def test_no_access_to_questionnaire_api_for_anonymous():
questionnaire = factories.QuestionnaireFactory()
# retrieve is never allowed
response = utils.get_resource_without_login(client, 'questionnaire',
questionnaire.id)
assert response.status_code == 403
# update
payload = make_update_payload(questionnaire)
response = utils.update_resource_without_login(client, 'questionnaire',
payload)
assert response.status_code == 403
# delete is never allowed
response = utils.delete_resource_without_login(client, 'questionnaire',
questionnaire.id)
assert response.status_code == 403
# create
clear_saved_data()
payload = make_create_payload(questionnaire.control.id)
response = utils.create_resource_without_login(client, 'questionnaire',
payload)
assert response.status_code == 403
assert_no_data_is_saved()
def run_test_response_file_api_is_readonly(user, response_file):
payload = {"id": response_file.id}
utils.login(client, user=user)
# no create
response = utils.create_resource_without_login(client, 'response-file', payload)
assert response.status_code == 405 # method not allowed
# no update
response = utils.update_resource_without_login(client, 'response-file', payload)
assert response.status_code == 405 # method not allowed
# no patch
url = reverse('api:response-file-detail', args=[payload['id']])
response = client.patch(url, payload, format='json')
assert response.status_code == 405 # method not allowed
def test_no_access_to_control_create_api_for_anonymous():
payload = make_create_payload()
response = utils.create_resource_without_login(client, 'control', payload)
assert response.status_code == 403