class StateManagerUserTest(SeasonTestCaseMixin): def setUp(self): self.client = StateManagerAuthClient() super(StateManagerUserTest, self).setUp() def test_access_to_season_list(self): for symbolicurl in restrictedgenericurls: url = reverse(symbolicurl) # Final URL is forbidden response = self.client.get(url, follow=True) self.assertEqual(response.status_code, 200, url) def test_access_to_season_detail(self): for symbolicurl in restrictedspecificurls: url = reverse(symbolicurl, kwargs={'pk': self.season.pk}) # Final URL is OK response = self.client.get(url, follow=True) self.assertEqual(response.status_code, 200, url) for symbolicurl in restrictedhelperspecificurls: for helper in self.users: url = reverse( symbolicurl, kwargs={ 'pk': self.season.pk, 'helperpk': helper.pk }) # Final URL is OK response = self.client.get(url, follow=True) self.assertEqual(response.status_code, 200, url) for exportformat in ['csv', 'ods', 'xls']: url = reverse( 'season-export', kwargs={ 'pk': self.season.pk, 'format': exportformat }) # Final URL is OK response = self.client.get(url, follow=True) self.assertEqual(response.status_code, 200, url) def test_season_creation(self): url = reverse('season-create') # Final URL is OK response = self.client.get(url, follow=True) self.assertEqual(response.status_code, 200, url) initial = { 'begin': '09.03.2015', 'end': '10.03.2015', 'cantons': [], 'leader': self.client.user.pk, } # 200 because we're back on the page, because cantons' empty response = self.client.post(url, initial) self.assertEqual(response.status_code, 200, url) initial['cantons'] = self.foreigncantons # 200 because we're back on the page, because cantons' not our cantons response = self.client.post(url, initial) self.assertEqual(response.status_code, 200, url) initial['cantons'] = self.mycantons # That works now response = self.client.post(url, initial) self.assertEqual(response.status_code, 302, url) initial['end'] = '08.03.2015' # Inverse dates # That must not work response = self.client.post(url, initial) self.assertEqual(response.status_code, 200, url) def test_session_creation(self): url = reverse('session-create', kwargs={'seasonpk': self.season.pk}) # Final URL is OK response = self.client.get(url, follow=True) self.assertEqual(response.status_code, 200, url) initial = { 'day': (self.season.begin).strftime(SWISS_DATE_INPUT_FORMAT), 'begin': '09:00', } # 200 because we're back on the page, because organization' empty response = self.client.post(url, initial) self.assertEqual(response.status_code, 200, url) orga = OrganizationFactory( address_canton=self.foreignseason.cantons[0] ) initial['organization'] = orga.pk # 200 because we're back on the page, because organization is not # in our canton response = self.client.post(url, initial) self.assertEqual(response.status_code, 200, url) orga = OrganizationFactory(address_canton=self.season.cantons[0]) initial['organization'] = orga.pk # That works now response = self.client.post(url, initial) self.assertEqual(response.status_code, 302, url) def test_no_access_to_foreign_season(self): for symbolicurl in restrictedspecificurls: url = reverse(symbolicurl, kwargs={'pk': self.foreignseason.pk}) # Final URL is NOK response = self.client.get(url, follow=True) # For helperlist and actorlist if symbolicurl in ['season-availabilities', 'season-staff-update', 'season-helperlist', 'season-actorlist']: self.assertEqual(response.status_code, 403, url) else: self.assertEqual(response.status_code, 404, url) def test_no_access_to_foreignsession(self): for session in self.foreignsessions: urls = [ reverse( 'session-list', kwargs={ 'seasonpk': self.foreignseason.pk, 'year': session.day.year, 'week': session.day.strftime('%W'), }), reverse( 'session-create', kwargs={ 'seasonpk': self.foreignseason.pk, }), reverse( 'session-detail', kwargs={ 'seasonpk': self.foreignseason.pk, 'pk': session.pk, }), reverse( 'session-update', kwargs={ 'seasonpk': self.foreignseason.pk, 'pk': session.pk, }), reverse( 'session-staff-choices', kwargs={ 'seasonpk': self.foreignseason.pk, 'pk': session.pk, }), reverse( 'session-delete', kwargs={ 'seasonpk': self.foreignseason.pk, 'pk': session.pk, }), ] for url in urls: # Final URL is forbidden response = self.client.get(url, follow=True) self.assertEqual(response.status_code, 403, url) def test_access_to_mysession(self): for session in self.sessions: urls = [ reverse( 'session-list', kwargs={ 'seasonpk': self.season.pk, 'year': session.day.year, 'week': session.day.strftime('%W'), }), reverse( 'session-create', kwargs={ 'seasonpk': self.season.pk, }), reverse( 'session-detail', kwargs={ 'seasonpk': self.season.pk, 'pk': session.pk, }), reverse( 'session-update', kwargs={ 'seasonpk': self.season.pk, 'pk': session.pk, }), reverse( 'session-staff-choices', kwargs={ 'seasonpk': self.season.pk, 'pk': session.pk, }), reverse( 'session-delete', kwargs={ 'seasonpk': self.season.pk, 'pk': session.pk, }), ] for url in urls: # Final URL is forbidden response = self.client.get(url, follow=True) self.assertEqual(response.status_code, 200, url)
class OrgaStateManagerUserTest(TestCase): expected_code = 200 def setUp(self): self.client = StateManagerAuthClient() mycanton = str((self.client.user.managedstates.first()).canton) self.myorga = OrganizationFactory(address_canton=mycanton) self.myorga.save() OTHERSTATES = [c for c in DV_STATES if c != mycanton] self.foreignorga = OrganizationFactory( address_canton=OTHERSTATES[0]) self.foreignorga.save() def test_access_to_orga_list(self): response = self.client.get(reverse('organization-list')) self.assertTemplateUsed(response, 'orga/organization_filter.html') self.assertEqual(response.status_code, self.expected_code) response = self.client.get(reverse( 'organization-list-export', kwargs={'format': 'csv'})) self.assertEqual(response.status_code, self.expected_code) def test_access_to_orga_detail(self): response = self.client.get(reverse('organization-detail', kwargs={'pk': self.myorga.pk})) self.assertTemplateUsed(response, 'orga/organization_detail.html') self.assertEqual(response.status_code, self.expected_code) # The other orga cannot be accessed response = self.client.get(reverse('organization-detail', kwargs={'pk': self.foreignorga.pk})) self.assertEqual(response.status_code, 404) def test_access_to_orga_edit(self): url = reverse('organization-update', kwargs={'pk': self.myorga.pk}) response = self.client.get(url) self.assertTemplateUsed(response, 'orga/organization_form.html') self.assertEqual(response.status_code, self.expected_code) # Our orga cannot be edited away from my cantons initial = self.myorga.__dict__.copy() del(initial['id']) del(initial['created_on']) del(initial['address_ptr_id']) del(initial['_state']) initial['address_no'] = self.myorga.address_no + 1 response = self.client.post(url, initial) # Code 302 because update succeeded self.assertEqual(response.status_code, 302, url) # Check update succeeded neworga = Organization.objects.get(pk=self.myorga.pk) self.assertEqual(neworga.address_no, str(self.myorga.address_no + 1)) # Test some update, that must go through initial['address_canton'] = self.foreignorga.address_canton response = self.client.post(url, initial) # Code 200 because update failed self.assertEqual(response.status_code, 200, url) # Check update failed neworga = Organization.objects.get(pk=self.myorga.pk) self.assertEqual(neworga.address_canton, self.myorga.address_canton) # The other orga cannot be accessed response = self.client.get(reverse('organization-update', kwargs={'pk': self.foreignorga.pk})) self.assertEqual(response.status_code, 404) def test_autocompletes(self): for al in ['OrganizationAutocomplete']: url = reverse( 'autocomplete_light_autocomplete', kwargs={'autocomplete': al} ) response = self.client.get(url) self.assertEqual(response.status_code, self.expected_code, url) # Check that we only find our orga entries = re.findall('data-value="(\d+)"', str(response.content)) self.assertEqual(entries, [str(self.myorga.pk)])
class StateManagerUserTest(ProfileTestCase): def setUp(self): super(StateManagerUserTest, self).setUp() self.client = StateManagerAuthClient() mycanton = str((self.client.user.managedstates.first()).canton) OTHERSTATES = [c for c in DV_STATES if c != mycanton] for user in self.users: user.profile.affiliation_canton = OTHERSTATES[0] user.profile.save() self.users[0].profile.affiliation_canton = mycanton self.users[0].profile.save() self.myuser = self.users[0] self.foreignuser = self.users[1] def test_my_allowances(self): for symbolicurl in myurlsforall + myurlsforoffice: for exportformat in ["csv", "ods", "xls"]: url = tryurl(symbolicurl, self.client.user, exportformat) response = self.client.get(url) self.assertEqual(response.status_code, 200, url) def test_otherusers_access(self): response = self.client.get(reverse("user-detail", kwargs={"pk": self.myuser.pk})) self.assertTemplateUsed(response, "auth/user_detail.html") self.assertEqual(response.status_code, 200, response) # The other user cannot be accessed response = self.client.get(reverse("user-detail", kwargs={"pk": self.foreignuser.pk})) self.assertEqual(response.status_code, 403) def test_otherusers_edit(self): url = reverse("user-update", kwargs={"pk": self.myuser.pk}) response = self.client.get(url) self.assertTemplateUsed(response, "auth/user_form.html") self.assertEqual(response.status_code, 200, response) # Our orga cannot be edited away from my cantons initial = self.getprofileinitial(self.myuser) initial["address_no"] = 24 response = self.client.post(url, initial) # Code 302 because update succeeded self.assertEqual(response.status_code, 302, url) # Check update succeeded newuser = get_user_model().objects.get(pk=self.myuser.pk) self.assertEqual(newuser.profile.address_no, "24") # Test some update, that must go through initial["affiliation_canton"] = self.foreignuser.profile.affiliation_canton response = self.client.post(url, initial) # Code 200 because update failed self.assertEqual(response.status_code, 200, url) # Check update failed newuser = get_user_model().objects.get(pk=self.myuser.pk) self.assertEqual(newuser.profile.affiliation_canton, self.myuser.profile.affiliation_canton) # The other user cannot be accessed response = self.client.get(reverse("user-update", kwargs={"pk": self.foreignuser.pk})) self.assertEqual(response.status_code, 403) def test_autocompletes(self): for al in ["AllPersons"]: url = reverse("autocomplete_light_autocomplete", kwargs={"autocomplete": al}) response = self.client.get(url) self.assertEqual(response.status_code, 200, url) # Check that we only find our orga entries = re.findall('data-value="(\d+)"', str(response.content)) self.assertEqual(entries, [str(self.myuser.pk)])