def test_listing_users(self):
headers = dict(Authorization='Bearer %s' % self.admin_token())
# add a dozen users
session = self.storage.make_session(namespace='unittest')
for i in range(12):
session.add(
User(userid='user_%s' % i,
credentials='user_%s' % i,
user_group=10))
session.flush()
transaction.commit()
# admin user can retrieve all users
out = self.api.get('/api/v1/user/records?limit=10', headers=headers)
assert len(out.json['records']) == 10
assert out.json['total'] == 13
# lets retrieve the next page with the remaining users
out = self.api.get('/api/v1/user/records?offset=10', headers=headers)
assert len(out.json['records']) == 3
assert out.json['total'] == 13
# non admin users can only retrieve themselves
token = self.api.post_json('/api/v1/auth/login', {
'user': '******',
'password': '******'
}).json['token']
out = self.api.get('/api/v1/user/records',
headers={'Authorization': 'Bearer %s' % token})
assert len(out.json['records']) == 1
assert out.json['records'][0]['userid'] == 'user_4'
def test_resource_methods_with_specified_principals(self):
# this tests the explicity passing of principals into the
# resource methods (get, put, delete).
# With normal webrequests, this is evaluated before executing the
# view by pyramid, so the principals do not need to be passed.
session = self.storage.make_session(namespace='unittest')
context = UserResource(self.storage.registry, session)
# let's try to retrieve the admin user as user john
with pytest.raises(HTTPForbidden):
context.get(1, principals=['user:john'])
# create user john as editor
john = context.put(User(userid='john',
credentials='j0hn',
user_group=10),
principals=['group:admin'])
# user john should be retrievable by user john
user = context.get(john.id, principals=['user:john'])
assert user is not None
assert user.id == john.id
# john can not delete himself
with pytest.raises(HTTPForbidden):
context.delete(john, principals=['user:john'])
# but an admin can
context.delete(john, principals=['group:admin'])
def generate_test_token(self, user_group_password, owners=None):
"""Returns a token for owner / editor / admin / viewer
If the user does not exist, a new user is created
"""
response = self.api.post_json(
'/api/v1/auth/login',
{'user': user_group_password,
'password': user_group_password}
,status=[200, 401])
if response.status_code == 401:
context = UserResource(self.storage.registry, self.session)
context.put(
User(userid=user_group_password,
credentials=user_group_password,
owns=[Owner(**d) for d in (owners or [])],
user_group={'admin': 100,
'manager': 80,
'editor': 60,
'owner': 40,
'viewer': 10}[user_group_password]),
principals=['group:admin'])
transaction.commit()
response = self.api.post_json(
'/api/v1/auth/login',
{'user': user_group_password, 'password': user_group_password})
return response.json['token']
def collection_post(self):
"Create a new User"
user = User.from_dict(self.request.validated)
self.context.put(user)
# force reload the user from db to retrieve the credentials hash
self.context.session.refresh(user)
user = self.context.get(user.id)
self.request.response.status = 201
return UserSchema().to_json(user.to_dict())
def initialize_repository(self, session, namespace, admin_userid, admin_credentials):
session.execute('SET search_path TO %s, public' % namespace);
user_groups = DEFAULTS['user_groups']
for id, label in user_groups.items():
session.add(UserGroup(id=id, label=label))
session.flush()
session.add(User(userid=admin_userid,
credentials=admin_credentials,
user_group=100))
session.flush()
group_types = DEFAULTS['group_types']
for key, label in group_types.items():
session.add(GroupType(key=key, label=label))
person_account_types = DEFAULTS['person_account_types']
for key, label in person_account_types.items():
session.add(PersonAccountType(key=key, label=label))
group_account_types = DEFAULTS['group_account_types']
for key, label in group_account_types.items():
session.add(GroupAccountType(key=key, label=label))
work_types = DEFAULTS['work_types']
for key, label in work_types.items():
session.add(WorkType(key=key, label=label))
contributor_roles = DEFAULTS['contributor_roles']
for key, label in contributor_roles.items():
session.add(ContributorRole(key=key, label=label))
identifier_types = DEFAULTS['identifier_types']
for key, label in identifier_types.items():
session.add(IdentifierType(key=key, label=label))
relation_types = DEFAULTS['relation_types']
for key, label in relation_types.items():
session.add(RelationType(key=key, label=label))
description_types = DEFAULTS['description_types']
for key, label in description_types.items():
session.add(DescriptionType(key=key, label=label))
description_formats = DEFAULTS['description_formats']
for key, label in description_formats.items():
session.add(DescriptionFormat(key=key, label=label))
measure_types = DEFAULTS['measure_types']
for key, label in measure_types.items():
session.add(MeasureType(key=key, label=label))
position_types = DEFAULTS['position_types']
for key, label in position_types.items():
session.add(PositionType(key=key, label=label))
session.flush()
session.execute('SET search_path TO public');
session.flush()
def test_crud_groups_by_user_groups(self):
super(GroupAuthorzationWebTest, self).setUp()
# add some users
test_users = [('test_admin', 100), ('test_manager', 80),
('test_editor', 60)]
session = self.storage.make_session(namespace='unittest')
for user, user_group in test_users:
session.add(
User(userid=user, credentials=user, user_group=user_group))
session.flush()
transaction.commit()
for user, user_group in test_users:
token = self.api.post_json('/api/v1/auth/login', {
'user': user,
'password': user
}).json['token']
headers = dict(Authorization='Bearer %s' % token)
out = self.api.post_json('/api/v1/group/records', {
'international_name': user,
'type': 'organisation'
},
headers=headers,
status=201)
last_id = out.json['id']
out = self.api.get('/api/v1/group/records/%s' % last_id,
headers=headers)
assert out.json['international_name'] == user
out = self.api.put_json('/api/v1/group/records/%s' % last_id, {
'id': last_id,
'international_name': user,
'abbreviated_name': 'C.',
'type': 'organisation'
},
headers=headers,
status=200)
assert out.json['abbreviated_name'] == 'C.'
out = self.api.delete('/api/v1/group/records/%s' % last_id,
headers=headers)
self.api.get('/api/v1/group/records/%s' % last_id,
headers=headers,
status=404)
def test_crud_memberships_by_user_memberships(self):
super(MembershipAuthorzationWebTest, self).setUp()
# add some users
test_users = [('test_admin', 100),
('test_manager', 80),
('test_editor', 60)]
session = self.storage.make_session(namespace='unittest')
for user, user_group in test_users:
session.add(
User(userid=user, credentials=user, user_group=user_group))
session.flush()
transaction.commit()
for user, user_membership in test_users:
token = self.api.post_json(
'/api/v1/auth/login',
{'user': user, 'password': user}).json['token']
headers = dict(Authorization='Bearer %s' % token)
out = self.api.post_json('/api/v1/membership/records',
{'person_id': self.john_id,
'group_id': self.corp_id,
'start_date': '2017-01-01',
'end_date': '2017-12-31'},
headers=headers,
status=201)
last_id = out.json['id']
out = self.api.get('/api/v1/membership/records/%s' % last_id,
headers=headers)
assert out.json['person_id'] == self.john_id
out = self.api.put_json('/api/v1/membership/records/%s' % last_id,
{'id': last_id,
'person_id': self.jane_id,
'group_id': self.corp_id},
headers=headers,
status=200)
assert out.json['person_id'] == self.jane_id
out = self.api.delete('/api/v1/membership/records/%s' % last_id,
headers=headers)
self.api.get('/api/v1/membership/records/%s' % last_id,
headers=headers,
status=404)