def test_reviewer_tools_unlisted_access_read_only(self):
self.permission = AllowUnlistedViewerOrReviewer()
user = user_factory()
self.grant_permission(user, 'ReviewerTools:ViewUnlisted')
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_unlisted_versions = lambda include_deleted=False: True
for method in self.safe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(request, myview, obj)
for method in self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, obj)
def setUp(self):
self.permission = AllowUnlistedViewerOrReviewer()
self.request = RequestFactory().post('/')
class TestAllowUnlistedViewerOrReviewer(TestCase):
# Note: be careful when testing, under the hood we're using a method that
# relies on UserProfile.groups_list, which is cached on the UserProfile
# instance.
def setUp(self):
self.permission = AllowUnlistedViewerOrReviewer()
self.request = RequestFactory().post('/')
def test_user_cannot_be_anonymous(self):
self.request.user = AnonymousUser()
obj = Mock(spec=[])
obj.has_unlisted_versions = lambda include_deleted=False: True
assert not self.permission.has_permission(self.request, myview)
assert not self.permission.has_object_permission(
self.request, myview, obj)
def test_authenticated_but_not_reviewer(self):
self.request.user = user_factory()
obj = Mock(spec=[])
obj.has_unlisted_versions = lambda include_deleted=False: True
assert not self.permission.has_permission(self.request, myview)
assert not self.permission.has_object_permission(
self.request, myview, obj)
def test_admin(self):
self.request.user = user_factory()
self.grant_permission(self.request.user, '*:*')
obj = Mock(spec=[])
obj.has_unlisted_versions = lambda include_deleted=False: True
assert self.permission.has_permission(self.request, myview)
assert self.permission.has_object_permission(self.request, myview, obj)
def test_regular_reviewer(self):
self.request.user = user_factory()
self.grant_permission(self.request.user, 'Addons:Review')
obj = Mock(spec=[])
obj.has_unlisted_versions = lambda include_deleted=False: True
assert not self.permission.has_permission(self.request, myview)
assert not self.permission.has_object_permission(
self.request, myview, obj)
def test_unlisted_reviewer(self):
self.request.user = user_factory()
self.grant_permission(self.request.user, 'Addons:ReviewUnlisted')
obj = Mock(spec=[])
obj.has_unlisted_versions = lambda include_deleted=False: True
assert self.permission.has_permission(self.request, myview)
assert self.permission.has_object_permission(self.request, myview, obj)
def test_unlisted_viewer(self):
self.request.user = user_factory()
self.grant_permission(self.request.user, 'ReviewerTools:ViewUnlisted')
obj = Mock(spec=[])
obj.has_unlisted_versions = lambda include_deleted=False: True
assert self.permission.has_permission(self.request, myview)
# self.request is a POST, viewers should not have access to that.
assert not self.permission.has_object_permission(
self.request, myview, obj)
# GET requests should be allowed.
self.request.method = 'GET'
assert self.permission.has_object_permission(self.request, myview, obj)
def test_object_with_listed_versions_but_no_unlisted_versions(self):
self.request.user = user_factory()
self.grant_permission(self.request.user, 'Addons:ReviewUnlisted')
obj = Mock(spec=[])
obj.has_unlisted_versions = lambda include_deleted=False: False
obj.has_listed_versions = lambda include_deleted=False: True
assert self.permission.has_permission(self.request, myview)
assert not self.permission.has_object_permission(
self.request, myview, obj)
def test_object_with_listed_versions_but_no_unlisted_versions_viewer(self):
self.request.user = user_factory()
self.grant_permission(self.request.user, 'ReviewerTools:ViewUnlisted')
obj = Mock(spec=[])
obj.has_unlisted_versions = lambda include_deleted=False: False
obj.has_listed_versions = lambda include_deleted=False: True
assert self.permission.has_permission(self.request, myview)
assert not self.permission.has_object_permission(
self.request, myview, obj)
def test_object_with_no_unlisted_versions_and_no_listed_versions(self):
self.request.user = user_factory()
self.grant_permission(self.request.user, 'Addons:ReviewUnlisted')
obj = Mock(spec=[])
obj.has_unlisted_versions = lambda include_deleted=False: False
obj.has_listed_versions = lambda include_deleted=False: False
assert self.permission.has_permission(self.request, myview)
assert self.permission.has_object_permission(self.request, myview, obj)
def test_object_with_no_unlisted_versions_and_no_listed_versions_viewer(
self):
self.request.user = user_factory()
self.grant_permission(self.request.user, 'ReviewerTools:ViewUnlisted')
obj = Mock(spec=[])
obj.has_unlisted_versions = lambda include_deleted=False: False
obj.has_listed_versions = lambda include_deleted=False: False
assert self.permission.has_permission(self.request, myview)
# self.request is a POST, viewers should not have access to that.
assert not self.permission.has_object_permission(
self.request, myview, obj)
# GET requests should be allowed.
self.request.method = 'GET'
assert self.permission.has_object_permission(self.request, myview, obj)
def setUp(self):
self.permission = AllowListedViewerOrReviewer()
self.request_factory = RequestFactory()
self.unsafe_methods = ('patch', 'post', 'put', 'delete')
self.safe_methods = ('get', 'options', 'head')
class TestAllowListedViewerOrReviewer(TestCase):
# Note: be careful when testing, under the hood we're using a method that
# relies on UserProfile.groups_list, which is cached on the UserProfile
# instance.
def setUp(self):
self.permission = AllowListedViewerOrReviewer()
self.request_factory = RequestFactory()
self.unsafe_methods = ('patch', 'post', 'put', 'delete')
self.safe_methods = ('get', 'options', 'head')
def test_user_cannot_be_anonymous(self):
request = self.request_factory.get('/')
request.user = AnonymousUser()
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda include_deleted=False: True
assert not self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(request, myview, obj)
def test_authenticated_but_not_reviewer(self):
request = self.request_factory.get('/')
request.user = user_factory()
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda include_deleted=False: True
assert self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(request, myview, obj)
def test_admin(self):
user = user_factory()
self.grant_permission(user, '*:*')
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda include_deleted=False: True
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(request, myview, obj)
def test_reviewer_tools_access_read_only(self):
user = user_factory()
self.grant_permission(user, 'ReviewerTools:View')
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda include_deleted=False: True
for method in self.safe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(request, myview, obj)
for method in self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, obj)
def test_reviewer_tools_unlisted_access_read_only(self):
self.permission = AllowUnlistedViewerOrReviewer()
user = user_factory()
self.grant_permission(user, 'ReviewerTools:ViewUnlisted')
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_unlisted_versions = lambda include_deleted=False: True
for method in self.safe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(request, myview, obj)
for method in self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, obj)
def test_addon_reviewer(self):
user = user_factory()
self.grant_permission(user, 'Addons:Review')
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda include_deleted=False: True
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(request, myview, obj)
# Does not have access to static themes.
obj.type = amo.ADDON_STATICTHEME
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, obj)
def test_theme_reviewer(self):
user = user_factory()
self.grant_permission(user, 'Addons:ThemeReview')
obj = Mock(spec=[])
obj.type = amo.ADDON_STATICTHEME
obj.has_listed_versions = lambda include_deleted=False: True
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
assert self.permission.has_permission(request, myview)
assert self.permission.has_object_permission(request, myview, obj)
# Does not have access to other extensions.
obj.type = amo.ADDON_EXTENSION
for method in self.safe_methods + self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
assert not self.permission.has_object_permission(
request, myview, obj)
def test_no_listed_version_reviewer(self):
user = user_factory()
self.grant_permission(user, 'Addons:Review')
obj = Mock(spec=[])
obj.type = amo.ADDON_EXTENSION
obj.has_listed_versions = lambda include_deleted=False: False
for method in self.safe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
# It doesn't work with the object though, since
# has_listed_versions() is returning False, we don't have enough
# permissions, being a "simple" reviewer.
assert not self.permission.has_object_permission(
request, myview, obj)
for method in self.unsafe_methods:
request = getattr(self.request_factory, method)('/')
request.user = user
# When not checking the object, we have permission because we're
# authenticated.
assert self.permission.has_permission(request, myview)
# As above it doesn't work with the object though.
assert not self.permission.has_object_permission(
request, myview, obj)