def test_has_perm_per_object(self):
    """Check that has_perm honours a permission granted on one object.

    ``forums_forum.view_in_forum`` is granted to a user on a single forum
    built by ``restricted_forum()``. The check must pass for that forum
    and fail for a second forum built the same way.
    """
    from kitsune.forums.tests import restricted_forum

    granted_forum = restricted_forum()
    other_forum = restricted_forum()

    # Grant the permission on granted_forum only; object_id pins the grant
    # to that one row.
    member = user(save=True)
    codename = 'forums_forum.view_in_forum'
    forum_ct = ContentType.objects.get_for_model(granted_forum)
    permission(codename=codename, content_type=forum_ct,
               object_id=granted_forum.id, user=member, save=True)

    assert access.has_perm(member, codename, granted_forum)
    # The negative case is the important one: it shows the grant does not
    # carry over to another object of the same content type.
    assert not access.has_perm(member, codename, other_forum)
def test_read_without_permission(self):
    """Listing posts without the view_in_forum permission should 404."""
    restricted = restricted_forum()
    hidden_thread = thread(forum=restricted, save=True)
    url_args = [hidden_thread.forum.slug, hidden_thread.id]

    # This test body performs no login before issuing the request.
    response = get(self.client, 'forums.posts', args=url_args)

    # NOTE(review): a 404 (not a 403) presumably keeps the response from
    # confirming that the restricted forum exists -- confirm intent.
    eq_(404, response.status_code)
def test_admin_perm_thread(self):
    """Super user can do anything on any forum."""
    from kitsune.forums.tests import restricted_forum

    first_forum = restricted_forum()
    second_forum = restricted_forum()
    # No permission row is created in this test; the account only carries
    # the is_staff and is_superuser flags.
    superuser = user(is_staff=True, is_superuser=True, save=True)

    codenames = (
        'thread_edit_forum',
        'thread_delete_forum',
        'post_edit_forum',
        'thread_sticky_forum',
        'thread_locked_forum',
        'post_delete_forum',
        'view_in_forum',
    )
    # Every forum permission is checked against both forums.
    for codename in codenames:
        qualified = 'forums_forum.' + codename
        for target in [first_forum, second_forum]:
            assert access.has_perm(superuser, qualified, target)
def test_read_without_permission(self):
    """Listing threads without the view_in_forum permission should 404."""
    restricted = restricted_forum()
    url_args = [restricted.slug]

    # This test body performs no login before issuing the request.
    response = get(self.client, 'forums.threads', args=url_args)

    # NOTE(review): a 404 (not a 403) presumably keeps the response from
    # confirming that the restricted forum exists -- confirm intent.
    eq_(404, response.status_code)
def test_forums_search_authorized_forums(self):
    """Only authorized people can search certain forums."""
    # Two threads with a matching post each: one in an ordinary forum and
    # one in a forum built by restricted_forum().
    open_forum = forum(name=u'ou812forum', save=True)
    open_thread = thread(forum=open_forum, save=True)
    post(thread=open_thread, content=u'audio', save=True)

    closed_forum = restricted_forum(name=u'restrictedkeepout', save=True)
    closed_thread = thread(forum=closed_forum, save=True)
    post(thread=closed_thread, content=u'audio restricted', save=True)

    self.refresh()

    search_url = reverse('search')
    # The same query is sent both times. It names no forum to filter on,
    # so any filtering seen in the results is applied by the server.
    query = {
        'author': '',
        'created': '0',
        'created_date': '',
        'updated': '0',
        'updated_date': '',
        'sortby': '0',
        'a': '1',
        'w': '4',
        'q': 'audio',
        'format': 'json',
    }

    # First pass: no login has been performed in this test body yet.
    # Only one of the two posts should be counted.
    response = self.client.get(search_url, dict(query))
    eq_(200, response.status_code)
    payload = json.loads(response.content)
    # NOTE(review): only the count is asserted, so this does not show
    # *which* post was returned. A check that the restricted post is
    # absent from the payload would make the test stricter.
    eq_(payload['total'], 1)

    # Second pass: a user whose group holds view_in_forum on the
    # restricted forum should see both posts.
    member = user(save=True)
    member_group = group(save=True)
    member_group.user_set.add(member)
    forum_ct = ContentType.objects.get_for_model(closed_forum)
    permission(codename='forums_forum.view_in_forum',
               content_type=forum_ct, object_id=closed_forum.id,
               group=member_group, save=True)

    self.client.login(username=member.username, password='******')
    response = self.client.get(search_url, dict(query))

    # Sees both results.
    eq_(200, response.status_code)
    payload = json.loads(response.content)
    eq_(payload['total'], 2)
def test_reply_without_view_permission(self):
    """Posting without view_in_forum permission should 404."""
    restricted = restricted_forum()
    target = thread(forum=restricted, save=True)
    outsider = user(save=True)

    # NOTE(review): login()'s boolean result is not checked. Asserting it
    # would tie the 404 to an authenticated user who lacks the permission
    # rather than to an anonymous request.
    self.client.login(username=outsider.username, password='******')

    form_data = {'content': 'Blahs'}
    url_args = [target.forum.slug, target.id]
    response = post(self.client, 'forums.reply', form_data, args=url_args)

    eq_(404, response.status_code)
def test_watch_forum_without_permission(self):
    """Watching forums without the view_in_forum permission should 404."""
    restricted = restricted_forum()
    outsider = user(save=True)

    # NOTE(review): login()'s boolean result is not checked. Asserting it
    # would tie the 404 to an authenticated user who lacks the permission
    # rather than to an anonymous request.
    self.client.login(username=outsider.username, password='******')

    watch_url = reverse('forums.watch_forum', args=[restricted.slug])
    # follow=False: the status code asserted below is that of the first
    # response, not of anything reached through a redirect.
    response = self.client.post(watch_url, {'watch': 'yes'}, follow=False)

    eq_(404, response.status_code)
def test_new_thread_without_view_permission(self):
    """Making a new thread without view permission should 404."""
    restricted = restricted_forum()
    # A thread is created in the forum first; its return value is unused.
    thread(forum=restricted, save=True)
    outsider = user(save=True)

    # NOTE(review): login()'s boolean result is not checked. Asserting it
    # would tie the 404 to an authenticated user who lacks the permission
    # rather than to an anonymous request.
    self.client.login(username=outsider.username, password='******')

    form_data = {'title': 'Blahs', 'content': 'Blahs'}
    response = post(self.client, 'forums.new_thread', form_data,
                    args=[restricted.slug])

    eq_(404, response.status_code)
def test_reply_without_post_permission(self):
    """Posting without post_in_forum permission should 403."""
    post_code = 'forums_forum.post_in_forum'
    restricted = restricted_forum(permission_code=post_code)
    target = thread(forum=restricted, save=True)
    member = user(save=True)
    self.client.login(username=member.username, password='******')

    # allows_viewing_by is forced to return True for the request, so that
    # (presumably) a denial cannot come from the view check and the 403
    # reflects the missing post permission.
    always_viewable = Mock(return_value=True)
    with patch.object(Forum, 'allows_viewing_by', always_viewable):
        response = post(self.client, 'forums.reply',
                        {'content': 'Blahs'},
                        args=[target.forum.slug, target.id])

    eq_(403, response.status_code)
def test_perm_is_defined_on(self):
    """Test permission relationship.

    Checks whether a permission relationship exists for an object,
    independent of whether the permission is actually assigned to anyone.
    """
    from kitsune.forums.tests import forum, restricted_forum

    with_relationship = restricted_forum()
    without_relationship = forum(save=True)
    codename = 'forums_forum.view_in_forum'

    # No user or group is passed to either factory call in this test.
    assert access.perm_is_defined_on(codename, with_relationship)
    assert not access.perm_is_defined_on(codename, without_relationship)
def test_new_thread_without_post_permission(self):
    """Making a new thread without post permission should 403."""
    post_code = 'forums_forum.post_in_forum'
    restricted = restricted_forum(permission_code=post_code)
    member = user(save=True)
    self.client.login(username=member.username, password='******')

    # allows_viewing_by is forced to return True for the request, so that
    # (presumably) a denial cannot come from the view check and the 403
    # reflects the missing post permission.
    always_viewable = Mock(return_value=True)
    with patch.object(Forum, 'allows_viewing_by', always_viewable):
        response = post(self.client, 'forums.new_thread',
                        {'title': 'Blahs', 'content': 'Blahs'},
                        args=[restricted.slug])

    eq_(403, response.status_code)
def test_reply_without_post_permission(self):
    """Posting without post_in_forum permission should 403."""
    post_code = 'forums_forum.post_in_forum'
    restricted = restricted_forum(permission_code=post_code)
    target = thread(forum=restricted, save=True)
    member = user(save=True)
    self.client.login(username=member.username, password='******')

    # With allows_viewing_by pinned to True, the view check is taken out
    # of the picture; the 403 asserted below is then presumably down to
    # the post permission alone.
    view_check = Mock(return_value=True)
    with patch.object(Forum, 'allows_viewing_by', view_check):
        url_args = [target.forum.slug, target.id]
        response = post(self.client, 'forums.reply',
                        {'content': 'Blahs'}, args=url_args)

    eq_(403, response.status_code)
def test_new_thread_without_post_permission(self):
    """Making a new thread without post permission should 403."""
    post_code = 'forums_forum.post_in_forum'
    restricted = restricted_forum(permission_code=post_code)
    member = user(save=True)
    self.client.login(username=member.username, password='******')

    # With allows_viewing_by pinned to True, the view check is taken out
    # of the picture; the 403 asserted below is then presumably down to
    # the post permission alone.
    view_check = Mock(return_value=True)
    with patch.object(Forum, 'allows_viewing_by', view_check):
        form_data = {'title': 'Blahs', 'content': 'Blahs'}
        response = post(self.client, 'forums.new_thread', form_data,
                        args=[restricted.slug])

    eq_(403, response.status_code)
def test_new_thread_without_view_permission(self):
    """Making a new thread without view permission should 404."""
    restricted = restricted_forum()
    # The forum gets one thread up front; the created object is not used.
    thread(forum=restricted, save=True)
    outsider = user(save=True)

    # NOTE(review): the result of login() is ignored here. Checking it
    # would make sure the 404 is produced for a logged-in user without
    # the permission, not for an anonymous client.
    self.client.login(username=outsider.username, password='******')

    url_args = [restricted.slug]
    response = post(self.client, 'forums.new_thread',
                    {'title': 'Blahs', 'content': 'Blahs'},
                    args=url_args)

    eq_(404, response.status_code)
def test_discussion_forum_with_restricted_forums(self):
    """Tests who can see restricted forums in search form."""
    # Both scenarios live in one long test so the setup is done once.
    open_forum = forum(name=u'ou812forum', save=True)
    open_thread = thread(forum=open_forum, title=u'audio 2', save=True)
    post(thread=open_thread, save=True)

    closed_forum = restricted_forum(name=u'restrictedkeepout', save=True)
    closed_thread = thread(forum=closed_forum, title=u'audio 2', save=True)
    post(thread=closed_thread, save=True)

    self.refresh()

    form_params = {'a': '2'}

    # Advanced Search Form before any login in this test body.
    response = self.client.get(reverse('search.advanced'), form_params)
    eq_(200, response.status_code)
    page = response.content
    # The regular forum is listed ...
    assert 'ou812forum' in page
    # ... and the restricted forum's name must not appear anywhere in the
    # page, so the form does not disclose it.
    assert 'restrictedkeepout' not in page

    # Grant view_in_forum on the restricted forum through a group.
    member = user(save=True)
    member_group = group(save=True)
    member_group.user_set.add(member)
    forum_ct = ContentType.objects.get_for_model(closed_forum)
    permission(codename='forums_forum.view_in_forum',
               content_type=forum_ct, object_id=closed_forum.id,
               group=member_group, save=True)

    # Advanced Search Form again, now as the logged-in group member.
    self.client.login(username=member.username, password='******')
    response = self.client.get(reverse('search.advanced'), form_params)
    eq_(200, response.status_code)
    page = response.content
    # Both forums should show up for the authorized user.
    assert 'ou812forum' in page
    assert 'restrictedkeepout' in page