def test_permissions(self):
    """
    Exercise read/write access control on a wiki page.

    A page is created with can_read='STAF' and can_write='INST'.  The
    view_page and edit_page URLs are then requested as an anonymous client,
    the instructor, a TA, a student, and a person with no membership in the
    offering (first without, then with a PagePermission row), and the
    expected HTTP status code is asserted for each case.
    """
    offering = CourseOffering.objects.get(slug=TEST_COURSE_SLUG)
    inst_member = Member.objects.filter(offering=offering, role='INST').first()
    instructor = inst_member.person
    ta_person = Member.objects.filter(offering=offering, role='TA').first().person
    student = Member.objects.filter(offering=offering, role='STUD').first().person
    outsider = Person.objects.get(userid='dixon')
    # fixture sanity check: the outsider must hold no membership in this offering,
    # otherwise the "non-member" cases below would not test what they claim to
    assert not Member.objects.filter(offering=offering, person=outsider)

    page = Page(offering=offering, label="Test", can_read='STAF', can_write='INST')
    page.save()
    version = PageVersion(page=page, title="Test Page", wikitext="Page contents",
                          editor=inst_member)
    version.save()

    client = Client()
    url_kwargs = {'course_slug': offering.slug, 'page_label': 'Test'}

    def status_for(userid, url):
        # Switch the client to `userid` (None means anonymous) and fetch `url`.
        if userid is None:
            client.logout()
        else:
            client.login_user(userid)
        return client.get(url).status_code

    # page-viewing permissions (can_read='STAF')
    view_url = reverse('offering:pages:view_page', kwargs=url_kwargs)
    for userid, expected in [
        (None, 403),
        (instructor.userid, 200),
        (ta_person.userid, 200),
        (student.userid, 403),
        (outsider.userid, 403),
    ]:
        self.assertEqual(status_for(userid, view_url), expected)

    # ... but with a PagePermission object, the outsider can read the page
    # (the client is still logged in as the outsider at this point)
    PagePermission(person=outsider, offering=offering, role='INST').save()
    self.assertEqual(client.get(view_url).status_code, 200)

    # page-editing permissions (can_write='INST')
    edit_url = reverse('offering:pages:edit_page', kwargs=url_kwargs)
    for userid, expected in [
        (None, 302),  # anonymous request is redirected to log in
        (instructor.userid, 200),
        (ta_person.userid, 403),
        (student.userid, 403),
        # editing with PagePermission not implemented: the outsider's
        # PagePermission row does not grant write access
        (outsider.userid, 403),
    ]:
        self.assertEqual(status_for(userid, edit_url), expected)
def test_permissions(self):
    """
    Check who may view and who may edit a wiki page.

    Builds a page with can_read='STAF' and can_write='INST' in the test
    offering and asserts the status codes returned by view_page and
    edit_page for: an anonymous client, the instructor, a TA, a student,
    and a non-member of the offering both before and after a
    PagePermission row with role='INST' exists for them.
    """
    crs = CourseOffering.objects.get(slug=TEST_COURSE_SLUG)
    inst_memb = Member.objects.filter(offering=crs, role='INST').first()
    instructor = inst_memb.person
    ta_user = Member.objects.filter(offering=crs, role='TA').first().person
    student = Member.objects.filter(offering=crs, role='STUD').first().person
    outsider = Person.objects.get(userid='dixon')
    # 'dixon' is expected to hold no membership in the offering; the
    # non-member assertions below rely on that
    assert not Member.objects.filter(offering=crs, person=outsider)

    page = Page(offering=crs, label="Test", can_read='STAF', can_write='INST')
    page.save()
    PageVersion(
        page=page,
        title="Test Page",
        wikitext="Page contents",
        editor=inst_memb,
    ).save()

    c = Client()
    page_kwargs = {'course_slug': crs.slug, 'page_label': 'Test'}
    view_url = reverse('offering:pages:view_page', kwargs=page_kwargs)
    edit_url = reverse('offering:pages:edit_page', kwargs=page_kwargs)

    def expect(url, status):
        # GET `url` with the client's current session and assert the status code.
        self.assertEqual(c.get(url).status_code, status)

    # page-viewing permissions
    c.logout()
    expect(view_url, 403)
    c.login_user(instructor.userid)
    expect(view_url, 200)
    c.login_user(ta_user.userid)
    expect(view_url, 200)
    c.login_user(student.userid)
    expect(view_url, 403)
    c.login_user(outsider.userid)
    expect(view_url, 403)

    # ... but with a PagePermission object, the outsider can read the page
    PagePermission(person=outsider, offering=crs, role='INST').save()
    expect(view_url, 200)

    # page-editing permissions
    c.logout()
    expect(edit_url, 302)  # anonymous request is redirected to log in
    c.login_user(instructor.userid)
    expect(edit_url, 200)
    c.login_user(ta_user.userid)
    expect(edit_url, 403)
    c.login_user(student.userid)
    expect(edit_url, 403)
    # editing with PagePermission not implemented: the outsider's row still
    # does not grant write access
    c.login_user(outsider.userid)
    expect(edit_url, 403)
def test_oauth_workflow(self): request_token_url = 'http://testserver' + reverse( 'api:oauth_request_token') authorize_token_url = 'http://testserver' + reverse( 'api:oauth_user_authorization') # create consumer for tests c = Client() c.login_user('ggbaker') c.logout() consumer = Consumer(name='Test Consumer', description='Consumer to do some tests with', status=ACCEPTED, user=User.objects.get(username='******'), xauth_allowed=False) consumer.generate_random_codes() consumer.save() ci = ConsumerInfo(consumer=consumer) ci.admin_contact = '*****@*****.**' ci.permissions = ['courses', 'grades'] ci.save() # generate request token oauth_request = oauth.Request.from_consumer_and_token( consumer, http_url=request_token_url, parameters={'oauth_callback': 'oob'}) oauth_request.sign_request(oauth.SignatureMethod_HMAC_SHA1(), consumer, None) resp = c.get(request_token_url, **oauth_request.to_header()) self.assertEqual(resp.status_code, 200) request_token = dict( urllib.parse.parse_qsl(resp.content.decode('utf8'))) # get auth verifier c.login_user('ggbaker') resp = c.get(authorize_token_url, {'oauth_token': request_token['oauth_token']}) self.assertEqual(resp.status_code, 200) resp = c.post(authorize_token_url, { 'oauth_token': request_token['oauth_token'], 'authorize_access': 'on' }) self.assertEqual(resp.status_code, 200) parser = etree.HTMLParser() root = etree.fromstring(resp.content, parser=parser) verifier_elt = root.xpath('//*[@id="verifier"]')[0] oauth_verifier = verifier_elt.text.strip() c.logout() # get access token token = oauth.Token(request_token['oauth_token'], request_token['oauth_token_secret']) token.set_verifier(oauth_verifier) oauth_request = oauth.Request.from_consumer_and_token( consumer, token, http_url=authorize_token_url) oauth_request.sign_request(oauth.SignatureMethod_HMAC_SHA1(), consumer, token) resp = c.get(authorize_token_url, **oauth_request.to_header())