def test_stored_payment_sources_restriction( mocker, staff_api_client, customer_user, permission_manage_users ): # Only owner of storedPaymentSources can fetch it. card = CreditCardInfo( last_4="5678", exp_year=2020, exp_month=12, name_on_card="JohnDoe" ) source = CustomerSource(id="test1", gateway="dummy", credit_card_info=card) mocker.patch( "saleor.graphql.account.resolvers.gateway.list_payment_sources", return_value=[source], autospec=True, ) customer_user_id = graphene.Node.to_global_id("User", customer_user.pk) query = """ query PaymentSources($id: ID!) { user(id: $id) { storedPaymentSources { creditCardInfo { firstDigits } } } } """ variables = {"id": customer_user_id} response = staff_api_client.post_graphql( query, variables, permissions=[permission_manage_users] ) assert_no_permission(response)
def test_query_gift_card_with_permissions( staff_api_client, gift_card, permission_manage_gift_card, permission_manage_users ): query = """ query giftCard($id: ID!) { giftCard(id: $id){ id displayCode user { email } } } """ gift_card_id = graphene.Node.to_global_id("GiftCard", gift_card.pk) variables = {"id": gift_card_id} # Query should fail without manage_users permission. response = staff_api_client.post_graphql( query, variables, permissions=[permission_manage_gift_card] ) assert_no_permission(response) # Query should succeed with manage_users and manage_gift_card permissions. response = staff_api_client.post_graphql( query, variables, permissions=[permission_manage_gift_card, permission_manage_users], ) content = get_graphql_content(response) data = content["data"]["giftCard"] assert data["id"] == gift_card_id assert data["displayCode"] == gift_card.display_code assert data["user"]["email"] == gift_card.user.email
def post_graphql( self, query, variables=None, permissions=None, check_no_permissions=True, **kwargs, ): """Dedicated helper for posting GraphQL queries. Sets the `application/json` content type and json.dumps the variables if present. """ data = {"query": query} if variables is not None: data["variables"] = variables if data: data = json.dumps(data, cls=DjangoJSONEncoder) kwargs["content_type"] = "application/json" if permissions: if check_no_permissions: response = super().post(API_PATH, data, **kwargs) assert_no_permission(response) if self.app: self.app.permissions.add(*permissions) else: self.user.user_permissions.add(*permissions) result = super().post(API_PATH, data, **kwargs) flush_post_commit_hooks() return result
def test_query_stock_requires_permission(staff_api_client, stock): assert not staff_api_client.user.has_perm( ProductPermissions.MANAGE_PRODUCTS) stock_id = graphene.Node.to_global_id("Stock", stock.pk) response = staff_api_client.post_graphql(QUERY_STOCK, variables={"id": stock_id}) assert_no_permission(response)
def test_webhook_delete_when_app_doesnt_exist(app_api_client, app): app.delete() query = WEBHOOK_DELETE_BY_APP webhook_id = graphene.Node.to_global_id("Webhook", 1) variables = {"id": webhook_id} response = app_api_client.post_graphql(query, variables=variables) assert_no_permission(response)
def test_app_token_create_no_permissions(staff_api_client, staff_user): app = App.objects.create(name="New_app") query = APP_TOKEN_CREATE_MUTATION id = graphene.Node.to_global_id("App", app.id) variables = {"name": "Default token", "app": id} response = staff_api_client.post_graphql(query, variables={"input": variables}) assert_no_permission(response)
def test_service_account_token_create_no_permissions(staff_api_client, staff_user): app = App.objects.create(name="New_sa") query = SERVICE_ACCOUNT_TOKEN_CREATE_MUTATION id = graphene.Node.to_global_id("ServiceAccount", app.id) variables = {"name": "Default token", "serviceAccount": id} response = staff_api_client.post_graphql(query, variables={"input": variables}) assert_no_permission(response)
def test_webhook_delete_by_inactive_app(app_api_client, webhook): app = webhook.app app.is_active = False app.save() query = WEBHOOK_DELETE_BY_APP webhook_id = graphene.Node.to_global_id("Webhook", webhook.pk) variables = {"id": webhook_id} response = app_api_client.post_graphql(query, variables=variables) assert_no_permission(response)
def test_app_token_delete_no_permissions(staff_api_client, staff_user, app): query = APP_TOKEN_DELETE_MUTATION token = app.tokens.get() id = graphene.Node.to_global_id("AppToken", token.id) variables = {"id": id} response = staff_api_client.post_graphql(query, variables=variables) assert_no_permission(response) token.refresh_from_db()
def test_webhook_update_not_allowed_by_app(app_api_client, app, webhook): query = WEBHOOK_UPDATE webhook_id = graphene.Node.to_global_id("Webhook", webhook.pk) variables = { "id": webhook_id, "events": [WebhookEventTypeEnum.ORDER_CREATED.name], "is_active": False, } response = app_api_client.post_graphql(query, variables=variables) assert_no_permission(response)
def test_app_update_no_permission(app, staff_api_client, staff_user): query = APP_UPDATE_MUTATION id = graphene.Node.to_global_id("App", app.id) variables = { "id": id, "is_active": False, "permissions": [PermissionEnum.MANAGE_PRODUCTS.name], } response = staff_api_client.post_graphql(query, variables=variables) assert_no_permission(response)
def test_assign_menu( staff_api_client, menu, permission_manage_menus, permission_manage_settings, site_settings, ): query = """ mutation AssignMenu($menu: ID, $navigationType: NavigationType!) { assignNavigation(menu: $menu, navigationType: $navigationType) { errors { field message } menu { name } } } """ # test mutations fails without proper permissions menu_id = graphene.Node.to_global_id("Menu", menu.pk) variables = {"menu": menu_id, "navigationType": NavigationType.MAIN.name} response = staff_api_client.post_graphql(query, variables) assert_no_permission(response) staff_api_client.user.user_permissions.add(permission_manage_menus) staff_api_client.user.user_permissions.add(permission_manage_settings) # test assigning main menu response = staff_api_client.post_graphql(query, variables) content = get_graphql_content(response) assert content["data"]["assignNavigation"]["menu"]["name"] == menu.name site_settings.refresh_from_db() assert site_settings.top_menu.name == menu.name # test assigning secondary menu variables = { "menu": menu_id, "navigationType": NavigationType.SECONDARY.name } response = staff_api_client.post_graphql(query, variables) content = get_graphql_content(response) assert content["data"]["assignNavigation"]["menu"]["name"] == menu.name site_settings.refresh_from_db() assert site_settings.bottom_menu.name == menu.name # test unasigning menu variables = {"id": None, "navigationType": NavigationType.MAIN.name} response = staff_api_client.post_graphql(query, variables) content = get_graphql_content(response) assert not content["data"]["assignNavigation"]["menu"] site_settings.refresh_from_db() assert site_settings.top_menu is None
def test_webhook_create_app_doesnt_exist(app_api_client, app): app.delete() query = WEBHOOK_CREATE_BY_APP variables = { "target_url": "https://www.example.com", "events": [WebhookEventTypeEnum.ORDER_CREATED.name], "name": "", } response = app_api_client.post_graphql(query, variables=variables) assert_no_permission(response)
def test_webhook_create_without_app(app_api_client, app): app_api_client.app = None app_api_client.app_token = None query = WEBHOOK_CREATE_BY_APP variables = { "target_url": "https://www.example.com", "events": [WebhookEventTypeEnum.ORDER_CREATED.name], "name": "", } response = app_api_client.post_graphql(query, variables=variables) assert_no_permission(response)
def test_webhook_create_by_staff_without_permission(staff_api_client, app): query = WEBHOOK_CREATE_BY_STAFF app_id = graphene.Node.to_global_id("App", app.pk) variables = { "target_url": "https://www.example.com", "events": [WebhookEventTypeEnum.ORDER_CREATED.name], "app": app_id, } response = staff_api_client.post_graphql(query, variables=variables) assert_no_permission(response) assert Webhook.objects.count() == 0
def test_query_plugin_configuration_as_customer_user(user_api_client, settings): settings.PLUGINS = [ "saleor.graphql.plugins.tests.test_plugins.PluginSample" ] manager = get_plugins_manager() sample_plugin = manager.get_plugin(PluginSample.PLUGIN_ID) variables = {"id": sample_plugin.PLUGIN_ID} response = user_api_client.post_graphql(PLUGIN_QUERY, variables) assert_no_permission(response)
def test_fulfillment_update_metadata_user_has_no_permision( staff_api_client, staff_user, update_metadata_mutation, update_metadata_variables): assert not staff_user.has_perm(OrderPermissions.MANAGE_ORDERS) response = staff_api_client.post_graphql( update_metadata_mutation, update_metadata_variables, permissions=[], check_no_permissions=False, ) assert_no_permission(response)
def test_webhook_create_by_staff_with_inactive_service_account( staff_api_client, app): app.is_active = False query = WEBHOOK_CREATE_BY_STAFF service_account_id = graphene.Node.to_global_id("ServiceAccount", app.pk) variables = { "target_url": "https://www.example.com", "events": [WebhookEventTypeEnum.ORDER_CREATED.name], "service_account": service_account_id, } response = staff_api_client.post_graphql(query, variables=variables) assert_no_permission(response) assert Webhook.objects.count() == 0
def post_multipart(self, *args, permissions=None, **kwargs): """Send a multipart POST request. This is used to send multipart requests to GraphQL API when e.g. uploading files. """ kwargs["content_type"] = MULTIPART_CONTENT if permissions: response = super().post(API_PATH, *args, **kwargs) assert_no_permission(response) self.user.user_permissions.add(*permissions) return super().post(API_PATH, *args, **kwargs)
def test_update_gift_card_without_premissions(staff_api_client, gift_card): new_code = "new_test_code" balance = 150 assert gift_card.code != new_code assert gift_card.current_balance != balance variables = { "id": graphene.Node.to_global_id("GiftCard", gift_card.id), "balance": balance, "userEmail": staff_api_client.user.email, } response = staff_api_client.post_graphql(UPDATE_GIFT_CARD_MUTATION, variables) assert_no_permission(response)
def test_fulfillment_clear_meta_user_has_no_permission( staff_api_client, staff_user, fulfillment, clear_meta_variables, clear_metadata_mutation, ): assert not staff_user.has_perm(OrderPermissions.MANAGE_ORDERS) fulfillment.store_value_in_metadata(items={"foo": "bar"}) fulfillment.save() response = staff_api_client.post_graphql(clear_metadata_mutation, clear_meta_variables) assert_no_permission(response)
def test_staff_clear_meta_without_permissions(staff_api_client, customer_with_meta, mutation): user_id = graphene.Node.to_global_id("User", customer_with_meta.id) variables = { "id": user_id, "input": { "namespace": PUBLIC_META_NAMESPACE, "clientName": META_CLIENT, "key": PUBLIC_KEY, }, } response = staff_api_client.post_graphql(mutation, variables) assert_no_permission(response)
def test_webhook_create_inactive_app(app_api_client, app, permission_manage_orders): app.is_active = False app.save() query = WEBHOOK_CREATE_BY_APP variables = { "target_url": "https://www.example.com", "events": [WebhookEventTypeEnum.ORDER_CREATED.name], "name": "", } response = app_api_client.post_graphql( query, variables=variables, permissions=[permission_manage_orders] ) assert_no_permission(response)
def test_apps_query_no_permission(staff_api_client, permission_manage_users, permission_manage_staff, app): variables = {"filter": {}} response = staff_api_client.post_graphql(QUERY_APPS_WITH_FILTER, variables, permissions=[]) assert_no_permission(response) response = staff_api_client.post_graphql( QUERY_APPS_WITH_FILTER, variables, permissions=[permission_manage_users, permission_manage_staff], ) assert_no_permission(response)
def test_create_gift_card_without_premissions(staff_api_client): code = "mirumee" start_date = date(day=1, month=1, year=2018) end_date = date(day=1, month=1, year=2019) initial_balance = 100 variables = { "code": code, "startDate": start_date.isoformat(), "endDate": end_date.isoformat(), "balance": initial_balance, "userEmail": staff_api_client.user.email, } response = staff_api_client.post_graphql(CREATE_GIFT_CARD_MUTATION, variables) assert_no_permission(response)
def test_staff_update_meta_without_permissions(staff_api_client, customer_with_meta, mutation): user_id = graphene.Node.to_global_id("User", customer_with_meta.id) variables = { "id": user_id, "input": { "namespace": "new_namespace", "clientName": "client_name", "key": "meta_key", "value": "value", }, } response = staff_api_client.post_graphql(mutation, variables) assert_no_permission(response)
def test_service_accounts_query_no_permission(staff_api_client, permission_manage_users, permission_manage_staff, app): variables = {"filter": {}} response = staff_api_client.post_graphql( QUERY_SERVICE_ACCOUNTS_WITH_FILTER, variables, permissions=[]) assert_no_permission(response) response = staff_api_client.post_graphql( QUERY_SERVICE_ACCOUNTS_WITH_FILTER, variables, permissions=[permission_manage_users, permission_manage_staff], ) assert_no_permission(response)
def test_service_account_create_mutation_no_permissions( permission_manage_service_accounts, permission_manage_products, staff_api_client, staff_user, ): query = SERVICE_ACCOUNT_CREATE_MUTATION variables = { "name": "New integration", "is_active": True, "permissions": [PermissionEnum.MANAGE_PRODUCTS.name], } response = staff_api_client.post_graphql(query, variables=variables) assert_no_permission(response)
def test_query_gift_card_without_premissions( user_api_client, gift_card_created_by_staff ): query = """ query giftCard($id: ID!) { giftCard(id: $id){ id } } """ gift_card_id = graphene.Node.to_global_id("GiftCard", gift_card_created_by_staff.pk) variables = {"id": gift_card_id} response = user_api_client.post_graphql(query, variables) assert_no_permission(response)
def test_plugin_configuration_update_as_customer_user(user_api_client, settings): settings.PLUGINS = ["saleor.plugins.tests.sample_plugins.PluginSample"] manager = get_plugins_manager() plugin = manager.get_plugin(PluginSample.PLUGIN_ID) variables = { "id": plugin.PLUGIN_ID, "active": True, "configuration": [{ "name": "Username", "value": "user" }], } response = user_api_client.post_graphql(PLUGIN_UPDATE_MUTATION, variables) assert_no_permission(response)