def test_create_permissions(self):
    """
    A non-staff user may only create experiment data for themselves.

    Checks, in order: anonymous POST -> 401; POST for oneself -> 201 and a
    row exists; non-staff POST naming another user -> 403 and no row for
    that user; staff POST naming another user -> 201 and the row exists.
    """
    url = reverse('api_experiments:v0:data-list')

    # Anonymous callers are rejected before any payload is considered.
    anon_response = self.client.post(url, {})
    assert anon_response.status_code == 401

    user = UserFactory()
    payload = {
        'experiment_id': 1,
        'key': 'foo',
        'value': 'bar',
    }
    self.client.login(username=user.username, password=UserFactory._DEFAULT_PASSWORD)  # lint-amnesty, pylint: disable=protected-access

    # Creating data for oneself is permitted and persisted.
    own_response = self.client.post(url, payload)
    assert own_response.status_code == 201
    ExperimentData.objects.get(user=user)

    # Naming a different user is forbidden for non-staff; nothing is written.
    other_user = UserFactory()
    payload['user'] = other_user.username
    forbidden_response = self.client.post(url, payload)
    assert forbidden_response.status_code == 403
    assert not ExperimentData.objects.filter(user=other_user).exists()

    # Staff may create data on behalf of another user.
    user.is_staff = True
    user.save()
    staff_response = self.client.post(url, payload)
    assert staff_response.status_code == 201
    ExperimentData.objects.get(user=other_user)
def _get_toggle_state_response(self, is_staff=True):
    """
    Invoke ``ToggleStateView`` directly for a fresh user and return the response.

    ``is_staff`` is set on the in-memory user only (it is never saved); the
    user reaches the view solely via ``request.user``.
    """
    user = UserFactory()
    user.is_staff = is_staff
    request = APIRequestFactory().get('/api/toggles/state/')
    request.user = user
    view = toggle_state_views.ToggleStateView.as_view()
    return view(request)
def _get_toggle_state_response(self, is_staff=True):
    """
    Invoke ``ToggleStateView`` directly for a fresh user and return the response.

    ``is_staff`` is set on the in-memory user only (it is never saved); the
    user reaches the view solely via ``request.user``.
    """
    user = UserFactory()
    user.is_staff = is_staff
    request = APIRequestFactory().get('/api/toggles/state/')
    request.user = user
    return ToggleStateView.as_view()(request)
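def test_entrance_exam_view_direct_missing_score_setting(self):
    """
    Unit Test: test_entrance_exam_view_direct_missing_score_setting

    Calls ``create_entrance_exam`` directly as a staff user with no minimum
    score setting and expects a 201 response.
    """
    user = UserFactory()
    user.is_staff = True
    # Use a real request built by the factory rather than the factory
    # instance itself, so the helper under test receives a genuine
    # HttpRequest carrying ``user``.
    request = RequestFactory().get('/')
    request.user = user
    resp = create_entrance_exam(request, self.course.id, None)
    self.assertEqual(resp.status_code, 201)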
def test_session_auth(self):
    """
    Session-authenticated access is granted to staff users only.

    A logged-in non-staff user receives 403; once the same user is promoted
    to staff and saved, the same request receives 200.
    """
    user = UserFactory(password=self.password, is_staff=False)
    self.client.login(username=user.username, password=self.password)

    # Authenticated but non-staff: authorization must fail.
    denied = self.client.get(self.path)
    assert denied.status_code == 403

    # Promote to staff; the persisted flag must now grant access.
    user.is_staff = True
    user.save()
    allowed = self.client.get(self.path)
    assert allowed.status_code == 200
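def test_entrance_exam_feature_flag_gating(self):
    """
    With the entrance-exam feature disabled, every entrance-exam operation
    is rejected with 400, even for a staff user.

    Covers the HTTP endpoint (``self.exam_url``) and the direct helpers
    ``create_entrance_exam`` and ``delete_entrance_exam``;
    ``update_entrance_exam`` returns nothing, so it is only checked to not
    raise.
    """
    user = UserFactory()
    user.is_staff = True
    # Use a real request built by the factory rather than the factory
    # instance itself, so the helpers receive a genuine HttpRequest
    # carrying ``user``.
    request = RequestFactory().get('/')
    request.user = user

    resp = self.client.get(self.exam_url)
    self.assertEqual(resp.status_code, 400)

    resp = create_entrance_exam(request, self.course.id, None)
    self.assertEqual(resp.status_code, 400)

    resp = delete_entrance_exam(request, self.course.id)
    self.assertEqual(resp.status_code, 400)

    # No return value, so we only ensure no exception is raised.
    update_entrance_exam(request, self.course.id, {})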
def test_oauth(self):
    """
    Bearer-token (OAuth) access is granted to staff users only.

    The same access token yields 403 while the user is non-staff and 200
    after the user is promoted to staff and saved.
    """
    user = UserFactory(is_staff=False)
    oauth_client = ApplicationFactory.create()
    token = AccessTokenFactory.create(user=user, application=oauth_client).token
    auth_headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}

    # Valid token, non-staff user: authorization must fail.
    denied = self.client.get(self.path, **auth_headers)
    assert denied.status_code == 403

    # Same token, now a staff user: access is granted.
    user.is_staff = True
    user.save()
    allowed = self.client.get(self.path, **auth_headers)
    assert allowed.status_code == 200
def test_oauth_list(self, path_name):
    """
    Bearer-token (OAuth) access to the list endpoint named by ``path_name``
    is granted to staff users only.

    The same token yields 403 for a non-staff user and 200 once that user
    is promoted to staff and saved.
    """
    path = reverse(path_name, kwargs={'course_key_string': self.course_str})
    user = UserFactory(is_staff=False)
    oauth_client = ApplicationFactory.create()
    token = AccessTokenFactory.create(user=user, application=oauth_client).token
    auth_headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}

    # Valid token, non-staff user: authorization must fail.
    denied = self.client.get(path=path, **auth_headers)
    self.assertEqual(denied.status_code, 403)

    # Same token, now a staff user: access is granted.
    user.is_staff = True
    user.save()
    allowed = self.client.get(path=path, **auth_headers)
    self.assertEqual(allowed.status_code, 200)
def test_oauth_csv(self):
    """
    Bearer-token (OAuth) access to the cohort CSV upload is granted to staff
    users only.

    A non-staff user's POST is rejected with 403. After promotion to staff
    the same POST reaches the view and returns 400 rather than 403 —
    presumably because no CSV payload is sent — which is enough to show
    authorization succeeded.
    """
    cohorts.add_cohort(self.course_key, "DEFAULT", "random")
    path = reverse('api_cohorts:cohort_users_csv', kwargs={'course_key_string': self.course_str})
    user = UserFactory(is_staff=False)
    oauth_client = ApplicationFactory.create()
    token = AccessTokenFactory.create(user=user, application=oauth_client).token
    auth_headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}

    # Valid token, non-staff user: authorization must fail.
    denied = self.client.post(path=path, **auth_headers)
    assert denied.status_code == 403

    # Same token, now a staff user: the request gets past authorization.
    user.is_staff = True
    user.save()
    passed_authz = self.client.post(path=path, **auth_headers)
    assert passed_authz.status_code == 400