def test_profile_put_writes_audit_log_if_not_own_profile(
        profile, other_profile, api_client, caplog):
    """A FORBIDDEN "UPDATE" audit entry is written when a user PUTs someone else's profile."""
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    # Authenticated as `profile`, but the URL addresses `other_profile`.
    target_url = reverse(
        "users:profile-detail", args=(mask_uuid(other_profile.pk),))
    payload = dict(PROFILE_TEST_DATA)
    payload["first_name"] = "Maija"
    payload["street_address"] = "Kauppakatu 23"
    # The HTTP response is deliberately not inspected here; the 403 for this
    # request is asserted in test_profile_put_fails_if_not_own_profile. This
    # test only checks that the denied attempt leaves a trace in the audit log.
    api_client.put(target_url, payload)

    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"
    # The caller is recorded with the plain "USER" role (not "OWNER"), since
    # the target is not their own profile.
    assert event["actor"] == {"role": "USER", "profile_id": str(profile.pk)}
    assert event["operation"] == "UPDATE"
    assert event["target"] == {"id": str(other_profile.pk), "type": "Profile"}
    assert event["status"] == "FORBIDDEN"
def test_profile_delete_fails_if_not_authenticated(profile, api_client):
    """Deleting a profile without credentials is rejected with 401."""
    # No credentials are set on the client, so the request is anonymous.
    target_url = reverse(
        "users:profile-detail", args=(mask_uuid(profile.pk),))
    response = api_client.delete(target_url, PROFILE_TEST_DATA)
    assert response.status_code == 401
def test_profile_get_detail(profile, api_client):
    """An authenticated user can read their own profile in full."""
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    own_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk),))

    response = api_client.get(own_url)

    assert response.status_code == 200
    # The serialized profile must match the fixture data exactly.
    assert response.data == PROFILE_TEST_DATA
def test_profile_delete(profile, api_client):
    """A user can delete their own profile; the owning User row goes with it."""
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    own_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk),))
    user_pk = profile.user.pk
    profile_pk = profile.pk

    response = api_client.delete(own_url)

    assert response.status_code == 204
    # Both the Profile and its User must be gone, not only the profile row.
    assert not User.objects.filter(pk=user_pk).exists()
    assert not Profile.objects.filter(pk=profile_pk).exists()
def test_profile_patch_is_not_allowed(profile, api_client):
    """PATCH (partial update) is not offered by the endpoint and answers 405."""
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    own_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk),))
    partial = {"first_name": "Maija", "street_address": "Kauppakatu 23"}

    response = api_client.patch(own_url, partial)

    # Even the owner gets 405: the method is disabled, not merely forbidden.
    assert response.status_code == 405
def test_profile_put_fails_if_not_own_profile(profile, other_profile, api_client):
    """A user is forbidden (403) from replacing another person's profile."""
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    # Authenticated as `profile`, but the URL addresses `other_profile`.
    other_url = reverse(
        "users:profile-detail", args=(mask_uuid(other_profile.pk),))
    payload = dict(
        PROFILE_TEST_DATA, first_name="Maija", street_address="Kauppakatu 23")

    response = api_client.put(other_url, payload)

    # 403, not 401: the caller is authenticated but is not the owner.
    assert response.status_code == 403
def test_profile_delete_writes_audit_log_if_not_authenticated(
        profile, api_client, caplog):
    """An anonymous DELETE attempt leaves a FORBIDDEN "DELETE" audit entry."""
    target_url = reverse(
        "users:profile-detail", args=(mask_uuid(profile.pk),))
    # No credentials on the client: the actor must be logged as ANONYMOUS.
    api_client.delete(target_url, PROFILE_TEST_DATA)

    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"
    assert event["actor"] == {"role": "ANONYMOUS", "profile_id": None}
    assert event["operation"] == "DELETE"
    assert event["target"] == {"id": str(profile.pk), "type": "Profile"}
    # The audit status is FORBIDDEN even though the HTTP answer for this case
    # is 401 (asserted in test_profile_delete_fails_if_not_authenticated).
    assert event["status"] == "FORBIDDEN"
def test_profile_put(profile, api_client):
    """A user can replace their own profile and the new values are persisted."""
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    own_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk),))
    put_data = dict(
        PROFILE_TEST_DATA, first_name="Maija", street_address="Kauppakatu 23")

    response = api_client.put(own_url, put_data)

    assert response.status_code == 200
    assert response.data == put_data

    # Check the database state, not only the echoed response body.
    profile.refresh_from_db()
    # These three fields are stored on the related User, not on Profile.
    user_fields = ("first_name", "last_name", "email")
    for field in user_fields:
        assert str(getattr(profile.user, field)) == str(put_data[field])
    profile_fields = {
        key: value for key, value in put_data.items() if key not in user_fields
    }
    for field, expected in profile_fields.items():
        assert str(getattr(profile, field)) == str(expected)
def test_profile_delete_writes_audit_log_if_not_own_profile(
        profile, other_profile, api_client, caplog):
    """A FORBIDDEN "DELETE" audit entry is written when a user tries to delete someone else's profile."""
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    # Authenticated as `profile`, but the URL addresses `other_profile`.
    target_url = reverse(
        "users:profile-detail", args=(mask_uuid(other_profile.pk),))
    # Only the audit trail is checked here; the HTTP status of this request is
    # not asserted in this test.
    api_client.delete(target_url)

    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"
    # The caller is recorded with the plain "USER" role (not "OWNER"), since
    # the target is not their own profile.
    assert event["actor"] == {"role": "USER", "profile_id": str(profile.pk)}
    assert event["operation"] == "DELETE"
    assert event["target"] == {"id": str(other_profile.pk), "type": "Profile"}
    assert event["status"] == "FORBIDDEN"
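def test_profile_put_writes_audit_log(profile, api_client, caplog):
    """A SUCCESS "UPDATE" audit entry is written when a user updates their own profile.

    The payload uses ``street_address`` like the other PUT tests in this
    file; the previous ``address`` key did not match the field those tests
    write, so the intended field change was presumably not exercised by the
    request. The HTTP status is asserted before the audit entry so a failed
    update reports itself directly rather than as a missing log entry.
    """
    api_client.credentials(
        HTTP_AUTHORIZATION=f"Bearer {_create_token(profile)}")
    own_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk),))
    put_data = {
        **PROFILE_TEST_DATA,
        "first_name": "Maija",
        "street_address": "Kauppakatu 23",
    }

    response = api_client.put(own_url, put_data)
    assert response.status_code == 200

    audit_event = get_audit_log_event(caplog)
    assert audit_event is not None, "no audit log entry was written"
    # Acting on one's own profile is recorded with the "OWNER" role, unlike
    # the "USER" role logged for attempts on other people's profiles.
    assert audit_event["actor"] == {
        "role": "OWNER",
        "profile_id": str(profile.pk),
    }
    assert audit_event["operation"] == "UPDATE"
    assert audit_event["target"] == {"id": str(profile.pk), "type": "Profile"}
    assert audit_event["status"] == "SUCCESS"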