예제 #1
def test_draft_questionnaire_is_listed_in_controls_data_if_user_is_inspector():
    """An inspector of a control sees its published and its draft questionnaire."""
    inspected_control = factories.ControlFactory()
    factories.QuestionnaireFactory(
        control=inspected_control, is_draft=False, title='MUST BE LISTED')
    factories.QuestionnaireFactory(
        control=inspected_control, is_draft=True, title='MUST ALSO BE LISTED')
    inspector = utils.make_inspector_user(inspected_control)

    response = list_control(inspector)

    assert response.status_code == 200
    # The titles are markers looked up in the raw response body.
    body = str(response.content)
    assert 'MUST BE LISTED' in body
    assert 'MUST ALSO BE LISTED' in body
예제 #2
def test_as_auditor_questionnaire_is_not_listed_if_not_associated_with_user_control():
    """The control listing only exposes questionnaires of the user's own control.

    Two controls each get a published questionnaire; the user is attached to
    one of them only, and the other control's title must be absent from the
    response body.
    """
    own_control = factories.ControlFactory()
    foreign_control = factories.ControlFactory()
    factories.QuestionnaireFactory(
        control=own_control, is_draft=False, title='MUST BE LISTED')
    factories.QuestionnaireFactory(
        control=foreign_control, is_draft=False, title='MUST NOT BE LISTED')
    audited = utils.make_audited_user(own_control)

    response = list_control(audited)

    assert response.status_code == 200
    body = str(response.content)
    assert 'MUST BE LISTED' in body
    # Cross-control leak check: the foreign title must not appear anywhere.
    assert 'MUST NOT BE LISTED' not in body
예제 #3
def test_no_access_to_questionnaire_api_if_control_is_not_associated_with_the_user():
    """An inspector cannot create a questionnaire in a control they are not attached to."""
    own_questionnaire = factories.QuestionnaireFactory()
    foreign_questionnaire = factories.QuestionnaireFactory()
    foreign_control_id = foreign_questionnaire.control.id
    assert own_questionnaire.control.id != foreign_control_id
    inspector = utils.make_inspector_user(own_questionnaire.control)

    # create: the payload targets the control the user has no link to.
    payload = make_create_payload(foreign_control_id)
    clear_saved_data()
    response = create_questionnaire(inspector, payload)
    # NOTE(review): `!= 201` also passes on a 5xx or a redirect, so the status
    # check alone does not show a deliberate denial; the call that follows is
    # presumably what confirms nothing was written.
    assert response.status_code != 201
    assert_no_data_is_saved()
예제 #4
def test_as_auditor_questionnaire_is_not_listed_if_associated_with_deleted_control():
    """A questionnaire of a deleted control is not listed, even for an attached user.

    The user is explicitly added to the second control before that control is
    deleted, so the only thing hiding its questionnaire is the deletion.
    """
    live_control = factories.ControlFactory()
    removed_control = factories.ControlFactory()
    factories.QuestionnaireFactory(
        control=live_control, is_draft=False, title='MUST BE LISTED')
    factories.QuestionnaireFactory(
        control=removed_control, is_draft=False, title='MUST NOT BE LISTED')
    audited = utils.make_audited_user(live_control)
    audited.profile.controls.add(removed_control)
    removed_control.delete()

    response = list_control(audited)

    assert response.status_code == 200
    body = str(response.content)
    assert 'MUST BE LISTED' in body
    assert 'MUST NOT BE LISTED' not in body
예제 #5
def test_audited_cannot_download_questionnaire_file_if_draft(client):
    """An audited user of the control gets a 404 when downloading a draft questionnaire file."""
    draft = factories.QuestionnaireFactory(is_draft=True)
    audited = utils.make_audited_user(draft.control)
    utils.login(client, user=audited)

    download_url = reverse('send-questionnaire-file', args=[draft.id])

    # The expected denial is a 404, pinned exactly rather than "anything but 200".
    assert client.get(download_url).status_code == 404
예제 #6
def test_send_response_file_list_does_not_contais_files_from_other_questionnaire(
        client):
    """get_files_for_export(q) returns only the files that belong to q.

    A second published questionnaire is created in the same control, with its
    own response file, so sharing a control is not enough for a file to be
    included in the export of the first questionnaire.
    """
    first_file = factories.ResponseFileFactory(is_deleted=False)
    first_questionnaire = first_file.question.theme.questionnaire
    first_questionnaire.is_draft = False
    first_questionnaire.save()
    assert not first_questionnaire.is_draft

    # Questionnaire 2 in same control as questionnaire 1
    second_questionnaire = factories.QuestionnaireFactory(
        control=first_questionnaire.control)
    second_questionnaire.is_draft = False
    second_questionnaire.save()
    assert not second_questionnaire.is_draft
    second_theme = factories.ThemeFactory(questionnaire=second_questionnaire)
    second_question = factories.QuestionFactory(theme=second_theme)
    # This file must stay out of the export; the object itself is not needed afterwards.
    factories.ResponseFileFactory(is_deleted=False, question=second_question)

    # The user is created but never passed to the function under test.
    utils.make_audited_user(first_questionnaire.control)

    exported = get_files_for_export(first_questionnaire)

    assert len(exported) == 1
    assert exported[0].file.name == first_file.file.name
예제 #7
def test_can_access_questionnaire_api_if_control_is_associated_with_the_user():
    """An inspector attached to a control can create a questionnaire in it (201)."""
    existing = factories.QuestionnaireFactory()
    target_control = existing.control

    # create
    inspector = utils.make_inspector_user(target_control)
    payload = make_create_payload(target_control.id)
    response = create_questionnaire(inspector, payload)
    assert response.status_code == 201
예제 #8
def test_no_access_to_questionnaire_api_for_anonymous():
    """Every questionnaire API verb answers 403 to a request made without login.

    Retrieve, update, delete and create are each tried through the
    `*_without_login` helpers; create is additionally followed by a check that
    nothing was saved.
    """
    # NOTE(review): `client` is not a parameter of this test; presumably a
    # module-level test client defined elsewhere in the file - confirm.
    resource = 'questionnaire'
    target = factories.QuestionnaireFactory()

    # retrieve is never allowed
    retrieved = utils.get_resource_without_login(client, resource, target.id)
    assert retrieved.status_code == 403

    # update
    update_payload = make_update_payload(target)
    updated = utils.update_resource_without_login(
        client, resource, update_payload)
    assert updated.status_code == 403

    # delete is never allowed
    deleted = utils.delete_resource_without_login(client, resource, target.id)
    assert deleted.status_code == 403

    # create
    clear_saved_data()
    create_payload = make_create_payload(target.control.id)
    created = utils.create_resource_without_login(
        client, resource, create_payload)
    assert created.status_code == 403
    assert_no_data_is_saved()
예제 #9
def increment_ids():
    """Create throwaway themes and questionnaires so later ids diverge.

    Without this, question.id = theme.id = qr.id = 1 in a fresh database and a
    test that mixes up two kinds of id would still pass.
    """
    # Themes first, then questionnaires, five of each.
    for make_object in (factories.ThemeFactory, factories.QuestionnaireFactory):
        for _ in range(5):
            make_object()
    clear_saved_data()
예제 #10
def test_send_response_file_list_fails_for_draft_questionnaire_for_audited(
        client):
    """An audited user of the control does not get the response-file list of a draft."""
    draft = factories.QuestionnaireFactory(is_draft=True)
    audited = utils.make_audited_user(draft.control)

    status = get_response_list(client, audited, draft.id).status_code

    # NOTE(review): `!= 200` also passes on a 5xx or a redirect; pinning the
    # expected denial status would make this a stricter access-control check.
    assert status != 200
예제 #11
def test_send_response_file_list_fails_for_draft_questionnaire_for_inspector(
        client):
    """An inspector of the control does not get the response-file list of a draft."""
    draft = factories.QuestionnaireFactory(is_draft=True)
    inspector = utils.make_inspector_user(draft.control)
    utils.login(client, user=inspector)

    list_url = reverse('send-response-file-list', args=[draft.id])
    status = client.get(list_url).status_code

    # NOTE(review): `!= 200` also passes on a 5xx or a redirect; pinning the
    # expected denial status would make this a stricter check.
    assert status != 200
예제 #12
def test_send_response_file_list_works_for_inspector_if_the_control_is_associated_with_the_user(
        client):
    """An inspector of the control gets 200 on the response-file list of a published questionnaire."""
    published = factories.QuestionnaireFactory(is_draft=False)
    inspector = utils.make_inspector_user(published.control)

    status = get_response_list(client, inspector, published.id).status_code

    assert status == 200
예제 #13
def test_user_cannot_set_editor_if_they_cannot_access_the_questionnaire():
    """An inspector with no control cannot make themselves editor of a draft (4xx)."""
    target_control = factories.ControlFactory()
    # The user is created with control=None, i.e. without a link to target_control.
    outsider = utils.make_inspector_user(
        control=None, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(control=target_control, is_draft=True)

    status = call_api(outsider, draft.id, outsider.id).status_code

    assert 400 <= status < 500
예제 #14
def test_send_response_file_list_fails_for_inspector_if_the_control_is_not_associated_with_the_user(
        client):
    """An inspector of another control does not get the response-file list."""
    published = factories.QuestionnaireFactory(is_draft=False)
    other_control = factories.ControlFactory()
    outsider = utils.make_inspector_user(other_control)

    status = get_response_list(client, outsider, published.id).status_code

    # NOTE(review): `!= 200` also passes on a 5xx or a redirect; pinning the
    # expected denial status would make this a stricter cross-control check.
    assert status != 200
예제 #15
def test_audited_cannot_access_api():
    """An audited user gets a 4xx from call_api and the editor is left unchanged."""
    shared_control = factories.ControlFactory()
    audited = utils.make_audited_user(shared_control)
    draft = factories.QuestionnaireFactory(
        control=shared_control, is_draft=True, editor=audited)
    assert_questionnaire_has_editor(draft, audited)

    status = call_api(audited, draft.id, audited.id).status_code

    assert 400 <= status < 500
    # The editor is checked again after the refused call.
    assert_questionnaire_has_editor(draft, audited)
예제 #16
def test_download_questionnaire_file_fails_if_the_control_is_not_associated_with_the_user(
        client):
    """An audited user of another control cannot download the questionnaire file."""
    published = factories.QuestionnaireFactory(is_draft=False)
    other_control = factories.ControlFactory()
    assert other_control != published.control
    outsider = utils.make_audited_user(other_control)
    utils.login(client, user=outsider)

    download_url = reverse('send-questionnaire-file', args=[published.id])
    status = client.get(download_url).status_code

    # NOTE(review): `!= 200` also passes on a 5xx or a redirect; pinning the
    # expected denial status would make this a stricter cross-control check.
    assert status != 200
예제 #17
    def __init__(self, client):
        """Download a published questionnaire file as an audited user of its control.

        Stores the questionnaire's basename in `self.filename` and the GET
        response in `self.response`.
        """
        published = factories.QuestionnaireFactory(is_draft=False)
        self.filename = published.basename

        audited = utils.make_audited_user(published.control)
        utils.login(client, user=audited)

        download_url = reverse('send-questionnaire-file', args=[published.id])
        self.response = client.get(download_url)
예제 #18
def test_no_questionnaire_update_if_control_is_deleted():
    """Updating a questionnaire whose control was deleted answers 403 or 404."""
    increment_ids()
    target = factories.QuestionnaireFactory()
    inspector = utils.make_inspector_user(target.control)
    # The payload is built while the control still exists.
    payload = make_update_payload(target)

    target.control.delete()

    status = update_questionnaire(inspector, payload).status_code
    assert status in (403, 404)
예제 #19
def test_noneditor_can_get_rights_on_questionnaire_without_editor():
    """An inspector of the control can become editor of a draft that has no editor."""
    shared_control = factories.ControlFactory()
    inspector = utils.make_inspector_user(
        shared_control, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(
        control=shared_control, is_draft=True, editor=None)
    assert_questionnaire_has_editor(draft, None)

    status = call_api(inspector, draft.id, inspector.id).status_code

    assert status == 200
    assert_questionnaire_has_editor(draft, inspector)
예제 #20
def test_can_access_questionnaire_page_if_control_is_associated_with_the_user(
        client):
    """A user whose profile holds the control gets 200 on the questionnaire detail page."""
    target = factories.QuestionnaireFactory()
    member = factories.UserFactory()
    # Attach the control directly on the profile instead of going through a utils helper.
    member.profile.controls.add(target.control)
    member.profile.save()
    utils.login(client, user=member)

    detail_url = reverse('questionnaire-detail', args=[target.id])

    assert client.get(detail_url).status_code == 200
예제 #21
def test_questionnaire_draft_update__non_editor_cannot_update():
    """An inspector created without editor rights gets a 4xx when updating the questionnaire."""
    increment_ids()
    target = factories.QuestionnaireFactory()
    non_editor = utils.make_inspector_user(
        target.control, assign_questionnaire_editor=False)

    payload = make_update_payload(target)
    payload['description'] = 'this is a great questionnaire.'

    status = update_questionnaire(non_editor, payload).status_code
    assert 400 <= status < 500
예제 #22
def test_no_access_to_editor_api_for_deleted_control():
    """Once the control is deleted, call_api answers 404 even to the current editor."""
    doomed_control = factories.ControlFactory()
    inspector = utils.make_inspector_user(
        doomed_control, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(
        control=doomed_control, is_draft=True, editor=inspector)
    assert_questionnaire_has_editor(draft, inspector)

    doomed_control.delete()

    status = call_api(inspector, draft.id, inspector.id).status_code
    assert status == 404
예제 #23
def test_editor_can_transfer_rights():
    """The current editor can hand the editor role to another inspector of the same control."""
    shared_control = factories.ControlFactory()
    current_editor = utils.make_inspector_user(
        shared_control, assign_questionnaire_editor=False)
    next_editor = utils.make_inspector_user(
        shared_control, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(
        control=shared_control, is_draft=True, editor=current_editor)
    assert_questionnaire_has_editor(draft, current_editor)

    status = call_api(current_editor, draft.id, next_editor.id).status_code

    assert status == 200
    assert_questionnaire_has_editor(draft, next_editor)
예제 #24
def test_inspector_cannot_update_published_questionnaire():
    """Even its editor gets a 4xx when updating a questionnaire that is no longer a draft."""
    increment_ids()
    shared_control = factories.ControlFactory()
    inspector = utils.make_inspector_user(shared_control)
    published = factories.QuestionnaireFactory(
        is_draft=False, control=shared_control, editor=inspector)

    # Here we are trying to update a questionnaire that's already published
    payload = make_update_payload(published)
    status = update_questionnaire(inspector, payload).status_code

    assert 400 <= status < 500
    def __init__(self, client):
        """Download a questionnaire file as a user whose profile holds its control.

        Stores the questionnaire's basename in `self.filename` and the GET
        response in `self.response`.
        """
        target = factories.QuestionnaireFactory()
        self.filename = target.basename

        member = factories.UserFactory()
        # Attach the control directly on the profile instead of going through a utils helper.
        member.profile.controls.add(target.control)
        member.profile.save()
        utils.login(client, user=member)

        download_url = reverse('send-questionnaire-file', args=[target.id])
        self.response = client.get(download_url)
예제 #26
def test_query_without_editor_is_refused():
    """A PUT to 'update-editor' with an empty body gets a 4xx and leaves the editor unchanged."""
    # NOTE(review): `client` is not a parameter of this test; presumably a
    # module-level test client defined elsewhere in the file - confirm.
    shared_control = factories.ControlFactory()
    current_editor = utils.make_inspector_user(
        shared_control, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(
        control=shared_control, is_draft=True, editor=current_editor)
    assert_questionnaire_has_editor(draft, current_editor)

    utils.login(client, user=current_editor)
    editor_url = reverse('update-editor', args=[draft.id])
    # Empty body: no editor is named in the request.
    empty_body = {}
    status = client.put(editor_url, empty_body, format='json').status_code

    assert 400 <= status < 500
    assert_questionnaire_has_editor(draft, current_editor)
예제 #27
def test_cannot_get_questionnaire_even_if_control_is_associated_with_the_user():
    """Retrieve and list answer 405 to audited and inspector users of the control."""
    target = factories.QuestionnaireFactory()
    audited = utils.make_audited_user(target.control)
    inspector = utils.make_inspector_user(target.control)
    members = (audited, inspector)

    # Retrieve is disabled
    for member in members:
        assert get_questionnaire(member, target.id).status_code == 405

    # list is disabled
    for member in members:
        assert list_questionnaires(member).status_code == 405
예제 #28
def access_questionnaire_page(
        client, page_name, is_control_associated_with_user,
        profile_type, is_draft=False, assign_questionnaire_editor=True):
    """Log in a freshly made user and GET a questionnaire page; return the response.

    Args:
        client: test client used to log in and issue the GET.
        page_name: URL name passed to reverse(), with the questionnaire id as its argument.
        is_control_associated_with_user: when true the user is made with the
            questionnaire's control, otherwise with None as control.
        profile_type: forwarded to utils.make_user.
        is_draft: draft flag of the questionnaire that is created.
        assign_questionnaire_editor: forwarded to utils.make_user, only when
            the control is associated with the user.
    """
    questionnaire = factories.QuestionnaireFactory(is_draft=is_draft)
    control = questionnaire.control

    if not is_control_associated_with_user:
        # No control and no explicit editor flag: make_user's own default applies.
        user = utils.make_user(profile_type, None)
    else:
        user = utils.make_user(
            profile_type, control,
            assign_questionnaire_editor=assign_questionnaire_editor)

    utils.login(client, user=user)
    page_url = reverse(page_name, args=[questionnaire.id])
    return client.get(page_url)
예제 #29
def test_no_modifying_questionnaire_if_not_inspector():
    """An audited user of the control gets 403 on update, delete and create."""
    target = factories.QuestionnaireFactory()
    audited = utils.make_audited_user(target.control)

    # update
    update_payload = make_update_payload(target)
    updated = update_questionnaire(audited, update_payload)
    assert updated.status_code == 403

    # delete
    deleted = delete_questionnaire(audited, target.id)
    assert deleted.status_code == 403

    # create
    clear_saved_data()
    create_payload = make_create_payload(target.control.id)
    created = create_questionnaire(audited, create_payload)
    assert created.status_code == 403
    assert_no_data_is_saved()
예제 #30
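def test_questionnaire_update__questionnaire_update():
    """An inspector of the control can update a questionnaire and the change is persisted.

    The payload changes the description and sets is_draft to False. The test
    re-reads the row afterwards and checks both fields, and that the update
    did not create an extra questionnaire row.
    """
    increment_ids()
    # Qr with no themes or questions.
    questionnaire = factories.QuestionnaireFactory()
    user = utils.make_inspector_user(questionnaire.control)
    payload = make_update_payload(questionnaire)
    payload['description'] = 'this is a great questionnaire.'
    payload['is_draft'] = False

    assert Questionnaire.objects.count() == 1
    assert payload['description'] != questionnaire.description

    response = update_questionnaire(user, payload)
    assert response.status_code == 200

    # Data is saved: still a single row, re-read from the database rather than
    # trusting the in-memory instance.
    assert Questionnaire.objects.count() == 1
    saved_qr = Questionnaire.objects.get(id=questionnaire.id)
    assert saved_qr.description != questionnaire.description
    assert saved_qr.description == payload['description']
    # Identity check: `== False` would also accept 0.
    assert saved_qr.is_draft is False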