def get_queryset(self):
"""Return the right base queryset depending on the situation. Note that
permissions checks still apply on top of that, against the add-on
as per check_object_permissions() above."""
requested = self.request.GET.get('filter')
# By default we restrict to valid versions. However:
#
# When accessing a single version or if requesting it explicitly when
# listing, admins can access all versions, including deleted ones.
should_access_all_versions_included_deleted = (
(requested == 'all_with_deleted' or self.action != 'list')
and self.request.user.is_authenticated()
and self.request.user.is_staff)
# When accessing a single version or if requesting it explicitly when
# listing, reviewers and add-on authors can access all non-deleted
# versions.
should_access_all_versions = (
(requested == 'all' or self.action != 'list')
and (AllowReviewer().has_permission(self.request, self)
or AllowAddonAuthor().has_object_permission(
self.request, self, self.get_addon_object())))
# Everyone can see (non deleted) beta version when they request it
# explicitly.
should_access_only_beta_versions = (requested == 'beta_only')
if should_access_all_versions_included_deleted:
self.queryset = Version.unfiltered.all()
elif should_access_all_versions:
self.queryset = Version.objects.all()
elif should_access_only_beta_versions:
self.queryset = Version.objects.filter(
files__status=amo.STATUS_BETA).distinct()
# Now that the base queryset has been altered, call super() to use it.
qs = super(AddonVersionViewSet, self).get_queryset()
# Filter with the add-on.
return qs.filter(addon=self.get_addon_object())
def setUp(self):
self.permission = AllowReviewer()
self.request_factory = RequestFactory()
self.unsafe_methods = ('patch', 'post', 'put', 'delete')
self.safe_methods = ('get', 'options', 'head')
class TestAllowReviewer(TestCase):
# Note: be careful when testing, under the hood we're using a method that
# relies on UserProfile.groups_list, which is cached on the UserProfile
# instance.
def setUp(self):
self.permission = AllowReviewer()
self.request_factory = RequestFactory()
self.unsafe_methods = ('patch', 'post', 'put', 'delete')
self.safe_methods = ('get', 'options', 'head')
def test_user_cannot_be_anonymous(self):
request = self.request_factory.get('/')
request.user = AnonymousUser()
obj = Mock(spec=[])
obj.has_listed_versions = lambda: True
assert not self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(request, myview, obj)
def test_authenticated_but_not_reviewer(self):
request = self.request_factory.get('/')
request.user = user_factory()
obj = Mock(spec=[])
obj.has_listed_versions = lambda: True
assert not self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(request, myview, obj)
def test_admin(self):
user = user_factory()
self.grant_permission(user, '*:*')
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
obj = Mock(spec=[])
obj.has_listed_versions = lambda: True
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(request, myview, obj)
def test_reviewer_tools_access_read_only(self):
user = user_factory()
self.grant_permission(user, 'ReviewerTools:View')
obj = Mock(spec=[])
obj.has_listed_versions = lambda: True
for method in self.safe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(request, myview, obj)
for method in self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert not self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, obj)
def test_actual_reviewer(self):
user = user_factory()
self.grant_permission(user, 'Addons:Review')
obj = Mock(spec=[])
obj.has_listed_versions = lambda: True
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(request, myview, obj)
def test_no_listed_version_reviewer(self):
user = user_factory()
self.grant_permission(user, 'Addons:Review')
obj = Mock(spec=[])
obj.has_listed_versions = lambda: False
for method in self.safe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because it's
# a safe HTTP method.
assert self.permission.has_permission(request, myview)
# It doesn't work with the object though, since
# has_listed_versions() is returning False, we don't have enough
# permissions, being a "simple" reviewer.
assert not self.permission.has_object_permission(
request, myview, obj)
for method in self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're a
# reviewer.
assert self.permission.has_permission(request, myview)
# As above it doesn't work with the object though.
assert not self.permission.has_object_permission(
request, myview, obj)
class TestAllowReviewer(TestCase):
fixtures = ['base/users']
# Note: be careful when testing, under the hood we're using a method that
# relies on UserProfile.groups_list, which is cached on the UserProfile
# instance.
def setUp(self):
self.permission = AllowReviewer()
self.request_factory = RequestFactory()
self.unsafe_methods = ('patch', 'post', 'put', 'delete')
self.safe_methods = ('get', 'options', 'head')
def test_user_cannot_be_anonymous(self):
request = self.request_factory.get('/')
request.user = AnonymousUser()
assert not self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, Mock())
def test_authenticated_but_not_reviewer(self):
request = self.request_factory.get('/')
request.user = UserProfile.objects.get(pk=999)
assert not self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, Mock())
def test_admin(self):
user = UserProfile.objects.get(email='*****@*****.**')
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(
request, myview, Mock())
def test_reviewer_tools_access_read_only(self):
user = UserProfile.objects.get(pk=999)
group = Group.objects.create(name='ReviewerTools Viewer',
rules='ReviewerTools:View')
GroupUser.objects.create(user=user, group=group)
for method in self.safe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(
request, myview, Mock())
for method in self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert not self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, Mock())
def test_actual_reviewer(self):
user = UserProfile.objects.get(email='*****@*****.**')
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(
request, myview, Mock())
def setUp(self):
self.permission = AllowReviewer()
self.request_factory = RequestFactory()
self.unsafe_methods = ("patch", "post", "put", "delete")
self.safe_methods = ("get", "options", "head")
class TestAllowReviewer(TestCase):
fixtures = ["base/users"]
# Note: be careful when testing, under the hood we're using a method that
# relies on UserProfile.groups_list, which is cached on the UserProfile
# instance.
def setUp(self):
self.permission = AllowReviewer()
self.request_factory = RequestFactory()
self.unsafe_methods = ("patch", "post", "put", "delete")
self.safe_methods = ("get", "options", "head")
def test_user_cannot_be_anonymous(self):
request = self.request_factory.get("/")
request.user = AnonymousUser()
assert not self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(request, myview, Mock())
def test_authenticated_but_not_reviewer(self):
request = self.request_factory.get("/")
request.user = UserProfile.objects.get(pk=999)
assert not self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(request, myview, Mock())
def test_admin(self):
user = UserProfile.objects.get(email="*****@*****.**")
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)("/")
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(request, myview, Mock())
def test_reviewer_tools_access_read_only(self):
user = UserProfile.objects.get(pk=999)
group = Group.objects.create(name="ReviewerTools Viewer", rules="ReviewerTools:View")
GroupUser.objects.create(user=user, group=group)
for method in self.safe_methods:
request = getattr(self.request_factory, method)("/")
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(request, myview, Mock())
for method in self.unsafe_methods:
request = getattr(self.request_factory, method)("/")
request.user = user
assert not self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(request, myview, Mock())
def test_actual_reviewer(self):
user = UserProfile.objects.get(email="*****@*****.**")
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)("/")
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(request, myview, Mock())
def setUp(self):
self.permission = AllowReviewer()
self.request_factory = RequestFactory()
self.unsafe_methods = ('patch', 'post', 'put', 'delete')
self.safe_methods = ('get', 'options', 'head')
class TestAllowReviewer(TestCase):
# Note: be careful when testing, under the hood we're using a method that
# relies on UserProfile.groups_list, which is cached on the UserProfile
# instance.
def setUp(self):
self.permission = AllowReviewer()
self.request_factory = RequestFactory()
self.unsafe_methods = ('patch', 'post', 'put', 'delete')
self.safe_methods = ('get', 'options', 'head')
def test_user_cannot_be_anonymous(self):
request = self.request_factory.get('/')
request.user = AnonymousUser()
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda: True
assert not self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, obj)
def test_authenticated_but_not_reviewer(self):
request = self.request_factory.get('/')
request.user = user_factory()
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda: True
assert self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, obj)
def test_admin(self):
user = user_factory()
self.grant_permission(user, '*:*')
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda: True
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(
request, myview, obj)
def test_reviewer_tools_access_read_only(self):
user = user_factory()
self.grant_permission(user, 'ReviewerTools:View')
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda: True
for method in self.safe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(
request, myview, obj)
for method in self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, obj)
def test_legacy_reviewer(self):
user = user_factory()
self.grant_permission(user, 'Addons:Review')
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda: True
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(
request, myview, obj)
# Does not have access to static themes.
obj.type = amo.ADDON_STATICTHEME
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, obj)
def test_post_reviewer(self):
user = user_factory()
self.grant_permission(user, 'Addons:PostReview')
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda: True
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(
request, myview, obj)
# Does not have access to static themes.
obj.type = amo.ADDON_STATICTHEME
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, obj)
def test_theme_reviewer(self):
user = user_factory()
self.grant_permission(user, 'Addons:ThemeReview')
obj = Mock(spec=[])
obj.type = amo.ADDON_STATICTHEME
obj.has_listed_versions = lambda: True
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(
request, myview, obj)
# Does not have access to other extensions.
obj.type = amo.ADDON_EXTENSION
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, obj)
def test_no_listed_version_reviewer(self):
user = user_factory()
self.grant_permission(user, 'Addons:Review')
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda: False
for method in self.safe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
# It doesn't work with the object though, since
# has_listed_versions() is returning False, we don't have enough
# permissions, being a "simple" reviewer.
assert not self.permission.has_object_permission(
request, myview, obj)
for method in self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
# As above it doesn't work with the object though.
assert not self.permission.has_object_permission(
request, myview, obj)
