_versions = lambda: True assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission(request, myview, obj) def test_reviewer_tools_access_read_only(self): user = user_factory() self.grant_permission(user, 'ReviewerTools:View') obj = Mock(spec=[]) obj.has_listed_versions = lambda: True for method in self.safe_methods: request = getattr(self.request_factory, method)('/') request.user = user assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission(request, myview, obj) for method in self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user assert not self.permission.has_permission(request, myview) assert not self.permission.has_object_permission( request, myview, obj) def test_actual_reviewer(self): user = user_factory() self.grant_permission(user, 'Addons:Review') obj = Mock(spec=[]) obj.has_listed_versions = lambda: True for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission(request, myview, obj) def test_no_listed_version_reviewer(self): user = user_factory() self.grant_permission(user, 'Addons:Review') obj = Mock(spec=[]) obj.has_listed_versions = lambda: False for method in self.safe_methods: request = getattr(self.request_factory, method)('/') request.user = user # When not checking the object, we have permission because it's # a safe HTTP method. assert self.permission.has_permission(request, myview) # It doesn't work with the object though, since # has_listed_versions() is returning False, we don't have enough # permissions, being a "simple" reviewer. assert not self.permission.has_object_permission( request, myview, obj) for method in self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user # When not checking the object, we have permission because we're a # reviewer. assert self.permission.has_permission(request, myview) # As above it doesn't work with the object though. assert not self.permission.has_object_permission( request, myview, obj)
class TestAllowReviewer(TestCase): fixtures = ['base/users'] # Note: be careful when testing, under the hood we're using a method that # relies on UserProfile.groups_list, which is cached on the UserProfile # instance. def setUp(self): self.permission = AllowReviewer() self.request_factory = RequestFactory() self.unsafe_methods = ('patch', 'post', 'put', 'delete') self.safe_methods = ('get', 'options', 'head') def test_user_cannot_be_anonymous(self): request = self.request_factory.get('/') request.user = AnonymousUser() assert not self.permission.has_permission(request, myview) assert not self.permission.has_object_permission( request, myview, Mock()) def test_authenticated_but_not_reviewer(self): request = self.request_factory.get('/') request.user = UserProfile.objects.get(pk=999) assert not self.permission.has_permission(request, myview) assert not self.permission.has_object_permission( request, myview, Mock()) def test_admin(self): user = UserProfile.objects.get(email='*****@*****.**') for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission( request, myview, Mock()) def test_reviewer_tools_access_read_only(self): user = UserProfile.objects.get(pk=999) group = Group.objects.create(name='ReviewerTools Viewer', rules='ReviewerTools:View') GroupUser.objects.create(user=user, group=group) for method in self.safe_methods: request = getattr(self.request_factory, method)('/') request.user = user assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission( request, myview, Mock()) for method in self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user assert not self.permission.has_permission(request, myview) assert not self.permission.has_object_permission( request, myview, Mock()) def test_actual_reviewer(self): user = UserProfile.objects.get(email='*****@*****.**') for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission( request, myview, Mock())
def setUp(self): self.permission = AllowReviewer() self.request_factory = RequestFactory() self.unsafe_methods = ("patch", "post", "put", "delete") self.safe_methods = ("get", "options", "head")
class TestAllowReviewer(TestCase): fixtures = ["base/users"] # Note: be careful when testing, under the hood we're using a method that # relies on UserProfile.groups_list, which is cached on the UserProfile # instance. def setUp(self): self.permission = AllowReviewer() self.request_factory = RequestFactory() self.unsafe_methods = ("patch", "post", "put", "delete") self.safe_methods = ("get", "options", "head") def test_user_cannot_be_anonymous(self): request = self.request_factory.get("/") request.user = AnonymousUser() assert not self.permission.has_permission(request, myview) assert not self.permission.has_object_permission(request, myview, Mock()) def test_authenticated_but_not_reviewer(self): request = self.request_factory.get("/") request.user = UserProfile.objects.get(pk=999) assert not self.permission.has_permission(request, myview) assert not self.permission.has_object_permission(request, myview, Mock()) def test_admin(self): user = UserProfile.objects.get(email="*****@*****.**") for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)("/") request.user = user assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission(request, myview, Mock()) def test_reviewer_tools_access_read_only(self): user = UserProfile.objects.get(pk=999) group = Group.objects.create(name="ReviewerTools Viewer", rules="ReviewerTools:View") GroupUser.objects.create(user=user, group=group) for method in self.safe_methods: request = getattr(self.request_factory, method)("/") request.user = user assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission(request, myview, Mock()) for method in self.unsafe_methods: request = getattr(self.request_factory, method)("/") request.user = user assert not self.permission.has_permission(request, myview) assert not self.permission.has_object_permission(request, myview, Mock()) def test_actual_reviewer(self): user = UserProfile.objects.get(email="*****@*****.**") for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)("/") request.user = user assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission(request, myview, Mock())
class TestAllowReviewer(TestCase): # Note: be careful when testing, under the hood we're using a method that # relies on UserProfile.groups_list, which is cached on the UserProfile # instance. def setUp(self): self.permission = AllowReviewer() self.request_factory = RequestFactory() self.unsafe_methods = ('patch', 'post', 'put', 'delete') self.safe_methods = ('get', 'options', 'head') def test_user_cannot_be_anonymous(self): request = self.request_factory.get('/') request.user = AnonymousUser() obj = Mock(spec=[]) obj.type = amo.ADDON_EXTENSION obj.has_listed_versions = lambda: True assert not self.permission.has_permission(request, myview) assert not self.permission.has_object_permission( request, myview, obj) def test_authenticated_but_not_reviewer(self): request = self.request_factory.get('/') request.user = user_factory() obj = Mock(spec=[]) obj.type = amo.ADDON_EXTENSION obj.has_listed_versions = lambda: True assert self.permission.has_permission(request, myview) assert not self.permission.has_object_permission( request, myview, obj) def test_admin(self): user = user_factory() self.grant_permission(user, '*:*') for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user obj = Mock(spec=[]) obj.type = amo.ADDON_EXTENSION obj.has_listed_versions = lambda: True assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission( request, myview, obj) def test_reviewer_tools_access_read_only(self): user = user_factory() self.grant_permission(user, 'ReviewerTools:View') obj = Mock(spec=[]) obj.type = amo.ADDON_EXTENSION obj.has_listed_versions = lambda: True for method in self.safe_methods: request = getattr(self.request_factory, method)('/') request.user = user assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission( request, myview, obj) for method in self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user # When not checking the object, we have permission because we're # authenticated. assert self.permission.has_permission(request, myview) assert not self.permission.has_object_permission( request, myview, obj) def test_legacy_reviewer(self): user = user_factory() self.grant_permission(user, 'Addons:Review') obj = Mock(spec=[]) obj.type = amo.ADDON_EXTENSION obj.has_listed_versions = lambda: True for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission( request, myview, obj) # Does not have access to static themes. obj.type = amo.ADDON_STATICTHEME for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user # When not checking the object, we have permission because we're # authenticated. assert self.permission.has_permission(request, myview) assert not self.permission.has_object_permission( request, myview, obj) def test_post_reviewer(self): user = user_factory() self.grant_permission(user, 'Addons:PostReview') obj = Mock(spec=[]) obj.type = amo.ADDON_EXTENSION obj.has_listed_versions = lambda: True for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission( request, myview, obj) # Does not have access to static themes. obj.type = amo.ADDON_STATICTHEME for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user # When not checking the object, we have permission because we're # authenticated. assert self.permission.has_permission(request, myview) assert not self.permission.has_object_permission( request, myview, obj) def test_theme_reviewer(self): user = user_factory() self.grant_permission(user, 'Addons:ThemeReview') obj = Mock(spec=[]) obj.type = amo.ADDON_STATICTHEME obj.has_listed_versions = lambda: True for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user assert self.permission.has_permission(request, myview) assert self.permission.has_object_permission( request, myview, obj) # Does not have access to other extensions. obj.type = amo.ADDON_EXTENSION for method in self.safe_methods + self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user # When not checking the object, we have permission because we're # authenticated. assert self.permission.has_permission(request, myview) assert not self.permission.has_object_permission( request, myview, obj) def test_no_listed_version_reviewer(self): user = user_factory() self.grant_permission(user, 'Addons:Review') obj = Mock(spec=[]) obj.type = amo.ADDON_EXTENSION obj.has_listed_versions = lambda: False for method in self.safe_methods: request = getattr(self.request_factory, method)('/') request.user = user # When not checking the object, we have permission because we're # authenticated. assert self.permission.has_permission(request, myview) # It doesn't work with the object though, since # has_listed_versions() is returning False, we don't have enough # permissions, being a "simple" reviewer. assert not self.permission.has_object_permission( request, myview, obj) for method in self.unsafe_methods: request = getattr(self.request_factory, method)('/') request.user = user # When not checking the object, we have permission because we're # authenticated. assert self.permission.has_permission(request, myview) # As above it doesn't work with the object though. assert not self.permission.has_object_permission( request, myview, obj)