def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when PUTting patient ``'123'``.

    The payload mirrors the stored patient record, presumably so that a
    rejection can only come from the authorization check rather than from
    payload validation.
    """
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    stored = (
        dbsession.query(models.Patient)
        .filter(models.Patient.pid == u'123')
        .one()
    )
    # Key order is kept as the original test sent it.
    payload = {
        'initials': stored.initials,
        'nurse': stored.nurse,
        'site_id': stored.site_id,
        'pid': stored.pid,
        'site': stored.site_id,
    }
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply so the
    # code can be asserted explicitly below.
    response = app.put_json(
        self.url.format('123'),
        extra_environ=env,
        status='*',
        headers=headers,
        params=payload,
    )
    assert response.status_code == 403
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when POSTing form metadata to an enrollment."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    # NOTE(review): this selects Enrollment.id but filters on Study.name with
    # no join between the two, so the filter does not constrain the
    # enrollment in SQL terms; confirm the fixture data makes the result
    # unambiguous.
    enrollment_id = (
        dbsession.query(models.Enrollment.id)
        .filter(models.Study.name == u'test_study')
        .scalar()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.post(
        self.url.format(enrollment_id),
        extra_environ=env,
        status='*',
        headers=headers,
        xhr=True,
        params={
            'ofmetadata_-collect_date': '2015-01-01',
            'ofmetadata_-version': '2015-01-01',
            'ofmetadata_-state': 'pending-entry',
        },
    )
    assert response.status_code == 403
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when PUTting an enrollment update."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    study_id = (
        dbsession.query(models.Study.id)
        .filter(models.Study.name == u'test_study')
        .scalar()
    )
    # NOTE(review): Enrollment.id is selected while the filter is on
    # Study.name with no join; confirm the fixtures keep this unambiguous.
    enrollment_id = (
        dbsession.query(models.Enrollment.id)
        .filter(models.Study.name == u'test_study')
        .scalar()
    )
    payload = {
        'study': study_id,
        'consent_date': '2014-12-22',
        'latest_consent_date': '2015-01-01',
        'reference_number': '',
    }
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.put_json(
        self.url.format(enrollment_id),
        extra_environ=env,
        status='*',
        headers=headers,
        params=payload,
    )
    assert response.status_code == 403
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when POSTing form metadata to an enrollment."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    # NOTE(review): Enrollment.id is selected while the filter is on
    # Study.name with no join; confirm the fixtures keep this unambiguous.
    enrollment_id = (
        dbsession.query(models.Enrollment.id)
        .filter(models.Study.name == u'test_study')
        .scalar()
    )
    payload = {
        'ofmetadata_-collect_date': '2015-01-01',
        'ofmetadata_-version': '2015-01-01',
        'ofmetadata_-state': 'pending-entry',
    }
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.post(
        self.url.format(enrollment_id),
        extra_environ=env,
        status='*',
        headers=headers,
        xhr=True,
        params=payload,
    )
    assert response.status_code == 403
def test_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 200 when POSTing a new enrollment."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    study_id = (
        dbsession.query(models.Study.id)
        .filter(models.Study.name == u'test_study')
        .scalar()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising so the code is asserted below.
    response = app.post_json(
        self.url,
        extra_environ=env,
        status='*',
        headers=headers,
        params={
            'consent_date': '2015-01-01',
            'latest_consent_date': '2015-01-01',
            'study': study_id,
        },
    )
    assert response.status_code == 200
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when PUTting an enrollment update."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    study_id = (
        dbsession.query(models.Study.id)
        .filter(models.Study.name == u'test_study')
        .scalar()
    )
    # NOTE(review): Enrollment.id is selected while the filter is on
    # Study.name with no join; confirm the fixtures keep this unambiguous.
    enrollment_id = (
        dbsession.query(models.Enrollment.id)
        .filter(models.Study.name == u'test_study')
        .scalar()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.put_json(
        self.url.format(enrollment_id),
        extra_environ=env,
        status='*',
        headers=headers,
        params={
            'study': study_id,
            'consent_date': '2014-12-22',
            'latest_consent_date': '2015-01-01',
            'reference_number': '',
        },
    )
    assert response.status_code == 403
def test_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 200 when POSTing a new visit."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    cycle_id = (
        dbsession.query(models.Cycle.id)
        .filter(models.Cycle.name == u'TestCycle')
        .scalar()
    )
    # NOTE(review): 'include_speciman' is sent exactly as the original test
    # spelled it; confirm it matches the field name the endpoint reads.
    payload = {
        'cycles': [cycle_id],
        'visit_date': '2015-01-01',
        'include_forms': False,
        'include_speciman': False,
    }
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising so the code is asserted below.
    response = app.post_json(
        self.url,
        extra_environ=env,
        status='*',
        headers=headers,
        params=payload,
    )
    assert response.status_code == 200
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when POSTing a new patient."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    ucsd = (
        dbsession.query(models.Site)
        .filter(models.Site.name == u'UCSD')
        .one()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.post_json(
        self.url,
        extra_environ=env,
        status='*',
        headers=headers,
        params={
            'site': ucsd.id,
            'references': [],
        },
    )
    assert response.status_code == 403
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when PUTting a visit update."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    # NOTE(review): Visit.visit_date is selected while the filter is on
    # Patient.pid with no join; confirm the fixtures keep this unambiguous.
    visit_date = (
        dbsession.query(models.Visit.visit_date)
        .filter(models.Patient.pid == u'123')
        .scalar()
    )
    cycle_id = (
        dbsession.query(models.Cycle.id)
        .filter(models.Cycle.name == u'TestCycle')
        .scalar()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.put_json(
        self.url.format(visit_date),
        extra_environ=env,
        status='*',
        headers=headers,
        params={
            'cycles': [cycle_id],
            'visit_date': '2015-01-02',
        },
    )
    assert response.status_code == 403
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when POSTing a new form entry."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    schema_id = (
        dbsession.query(models.Schema.id)
        .filter(models.Schema.name == u'test_schema')
        .scalar()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.post_json(
        self.url,
        extra_environ=env,
        status='*',
        headers=headers,
        params={
            'schema': schema_id,
            'collect_date': '2015-01-01',
        },
    )
    assert response.status_code == 403
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when PUTting patient ``'123'``.

    The payload mirrors the stored record, presumably so that only the
    authorization check (not validation) can reject it.
    """
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    stored = (
        dbsession.query(models.Patient)
        .filter(models.Patient.pid == u'123')
        .one()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.put_json(
        self.url.format('123'),
        extra_environ=env,
        status='*',
        headers=headers,
        params={
            'initials': stored.initials,
            'nurse': stored.nurse,
            'site_id': stored.site_id,
            'pid': stored.pid,
            'site': stored.site_id,
        },
    )
    assert response.status_code == 403
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when POSTing a new visit."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    cycle_id = (
        dbsession.query(models.Cycle.id)
        .filter(models.Cycle.name == u'TestCycle')
        .scalar()
    )
    # NOTE(review): 'include_speciman' is sent exactly as the original test
    # spelled it; confirm it matches the field name the endpoint reads.
    payload = {
        'cycles': [cycle_id],
        'visit_date': '2015-01-01',
        'include_forms': False,
        'include_speciman': False,
    }
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.post_json(
        self.url,
        extra_environ=env,
        status='*',
        headers=headers,
        params=payload,
    )
    assert response.status_code == 403
def test_randomize_ajax_not_allowed(self, app, dbsession, factories, group):
    """A caller in ``group`` must be refused (403) at every step of randomization.

    Covers the GET of the randomization page and the three POST stages
    (challenge, entry, verify); all are sent as XHR with a CSRF token so
    that only the permission check can cause the refusal.
    """
    import uuid
    from occams import models
    enrollment = dbsession.query(models.Enrollment).one()
    url = '/studies/patients/{pid}/enrollments/{eid}/randomization'.format(
        pid=enrollment.patient.pid,
        eid=enrollment.id,
    )
    env = make_environ(userid=USERID, groups=[group])
    headers = {
        'X-CSRF-Token': get_csrf_token(app, env),
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.get(
        url,
        extra_environ=env,
        status='*',
        headers=headers,
        xhr=True,
    )
    assert response.status_code == 403
    procid = str(uuid.uuid4())
    # The same POST is issued once per workflow stage; each must be refused.
    for _stage in ('CHALLENGE', 'ENTRY', 'VERIFY'):
        response = app.post(
            url,
            extra_environ=env,
            status='*',
            headers=headers,
            xhr=True,
            params={'procid': procid},
        )
        assert response.status_code == 403
def test_allowed(self, app, dbsession, group):
    """A caller in ``group`` must be able to DELETE the resource (200).

    webtest enforces the expected status itself via ``status=200``, so no
    explicit assertion is needed.
    """
    # No userid is passed here, unlike the sibling tests; presumably
    # make_environ supplies a default — confirm.
    env = make_environ(groups=[group])
    token = get_csrf_token(app, env)
    app.delete(
        self.url,
        extra_environ=env,
        headers={'X-CSRF-Token': token},
        xhr=True,
        status=200,
    )
def test_not_owner(self, app, dbsession):
    """A different, freshly created user must be refused (403) on DELETE.

    webtest enforces the expected status itself via ``status=403``.
    """
    import transaction
    from occams import models
    # Commit the extra user so the request, which runs in its own
    # transaction, can see it.
    with transaction.manager:
        dbsession.add(models.User(key='somebody_else'))
    env = make_environ(userid='somebody_else')
    token = get_csrf_token(app, env)
    app.delete(
        self.url,
        extra_environ=env,
        headers={'X-CSRF-Token': token},
        xhr=True,
        status=403,
    )
def test_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 200 when deleting with the resource's own JSON.

    The current representation is fetched first and echoed back as the
    DELETE body.
    """
    env = make_environ(userid=USERID, groups=[group])
    current = app.get(self.url, extra_environ=env, xhr=True).json
    token = get_csrf_token(app, env)
    # status='*' keeps webtest from raising so the code is asserted below.
    response = app.delete_json(
        self.url,
        extra_environ=env,
        status='*',
        headers={'X-CSRF-Token': token},
        params=current,
    )
    assert response.status_code == 200
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 on a JSON DELETE with an empty body."""
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.delete_json(
        self.url,
        extra_environ=env,
        status='*',
        headers=headers,
        params={},
    )
    assert response.status_code == 403
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 on a JSON DELETE with an empty body."""
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.delete_json(
        self.url,
        extra_environ=env,
        status='*',
        headers=headers,
        params={},
    )
    assert response.status_code == 403
def test_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 200 when deleting with the resource's own JSON.

    The current representation is fetched first and echoed back as the
    DELETE body.
    """
    env = make_environ(userid=USERID, groups=[group])
    current = app.get(self.url, extra_environ=env, xhr=True).json
    token = get_csrf_token(app, env)
    # status='*' keeps webtest from raising so the code is asserted below.
    response = app.delete_json(
        self.url,
        extra_environ=env,
        status='*',
        headers={'X-CSRF-Token': token},
        params=current,
    )
    assert response.status_code == 200
def test_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 200 when POSTing a new study."""
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    payload = {
        'name': u'test',
        'title': u'test_title',
        'short_title': u'test2',
        'code': u'test3',
        'consent_date': '2015-01-01',
    }
    # status='*' keeps webtest from raising so the code is asserted below.
    response = app.post_json(
        self.url,
        extra_environ=env,
        status='*',
        headers={'X-CSRF-Token': token},
        params=payload,
    )
    assert response.status_code == 200
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when deleting an enrollment."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    # NOTE(review): Enrollment.id is selected while the filter is on
    # Study.name with no join; confirm the fixtures keep this unambiguous.
    enrollment_id = (
        dbsession.query(models.Enrollment.id)
        .filter(models.Study.name == u'test_study')
        .scalar()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.delete_json(
        self.url.format(enrollment_id),
        extra_environ=env,
        status='*',
        headers=headers,
        params={},
    )
    assert response.status_code == 403
def test_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 200 when POSTing a new study."""
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    # status='*' keeps webtest from raising so the code is asserted below.
    response = app.post_json(
        self.url,
        extra_environ=env,
        status='*',
        headers={'X-CSRF-Token': token},
        params={
            'name': u'test',
            'title': u'test_title',
            'short_title': u'test2',
            'code': u'test3',
            'consent_date': '2015-01-01',
        },
    )
    assert response.status_code == 200
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when deleting an enrollment."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    # NOTE(review): Enrollment.id is selected while the filter is on
    # Study.name with no join; confirm the fixtures keep this unambiguous.
    enrollment_id = (
        dbsession.query(models.Enrollment.id)
        .filter(models.Study.name == u'test_study')
        .scalar()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.delete_json(
        self.url.format(enrollment_id),
        extra_environ=env,
        status='*',
        headers=headers,
        params={},
    )
    assert response.status_code == 403
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when deleting a visit."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    # NOTE(review): Visit.visit_date is selected while the filter is on
    # Patient.pid with no join; confirm the fixtures keep this unambiguous.
    visit_date = (
        dbsession.query(models.Visit.visit_date)
        .filter(models.Patient.pid == u'123')
        .scalar()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.delete(
        self.url.format(visit_date),
        extra_environ=env,
        status='*',
        headers=headers,
        xhr=True,
        params={},
    )
    assert response.status_code == 403
def test_not_allowed(self, app, group):
    """A caller in ``group`` must receive 403 when POSTing a cycle to ``test_study``."""
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.post_json(
        self.url.format('test_study'),
        extra_environ=env,
        status='*',
        headers=headers,
        params={
            'title': 'test_study Week 1',
            'week': '1',
        },
    )
    assert response.status_code == 403
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when deleting a visit."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    # NOTE(review): Visit.visit_date is selected while the filter is on
    # Patient.pid with no join; confirm the fixtures keep this unambiguous.
    visit_date = (
        dbsession.query(models.Visit.visit_date)
        .filter(models.Patient.pid == u'123')
        .scalar()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.delete(
        self.url.format(visit_date),
        extra_environ=env,
        status='*',
        headers=headers,
        xhr=True,
        params={},
    )
    assert response.status_code == 403
def test_allowed(self, app, group):
    """A caller in ``group`` must receive 200 when PUTting a cycle update."""
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    payload = {
        'name': 'TestDelete',
        'title': 'TestDelete',
        'week': 4,
    }
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising so the code is asserted below.
    response = app.put_json(
        self.url,
        extra_environ=env,
        status='*',
        headers=headers,
        params=payload,
    )
    assert response.status_code == 200
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when POSTing a new patient."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    ucsd = (
        dbsession.query(models.Site)
        .filter(models.Site.name == u'UCSD')
        .one()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.post_json(
        self.url,
        extra_environ=env,
        status='*',
        headers=headers,
        params={'site': ucsd.id, 'references': []},
    )
    assert response.status_code == 403
def test_not_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 403 when POSTing a new form entry."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    test_schema = (
        dbsession.query(models.Schema)
        .filter(models.Schema.name == u'test_schema')
        .one()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.post_json(
        self.url,
        extra_environ=env,
        status='*',
        headers=headers,
        params={'collect_date': '2015-01-01', 'schema': test_schema.id},
    )
    assert response.status_code == 403
def test_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 200 when deleting the test schema's entity."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    schema_id = (
        dbsession.query(models.Schema.id)
        .filter(models.Schema.name == u'test_schema')
        .scalar()
    )
    entity_id = (
        dbsession.query(models.Entity.id)
        .filter(models.Entity.schema_id == schema_id)
        .scalar()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising so the code is asserted below.
    response = app.delete_json(
        self.url,
        extra_environ=env,
        status='*',
        headers=headers,
        params={'forms': [entity_id]},
    )
    assert response.status_code == 200
def test_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 200 when deleting the test schema's entity."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    schema_id = (
        dbsession.query(models.Schema.id)
        .filter(models.Schema.name == u'test_schema')
        .scalar()
    )
    entity_id = (
        dbsession.query(models.Entity.id)
        .filter(models.Entity.schema_id == schema_id)
        .scalar()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising so the code is asserted below.
    response = app.delete_json(
        self.url,
        extra_environ=env,
        status='*',
        headers=headers,
        params={'forms': [entity_id]},
    )
    assert response.status_code == 200
def test_allowed(self, app, dbsession, group):
    """A caller in ``group`` must receive 200 when PUTting a visit update."""
    from occams import models
    env = make_environ(userid=USERID, groups=[group])
    token = get_csrf_token(app, env)
    # NOTE(review): Visit.visit_date is selected while the filter is on
    # Patient.pid with no join; confirm the fixtures keep this unambiguous.
    visit_date = (
        dbsession.query(models.Visit.visit_date)
        .filter(models.Patient.pid == u'123')
        .scalar()
    )
    cycle_id = (
        dbsession.query(models.Cycle.id)
        .filter(models.Cycle.name == u'TestCycle')
        .scalar()
    )
    headers = {
        'X-CSRF-Token': token,
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising so the code is asserted below.
    response = app.put_json(
        self.url.format(visit_date),
        extra_environ=env,
        status='*',
        headers=headers,
        params={'cycles': [cycle_id], 'visit_date': '2015-01-02'},
    )
    assert response.status_code == 200
def test_randomize_ajax_not_allowed(self, app, dbsession, factories, group):
    """A caller in ``group`` must be refused (403) at every step of randomization.

    Covers the GET of the randomization page and the three POST stages
    (challenge, entry, verify); all are sent as XHR with a CSRF token so
    that only the permission check can cause the refusal.
    """
    import uuid
    from occams import models
    enrollment = dbsession.query(models.Enrollment).one()
    url = '/studies/patients/{pid}/enrollments/{eid}/randomization'.format(
        pid=enrollment.patient.pid,
        eid=enrollment.id,
    )
    env = make_environ(userid=USERID, groups=[group])
    headers = {
        'X-CSRF-Token': get_csrf_token(app, env),
        'X-REQUESTED-WITH': str('XMLHttpRequest'),
    }
    # status='*' keeps webtest from raising on a non-2xx reply.
    response = app.get(
        url,
        extra_environ=env,
        status='*',
        headers=headers,
        xhr=True,
    )
    assert response.status_code == 403
    procid = str(uuid.uuid4())
    # The same POST is issued once per workflow stage; each must be refused.
    for _stage in ('CHALLENGE', 'ENTRY', 'VERIFY'):
        response = app.post(
            url,
            extra_environ=env,
            status='*',
            headers=headers,
            xhr=True,
            params={'procid': procid},
        )
        assert response.status_code == 403