def test_reviewer_tools_unlisted_access_read_only(self):
    """'ReviewerTools:ViewUnlisted' only grants read access to unlisted add-ons.

    The object-level check must pass for every safe HTTP method and fail for
    every unsafe one, while the view-level check passes for both.
    """
    # This test swaps in the unlisted permission class for the one the
    # fixture installed.
    self.permission = AllowUnlistedViewerOrReviewer()
    viewer = user_factory()
    self.grant_permission(viewer, 'ReviewerTools:ViewUnlisted')

    # spec=[] makes the mock raise AttributeError for anything not set
    # explicitly below, so the permission class can only read these fields.
    addon = Mock(spec=[])
    addon.type = amo.ADDON_EXTENSION
    addon.has_unlisted_versions = lambda include_deleted=False: True

    def request_for(http_method):
        req = getattr(self.request_factory, http_method)('/')
        req.user = viewer
        return req

    for http_method in self.safe_methods:
        req = request_for(http_method)
        assert self.permission.has_permission(req, myview)
        assert self.permission.has_object_permission(req, myview, addon)

    for http_method in self.unsafe_methods:
        req = request_for(http_method)
        # The view-level check passes for this user.
        # NOTE(review): this is not mere authentication.
        # TestAllowUnlistedViewerOrReviewer asserts that an authenticated
        # user without an unlisted permission fails has_permission() on
        # this class.
        assert self.permission.has_permission(req, myview)
        # Write access is refused once the object is checked.
        assert not self.permission.has_object_permission(
            req, myview, addon)
def setUp(self):
    """Create the permission under test and a default POST request.

    The shared request uses an unsafe method (POST); a test that needs a
    safe method has to change ``self.request.method`` itself.
    """
    factory = RequestFactory()
    self.request = factory.post('/')
    self.permission = AllowUnlistedViewerOrReviewer()
class TestAllowUnlistedViewerOrReviewer(TestCase):
    """Access-control tests for ``AllowUnlistedViewerOrReviewer``.

    Each test asserts both checks: ``has_permission`` (request and view only)
    and ``has_object_permission`` (request, view and the add-on). The shared
    request built in ``setUp`` is a POST.
    """

    # Note: be careful when testing, under the hood we're using a method that
    # relies on UserProfile.groups_list, which is cached on the UserProfile
    # instance.

    def setUp(self):
        """Create the permission under test and a default POST request."""
        factory = RequestFactory()
        self.request = factory.post('/')
        self.permission = AllowUnlistedViewerOrReviewer()

    @staticmethod
    def _addon_stub(unlisted, listed=None):
        """Return a bare mock add-on exposing only the version predicates.

        ``spec=[]`` means any attribute not set here raises AttributeError,
        so ``has_listed_versions`` exists only when ``listed`` is given.
        """
        stub = Mock(spec=[])
        stub.has_unlisted_versions = lambda include_deleted=False: unlisted
        if listed is not None:
            stub.has_listed_versions = lambda include_deleted=False: listed
        return stub

    def test_user_cannot_be_anonymous(self):
        """Anonymous users are refused by both checks."""
        self.request.user = AnonymousUser()
        addon = self._addon_stub(unlisted=True)
        assert not self.permission.has_permission(self.request, myview)
        assert not self.permission.has_object_permission(
            self.request, myview, addon)

    def test_authenticated_but_not_reviewer(self):
        """Being logged in without any permission is not enough."""
        self.request.user = user_factory()
        addon = self._addon_stub(unlisted=True)
        assert not self.permission.has_permission(self.request, myview)
        assert not self.permission.has_object_permission(
            self.request, myview, addon)

    def test_admin(self):
        """The '*:*' wildcard permission passes both checks."""
        self.request.user = user_factory()
        self.grant_permission(self.request.user, '*:*')
        addon = self._addon_stub(unlisted=True)
        assert self.permission.has_permission(self.request, myview)
        assert self.permission.has_object_permission(
            self.request, myview, addon)

    def test_regular_reviewer(self):
        """'Addons:Review' alone does not open unlisted add-ons."""
        self.request.user = user_factory()
        self.grant_permission(self.request.user, 'Addons:Review')
        addon = self._addon_stub(unlisted=True)
        assert not self.permission.has_permission(self.request, myview)
        assert not self.permission.has_object_permission(
            self.request, myview, addon)

    def test_unlisted_reviewer(self):
        """'Addons:ReviewUnlisted' passes both checks, even for a POST."""
        self.request.user = user_factory()
        self.grant_permission(self.request.user, 'Addons:ReviewUnlisted')
        addon = self._addon_stub(unlisted=True)
        assert self.permission.has_permission(self.request, myview)
        assert self.permission.has_object_permission(
            self.request, myview, addon)

    def test_unlisted_viewer(self):
        """'ReviewerTools:ViewUnlisted' is read-only at the object level."""
        self.request.user = user_factory()
        self.grant_permission(
            self.request.user, 'ReviewerTools:ViewUnlisted')
        addon = self._addon_stub(unlisted=True)
        assert self.permission.has_permission(self.request, myview)
        # self.request is a POST, viewers should not have access to that.
        assert not self.permission.has_object_permission(
            self.request, myview, addon)
        # GET requests should be allowed.
        self.request.method = 'GET'
        assert self.permission.has_object_permission(
            self.request, myview, addon)

    def test_object_with_listed_versions_but_no_unlisted_versions(self):
        """An unlisted reviewer is refused an add-on that is listed-only."""
        self.request.user = user_factory()
        self.grant_permission(self.request.user, 'Addons:ReviewUnlisted')
        addon = self._addon_stub(unlisted=False, listed=True)
        assert self.permission.has_permission(self.request, myview)
        assert not self.permission.has_object_permission(
            self.request, myview, addon)

    def test_object_with_listed_versions_but_no_unlisted_versions_viewer(self):
        """An unlisted viewer is refused an add-on that is listed-only."""
        self.request.user = user_factory()
        self.grant_permission(
            self.request.user, 'ReviewerTools:ViewUnlisted')
        addon = self._addon_stub(unlisted=False, listed=True)
        assert self.permission.has_permission(self.request, myview)
        assert not self.permission.has_object_permission(
            self.request, myview, addon)

    def test_object_with_no_unlisted_versions_and_no_listed_versions(self):
        """With no versions of either kind, an unlisted reviewer is allowed."""
        self.request.user = user_factory()
        self.grant_permission(self.request.user, 'Addons:ReviewUnlisted')
        addon = self._addon_stub(unlisted=False, listed=False)
        assert self.permission.has_permission(self.request, myview)
        assert self.permission.has_object_permission(
            self.request, myview, addon)

    def test_object_with_no_unlisted_versions_and_no_listed_versions_viewer(
            self):
        """With no versions of either kind, a viewer still only gets reads."""
        self.request.user = user_factory()
        self.grant_permission(
            self.request.user, 'ReviewerTools:ViewUnlisted')
        addon = self._addon_stub(unlisted=False, listed=False)
        assert self.permission.has_permission(self.request, myview)
        # self.request is a POST, viewers should not have access to that.
        assert not self.permission.has_object_permission(
            self.request, myview, addon)
        # GET requests should be allowed.
        self.request.method = 'GET'
        assert self.permission.has_object_permission(
            self.request, myview, addon)
def setUp(self):
    """Create the permission under test and the HTTP method groups.

    The method names are looked up on the request factory with ``getattr``
    by the tests, so they are spelled as factory method names.
    """
    self.permission = AllowListedViewerOrReviewer()
    self.request_factory = RequestFactory()
    # Methods the read-only viewer tests expect to be allowed.
    self.safe_methods = ('get', 'options', 'head')
    # Methods the read-only viewer tests expect to be refused.
    self.unsafe_methods = ('patch', 'post', 'put', 'delete')
class TestAllowListedViewerOrReviewer(TestCase):
    """Access-control tests for ``AllowListedViewerOrReviewer``.

    Each test asserts both checks: ``has_permission`` (request and view only)
    and ``has_object_permission`` (request, view and the add-on). For this
    class the first check passes for any authenticated user, so the object
    check is where reviewers, viewers and plain users are told apart.
    """

    # Note: be careful when testing, under the hood we're using a method that
    # relies on UserProfile.groups_list, which is cached on the UserProfile
    # instance.

    def setUp(self):
        """Create the permission under test and the HTTP method groups."""
        self.permission = AllowListedViewerOrReviewer()
        self.request_factory = RequestFactory()
        self.safe_methods = ('get', 'options', 'head')
        self.unsafe_methods = ('patch', 'post', 'put', 'delete')

    def _request_as(self, user, http_method):
        """Build a request for '/' with the given method, made by ``user``."""
        req = getattr(self.request_factory, http_method)('/')
        req.user = user
        return req

    @staticmethod
    def _listed_addon(addon_type, has_listed):
        """Return a bare mock add-on exposing only type and listed status.

        ``spec=[]`` means any attribute not set here raises AttributeError.
        """
        stub = Mock(spec=[])
        stub.type = addon_type
        stub.has_listed_versions = lambda include_deleted=False: has_listed
        return stub

    def test_user_cannot_be_anonymous(self):
        """Anonymous users are refused by both checks."""
        req = self.request_factory.get('/')
        req.user = AnonymousUser()
        addon = self._listed_addon(amo.ADDON_EXTENSION, True)
        assert not self.permission.has_permission(req, myview)
        assert not self.permission.has_object_permission(req, myview, addon)

    def test_authenticated_but_not_reviewer(self):
        """A plain user passes the view check but not the object check."""
        req = self.request_factory.get('/')
        req.user = user_factory()
        addon = self._listed_addon(amo.ADDON_EXTENSION, True)
        assert self.permission.has_permission(req, myview)
        assert not self.permission.has_object_permission(req, myview, addon)

    def test_admin(self):
        """The '*:*' wildcard permission passes both checks on any method."""
        admin = user_factory()
        self.grant_permission(admin, '*:*')
        every_method = self.safe_methods + self.unsafe_methods
        for http_method in every_method:
            req = self._request_as(admin, http_method)
            addon = self._listed_addon(amo.ADDON_EXTENSION, True)
            assert self.permission.has_permission(req, myview)
            assert self.permission.has_object_permission(
                req, myview, addon)

    def test_reviewer_tools_access_read_only(self):
        """'ReviewerTools:View' only grants read access to listed add-ons."""
        viewer = user_factory()
        self.grant_permission(viewer, 'ReviewerTools:View')
        addon = self._listed_addon(amo.ADDON_EXTENSION, True)

        for http_method in self.safe_methods:
            req = self._request_as(viewer, http_method)
            assert self.permission.has_permission(req, myview)
            assert self.permission.has_object_permission(
                req, myview, addon)

        for http_method in self.unsafe_methods:
            req = self._request_as(viewer, http_method)
            # When not checking the object, we have permission because we're
            # authenticated.
            assert self.permission.has_permission(req, myview)
            # Write access is refused once the object is checked.
            assert not self.permission.has_object_permission(
                req, myview, addon)

    def test_reviewer_tools_unlisted_access_read_only(self):
        """'ReviewerTools:ViewUnlisted' only grants read access (unlisted)."""
        # This test swaps in the unlisted permission class for the one
        # installed by setUp.
        self.permission = AllowUnlistedViewerOrReviewer()
        viewer = user_factory()
        self.grant_permission(viewer, 'ReviewerTools:ViewUnlisted')
        addon = Mock(spec=[])
        addon.type = amo.ADDON_EXTENSION
        addon.has_unlisted_versions = lambda include_deleted=False: True

        for http_method in self.safe_methods:
            req = self._request_as(viewer, http_method)
            assert self.permission.has_permission(req, myview)
            assert self.permission.has_object_permission(
                req, myview, addon)

        for http_method in self.unsafe_methods:
            req = self._request_as(viewer, http_method)
            # The view-level check passes for this user.
            # NOTE(review): this is not mere authentication.
            # TestAllowUnlistedViewerOrReviewer asserts that an authenticated
            # user without an unlisted permission fails has_permission() on
            # this class.
            assert self.permission.has_permission(req, myview)
            # Write access is refused once the object is checked.
            assert not self.permission.has_object_permission(
                req, myview, addon)

    def test_addon_reviewer(self):
        """'Addons:Review' covers extensions but not static themes."""
        reviewer = user_factory()
        self.grant_permission(reviewer, 'Addons:Review')
        addon = self._listed_addon(amo.ADDON_EXTENSION, True)
        every_method = self.safe_methods + self.unsafe_methods

        for http_method in every_method:
            req = self._request_as(reviewer, http_method)
            assert self.permission.has_permission(req, myview)
            assert self.permission.has_object_permission(
                req, myview, addon)

        # Does not have access to static themes.
        addon.type = amo.ADDON_STATICTHEME
        for http_method in every_method:
            req = self._request_as(reviewer, http_method)
            # When not checking the object, we have permission because we're
            # authenticated.
            assert self.permission.has_permission(req, myview)
            assert not self.permission.has_object_permission(
                req, myview, addon)

    def test_theme_reviewer(self):
        """'Addons:ThemeReview' covers static themes but not extensions."""
        reviewer = user_factory()
        self.grant_permission(reviewer, 'Addons:ThemeReview')
        addon = self._listed_addon(amo.ADDON_STATICTHEME, True)
        every_method = self.safe_methods + self.unsafe_methods

        for http_method in every_method:
            req = self._request_as(reviewer, http_method)
            assert self.permission.has_permission(req, myview)
            assert self.permission.has_object_permission(
                req, myview, addon)

        # Does not have access to other extensions.
        addon.type = amo.ADDON_EXTENSION
        for http_method in every_method:
            req = self._request_as(reviewer, http_method)
            # When not checking the object, we have permission because we're
            # authenticated.
            assert self.permission.has_permission(req, myview)
            assert not self.permission.has_object_permission(
                req, myview, addon)

    def test_no_listed_version_reviewer(self):
        """A reviewer is refused an add-on that has no listed versions."""
        reviewer = user_factory()
        self.grant_permission(reviewer, 'Addons:Review')
        addon = self._listed_addon(amo.ADDON_EXTENSION, False)

        # Safe methods first, then unsafe ones: the outcome is the same for
        # both groups.
        for http_method in self.safe_methods + self.unsafe_methods:
            req = self._request_as(reviewer, http_method)
            # When not checking the object, we have permission because we're
            # authenticated.
            assert self.permission.has_permission(req, myview)
            # It doesn't work with the object though, since
            # has_listed_versions() is returning False, we don't have enough
            # permissions, being a "simple" reviewer.
            assert not self.permission.has_object_permission(
                req, myview, addon)