def setUp(self): super(RESTAuthTestCase, self).setUp() # add_repo_user is another user with add_repo permission but who # does not have access to self.repo self.add_repo_user = User.objects.create_user( username="******", password=self.PASSWORD ) add_repo_perm = Permission.objects.get(codename=self.ADD_REPO_PERM) self.add_repo_user.user_permissions.add(add_repo_perm) # curator_user doesn't have add_repo but have view_repo permission on # self.repo self.curator_user = User.objects.create_user( username="******", password=self.PASSWORD ) assign_user_to_repo_group( self.curator_user, self.repo, GroupTypes.REPO_CURATOR) # author_user doesn't have manage_taxonomy permission self.author_user = User.objects.create_user( username="******", password=self.PASSWORD ) assign_user_to_repo_group( self.author_user, self.repo, GroupTypes.REPO_AUTHOR )
def test_members_get(self): """ Tests for members. Get requests: an user can see members if has at least basic permissions """ # add an user to all groups for group_type in [GroupTypes.REPO_ADMINISTRATOR, GroupTypes.REPO_CURATOR, GroupTypes.REPO_AUTHOR]: assign_user_to_repo_group( self.user, self.repo, group_type) self.logout() # as anonymous self.get_members(urlfor='base', repo_slug=self.repo.slug, expected_status=HTTP_403_FORBIDDEN) # list of all groups for an user self.get_members(urlfor='users', repo_slug=self.repo.slug, username=self.user.username, expected_status=HTTP_403_FORBIDDEN) for group_type in BaseGroupTypes.all_base_groups(): # specific group for an user self.get_members(urlfor='users', repo_slug=self.repo.slug, username=self.user.username, group_type=group_type, expected_status=HTTP_403_FORBIDDEN) # list of all users for a group self.get_members(urlfor='groups', repo_slug=self.repo.slug, group_type=group_type, expected_status=HTTP_403_FORBIDDEN) # specific user for a group self.get_members(urlfor='groups', repo_slug=self.repo.slug, username=self.user.username, group_type=group_type, expected_status=HTTP_403_FORBIDDEN) # any kind of user in the repo groups can retrieve infos for user in [self.author_user.username, self.curator_user.username, self.user.username]: self.logout() self.login(user) # list of all groups for an user self.get_members(urlfor='base', repo_slug=self.repo.slug) # specific group for an user self.get_members(urlfor='users', repo_slug=self.repo.slug, username=self.user.username) for group_type in BaseGroupTypes.all_base_groups(): self.get_members(urlfor='users', repo_slug=self.repo.slug, username=self.user.username, group_type=group_type) # list of all users for a group self.get_members(urlfor='groups', repo_slug=self.repo.slug, group_type=group_type) # specific user for a group self.get_members(urlfor='groups', repo_slug=self.repo.slug, username=self.user.username, group_type=group_type)
def perform_create(self, serializer): """Add a group for a user.""" # Validate the incoming data serializer.is_valid(raise_exception=True) # Get the user username = self.kwargs.get('username') user = User.objects.get(username=username) # Get the repo group type group_type = serializer.data.get('group_type') repo_group_type = GroupTypes.get_repo_groupname_by_base(group_type) # Get the repo object repo = Repository.objects.get(slug=self.kwargs['repo_slug']) assign_user_to_repo_group(user, repo, repo_group_type)
def test_single_repo(self): """ Search should only return records for one repository at a time. """ resp = self.client.get(reverse("repositories", args=(self.repo.slug,))) self.assertContains(resp, self.resource.title) # Make a new repo with no content. new_repo = create_repo("other", "whatever", self.user.id) assign_user_to_repo_group( self.user, new_repo, GroupTypes.REPO_ADMINISTRATOR ) resp = self.client.get(reverse("repositories", args=(new_repo.slug,))) self.assertNotContains(resp, self.resource.title)
def setUp(self): """set up""" super(LoreTestCase, self).setUp() self.user = User.objects.create_user( username=self.USERNAME, password=self.PASSWORD ) add_repo_perm = Permission.objects.get(codename=self.ADD_REPO_PERM) self.user.user_permissions.add(add_repo_perm) # user without permission to add a repo self.user_norepo = User.objects.create_user( username=self.USERNAME_NO_REPO, password=self.PASSWORD ) self.repo = create_repo( name="test repo", description="just a test", user_id=self.user.id, ) self.course = create_course( org="test-org", repo_id=self.repo.id, course_number="infinity", run="Febtober", user_id=self.user.id, ) self.resource = self.create_resource( course=self.course, parent=None, resource_type="example", title="silly example", content_xml="<blah>blah</blah>", mpath="/blah", url_name="url_name1", ) assign_user_to_repo_group( self.user, self.repo, GroupTypes.REPO_ADMINISTRATOR ) self.toy_resource_count = 18 # Resources in toy course. self.toy_asset_count = 5 # Static assets in toy course. self.client = Client() self.login(username=self.USERNAME)
def add_creator_permission(sender, **kwargs): """ Give the creator of a repository admin permissions over that repository. """ from roles.api import assign_user_to_repo_group, roles_init_new_repo from roles.permissions import GroupTypes instance = kwargs.pop("instance", None) if not kwargs["created"]: return if not isinstance(instance, Repository): return roles_init_new_repo(instance) assign_user_to_repo_group( instance.created_by, instance, GroupTypes.REPO_ADMINISTRATOR, )
def create_repo(request): """ Create a new repository. """ form = RepositoryForm() if request.method == "POST": form = RepositoryForm(data=request.POST) if form.is_valid(): repo = form.save(request.user) assign_user_to_repo_group( request.user, repo, GroupTypes.REPO_ADMINISTRATOR ) return redirect(reverse("repositories", args=(repo.slug,))) return render( request, "create_repo.html", {"form": form}, )
def setUp(self): super(RESTAuthTestCase, self).setUp() # add_repo_user is another user with add_repo permission but who # does not have access to self.repo self.add_repo_user = User.objects.create_user(username="******", password=self.PASSWORD) add_repo_perm = Permission.objects.get(codename=self.ADD_REPO_PERM) self.add_repo_user.user_permissions.add(add_repo_perm) # curator_user doesn't have add_repo but have view_repo permission on # self.repo self.curator_user = User.objects.create_user(username="******", password=self.PASSWORD) assign_user_to_repo_group(self.curator_user, self.repo, GroupTypes.REPO_CURATOR) # author_user doesn't have manage_taxonomy permission self.author_user = User.objects.create_user(username="******", password=self.PASSWORD) assign_user_to_repo_group(self.author_user, self.repo, GroupTypes.REPO_AUTHOR)
def test_assign_user_group_2(self): """ Test for api.assign_user_to_repo_group """ repo = Repository.objects.create( name=self.repo_name, description=self.repo_desc, created_by=self.user ) admin = Group.objects.get(name=self.group_admin) curator = Group.objects.get(name=self.group_curator) author = Group.objects.get(name=self.group_author) self.assertIn(self.user, admin.user_set.all()) self.assertNotIn(self.user, curator.user_set.all()) self.assertNotIn(self.user, author.user_set.all()) admin.user_set.clear() api.assign_user_to_repo_group( self.user, repo, group_type=GroupTypes.REPO_CURATOR ) self.assertNotIn(self.user, admin.user_set.all()) self.assertIn(self.user, curator.user_set.all()) self.assertNotIn(self.user, author.user_set.all()) curator.user_set.clear() api.assign_user_to_repo_group( self.user, repo, group_type=GroupTypes.REPO_AUTHOR ) self.assertNotIn(self.user, admin.user_set.all()) self.assertNotIn(self.user, curator.user_set.all()) self.assertIn(self.user, author.user_set.all()) author.user_set.clear()
def test_is_last_admin_in_repo(self): """ Test for is_last_admin_in_repo """ # By default the repo creator is also administrator self.assertTrue( api.is_last_admin_in_repo(self.user, self.repo) ) # Add another user to the administrators. api.assign_user_to_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_ADMINISTRATOR ) self.assertFalse( api.is_last_admin_in_repo(self.user, self.repo) ) # Remove the first user from the administrators. api.remove_user_from_repo_group( self.user, self.repo, GroupTypes.REPO_ADMINISTRATOR ) # Add user to the curators. api.assign_user_to_repo_group( self.user, self.repo, GroupTypes.REPO_CURATOR ) # The user is not the last of the admins because he is not admin self.assertFalse( api.is_last_admin_in_repo(self.user, self.repo) ) # The other user is indeed the last admin self.assertTrue( api.is_last_admin_in_repo(self.user_norepo, self.repo) )
def add_users_to_repo(self): """ Helper function to add some users to the repository groups. """ # add only 3 users to 3 different groups assign_user_to_repo_group( self.author_user, self.repo, GroupTypes.REPO_AUTHOR) assign_user_to_repo_group( self.curator_user, self.repo, GroupTypes.REPO_CURATOR) assign_user_to_repo_group( self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
def add_users_to_repo(self): """ Helper function to add some users to the repository groups. """ # add only 3 users to 3 different groups assign_user_to_repo_group(self.author_user, self.repo, GroupTypes.REPO_AUTHOR) assign_user_to_repo_group(self.curator_user, self.repo, GroupTypes.REPO_CURATOR) assign_user_to_repo_group(self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
def test_upload_with_permissions(self): """GET upload page with different user permissions""" def check_user_no_permission(): """ Helper function to check that the user has no permission on the repo """ # user cannot see the repository page self.assert_status_code(self.repository_url_slug, UNAUTHORIZED) # and cannot see the import page self.assert_status_code(self.import_url_slug, UNAUTHORIZED) self.logout() self.login(self.USERNAME_NO_REPO) # user has no permissions at all check_user_no_permission() # user has author permissions assign_user_to_repo_group(self.user_norepo, self.repo, GroupTypes.REPO_AUTHOR) # user can see the repository page self.assert_status_code(self.repository_url_slug, HTTP_OK) # but cannot see the import for the repo self.assert_status_code(self.import_url_slug, UNAUTHORIZED) # user has no permissions remove_user_from_repo_group(self.user_norepo, self.repo, GroupTypes.REPO_AUTHOR) check_user_no_permission() # user has curator permissions assign_user_to_repo_group(self.user_norepo, self.repo, GroupTypes.REPO_CURATOR) # user can see the repository page self.assert_status_code(self.repository_url_slug, HTTP_OK) # and can see the the import for the repo self.assert_status_code(self.import_url_slug, HTTP_OK) # remove curator permissions remove_user_from_repo_group(self.user_norepo, self.repo, GroupTypes.REPO_CURATOR) check_user_no_permission() # user has admin permissions assign_user_to_repo_group(self.user_norepo, self.repo, GroupTypes.REPO_ADMINISTRATOR) # user can see the repository page self.assert_status_code(self.repository_url_slug, HTTP_OK) # and can see the the import for the repo self.assert_status_code(self.import_url_slug, HTTP_OK)
def test_listing_importcourse_perms(self): """ Tests the listing page with different user permissions to check who can see the import course html """ self.logout() self.login(self.USERNAME_NO_REPO) # user has no permissions at all self.assert_status_code(self.repository_url, UNAUTHORIZED) # user has author permissions and cannot see the import for the repo assign_user_to_repo_group(self.user_norepo, self.repo, GroupTypes.REPO_AUTHOR) body = self.assert_status_code(self.repository_url, HTTP_OK, return_body=True) self.assertFalse("Import Course</a>" in body) # user has no permissions remove_user_from_repo_group(self.user_norepo, self.repo, GroupTypes.REPO_AUTHOR) self.assert_status_code(self.repository_url, UNAUTHORIZED) # user has curator permissions and can see the the import for the repo assign_user_to_repo_group(self.user_norepo, self.repo, GroupTypes.REPO_CURATOR) body = self.assert_status_code(self.repository_url, HTTP_OK, return_body=True) self.assertTrue("Import Course</a>" in body) # user has no permissions remove_user_from_repo_group(self.user_norepo, self.repo, GroupTypes.REPO_CURATOR) self.assert_status_code(self.repository_url, UNAUTHORIZED) # user has admin permissions and can see the the import for the repo assign_user_to_repo_group(self.user_norepo, self.repo, GroupTypes.REPO_ADMINISTRATOR) body = self.assert_status_code(self.repository_url, HTTP_OK, return_body=True) self.assertTrue("Import Course</a>" in body)
def test_members_delete(self): """ Members DELETE Testing only using an administrator used logged in. All the other kind of users don't have permissions to handle users. (tests for other users in rest_test_authorization.py) """ # No users in the repo self.assert_users_count() # Populate repo groups. self.add_users_to_repo() # Add extra administrator assign_user_to_repo_group(self.admin_user2, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.assert_users_count(admins=2, curators=1, authors=1) self.login(self.admin_user2) # First part: delete group from user # Delete authors group self.delete_member( urlfor='users', repo_slug=self.repo.slug, username=self.author_user.username, group_type=BaseGroupTypes.AUTHORS, ) self.assert_users_count(admins=2, curators=1) # Delete curators group self.delete_member( urlfor='users', repo_slug=self.repo.slug, username=self.curator_user.username, group_type=BaseGroupTypes.CURATORS, ) self.assert_users_count(admins=2) # Delete administrators group self.delete_member( urlfor='users', repo_slug=self.repo.slug, username=self.admin_user.username, group_type=BaseGroupTypes.ADMINISTRATORS, ) self.assert_users_count(admins=1) # Trying to delete the last of administrators group will fail self.delete_member(urlfor='users', repo_slug=self.repo.slug, username=self.admin_user2.username, group_type=BaseGroupTypes.ADMINISTRATORS, expected_status=HTTP_400_BAD_REQUEST) self.assert_users_count(admins=1) # Add back second admin assign_user_to_repo_group(self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.assert_users_count(admins=2) # Admin is able to delete self if there is another admin self.delete_member(urlfor='users', repo_slug=self.repo.slug, username=self.admin_user2.username, group_type=BaseGroupTypes.ADMINISTRATORS) self.assert_users_count(admins=1) # Reset users configuration # Populate repo groups. self.add_users_to_repo() # Add extra administrator assign_user_to_repo_group(self.admin_user2, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.assert_users_count(admins=2, curators=1, authors=1) # Second part: delete user from group # Delete user from authors group self.delete_member( urlfor='groups', repo_slug=self.repo.slug, username=self.author_user.username, group_type=BaseGroupTypes.AUTHORS, ) self.assert_users_count(admins=2, curators=1) # Delete user from curators group self.delete_member( urlfor='groups', repo_slug=self.repo.slug, username=self.curator_user.username, group_type=BaseGroupTypes.CURATORS, ) self.assert_users_count(admins=2) # Delete user from administrators group self.delete_member( urlfor='groups', repo_slug=self.repo.slug, username=self.admin_user.username, group_type=BaseGroupTypes.ADMINISTRATORS, ) self.assert_users_count(admins=1) # Trying to delete the last of administrators group will fail self.delete_member(urlfor='groups', repo_slug=self.repo.slug, username=self.admin_user2.username, group_type=BaseGroupTypes.ADMINISTRATORS, expected_status=HTTP_400_BAD_REQUEST) self.assert_users_count(admins=1) # Add back second admin assign_user_to_repo_group(self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.assert_users_count(admins=2) # Admin is able to delete self if there is another admin self.delete_member(urlfor='groups', repo_slug=self.repo.slug, username=self.admin_user2.username, group_type=BaseGroupTypes.ADMINISTRATORS) self.assert_users_count(admins=1)
def test_members_create(self): """ Members POST Testing only using an administrator used logged in. All the other kind of users don't have permissions to handle users. (tests for other users in rest_test_authorization.py) """ # No users in the repo self.assert_users_count() # One user must be admin. assign_user_to_repo_group(self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.assert_users_count(admins=1) self.login(self.admin_user.username) # First part: assign group to user # Assign unexpected group will fail self.create_member(urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': 'foo'}, username=self.author_user.username, expected_status=HTTP_400_BAD_REQUEST) # Assign real group to nonexistent user will fail self.create_member( urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': GroupTypes.REPO_ADMINISTRATOR}, username='******', expected_status=HTTP_404_NOT_FOUND) # Assign authors group self.create_member(urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': BaseGroupTypes.AUTHORS}, username=self.author_user.username, reverse_str='repo-members-user-group-detail') self.assert_users_count(admins=1, authors=1) # Repeating the same assignment has no effect self.create_member(urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': BaseGroupTypes.AUTHORS}, username=self.author_user.username, reverse_str='repo-members-user-group-detail') self.assert_users_count(admins=1, authors=1) # Assign curators group self.create_member(urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': BaseGroupTypes.CURATORS}, username=self.curator_user.username, reverse_str='repo-members-user-group-detail') self.assert_users_count(admins=1, curators=1, authors=1) # Assign admin group self.create_member( urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': BaseGroupTypes.ADMINISTRATORS}, username=self.admin_user2.username, reverse_str='repo-members-user-group-detail') self.assert_users_count(admins=2, curators=1, authors=1) # Assign admin group to curator user (user can have multiple groups) self.create_member( urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': BaseGroupTypes.ADMINISTRATORS}, username=self.curator_user.username, reverse_str='repo-members-user-group-detail') self.assert_users_count(admins=3, curators=1, authors=1) # Reset users configuration self.remove_all_users_from_repo() self.assert_users_count() assign_user_to_repo_group(self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.assert_users_count(admins=1) # Second part: assign user to group # Assign unexpected group will fail self.create_member(urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': self.author_user.username}, group_type='foo', expected_status=HTTP_404_NOT_FOUND) # Assign real group to nonexistent user will fail self.create_member(urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': '******'}, group_type=BaseGroupTypes.AUTHORS, expected_status=HTTP_400_BAD_REQUEST) # Assign user to authors group self.create_member(urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': self.author_user.username}, group_type=BaseGroupTypes.AUTHORS, reverse_str='repo-members-group-user-detail') self.assert_users_count(admins=1, authors=1) # Repeating the same assignment has no effect self.create_member(urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': self.author_user.username}, group_type=BaseGroupTypes.AUTHORS, reverse_str='repo-members-group-user-detail') self.assert_users_count(admins=1, authors=1) # Assign user to curators group self.create_member(urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': self.curator_user.username}, group_type=BaseGroupTypes.CURATORS, reverse_str='repo-members-group-user-detail') self.assert_users_count(admins=1, curators=1, authors=1) # Assign user to admins group self.create_member(urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': self.admin_user2.username}, group_type=BaseGroupTypes.ADMINISTRATORS, reverse_str='repo-members-group-user-detail') self.assert_users_count(admins=2, curators=1, authors=1) # Assign curator user to admin group (user can have multiple groups) self.create_member(urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': self.curator_user.username}, group_type=BaseGroupTypes.ADMINISTRATORS, reverse_str='repo-members-group-user-detail') self.assert_users_count(admins=3, curators=1, authors=1)
def test_upload_with_permissions(self): """GET upload page with different user permissions""" def check_user_no_permission(): """ Helper function to check that the user has no permission on the repo """ # user cannot see the repository page self.assert_status_code( self.repository_url_slug, UNAUTHORIZED ) # and cannot see the import page self.assert_status_code( self.import_url_slug, UNAUTHORIZED ) self.logout() self.login(self.USERNAME_NO_REPO) # user has no permissions at all check_user_no_permission() # user has author permissions assign_user_to_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_AUTHOR ) # user can see the repository page self.assert_status_code( self.repository_url_slug, HTTP_OK ) # but cannot see the import for the repo self.assert_status_code( self.import_url_slug, UNAUTHORIZED ) # user has no permissions remove_user_from_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_AUTHOR ) check_user_no_permission() # user has curator permissions assign_user_to_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_CURATOR ) # user can see the repository page self.assert_status_code( self.repository_url_slug, HTTP_OK ) # and can see the the import for the repo self.assert_status_code( self.import_url_slug, HTTP_OK ) # remove curator permissions remove_user_from_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_CURATOR ) check_user_no_permission() # user has admin permissions assign_user_to_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_ADMINISTRATOR ) # user can see the repository page self.assert_status_code( self.repository_url_slug, HTTP_OK ) # and can see the the import for the repo self.assert_status_code( self.import_url_slug, HTTP_OK )
def test_members_create(self): """ Members POST Testing only using an administrator used logged in. All the other kind of users don't have permissions to handle users. (tests for other users in rest_test_authorization.py) """ # No users in the repo self.assert_users_count() # One user must be admin. assign_user_to_repo_group( self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.assert_users_count(admins=1) self.login(self.admin_user.username) # First part: assign group to user # Assign unexpected group will fail self.create_member( urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': 'foo'}, username=self.author_user.username, expected_status=HTTP_400_BAD_REQUEST ) # Assign real group to nonexistent user will fail self.create_member( urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': GroupTypes.REPO_ADMINISTRATOR}, username='******', expected_status=HTTP_404_NOT_FOUND ) # Assign authors group self.create_member( urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': BaseGroupTypes.AUTHORS}, username=self.author_user.username, reverse_str='repo-members-user-group-detail' ) self.assert_users_count(admins=1, authors=1) # Repeating the same assignment has no effect self.create_member( urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': BaseGroupTypes.AUTHORS}, username=self.author_user.username, reverse_str='repo-members-user-group-detail' ) self.assert_users_count(admins=1, authors=1) # Assign curators group self.create_member( urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': BaseGroupTypes.CURATORS}, username=self.curator_user.username, reverse_str='repo-members-user-group-detail' ) self.assert_users_count(admins=1, curators=1, authors=1) # Assign admin group self.create_member( urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': BaseGroupTypes.ADMINISTRATORS}, username=self.admin_user2.username, reverse_str='repo-members-user-group-detail' ) self.assert_users_count(admins=2, curators=1, authors=1) # Assign admin group to curator user (user can have multiple groups) self.create_member( urlfor='users', repo_slug=self.repo.slug, mem_dict={'group_type': BaseGroupTypes.ADMINISTRATORS}, username=self.curator_user.username, reverse_str='repo-members-user-group-detail' ) self.assert_users_count(admins=3, curators=1, authors=1) # Reset users configuration self.remove_all_users_from_repo() self.assert_users_count() assign_user_to_repo_group( self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.assert_users_count(admins=1) # Second part: assign user to group # Assign unexpected group will fail self.create_member( urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': self.author_user.username}, group_type='foo', expected_status=HTTP_404_NOT_FOUND ) # Assign real group to nonexistent user will fail self.create_member( urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': '******'}, group_type=BaseGroupTypes.AUTHORS, expected_status=HTTP_400_BAD_REQUEST ) # Assign user to authors group self.create_member( urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': self.author_user.username}, group_type=BaseGroupTypes.AUTHORS, reverse_str='repo-members-group-user-detail' ) self.assert_users_count(admins=1, authors=1) # Repeating the same assignment has no effect self.create_member( urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': self.author_user.username}, group_type=BaseGroupTypes.AUTHORS, reverse_str='repo-members-group-user-detail' ) self.assert_users_count(admins=1, authors=1) # Assign user to curators group self.create_member( urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': self.curator_user.username}, group_type=BaseGroupTypes.CURATORS, reverse_str='repo-members-group-user-detail' ) self.assert_users_count(admins=1, curators=1, authors=1) # Assign user to admins group self.create_member( urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': self.admin_user2.username}, group_type=BaseGroupTypes.ADMINISTRATORS, reverse_str='repo-members-group-user-detail' ) self.assert_users_count(admins=2, curators=1, authors=1) # Assign curator user to admin group (user can have multiple groups) self.create_member( urlfor='groups', repo_slug=self.repo.slug, mem_dict={'username': self.curator_user.username}, group_type=BaseGroupTypes.ADMINISTRATORS, reverse_str='repo-members-group-user-detail' ) self.assert_users_count(admins=3, curators=1, authors=1)
def test_list_users_in_repo_no_base_group_type_specified(self): """ Test for list_users_in_repo """ self.assertListEqual( api.list_users_in_repo(self.repo), [ UserGroup(self.user.username, BaseGroupTypes.ADMINISTRATORS) ] ) # Remove the user from the administrators. api.remove_user_from_repo_group( self.user, self.repo, GroupTypes.REPO_ADMINISTRATOR ) # No users in the repo. self.assertListEqual( api.list_users_in_repo(self.repo), [] ) # Add user to the curators. api.assign_user_to_repo_group( self.user, self.repo, GroupTypes.REPO_CURATOR ) self.assertListEqual( api.list_users_in_repo(self.repo), [ UserGroup(self.user.username, BaseGroupTypes.CURATORS) ] ) # Add user back to the administrators. api.assign_user_to_repo_group( self.user, self.repo, GroupTypes.REPO_ADMINISTRATOR ) self.assertListEqual( self.sort_user_group( api.list_users_in_repo(self.repo) ), self.sort_user_group( [ UserGroup( self.user.username, BaseGroupTypes.ADMINISTRATORS ), UserGroup( self.user.username, BaseGroupTypes.CURATORS ) ] ) ) # Add another user to the authors. api.assign_user_to_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_AUTHOR ) self.assertListEqual( self.sort_user_group( api.list_users_in_repo(self.repo) ), self.sort_user_group( [ UserGroup( self.user.username, BaseGroupTypes.ADMINISTRATORS ), UserGroup( self.user.username, BaseGroupTypes.CURATORS ), UserGroup( self.user_norepo.username, BaseGroupTypes.AUTHORS ) ] ) ) # Adding again the same user in the same group # will not create multiple instances. api.assign_user_to_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_AUTHOR ) self.assertListEqual( self.sort_user_group( api.list_users_in_repo(self.repo) ), self.sort_user_group( [ UserGroup( self.user.username, BaseGroupTypes.ADMINISTRATORS ), UserGroup( self.user.username, BaseGroupTypes.CURATORS ), UserGroup( self.user_norepo.username, BaseGroupTypes.AUTHORS ) ] ) )
def test_members_delete(self): """ Members DELETE Testing only using an administrator used logged in. All the other kind of users don't have permissions to handle users. (tests for other users in rest_test_authorization.py) """ # No users in the repo self.assert_users_count() # Populate repo groups. self.add_users_to_repo() # Add extra administrator assign_user_to_repo_group( self.admin_user2, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.assert_users_count(admins=2, curators=1, authors=1) self.login(self.admin_user2) # First part: delete group from user # Delete authors group self.delete_member( urlfor='users', repo_slug=self.repo.slug, username=self.author_user.username, group_type=BaseGroupTypes.AUTHORS, ) self.assert_users_count(admins=2, curators=1) # Delete curators group self.delete_member( urlfor='users', repo_slug=self.repo.slug, username=self.curator_user.username, group_type=BaseGroupTypes.CURATORS, ) self.assert_users_count(admins=2) # Delete administrators group self.delete_member( urlfor='users', repo_slug=self.repo.slug, username=self.admin_user.username, group_type=BaseGroupTypes.ADMINISTRATORS, ) self.assert_users_count(admins=1) # Trying to delete the last of administrators group will fail self.delete_member( urlfor='users', repo_slug=self.repo.slug, username=self.admin_user2.username, group_type=BaseGroupTypes.ADMINISTRATORS, expected_status=HTTP_400_BAD_REQUEST ) self.assert_users_count(admins=1) # Add back second admin assign_user_to_repo_group( self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.assert_users_count(admins=2) # Admin is able to delete self if there is another admin self.delete_member( urlfor='users', repo_slug=self.repo.slug, username=self.admin_user2.username, group_type=BaseGroupTypes.ADMINISTRATORS ) self.assert_users_count(admins=1) # Reset users configuration # Populate repo groups. self.add_users_to_repo() # Add extra administrator assign_user_to_repo_group( self.admin_user2, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.assert_users_count(admins=2, curators=1, authors=1) # Second part: delete user from group # Delete user from authors group self.delete_member( urlfor='groups', repo_slug=self.repo.slug, username=self.author_user.username, group_type=BaseGroupTypes.AUTHORS, ) self.assert_users_count(admins=2, curators=1) # Delete user from curators group self.delete_member( urlfor='groups', repo_slug=self.repo.slug, username=self.curator_user.username, group_type=BaseGroupTypes.CURATORS, ) self.assert_users_count(admins=2) # Delete user from administrators group self.delete_member( urlfor='groups', repo_slug=self.repo.slug, username=self.admin_user.username, group_type=BaseGroupTypes.ADMINISTRATORS, ) self.assert_users_count(admins=1) # Trying to delete the last of administrators group will fail self.delete_member( urlfor='groups', repo_slug=self.repo.slug, username=self.admin_user2.username, group_type=BaseGroupTypes.ADMINISTRATORS, expected_status=HTTP_400_BAD_REQUEST ) self.assert_users_count(admins=1) # Add back second admin assign_user_to_repo_group( self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.assert_users_count(admins=2) # Admin is able to delete self if there is another admin self.delete_member( urlfor='groups', repo_slug=self.repo.slug, username=self.admin_user2.username, group_type=BaseGroupTypes.ADMINISTRATORS ) self.assert_users_count(admins=1)
def test_learning_resource_exports(self): """Test for creating LearningResource ids in session shopping cart.""" # set up our data self.logout() self.login(self.add_repo_user) repo_slug1 = self.repo.slug repo_slug2 = self.create_repository()['slug'] repo2 = Repository.objects.get(slug=repo_slug2) # 'add_repo_user' will be able to see both repos assign_user_to_repo_group( self.add_repo_user, self.repo, GroupTypes.REPO_ADMINISTRATOR) self.import_course_tarball(repo2) repo1_lrid1 = get_resources(self.repo.id).all()[0].id repo2_lrid1 = get_resources(repo2.id).all()[0].id repo2_lrid2 = get_resources(repo2.id).all()[1].id self.logout() self.login(self.user) # make sure we start with an empty shopping cart self.assertEqual([], self.get_learning_resource_exports( repo_slug1)['results']) self.create_learning_resource_export(self.repo.slug, { 'id': repo1_lrid1 }) self.assertEqual([{'id': repo1_lrid1}], self.get_learning_resource_exports( repo_slug1)['results']) # user doesn't have access to repo2 self.get_learning_resource_exports( repo_slug2, expected_status=HTTP_403_FORBIDDEN) self.logout() self.login(self.add_repo_user) # make sure that session is not shared between users # user has an id in repo1 but add_repo_user does not self.assertEqual([], self.get_learning_resource_exports( repo_slug1 )['results']) # don't store duplicates self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1}) self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1}) self.assertEqual( [{"id": repo1_lrid1}], self.get_learning_resource_exports( repo_slug1 )['results']) # make sure export ids are confined to their own repos self.create_learning_resource_export(repo_slug2, { 'id': repo2_lrid1 }) # not affected by POST in previous line self.assertEqual([{'id': repo1_lrid1}], self.get_learning_resource_exports( repo_slug1)['results']) # contains the new item self.assertEqual([{'id': repo2_lrid1}], self.get_learning_resource_exports( repo_slug2)['results']) # make sure we can't add export ids that don't belong to the repo self.create_learning_resource_export(repo_slug1, { 'id': repo2_lrid1 }, expected_status=HTTP_403_FORBIDDEN) # make sure detail view will 404 if out of bounds self.assertEqual(repo1_lrid1, self.get_learning_resource_export( repo_slug1, repo1_lrid1)['id']) self.get_learning_resource_export( repo_slug1, repo2_lrid1, expected_status=HTTP_404_NOT_FOUND) self.get_learning_resource_export( repo_slug2, repo1_lrid1, expected_status=HTTP_404_NOT_FOUND) self.assertEqual(repo2_lrid1, self.get_learning_resource_export( repo_slug2, repo2_lrid1)['id']) self.create_learning_resource_export(repo_slug2, {"id": repo2_lrid1}) self.create_learning_resource_export(repo_slug2, {"id": repo2_lrid2}) # finally, delete all of the things self.assertEqual( 2, self.get_learning_resource_exports(repo_slug2)['count']) self.delete_learning_resource_exports(repo_slug2) self.assertEqual( 0, self.get_learning_resource_exports(repo_slug2)['count']) # make sure deleting an empty list doesn't cause problems self.delete_learning_resource_exports(repo_slug2) self.assertEqual( 0, self.get_learning_resource_exports(repo_slug2)['count']) # repo1 is unaffected self.assertEqual( 1, self.get_learning_resource_exports(repo_slug1)['count']) self.delete_learning_resource_export(repo_slug1, repo1_lrid1) self.get_learning_resource_export( repo_slug1, repo1_lrid1, expected_status=HTTP_404_NOT_FOUND) self.logout() self.login(self.user) # Populate shopping cart one more time. self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1}) self.logout() self.login(self.user) # After logout and login session was cleared self.assertEqual( 0, self.get_learning_resource_exports(repo_slug1)['count'])
def test_members_get(self): """ Tests for members. Get requests: an user can see members if has at least basic permissions """ # add an user to all groups for group_type in [ GroupTypes.REPO_ADMINISTRATOR, GroupTypes.REPO_CURATOR, GroupTypes.REPO_AUTHOR ]: assign_user_to_repo_group(self.user, self.repo, group_type) self.logout() # as anonymous self.get_members(urlfor='base', repo_slug=self.repo.slug, expected_status=HTTP_403_FORBIDDEN) # list of all groups for an user self.get_members(urlfor='users', repo_slug=self.repo.slug, username=self.user.username, expected_status=HTTP_403_FORBIDDEN) for group_type in BaseGroupTypes.all_base_groups(): # specific group for an user self.get_members(urlfor='users', repo_slug=self.repo.slug, username=self.user.username, group_type=group_type, expected_status=HTTP_403_FORBIDDEN) # list of all users for a group self.get_members(urlfor='groups', repo_slug=self.repo.slug, group_type=group_type, expected_status=HTTP_403_FORBIDDEN) # specific user for a group self.get_members(urlfor='groups', repo_slug=self.repo.slug, username=self.user.username, group_type=group_type, expected_status=HTTP_403_FORBIDDEN) # any kind of user in the repo groups can retrieve infos for user in [ self.author_user.username, self.curator_user.username, self.user.username ]: self.logout() self.login(user) # list of all groups for an user self.get_members(urlfor='base', repo_slug=self.repo.slug) # specific group for an user self.get_members(urlfor='users', repo_slug=self.repo.slug, username=self.user.username) for group_type in BaseGroupTypes.all_base_groups(): self.get_members(urlfor='users', repo_slug=self.repo.slug, username=self.user.username, group_type=group_type) # list of all users for a group self.get_members(urlfor='groups', repo_slug=self.repo.slug, group_type=group_type) # specific user for a group self.get_members(urlfor='groups', repo_slug=self.repo.slug, username=self.user.username, group_type=group_type)
def test_listing_importcourse_perms(self): """ Tests the listing page with different user permissions to check who can see the import course html """ self.logout() self.login(self.USERNAME_NO_REPO) # user has no permissions at all self.assert_status_code( self.repository_url, UNAUTHORIZED ) # user has author permissions and cannot see the import for the repo assign_user_to_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_AUTHOR ) body = self.assert_status_code( self.repository_url, HTTP_OK, return_body=True ) self.assertFalse("Import Course</a>" in body) # user has no permissions remove_user_from_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_AUTHOR ) self.assert_status_code( self.repository_url, UNAUTHORIZED ) # user has curator permissions and can see the the import for the repo assign_user_to_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_CURATOR ) body = self.assert_status_code( self.repository_url, HTTP_OK, return_body=True ) self.assertTrue("Import Course</a>" in body) # user has no permissions remove_user_from_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_CURATOR ) self.assert_status_code( self.repository_url, UNAUTHORIZED ) # user has admin permissions and can see the the import for the repo assign_user_to_repo_group( self.user_norepo, self.repo, GroupTypes.REPO_ADMINISTRATOR ) body = self.assert_status_code( self.repository_url, HTTP_OK, return_body=True ) self.assertTrue("Import Course</a>" in body)