def setUp(self): self.user = UserProfile.objects.create_superuser('test', 'test', '*****@*****.**', 'test', 'test') self.user.is_active = True self.user.is_verified = True self.user.save() self.user2 = mommy.make(UserProfile, is_superuser=True) document = InformationDocument(title="title", text="text", author=self.user) with transaction.atomic(), reversion.create_revision(): document.save() reversion.set_user(self.user) reversion.set_comment('test version')
def setUp(self): self.user = UserProfile.objects.create_user("testuser") self.user.save() self.group = Group.objects.create(name="test_group") for permission in get_perms_for_model(InformationDocument): permission_name = "{}.{}".format(permission.content_type.app_label, permission.codename) assign_perm(permission_name, self.group) self.group.save() document = InformationDocument(title="title", text="text", author=self.user) document.save()
def test_url_shows_document(self): title = "Document title" text = "This is the document text." author = self.user document = InformationDocument(title=title, text=text, author=author) document.save() assign_perm(InformationDocument.VIEW_PERMISSION_NAME, author, document) self.assertTrue(author.has_perm(InformationDocument.VIEW_PERMISSION_NAME, document)) self.assertTrue(document.get_view_url(), msg="InformationDocument should return a URL") response = self.app.get(document.get_view_url(), user=author) self.assertIn(title.encode("utf-8"), response.body, msg="The displayed page should contain the document's title")
def test_view_attachment(self): params = { 'attachment_id': self.attachment.id, } # test that a user with insufficient permissions is not allowed to view/download an attachment # be an anonymous user response = self.app.post(reverse('documents:download_attachment'), params=params, expect_errors=True) self.assertEqual(response.status_code, 400, msg="Should be bad request as user used wrong request method") response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True) self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions") # test viewing an attachment using a user with insufficient permissions normal_user = UserProfile.objects.create_user("normal", "test", "*****@*****.**") assign_perm('change_informationdocument', normal_user, self.document) response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True, user=normal_user) self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions") # grant the correct permission to the user an try again assign_perm(InformationDocument.get_view_permission(), normal_user, self.document) response = self.app.get(reverse('documents:download_attachment'), params=params, user=normal_user) self.assertEqual( response.status_code, 200, msg="Users with sufficient permissions should be able to download an attachment" ) self.assertEqual( response.body.decode('utf-8'), self.content, msg="An attachment that has been downloaded should contain its original content" ) # try the same with a user that is in a group having the correct permission response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.group_user) self.assertEqual( response.status_code, 200, msg="Users with sufficient permissions should be able to download an attachment" ) self.assertEqual( response.body.decode('utf-8'), self.content, msg="An attachment that has been downloaded should contain its original content" ) # make sure that a superuser is always allowed to download an attachment response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.user) self.assertEqual( response.status_code, 200, msg="Users with sufficient permissions should be able to download an attachment" ) self.assertEqual( response.body.decode('utf-8'), self.content, msg="An attachment that has been downloaded should contain its original content" )
def test_delete_attachment(self): params = { 'id': self.attachment.id, } # try to delete an attachment as user with no permissions at all (anonymous user) response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True) self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work") response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True) self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work") response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True) self.assertEqual(response.status_code, 404, msg="Requests that are not AJAX should return a 404 error") response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True) redirect_url = reverse('login') + '?next=' + reverse('documents:delete_attachment') self.assertRedirects( response, redirect_url, msg_prefix="If the site is visited by anonymous users they should see the login page" ) # try to delete an attachment as user with no permissions normal_user = mommy.make(UserProfile) response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user) self.assertEqual( response.status_code, 403, msg="If users have no permissions they should not be able to delete an attachment" ) # try to delete an attachment as user with wrong permissions assign_perm(InformationDocument.get_view_permission(), normal_user, self.document) response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user) self.assertEqual( response.status_code, 403, msg="If users has no permissions they should not be able to delete an attachment" ) # try to delete an attachment as user with correct permissions response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.group_user) self.assertEqual( response.status_code, 200, msg="Users with the correct permissions for a document should be able to delete an attachment" ) # re create the attachment self.attachment.save() # try to delete an attachment as superuser response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.user) self.assertEqual( response.status_code, 200, msg="Users with the correct permissions for a document should be able to delete an attachment" )
def setUp(self): self.user = UserProfile.objects.create_superuser(username="******", email="*****@*****.**", password="******") self.user.is_verified = True self.user.is_active = True self.user.save() self.document = InformationDocument(title="title", text="text", author=self.user) self.document.save()
class TestVersions(WebTest): csrf_checks = False def setUp(self): self.user = UserProfile.objects.create_superuser(username="******", email="*****@*****.**", password="******") self.user.is_verified = True self.user.is_active = True self.user.save() self.document = InformationDocument(title="title", text="text", author=self.user) with transaction.atomic(), reversion.create_revision(): self.document.save() reversion.set_user(self.user) reversion.set_comment('test version') def test_get_version_page(self): response = self.app.get(reverse('information_pages:versions', args=[self.document.url_title]), status=403) self.assertEqual(response.status_code, 403) response = self.app.get(reverse('information_pages:versions', args=[self.document.url_title]), user=self.user) self.assertEqual(response.status_code, 200) def test_save_version(self): # first get all current versions of the document from the database document = Document.objects.get() versions = reversion.get_for_object(document) self.assertEqual(len(versions), 1) # get the editor page and add a new revision response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user=self.user) self.assertEqual(response.status_code, 200) form = response.form new_string = self.document.text + "\nHallo Bibi Blocksberg!!" form.set('text', new_string) form.set('comment', 'hallo Bibi Blocksberg') response = form.submit().follow() self.assertEqual(response.status_code, 200) # check whether number of versions increased versions = reversion.get_for_object(self.document) self.assertEqual(len(versions), 2) # check whether the comment of the version correct self.assertEqual(versions[0].revision.comment, 'hallo Bibi Blocksberg') self.assertEqual(versions[1].revision.comment, 'test version')
def test_delete_attachment(self): params = { 'id': self.attachment.id, } # try to delete an attachment as user with no permissions at all (anonymous user) response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True) self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work") response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True) self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work") response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True) self.assertEqual(response.status_code, 404, msg="Requests that are not AJAX should return a 404 error") response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True) self.assertEqual( response.status_code, 403, msg="If users have no permissions they should not be able to delete an attachment" ) # try to delete an attachment as user with no permissions normal_user = UserProfile.objects.create_user("normal", "test", "*****@*****.**") response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user) self.assertEqual( response.status_code, 403, msg="If users have no permissions they should not be able to delete an attachment" ) # try to delete an attachment as user with wrong permissions assign_perm(InformationDocument.get_view_permission(), normal_user, self.document) response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user) self.assertEqual( response.status_code, 403, msg="If users has no permissions they should not be able to delete an attachment" ) # try to delete an attachment as user with correct permissions response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.group_user) self.assertEqual( response.status_code, 200, msg="Users with the correct permissions for a document should be able to delete an attachment" ) # re create the attachment self.attachment.save() # try to delete an attachment as superuser response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.user) self.assertEqual( response.status_code, 200, msg="Users with the correct permissions for a document should be able to delete an attachment" )
def save(self, *args, **kwargs): super().save(*args, **kwargs) instance = forms.ModelForm.save(self) instance.user_set.clear() instance.user_set.add(*self.cleaned_data["users"]) if self.cleaned_data["add_information_document"]: assign_perm(InformationDocument().add_permission_name, instance) else: remove_perm(InformationDocument().add_permission_name, instance) if self.cleaned_data["add_minutesdocument"]: assign_perm(MinutesDocument().add_permission_name, instance) else: remove_perm(MinutesDocument().add_permission_name, instance) if self.cleaned_data["add_poll"]: assign_perm(Poll().add_permission_name, instance) else: remove_perm(Poll().add_permission_name, instance) return instance
def test_slugification(self): document = InformationDocument(title_en="titlea", text_en="text") self.assertEqual(document.url_title, '') document.save() self.assertEqual(document.url_title, "titlea") document.url_title = "bla/KEKS-kekskeks" document.save() self.assertEqual(document.url_title, "bla/keks-kekskeks")
def setUp(self): self.user = UserProfile.objects.create_superuser(username="******", email="*****@*****.**", password="******") self.user.is_verified = True self.user.is_active = True self.user.save() self.document = InformationDocument(title="title", text="text", author=self.user) with transaction.atomic(), reversion.create_revision(): self.document.save() reversion.set_user(self.user) reversion.set_comment('test version')
def view_information(request, title): document = get_object_or_error(InformationDocument, request.user, [InformationDocument.get_view_permission()], url_title=title) md = markdown.Markdown(safe_mode='escape', extensions=[TocExtension(baselevel=2)]) text = md.convert(document.text) return render(request, 'information_pages_base.html', { 'document': document, 'text': text, 'toc': md.toc, 'attachments': document.attachments.all(), 'active_page': 'view', })
def test_slugification(self): document = InformationDocument(title="titlea", text="text") self.assertEqual(document.url_title, "") document.save() self.assertEqual(document.url_title, "titlea") document.url_title = "bla-keks-kekskeks" document.save() self.assertEqual(document.url_title, "bla-keks-kekskeks")
def view_information(request, title): document = get_object_or_error(InformationDocument, request.user, [InformationDocument.get_view_permission()], url_title=title) md = markdown.Markdown(safe_mode='escape', extensions=[TocExtension(baselevel=2)]) text = md.convert(document.text) anonymous_rights = get_anonymous_user().has_perm(InformationDocument.VIEW_PERMISSION_NAME, document) edit_rights = request.user.has_perm("change_informationdocument", document) permission_warning = edit_rights and not anonymous_rights return render(request, 'information_pages_base.html', { 'document': document, 'text': text, 'toc': md.toc, 'attachments': document.attachments.all().order_by('index'), 'active_page': 'view', 'permission_warning' : permission_warning, })
def setUp(self): self.user = UserProfile.objects.create_superuser("test", "test", "*****@*****.**") self.group = Group.objects.create(name="testgroup") for permission in get_perms_for_model(InformationDocument): permission_name = "{}.{}".format(permission.content_type.app_label, permission.codename) assign_perm(permission_name, self.group) self.group.save() self.group_user = UserProfile.objects.create_user("groupuser", "test", "*****@*****.**") self.group_user.groups.add(self.group) self.group_user.save() self.document = InformationDocument(author=self.user, title="test", text="blabla") self.document.save() self.content = "test content of test attachment" attachment_file = ContentFile(self.content) self.attachment = Attachment.objects.create(document=self.document) self.attachment.file.save('temp.txt', attachment_file) self.attachment.save()
def view_information(request, title): document = get_object_or_error(InformationDocument, request.user, [InformationDocument.get_view_permission()], url_title=title) md = markdown.Markdown(safe_mode='escape', extensions=[TocExtension(baselevel=2)]) text = md.convert(document.text) anonymous_rights = get_anonymous_user().has_perm( InformationDocument.VIEW_PERMISSION_NAME, document) edit_rights = request.user.has_perm("change_informationdocument", document) permission_warning = edit_rights and not anonymous_rights return render( request, 'information_pages_base.html', { 'document': document, 'text': text, 'toc': md.toc, 'attachments': document.attachments.all().order_by('index'), 'active_page': 'view', 'permission_warning': permission_warning, })
def test_view_attachment(self): params = { 'hash_value': self.attachment.hash_value, } # test that a user with insufficient permissions is not allowed to view/download an attachment # be an anonymous user response = self.app.post(reverse('documents:download_attachment'), params=params, expect_errors=True) self.assertEqual(response.status_code, 400, msg="Should be bad request as user used wrong request method") response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True) self.assertEqual(response.status_code, 302) response = response.follow() self.assertTemplateUsed(response, 'login.html', msg_prefix="Anonymous users should see the login page") # test viewing an attachment using a user with insufficient permissions normal_user = mommy.make(UserProfile) assign_perm('change_informationdocument', normal_user, self.document) response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True, user=normal_user) self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions") # grant the correct permission to the user an try again assign_perm(InformationDocument.get_view_permission(), normal_user, self.document) response = self.app.get(reverse('documents:download_attachment'), params=params, user=normal_user) self.assertEqual( response.status_code, 200, msg="Users with sufficient permissions should be able to download an attachment" ) self.assertEqual( response.body.decode('utf-8'), self.content, msg="An attachment that has been downloaded should contain its original content" ) # try the same with a user that is in a group having the correct permission response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.group_user) self.assertEqual( response.status_code, 200, msg="Users with sufficient permissions should be able to download an attachment" ) self.assertEqual( response.body.decode('utf-8'), self.content, msg="An attachment that has been downloaded should contain its original content" ) # make sure that a superuser is always allowed to download an attachment response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.user) self.assertEqual( response.status_code, 200, msg="Users with sufficient permissions should be able to download an attachment" ) self.assertEqual( response.body.decode('utf-8'), self.content, msg="An attachment that has been downloaded should contain its original content" )
class TestAttachments(WebTest): """ Tests creating, viewing and deleting attachments InformationDocuments are used as testclass. It is assumed that the behavior is similar with other documenttypes """ csrf_checks = False def setUp(self): self.user = UserProfile.objects.create_superuser("test", "test", "*****@*****.**") self.group = Group.objects.create(name="testgroup") for permission in get_perms_for_model(InformationDocument): permission_name = "{}.{}".format(permission.content_type.app_label, permission.codename) assign_perm(permission_name, self.group) self.group.save() self.group_user = UserProfile.objects.create_user("groupuser", "test", "*****@*****.**") self.group_user.groups.add(self.group) self.group_user.save() self.document = InformationDocument(author=self.user, title="test", text="blabla") self.document.save() self.content = "test content of test attachment" attachment_file = ContentFile(self.content) self.attachment = Attachment.objects.create(document=self.document) self.attachment.file.save('temp.txt', attachment_file) self.attachment.save() def tearDown(self): for attachment in self.document.attachments.all(): attachment.file.delete() self.attachment.file.delete() def test_create_attachment(self): upload_files = [ ('file', 'test.txt', bytes(tempfile.SpooledTemporaryFile(max_size=10000, prefix='txt', mode='r'))) ] # test that user who has no change permission on a document can not add an attachment # and neither see the corresponding page normal_user = UserProfile.objects.create_user("normal", "test", "*****@*****.**") response = self.app.get( reverse('information_pages:attachments', args=[self.document.url_title]), user=normal_user, expect_errors=True ) self.assertEqual(response.status_code, 403) response = self.app.post( reverse('information_pages:attachments', args=[self.document.url_title]), content_type='multipart/form-data', upload_files=upload_files, user=normal_user, expect_errors=True ) self.assertEqual(response.status_code, 403) # test that user who is allowed to view the document may not add attachments to it # and neither see the corresponding page assign_perm("view_informationdocument", normal_user, self.document) response = self.app.get( reverse('information_pages:attachments', args=[self.document.url_title]), user=normal_user, expect_errors=True ) self.assertEqual(response.status_code, 403) response = self.app.post( reverse('information_pages:attachments', args=[self.document.url_title]), content_type='multipart/form-data', upload_files=upload_files, user=normal_user, expect_errors=True ) self.assertEqual(response.status_code, 403) # test that member of group who has according permissions is allowed to upload attachments # and to see the corresponding page response = self.app.get(reverse('information_pages:attachments', args=[self.document.url_title]), user=self.group_user) self.assertEqual(response.status_code, 200) response = self.app.post( reverse('information_pages:attachments', args=[self.document.url_title]), content_type='multipart/form-data', upload_files=upload_files, user=self.group_user ) self.assertEqual(response.status_code, 200) # test that superuser is allowed to upload attachments and to see the corresponding page response = self.app.get(reverse('information_pages:attachments', args=[self.document.url_title]), user=self.user) self.assertEqual(response.status_code, 200) response = self.app.post( reverse('information_pages:attachments', args=[self.document.url_title]), content_type='multipart/form-data', upload_files=upload_files, user=self.user ) self.assertEqual(response.status_code, 200) def test_delete_attachment(self): params = { 'id': self.attachment.id, } # try to delete an attachment as user with no permissions at all (anonymous user) response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True) self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work") response = self.app.get(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True) self.assertEqual(response.status_code, 404, msg="GET Requests are not allowed to work") response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True) self.assertEqual(response.status_code, 404, msg="Requests that are not AJAX should return a 404 error") response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True) self.assertEqual( response.status_code, 403, msg="If users have no permissions they should not be able to delete an attachment" ) # try to delete an attachment as user with no permissions normal_user = UserProfile.objects.create_user("normal", "test", "*****@*****.**") response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user) self.assertEqual( response.status_code, 403, msg="If users have no permissions they should not be able to delete an attachment" ) # try to delete an attachment as user with wrong permissions assign_perm(InformationDocument.get_view_permission(), normal_user, self.document) response = self.app.post(reverse('documents:delete_attachment'), params=params, expect_errors=True, xhr=True, user=normal_user) self.assertEqual( response.status_code, 403, msg="If users has no permissions they should not be able to delete an attachment" ) # try to delete an attachment as user with correct permissions response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.group_user) self.assertEqual( response.status_code, 200, msg="Users with the correct permissions for a document should be able to delete an attachment" ) # re create the attachment self.attachment.save() # try to delete an attachment as superuser response = self.app.post(reverse('documents:delete_attachment'), params=params, xhr=True, user=self.user) self.assertEqual( response.status_code, 200, msg="Users with the correct permissions for a document should be able to delete an attachment" ) def test_view_attachment(self): params = { 'attachment_id': self.attachment.id, } # test that a user with insufficient permissions is not allowed to view/download an attachment # be an anonymous user response = self.app.post(reverse('documents:download_attachment'), params=params, expect_errors=True) self.assertEqual(response.status_code, 400, msg="Should be bad request as user used wrong request method") response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True) self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions") # test viewing an attachment using a user with insufficient permissions normal_user = UserProfile.objects.create_user("normal", "test", "*****@*****.**") assign_perm('change_informationdocument', normal_user, self.document) response = self.app.get(reverse('documents:download_attachment'), params=params, expect_errors=True, user=normal_user) self.assertEqual(response.status_code, 403, msg="Should be forbidden as user has insufficient permissions") # grant the correct permission to the user an try again assign_perm(InformationDocument.get_view_permission(), normal_user, self.document) response = self.app.get(reverse('documents:download_attachment'), params=params, user=normal_user) self.assertEqual( response.status_code, 200, msg="Users with sufficient permissions should be able to download an attachment" ) self.assertEqual( response.body.decode('utf-8'), self.content, msg="An attachment that has been downloaded should contain its original content" ) # try the same with a user that is in a group having the correct permission response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.group_user) self.assertEqual( response.status_code, 200, msg="Users with sufficient permissions should be able to download an attachment" ) self.assertEqual( response.body.decode('utf-8'), self.content, msg="An attachment that has been downloaded should contain its original content" ) # make sure that a superuser is always allowed to download an attachment response = self.app.get(reverse('documents:download_attachment'), params=params, user=self.user) self.assertEqual( response.status_code, 200, msg="Users with sufficient permissions should be able to download an attachment" ) self.assertEqual( response.body.decode('utf-8'), self.content, msg="An attachment that has been downloaded should contain its original content" )
class TestEditor(WebTest): csrf_checks = False def setUp(self): self.user = UserProfile.objects.create_superuser(username="******", email="*****@*****.**", password="******") self.user.is_verified = True self.user.is_active = True self.user.save() self.document = InformationDocument(title="title", text="text", author=self.user) self.document.save() def test_get_editor(self): response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), status=403) self.assertEqual(response.status_code, 403) response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="******") self.assertEqual(response.status_code, 200) form = response.form self.assertEqual(form.get('title').value, self.document.title) self.assertEqual(form.get('text').value, self.document.text) form.set('comment', 'changed title') form.set('title', 'new-title') response = form.submit('submit') self.assertRedirects(response, reverse('information_pages:edit', args=['new-title'])) document = Document.objects.get(url_title='new-title') self.assertEqual(document.url_title, 'new-title') def test_editor_error(self): for string in ['', ' ']: response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="******") form = response.form form.set('title', string) response = form.submit('submit') self.assertEqual(response.status_code, 200) self.assertIn('has-error', str(response.body)) def test_editor_permissions_for_single_user(self): test_user = UserProfile.objects.create_user("testuser2") assign_perm(InformationDocument.VIEW_PERMISSION_NAME, test_user, self.document) # test that test_user is not allowed to use editor response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="******", status=403) self.assertEqual(response.status_code, 403) # give that user the necessary permission and check again assign_perm('change_informationdocument', test_user, self.document) # it should work now response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="******") self.assertEqual(response.status_code, 200) def test_editor_permissions_for_groups(self): test_user = UserProfile.objects.create_user("testuser2") test_group = Group.objects.create(name="testgroup") test_user.groups.add(test_group) assign_perm(InformationDocument.VIEW_PERMISSION_NAME, test_group, self.document) # user should not be able to use the editor response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="******", status=403) self.assertEqual(response.status_code, 403) # add permission to group assign_perm('change_informationdocument', test_group, self.document) # user should now be able to use the editor response = self.app.get(reverse('information_pages:edit', args=[self.document.url_title]), user="******") self.assertEqual(response.status_code, 200)