def setUp(self):
    """Build the request plumbing and the permission objects the tests use."""
    super().setUp()

    # Request plumbing: has_permission / has_object_permission are called
    # directly with a factory-built request and a CommentList view instance.
    self.factory = RequestFactory()
    self.view = CommentList()

    # Permission classes under test.
    self.owner_permission = IsOwnerOrReadOnly()
    self.flag_enabled_permission = FlagEnabledPermission()
    self.can_change_flagged_comment_state = CanChangeFlaggedCommentState()
class OwnerPermissionTest(BaseAPIPermissionsTest):
    """Object-level checks of ``IsOwnerOrReadOnly`` against ``comment_1``.

    Each test builds a request with ``self.factory`` and calls
    ``has_object_permission`` directly, so only the permission class is
    exercised.
    """

    def setUp(self):
        super().setUp()
        self.permission = IsOwnerOrReadOnly()

    def _owner_check(self, request):
        """Return the permission's verdict for ``request`` on ``comment_1``."""
        return self.permission.has_object_permission(
            request, self.view, self.comment_1)

    def _put_request_for(self, user):
        """Build a PUT request with ``user`` attached as ``request.user``."""
        put_request = self.factory.put('/')
        put_request.user = user
        return put_request

    def test_get_request(self):
        # No user is attached to the request: the GET is expected to pass
        # without an ownership comparison.
        get_request = self.factory.get('/')
        self.assertTrue(self._owner_check(get_request))

    def test_put_method_from_different_user(self):
        put_request = self._put_request_for(self.user_2)
        # Guard the fixture assumption first: comment_1 belongs to user_1.
        self.assertEqual(self.comment_1.user, self.user_1)
        self.assertFalse(self._owner_check(put_request))

    def test_put_method_from_admin(self):
        put_request = self._put_request_for(self.admin)
        self.assertEqual(self.comment_1.user, self.user_1)
        # The admin account is not the owner, so the write must be denied by
        # this permission class as well.
        self.assertFalse(self._owner_check(put_request))

    def test_put_method_from_same_user(self):
        put_request = self._put_request_for(self.user_1)
        self.assertEqual(self.comment_1.user, self.user_1)
        self.assertTrue(self._owner_check(put_request))
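class APIPermissionsTest(APIBaseTest):
    """Direct tests of the comment API permission classes.

    Covers ``IsOwnerOrReadOnly``, ``FlagEnabledPermission`` and
    ``CanChangeFlaggedCommentState`` by calling ``has_permission`` /
    ``has_object_permission`` with requests built by ``RequestFactory``.
    """

    def setUp(self):
        super().setUp()
        # Several tests assign settings.COMMENT_FLAGS_ALLOWED directly. Put the
        # starting value back after every test so a permission-gating setting
        # does not leak into tests that run later in the same process.
        self.addCleanup(
            setattr, settings, 'COMMENT_FLAGS_ALLOWED',
            settings.COMMENT_FLAGS_ALLOWED)
        self.owner_permission = IsOwnerOrReadOnly()
        self.flag_enabled_permission = FlagEnabledPermission()
        self.can_change_flagged_comment_state = CanChangeFlaggedCommentState()
        self.factory = RequestFactory()
        self.view = CommentList()

    @classmethod
    def setUpTestData(cls):
        super().setUpTestData()
        cls.flag_data = {
            'reason': FlagInstanceManager.reason_values[0],
            'info': '',
        }
        # comment_1 is flagged by two different users for the whole class.
        cls.create_flag_instance(cls.user_1, cls.comment_1, **cls.flag_data)
        cls.create_flag_instance(cls.user_2, cls.comment_1, **cls.flag_data)

    def test_owner_permission(self):
        """Only the comment's owner may write; a GET passes without a user."""
        # GET is a safe method; no user is attached to this request.
        request = self.factory.get('/')
        self.assertTrue(
            self.owner_permission.has_object_permission(
                request, self.view, self.comment_1))

        # PUT from a different user is denied.
        request = self.factory.put('/')
        request.user = self.user_2
        self.assertEqual(self.comment_1.user, self.user_1)
        self.assertFalse(
            self.owner_permission.has_object_permission(
                request, self.view, self.comment_1))

        # PUT from the admin account: not the owner, so still denied.
        # NOTE(review): no DELETE request is exercised anywhere in this test.
        request = self.factory.put('/')
        request.user = self.admin
        self.assertEqual(self.comment_1.user, self.user_1)
        self.assertFalse(
            self.owner_permission.has_object_permission(
                request, self.view, self.comment_1))

        # PUT from the owner is allowed.
        request = self.factory.put('/')
        request.user = self.user_1
        self.assertEqual(self.comment_1.user, self.user_1)
        self.assertTrue(
            self.owner_permission.has_object_permission(
                request, self.view, self.comment_1))

    def test_flag_enabled_permission(self):
        """The permission follows ``settings.COMMENT_FLAGS_ALLOWED``."""
        request = self.factory.get('/')

        settings.COMMENT_FLAGS_ALLOWED = 0
        self.assertFalse(
            self.flag_enabled_permission.has_permission(request, self.view))

        settings.COMMENT_FLAGS_ALLOWED = 1
        self.assertTrue(
            self.flag_enabled_permission.has_permission(request, self.view))

    def test_can_change_flagged_comment_state(self):
        """Only a moderator may change state, and only on a flagged comment."""
        request = self.factory.get('/')

        # A regular (non-moderator) user fails the view-level check.
        request.user = self.user_1
        self.assertFalse(
            self.can_change_flagged_comment_state.has_permission(
                request, self.view))

        request.user = self.moderator
        self.assertTrue(
            self.can_change_flagged_comment_state.has_permission(
                request, self.view))

        # Even for the moderator, an unflagged comment is denied at object
        # level.
        comment = self.comment_2
        self.assertFalse(comment.is_flagged)
        self.assertFalse(
            self.can_change_flagged_comment_state.has_object_permission(
                request, self.view, comment))

        # Flag the comment as two different users; it must then report
        # is_flagged and become accessible to the moderator.
        settings.COMMENT_FLAGS_ALLOWED = 1
        self.set_flag(self.user_1, comment, **self.flag_data)
        self.set_flag(self.user_2, comment, **self.flag_data)
        self.assertTrue(comment.is_flagged)
        self.assertTrue(
            self.can_change_flagged_comment_state.has_object_permission(
                request, self.view, comment))

        # A regular user is still denied on the now-flagged comment.
        request.user = self.user_1
        self.assertFalse(
            self.can_change_flagged_comment_state.has_object_permission(
                request, self.view, comment))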
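class APIPermissionsTest(APIBaseTest):
    """Direct tests of the comment API permission classes.

    Covers ``IsOwnerOrReadOnly``, ``ContentTypePermission``,
    ``ParentIdPermission``, ``FlagEnabledPermission`` and
    ``CanChangeFlaggedCommentState`` by calling ``has_permission`` /
    ``has_object_permission`` with requests built by ``RequestFactory``.
    """

    def setUp(self):
        super().setUp()
        # Several tests assign settings.COMMENT_FLAGS_ALLOWED directly. Put the
        # starting value back after every test so a permission-gating setting
        # does not leak into tests that run later in the same process.
        self.addCleanup(
            setattr, settings, 'COMMENT_FLAGS_ALLOWED',
            settings.COMMENT_FLAGS_ALLOWED)
        self.owner_permission = IsOwnerOrReadOnly()
        self.content_type_permission = ContentTypePermission()
        self.parent_permission = ParentIdPermission()
        self.flag_enabled_permission = FlagEnabledPermission()
        self.can_change_flagged_comment_state = CanChangeFlaggedCommentState()
        self.factory = RequestFactory()
        self.view = CommentList()

    def test_owner_permission(self):
        """Only the comment's owner may write; a GET passes without a user."""
        # GET is a safe method; no user is attached to this request.
        request = self.factory.get('/')
        self.assertTrue(self.owner_permission.has_object_permission(request, self.view, self.comment_1))

        # PUT from a different user is denied.
        request = self.factory.put('/')
        request.user = self.user_2
        self.assertEqual(self.comment_1.user, self.user_1)
        self.assertFalse(self.owner_permission.has_object_permission(request, self.view, self.comment_1))

        # PUT from the admin account: not the owner, so still denied.
        # NOTE(review): no DELETE request is exercised anywhere in this test.
        request = self.factory.put('/')
        request.user = self.admin
        self.assertEqual(self.comment_1.user, self.user_1)
        self.assertFalse(self.owner_permission.has_object_permission(request, self.view, self.comment_1))

        # PUT from the owner is allowed.
        request = self.factory.put('/')
        request.user = self.user_1
        self.assertEqual(self.comment_1.user, self.user_1)
        self.assertTrue(self.owner_permission.has_object_permission(request, self.view, self.comment_1))

    def test_content_type_permission(self):
        """Each malformed ``type``/``id`` query is denied with its own message."""
        # Model type missing.
        request = self.factory.get('/api/comments/')
        self.assertFalse(self.content_type_permission.has_permission(request, self.view))
        self.assertEqual(self.content_type_permission.message, 'model type must be provided')

        # Model id missing.
        request = self.factory.get('/api/comments/?type=post')
        self.assertFalse(self.content_type_permission.has_permission(request, self.view))
        self.assertEqual(self.content_type_permission.message, 'model id must be provided')

        # Model type that does not exist.
        request = self.factory.get('/api/comments/?type=not_exist&id=1')
        self.assertFalse(self.content_type_permission.has_permission(request, self.view))
        self.assertEqual(self.content_type_permission.message, 'this is not a valid model type')

        # Model id that does not exist.
        request = self.factory.get('/api/comments/?type=post&id=100')
        self.assertFalse(self.content_type_permission.has_permission(request, self.view))
        self.assertEqual(self.content_type_permission.message, 'this is not a valid id for this model')

        # Model id that is not an integer.
        request = self.factory.get('/api/comments/?type=post&id=c')
        self.assertFalse(self.content_type_permission.has_permission(request, self.view))
        self.assertEqual(self.content_type_permission.message, 'type id must be an integer')

        # Success. The instance above still carries the last failure message,
        # so use a new one before asserting that the message is empty.
        self.content_type_permission = ContentTypePermission()
        request = self.factory.get('/api/comments/?type=post&id=1')
        self.assertTrue(self.content_type_permission.has_permission(request, self.view))
        self.assertEqual(self.content_type_permission.message, '')

    def test_parent_id_permission(self):
        """``parent_id`` must be absent, 0, or a comment on the same object."""
        # parent_id not provided: permitted (a parent comment will be created).
        request = self.factory.get('/api/comments/create/?type=post&id=1')
        self.assertTrue(self.parent_permission.has_permission(request, self.view))
        self.assertEqual(self.parent_permission.message, '')

        # parent_id is not an integer.
        request = self.factory.get('/api/comments/create/?type=post&id=1&parent_id=c')
        self.assertFalse(self.parent_permission.has_permission(request, self.view))
        self.assertEqual(self.parent_permission.message, 'the parent id must be an integer')

        # parent_id does not exist.
        request = self.factory.get('/api/comments/create/?type=post&id=1&parent_id=100')
        self.assertFalse(self.parent_permission.has_permission(request, self.view))
        self.assertEqual(
            self.parent_permission.message,
            "this is not a valid id for a parent comment or the parent comment does NOT belong to this model object"
        )

        # parent_id exists but is requested against a different model object
        # (id=2): denied with the same message as a nonexistent parent.
        request = self.factory.get('/api/comments/create/?type=post&id=2&parent_id=1')
        self.assertFalse(self.parent_permission.has_permission(request, self.view))
        self.assertEqual(
            self.parent_permission.message,
            "this is not a valid id for a parent comment or the parent comment does NOT belong to this model object"
        )

        # parent_id = 0 is permitted.
        request = self.factory.get('/api/comments/create/?type=post&id=2&parent_id=0')
        self.assertTrue(self.parent_permission.has_permission(request, self.view))

    def test_flag_enabled_permission(self):
        """The permission follows ``settings.COMMENT_FLAGS_ALLOWED``."""
        request = self.factory.get('/')

        settings.COMMENT_FLAGS_ALLOWED = 0
        self.assertFalse(self.flag_enabled_permission.has_permission(request, self.view))

        settings.COMMENT_FLAGS_ALLOWED = 1
        self.assertTrue(self.flag_enabled_permission.has_permission(request, self.view))

    def test_can_change_flagged_comment_state(self):
        """Only a moderator may change state, and only on a flagged comment."""
        request = self.factory.get('/')

        # A regular (non-moderator) user fails the view-level check.
        request.user = self.user_1
        self.assertFalse(self.can_change_flagged_comment_state.has_permission(request, self.view))

        request.user = self.moderator
        self.assertTrue(self.can_change_flagged_comment_state.has_permission(request, self.view))

        # Even for the moderator, an unflagged comment is denied at object
        # level.
        self.assertFalse(self.comment_1.is_flagged)
        self.assertFalse(
            self.can_change_flagged_comment_state.has_object_permission(request, self.view, self.comment_1)
        )

        flag_data = {
            'reason': '1',
            'info': None,
        }
        # Flag the comment as two different users; it must then report
        # is_flagged and become accessible to the moderator.
        settings.COMMENT_FLAGS_ALLOWED = 1
        self.create_flag_instance(self.user_1, self.comment_1, **flag_data)
        self.create_flag_instance(self.user_2, self.comment_1, **flag_data)
        self.assertTrue(self.comment_1.is_flagged)
        self.assertTrue(
            self.can_change_flagged_comment_state.has_object_permission(request, self.view, self.comment_1)
        )

        # A regular user is still denied on the now-flagged comment.
        request.user = self.user_1
        self.assertFalse(
            self.can_change_flagged_comment_state.has_object_permission(request, self.view, self.comment_1)
        )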
def setUp(self):
    """Run the parent fixture setup, then create the permission under test."""
    super().setUp()
    # A new IsOwnerOrReadOnly instance is created on every call, so the tests
    # do not share a permission object.
    self.permission = IsOwnerOrReadOnly()