def test_put_bad_data(self):
# invalid request.data should get a 400 response
av = Av(key=self.key)
av.save()
# Good data would be newline delimited key=val pairs. Form-encoded
# data is invalid.
bad_data = 'owners=foo,bar&favcolor=blue'
res = self.put(self.url, bad_data)
assert res.status_code == 400
def test_bad_create_user(self):
# non-superuser should not be able to create new user
regular_joe = Av(key=self.key)
regular_joe.save()
other_key = random_chars(20)
url = '/api/1/av/%s/' % other_key
res = self.put(url, 'owners=foo,bar')
assert res.status_code == 404
def test_good_get(self):
# existing user should be able to get own data
av = Av(key=self.key)
av.save()
res = self.get(self.url)
assert res.status_code == 200
# The first line of responses should have "MCDATA", followed by a
# space, followed by the key of the av whose data was just fetched.
assert res.data.split('\n')[0] == 'MCDATA ' + self.key
def test_own_owner_save_data(self):
# I saw a bug where someone couldn't edit data because they were in
# their own owner list and I had misjudged the order of evaluation for
# a 'not' and an 'or' in the same expression. This test would fail if
# that bug were still around.
# Make an av with himself in owner list
av = Av(
key=self.key,
owners=[Owner(key=self.key, name=self.key)]
)
av.save()
# Now try to PUT new data
new_owners = [av.key, av.key, random_chars(10), random_chars(10)]
new_data = 'owners=%s' % new_owners
res = self.put(self.url, new_data)
assert res.status_code == 200
def av_by_key(key):
requester = request.headers[OWNER_HEADER]
try:
av = Av.objects.get(key=key)
except Av.DoesNotExist:
if request.method == 'PUT' and requester==SUPERUSER:
# Only the superuser may create new records.
logging.info('Creating new av record for %s' % key)
av = Av(key=key)
else:
# XXX Unauthorized access has to return exactly the same response as
# an av not existing in the DB. Otherwise people can make requests to
# others' urls and use the differing responses to see who has used the
# service.
logging.info('Av %s does not exist' % key)
abort(404)
# Ensure that this person is allowed to access this data
if not (key == av.key or av.has_owner(requester)):
logging.info('%s denied access to %s' % (requester, av.key))
abort(404)
if request.method == 'GET':
return text(av.to_lsl())
elif request.method == 'PUT':
if 'owners' in request.lsldata:
# owners string will look like avkey,avname,av2key,av2name etc.
# split it on commas, then zip into tuples of (key,name). Iterate
# over those tuples and ensure that there's a record for each one
# in the DB's owner list.
vals = request.lsldata['owners'].split(",")
av.owners = [Owner(**{'key':i[0], 'name':i[1]}) for i in
zip(vals[::2], vals[1::2])]
av.save()
return text(av.to_lsl())
def test_unsubscribed_put(self):
# non-existent user should not be able to save data
res = self.put(self.url, 'owners=foo,bar')
assert Av.objects(key=self.key).count() == 0
assert res.status_code == 404