def test_create_object_with_constrained_permission(self):
initial_count = self._get_queryset().count()
# Assign constrained permission
obj_perm = ObjectPermission(
name="Test permission",
constraints={"pk": str(uuid.uuid4())}, # Dummy permission to deny all
actions=["add"],
)
obj_perm.save()
obj_perm.users.add(self.user)
obj_perm.object_types.add(ContentType.objects.get_for_model(self.model))
# Try GET with object-level permission
self.assertHttpStatus(self.client.get(self._get_url("add")), 200)
# Try to create an object (not permitted)
request = {
"path": self._get_url("add"),
"data": post_data(self.form_data),
}
self.assertHttpStatus(self.client.post(**request), 200)
self.assertEqual(initial_count, self._get_queryset().count()) # Check that no object was created
# Update the ObjectPermission to allow creation
obj_perm.constraints = {"pk__isnull": False}
obj_perm.save()
# Try to create an object (permitted)
request = {
"path": self._get_url("add"),
"data": post_data(self.form_data),
}
self.assertHttpStatus(self.client.post(**request), 302)
self.assertEqual(initial_count + 1, self._get_queryset().count())
if hasattr(self.model, "last_updated"):
self.assertInstanceEqual(self._get_queryset().order_by("last_updated").last(), self.form_data)
else:
self.assertInstanceEqual(self._get_queryset().last(), self.form_data)
def test_bulk_edit_objects_with_constrained_permission(self):
pk_list = list(self._get_queryset().values_list("pk", flat=True)[:3])
data = {
"pk": pk_list,
"_apply": True, # Form button
}
# Append the form data to the request
data.update(post_data(self.bulk_edit_data))
# Dynamically determine a constraint that will *not* be matched by the updated objects.
attr_name = list(self.bulk_edit_data.keys())[0]
field = self.model._meta.get_field(attr_name)
value = field.value_from_object(self._get_queryset().first())
# Assign constrained permission
obj_perm = ObjectPermission(
name="Test permission",
constraints={attr_name: value},
actions=["change"],
)
obj_perm.save()
obj_perm.users.add(self.user)
obj_perm.object_types.add(ContentType.objects.get_for_model(self.model))
# Attempt to bulk edit permitted objects into a non-permitted state
response = self.client.post(self._get_url("bulk_edit"), data)
self.assertHttpStatus(response, 200)
# Update permission constraints
obj_perm.constraints = {"pk__gt": 0}
obj_perm.save()
# Bulk edit permitted objects
self.assertHttpStatus(self.client.post(self._get_url("bulk_edit"), data), 302)
for i, instance in enumerate(self._get_queryset().filter(pk__in=pk_list)):
self.assertInstanceEqual(instance, self.bulk_edit_data)
def test_create_multiple_objects_with_constrained_permission(self):
initial_count = self._get_queryset().count()
request = {
"path": self._get_url("add"),
"data": post_data(self.bulk_create_data),
}
# Assign constrained permission
obj_perm = ObjectPermission(
name="Test permission",
actions=["add"],
constraints={"pk": uuid.uuid4()}, # Dummy constraint to deny all
)
obj_perm.save()
obj_perm.users.add(self.user)
obj_perm.object_types.add(ContentType.objects.get_for_model(self.model))
# Attempt to make the request with unmet constraints
self.assertHttpStatus(self.client.post(**request), 200)
self.assertEqual(self._get_queryset().count(), initial_count)
# Update the ObjectPermission to allow creation
obj_perm.constraints = {"pk__isnull": False} # Dummy constraint to allow all
obj_perm.save()
response = self.client.post(**request)
self.assertHttpStatus(response, 302)
self.assertEqual(initial_count + self.bulk_create_count, self._get_queryset().count())
matching_count = 0
for instance in self._get_queryset().all():
try:
self.assertInstanceEqual(instance, self.bulk_create_data)
matching_count += 1
except AssertionError:
pass
self.assertEqual(matching_count, self.bulk_create_count)
def test_bulk_delete_objects_with_constrained_permission(self):
initial_count = self._get_queryset().count()
pk_list = self._get_queryset().values_list("pk", flat=True)
data = {
"pk": pk_list,
"confirm": True,
"_confirm": True, # Form button
}
# Assign constrained permission
obj_perm = ObjectPermission(
name="Test permission",
constraints={"pk": str(uuid.uuid4())
}, # Dummy permission to deny all
actions=["delete"],
)
obj_perm.save()
obj_perm.users.add(self.user)
obj_perm.object_types.add(
ContentType.objects.get_for_model(self.model))
# Attempt to bulk delete non-permitted objects
self.assertHttpStatus(
self.client.post(self._get_url("bulk_delete"), data), 302)
self.assertEqual(self._get_queryset().count(), initial_count)
# Update permission constraints
obj_perm.constraints = {
"pk__isnull": False
} # Dummy permission to allow all
obj_perm.save()
# Bulk delete permitted objects
self.assertHttpStatus(
self.client.post(self._get_url("bulk_delete"), data), 302)
self.assertEqual(self._get_queryset().count(), 0)
