def test_profile_put_writes_audit_log_if_not_own_profile(
        profile, other_profile, api_client, caplog):
    """Updating someone else's profile must leave a FORBIDDEN "UPDATE" audit event.

    The actor recorded in the event is the authenticated user (``profile``),
    while the target is the profile that was attacked (``other_profile``).
    """
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    target_url = reverse(
        "users:profile-detail", args=(mask_uuid(other_profile.pk), ))
    payload = dict(PROFILE_TEST_DATA)
    payload.update(first_name="Maija", street_address="Kauppakatu 23")

    api_client.put(target_url, payload)

    audit_event = get_audit_log_event(caplog)
    assert audit_event is not None, "no audit log entry was written"
    expected_actor = {"role": "USER", "profile_id": str(profile.pk)}
    expected_target = {"id": str(other_profile.pk), "type": "Profile"}
    assert audit_event["actor"] == expected_actor
    assert audit_event["operation"] == "UPDATE"
    assert audit_event["target"] == expected_target
    assert audit_event["status"] == "FORBIDDEN"
def test_profile_delete_fails_if_not_authenticated(profile, api_client):
    """Without credentials, DELETE on a profile must be rejected with 401."""
    # No api_client.credentials(...) call: the request is sent anonymously.
    target_url = reverse(
        "users:profile-detail", args=(mask_uuid(profile.pk), ))

    response = api_client.delete(target_url, PROFILE_TEST_DATA)

    assert response.status_code == 401
def test_profile_get_detail(profile, api_client):
    """An authenticated user can read their own profile."""
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    own_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk), ))

    response = api_client.get(own_url)

    assert response.status_code == 200
    # The serialized profile is expected to equal the fixture data exactly.
    assert response.data == PROFILE_TEST_DATA
def test_profile_delete(profile, api_client):
    """A user can delete their own profile.

    After the request both the Profile row and the owning User row must
    be gone from the database.
    """
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    own_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk), ))

    response = api_client.delete(own_url)

    assert response.status_code == 204
    user_pk = profile.user.pk
    profile_pk = profile.pk
    assert not User.objects.filter(pk=user_pk).exists()
    assert not Profile.objects.filter(pk=profile_pk).exists()
def test_profile_patch_is_not_allowed(profile, api_client):
    """PATCH (partial update) is rejected with 405, even for the owner."""
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    own_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk), ))
    partial_update = {
        "first_name": "Maija",
        "street_address": "Kauppakatu 23",
    }

    response = api_client.patch(own_url, partial_update)

    assert response.status_code == 405
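def test_profile_put_fails_if_not_own_profile(profile, other_profile,
                                              api_client):
    """A user must not be able to update another user's profile.

    Besides checking the 403, the test re-reads the target profile from the
    database and checks that the rejected request left it untouched, so an
    authorization bug that returns 403 but still applies the write would be
    caught rather than pass silently.
    """
    original_street_address = other_profile.street_address
    api_client.credentials(
        HTTP_AUTHORIZATION=f"Bearer {_create_token(profile)}")
    url = reverse("users:profile-detail", args=(mask_uuid(other_profile.pk), ))
    put_data = {
        **PROFILE_TEST_DATA,
        "first_name": "Maija",
        "street_address": "Kauppakatu 23",
    }
    response = api_client.put(url, put_data)
    assert response.status_code == 403
    # The in-memory fixture does not see writes made by the view; reload it.
    other_profile.refresh_from_db()
    assert other_profile.street_address == original_street_address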
def test_profile_delete_writes_audit_log_if_not_authenticated(
        profile, api_client, caplog):
    """An anonymous DELETE attempt must leave a FORBIDDEN "DELETE" audit event."""
    # No credentials are set, so the actor is expected to be ANONYMOUS
    # with no profile id.
    target_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk), ))
    api_client.delete(target_url, PROFILE_TEST_DATA)

    audit_event = get_audit_log_event(caplog)
    assert audit_event is not None, "no audit log entry was written"
    expected_fields = {
        "actor": {"role": "ANONYMOUS", "profile_id": None},
        "operation": "DELETE",
        "target": {"id": str(profile.pk), "type": "Profile"},
        "status": "FORBIDDEN",
    }
    for field, expected in expected_fields.items():
        assert audit_event[field] == expected, field
def test_profile_put(profile, api_client):
    """A user can replace their own profile and the change is persisted.

    The response body must echo the submitted data, and after reloading
    the profile every submitted field must be stored: name and e-mail on
    the related User, everything else on the Profile itself.
    """
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    own_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk), ))
    put_data = dict(PROFILE_TEST_DATA)
    put_data.update(first_name="Maija", street_address="Kauppakatu 23")

    response = api_client.put(own_url, put_data)

    assert response.status_code == 200
    assert response.data == put_data

    profile.refresh_from_db()
    user_fields = ("first_name", "last_name", "email")
    for field in user_fields:
        assert str(getattr(profile.user, field)) == str(put_data[field])
    for field, expected in put_data.items():
        if field in user_fields:
            continue
        assert str(getattr(profile, field)) == str(expected)
def test_profile_delete_writes_audit_log_if_not_own_profile(
        profile, other_profile, api_client, caplog):
    """Deleting someone else's profile must leave a FORBIDDEN "DELETE" audit event.

    The actor is the authenticated user (``profile``); the target is the
    profile the request was aimed at (``other_profile``).
    """
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
    target_url = reverse(
        "users:profile-detail", args=(mask_uuid(other_profile.pk), ))

    api_client.delete(target_url)

    audit_event = get_audit_log_event(caplog)
    assert audit_event is not None, "no audit log entry was written"
    expected_actor = {"role": "USER", "profile_id": str(profile.pk)}
    expected_target = {"id": str(other_profile.pk), "type": "Profile"}
    assert audit_event["actor"] == expected_actor
    assert audit_event["operation"] == "DELETE"
    assert audit_event["target"] == expected_target
    assert audit_event["status"] == "FORBIDDEN"
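def test_profile_put_writes_audit_log(profile, api_client, caplog):
    """A successful self-update must leave a SUCCESS "UPDATE" audit event.

    The HTTP status is asserted as well, so that a SUCCESS entry can only
    pass the test when the update itself went through.
    """
    api_client.credentials(
        HTTP_AUTHORIZATION=f"Bearer {_create_token(profile)}")
    put_data = {
        **PROFILE_TEST_DATA,
        "first_name": "Maija",
        # The other PUT tests in this file change "street_address"; an
        # unknown key such as "address" may be silently dropped by the
        # serializer, which would leave the update unexercised.
        "street_address": "Kauppakatu 23",
    }
    response = api_client.put(
        reverse("users:profile-detail", args=(mask_uuid(profile.pk), )),
        put_data,
    )
    assert response.status_code == 200
    audit_event = get_audit_log_event(caplog)
    assert audit_event is not None, "no audit log entry was written"
    assert audit_event["actor"] == {
        "role": "OWNER",
        "profile_id": str(profile.pk)
    }
    assert audit_event["operation"] == "UPDATE"
    assert audit_event["target"] == {"id": str(profile.pk), "type": "Profile"}
    assert audit_event["status"] == "SUCCESS"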