def test_invalid_permission_for_agreement_bases(read_only_client, mocker,
field):
# verify missing base:read permission
mocker.patch("jose.jwt.decode").return_value = create_jwt_payload(
permissions=["transfer_agreement:read"])
query = f"query {{ transferAgreement(id: 1) {{ {field} {{ id }} }} }}"
assert_forbidden_request(read_only_client, query, value={field: None})
def test_shipment_mutations_cancel_as_member_of_neither_org(
read_only_client, mocker, default_shipment):
# Test case 3.2.10
mocker.patch("jose.jwt.decode").return_value = create_jwt_payload(
organisation_id=3, user_id=2)
mutation = f"mutation {{ cancelShipment(id: {default_shipment['id']}) {{ id }} }}"
assert_forbidden_request(read_only_client, mutation)
def test_invalid_permission_for_organisation_bases(unauthorized,
read_only_client,
default_organisation):
# verify missing base:read permission
org_id = default_organisation["id"]
query = f"""query {{ organisation(id: "{org_id}") {{ bases {{ id }} }} }}"""
assert_forbidden_request(read_only_client, query, value={"bases": None})
def test_invalid_permission_for_base_locations(read_only_client, mocker):
# verify missing location:read permission
mocker.patch("jose.jwt.decode").return_value = create_jwt_payload(
permissions=["base:read"])
query = "query { base(id: 1) { locations { id } } }"
assert_forbidden_request(read_only_client,
query,
value={"locations": None})
def test_invalid_permission_for_beneficiary_tokens(read_only_client, mocker,
default_beneficiary):
# verify missing transaction:read permission
mocker.patch("jose.jwt.decode").return_value = create_jwt_payload(
permissions=["beneficiary:read"])
id = default_beneficiary["id"]
query = f"query {{ beneficiary(id: {id}) {{ tokens }} }}"
assert_forbidden_request(read_only_client, query, value={"tokens": None})
def test_invalid_permission_for_qr_code_box(read_only_client, mocker,
default_qr_code):
# verify missing stock:read permission
mocker.patch("jose.jwt.decode").return_value = create_jwt_payload(
permissions=["qr:read"])
code = default_qr_code["code"]
query = f"""query {{ qrCode(qrCode: "{code}") {{ box {{ id }} }} }}"""
assert_forbidden_request(read_only_client, query, value={"box": None})
def test_invalid_permission_for_box_field(read_only_client, mocker,
default_box, field):
# verify missing field:read permission
mocker.patch("jose.jwt.decode").return_value = create_jwt_payload(
permissions=["stock:read"])
query = f"""query {{ box(labelIdentifier: "{default_box["label_identifier"]}")
{{ {field} {{ id }} }} }}"""
assert_forbidden_request(read_only_client, query, value={field: None})
def test_invalid_permission_for_resource_base(read_only_client, mocker,
default_product, resource):
# verify missing base:read permission
mocker.patch("jose.jwt.decode").return_value = create_jwt_payload(
permissions=[f"{resource}:read"])
query = f"""query {{ {resource}(id: 1)
{{ base {{ id }} }} }}"""
assert_forbidden_request(read_only_client, query, value={"base": None})
def test_transfer_agreement_mutations_cancel_as_member_of_neither_org(
read_only_client, mocker, default_transfer_agreement):
mocker.patch("jose.jwt.decode").return_value = create_jwt_payload(
organisation_id=3, user_id=2)
# Test case 2.2.20
agreement_id = default_transfer_agreement["id"]
mutation = f"mutation {{ cancelTransferAgreement(id: {agreement_id}) {{ id }} }}"
assert_forbidden_request(read_only_client, mutation)
def test_invalid_permission_for_given_resource_id(read_only_client, mocker,
query):
"""Verify missing resource:read permission, or missing permission to access
specified resource (base or organisation).
"""
mocker.patch("jose.jwt.decode").return_value = create_jwt_payload(
permissions=["base_1/base:read"], organisation_id=1)
assert_forbidden_request(read_only_client, f"query {{ {query} }}")
def test_shipment_mutations_update_as_member_of_non_creating_org(
read_only_client, another_shipment, default_bases):
# Test case 3.2.25
# The default user (see auth_service fixture) is member of organisation 1 but
# organisation 2 is the one that created another_shipment
mutation = _generate_update_shipment_mutation(
shipment=another_shipment,
target_base=default_bases[2],
)
assert_forbidden_request(read_only_client, mutation)
def test_shipment_mutations_update_mark_lost_boxes_as_member_of_creating_org(
read_only_client,
sent_shipment,
marked_for_shipment_box,
):
# Test case 3.2.41
mutation = _generate_update_shipment_mutation(
shipment=sent_shipment,
lost_boxes=[marked_for_shipment_box],
)
assert_forbidden_request(read_only_client, mutation)
def test_shipment_mutations_create_as_member_of_neither_org(
read_only_client, mocker, default_transfer_agreement):
# Test case 3.2.4b
mocker.patch("jose.jwt.decode").return_value = create_jwt_payload(
organisation_id=3, user_id=2)
mutation = _generate_create_shipment_mutation(
source_base={"id": 0},
target_base={"id": 0},
agreement=default_transfer_agreement,
)
assert_forbidden_request(read_only_client, mutation)
def test_shipment_mutations_create_as_target_org_member_in_unidirectional_agreement(
read_only_client, default_bases, unidirectional_transfer_agreement):
# Test case 3.2.4a
# The default user (see auth_service fixture) is member of organisation 1 which is
# the target organisation in the unidirectional_transfer_agreement fixture
mutation = _generate_create_shipment_mutation(
source_base=default_bases[3],
target_base=default_bases[2],
agreement=unidirectional_transfer_agreement,
)
assert_forbidden_request(read_only_client, mutation)
def test_invalid_permission_for_shipment_details_field(read_only_client,
mocker, default_box,
field):
# verify missing field:read permission
mocker.patch("jose.jwt.decode").return_value = create_jwt_payload(
permissions=["shipment:read"])
query = f"""query {{ shipment(id: 1) {{ details
{{ {field} {{ id }} }} }} }}"""
assert_forbidden_request(read_only_client,
query,
value={"details": [{
field: None
}]})
def test_shipment_mutations_update_checked_in_boxes_as_member_of_creating_org(
read_only_client,
sent_shipment,
default_shipment_detail,
another_location,
another_product,
):
# Test case 3.2.35
mutation = _generate_update_shipment_mutation(
shipment=sent_shipment,
received_details=[default_shipment_detail],
target_location=another_location,
target_product=another_product,
)
assert_forbidden_request(read_only_client, mutation)
def test_invalid_read_permissions(unauthorized, read_only_client, resource):
"""Verify missing resource:read permission when executing query."""
# Build plural form
resources = f"{resource}s"
if resource.endswith("y"):
resources = f"{resource[:-1]}ies"
query = f"""query {{ {resources} {{ id }} }}"""
if resources == "beneficiaries":
query = "query { beneficiaries { elements { id } } }"
elif resources == "products":
query = "query { products { elements { id } } }"
assert_forbidden_request(read_only_client, query, none_data=True)
query = f"""query {{ {resource}(id: 2) {{ id }} }}"""
assert_forbidden_request(read_only_client, query)
def test_shipment_mutations_send_as_member_of_non_creating_org(
read_only_client, another_shipment):
# Test case 3.2.14
mutation = f"mutation {{ sendShipment(id: {another_shipment['id']}) {{ id }} }}"
assert_forbidden_request(read_only_client, mutation)
def test_invalid_permission(unauthorized, read_only_client, query):
"""Verify missing resource:read permission."""
assert_forbidden_request(read_only_client, f"query {{ {query} }}")
def test_invalid_permission_for_location_boxes(read_only_client, mocker):
# verify missing stock:read permission
mocker.patch("jose.jwt.decode").return_value = create_jwt_payload(
permissions=["location:read"])
query = "query { location(id: 1) { boxes { elements { id } } } }"
assert_forbidden_request(read_only_client, query, value={"boxes": None})
def test_transfer_agreement_mutations_as_member_of_source_org(
read_only_client, reviewed_transfer_agreement, action):
# Test cases 2.2.9, 2.2.10
agreement_id = reviewed_transfer_agreement["id"]
mutation = f"mutation {{ {action}TransferAgreement(id: {agreement_id}) {{ id }} }}"
assert_forbidden_request(read_only_client, mutation)
def test_invalid_permission_for_metrics(read_only_client, mocker):
query = "query { metrics(organisationId: 2) { numberOfSales } }"
assert_forbidden_request(read_only_client, query)
def test_invalid_write_permission(unauthorized, read_only_client, mutation):
"""Verify missing resource:write permission when executing mutation."""
assert_forbidden_request(read_only_client,
f"mutation {{ {mutation} }}",
field=operation_name(mutation))