def test_update_form_input_entry_normal_user_fail_no_permission(
client: TestClient, db: Session) -> None:
"""Fail if the normal user doesn't have update permissions"""
setup = form_input_permission_setup(
db,
permission_type=PermissionTypeEnum.update,
permission_enabled=False)
form_input = setup["form_input"]
user = setup["user"]
form_input_entry = create_random_form_input_table_entry(db)
data = {"name": random_lower_string()}
user_token_headers = authentication_token_from_email(client=client,
email=user.email,
db=db)
response = client.put(
(f"{settings.API_V1_STR}/interfaces/form-inputs/"
f"{form_input.id}/entries/{form_input_entry.id}"),
headers=user_token_headers,
json=data,
)
content = response.json()
assert response.status_code == 403
assert content["detail"] == (
f"User ID {user.id} does not have update permissions for "
f"interface ID {form_input.id}")
def test_update_node_normal_user(client: TestClient,
superuser_token_headers: dict,
db: Session) -> None:
"""Successfully update a node as a normal user"""
setup = node_permission_setup(
db,
node_type="test_update_node_normal_user",
permission_type=PermissionTypeEnum.update,
permission_enabled=True,
)
data = {
"node_type": "updated_test_node",
"name": random_lower_string(),
}
user_token_headers = authentication_token_from_email(
client=client, email=setup["user"].email, db=db)
response = client.put(
f"{settings.API_V1_STR}/nodes/{setup['node'].id}",
headers=user_token_headers,
json=data,
)
assert response.status_code == 200
content = response.json()
assert content["node_type"] == data["node_type"]
assert content["name"] == data["name"]
assert content["is_active"] == setup["node"].is_active
assert content["parent_id"] == setup["node"].parent_id
assert content["depth"] == 0
assert "id" in content
assert "created_at" in content
assert "updated_at" in content
assert "created_by_id" in content
assert "updated_by_id" in content
def test_create_user_normal_user(client: TestClient, db: Session) -> None:
username = random_email()
password = random_lower_string()
user_group = create_random_user_group(db)
data = {"email": username, "password": password, "user_group_id": user_group.id}
user = create_random_user(db)
crud.user_group.add_user(db, user_group=user_group, user_id=user.id)
create_permission = crud.user_group.get_permission(
db, id=user_group.id, permission_type=PermissionTypeEnum.create
)
crud.permission.grant(
db, user_group_id=user_group.id, permission_id=create_permission.id
)
user_token_headers = authentication_token_from_email(
client=client, email=user.email, db=db
)
r = client.post(
f"{settings.API_V1_STR}/users/",
headers=user_token_headers,
json=data,
)
created_user = r.json()
user = crud.user.get_by_email(db, email=username)
assert 200 <= r.status_code < 300
assert user
assert user.email == created_user["email"]
assert user_group in user.user_groups
def test_create_user_fail_normal_user_no_permission(
client: TestClient, db: Session
) -> None:
username = random_email()
password = random_lower_string()
user_group = create_random_user_group(db)
data = {"email": username, "password": password, "user_group_id": user_group.id}
user = create_random_user(db)
crud.user_group.add_user(db, user_group=user_group, user_id=user.id)
user_token_headers = authentication_token_from_email(
client=client, email=user.email, db=db
)
r = client.post(
f"{settings.API_V1_STR}/users/",
headers=user_token_headers,
json=data,
)
content = r.json()
returned_user = crud.user.get_by_email(db, email=username)
assert r.status_code == 403
assert returned_user is None
assert content["detail"] == (
f"User ID {user.id} does not have create permissions for "
f"user_group ID {user_group.id}"
)
def test_create_user_fail_user_group_not_exists(
client: TestClient, db: Session
) -> None:
username = random_email()
password = random_lower_string()
data = {"email": username, "password": password, "user_group_id": -1}
user = create_random_user(db)
user_group = create_random_user_group(db)
crud.user_group.add_user(db, user_group=user_group, user_id=user.id)
create_permission = crud.user_group.get_permission(
db, id=user_group.id, permission_type=PermissionTypeEnum.create
)
crud.permission.grant(
db, user_group_id=user_group.id, permission_id=create_permission.id
)
user_token_headers = authentication_token_from_email(
client=client, email=user.email, db=db
)
r = client.post(
f"{settings.API_V1_STR}/users/",
headers=user_token_headers,
json=data,
)
content = r.json()
user = crud.user.get_by_email(db, email=username)
assert r.status_code == 404
assert user is None
assert content["detail"] == "Can not find user group."
def test_remove_interface_from_node_normal_user(client: TestClient,
db: Session) -> None:
"""Successfully remove an interface from a node as a normal user"""
setup = node_permission_setup(
db,
node_type="test",
permission_type=PermissionTypeEnum.update,
permission_enabled=True,
)
node = setup["node"]
user = setup["user"]
interface = create_random_form_input_interface(db)
user_token_headers = authentication_token_from_email(client=client,
email=user.email,
db=db)
crud.node.add_interface(db, node=node, interface=interface)
response = client.post(
f"{settings.API_V1_STR}/nodes/{node.id}/interfaces/{interface.id}/remove",
headers=user_token_headers,
)
db.refresh(node)
assert response.status_code == 200
assert interface not in node.interfaces
def test_delete_form_input_entry_normal_user(client: TestClient,
db: Session) -> None:
"""Successful form input delete by a normal user"""
setup = form_input_permission_setup(
db, permission_type=PermissionTypeEnum.delete)
form_input = setup["form_input"]
user = setup["user"]
form_input_entry = create_random_form_input_table_entry(db)
user_token_headers = authentication_token_from_email(client=client,
email=user.email,
db=db)
response = client.delete(
(f"{settings.API_V1_STR}/interfaces/form-inputs/"
f"{form_input.id}/entries/{form_input_entry.id}"),
headers=user_token_headers,
)
form_input_crud = crud.form_input.get_table_crud(db, id=form_input.id)
stored_form_input_entry = form_input_crud.get(db, id=form_input_entry.id)
content = response.json()
assert response.status_code == 200
assert content["id"] == form_input_entry.id
assert content["name"] == form_input_entry.name
assert content["date_created"] == str(form_input_entry.date_created)
assert content["an_integer"] == form_input_entry.an_integer
assert content["node_id"] == form_input_entry.node_id
assert stored_form_input_entry is None
def test_get_course_weakadmin(client: TestClient, db: Session) -> None:
admin = create_random_user(db=db, type="admin", permissions=0)
admin_user_token_headers = authentication_token_from_email(
client=client, db=db, email=admin.email, user_type="admin")
r = client.get(f"{settings.API_V1_STR}/courses/",
headers=admin_user_token_headers)
assert r.status_code == 403
def test_read_network_nodes_fail_normal_user(client: TestClient,
superuser_token_headers: dict,
db: Session) -> None:
"""Fail when attempting to read network nodes as a normal user"""
setup = multi_node_permission_setup(
db,
n=10,
node_type="network",
permission_type=PermissionTypeEnum.read,
permission_enabled=True,
)
nodes = setup["nodes"]
user = setup["user"]
node_ids = [node.id for node in nodes]
user_token_headers = authentication_token_from_email(client=client,
email=user.email,
db=db)
response = client.get(
f"{settings.API_V1_STR}/nodes/networks/",
headers=user_token_headers,
)
content = response.json()
assert response.status_code == 400
assert content["detail"] == "The user is not a superuser"
def test_create_node_fail_permission_missing(client: TestClient,
superuser_token_headers: dict,
db: Session) -> None:
"""
Node creation fails when user does not have a permission associate
with the resource
"""
# Setup: Create the parent node, create a user. Importantly, no permission setup
# for the user and the parent node
parent_node = create_random_node(db, created_by_id=1, node_type="network")
user = create_random_user(db)
user_token_headers = authentication_token_from_email(client=client,
email=user.email,
db=db)
data = {
"node_type": "test_create_node",
"name": random_lower_string(),
"is_active": True,
"parent_id": parent_node.id,
}
response = client.post(
f"{settings.API_V1_STR}/nodes/",
headers=user_token_headers,
json=data,
)
assert response.status_code == 403
content = response.json()
assert content[
"detail"] == "User does not have permission to create this node"
def test_read_node_normal_user(client: TestClient,
superuser_token_headers: dict,
db: Session) -> None:
"""Successfully read a node with permissions"""
setup = node_permission_setup(
db,
node_type="test_read_node_normal_user",
permission_type=PermissionTypeEnum.read,
permission_enabled=True,
)
user_token_headers = authentication_token_from_email(
client=client, email=setup["user"].email, db=db)
response = client.get(
f"{settings.API_V1_STR}/nodes/{setup['node'].id}",
headers=user_token_headers,
)
assert response.status_code == 200
content = response.json()
assert content["node_type"] == setup["node"].node_type
assert content["name"] == setup["node"].name
assert content["is_active"]
assert content["depth"] == 0
assert "id" in content
assert "parent_id" in content
assert "created_at" in content
assert "updated_at" in content
assert "created_by_id" in content
assert "updated_by_id" in content
def test_get_node_with_children_normal_user_fail_no_permission(
client: TestClient, db: Session) -> None:
"""Fail if the user doesn't have read permissions on the node"""
setup = node_permission_setup(
db,
node_type="test",
permission_type=PermissionTypeEnum.read,
permission_enabled=False,
)
node = setup["node"]
user = setup["user"]
user_token_headers = authentication_token_from_email(client=client,
email=user.email,
db=db)
response = client.get(
f"{settings.API_V1_STR}/nodes/{node.id}/children",
headers=user_token_headers,
)
content = response.json()
assert response.status_code == 403
assert content["detail"] == (
f"User ID {user.id} does not have "
f"{setup['permission'].permission_type} permissions for "
f"{setup['permission'].resource_type} ID {node.id}")
def test_create_node_fail_permission_false(client: TestClient,
superuser_token_headers: dict,
db: Session) -> None:
"""Node creation fails when user has a permission not enabled for node parent"""
setup = node_permission_setup(
db,
node_type="test_create_node_fail_permission_false",
permission_type=PermissionTypeEnum.create,
permission_enabled=False,
)
user_token_headers = authentication_token_from_email(
client=client, email=setup["user"].email, db=db)
data = {
"node_type": "test_create_node",
"name": random_lower_string(),
"is_active": True,
"parent_id": setup["node"].id,
}
response = client.post(
f"{settings.API_V1_STR}/nodes/",
headers=user_token_headers,
json=data,
)
assert response.status_code == 403
content = response.json()
assert content[
"detail"] == "User does not have permission to create this node"
def test_get_school_invalid_student(client: TestClient, db: Session) -> None:
school = create_random_school(db)
admin_user_token_headers = authentication_token_from_email(
client=client, db=db, email=random_email())
r = client.get(f"{settings.API_V1_STR}/schools/{school.id}",
headers=admin_user_token_headers)
assert r.status_code == 403
def test_get_node_with_children_normal_user(client: TestClient,
db: Session) -> None:
"""Successfully get a node with children listing"""
setup = node_permission_setup(
db,
node_type="test",
permission_type=PermissionTypeEnum.read,
permission_enabled=True,
)
node = setup["node"]
user = setup["user"]
user_group = setup["user_group"]
user_token_headers = authentication_token_from_email(client=client,
email=user.email,
db=db)
response = client.get(
f"{settings.API_V1_STR}/nodes/{node.id}/children",
headers=user_token_headers,
)
content = response.json()
assert response.status_code == 200
for child in content:
if child["child_type"] == "user_group":
assert child["child_id"] == user_group.id
def test_create_form_input_entry_normal_user(client: TestClient,
db: Session) -> None:
"""Successful form input entry creation by normal user"""
setup = form_input_permission_setup(
db, permission_type=PermissionTypeEnum.create)
user = setup["user"]
form_input = setup["form_input"]
node = create_random_node(db)
data = {
"name": random_lower_string(),
"date_created":
str(date(1985, 1, 1) + timedelta(days=randint(0, 9999))),
"an_integer": randint(0, 10000),
"node_id": node.id,
}
form_input = crud.form_input.get_by_template_table_name(
db, table_name="form_input_test_table")
user_token_headers = authentication_token_from_email(client=client,
email=user.email,
db=db)
response = client.post(
f"{settings.API_V1_STR}/interfaces/form-inputs/{form_input.id}/entries/",
headers=user_token_headers,
json=data,
)
content = response.json()
assert response.status_code == 200
assert content["id"]
assert content["name"] == data["name"]
assert content["date_created"] == data["date_created"]
assert content["an_integer"] == data["an_integer"]
assert content["node_id"] == data["node_id"]
def test_update_node_fail_user_no_parent_permission(
client: TestClient, superuser_token_headers: dict,
db: Session) -> None:
"""Fails if the user doesn't have update permissions on the new parent node"""
new_parent_node = create_random_node(db,
created_by_id=1,
node_type="new_parent_node")
data = {"parent_id": new_parent_node.id}
setup = node_permission_setup(
db,
node_type="test_update_node_fail_user_no_permission",
permission_type=PermissionTypeEnum.update,
permission_enabled=True,
)
user_token_headers = authentication_token_from_email(
client=client, email=setup["user"].email, db=db)
response = client.put(
f"{settings.API_V1_STR}/nodes/{setup['node'].id}",
headers=user_token_headers,
json=data,
)
assert response.status_code == 403
content = response.json()
assert content["detail"] == (
"User does not have permission to assign resources to node "
f"{data['parent_id']}")
def test_remove_interface_from_node_normal_user_fail_no_permission(
client: TestClient, db: Session) -> None:
"""Successfully add an interface to a node as a normal user"""
setup = node_permission_setup(
db,
node_type="test",
permission_type=PermissionTypeEnum.update,
permission_enabled=False,
)
node = setup["node"]
user = setup["user"]
interface = create_random_form_input_interface(db)
user_token_headers = authentication_token_from_email(client=client,
email=user.email,
db=db)
response = client.post(
f"{settings.API_V1_STR}/nodes/{node.id}/interfaces/{interface.id}/remove",
headers=user_token_headers,
)
content = response.json()
assert response.status_code == 403
assert content["detail"] == (
f"User ID {user.id} does not have "
f"{setup['permission'].permission_type} permissions for "
f"{setup['permission'].resource_type} ID {node.id}")
def test_update_node_fail_user_no_permission(client: TestClient,
superuser_token_headers: dict,
db: Session) -> None:
"""Fails if the user doesn't have update permissions on the target node"""
setup = node_permission_setup(
db,
node_type="test_update_node_fail_user_no_permission",
permission_type=PermissionTypeEnum.update,
permission_enabled=False,
)
user_token_headers = authentication_token_from_email(
client=client, email=setup["user"].email, db=db)
data = {"name": "no matter"}
response = client.put(
f"{settings.API_V1_STR}/nodes/{setup['node'].id}",
headers=user_token_headers,
json=data,
)
assert response.status_code == 403
content = response.json()
assert content["detail"] == (
f"User ID {setup['user'].id} does not have "
f"{setup['permission'].permission_type} permissions for "
f"{setup['permission'].resource_type} ID {setup['node'].id}")
def test_update_form_input_entry_normal_user(client: TestClient,
db: Session) -> None:
"""Successful form input update by a normal user"""
setup = form_input_permission_setup(
db, permission_type=PermissionTypeEnum.update)
form_input = setup["form_input"]
user = setup["user"]
form_input_entry = create_random_form_input_table_entry(db)
data = {"name": random_lower_string()}
user_token_headers = authentication_token_from_email(client=client,
email=user.email,
db=db)
response = client.put(
(f"{settings.API_V1_STR}/interfaces/form-inputs/"
f"{form_input.id}/entries/{form_input_entry.id}"),
headers=user_token_headers,
json=data,
)
content = response.json()
assert response.status_code == 200
assert content["id"] == form_input_entry.id
assert content["name"] == data["name"]
assert content["date_created"] == str(form_input_entry.date_created)
assert content["an_integer"] == form_input_entry.an_integer
assert content["node_id"] == form_input_entry.node_id
def test_create_form_input_entry_normal_user_fail_no_permission(
client: TestClient, db: Session) -> None:
"""Fail if the normal user doesn't have create permissions"""
node = create_random_node(db)
data = {
"name": random_lower_string(),
"date_created":
str(date(1985, 1, 1) + timedelta(days=randint(0, 9999))),
"an_integer": randint(0, 10000),
"node_id": node.id,
}
form_input = crud.form_input.get_by_template_table_name(
db, table_name="form_input_test_table")
user = create_random_user(db)
user_token_headers = authentication_token_from_email(client=client,
email=user.email,
db=db)
response = client.post(
f"{settings.API_V1_STR}/interfaces/form-inputs/{form_input.id}/entries/",
headers=user_token_headers,
json=data,
)
content = response.json()
assert response.status_code == 403
assert content["detail"] == (f"User ID {user.id} does not have "
f"create permissions for "
f"interface ID {form_input.id}")
def test_get_student_divisions_id_admin_without_perms(client: TestClient, db: Session) -> None:
student = create_random_student(db)
admin = create_random_user(db, type="admin")
r = client.get(
f"{settings.API_V1_STR}/students/{student.user_id}/divisions",
headers=authentication_token_from_email(client=client, email=admin.email, db=db),
)
assert r.status_code == 403
def test_get_timeslot_admin(client: TestClient, db: Session) -> None:
admin_perms = AdminPermissions(0)
admin_perms["school"] = True
admin = create_random_user(db=db, type="admin", permissions=admin_perms.permissions)
admin_user_token_headers = authentication_token_from_email(
client=client, db=db, email=admin.email, user_type="admin"
)
r = client.get(f"{settings.API_V1_STR}/timeslots/", headers=admin_user_token_headers)
assert r.status_code == 200
def test_read_user_self(client: TestClient, db: Session) -> None:
user = create_random_user(db, type="student")
r = client.get(
f"{settings.API_V1_STR}/users/{user.id}",
headers=authentication_token_from_email(client=client, email=user.email, db=db),
)
assert r.status_code == 200
fetched_user = r.json()
compare_api_and_db_query_results(api_result=fetched_user, db_dict=to_json(user))
def test_read_professor_by_id_professor(client: TestClient,
db: Session) -> None:
professor = create_random_user(db, type="professor")
r = client.get(
f"{settings.API_V1_STR}/professors/{professor.id}",
headers=authentication_token_from_email(client=client,
email=professor.email,
db=db),
)
assert r.status_code == 200
def test_get_student_me_normal_student(client: TestClient, db: Session) -> None:
student = create_random_student(db)
r = client.get(
f"{settings.API_V1_STR}/students/me",
headers=authentication_token_from_email(client=client, email=student.user.email, db=db),
)
assert r.status_code == 200
fetched_student = r.json()
assert fetched_student
compare_api_and_db_query_results(api_result=fetched_student, db_dict=to_json(student))
def test_update_students_non_admin(client: TestClient, db: Session) -> None:
student = create_random_student(db)
term_id = create_random_term(db).id
data = {"term_id": term_id}
r = client.put(
f"{settings.API_V1_STR}/students/{student.user_id}",
headers=authentication_token_from_email(client=client, email=student.user.email, db=db),
json=data,
)
assert r.status_code == 403
def test_create_superuser_by_normal_admin_with_user_perms(client: TestClient, db: Session) -> None:
admin_user = create_random_user(db=db, type="admin", is_admin=True, permissions=1)
username = random_email()
password = random_password()
data = {"email": username, "password": password, "type": "superuser"}
r = client.post(
f"{settings.API_V1_STR}/users/",
headers=authentication_token_from_email(client=client, email=admin_user.email, db=db),
json=data,
)
assert r.status_code == 403
def test_get_school_valid_student(client: TestClient, db: Session) -> None:
school = create_random_school(db)
admin_user_token_headers = authentication_token_from_email(
client=client, db=db, email=random_email(), school_id=school.id)
r = client.get(f"{settings.API_V1_STR}/schools/{school.id}",
headers=admin_user_token_headers)
assert r.status_code == 200
fetched_school = r.json()
assert fetched_school
compare_api_and_db_query_results(api_result=fetched_school,
db_dict=to_json(school))
def test_get_professor_me_normal_professor(client: TestClient,
db: Session) -> None:
professor = create_random_user(db, type="professor")
r = client.get(
f"{settings.API_V1_STR}/professors/me",
headers=authentication_token_from_email(client=client,
email=professor.email,
db=db),
)
assert r.status_code == 200
fetched_professor = r.json()
assert fetched_professor["user_id"] == professor.id
