def test_should_not_disable_restrictions_when_restricted_content_owned_users( self): """ User M User N User O User P Admin Admin User | \ / \ / | \ / \ / | Org A Org B Org C / \ / \ _____/ / \ / \ / Project X Project Y Project Z """ # Given org_content_owned = Organisation.objects.create( name='C', long_name='C', can_create_projects=False, enable_restrictions=True) Partnership.objects.create( organisation=org_content_owned, project=self.projects['Z'], iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) self.user_p = self.create_user('*****@*****.**') Employment.objects.create(user=self.user_p, organisation=org_content_owned, group=self.users, is_approved=True) restrict_projects(self.user_n, self.user_p, [self.projects['Z']]) # When self.org_b.enable_restrictions = False with self.assertRaises(CannotDisableRestrictions): self.org_b.save()
def test_admin_cannot_restrict_unmanageable_user(self): Y = self.projects['Y'] with self.assertRaises(InvalidPermissionChange): restrict_projects(self.user_m, self.user_o, [Y]) self.assertTrue(self.user_o.has_perm('rsr.view_project', Y))
def test_admin_employers_swapped_as_partners_retains_restrictions(self): """ User M User N User O User P Admin Admin User | \ / \ / | \ / \ / | Org A Org B Org C (content owned) / / \ | / / \ | Project X Project Y Project Z | | | +-------------------------+ """ Y = self.projects['Y'] Partnership.objects.get(organisation=self.org_a, project=Y).delete() org_content_owned = Organisation.objects.create( name='C', long_name='C', can_create_projects=False, enable_restrictions=True) Partnership.objects.create( organisation=org_content_owned, project=Y, iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) user_p = self.create_user('*****@*****.**') Employment.objects.create(user=user_p, organisation=org_content_owned, group=self.users, is_approved=True) restrict_projects(self.user_n, user_p, [Y]) Partnership.objects.get(organisation=self.org_b, project=Y).delete() Partnership.objects.create(organisation=self.org_a, project=Y) self.assertFalse(user_p.has_perm('rsr.view_project', Y))
def test_admin_cannot_restrict_inaccessible_projects_for_content_owned_user( self): """ User M User N User O User P Admin Admin User | \ / \ / | \ / \ / | Org A Org B /--Org C / \ / \ /---- | / \ / \ --- | Project X Project Y Project Z | | | +-------------------------+ """ org_content_owned = Organisation.objects.create( name='C', long_name='C', can_create_projects=False, enable_restrictions=True) Partnership.objects.create( organisation=org_content_owned, project=self.projects['Y'], iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) Partnership.objects.create( organisation=org_content_owned, project=self.projects['Z'], iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) user = self.create_user('*****@*****.**') Employment.objects.create(user=user, organisation=org_content_owned, group=self.users, is_approved=True) with self.assertRaises(InvalidPermissionChange): restrict_projects(self.user_m, user, [self.projects['Z']])
def test_removing_partner_does_not_restore_access(self): """ User M User N User O User P Admin Admin User | \ / \ / | \ / \ / | Org A Org B Org C (content owned) / \ / \ | / \ / \ | Project X Project Y Project Z | | | +-------------------------+ """ org_content_owned = Organisation.objects.create( name='C', long_name='C', can_create_projects=False, enable_restrictions=True) Partnership.objects.create( organisation=org_content_owned, project=self.projects['Y'], iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) user_p = self.create_user('*****@*****.**') Employment.objects.create(user=user_p, organisation=org_content_owned, group=self.users, is_approved=True) restrict_projects(self.user_m, user_p, [self.projects['Y']]) Partnership.objects.get(organisation=self.org_a, project=self.projects['Y']).delete() self.assertFalse( user_p.has_perm('rsr.view_project', self.projects['Y']))
def test_admin_cannot_restrict_other_admins(self): with self.assertRaises(InvalidPermissionChange): restrict_projects(self.user_m, self.user_n, [self.projects['Y']]) self.assertTrue( self.user_n.has_perm('rsr.view_project', self.projects['Y'])) self.assertTrue( self.user_n.has_perm('rsr.view_project', self.projects['Z']))
def test_admin_cannot_restrict_inaccessible_projects(self): Z = self.projects['Z'] with self.assertRaises(InvalidPermissionChange): restrict_projects(self.user_m, self.user_o, [Z]) self.assertTrue( self.user_o.has_perm('rsr.view_project', self.projects['Z']))
def test_removing_and_adding_partnership_doesnot_change_permissions(self): Z = self.projects['Z'] restrict_projects(self.user_n, self.user_o, [Z]) Partnership.objects.get(organisation=self.org_b, project=Z).delete() Partnership.objects.create(organisation=self.org_b, project=Z) self.assertFalse(self.user_o.has_perm('rsr.view_project', Z))
def test_endpoint_for_admin_and_user_having_same_org(self): """ /̶ o and \̶ o = project with restricted access for user_o User M User N User O Admin Admin User \ \ / \ \ / Org A Org B / \ /̶ o \ / \ /̶ o \ Project X Project Y Project Z """ # When # Remove User N's employment with A self.user_n.employers.filter(organisation=self.org_a).delete() restrict_projects(self.user_n, self.user_o, [self.projects['Y']]) self.c.login(username=self.user_n.username, password=self.password_n) response = self.c.get( '/rest/v1/user_projects_access/{}/'.format(self.user_o.pk), {'format': 'json'}) self.assertEqual(response.status_code, 200) content = json.loads(response.content) # organisation_groups = [ # { # organisations: "B", # projects: [ # { # id: <self.projects['Z'].pk>, # title: "Z", # subtitle: "Z subtitle", # access: True # }, # { # id: <self.projects['Y'].pk>, # title: "Y", # subtitle: "Y subtitle", # access: False # } # ] # } # ] org_groups = content['organisation_groups'] # Then self.assertEqual(len(org_groups), 1) self.assertEqual(org_groups[0]['organisations'], "B") self.assertEqual(len(org_groups[0]['projects']), 2) self.assertEqual(org_groups[0]['projects'][0]['id'], self.projects['Z'].pk) self.assertTrue(org_groups[0]['projects'][0]['access']) self.assertEqual(org_groups[0]['projects'][1]['id'], self.projects['Y'].pk) self.assertFalse(org_groups[0]['projects'][1]['access'])
def test_new_projects_not_accessible_to_implementing_partners_not_content_owned_org_users( self): """ ---------------------------------------------+ / | User M User N User O User P | Admin Admin User | | \ / \ / | | \ / \ / | | Org A Org B --- Project W---Org C --+ / \ / \ | / \ / \ | Project X Project Y Project Z | | | +-------------------------------------+ """ # Given self.org_b.enable_restrictions = False self.org_b.save() implementing_partner = Organisation.objects.create( name='C', long_name='C', can_create_projects=True, enable_restrictions=True) Partnership.objects.create( organisation=implementing_partner, project=self.projects['X'], iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) self.user_p = self.create_user('*****@*****.**') Employment.objects.create(user=self.user_p, organisation=implementing_partner, group=self.users, is_approved=True) Employment.objects.create(user=self.user_m, organisation=implementing_partner, group=self.admins, is_approved=True) restrict_projects(self.user_m, self.user_p, [self.projects['X']]) # When self.projects['W'] = project = Project.objects.create(title='W') # FIXME: Ideally, this call should be automatic, but is manual now. Project.new_project_created(project.id, self.user_n) Partnership.objects.create( organisation=implementing_partner, project=project, iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) # Then self.assertFalse(self.org_b.enable_restrictions) self.assertTrue(implementing_partner.enable_restrictions) self.assertFalse( self.user_p.has_perm('rsr.view_project', self.projects['X'])) self.assertFalse( self.user_p.has_perm('rsr.view_project', self.projects['Y'])) self.assertFalse( self.user_p.has_perm('rsr.view_project', self.projects['Z'])) self.assertFalse(self.user_p.has_perm('rsr.view_project', project))
def test_unrestrict_user_with_restricted_projects_from_other_org(self): """ User M User N User O User P Admin Admin User | \ \ / | \ \ / | Org A Org B Org C (content owned) / \ \ /̶ P | / \ \ /̶ P | Project X Project Y Project Z | | | | +-----------+-------------+ Test that you can't unrestrict a user (set is_restricted to False) with restricted projects that you don't control """ # When Y, Z = self.projects['Y'], self.projects['Z'] org_content_owned = Organisation.objects.create( name='C', long_name='C', can_create_projects=False, enable_restrictions=True) Partnership.objects.create( organisation=org_content_owned, project=Y, iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) Partnership.objects.create( organisation=org_content_owned, project=Z, iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) user_p = self.create_user('*****@*****.**') Employment.objects.create(user=user_p, organisation=org_content_owned, group=self.users, is_approved=True) Employment.objects.get(user=self.user_n, organisation=self.org_a).delete() Partnership.objects.get(organisation=self.org_b, project=Y).delete() restrict_projects(self.user_n, user_p, [Z]) self.c.login(username=self.user_m.username, password=self.password_m) data = json.dumps({ 'user_projects': { 'is_restricted': False, 'projects': [Y.pk] }, }) response = self.c.patch('/rest/v1/user_projects_access/{}/'.format( user_p.pk), data=data, content_type='application/json') # Then self.assertEqual(response.status_code, 400) self.assertEqual(response.data['non_field_errors'][0], u'This user may not be unrestricted at this time.')
def test_can_add_new_restrictions(self): restrict_projects(self.user_n, self.user_o, [self.projects['Z']]) restrict_projects(self.user_n, self.user_o, [self.projects['Y']]) self.assertFalse( self.user_o.has_perm('rsr.view_project', self.projects['Z'])) self.assertFalse( self.user_o.has_perm('rsr.view_project', self.projects['Y']))
def test_user_may_be_unrestricted_only_by_eligible_admin(self): """ User M User N User O User P Admin Admin User | \ \ / | \ \ / | Org A Org B Org C (content owned) / \ \ /̶ P | / \ \ /̶ P | Project X Project Y Project Z | | | +-------------------------+ Check the may_unrestrict field on the UserProjectsSerializer """ # When Y, Z = self.projects['Y'], self.projects['Z'] org_content_owned = Organisation.objects.create( name='C', long_name='C', can_create_projects=False, enable_restrictions=True) Partnership.objects.create( organisation=org_content_owned, project=Y, iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) Partnership.objects.create( organisation=org_content_owned, project=Z, iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) user_p = self.create_user('*****@*****.**') Employment.objects.create(user=user_p, organisation=org_content_owned, group=self.users, is_approved=True) Employment.objects.get(user=self.user_n, organisation=self.org_a).delete() Partnership.objects.get(organisation=self.org_b, project=Y).delete() restrict_projects(self.user_n, user_p, [Z]) self.c.login(username=self.user_m.username, password=self.password_m) response_m = self.c.get('/rest/v1/user_projects_access/{}/'.format( user_p.pk), content_type='application/json') self.c.login(username=self.user_n.username, password=self.password_n) response_n = self.c.get('/rest/v1/user_projects_access/{}/'.format( user_p.pk), content_type='application/json') # Then may_unrestrict_m = response_m.data['user_projects']['may_unrestrict'] may_unrestrict_n = response_n.data['user_projects']['may_unrestrict'] self.assertFalse(may_unrestrict_m) self.assertTrue(may_unrestrict_n)
def test_new_projects_are_not_accessible_to_restricted_users_if_enable_restrictions( self): restrict_projects(self.user_n, self.user_o, [self.projects['Z']]) project = Project.objects.create(title='W') Project.new_project_created(project.id, self.user_n) self.assertFalse(self.user_o.has_perm('rsr.view_project', project)) self.assertFalse( self.user_o.has_perm('rsr.view_project', self.projects['Z']))
def test_admin_can_remove_restrictions(self): user = self.create_user('*****@*****.**') Employment.objects.create(user=user, organisation=self.org_a, group=self.users, is_approved=True) restrict_projects(self.user_m, user, [self.projects['X']]) unrestrict_projects(self.user_m, user, [self.projects['X']]) self.assertTrue(user.has_perm('rsr.view_project', self.projects['X'])) self.assertTrue(user.has_perm('rsr.view_project', self.projects['Y']))
def test_should_not_disable_restrictions_when_restricted_users(self): # Given self.assertTrue(self.org_b.enable_restrictions) restrict_projects(self.user_n, self.user_o, [self.projects['Z']]) # When/Then self.org_b.enable_restrictions = False with self.assertRaises(CannotDisableRestrictions): self.org_b.save() # Then org_b = Organisation.objects.get(pk=self.org_b.pk) self.assertTrue(org_b.enable_restrictions)
def test_admin_cannot_remove_restrictions_from_non_manageable_user(self): user = self.create_user('*****@*****.**') Employment.objects.create(user=user, organisation=self.org_b, group=self.users, is_approved=True) restrict_projects(self.user_n, user, [self.projects['Y']]) with self.assertRaises(InvalidPermissionChange): unrestrict_projects(self.user_m, user, [self.projects['Y']]) self.assertFalse(user.has_perm('rsr.view_project', self.projects['Y'])) self.assertTrue(user.has_perm('rsr.view_project', self.projects['Z']))
def test_admin_can_restrict_new_user(self): user = self.create_user('*****@*****.**') Employment.objects.create(user=user, organisation=self.org_a, group=self.users, is_approved=True) admin = self.user_m project = self.projects['X'] restrict_projects(admin, user, [project]) self.assertFalse(user.has_perm('rsr.view_project', self.projects['X'])) self.assertTrue(user.has_perm('rsr.view_project', self.projects['Y']))
def update(self, user, validated_data): """ Custom update method that adds and/or removes projects from the UserProjects.projects list """ # Wrap in a transaction to make sure we don't "forget" the original list if there's a # PermissionDenied error with transaction.atomic(): user_projects_data = validated_data.get('user_projects', None) if user_projects_data is not None: admin = self.context['request'].user.user # Check if we have a list of projects. These are all projects # that the admin currently grants access to. The user may have access # to other projects, which this admin cannot restrict/grant # access to. accessible_projects_by_admin = user_projects_data.get('projects', None) accessible_projects_by_admin_pks = set( p.pk for p in accessible_projects_by_admin or {} ) # All projects currently accessible by the user try: projects = UserProjects.objects.get(user=user).projects.values_list('pk', flat=True) except UserProjects.DoesNotExist: projects = [] # All projects admin may grant/restrict access to admin_associated_project_pks = admin.admin_projects().values_list('pk', flat=True) # Currently accessible projects of the user, that admin may grant/restrict access to currently_accessible_projects = set(projects) & set(admin_associated_project_pks) # projects part of currently_accessible_projects but not part of # accessible_projects_by_admin_pks should be restricted restricted_projects = currently_accessible_projects - accessible_projects_by_admin_pks user_projects = restrict_projects( admin, user, Project.objects.filter(pk__in=restricted_projects) ) # The projects where the admin has granted access by selecting # previously unselected check boxes unrestricted_projects = ( accessible_projects_by_admin_pks - set( user_projects.projects.values_list('pk', flat=True) ) ) user_projects = unrestrict_projects( admin, user, Project.objects.filter(pk__in=unrestricted_projects) ) # Finally set is_restricted is_restricted = user_projects_data.get('is_restricted', None) if is_restricted is not None: user_projects.is_restricted = is_restricted user_projects.save() # For reasons I don't understand, on the original instance, user, the fields on # UserProjects for the instance are not updated resulting in returning stale data if there # have been changes. Fix by fetching a fresh instance of User. return get_user_model().objects.get(pk=user.pk)
def test_access_for_restricted_user_of_new_project(self): # When self.c.login(username=self.user_n.username, password=self.password_n) self.validation = ProjectEditorValidationSet.objects.create( name='test') restrict_projects(self.user_n, self.user_o, [self.projects['Y']]) response = self.c.post('/rest/v1/project/', { 'format': 'json', 'validations': [self.validation.pk] }) # Then project_id = response.data['id'] my_projects_list = self.user_o.my_projects().values_list('id', flat=True) self.assertTrue(project_id in my_projects_list)
def __init__(self, *args, **kwargs): """ Delete the 'absolute_url' field added in BaseRSRSerializer.__init__(). It's neither correct nor do we want this data to be visible. """ super(UserProjectAccessSerializer, self).__init__(*args, **kwargs) del self.fields['absolute_url'] user = self.instance # for some reason the serializer is called three times when accessing the endpoint, # therefore we check for the existence of a UserProjects object to not have to call # restrict_projects more than once try: UserProjects.objects.get(user=user) except UserProjects.DoesNotExist: admin = self.context['request'].user # Make sure we have a UserProjects object, but don't change an existing one restrict_projects(admin, user, Project.objects.none())
def test_removing_one_role_of_partner_does_not_restore_access(self): """ User M User N User O Admin Admin User \ / \ / \ / \ / Funding partner Org A Org B-------+ / \ / \ | (default partnership) / \ / \ | Project X Project Y Project Z """ extra_partnership = Partnership.objects.create( organisation=self.org_b, project=self.projects['Z'], iati_organisation_role=Partnership.IATI_FUNDING_PARTNER) Z = self.projects['Z'] restrict_projects(self.user_n, self.user_o, [Z]) extra_partnership.delete() self.assertFalse(self.user_o.has_perm('rsr.view_project', Z))
def test_user_can_be_restricted_by_multiple_admins(self): Employment.objects.create(user=self.user_o, organisation=self.org_a, group=self.users, is_approved=True) X, Y, Z = (self.projects[name] for name in 'XYZ') restrict_projects(self.user_m, self.user_o, [X]) restrict_projects(self.user_n, self.user_o, [Y]) restrict_projects(self.user_n, self.user_o, [Z]) self.assertFalse(self.user_o.has_perm('rsr.view_project', X)) self.assertFalse(self.user_o.has_perm('rsr.view_project', Y)) self.assertFalse(self.user_o.has_perm('rsr.view_project', Z))
def test_admin_can_restrict_user_with_restricted_projects_from_other_org( self): """ User M User N User O User P Admin Admin User | \ \ / | \ \ / | Org A Org B Org C (content owned) / \ / \ /̶ P | / \ / \ /̶ P | Project X Project Y Project W Project Z | | | | | +--------------+------------+-------------+ Test that you can restrict permissions for a user with restricted projects that you don't control """ # Given Y, Z = self.projects['Y'], self.projects['Z'] W = Project.objects.create(title='W') Project.new_project_created(W.id, self.user_n) org_content_owned = Organisation.objects.create( name='C', long_name='C', can_create_projects=False, enable_restrictions=True) Partnership.objects.create( organisation=org_content_owned, project=Y, iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) Partnership.objects.create( organisation=org_content_owned, project=Z, iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) Partnership.objects.create( organisation=org_content_owned, project=W, iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) user_p = self.create_user('*****@*****.**') Employment.objects.create(user=user_p, organisation=org_content_owned, group=self.users, is_approved=True) Employment.objects.get(user=self.user_n, organisation=self.org_a).delete() Partnership.objects.get(organisation=self.org_b, project=Y).delete() restrict_projects(self.user_n, user_p, [Z]) self.c.login(username=self.user_m.username, password=self.password_m) data = json.dumps({ 'user_projects': { 'is_restricted': True, 'projects': [] }, }) # When response = self.c.patch('/rest/v1/user_projects_access/{}/'.format( user_p.pk), data=data, content_type='application/json') # Then may_unrestrict_m = response.data['user_projects']['may_unrestrict'] self.assertFalse(may_unrestrict_m) projects = response.data['user_projects']['projects'] self.assertEqual(projects, [W.id])
def test_new_projects_are_accessible_in_unrestricted_content_owner_orgs( self): """ User M User N User O User P Admin Admin User | \ / \ / | \ / \ / | Org A Org B - -Project W- - Org C / \ / \ _____/ | / \ / \ / | Project X Project Y Project Z | | | +-------------------------------------+ | | Project U --------------------------------+ """ # Given self.org_b.enable_restrictions = False self.org_b.save() org_content_owned = Organisation.objects.create( name='C', long_name='C', can_create_projects=False, enable_restrictions=True) Partnership.objects.create( organisation=org_content_owned, project=self.projects['X'], iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) Partnership.objects.create( organisation=org_content_owned, project=self.projects['Z'], iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) self.user_p = self.create_user('*****@*****.**') Employment.objects.create(user=self.user_p, organisation=org_content_owned, group=self.users, is_approved=True) restrict_projects(self.user_m, self.user_p, [self.projects['X']]) # When self.projects['W'] = project = Project.objects.create(title='W') # FIXME: Ideally, this call should be automatic, but is manual now. Project.new_project_created(project.id, self.user_n) Partnership.objects.create( organisation=org_content_owned, project=project, iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) self.projects['U'] = project = Project.objects.create(title='U') # FIXME: Ideally, this call should be automatic, but is manual now. Project.new_project_created(project.id, self.user_m) Partnership.objects.create( organisation=org_content_owned, project=project, iati_organisation_role=Partnership.IATI_IMPLEMENTING_PARTNER) # Then self.assertFalse(self.org_b.enable_restrictions) self.assertTrue(self.org_a.enable_restrictions) self.assertTrue(org_content_owned.enable_restrictions) self.assertTrue( self.user_p.has_perm('rsr.view_project', self.projects['Z'])) self.assertTrue( self.user_p.has_perm('rsr.view_project', self.projects['W'])) self.assertFalse( self.user_p.has_perm('rsr.view_project', self.projects['Y'])) self.assertFalse( self.user_p.has_perm('rsr.view_project', self.projects['U']))
def test_endpoint_for_admin_n_user_o_with_extra_employment(self): """ Test where user o has an employment in C too /̶ o and \̶ o = project with restricted access for user_o User M User N User O Admin Admin User \ / \ / \ \ / \ / \ Org A Org B Org C / \ /̶ o \ / / \ /̶ o \ / Project X Project Y Project Z """ # When self.org_c = Organisation.objects.create(name='C', long_name='C', can_create_projects=True) Partnership.objects.create(organisation=self.org_c, project=self.projects['Z']) Employment.objects.create(user=self.user_o, organisation=self.org_c, group=self.users, is_approved=True) restrict_projects(self.user_n, self.user_o, [self.projects['Y']]) self.c.login(username=self.user_n.username, password=self.password_n) response = self.c.get( '/rest/v1/user_projects_access/{}/'.format(self.user_o.pk), {'format': 'json'}) self.assertEqual(response.status_code, 200) content = json.loads(response.content) # [ # { # organisations: "A, B", # projects: [ # { # id: <self.projects['Y'].pk>, # title: "Y", # subtitle: "Y subtitle", # access: False # } # ] # }, # { # organisations: "B, C", # projects: [ # { # id: <self.projects['Z'].pk>, # title: "Z", # subtitle: "Z subtitle", # access: True # } # ] # } # ] # Then org_groups = sorted(content['organisation_groups'], key=lambda x: x['organisations']) self.assertEqual(len(org_groups), 2) self.assertEqual(org_groups[0]['organisations'], "A, B") self.assertEqual(len(org_groups[0]['projects']), 1) self.assertEqual(org_groups[0]['projects'][0]['id'], self.projects['Y'].pk) self.assertFalse(org_groups[0]['projects'][0]['access']) self.assertEqual(org_groups[1]['organisations'], "B, C") self.assertEqual(len(org_groups[1]['projects']), 1) self.assertEqual(org_groups[1]['projects'][0]['id'], self.projects['Z'].pk) self.assertTrue(org_groups[1]['projects'][0]['access'])
def test_endpoint_for_admin_n_user_o(self): """ Test where admin is employed by two organisations /̶ o and \̶ o = project with restricted access for user_o User M User N User O Admin Admin User \ / \ / \ / \ / Org A Org B / \ /̶ o \ / \ /̶ o \ Project X Project Y Project Z """ # When restrict_projects(self.user_n, self.user_o, [self.projects['Y']]) self.c.login(username=self.user_n.username, password=self.password_n) response = self.c.get( '/rest/v1/user_projects_access/{}/'.format(self.user_o.pk), {'format': 'json'}) self.assertEqual(response.status_code, 200) content = json.loads(response.content) # [ # { # organisations: "A, B", # projects: [ # { # id: <self.projects['Y'].pk>, # title: "Y", # subtitle: "Y subtitle", # access: False # } # ] # }, # { # organisations: "B", # projects: [ # { # id: <self.projects['Z'].pk>, # title: "Z", # subtitle: "Z subtitle", # access: True # } # ] # } # ] org_groups = sorted(content['organisation_groups'], key=lambda x: x['organisations']) # Then self.assertEqual(len(org_groups), 2) self.assertEqual(org_groups[0]['organisations'], "A, B") self.assertEqual(len(org_groups[0]['projects']), 1) self.assertEqual(org_groups[0]['projects'][0]['id'], self.projects['Y'].pk) self.assertFalse(org_groups[0]['projects'][0]['access']) self.assertEqual(org_groups[1]['organisations'], "B") self.assertEqual(len(org_groups[1]['projects']), 1) self.assertEqual(org_groups[1]['projects'][0]['id'], self.projects['Z'].pk) self.assertTrue(org_groups[1]['projects'][0]['access'])