def test_asset_patch_validation(self):
    """PATCH is permitted only inside the requesting user's departments.

    Two rules are exercised: the asset's current department must be one the
    user belongs to, and a department supplied in the PATCH body must also
    be one the user belongs to.
    """
    api = APIClient()
    fields = copy.copy(COMPLETE_ASSET)
    fields['department'] = 'TESTDEPT2'
    asset = Asset(**fields)
    asset.save()

    def detail_url():
        # Evaluated at each request, so it always reflects the saved asset.
        return '/assets/%s/' % asset.pk

    # Phase 1: the asset belongs to TESTDEPT2, so the request is refused.
    response = api.patch(detail_url(), {"name": "asset1"})
    self.assert_method_is_not_listed_as_allowed('PATCH', asset)
    self.assertEqual(response.status_code, 403)

    # Phase 2: move the asset into TESTDEPT, a department the user is
    # expected to have access to, then try to move it back out via PATCH.
    asset.department = 'TESTDEPT'
    # set_local_user is defined outside this listing; presumably it
    # establishes the acting user before the save -- confirm.
    set_local_user(self.user)
    asset.save()

    # PATCH is advertised as available for this asset ...
    self.assert_method_is_listed_as_allowed('PATCH', asset)
    # ... but a body targeting a department the user is not in is rejected.
    # NOTE(review): only the status code is checked. Also asserting that the
    # stored department is still 'TESTDEPT' after the 403 would catch a
    # handler that answers 403 yet persists the write.
    response = api.patch(detail_url(), {"department": "TESTDEPT2"})
    self.assertEqual(response.status_code, 403)

    # Phase 3: a change that stays inside the user's department succeeds.
    response = api.patch(detail_url(), {"name": "asset2"})
    self.assert_method_is_listed_as_allowed('PATCH', asset)
    self.assertEqual(response.status_code, 200)
def test_asset_put_validation(self):
    """PUT is permitted only inside the requesting user's departments.

    Two rules are exercised: the asset's current department must be one the
    user belongs to, and the department carried in the PUT body must also be
    one the user belongs to.
    """
    # NOTE(review): a second method named test_asset_put_validation appears
    # later in this listing. If both live in the same class, the later
    # definition replaces this one and this test is never collected.
    api = APIClient()
    payload = copy.copy(COMPLETE_ASSET)
    payload['department'] = 'TESTDEPT2'
    asset = Asset(**payload)
    asset.save()

    def detail_url():
        # Evaluated at each request, so it always reflects the saved asset.
        return '/assets/%s/' % asset.pk

    # Phase 1: the asset belongs to TESTDEPT2, so the request is refused.
    # The body is the unmodified COMPLETE_ASSET, not the local copy.
    response = api.put(detail_url(), COMPLETE_ASSET)
    self.assert_method_is_not_listed_as_allowed('PUT', asset)
    self.assertEqual(response.status_code, 403)

    # Phase 2: move the asset into TESTDEPT, a department the user is
    # expected to have access to, then try to move it back out via PUT.
    asset.department = 'TESTDEPT'
    # set_local_user is defined outside this listing; presumably it
    # establishes the acting user before the save -- confirm.
    set_local_user(self.user)
    asset.save()

    # PUT is advertised as available for this asset ...
    self.assert_method_is_listed_as_allowed('PUT', asset)
    # ... but the payload still names TESTDEPT2, so it is rejected.
    # NOTE(review): only the status code is checked. Also asserting that the
    # stored department is still 'TESTDEPT' after the 403 would catch a
    # handler that answers 403 yet persists the write.
    response = api.put(detail_url(), payload)
    self.assertEqual(response.status_code, 403)

    # Phase 3: a full replacement that stays inside TESTDEPT succeeds.
    payload['department'] = 'TESTDEPT'
    payload['name'] = 'asset2'
    response = api.put(detail_url(), payload)
    self.assert_method_is_listed_as_allowed('PUT', asset)
    self.assertEqual(response.status_code, 200)
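def test_asset_put_validation(self):
    """PUT is permitted only inside the requesting user's departments.

    Two rules are exercised: the asset's current department must be one the
    user belongs to, and the department carried in the PUT body must also be
    one the user belongs to.
    """
    # NOTE(review): another method with this exact name appears earlier in
    # this listing. If both live in the same class, this later definition
    # replaces the earlier one, so only one of the two ever runs.
    client = APIClient()
    asset_dict = copy.copy(COMPLETE_ASSET)
    asset_dict['department'] = 'TESTDEPT2'
    asset = Asset(**asset_dict)
    asset.save()

    # The requests below previously went through client.patch(), so the PUT
    # authorization path named by this test was never exercised. They now
    # issue PUT, matching the method name and docstring.

    # Not allowed because the asset belongs to TESTDEPT2.
    result_put = client.put('/assets/%s/' % asset.pk, COMPLETE_ASSET)
    self.assertEqual(result_put.status_code, 403)

    # Move the asset into TESTDEPT, a department the user is expected to
    # have access to, then try to replace it with a body naming TESTDEPT2.
    asset.department = 'TESTDEPT'
    asset.save()
    # NOTE(review): only the status code is checked. Also asserting that the
    # stored department is still 'TESTDEPT' after the 403 would catch a
    # handler that answers 403 yet persists the write.
    result_put = client.put('/assets/%s/' % asset.pk, asset_dict)
    self.assertEqual(result_put.status_code, 403)

    # A full replacement that stays inside TESTDEPT should be accepted.
    asset_dict['department'] = 'TESTDEPT'
    asset_dict['name'] = 'asset2'
    result_put = client.put('/assets/%s/' % asset.pk, asset_dict)
    self.assertEqual(result_put.status_code, 200)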