class TestPrivateLink(OsfTestCase): def setUp(self): super(TestPrivateLink, self).setUp() self.flaskapp = Flask('testing_private_links') @self.flaskapp.route('/project/<pid>/') @must_be_contributor def project_get(**kwargs): return 'success', 200 self.app = WebtestApp(self.flaskapp) self.user = AuthUserFactory() self.project = ProjectFactory(is_public=False) self.link = PrivateLinkFactory() self.link.nodes.add(self.project) self.link.save() @mock.patch('website.project.decorators.Auth.from_kwargs') def test_has_private_link_key(self, mock_from_kwargs): mock_from_kwargs.return_value = Auth(user=None) res = self.app.get('/project/{0}'.format(self.project._primary_key), {'view_only': self.link.key}) res = res.follow() assert_equal(res.status_code, 200) assert_equal(res.body, 'success') @mock.patch('website.project.decorators.Auth.from_kwargs') def test_does_not_have_key(self, mock_from_kwargs): mock_from_kwargs.return_value = Auth(user=None) res = self.app.get('/project/{0}'.format(self.project._primary_key), {'key': None}) assert_is_redirect(res)
def setUp(self): super(TestMustBeContributorOrPublicButNotAnonymizedDecorator, self).setUp() self.contrib = AuthUserFactory() self.non_contrib = AuthUserFactory() admin = UserFactory() self.public_project = ProjectFactory(is_public=True) self.public_project.add_contributor(admin, auth=Auth(self.public_project.creator), permissions=['read', 'write', 'admin']) self.private_project = ProjectFactory(is_public=False) self.private_project.add_contributor(admin, auth=Auth(self.private_project.creator), permissions=['read', 'write', 'admin']) self.public_project.add_contributor(self.contrib, auth=Auth(self.public_project.creator)) self.private_project.add_contributor(self.contrib, auth=Auth(self.private_project.creator)) self.public_project.save() self.private_project.save() self.anonymized_link_to_public_project = PrivateLinkFactory(anonymous=True) self.anonymized_link_to_private_project = PrivateLinkFactory(anonymous=True) self.anonymized_link_to_public_project.nodes.add(self.public_project) self.anonymized_link_to_public_project.save() self.anonymized_link_to_private_project.nodes.add(self.private_project) self.anonymized_link_to_private_project.save() self.flaskapp = Flask('Testing decorator') @self.flaskapp.route('/project/<pid>/') @must_be_contributor_or_public_but_not_anonymized def project_get(**kwargs): return 'success', 200 self.app = WebtestApp(self.flaskapp)
def setUp(self): super(TestPrivateLinkView, self).setUp() self.user = AuthUserFactory() # Is NOT a contributor self.project = ProjectFactory(is_public=False) self.link = PrivateLinkFactory(anonymous=True) self.link.nodes.add(self.project) self.link.save() self.project_url = self.project.web_url_for('view_project')
def test_private_node_user_with_view_only_link_can_view_wiki_version(self): self._set_up_private_project_with_wiki_page() private_link = PrivateLinkFactory(anonymous=False) private_link.nodes.add(self.private_project) private_link.save() url = furl.furl(self.private_url).add(query_params={'view_only': private_link.key}).url res = self.app.get(url) assert_equal(res.status_code, 200) assert_equal(res.json['data']['id'], str(self.private_wiki_version.identifier))
def test_private_node_user_with_view_only_link_can_view_wiki(self): self._set_up_private_project_with_wiki_page() private_link = PrivateLinkFactory(anonymous=False) private_link.nodes.add(self.private_project) private_link.save() url = furl.furl(self.private_url).add(query_params={ 'view_only': private_link.key }).url res = self.app.get(url) assert_equal(res.status_code, 200) assert_equal(res.json['data']['id'], self.private_wiki._id)
def test_public_node_user_with_private_link_can_view_comment(self): self._set_up_public_project_with_comment() private_link = PrivateLinkFactory(anonymous=False) private_link.nodes.add(self.public_project) private_link.save() res = self.app.get('/{}comments/{}/'.format(API_BASE, self.public_comment._id), {'view_only': private_link.key}, expect_errors=True) assert_equal(self.public_comment._id, res.json['data']['id']) assert_equal(self.public_comment.content, res.json['data']['attributes']['content'])
class TestPrivateLinkView(OsfTestCase): def setUp(self): super(TestPrivateLinkView, self).setUp() self.user = AuthUserFactory() # Is NOT a contributor self.project = ProjectFactory(is_public=False) self.link = PrivateLinkFactory(anonymous=True) self.link.nodes.add(self.project) self.link.save() self.project_url = self.project.web_url_for('view_project') def test_anonymous_link_hide_contributor(self): res = self.app.get(self.project_url, {'view_only': self.link.key}) assert_in('Anonymous Contributors', res.body) assert_not_in(self.user.fullname, res) def test_anonymous_link_hides_citations(self): res = self.app.get(self.project_url, {'view_only': self.link.key}) assert_not_in('Citation:', res) def test_no_warning_for_read_only_user_with_valid_link(self): link2 = PrivateLinkFactory(anonymous=False) link2.nodes.add(self.project) link2.save() self.project.add_contributor( self.user, permissions=['read'], save=True, ) res = self.app.get(self.project_url, {'view_only': link2.key}, auth=self.user.auth) assert_not_in( 'is being viewed through a private, view-only link. ' 'Anyone with the link can view this project. Keep ' 'the link safe.', res.body ) def test_no_warning_for_read_only_user_with_invalid_link(self): self.project.add_contributor( self.user, permissions=['read'], save=True, ) res = self.app.get(self.project_url, {'view_only': 'not_valid'}, auth=self.user.auth) assert_not_in( 'is being viewed through a private, view-only link. ' 'Anyone with the link can view this project. Keep ' 'the link safe.', res.body )
def test_build_addon_root_for_anonymous_vols_shows_path(self): private_link = PrivateLinkFactory() private_link.nodes.add(self.project) private_link.save() project_viewer = UserFactory() result = rubeus.build_addon_root(self.node_settings, self.node_settings.bucket, user=project_viewer, private_key=private_link.key) assert result['name'] == 'Amazon S3: {0}'.format( self.node_settings.bucket)
def test_private_node_user_with_anonymous_link_cannot_see_commenter_info( self): self._set_up_private_project_with_comment() private_link = PrivateLinkFactory(anonymous=True) private_link.nodes.add(self.private_project) private_link.save() res = self.app.get( '/{}comments/{}/'.format(API_BASE, self.comment._id), {'view_only': private_link.key}) assert_equal(res.status_code, 200) assert_equal(self.comment._id, res.json['data']['id']) assert_equal(self.comment.content, res.json['data']['attributes']['content']) assert_not_in('user', res.json['data']['relationships'])
def test_build_addon_root_for_anonymous_vols_hides_path(self): private_anonymous_link = PrivateLinkFactory(anonymous=True) private_anonymous_link.nodes.add(self.project) private_anonymous_link.save() project_viewer = UserFactory() result = rubeus.build_addon_root( self.node_settings, self.node_settings.bucket, user=project_viewer, private_key=private_anonymous_link.key ) assert result['name'] == 'Amazon S3'
def test_private_node_user_with_private_and_anonymous_link_misc( self, app, private_project, comment): # def test_private_node_user_with_private_link_can_see_comment private_link = PrivateLinkFactory(anonymous=False) private_link.nodes.add(private_project) private_link.save() res = app.get('/{}comments/{}/'.format(API_BASE, comment._id), {'view_only': private_link.key}, expect_errors=True) assert res.status_code == 200 assert comment._id == res.json['data']['id'] assert comment.content == res.json['data']['attributes']['content'] # test_private_node_user_with_anonymous_link_cannot_see_commenter_info private_link = PrivateLinkFactory(anonymous=True) private_link.nodes.add(private_project) private_link.save() res = app.get('/{}comments/{}/'.format(API_BASE, comment._id), {'view_only': private_link.key}) assert res.status_code == 200 assert comment._id == res.json['data']['id'] assert comment.content == res.json['data']['attributes']['content'] assert 'user' not in res.json['data']['relationships'] # test_private_node_user_with_anonymous_link_cannot_see_mention_info comment.content = 'test with [@username](userlink) and @mention' comment.save() res = app.get('/{}comments/{}/'.format(API_BASE, comment._id), {'view_only': private_link.key}) assert res.status_code == 200 assert comment._id == res.json['data']['id'] assert 'test with @A User and @mention' == res.json['data'][ 'attributes']['content']
def test_no_warning_for_read_only_user_with_valid_link(self): link2 = PrivateLinkFactory(anonymous=False) link2.nodes.add(self.project) link2.save() self.project.add_contributor( self.user, permissions=['read'], save=True, ) res = self.app.get(self.project_url, {'view_only': link2.key}, auth=self.user.auth) assert_not_in( "is being viewed through a private, view-only link. " "Anyone with the link can view this project. Keep " "the link safe.", res.body)
def test_private_node_user_with_anonymous_link_cannot_see_mention_info( self): self._set_up_private_project_with_comment() self.comment.content = 'test with [@username](userlink) and @mention' self.comment.save() private_link = PrivateLinkFactory(anonymous=True) private_link.nodes.add(self.private_project) private_link.save() res = self.app.get( '/{}comments/{}/'.format(API_BASE, self.comment._id), {'view_only': private_link.key}) assert_equal(res.status_code, 200) assert_equal(self.comment._id, res.json['data']['id']) assert_equal('test with @A User and @mention', res.json['data']['attributes']['content'])
def test_public_node_view_only_link_user_cannot_see_deleted_comment(self): self._set_up_public_project_with_comment() self.public_comment.is_deleted = True self.public_comment.save() private_link = PrivateLinkFactory(anonymous=False) private_link.nodes.add(self.public_project) private_link.save() res = self.app.get('/{}comments/{}/'.format(API_BASE, self.public_comment._id), {'view_only': private_link.key}, expect_errors=True) assert_equal(res.status_code, 200) assert_is_none(res.json['data']['attributes']['content'])
def test_params_do_not_appear_on_private_project_with_anonymous_view_only_link(self): private_link = PrivateLinkFactory(anonymous=True) private_link.nodes.add(self.node) private_link.save() url = self.url + '{}/'.format(self.log_add_contributor._id) res = self.app.get(url, {'view_only': private_link.key}, expect_errors=True) assert_equal(res.status_code, 200) data = res.json['data'] assert_in('attributes', data) assert_not_in('params', data['attributes']) body = res.body assert_not_in(self.user._id, body)
def setUp(self): super(ViewOnlyLinkTestCase, self).setUp() self.user = AuthUserFactory() self.read_only_user = AuthUserFactory() self.read_write_user = AuthUserFactory() self.non_contributor = AuthUserFactory() self.public_project = ProjectFactory(is_public=True, creator=self.user) self.public_project.add_contributor(self.read_only_user, permissions=[permissions.READ]) self.public_project.add_contributor(self.read_write_user, permissions=[permissions.WRITE]) self.public_project.save() self.view_only_link = PrivateLinkFactory(name='testlink') self.view_only_link.nodes.add(self.public_project) self.view_only_link.save()
def test_params_do_not_appear_on_private_project_with_anonymous_view_only_link( self, app, url_logs, node_private, contributor_log_private, user_one): private_link = PrivateLinkFactory(anonymous=True) private_link.nodes.add(node_private) private_link.save() url = '{}{}/'.format(url_logs, contributor_log_private._id) res = app.get(url, {'view_only': private_link.key}, expect_errors=True) assert res.status_code == 200 data = res.json['data'] assert 'attributes' in data assert 'params' not in data['attributes'] body = res.body assert user_one._id not in body
def setUp(self): super(TestPrivateLink, self).setUp() self.flaskapp = Flask('testing_private_links') @self.flaskapp.route('/project/<pid>/') @must_be_contributor def project_get(**kwargs): return 'success', 200 self.app = WebtestApp(self.flaskapp) self.user = AuthUserFactory() self.project = ProjectFactory(is_public=False) self.link = PrivateLinkFactory() self.link.nodes.add(self.project) self.link.save()
def test_params_do_not_appear_on_private_project_with_anonymous_view_only_link( self, app, url_logs, node_private, contributor_log_private, user_one): private_link = PrivateLinkFactory(anonymous=True) private_link.nodes.add(node_private) private_link.save() url = '{}{}/'.format(url_logs, contributor_log_private._id) res = app.get(url, {'view_only': private_link.key}, expect_errors=True) assert res.status_code == 200 data = res.json['data'] assert 'attributes' in data assert 'params' not in data['attributes'] body = res.body.decode() assert user_one._id not in body
def test_no_warning_for_read_only_user_with_valid_link(self): link2 = PrivateLinkFactory(anonymous=False) link2.nodes.add(self.project) link2.save() self.project.add_contributor( self.user, permissions=['read'], save=True, ) res = self.app.get(self.project_url, {'view_only': link2.key}, auth=self.user.auth) assert_not_in( 'is being viewed through a private, view-only link. ' 'Anyone with the link can view this project. Keep ' 'the link safe.', res.body )
def test_deleted_vols_not_returned(self, app, user, url, public_project): view_only_link = PrivateLinkFactory(name='testlink2') view_only_link.nodes.add(public_project) view_only_link.save() res = app.get(url, auth=user.auth) data = res.json['data'] assert res.status_code == 200 assert len(data) == 2 view_only_link.nodes.remove(public_project) view_only_link.save() res = app.get(url, auth=user.auth) data = res.json['data'] assert res.status_code == 200 assert len(data) == 1
def test_public_node_deleted_comments_auth_misc( self, app, user, contributor, non_contrib, public_project, public_comment ): public_comment.is_deleted = True public_comment.save() url = '/{}comments/{}/'.format(API_BASE, public_comment._id) # test_public_node_only_logged_in_commenter_can_view_deleted_comment res = app.get(url, auth=user.auth) assert res.status_code == 200 assert res.json['data']['attributes']['content'] == public_comment.content # test_public_node_contributor_cannot_view_other_users_deleted_comment res = app.get(url, auth=contributor.auth) assert res.status_code == 200 assert res.json['data']['attributes']['content'] is None # test_public_node_non_contrib_cannot_view_other_users_deleted_comment res = app.get(url, auth=non_contrib.auth) assert res.status_code == 200 assert res.json['data']['attributes']['content'] is None # test_public_node_logged_out_user_cannot_view_deleted_comments res = app.get(url) assert res.status_code == 200 assert res.json['data']['attributes']['content'] is None # test_public_node_view_only_link_user_cannot_see_deleted_comment private_link = PrivateLinkFactory(anonymous=False) private_link.nodes.add(public_project) private_link.save() res = app.get( '/{}comments/{}/'.format( API_BASE, public_comment._id ), {'view_only': private_link.key}, expect_errors=True ) assert res.status_code == 200 assert res.json['data']['attributes']['content'] is None
def test_public_node_comment_can_view_misc(self, app, user, non_contrib, public_project, public_url, public_comment, registration_comment, comment_url): # test_public_node_logged_in_contributor_can_view_comment res = app.get(public_url, auth=user.auth) assert res.status_code == 200 assert public_comment._id == res.json['data']['id'] assert public_comment.content == res.json['data']['attributes'][ 'content'] # test_public_node_logged_in_non_contrib_can_view_comment res = app.get(public_url, auth=non_contrib.auth) assert res.status_code == 200 assert public_comment._id == res.json['data']['id'] assert public_comment.content == res.json['data']['attributes'][ 'content'] # test_public_node_logged_out_user_can_view_comment res = app.get(public_url) assert res.status_code == 200 assert public_comment._id == res.json['data']['id'] assert public_comment.content == res.json['data']['attributes'][ 'content'] # test_registration_logged_in_contributor_can_view_comment res = app.get(comment_url, auth=user.auth) assert res.status_code == 200 assert registration_comment._id == res.json['data']['id'] assert registration_comment.content == res.json['data']['attributes'][ 'content'] # test_public_node_user_with_private_link_can_view_comment private_link = PrivateLinkFactory(anonymous=False) private_link.nodes.add(public_project) private_link.save() res = app.get('/{}comments/{}/'.format(API_BASE, public_comment._id), {'view_only': private_link.key}, expect_errors=True) assert public_comment._id == res.json['data']['id'] assert public_comment.content == res.json['data']['attributes'][ 'content']
def test_redirects_through_view_only_link(self, app, project, user): # test_redirect_when_viewing_private_project_through_view_only_link view_only_link = PrivateLinkFactory(anonymous=False) view_only_link.nodes.add(project) view_only_link.save() url = '/{}guids/{}/?view_only={}'.format(API_BASE, project._id, view_only_link.key) res = app.get(url, auth=user.auth) redirect_url = '{}{}nodes/{}/?view_only={}'.format( API_DOMAIN, API_BASE, project._id, view_only_link.key) assert res.status_code == 302 assert res.location == redirect_url # test_redirect_when_viewing_private_project_file_through_view_only_link test_file = OsfStorageFile.create( node=project, path='/test', name='test', materialized_path='/test', ) test_file.save() guid = test_file.get_guid(create=True) url = '/{}guids/{}/?view_only={}'.format(API_BASE, guid._id, view_only_link.key) res = app.get(url, auth=user.auth) redirect_url = '{}{}files/{}/?view_only={}'.format( API_DOMAIN, API_BASE, test_file._id, view_only_link.key) assert res.status_code == 302 assert res.location == redirect_url # test_redirect_when_viewing_private_project_comment_through_view_only_link comment = CommentFactory(node=project) url = '/{}guids/{}/?view_only={}'.format(API_BASE, comment._id, view_only_link.key) res = app.get(url, auth=AuthUserFactory().auth) redirect_url = '{}{}comments/{}/?view_only={}'.format( API_DOMAIN, API_BASE, comment._id, view_only_link.key) assert res.status_code == 302 assert res.location == redirect_url
def test_redirects_through_view_only_link(self, app, project, user): # test_redirect_when_viewing_private_project_through_view_only_link view_only_link = PrivateLinkFactory(anonymous=False) view_only_link.nodes.add(project) view_only_link.save() url = '/{}guids/{}/?view_only={}'.format( API_BASE, project._id, view_only_link.key) res = app.get(url, auth=user.auth) redirect_url = '{}{}nodes/{}/?view_only={}'.format( API_DOMAIN, API_BASE, project._id, view_only_link.key) assert res.status_code == 302 assert res.location == redirect_url # test_redirect_when_viewing_private_project_file_through_view_only_link test_file = OsfStorageFile.create( node=project, path='/test', name='test', materialized_path='/test', ) test_file.save() guid = test_file.get_guid(create=True) url = '/{}guids/{}/?view_only={}'.format( API_BASE, guid._id, view_only_link.key) res = app.get(url, auth=user.auth) redirect_url = '{}{}files/{}/?view_only={}'.format( API_DOMAIN, API_BASE, test_file._id, view_only_link.key) assert res.status_code == 302 assert res.location == redirect_url # test_redirect_when_viewing_private_project_comment_through_view_only_link comment = CommentFactory(node=project) url = '/{}guids/{}/?view_only={}'.format( API_BASE, comment._id, view_only_link.key) res = app.get(url, auth=AuthUserFactory().auth) redirect_url = '{}{}comments/{}/?view_only={}'.format( API_DOMAIN, API_BASE, comment._id, view_only_link.key) assert res.status_code == 302 assert res.location == redirect_url
def test_public_node_comment_can_view_misc( self, app, user, non_contrib, public_project, public_url, public_comment, registration_comment, comment_url ): # test_public_node_logged_in_contributor_can_view_comment res = app.get(public_url, auth=user.auth) assert res.status_code == 200 assert public_comment._id == res.json['data']['id'] assert public_comment.content == res.json['data']['attributes']['content'] # test_public_node_logged_in_non_contrib_can_view_comment res = app.get(public_url, auth=non_contrib.auth) assert res.status_code == 200 assert public_comment._id == res.json['data']['id'] assert public_comment.content == res.json['data']['attributes']['content'] # test_public_node_logged_out_user_can_view_comment res = app.get(public_url) assert res.status_code == 200 assert public_comment._id == res.json['data']['id'] assert public_comment.content == res.json['data']['attributes']['content'] # test_registration_logged_in_contributor_can_view_comment res = app.get(comment_url, auth=user.auth) assert res.status_code == 200 assert registration_comment._id == res.json['data']['id'] assert registration_comment.content == res.json['data']['attributes']['content'] # test_public_node_user_with_private_link_can_view_comment private_link = PrivateLinkFactory(anonymous=False) private_link.nodes.add(public_project) private_link.save() res = app.get( '/{}comments/{}/'.format(API_BASE, public_comment._id), {'view_only': private_link.key}, expect_errors=True ) assert public_comment._id == res.json['data']['id'] assert public_comment.content == res.json['data']['attributes']['content']
def test_private_node_deleted_comment_auth_misc(self, app, user, contributor, comment, private_project): comment.is_deleted = True comment.save() # test_private_node_only_logged_in_commenter_can_view_deleted_comment url = '/{}comments/{}/'.format(API_BASE, comment._id) res = app.get(url, auth=user.auth) assert res.status_code == 200 assert res.json['data']['attributes']['content'] == comment.content # test_private_node_contributor_cannot_see_other_users_deleted_comment url = '/{}comments/{}/'.format(API_BASE, comment._id) res = app.get(url, auth=contributor.auth) assert res.status_code == 200 assert res.json['data']['attributes']['content'] is None # test_private_node_logged_out_user_cannot_see_deleted_comment url = '/{}comments/{}/'.format(API_BASE, comment._id) res = app.get(url, expect_errors=True) assert res.status_code == 401 assert res.json['errors'][0][ 'detail'] == exceptions.NotAuthenticated.default_detail # test_private_node_view_only_link_user_cannot_see_deleted_comment private_link = PrivateLinkFactory(anonymous=False) private_link.nodes.add(private_project) private_link.save() res = app.get('/{}comments/{}/'.format(API_BASE, comment._id), {'view_only': private_link.key}, expect_errors=True) assert res.status_code == 200 assert res.json['data']['attributes']['content'] is None # test_private_node_anonymous_view_only_link_user_cannot_see_deleted_comment anonymous_link = PrivateLinkFactory(anonymous=True) anonymous_link.nodes.add(private_project) anonymous_link.save() res = app.get('/{}comments/{}/'.format(API_BASE, comment._id), {'view_only': anonymous_link.key}, expect_errors=True) assert res.status_code == 200 assert res.json['data']['attributes']['content'] is None
class ViewOnlyTestCase(ApiTestCase): def setUp(self): super(ViewOnlyTestCase, self).setUp() self.creation_user = AuthUserFactory() self.viewing_user = AuthUserFactory() self.contributing_read_user = AuthUserFactory() self.contributing_write_user = AuthUserFactory() self.valid_contributors = [ self.creation_user._id, self.contributing_read_user._id, self.contributing_write_user._id, ] self.private_node_one = ProjectFactory(is_public=False, creator=self.creation_user, title="Private One") self.private_node_one.add_contributor(self.contributing_read_user, permissions=[permissions.READ], save=True) self.private_node_one.add_contributor(self.contributing_write_user, permissions=[permissions.WRITE], save=True) self.private_node_one_anonymous_link = PrivateLinkFactory(anonymous=True) self.private_node_one_anonymous_link.nodes.add(self.private_node_one) self.private_node_one_anonymous_link.save() self.private_node_one_private_link = PrivateLinkFactory(anonymous=False) self.private_node_one_private_link.nodes.add(self.private_node_one) self.private_node_one_private_link.save() self.private_node_one_url = '/{}nodes/{}/'.format(API_BASE, self.private_node_one._id) self.private_node_two = ProjectFactory(is_public=False, creator=self.creation_user, title="Private Two") self.private_node_two.add_contributor(self.contributing_read_user, permissions=[permissions.READ], save=True) self.private_node_two.add_contributor(self.contributing_write_user, permissions=[permissions.WRITE], save=True) self.private_node_two_url = '/{}nodes/{}/'.format(API_BASE, self.private_node_two._id) self.public_node_one = ProjectFactory(is_public=True, creator=self.creation_user, title="Public One") self.public_node_one.add_contributor(self.contributing_read_user, permissions=[permissions.READ], save=True) self.public_node_one.add_contributor(self.contributing_write_user, permissions=[permissions.WRITE], save=True) self.public_node_one_anonymous_link = PrivateLinkFactory(anonymous=True) self.public_node_one_anonymous_link.nodes.add(self.public_node_one) self.public_node_one_anonymous_link.save() self.public_node_one_private_link = PrivateLinkFactory(anonymous=False) self.public_node_one_private_link.nodes.add(self.public_node_one) self.public_node_one_private_link.save() self.public_node_one_url = '/{}nodes/{}/'.format(API_BASE, self.public_node_one._id) self.public_node_two = ProjectFactory(is_public=True, creator=self.creation_user, title="Public Two") self.public_node_two.add_contributor(self.contributing_read_user, permissions=[permissions.READ], save=True) self.public_node_two.add_contributor(self.contributing_write_user, permissions=[permissions.WRITE], save=True) self.public_node_two_url = '/{}nodes/{}/'.format(API_BASE, self.public_node_two._id)
def test_deleted_vols_not_returned(self, app, user, url, public_project, view_only_link): view_only_link = PrivateLinkFactory(name='testlink2') view_only_link.nodes.add(public_project) view_only_link.save() res = app.get(url, auth=user.auth) data = res.json['data'] assert res.status_code == 200 assert len(data) == 2 view_only_link.is_deleted = True view_only_link.save() res = app.get(url, auth=user.auth) data = res.json['data'] assert res.status_code == 200 assert len(data) == 1
def test_deleted_vols_not_returned(self): view_only_link = PrivateLinkFactory(name='testlink2') view_only_link.nodes.add(self.public_project) view_only_link.save() res = self.app.get(self.url, auth=self.user.auth) data = res.json['data'] assert_equal(res.status_code, 200) assert_equal(len(data), 2) view_only_link.nodes.remove(self.public_project) view_only_link.save() res = self.app.get(self.url, auth=self.user.auth) data = res.json['data'] assert_equal(res.status_code, 200) assert_equal(len(data), 1)
def test_private_node_deleted_comment_auth_misc( self, app, user, contributor, comment, private_project): comment.is_deleted = True comment.save() # test_private_node_only_logged_in_commenter_can_view_deleted_comment url = '/{}comments/{}/'.format(API_BASE, comment._id) res = app.get(url, auth=user.auth) assert res.status_code == 200 assert res.json['data']['attributes']['content'] == comment.content # test_private_node_contributor_cannot_see_other_users_deleted_comment url = '/{}comments/{}/'.format(API_BASE, comment._id) res = app.get(url, auth=contributor.auth) assert res.status_code == 200 assert res.json['data']['attributes']['content'] is None # test_private_node_logged_out_user_cannot_see_deleted_comment url = '/{}comments/{}/'.format(API_BASE, comment._id) res = app.get(url, expect_errors=True) assert res.status_code == 401 assert res.json['errors'][0]['detail'] == exceptions.NotAuthenticated.default_detail # test_private_node_view_only_link_user_cannot_see_deleted_comment private_link = PrivateLinkFactory(anonymous=False) private_link.nodes.add(private_project) private_link.save() res = app.get('/{}comments/{}/'.format(API_BASE, comment._id), {'view_only': private_link.key}, expect_errors=True) assert res.status_code == 200 assert res.json['data']['attributes']['content'] is None # test_private_node_anonymous_view_only_link_user_cannot_see_deleted_comment anonymous_link = PrivateLinkFactory(anonymous=True) anonymous_link.nodes.add(private_project) anonymous_link.save() res = app.get('/{}comments/{}/'.format(API_BASE, comment._id), {'view_only': anonymous_link.key}, expect_errors=True) assert res.status_code == 200 assert res.json['data']['attributes']['content'] is None
def test_private_node_user_with_private_and_anonymous_link_misc( self, app, private_project, comment): # def test_private_node_user_with_private_link_can_see_comment private_link = PrivateLinkFactory(anonymous=False) private_link.nodes.add(private_project) private_link.save() res = app.get( '/{}comments/{}/'.format(API_BASE, comment._id), {'view_only': private_link.key}, expect_errors=True ) assert res.status_code == 200 assert comment._id == res.json['data']['id'] assert comment.content == res.json['data']['attributes']['content'] # test_private_node_user_with_anonymous_link_cannot_see_commenter_info private_link = PrivateLinkFactory(anonymous=True) private_link.nodes.add(private_project) private_link.save() res = app.get( '/{}comments/{}/'.format(API_BASE, comment._id), {'view_only': private_link.key} ) assert res.status_code == 200 assert comment._id == res.json['data']['id'] assert comment.content == res.json['data']['attributes']['content'] assert 'user' not in res.json['data']['relationships'] # test_private_node_user_with_anonymous_link_cannot_see_mention_info comment.content = 'test with [@username](userlink) and @mention' comment.save() res = app.get( '/{}comments/{}/'.format(API_BASE, comment._id), {'view_only': private_link.key} ) assert res.status_code == 200 assert comment._id == res.json['data']['id'] assert 'test with @A User and @mention' == res.json['data']['attributes']['content']
def view_only_link(public_project): view_only_link = PrivateLinkFactory(name='testlink') view_only_link.nodes.add(public_project) view_only_link.save() return view_only_link
def private_node_one_anonymous_link(self, private_node_one): private_node_one_anonymous_link = PrivateLinkFactory(anonymous=True) private_node_one_anonymous_link.nodes.add(private_node_one) private_node_one_anonymous_link.save() return private_node_one_anonymous_link
def private_node_one_private_link(private_node_one): private_node_one_private_link = PrivateLinkFactory(anonymous=False) private_node_one_private_link.nodes.add(private_node_one) private_node_one_private_link.save() return private_node_one_private_link
def public_node_one_anonymous_link(public_node_one): public_node_one_anonymous_link = PrivateLinkFactory(anonymous=True) public_node_one_anonymous_link.nodes.add(public_node_one) public_node_one_anonymous_link.save() return public_node_one_anonymous_link
def view_only_link(self): private_link = PrivateLinkFactory(creator=self.user) private_link.nodes.add(self.project) private_link.save() return private_link
class TestMustBeContributorOrPublicButNotAnonymizedDecorator(AuthAppTestCase): def setUp(self): super(TestMustBeContributorOrPublicButNotAnonymizedDecorator, self).setUp() self.contrib = AuthUserFactory() self.non_contrib = AuthUserFactory() admin = UserFactory() self.public_project = ProjectFactory(is_public=True) self.public_project.add_contributor(admin, auth=Auth(self.public_project.creator), permissions=['read', 'write', 'admin']) self.private_project = ProjectFactory(is_public=False) self.private_project.add_contributor(admin, auth=Auth(self.private_project.creator), permissions=['read', 'write', 'admin']) self.public_project.add_contributor(self.contrib, auth=Auth(self.public_project.creator)) self.private_project.add_contributor(self.contrib, auth=Auth(self.private_project.creator)) self.public_project.save() self.private_project.save() self.anonymized_link_to_public_project = PrivateLinkFactory(anonymous=True) self.anonymized_link_to_private_project = PrivateLinkFactory(anonymous=True) self.anonymized_link_to_public_project.nodes.add(self.public_project) self.anonymized_link_to_public_project.save() self.anonymized_link_to_private_project.nodes.add(self.private_project) self.anonymized_link_to_private_project.save() self.flaskapp = Flask('Testing decorator') @self.flaskapp.route('/project/<pid>/') @must_be_contributor_or_public_but_not_anonymized def project_get(**kwargs): return 'success', 200 self.app = WebtestApp(self.flaskapp) def test_must_be_contributor_when_user_is_contributor_and_public_project(self): result = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._primary_key, user=self.contrib) assert_equal(result, self.public_project) def test_must_be_contributor_when_user_is_not_contributor_and_public_project(self): result = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._primary_key, user=self.non_contrib) assert_equal(result, self.public_project) def test_must_be_contributor_when_user_is_contributor_and_private_project(self): result = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._primary_key, user=self.contrib) assert_equal(result, self.private_project) def test_must_be_contributor_when_user_is_not_contributor_and_private_project_raise_error(self): with assert_raises(HTTPError): view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._primary_key, user=self.non_contrib ) def test_must_be_contributor_no_user_and_public_project(self): res = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._primary_key, user=None, ) assert_equal(res, self.public_project) def test_must_be_contributor_no_user_and_private_project(self): res = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._primary_key, user=None, ) assert_is_redirect(res) # redirects to login url redirect_url = res.headers['Location'] login_url = cas.get_login_url(service_url='http://localhost/') assert_equal(redirect_url, login_url) def test_must_be_contributor_parent_admin_and_public_project(self): user = UserFactory() node = NodeFactory(parent=self.public_project, creator=user) res = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._id, nid=node._id, user=self.public_project.creator, ) assert_equal(res, node) def test_must_be_contributor_parent_admin_and_private_project(self): user = UserFactory() node = NodeFactory(parent=self.private_project, creator=user) res = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._id, nid=node._id, user=self.private_project.creator, ) assert_equal(res, node) def test_must_be_contributor_parent_write_public_project(self): user = UserFactory() node = NodeFactory(parent=self.public_project, creator=user) self.public_project.set_permissions(self.public_project.creator, ['read', 'write']) self.public_project.save() with assert_raises(HTTPError) as exc_info: view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._id, nid=node._id, user=self.public_project.creator, ) assert_equal(exc_info.exception.code, 403) def test_must_be_contributor_parent_write_private_project(self): user = UserFactory() node = NodeFactory(parent=self.private_project, creator=user) self.private_project.set_permissions(self.private_project.creator, ['read', 'write']) self.private_project.save() with assert_raises(HTTPError) as exc_info: view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._id, nid=node._id, user=self.private_project.creator, ) assert_equal(exc_info.exception.code, 403) @mock.patch('website.project.decorators.Auth.from_kwargs') def test_decorator_does_allow_anonymous_link_public_project(self, mock_from_kwargs): mock_from_kwargs.return_value = Auth(user=None) res = self.app.get('/project/{0}'.format(self.public_project._primary_key), {'view_only': self.anonymized_link_to_public_project.key}) res = res.follow() assert_equal(res.status_code, 200) @mock.patch('website.project.decorators.Auth.from_kwargs') def test_decorator_does_not_allow_anonymous_link_private_project(self, mock_from_kwargs): mock_from_kwargs.return_value = Auth(user=None) res = self.app.get('/project/{0}'.format(self.private_project._primary_key), {'view_only': self.anonymized_link_to_private_project.key}) res = res.follow(expect_errors=True) assert_equal(res.status_code, 500)
def view_only_link(registration_with_children): view_only_link = PrivateLinkFactory(name='testlink') view_only_link.nodes.add(registration_with_children) view_only_link.save() return view_only_link
def _add_private_link(self, project, anonymous=False): view_only_link = PrivateLinkFactory(anonymous=anonymous) view_only_link.nodes.add(project) view_only_link.save() return view_only_link
def test_node_settings_detail(self, app, admin_contrib, non_contrib, write_contrib, url, project): # non logged in uers can't access node settings res = app.get(url, expect_errors=True) assert res.status_code == 401 # non_contrib can't access node settings res = app.get(url, auth=non_contrib.auth, expect_errors=True) assert res.status_code == 403 # read contrib can access node settings res = app.get(url, auth=write_contrib.auth) assert res.status_code == 200 # admin can access node settings res = app.get(url, auth=admin_contrib.auth) assert res.status_code == 200 # allow_access_requests project.allow_access_requests = True project.save() res = app.get(url, auth=admin_contrib.auth) attributes = res.json['data']['attributes'] assert attributes['access_requests_enabled'] is True # anyone can comment project.comment_level = 'public' project.save() res = app.get(url, auth=admin_contrib.auth) attributes = res.json['data']['attributes'] assert attributes['anyone_can_comment'] is True project.comment_level = 'private' project.save() res = app.get(url, auth=admin_contrib.auth) attributes = res.json['data']['attributes'] assert attributes['anyone_can_comment'] is False # wiki enabled res = app.get(url, auth=admin_contrib.auth) attributes = res.json['data']['attributes'] assert attributes['wiki_enabled'] is True project.delete_addon('wiki', auth=Auth(admin_contrib)) project.save() res = app.get(url, auth=admin_contrib.auth) attributes = res.json['data']['attributes'] assert attributes['wiki_enabled'] is False # redirect link enabled res = app.get(url, auth=admin_contrib.auth) attributes = res.json['data']['attributes'] assert attributes['redirect_link_enabled'] is False assert attributes['redirect_link_url'] is None assert attributes['redirect_link_label'] is None new_url = 'http://cool.com' new_label = 'Test Label Woo' forward = project.add_addon('forward', auth=Auth(admin_contrib)) forward.url = new_url forward.label = new_label forward.save() res = app.get(url, auth=admin_contrib.auth) attributes = res.json['data']['attributes'] assert attributes['redirect_link_enabled'] is True assert attributes['redirect_link_url'] == new_url assert attributes['redirect_link_label'] == new_label # view only links view_only_link = PrivateLinkFactory(name='testlink') view_only_link.nodes.add(project) view_only_link.save() res = app.get(url, auth=admin_contrib.auth) assert 'view_only_links' in res.json['data']['relationships'].keys()
def reg_report_anonymous_link(self, reg_report): anon_link = PrivateLinkFactory(anonymous=True) anon_link.nodes.add(reg_report) anon_link.save() return anon_link