def test_search_objects_limited_to_object_permission(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
)
record = ObjectRecordFactory.create(
geometry=Point(4.905289, 52.369918), object__object_type=self.object_type
)
ObjectRecordFactory.create(geometry=Point(4.905289, 52.369918))
url = reverse("object-search")
response = self.client.post(
url,
{
"geometry": {
"within": {
"type": "Polygon",
"coordinates": [POLYGON_AMSTERDAM_CENTRUM],
}
},
"type": self.object_type.url,
},
**GEO_WRITE_KWARGS,
)
self.assertEqual(response.status_code, status.HTTP_200_OK)
data = response.json()
self.assertEqual(len(data), 1)
self.assertEqual(
data[0]["url"],
f"http://testserver{reverse('object-detail', args=[record.object.uuid])}",
)
def test_list_incorrect_auth_fields(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "some", "record"]},
)
PermissionFactory.create(
object_type=self.other_object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "uuid", "record"]},
)
ObjectRecordFactory.create(object__object_type=self.object_type,
data={"name": "some"},
version=1)
ObjectRecordFactory.create(
object__object_type=self.other_object_type,
data={"name": "other"},
version=1,
)
response = self.client.get(self.url)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertEqual(
response.json(),
[
"Fields in the configured authorization are absent in the data: 'some'"
],
)
def test_list_no_allowed_fields(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"2": ["url", "type", "record"]},
)
PermissionFactory.create(
object_type=self.other_object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"2": ["url", "uuid", "record"]},
)
ObjectRecordFactory.create(object__object_type=self.object_type,
data={"name": "some"},
version=1)
ObjectRecordFactory.create(
object__object_type=self.other_object_type,
data={"name": "other"},
version=1,
)
url = reverse("object-list")
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.json(), [{}, {}])
self.assertIn("x-unauthorized-fields", response._headers)
def test_list_query_fields_not_allowed(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "type", "record"]},
)
PermissionFactory.create(
object_type=self.other_object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "uuid", "record"]},
)
ObjectRecordFactory.create(object__object_type=self.object_type,
data={"name": "some"})
ObjectRecordFactory.create(object__object_type=self.other_object_type,
data={"name": "other"})
response = self.client.get(self.url, {"fields": "uuid"})
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertEqual(
response.json(),
[
"'fields' query parameter has invalid or unauthorized values: 'uuid'"
],
)
def setUpTestData(cls):
super().setUpTestData()
cls.object_type = ObjectTypeFactory(service__api_root=OBJECT_TYPES_API)
cls.object = ObjectFactory.create(object_type=cls.object_type)
cls.record_1 = ObjectRecordFactory.create(
object=cls.object,
data={
"geslachtsnaam": "Poepenstaart",
"voorletters": "JP",
"geboortedatum": "1977-08-07",
"burgerlijkestaat": "ongehuwd",
},
start_at=date(1977, 8, 7),
end_at=date(2001, 9, 3),
registration_at=date(1977, 8, 15),
)
cls.record_10 = ObjectRecordFactory.create(
object=cls.object,
data={
"geslachtsnaam": "Berg",
"voorletters": "JP",
"geboortedatum": "1977-08-07",
"burgerlijkestaat": "ongehuwd",
},
start_at=date(2001, 9, 3),
end_at=date(2001, 9, 3),
registration_at=date(2001, 9, 10),
)
cls.record_40 = ObjectRecordFactory.create(
object=cls.object,
data={
"geslachtsnaam": "Bergh",
"voorvoegsel": "van den",
"voorletters": "JP",
"geboortedatum": "1977-08-07",
"burgerlijkestaat": "ongehuwd",
},
start_at=date(2001, 9, 3),
end_at=date(2005, 4, 23),
registration_at=date(2001, 11, 2),
)
cls.record_50 = ObjectRecordFactory.create(
object=cls.object,
data={
"geslachtsnaam": "Bergh",
"voorvoegsel": "van den",
"voorletters": "JP",
"geboortedatum": "1977-08-07",
"burgerlijkestaat": "gehuwd",
},
start_at=date(2005, 4, 23),
registration_at=date(2005, 4, 25),
)
PermissionFactory.create(
object_type=cls.object_type,
mode=PermissionModes.read_and_write,
token_auth=cls.token_auth,
)
def test_list_permissions_for_only_user(self):
permission1 = PermissionFactory.create(
token_auth=self.token_auth,
mode=PermissionModes.read_and_write,
)
# permission for other token
PermissionFactory.create(mode=PermissionModes.read_and_write, )
url = reverse("permission-list")
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_200_OK)
data = response.json()["results"]
self.assertEqual(len(data), 1)
self.assertEqual(
data,
[
{
"type": permission1.object_type.url,
"mode": PermissionModes.read_and_write,
"use_fields": False,
"fields": {},
},
],
)
def test_retrieve_with_query_fields(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "type", "record"]},
)
object = ObjectFactory.create(object_type=self.object_type)
record = ObjectRecordFactory.create(object=object, version=1)
url = reverse("object-detail", args=[object.uuid])
response = self.client.get(url,
{"fields": "url,type,record__data__name"})
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(
response.json(),
{
"url": f"http://testserver{url}",
"type": self.object_type.url,
"record": {
"data": {
"name": record.data["name"]
}
},
},
)
self.assertNotIn("x-unauthorized-fields", response._headers)
def test_update_object_type_invalid(self, m):
old_object_type = ObjectTypeFactory(service=self.object_type.service)
PermissionFactory.create(
object_type=old_object_type,
mode=PermissionModes.read_and_write,
token_auth=self.token_auth,
)
mock_service_oas_get(m, OBJECT_TYPES_API, "objecttypes")
m.get(self.object_type.url, json=mock_objecttype(self.object_type.url))
initial_record = ObjectRecordFactory.create(
object__object_type=old_object_type,
data={
"plantDate": "2020-04-12",
"diameter": 30
},
version=1,
)
object = initial_record.object
url = reverse("object-detail", args=[object.uuid])
data = {
"type": self.object_type.url,
}
response = self.client.patch(url, data, **GEO_WRITE_KWARGS)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
data = response.json()
self.assertEqual(
data["type"],
["This field can't be changed"],
)
def test_create_object_with_not_found_objecttype_url(self, m):
object_type_invalid = ObjectTypeFactory(
service=self.object_type.service)
PermissionFactory.create(
object_type=object_type_invalid,
mode=PermissionModes.read_and_write,
token_auth=self.token_auth,
)
mock_service_oas_get(m, OBJECT_TYPES_API, "objecttypes")
m.get(f"{object_type_invalid.url}/versions/1", status_code=404)
url = reverse("object-list")
data = {
"type": object_type_invalid.url,
"record": {
"typeVersion": 1,
"data": {
"plantDate": "2020-04-12"
},
"startAt": "2020-01-01",
},
}
response = self.client.post(url, data, **GEO_WRITE_KWARGS)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertEqual(Object.objects.count(), 0)
def setUpTestData(cls):
super().setUpTestData()
cls.object_type = ObjectTypeFactory(service__api_root=OBJECT_TYPES_API)
PermissionFactory.create(
object_type=cls.object_type,
mode=PermissionModes.read_and_write,
token_auth=cls.token_auth,
)
def test_list_with_query_fields(self):
other_object_type = ObjectTypeFactory()
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "type", "record"]},
)
PermissionFactory.create(
object_type=other_object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "uuid", "record"]},
)
record1 = ObjectRecordFactory.create(
object__object_type=self.object_type,
data={"name": "some"},
version=1)
record2 = ObjectRecordFactory.create(
object__object_type=other_object_type,
data={"name": "other"},
version=1)
response = self.client.get(self.url, {"fields": "url,record__data"})
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(
response.json(),
[
{
"url":
f"http://testserver{reverse('object-detail', args=[record2.object.uuid])}",
"record": {
"data": {
"name": "other"
},
},
},
{
"url":
f"http://testserver{reverse('object-detail', args=[record1.object.uuid])}",
"record": {
"data": {
"name": "some"
},
},
},
],
)
self.assertNotIn("x-unauthorized-fields", response._headers)
def test_destroy_with_read_only_perm(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
)
object = ObjectFactory.create(object_type=self.object_type)
ObjectRecordFactory.create(object=object)
url = reverse("object-detail", args=[object.uuid])
response = self.client.delete(url, **GEO_WRITE_KWARGS)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_history_with_read_only_permissions(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
)
object = ObjectFactory.create(object_type=self.object_type)
ObjectRecordFactory.create(object=object)
url = reverse("object-history", args=[object.uuid])
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_list_permissions(self):
permission1 = PermissionFactory.create(
token_auth=self.token_auth,
mode=PermissionModes.read_and_write,
)
permission2 = PermissionFactory.create(
token_auth=self.token_auth,
mode=PermissionModes.read_only,
use_fields=True,
fields={
"1": ["url", "uuid"],
"2": ["url", "record"]
},
)
url = reverse("permission-list")
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_200_OK)
data = response.json()
self.assertEqual(
data,
{
"count":
2,
"next":
None,
"previous":
None,
"results": [
{
"type": permission1.object_type.url,
"mode": PermissionModes.read_and_write,
"use_fields": False,
"fields": {},
},
{
"type": permission2.object_type.url,
"mode": "read_only",
"use_fields": True,
"fields": {
"1": ["url", "uuid"],
"2": ["url", "record"]
},
},
],
},
)
def test_not_allowed_field(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "type", "record__startAt", "record__index"]},
)
response = self.client.get(self.url,
{"ordering": "record__data__length"})
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertEqual(
response.json(),
[
"You are not allowed to sort on following fields: record__data__length"
],
)
def test_retrieve_incorrect_auth_fields(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "type", "some"]},
)
object = ObjectFactory.create(object_type=self.object_type)
ObjectRecordFactory.create(object=object, version=1)
url = reverse("object-detail", args=[object.uuid])
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertEqual(
response.json(),
["Fields in the configured authorization are absent in the data: 'some'"],
)
def test_search_with_fields_auth(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "type", "record__geometry"]},
)
record = ObjectRecordFactory.create(
geometry=Point(4.905289, 52.369918),
object__object_type=self.object_type,
data={"name": "some"},
version=1,
)
response = self.client.post(
self.url,
data={
"geometry": {
"within": {
"type": "Polygon",
"coordinates": [POLYGON_AMSTERDAM_CENTRUM],
}
}
},
**GEO_WRITE_KWARGS,
)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(
response.json()["results"],
[
{
"url": f"http://testserver{reverse('object-detail', args=[record.object.uuid])}",
"type": self.object_type.url,
"record": {
"geometry": {
"type": "Point",
"coordinates": [4.905289, 52.369918],
}
},
}
],
)
def test_retrieve_no_allowed_fields(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"2": ["url", "type", "record"]},
)
object = ObjectFactory.create(object_type=self.object_type)
ObjectRecordFactory.create(
object=object, data={"name": "some", "desc": "some desc"}, version=1
)
url = reverse("object-detail", args=[object.uuid])
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.json(), {})
self.assertIn("x-unauthorized-fields", response._headers)
def test_retrieve_without_query(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "type", "record__startAt"]},
)
object = ObjectFactory.create(object_type=self.object_type)
record = ObjectRecordFactory.create(object=object,
data={"name": "some"},
version=1)
url = reverse("object-detail", args=[object.uuid])
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(
response.json(),
{
"url": f"http://testserver{url}",
"type": self.object_type.url,
"record": {
"startAt": record.start_at.isoformat()
},
},
)
self.assertEqual(
set(response._headers["x-unauthorized-fields"][1].split(",")),
{
"uuid",
"record__data__name",
"record__correctionFor",
"record__endAt",
"record__correctedBy",
"record__registrationAt",
"record__index",
"record__geometry__coordinates",
"record__geometry__type",
"record__typeVersion",
},
)
def setUpTestData(cls):
super().setUpTestData()
cls.object_type = ObjectTypeFactory(service__api_root=OBJECT_TYPES_API)
PermissionFactory(
object_type=cls.object_type,
mode=PermissionModes.read_only,
token_auth=cls.token_auth,
)
ObjectRecordFactory.create_batch(10,
object__object_type=cls.object_type,
start_at=date.today())
def test_list_objects_limited_to_object_permission(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
)
object = ObjectFactory.create(object_type=self.object_type)
ObjectRecordFactory.create(object=object)
ObjectFactory.create()
url = reverse_lazy("object-list")
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_200_OK)
data = response.json()
self.assertEqual(len(data), 1)
self.assertEqual(
data[0]["url"],
f"http://testserver{reverse('object-detail', args=[object.uuid])}",
)
def test_allowed_field(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={
"1": ["url", "uuid", "type", "record__index", "record__data"],
"2": ["type", "uuid", "record__data"],
},
)
PermissionFactory.create(
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["uuid", "record__data"]},
)
record1 = ObjectRecordFactory.create(
object__object_type=self.object_type,
data={"length": 4},
version=1)
record2 = ObjectRecordFactory.create(
object__object_type=self.object_type,
data={"length": 3},
version=1)
response = self.client.get(self.url,
{"ordering": "record__data__length"})
self.assertEqual(response.status_code, status.HTTP_200_OK)
data = response.json()["results"]
self.assertEqual(len(data), 2)
self.assertEqual(data[0]["uuid"], str(record2.object.uuid))
self.assertEqual(data[1]["uuid"], str(record1.object.uuid))
def test_list_without_query_different_object_types(self):
PermissionFactory.create(
object_type=self.object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "type", "record"]},
)
PermissionFactory.create(
object_type=self.other_object_type,
mode=PermissionModes.read_only,
token_auth=self.token_auth,
use_fields=True,
fields={"1": ["url", "uuid", "record"]},
)
record1 = ObjectRecordFactory.create(
object__object_type=self.object_type,
data={"name": "some"},
version=1)
record2 = ObjectRecordFactory.create(
object__object_type=self.other_object_type,
data={"name": "other"},
version=1,
)
response = self.client.get(self.url)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(
response.json(),
[
{
"url":
f"http://testserver{reverse('object-detail', args=[record2.object.uuid])}",
"uuid": str(record2.object.uuid),
"record": {
"index": record2.index,
"typeVersion": record2.version,
"data": {
"name": "other"
},
"geometry": json.loads(record2.geometry.json),
"startAt": record2.start_at.isoformat(),
"endAt": None,
"registrationAt": record2.registration_at.isoformat(),
"correctionFor": None,
"correctedBy": None,
},
},
{
"url":
f"http://testserver{reverse('object-detail', args=[record1.object.uuid])}",
"type": self.object_type.url,
"record": {
"index": record1.index,
"typeVersion": record1.version,
"data": {
"name": "some"
},
"geometry": json.loads(record1.geometry.json),
"startAt": record1.start_at.isoformat(),
"endAt": None,
"registrationAt": record1.registration_at.isoformat(),
"correctionFor": None,
"correctedBy": None,
},
},
],
)
self.assertEqual(
response._headers["x-unauthorized-fields"][1],
f"{self.other_object_type.url}(1)=type; {self.object_type.url}(1)=uuid",
)