def test_move_project_owner(self): # create project and publish form to project self._publish_xls_form_to_project() alice_data = {'username': '******', 'email': '*****@*****.**'} alice_profile = self._create_user_profile(alice_data) alice = alice_profile.user projectid = self.project.pk self.assertFalse(OwnerRole.user_has_role(alice, self.project)) view = ProjectViewSet.as_view({ 'patch': 'partial_update' }) data_patch = { 'owner': 'http://testserver/api/v1/users/%s' % alice.username } request = self.factory.patch('/', data=data_patch, **self.extra) response = view(request, pk=projectid) self.project.reload() self.assertEqual(response.status_code, 200) self.assertEquals(self.project.organization, alice) self.assertTrue(OwnerRole.user_has_role(alice, self.project))
def test_owner_cannot_remove_self_if_no_other_owner(self): self._project_create() view = ProjectViewSet.as_view({'put': 'share'}) data = {'username': '******', 'remove': True, 'role': 'owner'} request = self.factory.put('/', data=data, **self.extra) response = view(request, pk=self.project.pk) self.assertEqual(response.status_code, 400) error = {'remove': [u"Project requires at least one owner"]} self.assertEquals(response.data, error) self.assertTrue(OwnerRole.user_has_role(self.user, self.project)) alice_data = {'username': '******', 'email': '*****@*****.**'} profile = self._create_user_profile(alice_data) OwnerRole.add(profile.user, self.project) view = ProjectViewSet.as_view({'put': 'share'}) data = {'username': '******', 'remove': True, 'role': 'owner'} request = self.factory.put('/', data=data, **self.extra) response = view(request, pk=self.project.pk) self.assertEqual(response.status_code, 204) self.assertFalse(OwnerRole.user_has_role(self.user, self.project))
def test_org_members_added_to_projects(self): # create org self._org_create() view = OrganizationProfileViewSet.as_view({ 'post': 'members', 'get': 'retrieve', 'put': 'members' }) # create aboy self.profile_data['username'] = "******" aboy = self._create_user_profile().user data = {'username': '******', 'role': 'owner'} request = self.factory.post( '/', data=json.dumps(data), content_type="application/json", **self.extra) response = view(request, user='******') self.assertEqual(response.status_code, 201) # create a proj project_data = { 'owner': self.company_data['user'] } self._project_create(project_data) self._publish_xls_form_to_project() # create alice self.profile_data['username'] = "******" alice = self._create_user_profile().user alice_data = {'username': '******', 'role': 'owner'} request = self.factory.post( '/', data=json.dumps(alice_data), content_type="application/json", **self.extra) response = view(request, user='******') self.assertEqual(response.status_code, 201) # Assert that user added in org is added to teams in proj self.assertTrue(OwnerRole.user_has_role(aboy, self.project)) self.assertTrue(OwnerRole.user_has_role(alice, self.project)) self.assertTrue(OwnerRole.user_has_role(aboy, self.xform)) self.assertTrue(OwnerRole.user_has_role(alice, self.xform)) # Org admins are added to owners in project projectView = ProjectViewSet.as_view({ 'get': 'retrieve' }) request = self.factory.get('/', **self.extra) response = projectView(request, pk=self.project.pk) project_users = response.data.get('users') users_in_users = [user['user'] for user in project_users] self.assertIn('bob', users_in_users) self.assertIn('denoinc', users_in_users) self.assertIn('aboy', users_in_users) self.assertIn('alice', users_in_users)
def test_publish_xlsform(self): view = XFormViewSet.as_view({"post": "create"}) data = { "owner": "http://testserver/api/v1/users/bob", "public": False, "public_data": False, "description": u"transportation_2011_07_25", "downloadable": True, "allows_sms": False, "encrypted": False, "sms_id_string": u"transportation_2011_07_25", "id_string": u"transportation_2011_07_25", "title": u"transportation_2011_07_25", "bamboo_dataset": u"", } path = os.path.join( settings.ONADATA_DIR, "apps", "main", "tests", "fixtures", "transportation", "transportation.xls" ) with open(path) as xls_file: post_data = {"xls_file": xls_file} request = self.factory.post("/", data=post_data, **self.extra) response = view(request) self.assertEqual(response.status_code, 201) xform = self.user.xforms.all()[0] data.update({"url": "http://testserver/api/v1/forms/%s" % xform.pk}) self.assertDictContainsSubset(data, response.data) self.assertTrue(OwnerRole.user_has_role(self.user, xform)) self.assertEquals("owner", response.data["users"][0]["role"])
def test_publish_xlsform(self): view = XFormViewSet.as_view({ 'post': 'create' }) data = { 'owner': 'http://testserver/api/v1/users/bob', 'public': False, 'public_data': False, 'description': u'transportation_2011_07_25', 'downloadable': True, 'allows_sms': False, 'encrypted': False, 'sms_id_string': u'transportation_2011_07_25', 'id_string': u'transportation_2011_07_25', 'title': u'transportation_2011_07_25', 'bamboo_dataset': u'' } path = os.path.join( settings.PROJECT_ROOT, "apps", "main", "tests", "fixtures", "transportation", "transportation.xls") with open(path) as xls_file: post_data = {'xls_file': xls_file} request = self.factory.post('/', data=post_data, **self.extra) response = view(request) self.assertEqual(response.status_code, 201) xform = self.user.xforms.all()[0] data.update({ 'url': 'http://testserver/api/v1/forms/%s' % xform.pk }) self.assertDictContainsSubset(data, response.data) self.assertTrue(OwnerRole.user_has_role(self.user, xform)) self.assertEquals("owner", response.data['users'][0]['role'])
def test_publish_xlsform(self): view = XFormViewSet.as_view({'post': 'create'}) data = { 'owner': 'http://testserver/api/v1/users/bob', 'public': False, 'public_data': False, 'description': u'transportation_2011_07_25', 'downloadable': True, 'allows_sms': False, 'encrypted': False, 'sms_id_string': u'transportation_2011_07_25', 'id_string': u'transportation_2011_07_25', 'title': u'transportation_2011_07_25', 'bamboo_dataset': u'' } path = os.path.join(settings.PROJECT_ROOT, "apps", "main", "tests", "fixtures", "transportation", "transportation.xls") with open(path) as xls_file: post_data = {'xls_file': xls_file} request = self.factory.post('/', data=post_data, **self.extra) response = view(request) self.assertEqual(response.status_code, 201) xform = self.user.xforms.all()[0] data.update( {'url': 'http://testserver/api/v1/forms/%s' % xform.pk}) self.assertDictContainsSubset(data, response.data) self.assertTrue(OwnerRole.user_has_role(self.user, xform)) self.assertEquals("owner", response.data['users'][0]['role'])
def test_publish_select_external_xlsform(self): view = XFormViewSet.as_view({'post': 'create'}) path = os.path.join(settings.PROJECT_ROOT, "apps", "api", "tests", "fixtures", "select_one_external.xlsx") with open(path) as xls_file: meta_count = MetaData.objects.count() post_data = {'xls_file': xls_file} request = self.factory.post('/', data=post_data, **self.extra) response = view(request) self.assertEqual(response.status_code, 201) self.assertEqual(meta_count + 1, MetaData.objects.count()) xform = self.user.xforms.all()[0] metadata = xform.metadata_set.all()[0] self.assertEqual('itemsets.csv', metadata.data_value) self.assertTrue(OwnerRole.user_has_role(self.user, xform)) self.assertTrue(OwnerRole.user_has_role(self.user, metadata)) self.assertEquals("owner", response.data['users'][0]['role'])
def test_publish_xls_form_to_organization_project(self): self._org_create() project_data = { 'owner': self.company_data['user'] } self._project_create(project_data) self._publish_xls_form_to_project() self.assertTrue(OwnerRole.user_has_role(self.user, self.xform))
def test_owner_cannot_remove_self_if_no_other_owner(self): self._project_create() view = ProjectViewSet.as_view({ 'put': 'share' }) ManagerRole.add(self.user, self.project) tom_data = {'username': '******', 'email': '*****@*****.**'} bob_profile = self._create_user_profile(tom_data) OwnerRole.add(bob_profile.user, self.project) data = {'username': '******', 'remove': True, 'role': 'owner'} request = self.factory.put('/', data=data, **self.extra) response = view(request, pk=self.project.pk) self.assertEqual(response.status_code, 400) error = {'remove': [u"Project requires at least one owner"]} self.assertEquals(response.data, error) self.assertTrue(OwnerRole.user_has_role(bob_profile.user, self.project)) alice_data = {'username': '******', 'email': '*****@*****.**'} profile = self._create_user_profile(alice_data) OwnerRole.add(profile.user, self.project) view = ProjectViewSet.as_view({ 'put': 'share' }) data = {'username': '******', 'remove': True, 'role': 'owner'} request = self.factory.put('/', data=data, **self.extra) response = view(request, pk=self.project.pk) self.assertEqual(response.status_code, 204) self.assertFalse(OwnerRole.user_has_role(bob_profile.user, self.project))
def test_reassign_role_owner_to_editor(self): self._publish_transportation_form() alice = self._create_user('alice', 'alice') self.assertFalse(OwnerRole.user_has_role(alice, self.xform)) OwnerRole.add(alice, self.xform) self.assertTrue(OwnerRole.user_has_role(alice, self.xform)) self.assertTrue( OwnerRole.has_role(perms_for(alice, self.xform), self.xform)) EditorRole.add(alice, self.xform) self.assertFalse(OwnerRole.user_has_role(alice, self.xform)) self.assertTrue(EditorRole.user_has_role(alice, self.xform)) self.assertFalse( OwnerRole.has_role(perms_for(alice, self.xform), self.xform)) self.assertTrue( EditorRole.has_role(perms_for(alice, self.xform), self.xform))
def test_reassign_role_owner_to_editor(self): self._publish_transportation_form() alice = self._create_user('alice', 'alice') self.assertFalse(OwnerRole.user_has_role(alice, self.xform)) OwnerRole.add(alice, self.xform) self.assertTrue(OwnerRole.user_has_role(alice, self.xform)) self.assertTrue(OwnerRole.has_role( perms_for(alice, self.xform), self.xform)) EditorRole.add(alice, self.xform) self.assertFalse(OwnerRole.user_has_role(alice, self.xform)) self.assertTrue(EditorRole.user_has_role(alice, self.xform)) self.assertFalse(OwnerRole.has_role( perms_for(alice, self.xform), self.xform)) self.assertTrue(EditorRole.has_role( perms_for(alice, self.xform), self.xform))
def test_publish_select_external_xlsform(self): view = XFormViewSet.as_view({ 'post': 'create' }) path = os.path.join( settings.PROJECT_ROOT, "apps", "api", "tests", "fixtures", "select_one_external.xlsx") with open(path) as xls_file: meta_count = MetaData.objects.count() post_data = {'xls_file': xls_file} request = self.factory.post('/', data=post_data, **self.extra) response = view(request) self.assertEqual(response.status_code, 201) self.assertEqual(meta_count + 1, MetaData.objects.count()) xform = self.user.xforms.all()[0] metadata = xform.metadata_set.all()[0] self.assertEqual('itemsets.csv', metadata.data_value) self.assertTrue(OwnerRole.user_has_role(self.user, xform)) self.assertTrue(OwnerRole.user_has_role(self.user, metadata)) self.assertEquals("owner", response.data['users'][0]['role'])
def test_project_users_get_readonly_role_on_add_form(self): self._project_create() alice_data = {'username': '******', 'email': '*****@*****.**'} alice_profile = self._create_user_profile(alice_data) ReadOnlyRole.add(alice_profile.user, self.project) self.assertTrue(ReadOnlyRole.user_has_role(alice_profile.user, self.project)) self._publish_xls_form_to_project() self.assertTrue(ReadOnlyRole.user_has_role(alice_profile.user, self.xform)) self.assertFalse(OwnerRole.user_has_role(alice_profile.user, self.xform))
def test_project_users_get_readonly_role_on_add_form(self): self._project_create() alice_data = {'username': '******', 'email': '*****@*****.**'} alice_profile = self._create_user_profile(alice_data) ReadOnlyRole.add(alice_profile.user, self.project) self.assertTrue( ReadOnlyRole.user_has_role(alice_profile.user, self.project)) self._publish_xls_form_to_project() self.assertTrue( ReadOnlyRole.user_has_role(alice_profile.user, self.xform)) self.assertFalse( OwnerRole.user_has_role(alice_profile.user, self.xform))
def test_creator_permissions(self): """ Test that the creator of the organization has the necessary permissions """ self._org_create() request = self.factory.get('/', **self.extra) response = self.view(request) self.assertNotEqual(response.get('Cache-Control'), None) self.assertEqual(response.status_code, 200) orgs = OrganizationProfile.objects.filter(creator=self.user) self.assertEqual(orgs.count(), 1) org = orgs.first() self.assertTrue(OwnerRole.user_has_role(self.user, org)) self.assertTrue( OwnerRole.user_has_role(self.user, org.userprofile_ptr)) members_view = OrganizationProfileViewSet.as_view({ 'post': 'members', 'delete': 'members' }) # New admins should also have the required permissions self.profile_data['username'] = "******" dave = self._create_user_profile().user data = {'username': '******', 'role': 'owner'} request = self.factory.post( '/', data=json.dumps(data), content_type="application/json", **self.extra) response = members_view(request, user='******') self.assertEqual(response.status_code, 201) # Ensure user has role self.assertTrue(OwnerRole.user_has_role(dave, org)) self.assertTrue( OwnerRole.user_has_role(dave, org.userprofile_ptr)) # Permissions should be removed when the user is removed from # organization request = self.factory.delete('/', data=json.dumps(data), content_type="application/json", **self.extra) response = members_view(request, user='******') expected_results = [u'denoinc'] self.assertEqual(expected_results, response.data) # Ensure permissions are removed self.assertFalse(OwnerRole.user_has_role(dave, org)) self.assertFalse( OwnerRole.user_has_role(dave, org.userprofile_ptr))
def validate_content_object(self, value): request = self.context.get('request') users = get_users_with_perms( value.project, attach_perms=False, with_group_users=False ) profile = value.project.organization.profile # Shared or an admin in the organization if request.user not in users and not\ is_organization(profile) and not\ OwnerRole.user_has_role(request.user, profile): raise serializers.ValidationError(_( u"You don't have permission to the Project." )) return value
def test_cannot_share_project_to_owner(self): # create project and publish form to project self._publish_xls_form_to_project() data = {'username': self.user.username, 'role': ManagerRole.name, 'email_msg': 'I have shared the project with you'} request = self.factory.post('/', data=data, **self.extra) view = ProjectViewSet.as_view({ 'post': 'share' }) response = view(request, pk=self.project.pk) self.assertEqual(response.status_code, 400) self.assertEqual(response.data['username'], [u"Cannot share project" u" with the owner"]) self.assertTrue(OwnerRole.user_has_role(self.user, self.project))
def test_create_organization_creates_team_and_perms(self): # create a user - bob profile = tools.create_organization_object("modilabs", self.user) profile.save() self.assertIsInstance(profile, OrganizationProfile) organization_profile = OrganizationProfile.objects.get( user__username="******") # check organization was created self.assertTrue(organization_profile.is_organization) self.assertTrue(hasattr(profile, 'metadata')) # check that the default team was created team_name = "modilabs#%s" % Team.OWNER_TEAM_NAME team = Team.objects.get(organization=organization_profile.user, name=team_name) self.assertIsInstance(team, Team) self.assertIn(team.group_ptr, self.user.groups.all()) self.assertTrue(self.user.has_perm('api.is_org_owner')) # Assert that the user has the OwnerRole for the Organization self.assertTrue( OwnerRole.user_has_role(self.user, organization_profile))
def test_form_id_filter_for_require_auth_account(self): """ Test formList formID filter for account that requires authentication """ # Bob submit forms xls_path = os.path.join(settings.PROJECT_ROOT, "apps", "main", "tests", "fixtures", "tutorial.xls") self._publish_xls_form_to_project(xlsform_path=xls_path) xls_file_path = os.path.join(settings.PROJECT_ROOT, "apps", "logger", "fixtures", "external_choice_form_v1.xlsx") self._publish_xls_form_to_project(xlsform_path=xls_file_path) # Set require auth to true self.user.profile.require_auth = True self.user.profile.save() request = self.factory.get('/', {'formID': self.xform.id_string}) response = self.view(request, username=self.user.username) self.assertEqual(response.status_code, 401) # Test for authenticated user but unrecognized formID auth = DigestAuth('bob', 'bobbob') request = self.factory.get('/', {'formID': 'unrecognizedID'}) request.META.update(auth(request.META, response)) response = self.view(request, username=self.user.username) self.assertEqual(response.status_code, 200) self.assertEqual(response.data, []) # Test for authenticated user and valid formID request = self.factory.get('/', {'formID': self.xform.id_string}) self.assertTrue(self.user.profile.require_auth) response = self.view(request, username=self.user.username) self.assertEqual(response.status_code, 401) auth = DigestAuth('bob', 'bobbob') request.META.update(auth(request.META, response)) response = self.view(request, username=self.user.username) self.assertEqual(response.status_code, 200) path = os.path.join( os.path.dirname(__file__), '..', 'fixtures', 'formList2.xml') with open(path, encoding='utf-8') as f: form_list = f.read().strip() data = {"hash": self.xform.hash, "pk": self.xform.pk, 'version': self.xform.version} content = response.render().content.decode('utf-8') self.assertEqual(content, form_list % data) # Test for shared forms # Create user Alice alice_data = { 'username': '******', 'email': '*****@*****.**', 'password1': 'alice', 'password2': 'alice' } alice_profile = self._create_user_profile(alice_data) # check that she can authenticate successfully request = self.factory.get('/') response = self.view(request) self.assertEqual(response.status_code, 401) auth = DigestAuth('alice', 'alice') request.META.update(auth(request.META, response)) response = self.view(request) self.assertEqual(response.status_code, 200) self.assertFalse( ReadOnlyRole.user_has_role(alice_profile.user, self.project)) # share Bob's project with Alice data = { 'username': '******', 'role': ReadOnlyRole.name } request = self.factory.post('/', data=data, **self.extra) share_view = ProjectViewSet.as_view({'post': 'share'}) project_id = self.project.pk response = share_view(request, pk=project_id) self.assertEqual(response.status_code, 204) self.assertTrue( ReadOnlyRole.user_has_role(alice_profile.user, self.project)) request = self.factory.get('/', {'formID': self.xform.id_string}) response = self.view(request) self.assertEqual(response.status_code, 401) auth = DigestAuth('alice', 'alice') request.META.update(auth(request.META, response)) response = self.view(request, username='******') self.assertEqual(response.status_code, 200) path = os.path.join( os.path.dirname(__file__), '..', 'fixtures', 'formList2.xml') with open(path, encoding='utf-8') as f: form_list = f.read().strip() data = {"hash": self.xform.hash, "pk": self.xform.pk, "version": self.xform.version} content = response.render().content.decode('utf-8') self.assertEqual(content, form_list % data) # Bob's profile bob_profile = self.user # Submit form as Alice self._login_user_and_profile(extra_post_data=alice_data) self.assertEqual(self.user.username, 'alice') path = os.path.join( settings.PROJECT_ROOT, "apps", "main", "tests", "fixtures", "good_eats_multilang", "good_eats_multilang.xls") self._publish_xls_form_to_project(xlsform_path=path) self.assertTrue(OwnerRole.user_has_role(alice_profile.user, self.xform)) # Share Alice's form with Bob ReadOnlyRole.add(bob_profile, self.xform) self.assertTrue(ReadOnlyRole.user_has_role(bob_profile, self.xform)) # Get unrecognized formID as bob request = self.factory.get('/', {'formID': 'unrecognizedID'}) response = self.view(request, username=bob_profile.username) self.assertEqual(response.status_code, 401) auth = DigestAuth('bob', 'bobbob') request.META.update(auth(request.META, response)) response = self.view(request, username=bob_profile.username) self.assertEqual(response.status_code, 200) self.assertEqual(response.data, []) # Get Alice's form as Bob request = self.factory.get('/', {'formID': 'good_eats_multilang'}) response = self.view(request, username=bob_profile.username) self.assertEqual(response.status_code, 401) auth = DigestAuth('bob', 'bobbob') request.META.update(auth(request.META, response)) response = self.view(request, username=bob_profile.username) self.assertEqual(response.status_code, 200) self.assertEqual(len(response.data), 1) self.assertEqual(response.data[0]['formID'], 'good_eats_multilang')
def _check_is_admin_or_manager( # pylint: disable=no-self-use self, user: User, xform: XForm) -> bool: return OwnerRole.user_has_role( user, xform) or ManagerRole.user_has_role(user, xform)