def setUp(self): super(TestCanBeHeroAuthorization, self).setUp() self.collection = self.make_collection() self.auth = CanBeHeroAuthorization() self.user = User.objects.get(pk=2519) self.profile = self.user.get_profile() self.view = GenericAPIView()
def setUp(self): super(TestCanBeHeroAuthorization, self).setUp() self.collection = self.make_collection() self.auth = CanBeHeroAuthorization() self.user = UserProfile.objects.get(pk=2519) self.profile = self.user self.view = GenericAPIView()
class TestCanBeHeroAuthorization(CollectionTestMixin, TestCase): enforced_verbs = ['POST', 'PUT'] fixtures = fixture('user_2519') def setUp(self): super(TestCanBeHeroAuthorization, self).setUp() self.collection = self.make_collection() self.auth = CanBeHeroAuthorization() self.user = UserProfile.objects.get(pk=2519) self.profile = self.user self.view = GenericAPIView() def give_permission(self): self.grant_permission(self.profile, 'Collections:Curate') def is_authorized_object(self, request): return self.auth.has_object_permission(request, self.view, self.collection) def request(self, verb, qs=None, content_type='application/json', encoder=json.dumps, **data): if not qs: qs = '' request = getattr(RequestFactory(), verb.lower()) request = request('/?' + qs, content_type=content_type, data=encoder(data) if data else '') request.user = self.user ACLMiddleware().process_request(request) return Request(request, parsers=[parser_cls() for parser_cls in api_settings.DEFAULT_PARSER_CLASSES]) def test_unenforced(self): """ Should always pass for GET requests. """ ok_(self.is_authorized_object(self.request('GET'))) def test_no_qs_modification(self): """ Non-GET requests should not be rejected if there is a can_be_true querystring param (which hypothetically shouldn't do anything). We're effectively testing that request.GET doesn't bleed into request.POST. """ self.give_permission() for verb in self.enforced_verbs: request = self.request(verb, qs='can_be_hero=1') ok_(not self.auth.hero_field_modified(request), verb) def test_change_permission(self): """ Should pass if the user is attempting to modify the can_be_hero field and has the permission. """ self.give_permission() for verb in self.enforced_verbs: request = self.request(verb, can_be_hero=True) ok_(self.auth.hero_field_modified(request), verb) def test_change_permission_urlencode(self): """ Should pass if the user is attempting to modify the can_be_hero field and has the permission. """ self.give_permission() for verb in self.enforced_verbs: request = self.request(verb, encoder=urlencode, content_type='application/x-www-form-urlencoded', can_be_hero=True) ok_(self.auth.hero_field_modified(request), verb) def test_no_change_no_permission(self): """ Should pass if the user does not have the permission and is not attempting to modify the can_be_hero field. """ for verb in self.enforced_verbs: request = self.request(verb) ok_(self.is_authorized_object(request), verb) def test_no_change(self): """ Should pass if the user does have the permission and is not attempting to modify the can_be_hero field. """ self.give_permission() for verb in self.enforced_verbs: request = self.request(verb) ok_(self.is_authorized_object(request), verb) def test_post_change_no_permission(self): """ Should not pass if the user is attempting to modify the can_be_hero field without the permission. """ for verb in self.enforced_verbs: request = self.request(verb, can_be_hero=True) ok_(not self.is_authorized_object(request), verb)
class TestCanBeHeroAuthorization(CollectionTestMixin, TestCase): enforced_verbs = ['POST', 'PUT'] fixtures = fixture('user_2519') def setUp(self): super(TestCanBeHeroAuthorization, self).setUp() self.collection = self.make_collection() self.auth = CanBeHeroAuthorization() self.user = User.objects.get(pk=2519) self.profile = self.user.get_profile() self.view = GenericAPIView() def give_permission(self): self.grant_permission(self.profile, 'Collections:Curate') def is_authorized_object(self, request): return self.auth.has_object_permission(request, self.view, self.collection) def request(self, verb, qs=None, **data): if not qs: qs = '' request = getattr(RequestFactory(), verb.lower()) request = request('/?' + qs, content_type='application/json', data=json.dumps(data) if data else '') request.user = self.user ACLMiddleware().process_request(request) return Request(request) def test_unenforced(self): """ Should always pass for GET requests. """ ok_(self.is_authorized_object(self.request('GET'))) def test_no_qs_modification(self): """ Non-GET requests should not be rejected if there is a can_be_true querystring param (which hypothetically shouldn't do anything). We're effectively testing that request.GET doesn't bleed into request.POST. """ self.give_permission() for verb in self.enforced_verbs: request = self.request(verb, qs='can_be_hero=1') ok_(not self.auth.hero_field_modified(request), verb) def test_change_permission(self): """ Should pass if the user is attempting to modify the can_be_hero field and has the permission. """ self.give_permission() for verb in self.enforced_verbs: request = self.request(verb, can_be_hero=True) ok_(self.auth.hero_field_modified(request), verb) def test_no_change_no_permission(self): """ Should pass if the user does not have the permission and is not attempting to modify the can_be_hero field. """ for verb in self.enforced_verbs: request = self.request(verb) ok_(self.is_authorized_object(request), verb) def test_no_change(self): """ Should pass if the user does have the permission and is not attempting to modify the can_be_hero field. """ self.give_permission() for verb in self.enforced_verbs: request = self.request(verb) ok_(self.is_authorized_object(request), verb) def test_post_change_no_permission(self): """ Should not pass if the user is attempting to modify the can_be_hero field without the permission. """ for verb in self.enforced_verbs: request = self.request(verb, can_be_hero=True) ok_(not self.is_authorized_object(request), verb)