def test_update_form_input_entry_normal_user_fail_no_permission( client: TestClient, db: Session) -> None: """Fail if the normal user doesn't have update permissions""" setup = form_input_permission_setup( db, permission_type=PermissionTypeEnum.update, permission_enabled=False) form_input = setup["form_input"] user = setup["user"] form_input_entry = create_random_form_input_table_entry(db) data = {"name": random_lower_string()} user_token_headers = authentication_token_from_email(client=client, email=user.email, db=db) response = client.put( (f"{settings.API_V1_STR}/interfaces/form-inputs/" f"{form_input.id}/entries/{form_input_entry.id}"), headers=user_token_headers, json=data, ) content = response.json() assert response.status_code == 403 assert content["detail"] == ( f"User ID {user.id} does not have update permissions for " f"interface ID {form_input.id}")
def test_update_node_normal_user(client: TestClient, superuser_token_headers: dict, db: Session) -> None: """Successfully update a node as a normal user""" setup = node_permission_setup( db, node_type="test_update_node_normal_user", permission_type=PermissionTypeEnum.update, permission_enabled=True, ) data = { "node_type": "updated_test_node", "name": random_lower_string(), } user_token_headers = authentication_token_from_email( client=client, email=setup["user"].email, db=db) response = client.put( f"{settings.API_V1_STR}/nodes/{setup['node'].id}", headers=user_token_headers, json=data, ) assert response.status_code == 200 content = response.json() assert content["node_type"] == data["node_type"] assert content["name"] == data["name"] assert content["is_active"] == setup["node"].is_active assert content["parent_id"] == setup["node"].parent_id assert content["depth"] == 0 assert "id" in content assert "created_at" in content assert "updated_at" in content assert "created_by_id" in content assert "updated_by_id" in content
def test_create_user_normal_user(client: TestClient, db: Session) -> None: username = random_email() password = random_lower_string() user_group = create_random_user_group(db) data = {"email": username, "password": password, "user_group_id": user_group.id} user = create_random_user(db) crud.user_group.add_user(db, user_group=user_group, user_id=user.id) create_permission = crud.user_group.get_permission( db, id=user_group.id, permission_type=PermissionTypeEnum.create ) crud.permission.grant( db, user_group_id=user_group.id, permission_id=create_permission.id ) user_token_headers = authentication_token_from_email( client=client, email=user.email, db=db ) r = client.post( f"{settings.API_V1_STR}/users/", headers=user_token_headers, json=data, ) created_user = r.json() user = crud.user.get_by_email(db, email=username) assert 200 <= r.status_code < 300 assert user assert user.email == created_user["email"] assert user_group in user.user_groups
def test_create_user_fail_normal_user_no_permission( client: TestClient, db: Session ) -> None: username = random_email() password = random_lower_string() user_group = create_random_user_group(db) data = {"email": username, "password": password, "user_group_id": user_group.id} user = create_random_user(db) crud.user_group.add_user(db, user_group=user_group, user_id=user.id) user_token_headers = authentication_token_from_email( client=client, email=user.email, db=db ) r = client.post( f"{settings.API_V1_STR}/users/", headers=user_token_headers, json=data, ) content = r.json() returned_user = crud.user.get_by_email(db, email=username) assert r.status_code == 403 assert returned_user is None assert content["detail"] == ( f"User ID {user.id} does not have create permissions for " f"user_group ID {user_group.id}" )
def test_create_user_fail_user_group_not_exists( client: TestClient, db: Session ) -> None: username = random_email() password = random_lower_string() data = {"email": username, "password": password, "user_group_id": -1} user = create_random_user(db) user_group = create_random_user_group(db) crud.user_group.add_user(db, user_group=user_group, user_id=user.id) create_permission = crud.user_group.get_permission( db, id=user_group.id, permission_type=PermissionTypeEnum.create ) crud.permission.grant( db, user_group_id=user_group.id, permission_id=create_permission.id ) user_token_headers = authentication_token_from_email( client=client, email=user.email, db=db ) r = client.post( f"{settings.API_V1_STR}/users/", headers=user_token_headers, json=data, ) content = r.json() user = crud.user.get_by_email(db, email=username) assert r.status_code == 404 assert user is None assert content["detail"] == "Can not find user group."
def test_remove_interface_from_node_normal_user(client: TestClient, db: Session) -> None: """Successfully remove an interface from a node as a normal user""" setup = node_permission_setup( db, node_type="test", permission_type=PermissionTypeEnum.update, permission_enabled=True, ) node = setup["node"] user = setup["user"] interface = create_random_form_input_interface(db) user_token_headers = authentication_token_from_email(client=client, email=user.email, db=db) crud.node.add_interface(db, node=node, interface=interface) response = client.post( f"{settings.API_V1_STR}/nodes/{node.id}/interfaces/{interface.id}/remove", headers=user_token_headers, ) db.refresh(node) assert response.status_code == 200 assert interface not in node.interfaces
def test_delete_form_input_entry_normal_user(client: TestClient, db: Session) -> None: """Successful form input delete by a normal user""" setup = form_input_permission_setup( db, permission_type=PermissionTypeEnum.delete) form_input = setup["form_input"] user = setup["user"] form_input_entry = create_random_form_input_table_entry(db) user_token_headers = authentication_token_from_email(client=client, email=user.email, db=db) response = client.delete( (f"{settings.API_V1_STR}/interfaces/form-inputs/" f"{form_input.id}/entries/{form_input_entry.id}"), headers=user_token_headers, ) form_input_crud = crud.form_input.get_table_crud(db, id=form_input.id) stored_form_input_entry = form_input_crud.get(db, id=form_input_entry.id) content = response.json() assert response.status_code == 200 assert content["id"] == form_input_entry.id assert content["name"] == form_input_entry.name assert content["date_created"] == str(form_input_entry.date_created) assert content["an_integer"] == form_input_entry.an_integer assert content["node_id"] == form_input_entry.node_id assert stored_form_input_entry is None
def test_get_course_weakadmin(client: TestClient, db: Session) -> None: admin = create_random_user(db=db, type="admin", permissions=0) admin_user_token_headers = authentication_token_from_email( client=client, db=db, email=admin.email, user_type="admin") r = client.get(f"{settings.API_V1_STR}/courses/", headers=admin_user_token_headers) assert r.status_code == 403
def test_read_network_nodes_fail_normal_user(client: TestClient, superuser_token_headers: dict, db: Session) -> None: """Fail when attempting to read network nodes as a normal user""" setup = multi_node_permission_setup( db, n=10, node_type="network", permission_type=PermissionTypeEnum.read, permission_enabled=True, ) nodes = setup["nodes"] user = setup["user"] node_ids = [node.id for node in nodes] user_token_headers = authentication_token_from_email(client=client, email=user.email, db=db) response = client.get( f"{settings.API_V1_STR}/nodes/networks/", headers=user_token_headers, ) content = response.json() assert response.status_code == 400 assert content["detail"] == "The user is not a superuser"
def test_create_node_fail_permission_missing(client: TestClient, superuser_token_headers: dict, db: Session) -> None: """ Node creation fails when user does not have a permission associate with the resource """ # Setup: Create the parent node, create a user. Importantly, no permission setup # for the user and the parent node parent_node = create_random_node(db, created_by_id=1, node_type="network") user = create_random_user(db) user_token_headers = authentication_token_from_email(client=client, email=user.email, db=db) data = { "node_type": "test_create_node", "name": random_lower_string(), "is_active": True, "parent_id": parent_node.id, } response = client.post( f"{settings.API_V1_STR}/nodes/", headers=user_token_headers, json=data, ) assert response.status_code == 403 content = response.json() assert content[ "detail"] == "User does not have permission to create this node"
def test_read_node_normal_user(client: TestClient, superuser_token_headers: dict, db: Session) -> None: """Successfully read a node with permissions""" setup = node_permission_setup( db, node_type="test_read_node_normal_user", permission_type=PermissionTypeEnum.read, permission_enabled=True, ) user_token_headers = authentication_token_from_email( client=client, email=setup["user"].email, db=db) response = client.get( f"{settings.API_V1_STR}/nodes/{setup['node'].id}", headers=user_token_headers, ) assert response.status_code == 200 content = response.json() assert content["node_type"] == setup["node"].node_type assert content["name"] == setup["node"].name assert content["is_active"] assert content["depth"] == 0 assert "id" in content assert "parent_id" in content assert "created_at" in content assert "updated_at" in content assert "created_by_id" in content assert "updated_by_id" in content
def test_get_node_with_children_normal_user_fail_no_permission( client: TestClient, db: Session) -> None: """Fail if the user doesn't have read permissions on the node""" setup = node_permission_setup( db, node_type="test", permission_type=PermissionTypeEnum.read, permission_enabled=False, ) node = setup["node"] user = setup["user"] user_token_headers = authentication_token_from_email(client=client, email=user.email, db=db) response = client.get( f"{settings.API_V1_STR}/nodes/{node.id}/children", headers=user_token_headers, ) content = response.json() assert response.status_code == 403 assert content["detail"] == ( f"User ID {user.id} does not have " f"{setup['permission'].permission_type} permissions for " f"{setup['permission'].resource_type} ID {node.id}")
def test_create_node_fail_permission_false(client: TestClient, superuser_token_headers: dict, db: Session) -> None: """Node creation fails when user has a permission not enabled for node parent""" setup = node_permission_setup( db, node_type="test_create_node_fail_permission_false", permission_type=PermissionTypeEnum.create, permission_enabled=False, ) user_token_headers = authentication_token_from_email( client=client, email=setup["user"].email, db=db) data = { "node_type": "test_create_node", "name": random_lower_string(), "is_active": True, "parent_id": setup["node"].id, } response = client.post( f"{settings.API_V1_STR}/nodes/", headers=user_token_headers, json=data, ) assert response.status_code == 403 content = response.json() assert content[ "detail"] == "User does not have permission to create this node"
def test_get_school_invalid_student(client: TestClient, db: Session) -> None: school = create_random_school(db) admin_user_token_headers = authentication_token_from_email( client=client, db=db, email=random_email()) r = client.get(f"{settings.API_V1_STR}/schools/{school.id}", headers=admin_user_token_headers) assert r.status_code == 403
def test_get_node_with_children_normal_user(client: TestClient, db: Session) -> None: """Successfully get a node with children listing""" setup = node_permission_setup( db, node_type="test", permission_type=PermissionTypeEnum.read, permission_enabled=True, ) node = setup["node"] user = setup["user"] user_group = setup["user_group"] user_token_headers = authentication_token_from_email(client=client, email=user.email, db=db) response = client.get( f"{settings.API_V1_STR}/nodes/{node.id}/children", headers=user_token_headers, ) content = response.json() assert response.status_code == 200 for child in content: if child["child_type"] == "user_group": assert child["child_id"] == user_group.id
def test_create_form_input_entry_normal_user(client: TestClient, db: Session) -> None: """Successful form input entry creation by normal user""" setup = form_input_permission_setup( db, permission_type=PermissionTypeEnum.create) user = setup["user"] form_input = setup["form_input"] node = create_random_node(db) data = { "name": random_lower_string(), "date_created": str(date(1985, 1, 1) + timedelta(days=randint(0, 9999))), "an_integer": randint(0, 10000), "node_id": node.id, } form_input = crud.form_input.get_by_template_table_name( db, table_name="form_input_test_table") user_token_headers = authentication_token_from_email(client=client, email=user.email, db=db) response = client.post( f"{settings.API_V1_STR}/interfaces/form-inputs/{form_input.id}/entries/", headers=user_token_headers, json=data, ) content = response.json() assert response.status_code == 200 assert content["id"] assert content["name"] == data["name"] assert content["date_created"] == data["date_created"] assert content["an_integer"] == data["an_integer"] assert content["node_id"] == data["node_id"]
def test_update_node_fail_user_no_parent_permission( client: TestClient, superuser_token_headers: dict, db: Session) -> None: """Fails if the user doesn't have update permissions on the new parent node""" new_parent_node = create_random_node(db, created_by_id=1, node_type="new_parent_node") data = {"parent_id": new_parent_node.id} setup = node_permission_setup( db, node_type="test_update_node_fail_user_no_permission", permission_type=PermissionTypeEnum.update, permission_enabled=True, ) user_token_headers = authentication_token_from_email( client=client, email=setup["user"].email, db=db) response = client.put( f"{settings.API_V1_STR}/nodes/{setup['node'].id}", headers=user_token_headers, json=data, ) assert response.status_code == 403 content = response.json() assert content["detail"] == ( "User does not have permission to assign resources to node " f"{data['parent_id']}")
def test_remove_interface_from_node_normal_user_fail_no_permission( client: TestClient, db: Session) -> None: """Successfully add an interface to a node as a normal user""" setup = node_permission_setup( db, node_type="test", permission_type=PermissionTypeEnum.update, permission_enabled=False, ) node = setup["node"] user = setup["user"] interface = create_random_form_input_interface(db) user_token_headers = authentication_token_from_email(client=client, email=user.email, db=db) response = client.post( f"{settings.API_V1_STR}/nodes/{node.id}/interfaces/{interface.id}/remove", headers=user_token_headers, ) content = response.json() assert response.status_code == 403 assert content["detail"] == ( f"User ID {user.id} does not have " f"{setup['permission'].permission_type} permissions for " f"{setup['permission'].resource_type} ID {node.id}")
def test_update_node_fail_user_no_permission(client: TestClient, superuser_token_headers: dict, db: Session) -> None: """Fails if the user doesn't have update permissions on the target node""" setup = node_permission_setup( db, node_type="test_update_node_fail_user_no_permission", permission_type=PermissionTypeEnum.update, permission_enabled=False, ) user_token_headers = authentication_token_from_email( client=client, email=setup["user"].email, db=db) data = {"name": "no matter"} response = client.put( f"{settings.API_V1_STR}/nodes/{setup['node'].id}", headers=user_token_headers, json=data, ) assert response.status_code == 403 content = response.json() assert content["detail"] == ( f"User ID {setup['user'].id} does not have " f"{setup['permission'].permission_type} permissions for " f"{setup['permission'].resource_type} ID {setup['node'].id}")
def test_update_form_input_entry_normal_user(client: TestClient, db: Session) -> None: """Successful form input update by a normal user""" setup = form_input_permission_setup( db, permission_type=PermissionTypeEnum.update) form_input = setup["form_input"] user = setup["user"] form_input_entry = create_random_form_input_table_entry(db) data = {"name": random_lower_string()} user_token_headers = authentication_token_from_email(client=client, email=user.email, db=db) response = client.put( (f"{settings.API_V1_STR}/interfaces/form-inputs/" f"{form_input.id}/entries/{form_input_entry.id}"), headers=user_token_headers, json=data, ) content = response.json() assert response.status_code == 200 assert content["id"] == form_input_entry.id assert content["name"] == data["name"] assert content["date_created"] == str(form_input_entry.date_created) assert content["an_integer"] == form_input_entry.an_integer assert content["node_id"] == form_input_entry.node_id
def test_create_form_input_entry_normal_user_fail_no_permission( client: TestClient, db: Session) -> None: """Fail if the normal user doesn't have create permissions""" node = create_random_node(db) data = { "name": random_lower_string(), "date_created": str(date(1985, 1, 1) + timedelta(days=randint(0, 9999))), "an_integer": randint(0, 10000), "node_id": node.id, } form_input = crud.form_input.get_by_template_table_name( db, table_name="form_input_test_table") user = create_random_user(db) user_token_headers = authentication_token_from_email(client=client, email=user.email, db=db) response = client.post( f"{settings.API_V1_STR}/interfaces/form-inputs/{form_input.id}/entries/", headers=user_token_headers, json=data, ) content = response.json() assert response.status_code == 403 assert content["detail"] == (f"User ID {user.id} does not have " f"create permissions for " f"interface ID {form_input.id}")
def test_get_student_divisions_id_admin_without_perms(client: TestClient, db: Session) -> None: student = create_random_student(db) admin = create_random_user(db, type="admin") r = client.get( f"{settings.API_V1_STR}/students/{student.user_id}/divisions", headers=authentication_token_from_email(client=client, email=admin.email, db=db), ) assert r.status_code == 403
def test_get_timeslot_admin(client: TestClient, db: Session) -> None: admin_perms = AdminPermissions(0) admin_perms["school"] = True admin = create_random_user(db=db, type="admin", permissions=admin_perms.permissions) admin_user_token_headers = authentication_token_from_email( client=client, db=db, email=admin.email, user_type="admin" ) r = client.get(f"{settings.API_V1_STR}/timeslots/", headers=admin_user_token_headers) assert r.status_code == 200
def test_read_user_self(client: TestClient, db: Session) -> None: user = create_random_user(db, type="student") r = client.get( f"{settings.API_V1_STR}/users/{user.id}", headers=authentication_token_from_email(client=client, email=user.email, db=db), ) assert r.status_code == 200 fetched_user = r.json() compare_api_and_db_query_results(api_result=fetched_user, db_dict=to_json(user))
def test_read_professor_by_id_professor(client: TestClient, db: Session) -> None: professor = create_random_user(db, type="professor") r = client.get( f"{settings.API_V1_STR}/professors/{professor.id}", headers=authentication_token_from_email(client=client, email=professor.email, db=db), ) assert r.status_code == 200
def test_get_student_me_normal_student(client: TestClient, db: Session) -> None: student = create_random_student(db) r = client.get( f"{settings.API_V1_STR}/students/me", headers=authentication_token_from_email(client=client, email=student.user.email, db=db), ) assert r.status_code == 200 fetched_student = r.json() assert fetched_student compare_api_and_db_query_results(api_result=fetched_student, db_dict=to_json(student))
def test_update_students_non_admin(client: TestClient, db: Session) -> None: student = create_random_student(db) term_id = create_random_term(db).id data = {"term_id": term_id} r = client.put( f"{settings.API_V1_STR}/students/{student.user_id}", headers=authentication_token_from_email(client=client, email=student.user.email, db=db), json=data, ) assert r.status_code == 403
def test_create_superuser_by_normal_admin_with_user_perms(client: TestClient, db: Session) -> None: admin_user = create_random_user(db=db, type="admin", is_admin=True, permissions=1) username = random_email() password = random_password() data = {"email": username, "password": password, "type": "superuser"} r = client.post( f"{settings.API_V1_STR}/users/", headers=authentication_token_from_email(client=client, email=admin_user.email, db=db), json=data, ) assert r.status_code == 403
def test_get_school_valid_student(client: TestClient, db: Session) -> None: school = create_random_school(db) admin_user_token_headers = authentication_token_from_email( client=client, db=db, email=random_email(), school_id=school.id) r = client.get(f"{settings.API_V1_STR}/schools/{school.id}", headers=admin_user_token_headers) assert r.status_code == 200 fetched_school = r.json() assert fetched_school compare_api_and_db_query_results(api_result=fetched_school, db_dict=to_json(school))
def test_get_professor_me_normal_professor(client: TestClient, db: Session) -> None: professor = create_random_user(db, type="professor") r = client.get( f"{settings.API_V1_STR}/professors/me", headers=authentication_token_from_email(client=client, email=professor.email, db=db), ) assert r.status_code == 200 fetched_professor = r.json() assert fetched_professor["user_id"] == professor.id