def test_reviewer_can_update_nested_comment_fields_draft_registration(self):
user = AuthUserFactory()
user.system_tags.append(PREREG_ADMIN_TAG)
user.save()
payload = {
"data": {
"id": self.prereg_draft_registration._id,
"type": "draft_registrations",
"attributes": {
"registration_metadata": {
'q7': {
'value': {
'question': {
'comments': [{'value': 'Add some clarity here.'}]
}
}
}
}
}
}
}
url = '/{}nodes/{}/draft_registrations/{}/'.format(API_BASE, self.public_project._id, self.prereg_draft_registration._id)
res = self.app.put_json_api(url, payload, auth=user.auth, expect_errors=True)
assert_equal(res.status_code, 200)
assert_equal(res.json['data']['attributes']['registration_metadata']['q7']['value']['question']['comments'][0]['value'], 'Add some clarity here.')
def test_claim_user_registered_with_correct_password(self):
reg_user = AuthUserFactory()
reg_user.set_password('killerqueen')
reg_user.save()
url = self.user.get_claim_url(self.project._primary_key)
# Follow to password re-enter page
res = self.app.get(url, auth=reg_user.auth).follow(auth=reg_user.auth)
# verify that the "Claim Account" form is returned
assert_in('Claim Contributor', res.body)
form = res.forms['claimContributorForm']
form['password'] = '******'
res = form.submit(auth=reg_user.auth).follow(auth=reg_user.auth)
self.project.reload()
self.user.reload()
# user is now a contributor to the project
assert_in(reg_user._primary_key, self.project.contributors)
# the unregistered user (self.user) is removed as a contributor, and their
assert_not_in(self.user._primary_key, self.project.contributors)
# unclaimed record for the project has been deleted
assert_not_in(self.project._primary_key, self.user.unclaimed_records)
class TestMenbibAuthViews(OsfTestCase):
def setUp(self):
self.app = TestApp(app)
self.user = AuthUserFactory()
self.app.authenticate(*self.user.auth)
def test_menbib_oauth_start(self):
url = api_url_for('menbib_oauth_start_user')
res = self.app.get(url)
assert_is_redirect(res)
@mock.patch('website.addons.menbib.views.auth.finish_auth')
def test_menbib_oauth_finish(self, mock_finish):
mock_finish.return_value = AuthResult('mytokenabc', 'myrefreshabc', 'cool', '3600')
url = api_url_for('menbib_oauth_finish')
res = self.app.get(url)
assert_is_redirect(res)
def test_menbib_oauth_delete_user(self):
self.user.add_addon('menbib')
user_settings = self.user.get_addon('menbib')
user_settings.access_token = '12345abc'
assert_true(user_settings.has_auth)
self.user.save()
url = api_url_for('menbib_oauth_delete_user')
res = self.app.delete(url)
user_settings.reload()
assert_false(user_settings.has_auth)
class TestDataverseRestrictions(DataverseAddonTestCase, OsfTestCase):
def setUp(self):
super(DataverseAddonTestCase, self).setUp()
# Nasty contributor who will try to access content that he shouldn't
# have access to
self.contrib = AuthUserFactory()
self.project.add_contributor(self.contrib, auth=Auth(self.user))
self.project.save()
@mock.patch('addons.dataverse.views.client.connect_from_settings')
def test_restricted_set_dataset_not_owner(self, mock_connection):
mock_connection.return_value = create_mock_connection()
# Contributor has dataverse auth, but is not the node authorizer
self.contrib.add_addon('dataverse')
self.contrib.save()
url = api_url_for('dataverse_set_config', pid=self.project._primary_key)
params = {
'dataverse': {'alias': 'ALIAS1'},
'dataset': {'doi': 'doi:12.3456/DVN/00002'},
}
res = self.app.post_json(url, params, auth=self.contrib.auth,
expect_errors=True)
assert_equal(res.status_code, http.FORBIDDEN)
class TestUserSettingsModel(OsfTestCase):
def setUp(self):
super(TestUserSettingsModel, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('badges', override=True)
self.usersettings = self.user.get_addon('badges')
self.usersettings.save()
def test_can_award(self):
assert_false(self.usersettings.can_award)
create_mock_badge(self.usersettings)
assert_true(self.usersettings.can_award)
def test_to_openbadge(self):
self.user.fullname = 'HoneyBadger'
self.user.username = '******'
self.user.save()
test = {'name': 'HoneyBadger', 'email': '*****@*****.**'}
assert_equal(self.usersettings.to_openbadge(), test)
def test_badges(self):
create_mock_badge(self.usersettings)
create_mock_badge(self.usersettings)
assert_equal(len(self.usersettings.badges), 2)
create_mock_badge(self.usersettings)
assert_equal(len(self.usersettings.badges), 3)
def test_revoke_didnt_award(self):
badgeid = self.user_settings.badges[0]._id
initnum = len(self.project.badgeassertion__awarded)
assert_true(self.user_settings.can_award)
url = api_url_for('award_badge', pid=self.project._id)
ret = self.app.post_json(url, {'badgeid': badgeid}, auth=self.user.auth)
self.project.reload()
assert_equals(ret.status_int, 200)
assert_equals(initnum + 1, len(self.project.badgeassertion__awarded))
assertion = self.project.badgeassertion__awarded[0]
revoke = api_url_for('revoke_badge', pid=self.project._id)
user2 = AuthUserFactory()
user2.add_addon('badges', override=True)
user2.save()
user2.reload()
ret = self.app.post_json(revoke,
{
'id': assertion._id,
'reason': ''
}, auth=user2.auth, expect_errors=True)
self.project.reload()
self.user_settings.reload()
assertion.reload()
assert_equals(ret.status_int, 400)
assert_false(assertion.revoked)
assert_true(self.project.badgeassertion__awarded[0]._id, assertion._id)
assert_false(assertion._id in self.user_settings.revocation_list)
def test_reviewer_cannot_update_nested_value_fields_draft_registration(self):
user = AuthUserFactory()
user.system_tags.append(PREREG_ADMIN_TAG)
user.save()
payload = {
"data": {
"id": self.prereg_draft_registration._id,
"type": "draft_registrations",
"attributes": {
"registration_metadata": {
'q7': {
'value': {
'question': {
'value': 'This is the answer'
}
}
}
}
}
}
}
url = '/{}nodes/{}/draft_registrations/{}/'.format(API_BASE, self.public_project._id, self.prereg_draft_registration._id)
res = self.app.put_json_api(url, payload, auth=user.auth, expect_errors=True)
assert_equal(res.status_code, 400)
assert_equal(res.json['errors'][0]['detail'], "Additional properties are not allowed (u'value' was unexpected)")
def test_cannnot_make_primary_email_for_another_user(self):
user1 = AuthUserFactory()
user2 = AuthUserFactory()
email = '*****@*****.**'
user1.emails.append(email)
user1.save()
url = api_url_for('update_user')
header = {
'id':
user1.username,
'emails': [{
'address': user1.username,
'primary': False,
'confirmed': True
}, {
'address': email,
'primary': True,
'confirmed': True
}]
}
res = self.app.put_json(url,
header,
auth=user2.auth,
expect_errors=True)
assert_equal(res.status_code, 403)
class TestDataverseRestrictions(DataverseAddonTestCase):
def setUp(self):
super(DataverseAddonTestCase, self).setUp()
# Nasty contributor who will try to access content that he shouldn't
# have access to
self.contrib = AuthUserFactory()
self.project.add_contributor(self.contrib, auth=Auth(self.user))
self.project.save()
@mock.patch('website.addons.dataverse.views.config.connect_from_settings')
def test_restricted_set_study_not_owner(self, mock_connection):
mock_connection.return_value = create_mock_connection()
# Contributor has dataverse auth, but is not the node authorizer
self.contrib.add_addon('dataverse')
self.contrib.save()
url = api_url_for('set_dataverse_and_study',
pid=self.project._primary_key)
params = {
'dataverse': {
'alias': 'ALIAS1'
},
'study': {
'hdl': 'doi:12.3456/DVN/00002'
},
}
res = self.app.post_json(url,
params,
auth=self.contrib.auth,
expect_errors=True)
assert_equal(res.status_code, http.FORBIDDEN)
def setUp(self):
self.yesterday = datetime.today() - timedelta(1)
self.a_while_ago = datetime.today() - timedelta(2)
super(TestUserCount, self).setUp()
for i in range(0, 3):
u = AuthUserFactory()
u.is_registered = True
u.password = '******' + str(i)
u.date_confirmed = self.yesterday
u.save()
u = AuthUserFactory()
u.is_registered = True
u.password = '******'
u.date_confirmed = self.a_while_ago
u.save()
for i in range(0, 2):
u = AuthUserFactory()
u.date_confirmed = None
u.save()
u = AuthUserFactory()
u.date_disabled = self.yesterday
u.save()
u = AuthUserFactory()
u.date_disabled = self.a_while_ago
u.save()
modify_user_dates_in_mongo(self.yesterday)
def test_oauth_delete_user_two_osf_user(self, mock_revoke_token,
mock_github_user):
mock_revoke_token.return_value = True
user = mock.Mock()
user.id = "testing user id"
user.login = "******"
mock_github_user.return_value = user
views.auth.create_and_attach_oauth(self.user_settings,
"testing acess token",
"testing token type")
user2 = AuthUserFactory()
user2.add_addon('github')
user2.save()
user_settings2 = user2.get_addon('github')
views.auth.create_and_attach_oauth(user_settings2,
"testing access token",
"testing token type")
url = api_url_for("github_oauth_delete_user")
self.app.delete(url, auth=self.user.auth)
self.user_settings.reload()
user_settings2.reload()
assert_false(self.user_settings.oauth_token_type)
assert_false(self.user_settings.oauth_access_token)
assert_false(self.user_settings.github_user_name)
assert_false(self.user_settings.oauth_settings)
assert_true(user_settings2.oauth_settings)
assert_equal(user_settings2.oauth_token_type, "testing token type")
assert_equal(user_settings2.oauth_access_token, "testing access token")
assert_equal(user_settings2.github_user_name, "testing user")
class TestUserSettingsModel(OsfTestCase):
def setUp(self):
super(TestUserSettingsModel, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('badges', override=True)
self.usersettings = self.user.get_addon('badges')
self.usersettings.save()
def test_can_award(self):
assert_false(self.usersettings.can_award)
create_mock_badge(self.usersettings)
assert_true(self.usersettings.can_award)
def test_to_openbadge(self):
self.user.fullname = 'HoneyBadger'
self.user.username = '******'
self.user.save()
test = {
'name': 'HoneyBadger',
'email': '*****@*****.**'
}
assert_equal(self.usersettings.to_openbadge(), test)
def test_badges(self):
create_mock_badge(self.usersettings)
create_mock_badge(self.usersettings)
assert_equal(len(self.usersettings.badges), 2)
create_mock_badge(self.usersettings)
assert_equal(len(self.usersettings.badges), 3)
class TestUserGet(AdminTestCase):
def setUp(self):
super(TestUserGet, self).setUp()
User.remove()
self.user_1 = AuthUserFactory()
self.auth = Auth(user=self.user_1)
self.project = ProjectFactory(creator=self.user_1)
self.project.add_unregistered_contributor(
email='*****@*****.**',
fullname='Weezy F. Baby',
auth=self.auth
)
self.user_3 = AuthUserFactory()
self.user_3.date_confirmed = None
self.user_3.save()
self.user_4 = AuthUserFactory()
def test_get_all_user_count(self):
time_now = datetime.utcnow()
count = get_all_user_count(time_now)
nt.assert_equal(count, 4)
def test_get_unregistered_users(self):
count = get_unregistered_users()
nt.assert_equal(count, 1)
def test_revoke_didnt_award(self):
badgeid = self.user_settings.badges[0]._id
initnum = len(self.project.badgeassertion__awarded)
assert_true(self.user_settings.can_award)
url = api_url_for('award_badge', pid=self.project._id)
ret = self.app.post_json(url, {'badgeid': badgeid},
auth=self.user.auth)
self.project.reload()
assert_equals(ret.status_int, 200)
assert_equals(initnum + 1, len(self.project.badgeassertion__awarded))
assertion = self.project.badgeassertion__awarded[0]
revoke = api_url_for('revoke_badge', pid=self.project._id)
user2 = AuthUserFactory()
user2.add_addon('badges', override=True)
user2.save()
user2.reload()
ret = self.app.post_json(revoke, {
'id': assertion._id,
'reason': ''
},
auth=user2.auth,
expect_errors=True)
self.project.reload()
self.user_settings.reload()
assertion.reload()
assert_equals(ret.status_int, 400)
assert_false(assertion.revoked)
assert_true(self.project.badgeassertion__awarded[0]._id, assertion._id)
assert_false(assertion._id in self.user_settings.revocation_list)
def setUp(self):
self.yesterday = datetime.today() - timedelta(1)
self.a_while_ago = datetime.today() - timedelta(2)
super(TestUserCount, self).setUp()
for i in range(0, 3):
u = AuthUserFactory()
u.is_registered = True
u.password = '******' + str(i)
u.date_confirmed = self.yesterday
u.save()
u = AuthUserFactory()
u.is_registered = True
u.password = '******'
u.date_confirmed = self.a_while_ago
u.save()
for i in range(0, 2):
u = AuthUserFactory()
u.date_confirmed = None
u.save()
u = AuthUserFactory()
u.date_disabled = self.yesterday
u.save()
u = AuthUserFactory()
u.date_disabled = self.a_while_ago
u.save()
modify_user_dates_in_mongo(self.yesterday)
def test_claim_user_registered_with_correct_password(self):
reg_user = AuthUserFactory()
reg_user.set_password('killerqueen')
reg_user.save()
url = self.user.get_claim_url(self.project._primary_key)
# Follow to password re-enter page
res = self.app.get(url, auth=reg_user.auth).follow(auth=reg_user.auth)
# verify that the "Claim Account" form is returned
assert_in('Claim Contributor', res.body)
form = res.forms['claimContributorForm']
form['password'] = '******'
res = form.submit(auth=reg_user.auth).follow(auth=reg_user.auth)
self.project.reload()
self.user.reload()
# user is now a contributor to the project
assert_in(reg_user._primary_key, self.project.contributors)
# the unregistered user (self.user) is removed as a contributor, and their
assert_not_in(self.user._primary_key, self.project.contributors)
# unclaimed record for the project has been deleted
assert_not_in(self.project._primary_key, self.user.unclaimed_records)
def setUp(self):
self.yesterday = datetime.today() - timedelta(1)
self.a_while_ago = datetime.today() - timedelta(2)
super(TestUserCount, self).setUp()
for i in range(0, 3):
u = AuthUserFactory()
u.is_registered = True
u.password = '******' + str(i)
u.date_confirmed = self.yesterday
u.save()
# Make one of those 3 a depth user
for i in range(LOG_THRESHOLD + 1):
NodeLogFactory(action='file_added', user=u)
u = AuthUserFactory()
u.is_registered = True
u.password = '******'
u.date_confirmed = self.a_while_ago
u.save()
for i in range(LOG_THRESHOLD + 1):
NodeLogFactory(action='file_added', user=u)
for i in range(0, 2):
u = AuthUserFactory()
u.date_confirmed = None
u.save()
u = AuthUserFactory()
u.date_disabled = self.yesterday
u.save()
u = AuthUserFactory()
u.date_disabled = self.a_while_ago
u.save()
modify_user_dates_in_mongo(self.yesterday)
def test_revoke_remote_access_not_called(self, mock_decorator, mock_revoke):
mock_decorator.return_value = self.user
user2 = AuthUserFactory()
user2.external_accounts.append(self.external_account)
user2.save()
self.user_settings.delete()
assert_equal(mock_revoke.call_count, 0)
def test_oauth_delete_user_two_osf_user(self, mock_revoke_token, mock_github_user):
mock_revoke_token.return_value = True
user = mock.Mock()
user.id = "testing user id"
user.login = "******"
mock_github_user.return_value = user
views.auth.create_and_attach_oauth(self.user_settings, "testing acess token", "testing token type")
user2 = AuthUserFactory()
user2.add_addon('github')
user2.save()
user_settings2 = user2.get_addon('github')
views.auth.create_and_attach_oauth(user_settings2, "testing access token", "testing token type")
url = api_url_for("github_oauth_delete_user")
self.app.delete(url, auth=self.user.auth)
self.user_settings.reload()
user_settings2.reload()
assert_false(self.user_settings.oauth_token_type)
assert_false(self.user_settings.oauth_access_token)
assert_false(self.user_settings.github_user_name)
assert_false(self.user_settings.oauth_settings)
assert_true(user_settings2.oauth_settings)
assert_equal(user_settings2.oauth_token_type, "testing token type")
assert_equal(user_settings2.oauth_access_token, "testing access token")
assert_equal(user_settings2.github_user_name, "testing user")
class TestBoxIntegration(OsfTestCase):
def setUp(self):
super(TestBoxIntegration, self).setUp()
self.user = AuthUserFactory()
# User is logged in
self.app.authenticate(*self.user.auth)
def test_cant_start_oauth_if_already_authorized(self):
# User already has box authorized
self.user.add_addon('box')
self.user.save()
settings = self.user.get_addon('box')
oauth = BoxOAuthSettings(user_id='fa;l', access_token='a;lkjadl;kas')
oauth.save()
settings.oauth_settings = oauth
settings.save()
assert_true(self.user.get_addon('box').has_auth)
# Tries to start oauth again
url = api_url_for('box_oauth_start_user')
res = self.app.get(url).follow()
# Is redirected back to settings page
assert_equal(
res.request.path,
web_url_for('user_addons')
)
class TestUsers(ApiTestCase):
def setUp(self):
super(TestUsers, self).setUp()
self.user_one = AuthUserFactory()
self.user_two = AuthUserFactory()
def tearDown(self):
super(TestUsers, self).tearDown()
def test_returns_200(self):
res = self.app.get('/{}users/'.format(API_BASE))
assert_equal(res.status_code, 200)
assert_equal(res.content_type, 'application/vnd.api+json')
def test_find_user_in_users(self):
url = "/{}users/".format(API_BASE)
res = self.app.get(url)
user_son = res.json['data']
ids = [each['id'] for each in user_son]
assert_in(self.user_two._id, ids)
def test_all_users_in_users(self):
url = "/{}users/".format(API_BASE)
res = self.app.get(url)
user_son = res.json['data']
ids = [each['id'] for each in user_son]
assert_in(self.user_one._id, ids)
assert_in(self.user_two._id, ids)
def test_find_multiple_in_users(self):
url = "/{}users/?filter[fullname]=fred".format(API_BASE)
res = self.app.get(url)
user_json = res.json['data']
ids = [each['id'] for each in user_json]
assert_in(self.user_one._id, ids)
assert_in(self.user_two._id, ids)
def test_find_single_user_in_users(self):
url = "/{}users/?filter[fullname]=my".format(API_BASE)
self.user_one.fullname = 'My Mom'
self.user_one.save()
res = self.app.get(url)
user_json = res.json['data']
ids = [each['id'] for each in user_json]
assert_in(self.user_one._id, ids)
assert_not_in(self.user_two._id, ids)
def test_find_no_user_in_users(self):
url = "/{}users/?filter[fullname]=NotMyMom".format(API_BASE)
res = self.app.get(url)
user_json = res.json['data']
ids = [each['id'] for each in user_json]
assert_not_in(self.user_one._id, ids)
assert_not_in(self.user_two._id, ids)
class TestUsers(ApiTestCase):
def setUp(self):
super(TestUsers, self).setUp()
self.user_one = AuthUserFactory()
self.user_two = AuthUserFactory()
def tearDown(self):
super(TestUsers, self).tearDown()
def test_returns_200(self):
res = self.app.get('/{}users/'.format(API_BASE))
assert_equal(res.status_code, 200)
def test_find_user_in_users(self):
url = "/{}users/".format(API_BASE)
res = self.app.get(url)
user_son = res.json['data']
ids = [each['id'] for each in user_son]
assert_in(self.user_two._id, ids)
def test_all_users_in_users(self):
url = "/{}users/".format(API_BASE)
res = self.app.get(url)
user_son = res.json['data']
ids = [each['id'] for each in user_son]
assert_in(self.user_one._id, ids)
assert_in(self.user_two._id, ids)
def test_find_multiple_in_users(self):
url = "/{}users/?filter[fullname]=fred".format(API_BASE)
res = self.app.get(url)
user_json = res.json['data']
ids = [each['id'] for each in user_json]
assert_in(self.user_one._id, ids)
assert_in(self.user_two._id, ids)
def test_find_single_user_in_users(self):
url = "/{}users/?filter[fullname]=my".format(API_BASE)
self.user_one.fullname = 'My Mom'
self.user_one.save()
res = self.app.get(url)
user_json = res.json['data']
ids = [each['id'] for each in user_json]
assert_in(self.user_one._id, ids)
assert_not_in(self.user_two._id, ids)
def test_find_no_user_in_users(self):
url = "/{}users/?filter[fullname]=NotMyMom".format(API_BASE)
res = self.app.get(url)
user_json = res.json['data']
ids = [each['id'] for each in user_json]
assert_not_in(self.user_one._id, ids)
assert_not_in(self.user_two._id, ids)
def test_many_users_each_with_the_same_github(self):
user = AuthUserFactory()
user.add_addon('github')
user.external_accounts.append(self.oauth_settings)
user.save()
results = AddonSnapshot().get_events()
github_res = [res for res in results if res['provider']['name'] == 'github'][0]
assert_equal(github_res['users']['total'], 2)
def test_reviewer_cannot_create_draft_registration(self):
user = AuthUserFactory()
user.system_tags.append(PREREG_ADMIN_TAG)
user.save()
assert_in(self.read_only_user._id, self.public_project.contributors)
res = self.app.post_json_api(self.url, self.payload, auth=user.auth, expect_errors=True)
assert_equal(res.status_code, 403)
def test_reviewer_cannot_delete_draft_registration(self):
user = AuthUserFactory()
user.system_tags.append(PREREG_ADMIN_TAG)
user.save()
res = self.app.delete_json_api(self.url, auth=user.auth, expect_errors=True)
assert_equal(res.status_code, 403)
assert_equal(res.json['errors'][0]['detail'], 'You do not have permission to perform this action.')
def test_many_users_each_with_the_same_github_enabled(self):
user = AuthUserFactory()
user.add_addon("github")
user.external_accounts.append(self.external_account)
user.save()
results = AddonSnapshot().get_events()
github_res = [res for res in results if res["provider"]["name"] == "github"][0]
assert_equal(github_res["users"]["enabled"], 2)
def test_revoke_remote_access_not_called(self, mock_decorator,
mock_revoke):
mock_decorator.return_value = self.user
user2 = AuthUserFactory()
user2.external_accounts.append(self.external_account)
user2.save()
self.user_settings.delete()
assert_equal(mock_revoke.call_count, 0)
class TestCheckPreregAuth(OsfTestCase):
def setUp(self):
super(TestCheckPreregAuth, self).setUp()
ensure_schemas()
self.prereg_challenge_admin_user = AuthUserFactory()
self.prereg_challenge_admin_user.system_tags.append(
settings.PREREG_ADMIN_TAG)
self.prereg_challenge_admin_user.save()
prereg_schema = MetaSchema.find_one(
Q('name', 'eq', 'Prereg Challenge') & Q('schema_version', 'eq', 2))
self.user = AuthUserFactory()
self.node = factories.ProjectFactory(creator=self.user)
self.parent = factories.ProjectFactory()
self.child = factories.NodeFactory(parent=self.parent)
self.draft_registration = factories.DraftRegistrationFactory(
initiator=self.user,
registration_schema=prereg_schema,
branched_from=self.parent)
def test_has_permission_download_prereg_challenge_admin(self):
res = views.check_access(self.draft_registration.branched_from,
Auth(user=self.prereg_challenge_admin_user),
'download', None)
assert_true(res)
def test_has_permission_download_on_component_prereg_challenge_admin(self):
try:
res = views.check_access(
self.draft_registration.branched_from.nodes[0],
Auth(user=self.prereg_challenge_admin_user), 'download', None)
except Exception:
self.fail()
assert_true(res)
def test_has_permission_download_not_prereg_challenge_admin(self):
new_user = AuthUserFactory()
with assert_raises(HTTPError) as exc_info:
views.check_access(self.draft_registration.branched_from,
Auth(user=new_user), 'download', None)
assert_equal(exc_info.exception.code, http.FORBIDDEN)
def test_has_permission_download_prereg_challenge_admin_not_draft(self):
with assert_raises(HTTPError) as exc_info:
views.check_access(self.node,
Auth(user=self.prereg_challenge_admin_user),
'download', None)
assert_equal(exc_info.exception.code, http.FORBIDDEN)
def test_has_permission_write_prereg_challenge_admin(self):
with assert_raises(HTTPError) as exc_info:
views.check_access(self.draft_registration.branched_from,
Auth(user=self.prereg_challenge_admin_user),
'write', None)
assert_equal(exc_info.exception.code, http.FORBIDDEN)
class TestCheckPreregAuth(OsfTestCase):
def setUp(self):
super(TestCheckPreregAuth, self).setUp()
ensure_schemas()
self.prereg_challenge_admin_user = AuthUserFactory()
self.prereg_challenge_admin_user.system_tags.append(settings.PREREG_ADMIN_TAG)
self.prereg_challenge_admin_user.save()
prereg_schema = MetaSchema.find_one(
Q('name', 'eq', 'Prereg Challenge') &
Q('schema_version', 'eq', 2)
)
self.user = AuthUserFactory()
self.node = factories.ProjectFactory(creator=self.user)
self.parent = factories.ProjectFactory()
self.child = factories.NodeFactory(parent=self.parent)
self.draft_registration = factories.DraftRegistrationFactory(
initiator=self.user,
registration_schema=prereg_schema,
branched_from=self.parent
)
def test_has_permission_download_prereg_challenge_admin(self):
res = views.check_access(self.draft_registration.branched_from,
Auth(user=self.prereg_challenge_admin_user), 'download', None)
assert_true(res)
def test_has_permission_download_on_component_prereg_challenge_admin(self):
try:
res = views.check_access(self.draft_registration.branched_from.nodes[0],
Auth(user=self.prereg_challenge_admin_user), 'download', None)
except Exception:
self.fail()
assert_true(res)
def test_has_permission_download_not_prereg_challenge_admin(self):
new_user = AuthUserFactory()
with assert_raises(HTTPError) as exc_info:
views.check_access(self.draft_registration.branched_from,
Auth(user=new_user), 'download', None)
assert_equal(exc_info.exception.code, http.FORBIDDEN)
def test_has_permission_download_prereg_challenge_admin_not_draft(self):
with assert_raises(HTTPError) as exc_info:
views.check_access(self.node,
Auth(user=self.prereg_challenge_admin_user), 'download', None)
assert_equal(exc_info.exception.code, http.FORBIDDEN)
def test_has_permission_write_prereg_challenge_admin(self):
with assert_raises(HTTPError) as exc_info:
views.check_access(self.draft_registration.branched_from,
Auth(user=self.prereg_challenge_admin_user), 'write', None)
assert_equal(exc_info.exception.code, http.FORBIDDEN)
class TestCommentViews(OsfTestCase):
def setUp(self):
super(TestCommentViews, self).setUp()
self.project = ProjectFactory(is_public=True)
self.user = AuthUserFactory()
self.project.add_contributor(self.user)
self.project.save()
self.user.save()
def test_view_project_comments_updates_user_comments_view_timestamp(self):
url = self.project.api_url_for('update_comments_timestamp')
res = self.app.put_json(url, {
'page': 'node',
'rootId': self.project._id
}, auth=self.user.auth)
self.user.reload()
user_timestamp = self.user.comments_viewed_timestamp[self.project._id]
view_timestamp = dt.datetime.utcnow()
assert_datetime_equal(user_timestamp, view_timestamp)
def test_confirm_non_contrib_viewers_dont_have_pid_in_comments_view_timestamp(self):
non_contributor = AuthUserFactory()
url = self.project.api_url_for('update_comments_timestamp')
res = self.app.put_json(url, {
'page': 'node',
'rootId': self.project._id
}, auth=self.user.auth)
non_contributor.reload()
assert_not_in(self.project._id, non_contributor.comments_viewed_timestamp)
def test_view_comments_updates_user_comments_view_timestamp_files(self):
osfstorage = self.project.get_addon('osfstorage')
root_node = osfstorage.get_root()
test_file = root_node.append_file('test_file')
test_file.create_version(self.user, {
'object': '06d80e',
'service': 'cloud',
osfstorage_settings.WATERBUTLER_RESOURCE: 'osf',
}, {
'size': 1337,
'contentType': 'img/png'
}).save()
url = self.project.api_url_for('update_comments_timestamp')
res = self.app.put_json(url, {
'page': 'files',
'rootId': test_file._id
}, auth=self.user.auth)
self.user.reload()
user_timestamp = self.user.comments_viewed_timestamp[test_file._id]
view_timestamp = dt.datetime.utcnow()
assert_datetime_equal(user_timestamp, view_timestamp)
class TestCommentViews(OsfTestCase):
def setUp(self):
super(TestCommentViews, self).setUp()
self.project = ProjectFactory(is_public=True)
self.user = AuthUserFactory()
self.project.add_contributor(self.user)
self.project.save()
self.user.save()
def test_view_project_comments_updates_user_comments_view_timestamp(self):
url = self.project.api_url_for('update_comments_timestamp')
res = self.app.put_json(url, {
'page': 'node',
'rootId': self.project._id
}, auth=self.user.auth)
self.user.reload()
user_timestamp = self.user.comments_viewed_timestamp[self.project._id]['node']
view_timestamp = dt.datetime.utcnow()
assert_datetime_equal(user_timestamp, view_timestamp)
def test_confirm_non_contrib_viewers_dont_have_pid_in_comments_view_timestamp(self):
non_contributor = AuthUserFactory()
url = self.project.api_url_for('update_comments_timestamp')
res = self.app.put_json(url, {
'page': 'node',
'rootId': self.project._id
}, auth=self.user.auth)
non_contributor.reload()
assert_not_in(self.project._id, non_contributor.comments_viewed_timestamp)
def test_view_comments_updates_user_comments_view_timestamp_files(self):
osfstorage = self.project.get_addon('osfstorage')
root_node = osfstorage.get_root()
test_file = root_node.append_file('test_file')
test_file.create_version(self.user, {
'object': '06d80e',
'service': 'cloud',
osfstorage_settings.WATERBUTLER_RESOURCE: 'osf',
}, {
'size': 1337,
'contentType': 'img/png'
}).save()
url = self.project.api_url_for('update_comments_timestamp')
res = self.app.put_json(url, {
'page': 'files',
'rootId': test_file._id
}, auth=self.user.auth)
self.user.reload()
user_timestamp = self.user.comments_viewed_timestamp[self.project._id]['files'][test_file._id]
view_timestamp = dt.datetime.utcnow()
assert_datetime_equal(user_timestamp, view_timestamp)
def test_many_users_each_with_a_different_github(self):
user = AuthUserFactory()
user.add_addon('github')
oauth_settings2 = GitHubAccountFactory(display_name='hmoco2')
oauth_settings2.save()
user.external_accounts.append(oauth_settings2)
user.save()
results = AddonSnapshot().get_events()
github_res = [res for res in results if res['provider']['name'] == 'github'][0]
assert_equal(github_res['users']['total'], 2)
def test_github_enabled_not_linked_or_authorized(self):
user = AuthUserFactory()
user.add_addon("github")
user.external_accounts.append(self.external_account)
user.save()
results = AddonSnapshot().get_events()
github_res = [res for res in results if res["provider"]["name"] == "github"][0]
assert_equal(github_res["users"]["enabled"], 2)
assert_equal(github_res["users"]["authorized"], 1)
assert_equal(github_res["users"]["linked"], 1)
def test_reviewer_can_see_draft_registration(self):
user = AuthUserFactory()
user.system_tags.append(PREREG_ADMIN_TAG)
user.save()
res = self.app.get(self.url, auth=user.auth)
assert_equal(res.status_code, 200)
data = res.json['data']
assert_equal(data['attributes']['registration_supplement'], self.schema._id)
assert_equal(data['id'], self.draft_registration._id)
assert_equal(data['attributes']['registration_metadata'], {})
def test_github_enabled_not_linked_or_authorized(self):
user = AuthUserFactory()
user.add_addon('github')
user.external_accounts.append(self.external_account)
user.save()
results = AddonSnapshot().get_events()
github_res = [res for res in results if res['provider']['name'] == 'github'][0]
assert_equal(github_res['users']['enabled'], 2)
assert_equal(github_res['users']['authorized'], 1)
assert_equal(github_res['users']['linked'], 1)
def test_many_users_each_with_the_same_github(self):
user = AuthUserFactory()
user.add_addon('github')
user.external_accounts.append(self.oauth_settings)
user.save()
results = AddonSnapshot().get_events()
github_res = [
res for res in results if res['provider']['name'] == 'github'
][0]
assert_equal(github_res['users']['total'], 2)
def test_dropbox_get_share_emails_returns_error_if_not_authorizer(self):
contrib = AuthUserFactory()
contrib.add_addon('dropbox')
contrib.save()
self.project.add_contributor(contrib, auth=Auth(self.user))
self.project.save()
url = api_url_for('dropbox_get_share_emails', pid=self.project._primary_key)
# Non-authorizing contributor sends request
res = self.app.get(url, auth=contrib.auth, expect_errors=True)
assert_equal(res.status_code, httplib.FORBIDDEN)
class TestAuthViews(OsfTestCase):
def setUp(self):
super(TestAuthViews, self).setUp()
self.user = AuthUserFactory()
# Log user in
self.app.authenticate(*self.user.auth)
def test_dropbox_oauth_start(self):
url = api_url_for('dropbox_oauth_start_user')
res = self.app.get(url)
assert_is_redirect(res)
assert_in('&force_reapprove=true', res.location)
@mock.patch('website.addons.dropbox.views.auth.DropboxOAuth2Flow.finish')
@mock.patch('website.addons.dropbox.views.auth.get_client_from_user_settings')
def test_dropbox_oauth_finish(self, mock_get, mock_finish):
mock_client = mock.MagicMock()
mock_client.account_info.return_value = {'display_name': 'Mr. Drop Box'}
mock_get.return_value = mock_client
mock_finish.return_value = ('mytoken123', 'mydropboxid', 'done')
url = api_url_for('dropbox_oauth_finish')
res = self.app.get(url)
assert_is_redirect(res)
@mock.patch('website.addons.dropbox.client.DropboxClient.disable_access_token')
def test_dropbox_oauth_delete_user(self, mock_disable_access_token):
self.user.add_addon('dropbox')
settings = self.user.get_addon('dropbox')
settings.access_token = '12345abc'
settings.save()
assert_true(settings.has_auth)
self.user.save()
url = api_url_for('dropbox_oauth_delete_user')
self.app.delete(url)
settings.reload()
assert_false(settings.has_auth)
@mock.patch('website.addons.dropbox.client.DropboxClient.disable_access_token')
def test_dropbox_oauth_delete_user_with_invalid_credentials(self, mock_disable_access_token):
self.user.add_addon('dropbox')
settings = self.user.get_addon('dropbox')
settings.access_token = '12345abc'
settings.save()
assert_true(settings.has_auth)
mock_response = mock.Mock()
mock_response.status = 401
mock_disable_access_token.side_effect = ErrorResponse(mock_response, "The given OAuth 2 access token doesn't exist or has expired.")
self.user.save()
url = api_url_for('dropbox_oauth_delete_user')
self.app.delete(url)
settings.reload()
assert_false(settings.has_auth)
def test_add_provider_with_no_permissions(self):
new_user = AuthUserFactory()
new_user.save()
res = self.app.post_json_api(
self.preprint_preprint_providers_url,
self.create_payload(self.preprint_provider_one._id),
auth=new_user.auth,
expect_errors=True,
)
assert_equal(res.status_code, 403)
def test_node_with_no_permissions(self):
user = AuthUserFactory()
user.affiliated_institutions.append(self.institution1)
user.save()
res = self.app.put_json_api(
self.node_institutions_url,
self.create_payload([self.institution1._id]),
auth=user.auth,
expect_errors=True,
)
assert_equal(res.status_code, 403)
def test_node_with_no_permissions(self):
user = AuthUserFactory()
user.affiliated_institutions.append(self.institution1)
user.save()
res = self.app.put_json_api(
self.node_institutions_url,
self.create_payload([self.institution1._id]),
auth=user.auth,
expect_errors=True,
)
assert_equal(res.status_code, 403)
def test_add_provider_with_no_permissions(self):
new_user = AuthUserFactory()
new_user.save()
res = self.app.post_json_api(
self.preprint_preprint_providers_url,
self.create_payload(self.preprint_provider_one._id),
auth=new_user.auth,
expect_errors=True,
)
assert_equal(res.status_code, 403)
def test_reviewer_cannot_create_draft_registration(self):
user = AuthUserFactory()
user.system_tags.append(PREREG_ADMIN_TAG)
user.save()
assert_in(self.read_only_user._id, self.public_project.contributors)
res = self.app.post_json_api(self.url,
self.payload,
auth=user.auth,
expect_errors=True)
assert_equal(res.status_code, 403)
class TestAuthViews(OsfTestCase):
def setUp(self):
super(TestAuthViews, self).setUp()
self.user = AuthUserFactory()
# Log user in
self.app.authenticate(*self.user.auth)
def test_box_oauth_start(self):
url = api_url_for('box_oauth_start_user')
res = self.app.get(url)
assert_is_redirect(res)
@mock.patch('website.addons.box.views.auth.box_oauth_finish')
@mock.patch('website.addons.box.views.auth.finish_auth')
@mock.patch('website.addons.box.views.auth.BoxClient')
def test_box_oauth_finish(self, mock_get, mock_finish, mock_oauth):
mock_client = mock.MagicMock()
mock_client.get_user_info.return_value = {
'name': 'Mr. Box',
'id': '1234567890'
}
mock_get.return_value = mock_client
mock_finish.return_value = {
'token_type': 'something',
'access_token': 'something',
'refresh_token': 'something'
}
mock_oauth.return_value = ('mytoken123', 'myboxid', 'done')
url = api_url_for('box_oauth_finish')
res = self.app.get(url)
assert_is_redirect(res)
@mock.patch('website.addons.box.views.auth.flash')
def test_box_oauth_finish_cancelled(self, mock_flash):
url = api_url_for('box_oauth_finish', error='User declined!')
res = self.app.get(url)
assert_is_redirect(res)
mock_flash.assert_called_once()
@mock.patch('website.addons.box.model.BoxOAuthSettings.revoke_access_token'
)
def test_box_oauth_delete_user(self, mock_disable_access_token):
self.user.add_addon('box')
settings = self.user.get_addon('box')
oauth = BoxOAuthSettings(user_id='fa;l', access_token='a;lkjadl;kas')
oauth.save()
settings.oauth_settings = oauth
settings.save()
assert_true(settings.has_auth)
self.user.save()
url = api_url_for('box_oauth_delete_user')
self.app.delete(url)
settings.reload()
assert_false(settings.has_auth)
def test_correct_view_permissions(self):
user = AuthUserFactory()
view_permission = Permission.objects.get(codename='view_conference')
user.user_permissions.add(view_permission)
user.save()
request = RequestFactory().get(reverse('meetings:list'))
request.user = user
response = MeetingListView.as_view()(request)
nt.assert_equal(response.status_code, 200)
class TestUserSpamListView(AdminTestCase):
def setUp(self):
super(TestUserSpamListView, self).setUp()
self.project = ProjectFactory(is_public=True)
self.user_1 = AuthUserFactory()
self.user_2 = AuthUserFactory()
self.project.add_contributor(self.user_1)
self.project.add_contributor(self.user_2)
self.project.save()
self.user_1.save()
self.user_2.save()
self.comment_1 = CommentFactory(node=self.project, user=self.user_1)
self.comment_2 = CommentFactory(node=self.project, user=self.user_1)
self.comment_3 = CommentFactory(node=self.project, user=self.user_1)
self.comment_4 = CommentFactory(node=self.project, user=self.user_1)
self.comment_5 = CommentFactory(node=self.project, user=self.user_2)
self.comment_6 = CommentFactory(node=self.project, user=self.user_2)
self.comment_1.report_abuse(user=self.user_2,
save=True,
category='spam')
self.comment_2.report_abuse(user=self.user_2,
save=True,
category='spam')
self.comment_3.report_abuse(user=self.user_2,
save=True,
category='spam')
self.comment_4.report_abuse(user=self.user_2,
save=True,
category='spam')
self.comment_5.report_abuse(user=self.user_1,
save=True,
category='spam')
self.comment_6.report_abuse(user=self.user_1,
save=True,
category='spam')
self.request = RequestFactory().get('/fake_path')
self.view = UserSpamList()
self.view = setup_view(self.view,
self.request,
user_id=self.user_1._id)
def test_get_user_spam(self):
res = list(self.view.get_queryset())
nt.assert_equal(len(res), 4)
def test_get_context_data(self):
self.view.object_list = self.view.get_queryset()
res = self.view.get_context_data()
nt.assert_is_instance(res['spam'], list)
nt.assert_is_instance(res['spam'][0], dict)
nt.assert_equal(res['status'], '1')
nt.assert_equal(res['page_number'], 1)
nt.assert_equal(res['user_id'], self.user_1._id)
def test_github_enabled_not_linked_or_authorized(self):
user = AuthUserFactory()
user.add_addon('github')
user.external_accounts.append(self.external_account)
user.save()
results = AddonSnapshot().get_events()
github_res = [
res for res in results if res['provider']['name'] == 'github'
][0]
assert_equal(github_res['users']['enabled'], 2)
assert_equal(github_res['users']['authorized'], 1)
assert_equal(github_res['users']['linked'], 1)
def test_many_users_each_with_a_different_github(self):
user = AuthUserFactory()
user.add_addon('github')
oauth_settings2 = GitHubAccountFactory(display_name='hmoco2')
oauth_settings2.save()
user.external_accounts.append(oauth_settings2)
user.save()
results = AddonSnapshot().get_events()
github_res = [
res for res in results if res['provider']['name'] == 'github'
][0]
assert_equal(github_res['users']['total'], 2)
def test_many_users_each_with_a_different_github(self):
user = AuthUserFactory()
user.add_addon("github")
oauth_settings2 = GitHubAccountFactory(display_name="hmoco2")
oauth_settings2.save()
user.external_accounts.append(oauth_settings2)
user.save()
results = AddonSnapshot().get_events()
github_res = [res for res in results if res["provider"]["name"] == "github"][0]
assert_equal(github_res["users"]["enabled"], 2)
assert_equal(github_res["users"]["authorized"], 1)
assert_equal(github_res["users"]["linked"], 1)
class TestUserDetail(ApiTestCase):
def setUp(self):
super(TestUserDetail, self).setUp()
self.user_one = AuthUserFactory()
self.user_one.social['twitter'] = 'howtopizza'
self.user_one.save()
self.user_two = AuthUserFactory()
def tearDown(self):
super(TestUserDetail, self).tearDown()
def test_gets_200(self):
url = "/{}users/{}/".format(API_BASE, self.user_one._id)
res = self.app.get(url)
assert_equal(res.status_code, 200)
assert_equal(res.content_type, 'application/vnd.api+json')
def test_get_correct_pk_user(self):
url = "/{}users/{}/".format(API_BASE, self.user_one._id)
res = self.app.get(url)
user_json = res.json['data']
assert_equal(user_json['attributes']['fullname'],
self.user_one.fullname)
assert_equal(user_json['attributes']['twitter'], 'howtopizza')
def test_get_incorrect_pk_user_logged_in(self):
url = "/{}users/{}/".format(API_BASE, self.user_two._id)
res = self.app.get(url)
user_json = res.json['data']
assert_not_equal(user_json['attributes']['fullname'],
self.user_one.fullname)
def test_get_incorrect_pk_user_not_logged_in(self):
url = "/{}users/{}/".format(API_BASE, self.user_two._id)
res = self.app.get(url, auth=self.user_one.auth)
user_json = res.json['data']
assert_not_equal(user_json['attributes']['fullname'],
self.user_one.fullname)
assert_equal(user_json['attributes']['fullname'],
self.user_two.fullname)
def test_user_detail_takes_profile_image_size_param(self):
size = 42
url = "/{}users/{}/?profile_image_size={}".format(
API_BASE, self.user_one._id, size)
res = self.app.get(url)
user_json = res.json['data']
profile_image_url = user_json['attributes']['profile_image_url']
query_dict = urlparse.parse_qs(
urlparse.urlparse(profile_image_url).query)
assert_equal(int(query_dict.get('size')[0]), size)
def test_cannnot_make_primary_email_for_another_user(self):
user1 = AuthUserFactory()
user2 = AuthUserFactory()
email = '*****@*****.**'
user1.emails.append(email)
user1.save()
url = api_url_for('update_user')
header = {'id': user1.username,
'emails': [{'address': user1.username, 'primary': False, 'confirmed': True},
{'address': email, 'primary': True, 'confirmed': True}
]}
res = self.app.put_json(url, header, auth=user2.auth, expect_errors=True)
assert_equal(res.status_code, 403)
class TestDeactivatedUser(ApiTestCase):
def setUp(self):
super(TestDeactivatedUser, self).setUp()
self.user = AuthUserFactory()
def test_deactivated_user_returns_410_response(self):
url = '/{}users/{}/'.format(API_BASE, self.user._id)
res = self.app.get(url, auth=self.user.auth, expect_errors=False)
assert_equal(res.status_code, 200)
self.user.is_disabled = True
self.user.save()
res = self.app.get(url, auth=self.user.auth, expect_errors=True)
assert_equal(res.status_code, 410)
