def test_permissions(self):
    """A manager granted every permission flag can add, edit and remove a shop item.

    Registers an owner and a manager, creates 'myShop', appoints the manager
    with all flags set to 1, then exercises add / edit / remove through
    ItemsLogic as the manager and checks the stored item after the edits.
    """
    UsersLogic.register(RegisteredUser('ShaharShahar', '1212345678'))
    UsersLogic.register(RegisteredUser('TomerTomerLev', '65412321'))

    new_shop = Shop('myShop', 'Active')
    ShopLogic.create_shop(new_shop, 'ShaharShahar')
    full_rights = StoreManager('TomerTomerLev', 'myShop', 1, 1, 1, 1, 1, 1, 1, 1)
    UsersLogic.add_manager('ShaharShahar', full_rights)

    doll = Item(None, 'myShop', 'doll', 'toys', 'toys:kids', 20, 300, 'regular', None, 0, 0, 0)
    ItemsLogic.add_item_to_shop(doll, 'TomerTomerLev')

    stored = Items.get_item(1)
    self.assertEqual(stored.shop_name, 'myShop')
    self.assertEqual(stored.price, 20)
    self.assertEqual(stored.quantity, 300)

    # Each edit is asserted immediately, in the same order as before.
    for field, value in (('price', 40), ('name', 'doll_new'), ('quantity', 40)):
        self.assertTrue(ItemsLogic.edit_shop_item('TomerTomerLev', 1, field, value))

    # The price edit is not re-read here; only name, quantity and keywords are.
    stored = Items.get_item(1)
    self.assertEqual(stored.name, 'doll_new')
    self.assertEqual(stored.quantity, 40)
    self.assertEqual(stored.keyWords, 'toys:kids')

    self.assertTrue(ItemsLogic.remove_item_from_shop(1, 'TomerTomerLev'))
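def edit_shop_item(request):
    """Django view: apply a multi-field edit to a shop item for the logged-in user.

    Expects a POST carrying ``item_id`` plus the optional fields
    ``item_quantity``, ``item_category``, ``item_keywords``, ``item_price``
    and ``item_url``. The user is resolved from the ``login_hash`` cookie via
    ``Consumer.loggedInUsers``. The caller must be the owner of the item's
    shop, or a manager of it whose ``permission_edit_item`` flag equals 1.

    Returns:
        HttpResponse whose body is ``'success'``, ``'fail'``,
        ``'no permission to edit item'`` or ``MESSAGE_SQL_INJECTION``.
    """
    # A non-POST request previously fell off the end and returned None, which
    # Django rejects as a view result; answer with the usual 'fail' body.
    if request.method != 'POST':
        return HttpResponse('fail')

    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('fail')

    item_id = request.POST.get('item_id')
    fields = ['quantity', 'category', 'keywords', 'price', 'url']
    new_values = [
        request.POST.get('item_quantity'),
        request.POST.get('item_category'),
        request.POST.get('item_keywords'),
        request.POST.get('item_price'),
        request.POST.get('item_url'),
    ]

    # A list comprehension, not a short-circuiting generator, so that
    # identify_sql_injection runs on every value (its logging is the point).
    # NOTE(review): what that check matches is not visible here; treat it as a
    # heuristic detector, not the SQL boundary — the data layer still has to
    # use parameterised queries for these values.
    event = "EDIT ITEM"
    suspicious = [LoggerLogic.identify_sql_injection(value, event) for value in new_values]
    if any(suspicious):
        return HttpResponse(MESSAGE_SQL_INJECTION)

    item = ItemsLogic.get_item(item_id)
    if item is False:
        return HttpResponse('fail')

    # Authorisation: owners always pass; managers need the edit flag.
    if not UsersLogic.is_owner_of_shop(username, item.shop_name):
        if not UsersLogic.is_manager_of_shop(username, item.shop_name):
            return HttpResponse('fail')  # neither manager nor owner
        manager = UsersLogic.get_manager(username, item.shop_name)
        # `!=` replaces the original `is not 1`: identity comparison against
        # an int literal is not a value check (and is a SyntaxWarning on 3.8+).
        if manager.permission_edit_item != 1:
            return HttpResponse('no permission to edit item')

    # Fields are written one at a time; a failure part-way through leaves the
    # earlier fields already changed (unchanged from the previous behaviour).
    for field, value in zip(fields, new_values):
        status = ItemsLogic.edit_shop_item(username, item_id, field, value)
        if status is False:
            return HttpResponse('fail')
    return HttpResponse('success')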
def edit_item_name(item_id, username, item_name):
    """Rename item *item_id* as *username*.

    Thin wrapper that asks ItemsLogic.edit_shop_item to set the ``'name'``
    field; the result of that call is returned unchanged.
    """
    field = 'name'
    return ItemsLogic.edit_shop_item(username, item_id, field, item_name)