コード例 #1
    def test_menu_logged_in_error_dont_show_user_loaded(self, mock_user_get):
        """A 500 page must not render the user menu, even for a logged-in user.

        The view is wrapped in @login_required, so the user is looked up once
        before the exception is raised. Rendering the error template must not
        look the user up again and must show the anonymous menu.

        mock_user_get is the mock for the user lookup; the decorator that
        injects it is not part of this excerpt.
        """
        account = db_user.get_or_create('little_rsh')
        db_user.agree_to_gdpr(account['musicbrainz_id'])
        # Fetch the row a second time, now that the agreement has been stored.
        account = db_user.get_or_create('little_rsh')
        mock_user_get.return_value = account
        account_id = account['id']

        @self.app.route('/page_that_returns_500')
        @login_required
        def view500():
            # @login_required makes flask-login load the user, so the lookup
            # must already have happened when the view body starts.
            mock_user_get.assert_called_with(account_id)
            raise InternalServerError('error')

        self.temporary_login(account_id)
        response = self.client.get('/page_that_returns_500')
        page = response.data.decode('utf-8')

        # The error page carries the anonymous menu, not the logged-in one.
        self.assertNotIn('Your profile', page)
        self.assertIn('Sign in', page)
        # One lookup in total: the one made before the exception was raised.
        mock_user_get.assert_called_once_with(account_id)
        self.assertIsInstance(self.get_context_variable('current_user'), webserver.login.User)
コード例 #2
    def test_edit(self):
        """Access control on the dataset edit page.

        An anonymous request is answered with 302 whether or not the dataset
        exists, a logged-in user who is not the author gets 401, and the
        author gets 200.
        """
        # Anonymous request for an id that was never created: 302, the same
        # answer as for an existing dataset below.
        unknown_url = url_for("datasets.edit", dataset_id=self.test_uuid)
        self.assertStatus(self.client.get(unknown_url), 302)

        dataset_id = dataset.create_from_dict(self.test_data,
                                              author_id=self.test_user_id)

        # Anonymous request for an existing dataset
        anonymous = self.client.get(url_for("datasets.edit", dataset_id=dataset_id))
        self.assertStatus(anonymous, 302)

        # Logged in, but not the author
        stranger_id = user.create("another_tester")
        user.agree_to_gdpr("another_tester")
        self.temporary_login(stranger_id)
        as_stranger = self.client.get(url_for("datasets.edit", dataset_id=dataset_id))
        self.assert401(as_stranger)

        # Logged in as the author
        self.temporary_login(self.test_user_id)
        as_author = self.client.get(url_for("datasets.edit", dataset_id=dataset_id))
        self.assert200(as_author)
コード例 #3
    def test_edit_service(self):
        """Access control on the JSON edit endpoint.

        The same POST is sent three times: anonymously (401 with the
        "could not verify" message), as a logged-in user who is not the
        author (401), and as the author (200).
        """
        dataset_id = dataset.create_from_dict(self.test_data,
                                              author_id=self.test_user_id)

        def post_edit():
            # Identical request every time; only the session changes between calls.
            return self.client.post(
                url_for("datasets.edit_service", dataset_id=dataset_id),
                headers={"Content-Type": "application/json"},
                data=json.dumps(self.test_data),
            )

        # No session at all
        anonymous = post_edit()
        self.assert401(anonymous)
        self.assertTrue(anonymous.json["message"].startswith(
            "The server could not verify that you are authorized"))

        # Session of a user who does not own the dataset
        stranger_id = user.create("another_tester")
        user.agree_to_gdpr("another_tester")
        self.temporary_login(stranger_id)
        self.assert401(post_edit())

        # Session of the author
        self.temporary_login(self.test_user_id)
        self.assert200(post_edit())
コード例 #4
    def setUp(self):
        """Create the "tester" account, generate an API key for it and record its GDPR agreement."""
        super(AuthorizationTestCase, self).setUp()

        mb_name = "tester"
        self.test_user_mb_name = mb_name
        self.test_user_id = user.create(mb_name)
        # Same order as before: the key is generated before the agreement is stored.
        self.api_key = api_key.generate(self.test_user_id)
        user.agree_to_gdpr(mb_name)
コード例 #5
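    def _test_view_with_get_dataset(self, view_name):
        """Check the access rules of a view that loads its dataset with datasets.get_dataset.

        GET requests to ``view_name`` are expected to give:

        * unknown dataset id: 404
        * public dataset: 200, anonymous or logged in
        * private dataset: 200 for its author, 404 for another logged-in user

        The last case gets the same status as an unknown id, so the response
        does not tell a non-author that the private dataset exists.

        Args:
            view_name: endpoint name passed to url_for; it must accept a
                ``dataset_id`` argument.
        """
        # no such dataset, 404
        resp = self.client.get(url_for(view_name, dataset_id=self.test_uuid))
        self.assert404(resp)

        # public dataset + not logged in, OK
        dataset_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)
        resp = self.client.get(url_for(view_name, dataset_id=dataset_id))
        self.assert200(resp)

        self.temporary_login(self.test_user_id)

        # public dataset + logged in, ok
        resp = self.client.get(url_for(view_name, dataset_id=dataset_id))
        self.assert200(resp)

        # private dataset + author, ok
        # Work on a copy: flipping self.test_data["public"] in place would make
        # the "public" steps above create a private dataset if this helper is
        # called again in the same test.
        private_data = dict(self.test_data, public=False)
        private_dataset_id = dataset.create_from_dict(private_data, author_id=self.test_user_id)
        resp = self.client.get(url_for(view_name, dataset_id=private_dataset_id))
        self.assert200(resp)

        # private dataset, not author, 404
        another_user_id = user.create("another_tester")
        user.agree_to_gdpr("another_tester")
        self.temporary_login(another_user_id)
        resp = self.client.get(url_for(view_name, dataset_id=private_dataset_id))
        self.assert404(resp)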
コード例 #6
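    def _test_view_with_get_dataset(self, view_name):
        """Exercise the visibility rules of a view that uses datasets.get_dataset.

        For GET requests to ``view_name`` the helper asserts: 404 for an
        unknown dataset id, 200 for a public dataset (with and without a
        session), 200 for a private dataset requested by its author, and 404
        for the same private dataset requested by a different logged-in user.
        A non-author therefore sees the same status for a private dataset as
        for one that does not exist.

        Args:
            view_name: endpoint name for url_for, taking ``dataset_id``.
        """
        def fetch(target_id):
            return self.client.get(url_for(view_name, dataset_id=target_id))

        # Unknown id
        self.assert404(fetch(self.test_uuid))

        # Public dataset, anonymous
        public_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)
        self.assert200(fetch(public_id))

        # Public dataset, logged in as the author
        self.temporary_login(self.test_user_id)
        self.assert200(fetch(public_id))

        # Private dataset, logged in as the author. The fixture dict is copied
        # rather than edited in place, so self.test_data stays public for any
        # later use within the same test.
        private_payload = dict(self.test_data, public=False)
        private_id = dataset.create_from_dict(private_payload, author_id=self.test_user_id)
        self.assert200(fetch(private_id))

        # Private dataset, logged in as somebody else
        stranger_id = user.create("another_tester")
        user.agree_to_gdpr("another_tester")
        self.temporary_login(stranger_id)
        self.assert404(fetch(private_id))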
コード例 #7
    def test_menu_logged_in_error_show(self, mock_user_get):
        """A 400 or 404 error page still renders the user menu for a logged-in user.

        mock_user_get is the mock for the user lookup; the decorator that
        injects it is not part of this excerpt.
        """
        @self.app.route('/page_that_returns_400')
        def view400():
            raise BadRequest('bad request')

        @self.app.route('/page_that_returns_404')
        def view404():
            raise NotFound('not found')

        account = db_user.get_or_create('little_rsh')
        db_user.agree_to_gdpr(account['musicbrainz_id'])
        # Fetch the row a second time, now that the agreement has been stored.
        account = db_user.get_or_create('little_rsh')
        mock_user_get.return_value = account
        self.temporary_login(account['id'])

        error_pages = (
            ('/page_that_returns_400', self.assert400),
            ('/page_that_returns_404', self.assert404),
        )
        for path, assert_status in error_pages:
            response = self.client.get(path)
            page = response.data.decode('utf-8')
            assert_status(response)

            # username (menu header)
            self.assertIn('little_rsh', page)
            # item in user menu
            self.assertIn('Your profile', page)
            mock_user_get.assert_called_with(account['id'])
コード例 #8
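    def test_delete(self):
        """Access control on the dataset delete view.

        Anonymous GET and POST requests get 302 and delete nothing, a
        logged-in user who is not the author gets 403 and deletes nothing, and
        the author gets the confirmation page on GET and a redirect to their
        profile on POST, after which the dataset is gone.
        """
        # Should redirect to login page even if trying to delete dataset that
        # doesn't exist.
        resp = self.client.get(url_for("datasets.delete", dataset_id=self.test_uuid))
        self.assertStatus(resp, 302)

        dataset_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)

        # Trying to delete without login
        resp = self.client.get(url_for("datasets.delete", dataset_id=dataset_id))
        self.assertStatus(resp, 302)
        resp = self.client.post(url_for("datasets.delete", dataset_id=dataset_id))
        self.assertStatus(resp, 302)
        # assertEqual reports the actual count when the check fails.
        self.assertEqual(len(dataset.get_by_user_id(self.test_user_id)), 1)

        # Deleting using another user
        another_user_id = user.create("another_tester")
        user.agree_to_gdpr("another_tester")
        self.temporary_login(another_user_id)
        resp = self.client.get(url_for("datasets.delete", dataset_id=dataset_id))
        self.assert403(resp)
        resp = self.client.post(url_for("datasets.delete", dataset_id=dataset_id))
        self.assert403(resp)
        # The refused POST must not have removed the author's dataset.
        self.assertEqual(len(dataset.get_by_user_id(self.test_user_id)), 1)

        # Deleting properly
        self.temporary_login(self.test_user_id)
        resp = self.client.get(url_for("datasets.delete", dataset_id=dataset_id))
        self.assert200(resp)
        resp = self.client.post(url_for("datasets.delete", dataset_id=dataset_id))
        self.assertRedirects(resp, url_for("user.profile", musicbrainz_id=self.test_user_mb_name))
        self.assertEqual(len(dataset.get_by_user_id(self.test_user_id)), 0)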
コード例 #9
    def test_edit_service(self):
        """The JSON edit endpoint answers 401 to anonymous and non-author requests and 200 to the author."""
        dataset_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)
        endpoint = url_for("datasets.edit_service", dataset_id=dataset_id)
        json_headers = {"Content-Type": "application/json"}
        body = json.dumps(self.test_data)

        # Anonymous request: rejected, with the generic "could not verify" message
        rejected = self.client.post(endpoint, headers=json_headers, data=body)
        self.assert401(rejected)
        self.assertTrue(rejected.json["message"].startswith("The server could not verify that you are authorized"))

        # Logged in as a user who does not own the dataset
        stranger_id = user.create("another_tester")
        user.agree_to_gdpr("another_tester")
        self.temporary_login(stranger_id)
        as_stranger = self.client.post(endpoint, headers=json_headers, data=body)
        self.assert401(as_stranger)

        # Logged in as the author
        self.temporary_login(self.test_user_id)
        as_author = self.client.post(endpoint, headers=json_headers, data=body)
        self.assert200(as_author)
コード例 #10
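    def test_delete(self):
        """Only the author can delete a dataset.

        Steps: anonymous GET/POST (302, dataset kept), GET/POST by another
        logged-in user (403, dataset kept), GET/POST by the author (200, then
        a redirect to the author's profile and no datasets left).
        """
        # Should redirect to login page even if trying to delete dataset that
        # doesn't exist.
        resp = self.client.get(url_for("datasets.delete", dataset_id=self.test_uuid))
        self.assertStatus(resp, 302)

        dataset_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)
        delete_url = url_for("datasets.delete", dataset_id=dataset_id)

        # Trying to delete without login
        self.assertStatus(self.client.get(delete_url), 302)
        self.assertStatus(self.client.post(delete_url), 302)
        # assertEqual shows the actual count on failure, assertTrue(len(...) == 1) does not.
        self.assertEqual(len(dataset.get_by_user_id(self.test_user_id)), 1)

        # Deleting using another user
        another_user_id = user.create("another_tester")
        user.agree_to_gdpr("another_tester")
        self.temporary_login(another_user_id)
        self.assert403(self.client.get(delete_url))
        self.assert403(self.client.post(delete_url))
        # A refused request must leave the author's dataset in place.
        self.assertEqual(len(dataset.get_by_user_id(self.test_user_id)), 1)

        # Deleting properly
        self.temporary_login(self.test_user_id)
        self.assert200(self.client.get(delete_url))
        resp = self.client.post(delete_url)
        self.assertRedirects(resp, url_for("user.profile", musicbrainz_id=self.test_user_mb_name))
        self.assertEqual(len(dataset.get_by_user_id(self.test_user_id)), 0)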
コード例 #11
    def test_menu_logged_in(self, mock_user_get):
        """The index page of a logged-in user shows the user menu and looks the user up by id.

        mock_user_get is the mock for the user lookup; the decorator that
        injects it is not part of this excerpt.
        """
        account = db_user.get_or_create('little_rsh')
        db_user.agree_to_gdpr(account['musicbrainz_id'])
        # Fetch the row a second time, now that the agreement has been stored.
        account = db_user.get_or_create('little_rsh')
        mock_user_get.return_value = account
        self.temporary_login(account['id'])

        page = self.client.get(url_for('index.index')).data.decode('utf-8')

        # username (menu header)
        self.assertIn('little_rsh', page)
        # item in user menu
        self.assertIn('Your profile', page)
        mock_user_get.assert_called_with(account['id'])
コード例 #12
    def test_gdpr_redirect(self):
        """A logged-in user who has not agreed to the GDPR terms is redirected
        to the GDPR notice; once the agreement is stored the index page loads
        normally."""
        account = db_user.get_or_create('newuser')
        self.temporary_login(account['id'])

        # No agreement on record: the index answers with a redirect to the notice.
        before = self.client.get(url_for('index.index'))
        self.assertStatus(before, 302)
        self.assertIn(url_for('index.gdpr_notice'), before.location)

        # Agreement recorded: the same request is served without a redirect.
        db_user.agree_to_gdpr(account['musicbrainz_id'])
        after = self.client.get(url_for('index.index'))
        self.assert200(after)
        self.assertIsNone(after.location)
コード例 #13
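def gdpr_notice():
    """Show the GDPR notice and act on the user's answer.

    GET renders the notice. POST reads the ``gdpr-options`` form field:
    ``agree`` stores the agreement for ``current_user`` and redirects to the
    ``next`` form value, or to the index page when ``next`` is missing or does
    not point at this site; ``disagree`` redirects to the logout view; any
    other value flashes an error and renders the notice again.
    """
    if request.method == 'GET':
        return render_template('index/gdpr.html', next=request.args.get('next'))
    elif request.method == 'POST':
        choice = request.form.get('gdpr-options')
        if choice == 'agree':
            try:
                db_user.agree_to_gdpr(current_user.musicbrainz_id)
            except db.exceptions.DatabaseException:
                flash.error('Could not store agreement to GDPR terms')
            # ``next`` comes from the client. Following it unchecked is an
            # open redirect, so it is used only when it stays on this site.
            next_url = request.form.get('next')
            if next_url and _is_local_redirect_target(next_url):
                return redirect(next_url)
            return redirect(url_for('index.index'))
        elif choice == 'disagree':
            # NOTE(review): ``next`` is passed on to login.logout unchecked;
            # confirm that view validates it before redirecting.
            return redirect(url_for('login.logout', next=request.args.get('next')))
        else:
            flash.error('You must agree to or decline our terms')
            return render_template('index/gdpr.html', next=request.args.get('next'))


def _is_local_redirect_target(target):
    """Return True when *target* is a path on this site or an http(s) URL on the request's own host."""
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse

    # Browsers read "\" as "/" and drop surrounding whitespace and control
    # characters; urlparse does neither, so such values are refused outright.
    if '\\' in target or target != target.strip() or any(ord(ch) < 0x20 for ch in target):
        return False
    try:
        parts = urlparse(target)
        own_host = urlparse(request.host_url).netloc.lower()
    except ValueError:
        return False
    if parts.scheme or parts.netloc:
        return parts.scheme in ('http', 'https') and parts.netloc.lower() == own_host
    # No scheme and no host: accept only a path rooted at a single "/".
    # Two or more leading slashes can be read by browsers as another host.
    return target.startswith('/') and not target.startswith('//')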
コード例 #14
    def setUp(self):
        """Create the "tester" account and the dataset fixture shared by the tests.

        The fixture is a public dataset with two classes that both list the
        same two recordings; low-level data is loaded for both recordings.
        """
        super(DatasetsViewsTestCase, self).setUp()

        mb_name = "tester"
        self.test_user_mb_name = mb_name
        self.test_user_id = user.create(mb_name)
        user.agree_to_gdpr(mb_name)

        # Id used by the tests for a dataset that does not exist
        self.test_uuid = "123e4567-e89b-12d3-a456-426655440000"
        self.test_mbid_1 = "e8afe383-1478-497e-90b1-7885c7f37f6e"
        self.test_mbid_2 = "0dad432b-16cc-4bf0-8961-fd31d124b01b"
        recordings = [self.test_mbid_1, self.test_mbid_2]

        self.test_data = {
            "name": "Test",
            "description": "",
            "classes": [
                {
                    "name": "Class #1",
                    "description": "This is a description of class #1!",
                    # each class gets its own list object, as before
                    "recordings": list(recordings),
                },
                {
                    "name": "Class #2",
                    "description": "",
                    "recordings": list(recordings),
                },
            ],
            "public": True,
        }

        # Loading the actual data because it is required to evaluate the dataset
        for mbid in recordings:
            self.load_low_level_data(mbid)
コード例 #15
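def gdpr_notice():
    """Render the GDPR notice (GET) or process the user's choice (POST).

    On POST the ``gdpr-options`` form field decides the outcome: ``agree``
    stores the agreement for ``current_user`` and redirects to the ``next``
    form value when it points at this site, otherwise to the index page;
    ``disagree`` redirects to the logout view; anything else flashes an error
    and shows the notice again.
    """
    if request.method == 'GET':
        return render_template('index/gdpr.html',
                               next=request.args.get('next'))
    elif request.method == 'POST':
        answer = request.form.get('gdpr-options')
        if answer == 'agree':
            try:
                db_user.agree_to_gdpr(current_user.musicbrainz_id)
            except db.exceptions.DatabaseException:
                flash.error('Could not store agreement to GDPR terms')
            # The ``next`` value is client-controlled; redirecting to it
            # without a check would be an open redirect.
            destination = request.form.get('next')
            if destination and _is_local_redirect_target(destination):
                return redirect(destination)
            return redirect(url_for('index.index'))
        elif answer == 'disagree':
            # NOTE(review): ``next`` is forwarded to login.logout unchecked;
            # confirm that view validates it before redirecting.
            return redirect(
                url_for('login.logout', next=request.args.get('next')))
        else:
            flash.error('You must agree to or decline our terms')
            return render_template('index/gdpr.html',
                                   next=request.args.get('next'))


def _is_local_redirect_target(target):
    """Return True when *target* is a path on this site or an http(s) URL on the request's own host."""
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse

    # urlparse keeps backslashes, surrounding whitespace and control
    # characters, while browsers normalise them; refuse such values.
    if '\\' in target or target != target.strip() or any(ord(ch) < 0x20 for ch in target):
        return False
    try:
        parts = urlparse(target)
        own_host = urlparse(request.host_url).netloc.lower()
    except ValueError:
        return False
    if parts.scheme or parts.netloc:
        return parts.scheme in ('http', 'https') and parts.netloc.lower() == own_host
    # Relative reference: only a path rooted at exactly one "/" is accepted,
    # because browsers can read extra leading slashes as another host.
    return target.startswith('/') and not target.startswith('//')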
コード例 #16
    def setUp(self):
        """Prepare the "tester" account, the fixture ids and a public two-class dataset dict."""
        super(DatasetsViewsTestCase, self).setUp()

        self.test_user_mb_name = "tester"
        self.test_user_id = user.create(self.test_user_mb_name)
        user.agree_to_gdpr(self.test_user_mb_name)

        self.test_uuid = "123e4567-e89b-12d3-a456-426655440000"
        self.test_mbid_1 = "e8afe383-1478-497e-90b1-7885c7f37f6e"
        self.test_mbid_2 = "0dad432b-16cc-4bf0-8961-fd31d124b01b"

        def dataset_class(name, description):
            # Both classes list the same two recordings, each in its own list.
            return {
                "name": name,
                "description": description,
                "recordings": [self.test_mbid_1, self.test_mbid_2],
            }

        self.test_data = {
            "name": "Test",
            "description": "",
            "classes": [
                dataset_class("Class #1", "This is a description of class #1!"),
                dataset_class("Class #2", ""),
            ],
            "public": True,
        }

        # Loading the actual data because it is required to evaluate the dataset
        for recording_mbid in (self.test_mbid_1, self.test_mbid_2):
            self.load_low_level_data(recording_mbid)
コード例 #17
    def test_edit(self):
        """The edit page answers 302 to anonymous requests, 401 to a non-author and 200 to the author."""
        def open_edit_page(target_id):
            return self.client.get(url_for("datasets.edit", dataset_id=target_id))

        # Anonymous, dataset id that was never created: 302, the same answer
        # as for an existing dataset below.
        self.assertStatus(open_edit_page(self.test_uuid), 302)

        dataset_id = dataset.create_from_dict(self.test_data, author_id=self.test_user_id)

        # Anonymous, existing dataset
        self.assertStatus(open_edit_page(dataset_id), 302)

        # Logged in as a user who does not own the dataset
        stranger_id = user.create("another_tester")
        user.agree_to_gdpr("another_tester")
        self.temporary_login(stranger_id)
        self.assert401(open_edit_page(dataset_id))

        # Logged in as the author
        self.temporary_login(self.test_user_id)
        self.assert200(open_edit_page(dataset_id))
コード例 #18
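def gdpr_notice():
    """Show the GDPR form and act on a valid submission.

    When ``GdprForm`` validates on submit, ``form.preference.data`` decides
    the outcome: ``agree`` stores the agreement for ``current_user`` and
    redirects to the ``next`` form value when it points at this site,
    otherwise to the index page; ``disagree`` redirects to the logout view;
    any other value flashes an error and renders the form again. Without a
    valid submission the form is rendered.
    """
    form = GdprForm()
    if form.validate_on_submit():
        if form.preference.data == 'agree':
            try:
                db_user.agree_to_gdpr(current_user.musicbrainz_id)
            except db.exceptions.DatabaseException:
                flash.error('Could not store agreement to GDPR terms')
            # ``next`` is read straight from the request, not from a
            # validated form field, so it is checked here before use to
            # avoid an open redirect.
            next_url = request.form.get('next')
            if next_url and _is_local_redirect_target(next_url):
                return redirect(next_url)
            return redirect(url_for('index.index'))
        elif form.preference.data == 'disagree':
            # NOTE(review): ``next`` is forwarded to login.logout unchecked;
            # confirm that view validates it before redirecting.
            return redirect(
                url_for('login.logout', next=request.args.get('next')))
        else:
            flash.error('You must agree to or decline our terms')
            return render_template('index/gdpr.html',
                                   form=form,
                                   next=request.args.get('next'))
    else:
        return render_template('index/gdpr.html',
                               form=form,
                               next=request.args.get('next'))


def _is_local_redirect_target(target):
    """Return True when *target* is a path on this site or an http(s) URL on the request's own host."""
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse

    # Backslashes, surrounding whitespace and control characters are
    # normalised by browsers but not by urlparse; refuse them.
    if '\\' in target or target != target.strip() or any(ord(ch) < 0x20 for ch in target):
        return False
    try:
        parts = urlparse(target)
        own_host = urlparse(request.host_url).netloc.lower()
    except ValueError:
        return False
    if parts.scheme or parts.netloc:
        return parts.scheme in ('http', 'https') and parts.netloc.lower() == own_host
    # Relative reference: accept only a path rooted at exactly one "/";
    # browsers can read extra leading slashes as another host.
    return target.startswith('/') and not target.startswith('//')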
コード例 #19
    def setUp(self):
        # Fixture setup for SimilarityViewsTestCase. The excerpt may end before
        # the method does, so only the visible steps are described here.
        super(SimilarityViewsTestCase, self).setUp()

        # Create the "tester" account and record its GDPR agreement.
        self.test_user_mb_name = "tester"
        self.test_user_id = user.create(self.test_user_mb_name)
        user.agree_to_gdpr(self.test_user_mb_name)