def test_get_members_by_authenticated(self):
user1 = UserFactory()
user2 = UserFactory()
box = BoxFactory(visibility=Box.PRIVATE)
box.share_with(user2, BoxMember.PERM_R)
request = APIRequestFactory().get('/url/')
request.user = user1
self.serializer.context['request'] = request
members = self.serializer.get_members(box)
self.assertEqual(len(members), 0)
def test_get_members_by_box_owner(self):
user1 = UserFactory()
user2 = UserFactory()
box = BoxFactory(owner=user1, visibility=Box.PRIVATE)
box.share_with(user2, BoxMember.PERM_R)
request = APIRequestFactory().get('/url/')
request.user = user1
self.serializer.context['request'] = request
members = self.serializer.get_members(box)
self.assertEqual(len(members), 1)
self.assertEqual(members[0]['username'], user2.username)
def test_get_boxes(self):
user1 = UserFactory()
user2 = UserFactory()
b1 = BoxFactory(owner=user1, visibility=Box.PRIVATE)
b2 = BoxFactory(owner=user1, visibility=Box.PUBLIC)
request = APIRequestFactory().get('/url/')
request.user = user2
self.serializer.context['request'] = request
boxes = self.serializer.get_boxes(user1)
self.assertEqual(len(boxes), 1, msg="Private box shouldn't be shown")
self.assertIn(b2.name, boxes[0])
self.assertIn('http://', boxes[0], msg="Should be absolute URL")
def test_list_user_boxes(self):
user = UserFactory()
user1 = UserFactory()
b1 = BoxFactory(visibility=Box.PRIVATE, owner=user1)
b2 = BoxFactory(visibility=Box.PRIVATE, owner=user1)
b2.share_with(user, BoxMember.PERM_R)
request = self.factory.get('/url/')
force_authenticate(request, user=user)
response = self.view_list(request, username=user1.username)
self.assertEqual(response.status_code, status.HTTP_200_OK)
# only b2; b1 not shared with user; b4 different owner
self.assertEqual(response.data['count'], 1)
self.assertEqual(response.data['results'][0]['name'], b2.name)
def test_box_owner_can_view_box_members(self):
user = UserFactory()
box = BoxFactory(owner=user)
user1 = UserFactory()
box.share_with(user1, BoxMember.PERM_RW)
user2 = UserFactory()
box.share_with(user2, BoxMember.PERM_R)
request = self.factory.get('/url/')
force_authenticate(request, user=user)
response = self.view_list(request,
username=user.username,
box_name=box.name)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data['count'], 2)
def test_user_cant_create_box_for_other_user(self):
user = UserFactory()
user1 = UserFactory()
data = {
'name': 'testbox1',
'description': 'some description',
'short_description': 'Test box',
'visibility': Box.PRIVATE,
}
request = self.factory.post('/url/', data=data)
force_authenticate(request, user=user)
response = self.view_list(request, username=user1.username)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(Box.objects.count(), 0)
def test_user_updated(self):
user = UserFactory()
data = {
'username': '******',
'email': '*****@*****.**',
'password': '******',
'profile': {
'boxes_permissions': UserProfile.BOXES_PERM_R,
}
}
user = self.serializer.update(user, data)
self.assertEqual(user.username, data['username'])
self.assertEqual(user.email, data['email'])
self.assertTrue(user.check_password(data['password']))
self.assertEqual(user.profile.boxes_permissions,
data['profile']['boxes_permissions'])
def test_get_perms_for_authenticated(self):
user = UserFactory()
box = BoxFactory(visibility=Box.PRIVATE)
self.check_perms(user, box, '')
box = BoxFactory(visibility=Box.PUBLIC)
self.check_perms(user, box, BoxMember.PERM_R)
def test_box_owner_can_add_box_member(self):
user = UserFactory()
box = BoxFactory(owner=user)
user1 = UserFactory()
data = {
'permissions': BoxMember.PERM_RW,
}
request = self.factory.post('/url/', data=data)
force_authenticate(request, user=user)
response = self.view_detail(request,
username=user.username,
box_name=box.name,
member_username=user1.username)
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.assertListEqual(list(box.shared_with.all()), [user1])
def test_authenticated_without_model_perms(self):
user = UserFactory(profile__boxes_permissions='')
checks = {
'GET': False,
'PATCH': False,
'POST': False,
'DELETE': False,
}
self.check_model_perms(checks, user)
def test_authenticated_with_read_write_boxes_perms(self):
user = UserFactory()
checks = {
'GET': True,
'PATCH': True,
'POST': True,
'DELETE': True,
}
self.check_model_perms(checks, user)
def test_box_owner_perms(self):
user = UserFactory()
checks = {
'GET': True,
'PATCH': True,
'POST': True,
'DELETE': True,
}
self.check_box_obj_perms(checks, user, box_owner=user)
def test_authenticated_perms(self):
user = UserFactory()
checks = {
'GET': False,
'PATCH': False,
'POST': False,
'DELETE': False,
}
self.check_box_obj_perms(checks, user)
def test_authenticated_with_read_boxes_perms(self):
user = UserFactory(profile__boxes_permissions=UserProfile.BOXES_PERM_R)
checks = {
'GET': True,
'PATCH': False,
'POST': False,
'DELETE': False,
}
self.check_model_perms(checks, user)
def test_token_in_query_string(self):
user = UserFactory()
token = user.auth_token
request = self.factory.get('/url/')
request.query_params = {'auth_token': token.key}
auth_user, auth_token = self.auth.authenticate(request)
self.assertEqual(auth_user, user)
self.assertEqual(auth_token, token)
def test_get_perms_for_user_with_push_access(self):
user = UserFactory()
box = BoxFactory(visibility=Box.PRIVATE)
box.share_with(user, BoxMember.PERM_RW)
self.check_perms(user, box, BoxMember.PERM_RW)
box = BoxFactory(visibility=Box.PUBLIC)
box.share_with(user, BoxMember.PERM_RW)
self.check_perms(user, box, BoxMember.PERM_RW)
def test_box_member_with_read_write_permissions(self):
user = UserFactory()
checks = {
'GET': True,
'PATCH': False,
'POST': False,
'DELETE': False,
}
box = BoxFactory(visibility=Box.PRIVATE)
box.share_with(user, BoxMember.PERM_RW)
self.check_obj_perms(checks, user, box)
def test_box_owner_cannot_add_already_added_box_member(self):
user = UserFactory()
box = BoxFactory(owner=user)
user1 = UserFactory()
box.share_with(user1, BoxMember.PERM_RW)
data = {
'permissions': BoxMember.PERM_RW,
}
request = self.factory.post('/url/', data=data)
force_authenticate(request, user=user)
# Wrap in atomic transaction because of UNIQUER DB error
with transaction.atomic():
response = self.view_detail(request,
username=user.username,
box_name=box.name,
member_username=user1.username)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertListEqual(list(box.shared_with.all()), [user1])
def test_token_expired(self):
user = UserFactory()
token = user.auth_token
token.created -= timedelta(hours=settings.TOKEN_EXPIRE_AFTER + 1)
token.save()
request = self.factory.get('/url/',
HTTP_AUTHORIZATION='Token {}'.format(
token.key))
with self.assertRaises(AuthenticationFailed):
self.auth.authenticate(request)
def test_token_valid(self):
user = UserFactory()
token = user.auth_token
request = self.factory.get('/url/',
HTTP_AUTHORIZATION='Token {}'.format(
token.key))
auth_user, auth_token = self.auth.authenticate(request)
self.assertEqual(auth_user, user)
self.assertEqual(auth_token, token)
def test_box_member_perms(self):
user = UserFactory()
checks = {
'GET': False,
'PATCH': False,
'POST': False,
'DELETE': False,
}
self.check_box_obj_perms(checks,
user,
share_with=user,
share_perm=BoxMember.PERM_RW)
def check_box_obj_perms(self,
checks,
user,
box_owner=None,
share_with=None,
share_perm=None):
if box_owner is None:
box_owner = UserFactory()
for visibility in [Box.PRIVATE, Box.PUBLIC]:
box = BoxFactory(visibility=visibility, owner=box_owner)
if share_with:
box.share_with(share_with, share_perm)
self.check_obj_perms(checks, user, box)
def test_user_with_permissions_cannot_read_box_members(self):
user = UserFactory()
box = BoxFactory()
box.share_with(user, BoxMember.PERM_RW)
request = self.factory.get('/url/')
force_authenticate(request, user=user)
response = self.view_list(request,
username=box.owner.username,
box_name=box.name)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data['count'], 0)
self.assertListEqual(list(box.shared_with.all()), [user])
def test_user_with_permissions_can_view_versions(self):
user = UserFactory()
box = BoxFactory()
box.share_with(user, BoxMember.PERM_R)
BoxVersionFactory(box=box, version='1.0.0')
BoxVersionFactory(box=box, version='1.0.1')
request = self.factory.get('/url/')
force_authenticate(request, user=user)
response = self.view_list(request,
username=box.owner.username,
box_name=box.name)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data['count'], 2)
def test_get_boxes_for_authenticated(self):
user = UserFactory()
b1 = BoxFactory(visibility=Box.PRIVATE)
b2 = BoxFactory(visibility=Box.PRIVATE, owner=user)
b3 = BoxFactory(visibility=Box.PRIVATE)
b3.share_with(user, BoxMember.PERM_RW)
b4 = BoxFactory(visibility=Box.PRIVATE)
b4.share_with(user, BoxMember.PERM_R)
b5 = BoxFactory(visibility=Box.PUBLIC)
self.assertCountEqual(
list(Box.objects.for_user(user)),
[b2, b3, b4, b5]
)
def test_user_with_permissions_can_view_metadata(self):
user = UserFactory()
box = BoxFactory()
box.share_with(user, BoxMember.PERM_R)
version = BoxVersionFactory(box=box)
BoxProviderFactory(version=version, provider='virtualbox')
BoxProviderFactory(version=version, provider='vmware')
BoxProviderFactory()
request = self.factory.get('/url/')
force_authenticate(request, user=user)
response = self.view_detail(request,
username=box.owner.username,
box_name=box.name)
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_box_owner_can_create_version(self):
user = UserFactory()
box = BoxFactory(owner=user)
data = {
'version': '1.0.1',
'changes': 'Initial release',
}
request = self.factory.post('/url/', data=data)
force_authenticate(request, user=user)
response = self.view_list(request,
username=box.owner.username,
box_name=box.name)
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.assertTrue(box.versions.filter(**data).exists())
def test_user_creates_own_box(self):
user = UserFactory()
data = {
'name': 'testbox1',
'description': 'some description',
'short_description': 'Test box',
'visibility': Box.PRIVATE,
}
request = self.factory.post('/url/', data=data)
force_authenticate(request, user=user)
response = self.view_list(request, username=user.username)
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.assertEqual(Box.objects.count(), 1)
self.assertTrue(Box.objects.filter(**data).exists())
def test_user_with_permissions_cannot_delete_provider(self):
user = UserFactory()
box = BoxFactory()
box.share_with(user, BoxMember.PERM_R)
version = BoxVersionFactory(box=box)
provider = BoxProviderFactory(version=version)
request = self.factory.delete('/url/')
force_authenticate(request, user=user)
response = self.view_detail(request,
username=box.owner.username,
box_name=box.name,
version=version.version,
provider=provider.provider)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_user_creates_box_with_the_same_name(self):
user = UserFactory()
box = BoxFactory(owner=user, visibility=Box.PRIVATE)
data = {
'name': box.name,
'description': 'some description',
'short_description': 'Test box',
'visibility': Box.PUBLIC,
}
request = self.factory.post('/url/', data=data)
force_authenticate(request, user=user)
# Wrap in atomic transaction because of UNIQUER DB error
with transaction.atomic():
response = self.view_list(request, username=user.username)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertEqual(Box.objects.count(), 1)
