def test_comparison_method(self, create_club, role_model_instances):
district1, school1, club1 = role_model_instances()
role1 = Role.create(district1)
role1.permissions.add('modify-district', 'create-school')
role2 = Role.create(district1, school1)
role2.permissions.add('modify-school', 'create-club')
role3 = Role.create(district1, school1, club1)
role3.permissions.add('modify-club')
# Test when exactly equal
assert role1._comparison(role1) == 0
# Test when role is higher level than other
assert role1._comparison(role2) == 1
assert role1._comparison(role3) == 1
assert role2._comparison(role3) == 1
# Test when role is less than other
assert role3._comparison(role2) == -1
assert role3._comparison(role1) == -1
assert role2._comparison(role1) == -1
temp_role = Role.create(district1)
temp_role.permissions.add('modify-district')
# Test when same level as other role but more perms
assert role1._comparison(temp_role) == 0
# Test when same level as other role but fewer perms
assert temp_role._comparison(role1) == 0
def test_comparison_operators(self, create_club, role_model_instances):
district1, school1, club1 = role_model_instances()
role1 = Role.create(district1)
role1.permissions.add('modify-district', 'create-school')
role2 = Role.create(district1, school1)
role2.permissions.add('modify-school', 'create-club')
role3 = Role.create(district1, school1, club1)
role3.permissions.add('modify-club')
# Test when exactly equal
assert role1 == role1
# Test when role is higher level than other
assert role1 > role2
assert role1 > role3
assert role2 > role3
# Test when role is less than other
assert role3 < role2
assert role3 < role1
assert role2 < role1
# Test <= and >=
assert role1 >= role2
assert role1 >= role1
assert role2 <= role1
assert role2 <= role2
def test_allowed_higher_level(self, role_model_instances):
d1, s1, c1 = role_model_instances()
role = Role.create(d1)
input_str = f'District-{d1.id}/School-{s1.id}/perms=[create-club, modify-school]'
assert Role.from_str(input_str).is_allowed(role=role) == True
def test_not_allowed(self, create_club, role_model_instances):
d1, s1, c1 = role_model_instances()
d2, s2, c2 = role_model_instances()
role = Role.create(d1, s1, c1)
role.permissions.add('modify-club')
input_str = f'District-{d2.id}/School-{s2.id}/Club-{c2.id}/perms=[add-admin]'
assert role.is_allowed(role=Role.from_str(input_str)) == False
def test_role_from_str_given_perms(self, role_model_instances):
d1, s1, c1 = role_model_instances()
# The possible perms for School Admins are 'create-club', 'modify-school', 'hide-school'
role_expected = Role.create(d1, s1)
role_expected.permissions.add('modify-school', 'hide-school')
given_str = f'District-{d1.id}/School-{s1.id}'
role_test = Role.from_str(
given_str, perms=['modify-school', 'hide-school'])
assert str(role_expected) == str(role_test)
def test_from_start_model(self, role_model_instances):
d1, s1, c1 = role_model_instances()
district_admin_role = Role.from_start_model(d1)
assert str(district_admin_role) == f'District-{d1.id}/perms=[]'
school_admin_role = Role.from_start_model(s1)
assert str(
school_admin_role) == f'District-{d1.id}/School-{s1.id}/perms=[]'
club_admin_role = Role.from_start_model(c1)
assert str(
club_admin_role) == f'District-{d1.id}/School-{s1.id}/Club-{c1.id}/perms=[]'
def test_higher_access_level(self, perm_const_override, create_test_prof, role_model_instances, role_test_data):
min_role, min_perms = role_test_data
district1, school1, club1 = role_model_instances()
start_model = school1
min_role = Role.from_start_model(start_model)
min_role.permissions.add(*min_perms)
# Case 5 -- Higher level access same school
district_admin = create_test_prof(num=1)
valid_role = Role.create(district1)
valid_role.give_role(district_admin)
assert min_role.is_allowed(user=district_admin) is True
def test_is_allowed_perms_1_layer_multi_param_str(self, role_model_instances):
d1, s1, c1 = role_model_instances()
role = Role.create(d1)
role.permissions.add('modify-district', 'create-school')
input_str = f'District-{d1.id}/perms=[modify-district]'
assert role.is_allowed(role=Role.from_str(input_str)) is False
input_str = f'District-{d1.id}/perms=[create-school, modify-district]'
assert role.is_allowed(role=Role.from_str(input_str)) is True
input_str = f'District-{d1.id}/perms=[]'
assert role.is_allowed(role=Role.from_str(input_str)) is False
def test_same_access_level_diff_perms(self, perm_const_override, create_test_prof, role_model_instances, role_test_data):
min_role, min_perms = role_test_data
district1, school1, club1 = role_model_instances()
start_model = school1
min_role = Role.from_start_model(start_model)
min_role.permissions.add(*min_perms)
# Case 3 -- Same level access but does not have right permission
school_admin = create_test_prof(num=1)
invalid_role = Role.create(district1, school1)
invalid_role.permissions.add('hide-school')
assert min_role.is_allowed(user=school_admin) is False
def test_give_profile_role(self, create_club, create_test_prof, role_model_instances):
prof = create_test_prof(1)
district1, school1, club1 = role_model_instances()
role = Role.create(district1, school1, club1)
role.permissions.add('modify-club')
role.give_role(prof)
role_model = RoleModel.get_role(role)
assert role_model in list(prof.roles.all())
role2 = Role.create(district1, school1, club1)
role_model2 = RoleModel.from_role(role2)
assert role_model2 not in list(prof.roles.all())
def test_low_access_level(self, perm_const_override, create_test_prof, role_model_instances, role_test_data):
min_hier, min_perms = role_test_data
district1, school1, club1 = role_model_instances()
start_model = school1
min_role = Role.from_start_model(start_model)
min_role.permissions.add(*min_perms)
# Case 1 -- Lower access user tries to access higher permission level resource
club_editor = create_test_prof(num=1)
invalid_role = Role.create(district1, school1, club1)
invalid_role.permissions.add('modify-club')
invalid_role.give_role(club_editor)
assert min_role.is_allowed(user=club_editor) is False
def test_role_from_str(self, role_model_instances):
d1, s1, c1 = role_model_instances()
# The possible perms for School Admins are 'create-club', 'modify-school', 'hide-school'
role_expected = Role.create(d1, s1)
role_expected.permissions.add('modify-school', 'hide-school')
perm_str = f'District-{d1.id}/School-{s1.id}/perms=[modify-school, hide-school]'
role_test = Role.from_str(perm_str)
assert str(role_expected) == str(role_test)
perm_str = f'District-{d1.id}/School-{s1.id}/perms=[]'
role_test = Role.from_str(perm_str)
assert role_test.permissions.permissions == set()
def test_same_access_level(self, perm_const_override, create_test_prof, role_model_instances, role_test_data):
min_role, min_perms = role_test_data
district1, school1, club1 = role_model_instances()
start_model = school1
min_role = Role.from_start_model(start_model)
min_role.permissions.add(*min_perms)
# Case 2 -- Same level access with correct permission tries to access resource
school_admin = create_test_prof(num=1)
valid_role = Role.create(district1, school1)
valid_role.permissions.add('modify-school', 'hide-school')
valid_role.give_role(school_admin)
assert min_role.is_allowed(user=school_admin) is True
def test_is_allowed_perms_3_layer_str(self, create_club, role_model_instances):
d1, s1, c1 = role_model_instances()
role = Role.create(d1)
role.permissions.add('modify-district', 'create-school')
# Check that School-2 is a part of District-1, and Club-52 is a part of School-2
input_str = f'District-{d1.id}/School-{s1.id}/Club-{c1.id}/perms=[modify-club]'
assert Role.from_str(input_str).is_allowed(role=role) == True
d2, s2, c2 = role_model_instances()
# Check that School-5 is not a part of District-1 and Club-1 not part of School-5, raises exception
input_str = f'District-{d1.id}/School-{s2.id}/Club-{c2.id}/perms=[update-club]'
with pytest.raises(InvalidRoleCreated):
assert role.is_allowed(role=Role.from_str(input_str))
def test_create(self, db, role_model_instances):
d1, s1, c1 = role_model_instances()
r1 = Role.from_start_model(c1)
r1_model = RoleModel.from_role(r1)
invited = InvitedUser.create("*****@*****.**", roles=[r1])
assert invited.email == "*****@*****.**"
assert list(invited.roles.all()) == [r1_model]
def test_same_access_level_diff_inst(self, perm_const_override, create_test_prof, role_model_instances, role_test_data):
min_role, min_perms = role_test_data
district1, school1, club1 = role_model_instances()
start_model = school1
min_role = Role.from_start_model(start_model)
min_role.permissions.add(*min_perms)
# Case 4 -- Same level access but on a different school instance
school_admin = create_test_prof(num=1)
district2, school2, club2 = role_model_instances()
invalid_role = Role.create(district2, school2)
invalid_role.permissions.add('modify-school')
invalid_role.give_role(school_admin)
assert min_role.is_allowed(user=school_admin) is False
def test_get_admins(self, role_model_instances, create_test_prof):
d1, s1, c1 = role_model_instances()
profiles = [create_test_prof(i) for i in range(2)]
role = Role.from_start_model(s1)
role.permissions.add('modify-school')
for prof in profiles:
role.give_role(prof)
role2 = Role.from_start_model(s1)
role2.permissions.add('hide-club')
other_prof = create_test_prof(3)
role2.give_role(other_prof)
assert list(role.get_admins()) == profiles
assert role.get_admins(perms=['create-club']) == None
assert set(role.get_admins(perms=['__any__'])) == set(
[other_prof, *profiles])
def test_get_editors(db, role_model_instances, create_test_prof,
perm_const_override):
d1, s1, c1 = role_model_instances()
profiles = [create_test_prof(i) for i in range(3)]
role = Role.from_start_model(c1)
role.permissions.add('hide-club')
for prof in profiles:
role.give_role(prof)
# Tests what happens if there are multiple RoleModel instances with the same role_name
role2 = Role.from_start_model(c1)
role2.permissions.add('add-admin')
profiles.append(create_test_prof(4))
role2.give_role(profiles[-1])
for prof in profiles:
assert prof in list(c1.editors)
def test_no_permissions_given(self, role_model_instances, create_test_prof):
prof = create_test_prof(num=1)
district1, school1, club1 = role_model_instances()
role = Role.create(district1, school1, club1)
assert role.is_allowed(user=prof) is False
role.give_role(prof)
assert role.is_allowed(user=prof) is True
def test_user_create_from_invited(self, role_model_instances):
d1, s1, c1 = role_model_instances()
d2, s2, c2 = role_model_instances()
r1 = Role.from_start_model(c1)
r2 = Role.from_start_model(c2)
r1_model = RoleModel.from_role(r1)
r2_model = RoleModel.from_role(r2)
invited = InvitedUser.create(email="*****@*****.**", roles=[r1, r2])
invited_roles = list(invited.roles.all())
user = Profile.create_profile(email="*****@*****.**",
password="******",
first="a",
last="b")
assert invited_roles == list(user.roles.all())
# Make sure the invited user model is deleted
assert not InvitedUser.objects.filter(email="*****@*****.**").exists()
def create(prof_id, role_objs, is_auth=True, perms=['__all__']):
prof = create_test_prof(num=prof_id)
role = Role.create(*role_objs)
role.permissions.add(*perms)
role.give_role(prof)
client = APIClient()
if is_auth:
client.force_authenticate(user=prof)
return prof, role, client
def test_is_allowed_user(self, role_model_instances, create_test_prof):
prof = create_test_prof(num=1)
district1, school1, club1 = role_model_instances()
role = Role.create(district1, school1, club1)
role.permissions.add('modify-club')
assert role.is_allowed(user=prof) is False
role.give_role(prof)
assert role.is_allowed(user=prof) is True
def test_highest_level_str(self, perm_const_override, create_test_prof,
role_model_instances):
prof = create_test_prof(1)
district1, school1, club1 = role_model_instances()
role = Role.from_start_model(school1)
role.permissions.add('create-club')
role.give_role(prof)
hier_perm = RoleModel.get_role(role)
assert hier_perm.highest_level_str == f'School-{school1.id}/perms=[create-club]'
def test_move_up_levels(self, role_model_instances, create_test_prof):
district1, school1, club1 = role_model_instances()
role = Role.create(district1, school1, club1)
new_role = role.go_up_levels(times=1, perms=['modify-school'])
assert Role.create(district1, school1) == new_role
assert new_role.permissions.permissions == {'modify-school'}
role = Role.create(district1, school1, club1)
new_role = role.go_up_levels(
times=2, perms=['create-school', 'modify-district'])
assert Role.create(district1) == new_role
assert new_role.permissions.permissions == {
'create-school', 'modify-district'}
# Goes outside of possible roles
with pytest.raises(AssertionError):
role = Role.create(district1, school1, club1)
assert role.go_up_levels(times=3)
# Permissions not valid for new role
with pytest.raises(AssertionError):
role = Role.create(district1, school1, club1)
assert role.go_up_levels(
times=2, perms=['perms not in permissions'])
def test_str_matches(self, role_model_instances, perm_const_override):
district1, school1, club1 = role_model_instances()
test_hier = PermConst.Hierarchy(District, School, Club, name="test_hier", poss_perms=[
'some_str', 'other_str'])
role = Role.create(district1, school1, club1)
role.hierarchy = test_hier
role.permissions.hierarchy = test_hier
perms = role.hierarchy.poss_perms
role.permissions.add('some_str', 'other_str')
expected = 'District-1/School-1/Club-1/perms=[some_str, other_str]'
def test_get_admin_invited_users(self, role_model_instances):
d1, s1, c1 = role_model_instances()
role = Role.from_start_model(s1)
role.permissions.add('modify-school')
inv1 = InvitedUser.create(email="*****@*****.**", roles=[role])
inv2 = InvitedUser.create(email="*****@*****.**", roles=[role])
inv3 = InvitedUser.create(email="*****@*****.**", roles=[role])
invited = [inv1, inv2, inv3]
assert list(role.get_admins(invited=True)) == invited
def test_profile_serialize_permissions(self, db, role_model_instances,
perm_const_override,
create_test_prof):
d1, s1, c1 = role_model_instances()
prof = create_test_prof(1)
role = Role.from_start_model(c1)
role.permissions.add('modify-club', 'add-admin')
role.give_role(prof)
role = Role.from_start_model(s1)
role.permissions.allow_all_perms()
role.give_role(prof)
expected = {
'id':
prof.id,
'email':
prof.email,
'first_name':
prof.first_name,
'last_name':
prof.last_name,
'school':
None,
'district':
None,
'is_anon':
prof.is_anon,
'permissions': [
f'Club-{c1.id}/perms=[add-admin, modify-club]',
f'School-{s1.id}/perms=[__all__]',
],
'joined_clubs': [],
}
assert ProfileSerializer(prof).data == expected
def test_reset_perms(self, role_model_instances, create_test_prof):
district1, school1, club1 = role_model_instances()
role = Role.create(district1, school1, club1)
role.permissions.add('modify-club')
assert role.permissions.permissions == {'modify-club'}
role.reset_perms()
assert role.permissions.permissions == set()
assert role.hierarchy == role.permissions.hierarchy
role.reset_perms(['modify-club', 'add-admin'])
assert role.permissions.permissions == {'modify-club', 'add-admin'}
with pytest.raises(AssertionError):
assert role.reset_perms(['modify-club', 'blah-blah'])
def test_give_role_same_obj_twice(self, create_test_prof, role_model_instances):
# Check that a new RoleModel is not created each time a prof is given a role. It should just be appended
# Added to test found bug
prof = create_test_prof(1)
district1, school1, club1 = role_model_instances()
role = Role.create(district1, school1, club1)
role.permissions.add('modify-club')
role.give_role(prof)
role.permissions.add('hide-club')
role.give_role(prof)
prof.refresh_from_db()
assert prof.roles.filter(role_name=role.role_str).count() == 1
def test_valid_data(self, perm_const_override, create_test_prof,
role_model_instances):
d1, s1, c1 = role_model_instances()
role = Role.from_start_model(c1)
role.permissions.add('hide-club')
prof = create_test_prof(1)
role.give_role(prof)
serializer = EditorSerializer(prof, context={'role': role})
expected_data = {
'profile': {
'id': prof.id,
'email': prof.email,
'first_name': prof.first_name,
'last_name': prof.last_name,
},
'perms': ['hide-club']
}
assert serializer.data == expected_data
