def test_not_authorized(self):
    """
    A course-staff user is shown only the courses they can access.

    The listing endpoint is called with a Bearer token for a user who is
    staff on ``self.course``: filtering by that course returns exactly one
    entry, while filtering by ``self.empty_course`` (which the user is not
    staff for) returns an empty result set with a 200 rather than an error.
    """
    staff_user = StaffFactory(course_key=self.course.id)
    token = AccessTokenFactory.create(user=staff_user, client=self.oauth_client).token
    headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}
    list_url = reverse(self.view)

    # Unfiltered listing: only the status code is checked here.
    response = self.http_get(list_url, **headers)
    self.assertEqual(200, response.status_code)

    # Filtered to the course the user is staff for: exactly that course comes back.
    filtered_url = "{}?course_id={}".format(list_url, self.course_id)
    response = self.http_get(filtered_url, **headers)
    self.assertEqual(200, response.status_code)
    results = response.data['results']
    self.assertEqual(1, len(results))
    self.assertEqual(self.course.display_name, results[0]['name'])

    # Filtered to a course the user cannot access: an empty page, still a 200.
    filtered_url = "{}?course_id={}".format(list_url, unicode(self.empty_course.id))
    response = self.http_get(filtered_url, **headers)
    self.assertEqual(200, response.status_code)
    self.assertDictContainsSubset({'count': 0, u'results': []}, response.data)
def test_not_authorized(self):
    """
    A course-staff user is shown only the courses they can access.

    The listing endpoint is called with a Bearer token for a user who is
    staff on ``self.course``: filtering by that course returns exactly one
    entry, while filtering by ``self.empty_course`` (which the user is not
    staff for) returns an empty result set with a 200 rather than an error.
    The same request is also issued once under ``DEBUG=True``.
    """
    staff_user = StaffFactory(course_key=self.course.id)
    token = AccessTokenFactory.create(user=staff_user, client=self.oauth_client).token
    headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}
    list_url = reverse(self.view)

    # Debug-mode request. NOTE(review): the Bearer header is still sent here,
    # so on its own this does not show that DEBUG relaxes the auth check --
    # it is indistinguishable from the authorized request below. Confirm the
    # intent against the view.
    with override_settings(DEBUG=True):
        response = self.http_get(list_url, **headers)
        self.assertEqual(200, response.status_code)

    # Unfiltered listing: only the status code is checked here.
    response = self.http_get(list_url, **headers)
    self.assertEqual(200, response.status_code)

    # Filtered to the course the user is staff for: exactly that course comes back.
    filtered_url = "{}?course_id={}".format(list_url, self.course_id)
    response = self.http_get(filtered_url, **headers)
    self.assertEqual(200, response.status_code)
    results = response.data['results']
    self.assertEqual(1, len(results))
    self.assertEqual(self.course.display_name, results[0]['name'])

    # Filtered to a course the user cannot access: an empty page, still a 200.
    filtered_url = "{}?course_id={}".format(list_url, unicode(self.empty_course.id))
    response = self.http_get(filtered_url, **headers)
    self.assertEqual(200, response.status_code)
    self.assertDictContainsSubset({'count': 0, u'results': []}, response.data)
def test_not_authorized(self):
    """
    Course-level access is enforced per course, not just per token.

    A valid Bearer token for a user who is staff on ``self.course`` is
    accepted for that course, but the very same token yields a 404 for
    ``self.empty_course``, which the user is not staff for.
    """
    staff_user = StaffFactory(course_key=self.course.id)
    token = AccessTokenFactory.create(user=staff_user, client=self.oauth_client).token
    headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}

    # Staff on the course: the request succeeds.
    response = self.http_get_for_course(**headers)
    self.assertEqual(200, response.status_code)

    # Not staff on this course: the same token is rejected with a 404.
    response = self.http_get_for_course(course_id=unicode(self.empty_course.id), **headers)
    self.assertEqual(404, response.status_code)
def test_oauth(self):
    """
    Verify the endpoint supports OAuth, and only allows authorization for staff users.

    The same access token is sent before and after the user is promoted to
    staff; the 403 -> 200 transition shows the staff check is evaluated
    against the user's current state on each request rather than being
    fixed at token-issue time.
    """
    user = UserFactory(is_staff=False)
    client = ClientFactory.create()
    token = AccessTokenFactory.create(user=user, client=client).token
    headers = {"HTTP_AUTHORIZATION": "Bearer " + token}

    # A valid token alone is not enough: non-staff users are refused.
    denied = self.client.get(self.path, **headers)
    self.assertEqual(403, denied.status_code)

    # Promote the user; the unchanged token now grants access.
    user.is_staff = True
    user.save()  # pylint: disable=no-member
    allowed = self.client.get(self.path, **headers)
    self.assertEqual(200, allowed.status_code)
def test_oauth(self):
    """
    Verify the endpoint supports OAuth, and only allows authorization for staff users.

    The same access token is sent before and after the user is promoted to
    staff; the 403 -> 200 transition shows the staff check is evaluated
    against the user's current state on each request rather than being
    fixed at token-issue time.
    """
    user = UserFactory(is_staff=False)
    client = ClientFactory.create()
    token = AccessTokenFactory.create(user=user, client=client).token
    headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}

    # A valid token alone is not enough: non-staff users are refused.
    denied = self.client.get(self.path, **headers)
    self.assertEqual(403, denied.status_code)

    # Promote the user; the unchanged token now grants access.
    user.is_staff = True
    user.save()  # pylint: disable=no-member
    allowed = self.client.get(self.path, **headers)
    self.assertEqual(200, allowed.status_code)
def test_not_authorized(self):
    """
    Course-level access is enforced per course, not just per token.

    A valid Bearer token for a user who is staff on ``self.course`` is
    accepted for that course, but the very same token yields a 403 for
    ``self.empty_course``, which the user is not staff for. The authorized
    request is also issued once under ``DEBUG=True``.
    """
    staff_user = StaffFactory(course_key=self.course.id)
    token = AccessTokenFactory.create(user=staff_user, client=self.oauth_client).token
    headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}
    own_course_url = reverse(self.view, kwargs={'course_id': self.course_id})
    other_course_url = reverse(self.view, kwargs={'course_id': unicode(self.empty_course.id)})

    # Debug-mode request. NOTE(review): the Bearer header is still sent here,
    # so on its own this does not show that DEBUG relaxes the auth check --
    # it is indistinguishable from the authorized request below. Confirm the
    # intent against the view.
    with override_settings(DEBUG=True):
        response = self.http_get(own_course_url, **headers)
        self.assertEqual(200, response.status_code)

    # Staff on the course: the request succeeds.
    response = self.http_get(own_course_url, **headers)
    self.assertEqual(200, response.status_code)

    # Not staff on this course: the same token is rejected with a 403.
    response = self.http_get(other_course_url, **headers)
    self.assertEqual(403, response.status_code)
def test_not_authorized(self):
    """
    Course-level access is enforced per course, not just per token.

    A valid Bearer token for a user who is staff on ``self.course`` is
    accepted for that course, but the very same token yields a 403 for
    ``self.empty_course``, which the user is not staff for. The authorized
    request is also issued once under ``DEBUG=True``.
    """
    staff_user = StaffFactory(course_key=self.course.id)
    token = AccessTokenFactory.create(user=staff_user, client=self.oauth_client).token
    headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}
    own_course_url = reverse(self.view, kwargs={'course_id': self.course_id})
    other_course_url = reverse(self.view, kwargs={'course_id': unicode(self.empty_course.id)})

    # Debug-mode request. NOTE(review): the Bearer header is still sent here,
    # so on its own this does not show that DEBUG relaxes the auth check --
    # it is indistinguishable from the authorized request below. Confirm the
    # intent against the view.
    with override_settings(DEBUG=True):
        response = self.http_get(own_course_url, **headers)
        self.assertEqual(200, response.status_code)

    # Staff on the course: the request succeeds.
    response = self.http_get(own_course_url, **headers)
    self.assertEqual(200, response.status_code)

    # Not staff on this course: the same token is rejected with a 403.
    response = self.http_get(other_course_url, **headers)
    self.assertEqual(403, response.status_code)
def test_not_authorized(self):
    """
    A course-staff user is shown only the courses they can access.

    The listing endpoint is called with a Bearer token for a user who is
    staff on ``self.course``: filtering by that course returns exactly one
    entry, while filtering by ``self.empty_course`` (which the user is not
    staff for) returns an empty result set with a 200 rather than an error.
    """
    staff_user = StaffFactory(course_key=self.course.id)
    token = AccessTokenFactory.create(user=staff_user, client=self.oauth_client).token
    headers = {"HTTP_AUTHORIZATION": "Bearer " + token}
    list_url = reverse(self.view)

    # Unfiltered listing: only the status code is checked here.
    response = self.http_get(list_url, **headers)
    self.assertEqual(200, response.status_code)

    # Filtered to the course the user is staff for: exactly that course comes back.
    filtered_url = "{}?course_id={}".format(list_url, self.course_id)
    response = self.http_get(filtered_url, **headers)
    self.assertEqual(200, response.status_code)
    results = response.data["results"]
    self.assertEqual(1, len(results))
    self.assertEqual(self.course.display_name, results[0]["name"])

    # Filtered to a course the user cannot access: an empty page, still a 200.
    filtered_url = "{}?course_id={}".format(list_url, unicode(self.empty_course.id))
    response = self.http_get(filtered_url, **headers)
    self.assertEqual(200, response.status_code)
    self.assertDictContainsSubset({"count": 0, u"results": []}, response.data)
def create_user_and_access_token(self):
    """
    Create a global-staff user, an OAuth client and an access token for that pair.

    Stores the user on ``self.user``, the client on ``self.oauth_client`` and
    the bearer token string on ``self.access_token`` for use by the tests.
    """
    staff_user = GlobalStaffFactory.create()
    client = ClientFactory.create()
    token_record = AccessTokenFactory.create(user=staff_user, client=client)
    self.user = staff_user
    self.oauth_client = client
    self.access_token = token_record.token
def create_user_and_access_token(self):
    """
    Create the test user, an OAuth client and an access token for that pair.

    Delegates user creation to ``self.create_user()`` (which is expected to
    set ``self.user``), then stores the client on ``self.oauth_client`` and
    the bearer token string on ``self.access_token``.
    """
    self.create_user()
    client = ClientFactory.create()
    token_record = AccessTokenFactory.create(user=self.user, client=client)
    self.oauth_client = client
    self.access_token = token_record.token