예제 #1
파일: tests.py 프로젝트: sfu-fas/coursys
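    def test_permissions(self):
        """
        Test page access control behaviour.

        Creates a page with can_read='STAF' and can_write='INST' and pins the
        HTTP status returned to each kind of requester for the view and edit
        URLs. Deny cases are asserted as carefully as allow cases: a change
        that loosens access should fail here rather than pass silently.

        NOTE(review): only GET requests are exercised; a POST to the edit view
        is not covered by this test.
        """
        crs = CourseOffering.objects.get(slug=TEST_COURSE_SLUG)
        memb = Member.objects.filter(offering=crs, role='INST').first()
        inst = memb.person
        ta = Member.objects.filter(offering=crs, role='TA').first().person
        stud = Member.objects.filter(offering=crs, role='STUD').first().person
        non_member = Person.objects.get(userid='dixon')
        # Precondition for the deny cases below. Uses a unittest assertion, not
        # a bare `assert`, so the check is not stripped when running under -O.
        self.assertFalse(
            Member.objects.filter(offering=crs, person=non_member).exists(),
            "fixture user must not be a member of the test offering")

        p = Page(offering=crs, label="Test", can_read='STAF', can_write='INST')
        p.save()
        v = PageVersion(page=p, title="Test Page", wikitext="Page contents", editor=memb)
        v.save()

        c = Client()
        url_kwargs = {'course_slug': crs.slug, 'page_label': 'Test'}

        def check(url, who, userid, expected):
            # userid None means an anonymous request (no session).
            if userid is None:
                c.logout()
            else:
                c.login_user(userid)
            response = c.get(url)
            self.assertEqual(response.status_code, expected,
                             "%s requesting %s" % (who, url))

        # page-viewing permissions
        url = reverse('offering:pages:view_page', kwargs=url_kwargs)
        view_cases = [
            ('anonymous', None, 403),
            ('instructor', inst.userid, 200),
            ('TA', ta.userid, 200),
            ('student', stud.userid, 403),
            # must stay last: the PagePermission check below reuses this login
            ('non-member', non_member.userid, 403),
        ]
        for who, userid, expected in view_cases:
            check(url, who, userid, expected)

        # ... but with a PagePermission object, non_member can access
        # (the client is still logged in as non_member at this point)
        pp = PagePermission(person=non_member, offering=crs, role='INST')
        pp.save()
        response = c.get(url)
        self.assertEqual(response.status_code, 200)

        # page-editing permissions
        url = reverse('offering:pages:edit_page', kwargs=url_kwargs)
        edit_cases = [
            # anonymous edit is a redirect to log in, unlike the 403 on view
            ('anonymous', None, 302),
            ('instructor', inst.userid, 200),
            ('TA', ta.userid, 403),
            ('student', stud.userid, 403),
            # editing with PagePermission not implemented: the role='INST'
            # PagePermission saved above must NOT grant write access
            ('non-member with PagePermission', non_member.userid, 403),
        ]
        for who, userid, expected in edit_cases:
            check(url, who, userid, expected)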
예제 #2
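    def test_permissions(self):
        """
        Test page access control behaviour.

        A page is created with can_read='STAF' and can_write='INST'; the test
        then requests the view and edit URLs as an anonymous client, an
        instructor, a TA, a student and a non-member, asserting the exact
        status code for each. Both the allow and the deny outcomes are pinned.

        NOTE(review): every request here is a GET; write attempts (POST) to
        the edit view are not covered by this test.
        """
        crs = CourseOffering.objects.get(slug=TEST_COURSE_SLUG)
        memb = Member.objects.filter(offering=crs, role='INST').first()
        inst = memb.person
        ta = Member.objects.filter(offering=crs, role='TA').first().person
        stud = Member.objects.filter(offering=crs, role='STUD').first().person
        non_member = Person.objects.get(userid='dixon')
        # The deny assertions for non_member are only meaningful if this
        # person really has no membership; a unittest assertion (rather than
        # a bare `assert`) keeps the check active under `python -O`.
        self.assertFalse(
            Member.objects.filter(offering=crs, person=non_member).exists())

        p = Page(offering=crs, label="Test", can_read='STAF', can_write='INST')
        p.save()
        v = PageVersion(page=p,
                        title="Test Page",
                        wikitext="Page contents",
                        editor=memb)
        v.save()

        # page-viewing permissions
        c = Client()
        url = reverse('offering:pages:view_page',
                      kwargs={
                          'course_slug': crs.slug,
                          'page_label': 'Test'
                      })

        # anonymous: denied outright (no redirect to log in on the view URL)
        c.logout()
        response = c.get(url)
        self.assertEqual(response.status_code, 403)

        c.login_user(inst.userid)
        response = c.get(url)
        self.assertEqual(response.status_code, 200)

        c.login_user(ta.userid)
        response = c.get(url)
        self.assertEqual(response.status_code, 200)

        # students are course members but are expected to be refused here
        c.login_user(stud.userid)
        response = c.get(url)
        self.assertEqual(response.status_code, 403)

        c.login_user(non_member.userid)
        response = c.get(url)
        self.assertEqual(response.status_code, 403)

        # ... but with a PagePermission object, non_member can access
        # (same client session as the 403 just above; only the grant changed)
        pp = PagePermission(person=non_member, offering=crs, role='INST')
        pp.save()
        response = c.get(url)
        self.assertEqual(response.status_code, 200)

        # page-editing permissions
        url = reverse('offering:pages:edit_page',
                      kwargs={
                          'course_slug': crs.slug,
                          'page_label': 'Test'
                      })

        # this logout matters: the client was still logged in as non_member
        c.logout()
        response = c.get(url)
        self.assertEqual(response.status_code, 302)  # redirect to log in

        c.login_user(inst.userid)
        response = c.get(url)
        self.assertEqual(response.status_code, 200)

        c.login_user(ta.userid)
        response = c.get(url)
        self.assertEqual(response.status_code, 403)

        c.login_user(stud.userid)
        response = c.get(url)
        self.assertEqual(response.status_code, 403)

        # editing with PagePermission not implemented: the role='INST' grant
        # saved above gives read access only, so edit must still be refused
        c.login_user(non_member.userid)
        response = c.get(url)
        self.assertEqual(response.status_code, 403)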
예제 #3
파일: tests.py 프로젝트: tjkind/coursys
    def test_oauth_workflow(self):
        request_token_url = 'http://testserver' + reverse(
            'api:oauth_request_token')
        authorize_token_url = 'http://testserver' + reverse(
            'api:oauth_user_authorization')

        # create consumer for tests
        c = Client()
        c.login_user('ggbaker')
        c.logout()
        consumer = Consumer(name='Test Consumer',
                            description='Consumer to do some tests with',
                            status=ACCEPTED,
                            user=User.objects.get(username='******'),
                            xauth_allowed=False)
        consumer.generate_random_codes()
        consumer.save()
        ci = ConsumerInfo(consumer=consumer)
        ci.admin_contact = '*****@*****.**'
        ci.permissions = ['courses', 'grades']
        ci.save()

        # generate request token
        oauth_request = oauth.Request.from_consumer_and_token(
            consumer,
            http_url=request_token_url,
            parameters={'oauth_callback': 'oob'})
        oauth_request.sign_request(oauth.SignatureMethod_HMAC_SHA1(), consumer,
                                   None)

        resp = c.get(request_token_url, **oauth_request.to_header())
        self.assertEqual(resp.status_code, 200)
        request_token = dict(
            urllib.parse.parse_qsl(resp.content.decode('utf8')))

        # get auth verifier
        c.login_user('ggbaker')
        resp = c.get(authorize_token_url,
                     {'oauth_token': request_token['oauth_token']})
        self.assertEqual(resp.status_code, 200)
        resp = c.post(authorize_token_url, {
            'oauth_token': request_token['oauth_token'],
            'authorize_access': 'on'
        })
        self.assertEqual(resp.status_code, 200)
        parser = etree.HTMLParser()
        root = etree.fromstring(resp.content, parser=parser)
        verifier_elt = root.xpath('//*[@id="verifier"]')[0]
        oauth_verifier = verifier_elt.text.strip()
        c.logout()

        # get access token
        token = oauth.Token(request_token['oauth_token'],
                            request_token['oauth_token_secret'])
        token.set_verifier(oauth_verifier)
        oauth_request = oauth.Request.from_consumer_and_token(
            consumer, token, http_url=authorize_token_url)
        oauth_request.sign_request(oauth.SignatureMethod_HMAC_SHA1(), consumer,
                                   token)

        resp = c.get(authorize_token_url, **oauth_request.to_header())