コード例 #1
class TestAllowReviewer(TestCase):
    """Authorization matrix for the ``AllowReviewer`` permission class.

    Every test attaches a user to a ``RequestFactory`` request and asserts
    what ``has_permission`` (view level) and ``has_object_permission``
    (object level) return for that user and HTTP verb.
    """

    fixtures = ["base/users"]

    # Careful when adding tests: the check used under the hood reads
    # UserProfile.groups_list, which is cached on the UserProfile instance.
    #
    # NOTE(review): the object passed to has_object_permission is a bare
    # Mock(), which answers any attribute access with a truthy Mock. These
    # tests therefore cannot fail because of an object attribute -- confirm
    # that the object plays no part in the decision being asserted.
    def setUp(self):
        """Create the permission under test and the two HTTP verb groups."""
        self.safe_methods = ("get", "options", "head")
        self.unsafe_methods = ("patch", "post", "put", "delete")
        self.request_factory = RequestFactory()
        self.permission = AllowReviewer()

    def _request_for(self, user, method="get"):
        """Build a ``method`` request for "/" with ``user`` attached."""
        build = getattr(self.request_factory, method)
        request = build("/")
        request.user = user
        return request

    def test_user_cannot_be_anonymous(self):
        """An anonymous GET is refused at view level and at object level."""
        # NOTE(review): only GET is exercised; the unsafe verbs are not
        # covered for anonymous users by this test.
        anonymous_request = self._request_for(AnonymousUser())
        assert not self.permission.has_permission(anonymous_request, myview)
        assert not self.permission.has_object_permission(
            anonymous_request, myview, Mock())

    def test_authenticated_but_not_reviewer(self):
        """A logged-in user without reviewer rights is refused on GET."""
        # NOTE(review): only GET is exercised here as well.
        plain_user = UserProfile.objects.get(pk=999)
        request = self._request_for(plain_user)
        assert not self.permission.has_permission(request, myview)
        assert not self.permission.has_object_permission(
            request, myview, Mock())

    def test_admin(self):
        """The looked-up user is allowed for every verb, at both levels."""
        # NOTE(review): the e-mail literal appears masked in this listing and
        # is the same literal test_actual_reviewer uses, so as shown both
        # tests select the same user -- restore the distinct fixture
        # addresses before relying on them.
        admin = UserProfile.objects.get(email="*****@*****.**")

        every_method = self.safe_methods + self.unsafe_methods
        for verb in every_method:
            request = self._request_for(admin, verb)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, Mock())

    def test_reviewer_tools_access_read_only(self):
        """``ReviewerTools:View`` allows the safe verbs and nothing else."""
        viewer = UserProfile.objects.get(pk=999)
        # The group membership is created before the first permission check
        # on this user (see the groups_list caching note on the class).
        viewer_group = Group.objects.create(
            name="ReviewerTools Viewer", rules="ReviewerTools:View")
        GroupUser.objects.create(user=viewer, group=viewer_group)

        for verb in self.safe_methods:
            request = self._request_for(viewer, verb)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, Mock())

        # Write-capable verbs must be refused for a view-only account.
        for verb in self.unsafe_methods:
            request = self._request_for(viewer, verb)
            assert not self.permission.has_permission(request, myview)
            assert not self.permission.has_object_permission(
                request, myview, Mock())

    def test_actual_reviewer(self):
        """The looked-up user is allowed for every verb, at both levels."""
        # NOTE(review): same masked e-mail literal as test_admin; see there.
        reviewer = UserProfile.objects.get(email="*****@*****.**")

        every_method = self.safe_methods + self.unsafe_methods
        for verb in every_method:
            request = self._request_for(reviewer, verb)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, Mock())
コード例 #2
class TestAllowReviewer(TestCase):
    """Authorization matrix for the ``AllowReviewer`` permission class.

    Every test attaches a user to a ``RequestFactory`` request and asserts
    what ``has_permission`` (view level) and ``has_object_permission``
    (object level) return for that user, HTTP verb and add-on stand-in.
    """

    # Careful when adding tests: the check used under the hood reads
    # UserProfile.groups_list, which is cached on the UserProfile instance.
    def setUp(self):
        """Create the permission under test and the two HTTP verb groups."""
        self.safe_methods = ('get', 'options', 'head')
        self.unsafe_methods = ('patch', 'post', 'put', 'delete')
        self.request_factory = RequestFactory()
        self.permission = AllowReviewer()

    def _request_for(self, user, method='get'):
        """Build a ``method`` request for '/' with ``user`` attached."""
        build = getattr(self.request_factory, method)
        request = build('/')
        request.user = user
        return request

    def _addon_stub(self, listed=True):
        """Return a strict stand-in whose only attribute is the listed flag.

        ``Mock(spec=[])`` raises AttributeError for names that were never
        assigned, so the permission can read ``has_listed_versions`` and
        nothing else from the stub.
        """
        stub = Mock(spec=[])
        stub.has_listed_versions = lambda: listed
        return stub

    def test_user_cannot_be_anonymous(self):
        """An anonymous GET is refused at view level and at object level."""
        # NOTE(review): only GET is exercised; the unsafe verbs are not
        # covered for anonymous users by this test.
        anonymous_request = self._request_for(AnonymousUser())
        addon = self._addon_stub()

        assert not self.permission.has_permission(anonymous_request, myview)
        assert not self.permission.has_object_permission(
            anonymous_request, myview, addon)

    def test_authenticated_but_not_reviewer(self):
        """A logged-in user without any grant is refused on GET."""
        # NOTE(review): only GET is exercised here as well.
        request = self._request_for(user_factory())
        addon = self._addon_stub()
        assert not self.permission.has_permission(request, myview)
        assert not self.permission.has_object_permission(
            request, myview, addon)

    def test_admin(self):
        """The wildcard grant '*:*' passes every verb at both levels."""
        admin = user_factory()
        self.grant_permission(admin, '*:*')

        every_method = self.safe_methods + self.unsafe_methods
        for verb in every_method:
            request = self._request_for(admin, verb)
            # A fresh stand-in is built for each verb.
            addon = self._addon_stub()
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, addon)

    def test_reviewer_tools_access_read_only(self):
        """``ReviewerTools:View`` allows the safe verbs and nothing else."""
        viewer = user_factory()
        self.grant_permission(viewer, 'ReviewerTools:View')
        addon = self._addon_stub()

        for verb in self.safe_methods:
            request = self._request_for(viewer, verb)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, addon)

        # Write-capable verbs must be refused for a view-only account.
        for verb in self.unsafe_methods:
            request = self._request_for(viewer, verb)
            assert not self.permission.has_permission(request, myview)
            assert not self.permission.has_object_permission(
                request, myview, addon)

    def test_actual_reviewer(self):
        """``Addons:Review`` passes every verb on an add-on with listed versions."""
        reviewer = user_factory()
        self.grant_permission(reviewer, 'Addons:Review')
        addon = self._addon_stub()

        every_method = self.safe_methods + self.unsafe_methods
        for verb in every_method:
            request = self._request_for(reviewer, verb)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, addon)

    def test_no_listed_version_reviewer(self):
        """``Addons:Review`` is refused at object level without listed versions."""
        reviewer = user_factory()
        self.grant_permission(reviewer, 'Addons:Review')
        unlisted_addon = self._addon_stub(listed=False)

        for verb in self.safe_methods:
            request = self._request_for(reviewer, verb)

            # Without the object the check passes, because the HTTP method
            # is a safe one.
            assert self.permission.has_permission(request, myview)

            # With the object it is refused: has_listed_versions() returns
            # False and a "simple" reviewer does not have enough permissions.
            assert not self.permission.has_object_permission(
                request, myview, unlisted_addon)

        for verb in self.unsafe_methods:
            request = self._request_for(reviewer, verb)

            # Without the object the check passes, because the user is a
            # reviewer.
            assert self.permission.has_permission(request, myview)

            # Same refusal as above once the object is taken into account.
            assert not self.permission.has_object_permission(
                request, myview, unlisted_addon)
コード例 #3
class TestAllowReviewer(TestCase):
    """Authorization matrix for the ``AllowReviewer`` permission class.

    Every test attaches a user to a ``RequestFactory`` request and asserts
    what ``has_permission`` (view level) and ``has_object_permission``
    (object level) return for that user and HTTP verb.
    """

    fixtures = ['base/users']

    # Careful when adding tests: the check used under the hood reads
    # UserProfile.groups_list, which is cached on the UserProfile instance.
    #
    # NOTE(review): the object passed to has_object_permission is a bare
    # Mock(), which answers any attribute access with a truthy Mock. These
    # tests therefore cannot fail because of an object attribute -- confirm
    # that the object plays no part in the decision being asserted.
    def setUp(self):
        """Create the permission under test and the two HTTP verb groups."""
        self.safe_methods = ('get', 'options', 'head')
        self.unsafe_methods = ('patch', 'post', 'put', 'delete')
        self.request_factory = RequestFactory()
        self.permission = AllowReviewer()

    def _request_for(self, user, method='get'):
        """Build a ``method`` request for '/' with ``user`` attached."""
        build = getattr(self.request_factory, method)
        request = build('/')
        request.user = user
        return request

    def test_user_cannot_be_anonymous(self):
        """An anonymous GET is refused at view level and at object level."""
        # NOTE(review): only GET is exercised; the unsafe verbs are not
        # covered for anonymous users by this test.
        anonymous_request = self._request_for(AnonymousUser())
        assert not self.permission.has_permission(anonymous_request, myview)
        assert not self.permission.has_object_permission(
            anonymous_request, myview, Mock())

    def test_authenticated_but_not_reviewer(self):
        """A logged-in user without reviewer rights is refused on GET."""
        # NOTE(review): only GET is exercised here as well.
        plain_user = UserProfile.objects.get(pk=999)
        request = self._request_for(plain_user)
        assert not self.permission.has_permission(request, myview)
        assert not self.permission.has_object_permission(
            request, myview, Mock())

    def test_admin(self):
        """The looked-up user is allowed for every verb, at both levels."""
        # NOTE(review): the e-mail literal appears masked in this listing and
        # is the same literal test_actual_reviewer uses, so as shown both
        # tests select the same user -- restore the distinct fixture
        # addresses before relying on them.
        admin = UserProfile.objects.get(email='*****@*****.**')

        every_method = self.safe_methods + self.unsafe_methods
        for verb in every_method:
            request = self._request_for(admin, verb)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, Mock())

    def test_reviewer_tools_access_read_only(self):
        """``ReviewerTools:View`` allows the safe verbs and nothing else."""
        viewer = UserProfile.objects.get(pk=999)
        # The group membership is created before the first permission check
        # on this user (see the groups_list caching note on the class).
        viewer_group = Group.objects.create(
            name='ReviewerTools Viewer', rules='ReviewerTools:View')
        GroupUser.objects.create(user=viewer, group=viewer_group)

        for verb in self.safe_methods:
            request = self._request_for(viewer, verb)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, Mock())

        # Write-capable verbs must be refused for a view-only account.
        for verb in self.unsafe_methods:
            request = self._request_for(viewer, verb)
            assert not self.permission.has_permission(request, myview)
            assert not self.permission.has_object_permission(
                request, myview, Mock())

    def test_actual_reviewer(self):
        """The looked-up user is allowed for every verb, at both levels."""
        # NOTE(review): same masked e-mail literal as test_admin; see there.
        reviewer = UserProfile.objects.get(email='*****@*****.**')

        every_method = self.safe_methods + self.unsafe_methods
        for verb in every_method:
            request = self._request_for(reviewer, verb)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, Mock())
コード例 #4
ファイル: test_permissions.py プロジェクト: eviljeff/olympia
class TestAllowReviewer(TestCase):
    """Authorization matrix for ``AllowReviewer``, split by add-on type.

    Every test attaches a user to a ``RequestFactory`` request and asserts
    what ``has_permission`` (view level) and ``has_object_permission``
    (object level) return for that user, HTTP verb and add-on stand-in.

    NOTE(review): as asserted below, the view-level check admits any
    authenticated user, so the reviewer restriction is only enforced where
    the object-level check actually runs -- confirm every view using this
    permission performs it.
    """

    # Careful when adding tests: the check used under the hood reads
    # UserProfile.groups_list, which is cached on the UserProfile instance.
    def setUp(self):
        """Create the permission under test and the two HTTP verb groups."""
        self.safe_methods = ('get', 'options', 'head')
        self.unsafe_methods = ('patch', 'post', 'put', 'delete')
        self.request_factory = RequestFactory()
        self.permission = AllowReviewer()

    def _request_for(self, user, method='get'):
        """Build a ``method`` request for '/' with ``user`` attached."""
        build = getattr(self.request_factory, method)
        request = build('/')
        request.user = user
        return request

    def _addon_stub(self, addon_type, listed=True):
        """Return a strict stand-in exposing only a type and a listed flag.

        ``Mock(spec=[])`` raises AttributeError for names that were never
        assigned, so the permission can read ``type`` and
        ``has_listed_versions`` and nothing else from the stub.
        """
        stub = Mock(spec=[])
        stub.type = addon_type
        stub.has_listed_versions = lambda: listed
        return stub

    def test_user_cannot_be_anonymous(self):
        """An anonymous GET is refused at view level and at object level."""
        # NOTE(review): only GET is exercised; the unsafe verbs are not
        # covered for anonymous users by this test.
        anonymous_request = self._request_for(AnonymousUser())
        addon = self._addon_stub(amo.ADDON_EXTENSION)

        assert not self.permission.has_permission(anonymous_request, myview)
        assert not self.permission.has_object_permission(
            anonymous_request, myview, addon)

    def test_authenticated_but_not_reviewer(self):
        """A user without any grant passes view level but not object level."""
        # NOTE(review): only GET is exercised here as well.
        request = self._request_for(user_factory())
        addon = self._addon_stub(amo.ADDON_EXTENSION)
        assert self.permission.has_permission(request, myview)
        assert not self.permission.has_object_permission(
            request, myview, addon)

    def test_admin(self):
        """The wildcard grant '*:*' passes every verb at both levels."""
        admin = user_factory()
        self.grant_permission(admin, '*:*')

        every_method = self.safe_methods + self.unsafe_methods
        for verb in every_method:
            request = self._request_for(admin, verb)
            # A fresh stand-in is built for each verb.
            addon = self._addon_stub(amo.ADDON_EXTENSION)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, addon)

    def test_reviewer_tools_access_read_only(self):
        """``ReviewerTools:View`` reaches the object with safe verbs only."""
        viewer = user_factory()
        self.grant_permission(viewer, 'ReviewerTools:View')
        addon = self._addon_stub(amo.ADDON_EXTENSION)

        for verb in self.safe_methods:
            request = self._request_for(viewer, verb)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, addon)

        for verb in self.unsafe_methods:
            request = self._request_for(viewer, verb)
            # Without the object the check passes, because the user is
            # authenticated.
            assert self.permission.has_permission(request, myview)
            assert not self.permission.has_object_permission(
                request, myview, addon)

    def test_legacy_reviewer(self):
        """``Addons:Review`` covers extensions but not static themes."""
        reviewer = user_factory()
        self.grant_permission(reviewer, 'Addons:Review')
        addon = self._addon_stub(amo.ADDON_EXTENSION)
        every_method = self.safe_methods + self.unsafe_methods

        for verb in every_method:
            request = self._request_for(reviewer, verb)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, addon)

        # The same stand-in is switched to a static theme: no access.
        addon.type = amo.ADDON_STATICTHEME
        for verb in every_method:
            request = self._request_for(reviewer, verb)
            # Without the object the check passes, because the user is
            # authenticated.
            assert self.permission.has_permission(request, myview)
            assert not self.permission.has_object_permission(
                request, myview, addon)

    def test_post_reviewer(self):
        """``Addons:PostReview`` covers extensions but not static themes."""
        reviewer = user_factory()
        self.grant_permission(reviewer, 'Addons:PostReview')
        addon = self._addon_stub(amo.ADDON_EXTENSION)
        every_method = self.safe_methods + self.unsafe_methods

        for verb in every_method:
            request = self._request_for(reviewer, verb)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, addon)

        # The same stand-in is switched to a static theme: no access.
        addon.type = amo.ADDON_STATICTHEME
        for verb in every_method:
            request = self._request_for(reviewer, verb)
            # Without the object the check passes, because the user is
            # authenticated.
            assert self.permission.has_permission(request, myview)
            assert not self.permission.has_object_permission(
                request, myview, addon)

    def test_theme_reviewer(self):
        """``Addons:ThemeReview`` covers static themes but not extensions."""
        reviewer = user_factory()
        self.grant_permission(reviewer, 'Addons:ThemeReview')
        addon = self._addon_stub(amo.ADDON_STATICTHEME)
        every_method = self.safe_methods + self.unsafe_methods

        for verb in every_method:
            request = self._request_for(reviewer, verb)
            assert self.permission.has_permission(request, myview)
            assert self.permission.has_object_permission(
                request, myview, addon)

        # The same stand-in is switched to an extension: no access.
        addon.type = amo.ADDON_EXTENSION
        for verb in every_method:
            request = self._request_for(reviewer, verb)
            # Without the object the check passes, because the user is
            # authenticated.
            assert self.permission.has_permission(request, myview)
            assert not self.permission.has_object_permission(
                request, myview, addon)

    def test_no_listed_version_reviewer(self):
        """``Addons:Review`` is refused at object level without listed versions."""
        reviewer = user_factory()
        self.grant_permission(reviewer, 'Addons:Review')
        unlisted_addon = self._addon_stub(amo.ADDON_EXTENSION, listed=False)

        for verb in self.safe_methods:
            request = self._request_for(reviewer, verb)

            # Without the object the check passes, because the user is
            # authenticated.
            assert self.permission.has_permission(request, myview)

            # With the object it is refused: has_listed_versions() returns
            # False and a "simple" reviewer does not have enough permissions.
            assert not self.permission.has_object_permission(
                request, myview, unlisted_addon)

        for verb in self.unsafe_methods:
            request = self._request_for(reviewer, verb)

            # Without the object the check passes, because the user is
            # authenticated.
            assert self.permission.has_permission(request, myview)

            # Same refusal as above once the object is taken into account.
            assert not self.permission.has_object_permission(
                request, myview, unlisted_addon)