class TestPrivateLink(OsfTestCase):
def setUp(self):
super(TestPrivateLink, self).setUp()
self.flaskapp = Flask('testing_private_links')
@self.flaskapp.route('/project/<pid>/')
@must_be_contributor
def project_get(**kwargs):
return 'success', 200
self.app = TestApp(self.flaskapp)
self.user = AuthUserFactory()
self.project = ProjectFactory(is_public=False)
self.link = PrivateLinkFactory()
self.link.nodes.append(self.project)
self.link.save()
@mock.patch('website.project.decorators.Auth.from_kwargs')
def test_has_private_link_key(self, mock_from_kwargs):
mock_from_kwargs.return_value = Auth(user=None)
res = self.app.get('/project/{0}'.format(self.project._primary_key),
{'view_only': self.link.key})
res = res.follow()
assert_equal(res.status_code, 200)
assert_equal(res.body, 'success')
@mock.patch('website.project.decorators.Auth.from_kwargs')
def test_does_not_have_key(self, mock_from_kwargs):
mock_from_kwargs.return_value = Auth(user=None)
res = self.app.get('/project/{0}'.format(self.project._primary_key),
{'key': None})
assert_is_redirect(res)
def setUp(self):
super(TestMustBeContributorOrPublicButNotAnonymizedDecorator, self).setUp()
self.contrib = AuthUserFactory()
self.non_contrib = AuthUserFactory()
admin = UserFactory()
self.public_project = ProjectFactory(is_public=True)
self.public_project.add_contributor(admin, auth=Auth(self.public_project.creator), permissions=['read', 'write', 'admin'])
self.private_project = ProjectFactory(is_public=False)
self.private_project.add_contributor(admin, auth=Auth(self.private_project.creator), permissions=['read', 'write', 'admin'])
self.public_project.add_contributor(self.contrib, auth=Auth(self.public_project.creator))
self.private_project.add_contributor(self.contrib, auth=Auth(self.private_project.creator))
self.public_project.save()
self.private_project.save()
self.anonymized_link_to_public_project = PrivateLinkFactory(anonymous=True)
self.anonymized_link_to_private_project = PrivateLinkFactory(anonymous=True)
self.anonymized_link_to_public_project.nodes.append(self.public_project)
self.anonymized_link_to_public_project.save()
self.anonymized_link_to_private_project.nodes.append(self.private_project)
self.anonymized_link_to_private_project.save()
self.flaskapp = Flask('Testing decorator')
@self.flaskapp.route('/project/<pid>/')
@must_be_contributor_or_public_but_not_anonymized
def project_get(**kwargs):
return 'success', 200
self.app = TestApp(self.flaskapp)
def test_public_node_user_with_private_link_can_view_comment(self):
self._set_up_public_project_with_comment()
private_link = PrivateLinkFactory(anonymous=False)
private_link.nodes.append(self.public_project)
private_link.save()
res = self.app.get('/{}comments/{}/'.format(API_BASE, self.public_comment._id), {'view_only': private_link.key}, expect_errors=True)
assert_equal(self.public_comment._id, res.json['data']['id'])
assert_equal(self.public_comment.content, res.json['data']['attributes']['content'])
def test_private_node_user_with_view_only_link_can_view_wiki(self):
self._set_up_private_project_with_wiki_page()
private_link = PrivateLinkFactory(anonymous=False)
private_link.nodes.append(self.private_project)
private_link.save()
url = furl.furl(self.private_url).add(query_params={'view_only': private_link.key}).url
res = self.app.get(url)
assert_equal(res.status_code, 200)
assert_equal(res.json['data']['id'], self.private_wiki._id)
def test_private_node_user_with_anonymous_link_cannot_see_commenter_info(self):
self._set_up_private_project_with_comment()
private_link = PrivateLinkFactory(anonymous=True)
private_link.nodes.append(self.private_project)
private_link.save()
res = self.app.get('/{}comments/{}/'.format(API_BASE, self.comment._id), {'view_only': private_link.key})
assert_equal(res.status_code, 200)
assert_equal(self.comment._id, res.json['data']['id'])
assert_equal(self.comment.content, res.json['data']['attributes']['content'])
assert_not_in('user', res.json['data']['relationships'])
def test_private_node_user_with_anonymous_link_can_view_wiki(self):
self._set_up_private_project_with_wiki_page()
private_link = PrivateLinkFactory(anonymous=True)
private_link.nodes.append(self.private_project)
private_link.save()
url = furl.furl(self.private_url).add(query_params={
'view_only': private_link.key
}).url
res = self.app.get(url)
assert_equal(res.status_code, 200)
assert_equal(res.json['data']['id'], self.private_wiki._id)
def test_file_info_with_anonymous_link(self):
link = PrivateLinkFactory(anonymous=True)
link.nodes.append(self.project)
link.save()
self._upload_file('firstfile', 'secondcontent')
url = self.project.api_url_for(
'file_info', fid=self.project.uploads[0].filename
)
res = self.app.get(url, {'view_only': link.key})
assert_not_in(self.user.fullname, res.body)
assert_not_in(self.user._id, res.body)
def test_no_warning_for_read_only_user_with_valid_link(self):
link2 = PrivateLinkFactory(anonymous=False)
link2.nodes.append(self.project)
link2.save()
self.project.add_contributor(self.user, permissions=["read"], save=True)
res = self.app.get(self.project_url, {"view_only": link2.key}, auth=self.user.auth)
assert_not_in(
"is being viewed through a private, view-only link. "
"Anyone with the link can view this project. Keep "
"the link safe.",
res.body,
)
def test_public_node_user_with_private_link_can_view_comment(self):
self._set_up_public_project_with_comment()
private_link = PrivateLinkFactory(anonymous=False)
private_link.nodes.append(self.public_project)
private_link.save()
res = self.app.get('/{}comments/{}/'.format(API_BASE,
self.public_comment._id),
{'view_only': private_link.key},
expect_errors=True)
assert_equal(self.public_comment._id, res.json['data']['id'])
assert_equal(self.public_comment.content,
res.json['data']['attributes']['content'])
def test_public_node_view_only_link_user_cannot_see_deleted_comment(self):
self._set_up_public_project_with_comment()
self.public_comment.is_deleted = True
self.public_comment.save()
private_link = PrivateLinkFactory(anonymous=False)
private_link.nodes.append(self.public_project)
private_link.save()
res = self.app.get('/{}comments/{}/'.format(API_BASE, self.public_comment._id), {'view_only': private_link.key}, expect_errors=True)
assert_equal(res.status_code, 200)
assert_is_none(res.json['data']['attributes']['content'])
def test_public_node_view_only_link_user_cannot_see_deleted_comment(self):
self._set_up_public_project_with_comment()
self.public_comment.is_deleted = True
self.public_comment.save()
private_link = PrivateLinkFactory(anonymous=False)
private_link.nodes.append(self.public_project)
private_link.save()
res = self.app.get('/{}comments/{}/'.format(API_BASE, self.public_comment._id), {'view_only': private_link.key}, expect_errors=True)
assert_equal(res.status_code, 200)
assert_is_none(res.json['data']['attributes']['content'])
class TestPrivateLinkView(OsfTestCase):
def setUp(self):
super(TestPrivateLinkView, self).setUp()
self.user = AuthUserFactory() # Is NOT a contributor
self.project = ProjectFactory(is_public=False)
self.link = PrivateLinkFactory(anonymous=True)
self.link.nodes.append(self.project)
self.link.save()
self.project_url = self.project.web_url_for('view_project')
def test_anonymous_link_hide_contributor(self):
res = self.app.get(self.project_url, {'view_only': self.link.key})
assert_in("Anonymous Contributors", res.body)
assert_not_in(self.user.fullname, res)
def test_anonymous_link_hides_citations(self):
res = self.app.get(self.project_url, {'view_only': self.link.key})
assert_not_in('Citation:', res)
def test_no_warning_for_read_only_user_with_valid_link(self):
link2 = PrivateLinkFactory(anonymous=False)
link2.nodes.append(self.project)
link2.save()
self.project.add_contributor(
self.user,
permissions=['read'],
save=True,
)
res = self.app.get(self.project_url, {'view_only': link2.key},
auth=self.user.auth)
assert_not_in(
"is being viewed through a private, view-only link. "
"Anyone with the link can view this project. Keep "
"the link safe.",
res.body
)
def test_no_warning_for_read_only_user_with_invalid_link(self):
self.project.add_contributor(
self.user,
permissions=['read'],
save=True,
)
res = self.app.get(self.project_url, {'view_only': "not_valid"},
auth=self.user.auth)
assert_not_in(
"is being viewed through a private, view-only link. "
"Anyone with the link can view this project. Keep "
"the link safe.",
res.body
)
class TestPrivateLinkView(OsfTestCase):
def setUp(self):
super(TestPrivateLinkView, self).setUp()
self.user = AuthUserFactory() # Is NOT a contributor
self.project = ProjectFactory(is_public=False)
self.link = PrivateLinkFactory(anonymous=True)
self.link.nodes.append(self.project)
self.link.save()
self.project_url = self.project.web_url_for('view_project')
def test_anonymous_link_hide_contributor(self):
res = self.app.get(self.project_url, {'view_only': self.link.key})
assert_in("Anonymous Contributors", res.body)
assert_not_in(self.user.fullname, res)
def test_anonymous_link_hides_citations(self):
res = self.app.get(self.project_url, {'view_only': self.link.key})
assert_not_in('Citation:', res)
def test_no_warning_for_read_only_user_with_valid_link(self):
link2 = PrivateLinkFactory(anonymous=False)
link2.nodes.append(self.project)
link2.save()
self.project.add_contributor(
self.user,
permissions=['read'],
save=True,
)
res = self.app.get(self.project_url, {'view_only': link2.key},
auth=self.user.auth)
assert_not_in(
"is being viewed through a private, view-only link. "
"Anyone with the link can view this project. Keep "
"the link safe.",
res.body
)
def test_no_warning_for_read_only_user_with_invalid_link(self):
self.project.add_contributor(
self.user,
permissions=['read'],
save=True,
)
res = self.app.get(self.project_url, {'view_only': "not_valid"},
auth=self.user.auth)
assert_not_in(
"is being viewed through a private, view-only link. "
"Anyone with the link can view this project. Keep "
"the link safe.",
res.body
)
def test_view_file_with_anonymous_link(self, mock_fig):
link = PrivateLinkFactory(anonymous=True)
link.nodes.append(self.project)
link.save()
mock_fig.return_value = self.figshare
url = self.project.web_url_for(
'figshare_view_file', aid='564',fid='1348803'
)
self.app.auth = self.user.auth
resp = self.app.get(url, {'view_only': link.key}).maybe_follow()
assert_equal(resp.status_int, http.OK)
assert_true('file is unpublished we cannot render it.' in resp.body)
assert_not_in('View on Figshare', resp.body)
def test_build_addon_root_for_anonymous_vols_shows_path(self):
private_link = PrivateLinkFactory()
private_link.nodes.append(self.project)
private_link.save()
project_viewer = UserFactory()
result = rubeus.build_addon_root(self.node_settings,
self.node_settings.bucket,
user=project_viewer,
private_key=private_link.key)
assert result['name'] == 'Amazon S3: {0}'.format(
self.node_settings.bucket)
def test_view_file_with_anonymous_link(self, mock_fig):
link = PrivateLinkFactory(anonymous=True)
link.nodes.append(self.project)
link.save()
mock_fig.return_value = self.figshare
url = self.project.web_url_for(
'figshare_view_file', aid='564',fid='1348803'
)
self.app.auth = self.user.auth
resp = self.app.get(url, {'view_only': link.key}).maybe_follow()
assert_equal(resp.status_int, http.OK)
assert_true('file is unpublished we cannot render it.' in resp.body)
assert_not_in('View on Figshare', resp.body)
def test_dataverse_view_file_with_anonymous_link(self, mock_fail_if_private, mock_get_files, mock_connection, mock_scrape):
link = PrivateLinkFactory(anonymous=True)
link.nodes.append(self.project)
link.save()
mock_connection.return_value = create_mock_connection()
mock_get_files.return_value = [create_mock_draft_file('foo')]
mock_scrape.return_value = ('filename', 'content')
url = self.project.api_url_for('dataverse_get_file_info', path='foo')
res = self.app.get(url, {'view_only': link.key}).maybe_follow()
assert_equal(res.status_code, 200)
assert_not_in(self.node_settings.dataverse_alias, res.body)
assert_not_in(self.node_settings.dataverse, res.body)
assert_not_in(self.node_settings.study, res.body)
def test_private_node_user_with_anonymous_link_cannot_see_commenter_info(
self):
self._set_up_private_project_with_comment()
private_link = PrivateLinkFactory(anonymous=True)
private_link.nodes.append(self.private_project)
private_link.save()
res = self.app.get(
'/{}comments/{}/'.format(API_BASE, self.comment._id),
{'view_only': private_link.key})
assert_equal(res.status_code, 200)
assert_equal(self.comment._id, res.json['data']['id'])
assert_equal(self.comment.content,
res.json['data']['attributes']['content'])
assert_not_in('user', res.json['data']['relationships'])
def test_build_addon_root_for_anonymous_vols_hides_path(self):
private_anonymous_link = PrivateLinkFactory(anonymous=True)
private_anonymous_link.nodes.append(self.project)
private_anonymous_link.save()
project_viewer = UserFactory()
result = rubeus.build_addon_root(
self.node_settings,
self.node_settings.bucket,
user=project_viewer,
private_key=private_anonymous_link.key
)
assert result['name'] == 'Amazon S3'
def test_dataverse_view_file_with_anonymous_link(self, mock_fail_if_private, mock_get_files, mock_connection, mock_scrape):
link = PrivateLinkFactory(anonymous=True)
link.nodes.append(self.project)
link.save()
mock_connection.return_value = create_mock_connection()
mock_get_files.return_value = [create_mock_draft_file('foo')]
mock_scrape.return_value = ('filename', 'content')
url = self.project.api_url_for('dataverse_get_file_info', path='foo')
res = self.app.get(url, {'view_only': link.key}).maybe_follow()
assert_equal(res.status_code, 200)
assert_not_in(self.node_settings.dataverse_alias, res.body)
assert_not_in(self.node_settings.dataverse, res.body)
assert_not_in(self.node_settings.study, res.body)
def setUp(self):
super(ViewOnlyLinkTestCase, self).setUp()
self.user = AuthUserFactory()
self.read_only_user = AuthUserFactory()
self.read_write_user = AuthUserFactory()
self.non_contributor = AuthUserFactory()
self.public_project = ProjectFactory(is_public=True, creator=self.user)
self.public_project.add_contributor(self.read_only_user, permissions=[permissions.READ])
self.public_project.add_contributor(self.read_write_user, permissions=[permissions.WRITE])
self.public_project.save()
self.view_only_link = PrivateLinkFactory(name='testlink')
self.view_only_link.nodes.append(self.public_project)
self.view_only_link.save()
def test_params_do_not_appear_on_private_project_with_anonymous_view_only_link(self):
private_link = PrivateLinkFactory(anonymous=True)
private_link.nodes.append(self.node)
private_link.save()
url = self.url + '{}/'.format(self.log_add_contributor._id)
res = self.app.get(url, {'view_only': private_link.key}, expect_errors=True)
assert_equal(res.status_code, 200)
data = res.json['data']
assert_in('attributes', data)
assert_not_in('params', data['attributes'])
body = res.body
assert_not_in(self.user._id, body)
def test_no_warning_for_read_only_user_with_valid_link(self):
link2 = PrivateLinkFactory(anonymous=False)
link2.nodes.append(self.project)
link2.save()
self.project.add_contributor(
self.user,
permissions=['read'],
save=True,
)
res = self.app.get(self.project_url, {'view_only': link2.key},
auth=self.user.auth)
assert_not_in(
"is being viewed through a private, view-only link. "
"Anyone with the link can view this project. Keep "
"the link safe.", res.body)
def setUp(self):
super(TestPrivateLink, self).setUp()
self.flaskapp = Flask('testing_private_links')
@self.flaskapp.route('/project/<pid>/')
@must_be_contributor
def project_get(**kwargs):
return 'success', 200
self.app = TestApp(self.flaskapp)
self.user = AuthUserFactory()
self.project = ProjectFactory(is_public=False)
self.link = PrivateLinkFactory()
self.link.nodes.append(self.project)
self.link.save()
def test_file_view_with_anonymous_link(self, mock_contents, mock_repo, mock_file, mock_commits):
mock_contents.return_value = None
mock_commits.return_value = [Commit.from_json({
"url": "https://api.github.com/repos/octocat/Hello-World/commits/6dcb09b5b57875f334f61aebed695e2e4193db5e",
"sha": "6dcb09b5b57875f334f61aebed695e2e4193db5e",
"commit": {
"url": "https://api.github.com/repos/octocat/Hello-World/git/commits/6dcb09b5b57875f334f61aebed695e2e4193db5e",
"author": {
"name": "Monalisa Octocat",
"email": "*****@*****.**",
"date": "2011-04-14T16:00:49Z"
}
}
})]
mock_repo.return_value = Repository.from_json({
"default_branch": "dev",
'url': u'https://api.github.com/repos/{user}/mock-repo/git/trees/dev'.format(user=self.user),
'sha': 'dev',
'private': False,
'tree': [
{u'mode': u'100644',
u'path': u'coveragerc',
u'sha': u'92029ff5ce192425d346b598d7e7dd25f5f05185',
u'size': 245,
u'type': u'file',
u'url': u'https://api.github.com/repos/{user}/mock-repo/git/blobs/92029ff5ce192425d346b598d7e7dd25f5f05185'.format(user=self.user)}]
})
mock_file.return_value = {
u'name': u'coveragerc',
u'content': u'ClRleHRCbG9iOiBTaW1wbGlmaWVkIFRleHQgUHJvY2Vzc2luZwo9PT09PT09',
u'size': 245
}
link = PrivateLinkFactory(anonymous=True)
link.nodes.append(self.project)
link.save()
url = self.project.web_url_for('github_view_file', path="coveragerc")
res = self.app.get(url, {'view_only': link.key}).maybe_follow()
assert_in("6dcb09b5b57875f334f61aebed695e2e4193db5e", res)
assert_in("Thu Apr 14 16:00:49 2011", res)
assert_in("file-version-history", res)
assert_in("icon-download-alt", res)
assert_not_in("Monalisa Octocat", res)
assert_not_in("*****@*****.**", res)
class ViewOnlyLinkTestCase(ApiTestCase):
def setUp(self):
super(ViewOnlyLinkTestCase, self).setUp()
self.user = AuthUserFactory()
self.read_only_user = AuthUserFactory()
self.read_write_user = AuthUserFactory()
self.non_contributor = AuthUserFactory()
self.public_project = ProjectFactory(is_public=True, creator=self.user)
self.public_project.add_contributor(self.read_only_user, permissions=[permissions.READ])
self.public_project.add_contributor(self.read_write_user, permissions=[permissions.WRITE])
self.public_project.save()
self.view_only_link = PrivateLinkFactory(name='testlink')
self.view_only_link.nodes.append(self.public_project)
self.view_only_link.save()
def setUp(self):
super(TestPrivateLinkView, self).setUp()
self.user = AuthUserFactory() # Is NOT a contributor
self.project = ProjectFactory(is_public=False)
self.link = PrivateLinkFactory(anonymous=True)
self.link.nodes.append(self.project)
self.link.save()
self.project_url = self.project.web_url_for('view_project')
def test_params_do_not_appear_on_private_project_with_anonymous_view_only_link(
self):
private_link = PrivateLinkFactory(anonymous=True)
private_link.nodes.append(self.node)
private_link.save()
url = self.url + '{}/'.format(self.log_add_contributor._id)
res = self.app.get(url, {'view_only': private_link.key},
expect_errors=True)
assert_equal(res.status_code, 200)
data = res.json['data']
assert_in('attributes', data)
assert_not_in('params', data['attributes'])
body = res.body
assert_not_in(self.user._id, body)
def test_file_view_with_anonymous_link(self, mock_repo, mock_file, mock_commits):
mock_commits.return_value = [Commit.from_json({
"url": "https://api.github.com/repos/octocat/Hello-World/commits/6dcb09b5b57875f334f61aebed695e2e4193db5e",
"sha": "6dcb09b5b57875f334f61aebed695e2e4193db5e",
"commit": {
"url": "https://api.github.com/repos/octocat/Hello-World/git/commits/6dcb09b5b57875f334f61aebed695e2e4193db5e",
"author": {
"name": "Monalisa Octocat",
"email": "*****@*****.**",
"date": "2011-04-14T16:00:49Z"
}
}
})]
mock_repo.return_value = Repository.from_json({
"default_branch": "dev",
'url': u'https://api.github.com/repos/{user}/mock-repo/git/trees/dev'.format(user=self.user),
'sha': 'dev',
'private': False,
'tree': [
{u'mode': u'100644',
u'path': u'coveragerc',
u'sha': u'92029ff5ce192425d346b598d7e7dd25f5f05185',
u'size': 245,
u'type': u'file',
u'url': u'https://api.github.com/repos/{user}/mock-repo/git/blobs/92029ff5ce192425d346b598d7e7dd25f5f05185'.format(user=self.user)}]
})
mock_file.return_value = {
u'name': u'coveragerc',
u'content': u'ClRleHRCbG9iOiBTaW1wbGlmaWVkIFRleHQgUHJvY2Vzc2luZwo9PT09PT09',
u'size': 245
}
link = PrivateLinkFactory(anonymous=True)
link.nodes.append(self.project)
link.save()
url = self.project.web_url_for('github_view_file', path="coveragerc")
res = self.app.get(url, {'view_only': link.key}).maybe_follow()
assert_in("6dcb09b5b57875f334f61aebed695e2e4193db5e", res)
assert_in("Thu Apr 14 16:00:49 2011", res)
assert_in("file-version-history", res)
assert_in("icon-download-alt", res)
assert_not_in("Monalisa Octocat", res)
assert_not_in("*****@*****.**", res)
class TestPrivateLinkView(OsfTestCase):
def setUp(self):
super(TestPrivateLinkView, self).setUp()
self.user = AuthUserFactory() # Is NOT a contributor
self.project = ProjectFactory(is_public=False)
self.link = PrivateLinkFactory(anonymous=True)
self.link.nodes.append(self.project)
self.link.save()
self.project_url = self.project.web_url_for('view_project')
def test_anonymous_link_hide_contributor(self):
res = self.app.get(self.project_url, {'view_only': self.link.key})
assert_in("Anonymous Contributors", res.body)
assert_not_in(self.user.fullname, res)
def test_anonymous_link_hides_citations(self):
res = self.app.get(self.project_url, {'view_only': self.link.key})
assert_not_in('Citation:', res)
def setUp(self):
super(ViewOnlyTestCase, self).setUp()
self.creation_user = AuthUserFactory()
self.viewing_user = AuthUserFactory()
self.contributing_read_user = AuthUserFactory()
self.contributing_write_user = AuthUserFactory()
self.valid_contributors = [
self.creation_user._id,
self.contributing_read_user._id,
self.contributing_write_user._id,
]
self.private_node_one = ProjectFactory(is_public=False, creator=self.creation_user, title="Private One")
self.private_node_one.add_contributor(self.contributing_read_user, permissions=[permissions.READ], save=True)
self.private_node_one.add_contributor(self.contributing_write_user, permissions=[permissions.WRITE], save=True)
self.private_node_one_anonymous_link = PrivateLinkFactory(anonymous=True)
self.private_node_one_anonymous_link.nodes.append(self.private_node_one)
self.private_node_one_anonymous_link.save()
self.private_node_one_private_link = PrivateLinkFactory(anonymous=False)
self.private_node_one_private_link.nodes.append(self.private_node_one)
self.private_node_one_private_link.save()
self.private_node_one_url = '/{}nodes/{}/'.format(API_BASE, self.private_node_one._id)
self.private_node_two = ProjectFactory(is_public=False, creator=self.creation_user, title="Private Two")
self.private_node_two.add_contributor(self.contributing_read_user, permissions=[permissions.READ], save=True)
self.private_node_two.add_contributor(self.contributing_write_user, permissions=[permissions.WRITE], save=True)
self.private_node_two_url = '/{}nodes/{}/'.format(API_BASE, self.private_node_two._id)
self.public_node_one = ProjectFactory(is_public=True, creator=self.creation_user, title="Public One")
self.public_node_one.add_contributor(self.contributing_read_user, permissions=[permissions.READ], save=True)
self.public_node_one.add_contributor(self.contributing_write_user, permissions=[permissions.WRITE], save=True)
self.public_node_one_anonymous_link = PrivateLinkFactory(anonymous=True)
self.public_node_one_anonymous_link.nodes.append(self.public_node_one)
self.public_node_one_anonymous_link.save()
self.public_node_one_private_link = PrivateLinkFactory(anonymous=False)
self.public_node_one_private_link.nodes.append(self.public_node_one)
self.public_node_one_private_link.save()
self.public_node_one_url = '/{}nodes/{}/'.format(API_BASE, self.public_node_one._id)
self.public_node_two = ProjectFactory(is_public=True, creator=self.creation_user, title="Public Two")
self.public_node_two.add_contributor(self.contributing_read_user, permissions=[permissions.READ], save=True)
self.public_node_two.add_contributor(self.contributing_write_user, permissions=[permissions.WRITE], save=True)
self.public_node_two_url = '/{}nodes/{}/'.format(API_BASE, self.public_node_two._id)
def setUp(self):
super(TestMustBeContributorOrPublicButNotAnonymizedDecorator,
self).setUp()
self.contrib = AuthUserFactory()
self.non_contrib = AuthUserFactory()
admin = UserFactory()
self.public_project = ProjectFactory(is_public=True)
self.public_project.add_contributor(
admin,
auth=Auth(self.public_project.creator),
permissions=['read', 'write', 'admin'])
self.private_project = ProjectFactory(is_public=False)
self.private_project.add_contributor(
admin,
auth=Auth(self.private_project.creator),
permissions=['read', 'write', 'admin'])
self.public_project.add_contributor(self.contrib,
auth=Auth(
self.public_project.creator))
self.private_project.add_contributor(self.contrib,
auth=Auth(
self.private_project.creator))
self.public_project.save()
self.private_project.save()
self.anonymized_link_to_public_project = PrivateLinkFactory(
anonymous=True)
self.anonymized_link_to_private_project = PrivateLinkFactory(
anonymous=True)
self.anonymized_link_to_public_project.nodes.append(
self.public_project)
self.anonymized_link_to_public_project.save()
self.anonymized_link_to_private_project.nodes.append(
self.private_project)
self.anonymized_link_to_private_project.save()
self.flaskapp = Flask('Testing decorator')
@self.flaskapp.route('/project/<pid>/')
@must_be_contributor_or_public_but_not_anonymized
def project_get(**kwargs):
return 'success', 200
self.app = TestApp(self.flaskapp)
def setUp(self):
super(TestPrivateLink, self).setUp()
self.flaskapp = Flask('testing_private_links')
@self.flaskapp.route('/project/<pid>/')
@must_be_contributor
def project_get(**kwargs):
return 'success', 200
self.app = TestApp(self.flaskapp)
self.user = AuthUserFactory()
self.project = ProjectFactory(is_public=False)
self.link = PrivateLinkFactory()
self.link.nodes.append(self.project)
self.link.save()
def test_deleted_vols_not_returned(self):
view_only_link = PrivateLinkFactory(name='testlink2')
view_only_link.nodes.append(self.public_project)
view_only_link.save()
res = self.app.get(self.url, auth=self.user.auth)
data = res.json['data']
assert_equal(res.status_code, 200)
assert_equal(len(data), 2)
view_only_link.nodes.remove(self.public_project)
view_only_link.save()
res = self.app.get(self.url, auth=self.user.auth)
data = res.json['data']
assert_equal(res.status_code, 200)
assert_equal(len(data), 1)
def _add_private_link(self, project, anonymous=False):
view_only_link = PrivateLinkFactory(anonymous=anonymous)
view_only_link.nodes.append(project)
view_only_link.save()
return view_only_link
class TestMustBeContributorOrPublicButNotAnonymizedDecorator(AuthAppTestCase):
def setUp(self):
super(TestMustBeContributorOrPublicButNotAnonymizedDecorator, self).setUp()
self.contrib = AuthUserFactory()
self.non_contrib = AuthUserFactory()
admin = UserFactory()
self.public_project = ProjectFactory(is_public=True)
self.public_project.add_contributor(admin, auth=Auth(self.public_project.creator), permissions=['read', 'write', 'admin'])
self.private_project = ProjectFactory(is_public=False)
self.private_project.add_contributor(admin, auth=Auth(self.private_project.creator), permissions=['read', 'write', 'admin'])
self.public_project.add_contributor(self.contrib, auth=Auth(self.public_project.creator))
self.private_project.add_contributor(self.contrib, auth=Auth(self.private_project.creator))
self.public_project.save()
self.private_project.save()
self.anonymized_link_to_public_project = PrivateLinkFactory(anonymous=True)
self.anonymized_link_to_private_project = PrivateLinkFactory(anonymous=True)
self.anonymized_link_to_public_project.nodes.append(self.public_project)
self.anonymized_link_to_public_project.save()
self.anonymized_link_to_private_project.nodes.append(self.private_project)
self.anonymized_link_to_private_project.save()
self.flaskapp = Flask('Testing decorator')
@self.flaskapp.route('/project/<pid>/')
@must_be_contributor_or_public_but_not_anonymized
def project_get(**kwargs):
return 'success', 200
self.app = TestApp(self.flaskapp)
def test_must_be_contributor_when_user_is_contributor_and_public_project(self):
result = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.public_project._primary_key,
user=self.contrib)
assert_equal(result, self.public_project)
def test_must_be_contributor_when_user_is_not_contributor_and_public_project(self):
result = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.public_project._primary_key,
user=self.non_contrib)
assert_equal(result, self.public_project)
def test_must_be_contributor_when_user_is_contributor_and_private_project(self):
result = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.private_project._primary_key,
user=self.contrib)
assert_equal(result, self.private_project)
def test_must_be_contributor_when_user_is_not_contributor_and_private_project_raise_error(self):
with assert_raises(HTTPError):
view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.private_project._primary_key,
user=self.non_contrib
)
def test_must_be_contributor_no_user_and_public_project(self):
res = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.public_project._primary_key,
user=None,
)
assert_equal(res, self.public_project)
def test_must_be_contributor_no_user_and_private_project(self):
res = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.private_project._primary_key,
user=None,
)
assert_is_redirect(res)
# redirects to login url
redirect_url = res.headers['Location']
login_url = cas.get_login_url(service_url='http://localhost/')
assert_equal(redirect_url, login_url)
def test_must_be_contributor_parent_admin_and_public_project(self):
user = UserFactory()
node = NodeFactory(parent=self.public_project, creator=user)
res = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.public_project._id,
nid=node._id,
user=self.public_project.creator,
)
assert_equal(res, node)
def test_must_be_contributor_parent_admin_and_private_project(self):
user = UserFactory()
node = NodeFactory(parent=self.private_project, creator=user)
res = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.private_project._id,
nid=node._id,
user=self.private_project.creator,
)
assert_equal(res, node)
def test_must_be_contributor_parent_write_public_project(self):
user = UserFactory()
node = NodeFactory(parent=self.public_project, creator=user)
self.public_project.set_permissions(self.public_project.creator, ['read', 'write'])
self.public_project.save()
with assert_raises(HTTPError) as exc_info:
view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.public_project._id,
nid=node._id,
user=self.public_project.creator,
)
assert_equal(exc_info.exception.code, 403)
def test_must_be_contributor_parent_write_private_project(self):
user = UserFactory()
node = NodeFactory(parent=self.private_project, creator=user)
self.private_project.set_permissions(self.private_project.creator, ['read', 'write'])
self.private_project.save()
with assert_raises(HTTPError) as exc_info:
view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.private_project._id,
nid=node._id,
user=self.private_project.creator,
)
assert_equal(exc_info.exception.code, 403)
@mock.patch('website.project.decorators.Auth.from_kwargs')
def test_decorator_does_allow_anonymous_link_public_project(self, mock_from_kwargs):
mock_from_kwargs.return_value = Auth(user=None)
res = self.app.get('/project/{0}'.format(self.public_project._primary_key),
{'view_only': self.anonymized_link_to_public_project.key})
res = res.follow()
assert_equal(res.status_code, 200)
@mock.patch('website.project.decorators.Auth.from_kwargs')
def test_decorator_does_not_allow_anonymous_link_private_project(self, mock_from_kwargs):
mock_from_kwargs.return_value = Auth(user=None)
res = self.app.get('/project/{0}'.format(self.private_project._primary_key),
{'view_only': self.anonymized_link_to_private_project.key})
res = res.follow(expect_errors=True)
assert_equal(res.status_code, 500)
class TestMustBeContributorOrPublicButNotAnonymizedDecorator(AuthAppTestCase):
def setUp(self):
super(TestMustBeContributorOrPublicButNotAnonymizedDecorator,
self).setUp()
self.contrib = AuthUserFactory()
self.non_contrib = AuthUserFactory()
admin = UserFactory()
self.public_project = ProjectFactory(is_public=True)
self.public_project.add_contributor(
admin,
auth=Auth(self.public_project.creator),
permissions=['read', 'write', 'admin'])
self.private_project = ProjectFactory(is_public=False)
self.private_project.add_contributor(
admin,
auth=Auth(self.private_project.creator),
permissions=['read', 'write', 'admin'])
self.public_project.add_contributor(self.contrib,
auth=Auth(
self.public_project.creator))
self.private_project.add_contributor(self.contrib,
auth=Auth(
self.private_project.creator))
self.public_project.save()
self.private_project.save()
self.anonymized_link_to_public_project = PrivateLinkFactory(
anonymous=True)
self.anonymized_link_to_private_project = PrivateLinkFactory(
anonymous=True)
self.anonymized_link_to_public_project.nodes.append(
self.public_project)
self.anonymized_link_to_public_project.save()
self.anonymized_link_to_private_project.nodes.append(
self.private_project)
self.anonymized_link_to_private_project.save()
self.flaskapp = Flask('Testing decorator')
@self.flaskapp.route('/project/<pid>/')
@must_be_contributor_or_public_but_not_anonymized
def project_get(**kwargs):
return 'success', 200
self.app = TestApp(self.flaskapp)
def test_must_be_contributor_when_user_is_contributor_and_public_project(
self):
result = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.public_project._primary_key, user=self.contrib)
assert_equal(result, self.public_project)
def test_must_be_contributor_when_user_is_not_contributor_and_public_project(
self):
result = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.public_project._primary_key, user=self.non_contrib)
assert_equal(result, self.public_project)
def test_must_be_contributor_when_user_is_contributor_and_private_project(
self):
result = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.private_project._primary_key, user=self.contrib)
assert_equal(result, self.private_project)
def test_must_be_contributor_when_user_is_not_contributor_and_private_project_raise_error(
self):
with assert_raises(HTTPError):
view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.private_project._primary_key, user=self.non_contrib)
def test_must_be_contributor_no_user_and_public_project(self):
res = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.public_project._primary_key,
user=None,
)
assert_equal(res, self.public_project)
def test_must_be_contributor_no_user_and_private_project(self):
res = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.private_project._primary_key,
user=None,
)
assert_is_redirect(res)
# redirects to login url
redirect_url = res.headers['Location']
login_url = cas.get_login_url(service_url='http://localhost/')
assert_equal(redirect_url, login_url)
def test_must_be_contributor_parent_admin_and_public_project(self):
user = UserFactory()
node = NodeFactory(parent=self.public_project, creator=user)
res = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.public_project._id,
nid=node._id,
user=self.public_project.creator,
)
assert_equal(res, node)
def test_must_be_contributor_parent_admin_and_private_project(self):
user = UserFactory()
node = NodeFactory(parent=self.private_project, creator=user)
res = view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.private_project._id,
nid=node._id,
user=self.private_project.creator,
)
assert_equal(res, node)
def test_must_be_contributor_parent_write_public_project(self):
user = UserFactory()
node = NodeFactory(parent=self.public_project, creator=user)
self.public_project.set_permissions(self.public_project.creator,
['read', 'write'])
self.public_project.save()
with assert_raises(HTTPError) as exc_info:
view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.public_project._id,
nid=node._id,
user=self.public_project.creator,
)
assert_equal(exc_info.exception.code, 403)
def test_must_be_contributor_parent_write_private_project(self):
user = UserFactory()
node = NodeFactory(parent=self.private_project, creator=user)
self.private_project.set_permissions(self.private_project.creator,
['read', 'write'])
self.private_project.save()
with assert_raises(HTTPError) as exc_info:
view_that_needs_contributor_or_public_but_not_anonymized(
pid=self.private_project._id,
nid=node._id,
user=self.private_project.creator,
)
assert_equal(exc_info.exception.code, 403)
@mock.patch('website.project.decorators.Auth.from_kwargs')
def test_decorator_does_allow_anonymous_link_public_project(
self, mock_from_kwargs):
mock_from_kwargs.return_value = Auth(user=None)
res = self.app.get(
'/project/{0}'.format(self.public_project._primary_key),
{'view_only': self.anonymized_link_to_public_project.key})
res = res.follow()
assert_equal(res.status_code, 200)
@mock.patch('website.project.decorators.Auth.from_kwargs')
def test_decorator_does_not_allow_anonymous_link_private_project(
self, mock_from_kwargs):
mock_from_kwargs.return_value = Auth(user=None)
res = self.app.get(
'/project/{0}'.format(self.private_project._primary_key),
{'view_only': self.anonymized_link_to_private_project.key})
res = res.follow(expect_errors=True)
assert_equal(res.status_code, 500)
def setUp(self):
super(ViewOnlyTestCase, self).setUp()
self.creation_user = AuthUserFactory()
self.viewing_user = AuthUserFactory()
self.contributing_read_user = AuthUserFactory()
self.contributing_write_user = AuthUserFactory()
self.valid_contributors = [
self.creation_user._id,
self.contributing_read_user._id,
self.contributing_write_user._id,
]
self.private_node_one = ProjectFactory(is_public=False,
creator=self.creation_user,
title="Private One")
self.private_node_one.add_contributor(self.contributing_read_user,
permissions=[permissions.READ],
save=True)
self.private_node_one.add_contributor(self.contributing_write_user,
permissions=[permissions.WRITE],
save=True)
self.private_node_one_anonymous_link = PrivateLinkFactory(
anonymous=True)
self.private_node_one_anonymous_link.nodes.append(
self.private_node_one)
self.private_node_one_anonymous_link.save()
self.private_node_one_private_link = PrivateLinkFactory(
anonymous=False)
self.private_node_one_private_link.nodes.append(self.private_node_one)
self.private_node_one_private_link.save()
self.private_node_one_url = '/{}nodes/{}/'.format(
API_BASE, self.private_node_one._id)
self.private_node_two = ProjectFactory(is_public=False,
creator=self.creation_user,
title="Private Two")
self.private_node_two.add_contributor(self.contributing_read_user,
permissions=[permissions.READ],
save=True)
self.private_node_two.add_contributor(self.contributing_write_user,
permissions=[permissions.WRITE],
save=True)
self.private_node_two_url = '/{}nodes/{}/'.format(
API_BASE, self.private_node_two._id)
self.public_node_one = ProjectFactory(is_public=True,
creator=self.creation_user,
title="Public One")
self.public_node_one.add_contributor(self.contributing_read_user,
permissions=[permissions.READ],
save=True)
self.public_node_one.add_contributor(self.contributing_write_user,
permissions=[permissions.WRITE],
save=True)
self.public_node_one_anonymous_link = PrivateLinkFactory(
anonymous=True)
self.public_node_one_anonymous_link.nodes.append(self.public_node_one)
self.public_node_one_anonymous_link.save()
self.public_node_one_private_link = PrivateLinkFactory(anonymous=False)
self.public_node_one_private_link.nodes.append(self.public_node_one)
self.public_node_one_private_link.save()
self.public_node_one_url = '/{}nodes/{}/'.format(
API_BASE, self.public_node_one._id)
self.public_node_two = ProjectFactory(is_public=True,
creator=self.creation_user,
title="Public Two")
self.public_node_two.add_contributor(self.contributing_read_user,
permissions=[permissions.READ],
save=True)
self.public_node_two.add_contributor(self.contributing_write_user,
permissions=[permissions.WRITE],
save=True)
self.public_node_two_url = '/{}nodes/{}/'.format(
API_BASE, self.public_node_two._id)
def _add_private_link(self, project, anonymous=False):
view_only_link = PrivateLinkFactory(anonymous=anonymous)
view_only_link.nodes.append(project)
view_only_link.save()
return view_only_link