def test_schema_auth(self):
api_key = self.__login("user", "pass3")
headers = self.__build_headers("user", api_key)
ModelPermission.objects.all().delete()
response = self.client.get("/admin-api/author/schema/", **headers)
tools.assert_equals(response.status_code, 403)
grant_permission(Author, self.test_role, self.can_view)
response = self.client.get("/admin-api/author/schema/", **headers)
tools.assert_equals(response.status_code, 200)
self.__logout(headers)
def update_permissions(model):
"""
1. Remove all permissions for the workflow (from ModelPermission relation)
2. Grant permission for the current state (to ModelPermission relation)
"""
workflow = get_workflow(model)
state = get_state(model)
content_type = ContentType.objects.get_for_model(model)
perms = [
wpr.permission
for wpr in WorkflowPermissionRelation.objects.filter(workflow=workflow).select_related("permission")
]
ModelPermission.objects.filter(content_type=content_type, permission__in=perms).delete()
for relation in StatePermissionRelation.objects.filter(state=state):
grant_permission(model, relation.role, relation.permission)
def test_top_level_schema_auth(self):
api_key = self.__login("banned_user", "pass2")
headers = self.__build_headers("banned_user", api_key)
response = self.client.get("/admin-api/", **headers)
tools.assert_equals(response.status_code, 403)
self.__logout(headers)
api_key = self.__login("admin_user", "pass1")
headers = self.__build_headers("admin_user", api_key)
response = self.client.get("/admin-api/", **headers)
tools.assert_equals(response.status_code, 200)
self.__logout(headers)
api_key = self.__login("user", "pass3")
headers = self.__build_headers("user", api_key)
grant_permission(Author, self.test_role, self.can_view)
response = self.client.get("/admin-api/", **headers)
resources = self.__get_response_json(response)
tools.assert_equals(response.status_code, 200)
tools.assert_true("author" in resources)
grant_permission(Site, self.test_role, self.can_view)
response = self.client.get("/admin-api/", **headers)
resources = self.__get_response_json(response)
tools.assert_equals(response.status_code, 200)
tools.assert_true("author" in resources)
tools.assert_true("site" in resources)
self.__logout(headers)
