def setUp(self):
super(RESTAuthTestCase, self).setUp()
# add_repo_user is another user with add_repo permission but who
# does not have access to self.repo
self.add_repo_user = User.objects.create_user(
username="******", password=self.PASSWORD
)
add_repo_perm = Permission.objects.get(codename=self.ADD_REPO_PERM)
self.add_repo_user.user_permissions.add(add_repo_perm)
# curator_user doesn't have add_repo but have view_repo permission on
# self.repo
self.curator_user = User.objects.create_user(
username="******", password=self.PASSWORD
)
assign_user_to_repo_group(
self.curator_user, self.repo, GroupTypes.REPO_CURATOR)
# author_user doesn't have manage_taxonomy permission
self.author_user = User.objects.create_user(
username="******", password=self.PASSWORD
)
assign_user_to_repo_group(
self.author_user, self.repo, GroupTypes.REPO_AUTHOR
)
def test_members_get(self):
"""
Tests for members.
Get requests: an user can see members if has at least basic permissions
"""
# add an user to all groups
for group_type in [GroupTypes.REPO_ADMINISTRATOR,
GroupTypes.REPO_CURATOR, GroupTypes.REPO_AUTHOR]:
assign_user_to_repo_group(
self.user, self.repo, group_type)
self.logout()
# as anonymous
self.get_members(urlfor='base', repo_slug=self.repo.slug,
expected_status=HTTP_403_FORBIDDEN)
# list of all groups for an user
self.get_members(urlfor='users', repo_slug=self.repo.slug,
username=self.user.username,
expected_status=HTTP_403_FORBIDDEN)
for group_type in BaseGroupTypes.all_base_groups():
# specific group for an user
self.get_members(urlfor='users', repo_slug=self.repo.slug,
username=self.user.username,
group_type=group_type,
expected_status=HTTP_403_FORBIDDEN)
# list of all users for a group
self.get_members(urlfor='groups', repo_slug=self.repo.slug,
group_type=group_type,
expected_status=HTTP_403_FORBIDDEN)
# specific user for a group
self.get_members(urlfor='groups', repo_slug=self.repo.slug,
username=self.user.username,
group_type=group_type,
expected_status=HTTP_403_FORBIDDEN)
# any kind of user in the repo groups can retrieve infos
for user in [self.author_user.username, self.curator_user.username,
self.user.username]:
self.logout()
self.login(user)
# list of all groups for an user
self.get_members(urlfor='base', repo_slug=self.repo.slug)
# specific group for an user
self.get_members(urlfor='users', repo_slug=self.repo.slug,
username=self.user.username)
for group_type in BaseGroupTypes.all_base_groups():
self.get_members(urlfor='users', repo_slug=self.repo.slug,
username=self.user.username,
group_type=group_type)
# list of all users for a group
self.get_members(urlfor='groups', repo_slug=self.repo.slug,
group_type=group_type)
# specific user for a group
self.get_members(urlfor='groups', repo_slug=self.repo.slug,
username=self.user.username,
group_type=group_type)
def perform_create(self, serializer):
"""Add a group for a user."""
# Validate the incoming data
serializer.is_valid(raise_exception=True)
# Get the user
username = self.kwargs.get('username')
user = User.objects.get(username=username)
# Get the repo group type
group_type = serializer.data.get('group_type')
repo_group_type = GroupTypes.get_repo_groupname_by_base(group_type)
# Get the repo object
repo = Repository.objects.get(slug=self.kwargs['repo_slug'])
assign_user_to_repo_group(user, repo, repo_group_type)
def test_single_repo(self):
"""
Search should only return records for one repository
at a time.
"""
resp = self.client.get(reverse("repositories", args=(self.repo.slug,)))
self.assertContains(resp, self.resource.title)
# Make a new repo with no content.
new_repo = create_repo("other", "whatever", self.user.id)
assign_user_to_repo_group(
self.user,
new_repo,
GroupTypes.REPO_ADMINISTRATOR
)
resp = self.client.get(reverse("repositories", args=(new_repo.slug,)))
self.assertNotContains(resp, self.resource.title)
def setUp(self):
"""set up"""
super(LoreTestCase, self).setUp()
self.user = User.objects.create_user(
username=self.USERNAME, password=self.PASSWORD
)
add_repo_perm = Permission.objects.get(codename=self.ADD_REPO_PERM)
self.user.user_permissions.add(add_repo_perm)
# user without permission to add a repo
self.user_norepo = User.objects.create_user(
username=self.USERNAME_NO_REPO, password=self.PASSWORD
)
self.repo = create_repo(
name="test repo",
description="just a test",
user_id=self.user.id,
)
self.course = create_course(
org="test-org",
repo_id=self.repo.id,
course_number="infinity",
run="Febtober",
user_id=self.user.id,
)
self.resource = self.create_resource(
course=self.course,
parent=None,
resource_type="example",
title="silly example",
content_xml="<blah>blah</blah>",
mpath="/blah",
url_name="url_name1",
)
assign_user_to_repo_group(
self.user,
self.repo,
GroupTypes.REPO_ADMINISTRATOR
)
self.toy_resource_count = 18 # Resources in toy course.
self.toy_asset_count = 5 # Static assets in toy course.
self.client = Client()
self.login(username=self.USERNAME)
def add_creator_permission(sender, **kwargs):
"""
Give the creator of a repository admin permissions
over that repository.
"""
from roles.api import assign_user_to_repo_group, roles_init_new_repo
from roles.permissions import GroupTypes
instance = kwargs.pop("instance", None)
if not kwargs["created"]:
return
if not isinstance(instance, Repository):
return
roles_init_new_repo(instance)
assign_user_to_repo_group(
instance.created_by,
instance,
GroupTypes.REPO_ADMINISTRATOR,
)
def create_repo(request):
"""
Create a new repository.
"""
form = RepositoryForm()
if request.method == "POST":
form = RepositoryForm(data=request.POST)
if form.is_valid():
repo = form.save(request.user)
assign_user_to_repo_group(
request.user,
repo,
GroupTypes.REPO_ADMINISTRATOR
)
return redirect(reverse("repositories", args=(repo.slug,)))
return render(
request,
"create_repo.html",
{"form": form},
)
def setUp(self):
super(RESTAuthTestCase, self).setUp()
# add_repo_user is another user with add_repo permission but who
# does not have access to self.repo
self.add_repo_user = User.objects.create_user(username="******",
password=self.PASSWORD)
add_repo_perm = Permission.objects.get(codename=self.ADD_REPO_PERM)
self.add_repo_user.user_permissions.add(add_repo_perm)
# curator_user doesn't have add_repo but have view_repo permission on
# self.repo
self.curator_user = User.objects.create_user(username="******",
password=self.PASSWORD)
assign_user_to_repo_group(self.curator_user, self.repo,
GroupTypes.REPO_CURATOR)
# author_user doesn't have manage_taxonomy permission
self.author_user = User.objects.create_user(username="******",
password=self.PASSWORD)
assign_user_to_repo_group(self.author_user, self.repo,
GroupTypes.REPO_AUTHOR)
def test_assign_user_group_2(self):
"""
Test for api.assign_user_to_repo_group
"""
repo = Repository.objects.create(
name=self.repo_name,
description=self.repo_desc,
created_by=self.user
)
admin = Group.objects.get(name=self.group_admin)
curator = Group.objects.get(name=self.group_curator)
author = Group.objects.get(name=self.group_author)
self.assertIn(self.user, admin.user_set.all())
self.assertNotIn(self.user, curator.user_set.all())
self.assertNotIn(self.user, author.user_set.all())
admin.user_set.clear()
api.assign_user_to_repo_group(
self.user,
repo,
group_type=GroupTypes.REPO_CURATOR
)
self.assertNotIn(self.user, admin.user_set.all())
self.assertIn(self.user, curator.user_set.all())
self.assertNotIn(self.user, author.user_set.all())
curator.user_set.clear()
api.assign_user_to_repo_group(
self.user,
repo,
group_type=GroupTypes.REPO_AUTHOR
)
self.assertNotIn(self.user, admin.user_set.all())
self.assertNotIn(self.user, curator.user_set.all())
self.assertIn(self.user, author.user_set.all())
author.user_set.clear()
def test_is_last_admin_in_repo(self):
"""
Test for is_last_admin_in_repo
"""
# By default the repo creator is also administrator
self.assertTrue(
api.is_last_admin_in_repo(self.user, self.repo)
)
# Add another user to the administrators.
api.assign_user_to_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_ADMINISTRATOR
)
self.assertFalse(
api.is_last_admin_in_repo(self.user, self.repo)
)
# Remove the first user from the administrators.
api.remove_user_from_repo_group(
self.user,
self.repo,
GroupTypes.REPO_ADMINISTRATOR
)
# Add user to the curators.
api.assign_user_to_repo_group(
self.user,
self.repo,
GroupTypes.REPO_CURATOR
)
# The user is not the last of the admins because he is not admin
self.assertFalse(
api.is_last_admin_in_repo(self.user, self.repo)
)
# The other user is indeed the last admin
self.assertTrue(
api.is_last_admin_in_repo(self.user_norepo, self.repo)
)
def add_users_to_repo(self):
"""
Helper function to add some users to the repository groups.
"""
# add only 3 users to 3 different groups
assign_user_to_repo_group(
self.author_user, self.repo, GroupTypes.REPO_AUTHOR)
assign_user_to_repo_group(
self.curator_user, self.repo, GroupTypes.REPO_CURATOR)
assign_user_to_repo_group(
self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
def add_users_to_repo(self):
"""
Helper function to add some users to the repository groups.
"""
# add only 3 users to 3 different groups
assign_user_to_repo_group(self.author_user, self.repo,
GroupTypes.REPO_AUTHOR)
assign_user_to_repo_group(self.curator_user, self.repo,
GroupTypes.REPO_CURATOR)
assign_user_to_repo_group(self.admin_user, self.repo,
GroupTypes.REPO_ADMINISTRATOR)
def test_upload_with_permissions(self):
"""GET upload page with different user permissions"""
def check_user_no_permission():
"""
Helper function to check that the user has
no permission on the repo
"""
# user cannot see the repository page
self.assert_status_code(self.repository_url_slug, UNAUTHORIZED)
# and cannot see the import page
self.assert_status_code(self.import_url_slug, UNAUTHORIZED)
self.logout()
self.login(self.USERNAME_NO_REPO)
# user has no permissions at all
check_user_no_permission()
# user has author permissions
assign_user_to_repo_group(self.user_norepo, self.repo,
GroupTypes.REPO_AUTHOR)
# user can see the repository page
self.assert_status_code(self.repository_url_slug, HTTP_OK)
# but cannot see the import for the repo
self.assert_status_code(self.import_url_slug, UNAUTHORIZED)
# user has no permissions
remove_user_from_repo_group(self.user_norepo, self.repo,
GroupTypes.REPO_AUTHOR)
check_user_no_permission()
# user has curator permissions
assign_user_to_repo_group(self.user_norepo, self.repo,
GroupTypes.REPO_CURATOR)
# user can see the repository page
self.assert_status_code(self.repository_url_slug, HTTP_OK)
# and can see the the import for the repo
self.assert_status_code(self.import_url_slug, HTTP_OK)
# remove curator permissions
remove_user_from_repo_group(self.user_norepo, self.repo,
GroupTypes.REPO_CURATOR)
check_user_no_permission()
# user has admin permissions
assign_user_to_repo_group(self.user_norepo, self.repo,
GroupTypes.REPO_ADMINISTRATOR)
# user can see the repository page
self.assert_status_code(self.repository_url_slug, HTTP_OK)
# and can see the the import for the repo
self.assert_status_code(self.import_url_slug, HTTP_OK)
def test_listing_importcourse_perms(self):
"""
Tests the listing page with different user permissions
to check who can see the import course html
"""
self.logout()
self.login(self.USERNAME_NO_REPO)
# user has no permissions at all
self.assert_status_code(self.repository_url, UNAUTHORIZED)
# user has author permissions and cannot see the import for the repo
assign_user_to_repo_group(self.user_norepo, self.repo,
GroupTypes.REPO_AUTHOR)
body = self.assert_status_code(self.repository_url,
HTTP_OK,
return_body=True)
self.assertFalse("Import Course</a>" in body)
# user has no permissions
remove_user_from_repo_group(self.user_norepo, self.repo,
GroupTypes.REPO_AUTHOR)
self.assert_status_code(self.repository_url, UNAUTHORIZED)
# user has curator permissions and can see the the import for the repo
assign_user_to_repo_group(self.user_norepo, self.repo,
GroupTypes.REPO_CURATOR)
body = self.assert_status_code(self.repository_url,
HTTP_OK,
return_body=True)
self.assertTrue("Import Course</a>" in body)
# user has no permissions
remove_user_from_repo_group(self.user_norepo, self.repo,
GroupTypes.REPO_CURATOR)
self.assert_status_code(self.repository_url, UNAUTHORIZED)
# user has admin permissions and can see the the import for the repo
assign_user_to_repo_group(self.user_norepo, self.repo,
GroupTypes.REPO_ADMINISTRATOR)
body = self.assert_status_code(self.repository_url,
HTTP_OK,
return_body=True)
self.assertTrue("Import Course</a>" in body)
def test_members_delete(self):
"""
Members DELETE
Testing only using an administrator used logged in.
All the other kind of users don't have permissions to handle users.
(tests for other users in rest_test_authorization.py)
"""
# No users in the repo
self.assert_users_count()
# Populate repo groups.
self.add_users_to_repo()
# Add extra administrator
assign_user_to_repo_group(self.admin_user2, self.repo,
GroupTypes.REPO_ADMINISTRATOR)
self.assert_users_count(admins=2, curators=1, authors=1)
self.login(self.admin_user2)
# First part: delete group from user
# Delete authors group
self.delete_member(
urlfor='users',
repo_slug=self.repo.slug,
username=self.author_user.username,
group_type=BaseGroupTypes.AUTHORS,
)
self.assert_users_count(admins=2, curators=1)
# Delete curators group
self.delete_member(
urlfor='users',
repo_slug=self.repo.slug,
username=self.curator_user.username,
group_type=BaseGroupTypes.CURATORS,
)
self.assert_users_count(admins=2)
# Delete administrators group
self.delete_member(
urlfor='users',
repo_slug=self.repo.slug,
username=self.admin_user.username,
group_type=BaseGroupTypes.ADMINISTRATORS,
)
self.assert_users_count(admins=1)
# Trying to delete the last of administrators group will fail
self.delete_member(urlfor='users',
repo_slug=self.repo.slug,
username=self.admin_user2.username,
group_type=BaseGroupTypes.ADMINISTRATORS,
expected_status=HTTP_400_BAD_REQUEST)
self.assert_users_count(admins=1)
# Add back second admin
assign_user_to_repo_group(self.admin_user, self.repo,
GroupTypes.REPO_ADMINISTRATOR)
self.assert_users_count(admins=2)
# Admin is able to delete self if there is another admin
self.delete_member(urlfor='users',
repo_slug=self.repo.slug,
username=self.admin_user2.username,
group_type=BaseGroupTypes.ADMINISTRATORS)
self.assert_users_count(admins=1)
# Reset users configuration
# Populate repo groups.
self.add_users_to_repo()
# Add extra administrator
assign_user_to_repo_group(self.admin_user2, self.repo,
GroupTypes.REPO_ADMINISTRATOR)
self.assert_users_count(admins=2, curators=1, authors=1)
# Second part: delete user from group
# Delete user from authors group
self.delete_member(
urlfor='groups',
repo_slug=self.repo.slug,
username=self.author_user.username,
group_type=BaseGroupTypes.AUTHORS,
)
self.assert_users_count(admins=2, curators=1)
# Delete user from curators group
self.delete_member(
urlfor='groups',
repo_slug=self.repo.slug,
username=self.curator_user.username,
group_type=BaseGroupTypes.CURATORS,
)
self.assert_users_count(admins=2)
# Delete user from administrators group
self.delete_member(
urlfor='groups',
repo_slug=self.repo.slug,
username=self.admin_user.username,
group_type=BaseGroupTypes.ADMINISTRATORS,
)
self.assert_users_count(admins=1)
# Trying to delete the last of administrators group will fail
self.delete_member(urlfor='groups',
repo_slug=self.repo.slug,
username=self.admin_user2.username,
group_type=BaseGroupTypes.ADMINISTRATORS,
expected_status=HTTP_400_BAD_REQUEST)
self.assert_users_count(admins=1)
# Add back second admin
assign_user_to_repo_group(self.admin_user, self.repo,
GroupTypes.REPO_ADMINISTRATOR)
self.assert_users_count(admins=2)
# Admin is able to delete self if there is another admin
self.delete_member(urlfor='groups',
repo_slug=self.repo.slug,
username=self.admin_user2.username,
group_type=BaseGroupTypes.ADMINISTRATORS)
self.assert_users_count(admins=1)
def test_members_create(self):
"""
Members POST
Testing only using an administrator used logged in.
All the other kind of users don't have permissions to handle users.
(tests for other users in rest_test_authorization.py)
"""
# No users in the repo
self.assert_users_count()
# One user must be admin.
assign_user_to_repo_group(self.admin_user, self.repo,
GroupTypes.REPO_ADMINISTRATOR)
self.assert_users_count(admins=1)
self.login(self.admin_user.username)
# First part: assign group to user
# Assign unexpected group will fail
self.create_member(urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': 'foo'},
username=self.author_user.username,
expected_status=HTTP_400_BAD_REQUEST)
# Assign real group to nonexistent user will fail
self.create_member(
urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': GroupTypes.REPO_ADMINISTRATOR},
username='******',
expected_status=HTTP_404_NOT_FOUND)
# Assign authors group
self.create_member(urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': BaseGroupTypes.AUTHORS},
username=self.author_user.username,
reverse_str='repo-members-user-group-detail')
self.assert_users_count(admins=1, authors=1)
# Repeating the same assignment has no effect
self.create_member(urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': BaseGroupTypes.AUTHORS},
username=self.author_user.username,
reverse_str='repo-members-user-group-detail')
self.assert_users_count(admins=1, authors=1)
# Assign curators group
self.create_member(urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': BaseGroupTypes.CURATORS},
username=self.curator_user.username,
reverse_str='repo-members-user-group-detail')
self.assert_users_count(admins=1, curators=1, authors=1)
# Assign admin group
self.create_member(
urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': BaseGroupTypes.ADMINISTRATORS},
username=self.admin_user2.username,
reverse_str='repo-members-user-group-detail')
self.assert_users_count(admins=2, curators=1, authors=1)
# Assign admin group to curator user (user can have multiple groups)
self.create_member(
urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': BaseGroupTypes.ADMINISTRATORS},
username=self.curator_user.username,
reverse_str='repo-members-user-group-detail')
self.assert_users_count(admins=3, curators=1, authors=1)
# Reset users configuration
self.remove_all_users_from_repo()
self.assert_users_count()
assign_user_to_repo_group(self.admin_user, self.repo,
GroupTypes.REPO_ADMINISTRATOR)
self.assert_users_count(admins=1)
# Second part: assign user to group
# Assign unexpected group will fail
self.create_member(urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': self.author_user.username},
group_type='foo',
expected_status=HTTP_404_NOT_FOUND)
# Assign real group to nonexistent user will fail
self.create_member(urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': '******'},
group_type=BaseGroupTypes.AUTHORS,
expected_status=HTTP_400_BAD_REQUEST)
# Assign user to authors group
self.create_member(urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': self.author_user.username},
group_type=BaseGroupTypes.AUTHORS,
reverse_str='repo-members-group-user-detail')
self.assert_users_count(admins=1, authors=1)
# Repeating the same assignment has no effect
self.create_member(urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': self.author_user.username},
group_type=BaseGroupTypes.AUTHORS,
reverse_str='repo-members-group-user-detail')
self.assert_users_count(admins=1, authors=1)
# Assign user to curators group
self.create_member(urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': self.curator_user.username},
group_type=BaseGroupTypes.CURATORS,
reverse_str='repo-members-group-user-detail')
self.assert_users_count(admins=1, curators=1, authors=1)
# Assign user to admins group
self.create_member(urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': self.admin_user2.username},
group_type=BaseGroupTypes.ADMINISTRATORS,
reverse_str='repo-members-group-user-detail')
self.assert_users_count(admins=2, curators=1, authors=1)
# Assign curator user to admin group (user can have multiple groups)
self.create_member(urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': self.curator_user.username},
group_type=BaseGroupTypes.ADMINISTRATORS,
reverse_str='repo-members-group-user-detail')
self.assert_users_count(admins=3, curators=1, authors=1)
def test_upload_with_permissions(self):
"""GET upload page with different user permissions"""
def check_user_no_permission():
"""
Helper function to check that the user has
no permission on the repo
"""
# user cannot see the repository page
self.assert_status_code(
self.repository_url_slug,
UNAUTHORIZED
)
# and cannot see the import page
self.assert_status_code(
self.import_url_slug,
UNAUTHORIZED
)
self.logout()
self.login(self.USERNAME_NO_REPO)
# user has no permissions at all
check_user_no_permission()
# user has author permissions
assign_user_to_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_AUTHOR
)
# user can see the repository page
self.assert_status_code(
self.repository_url_slug,
HTTP_OK
)
# but cannot see the import for the repo
self.assert_status_code(
self.import_url_slug,
UNAUTHORIZED
)
# user has no permissions
remove_user_from_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_AUTHOR
)
check_user_no_permission()
# user has curator permissions
assign_user_to_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_CURATOR
)
# user can see the repository page
self.assert_status_code(
self.repository_url_slug,
HTTP_OK
)
# and can see the the import for the repo
self.assert_status_code(
self.import_url_slug,
HTTP_OK
)
# remove curator permissions
remove_user_from_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_CURATOR
)
check_user_no_permission()
# user has admin permissions
assign_user_to_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_ADMINISTRATOR
)
# user can see the repository page
self.assert_status_code(
self.repository_url_slug,
HTTP_OK
)
# and can see the the import for the repo
self.assert_status_code(
self.import_url_slug,
HTTP_OK
)
def test_members_create(self):
"""
Members POST
Testing only using an administrator used logged in.
All the other kind of users don't have permissions to handle users.
(tests for other users in rest_test_authorization.py)
"""
# No users in the repo
self.assert_users_count()
# One user must be admin.
assign_user_to_repo_group(
self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
self.assert_users_count(admins=1)
self.login(self.admin_user.username)
# First part: assign group to user
# Assign unexpected group will fail
self.create_member(
urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': 'foo'},
username=self.author_user.username,
expected_status=HTTP_400_BAD_REQUEST
)
# Assign real group to nonexistent user will fail
self.create_member(
urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': GroupTypes.REPO_ADMINISTRATOR},
username='******',
expected_status=HTTP_404_NOT_FOUND
)
# Assign authors group
self.create_member(
urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': BaseGroupTypes.AUTHORS},
username=self.author_user.username,
reverse_str='repo-members-user-group-detail'
)
self.assert_users_count(admins=1, authors=1)
# Repeating the same assignment has no effect
self.create_member(
urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': BaseGroupTypes.AUTHORS},
username=self.author_user.username,
reverse_str='repo-members-user-group-detail'
)
self.assert_users_count(admins=1, authors=1)
# Assign curators group
self.create_member(
urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': BaseGroupTypes.CURATORS},
username=self.curator_user.username,
reverse_str='repo-members-user-group-detail'
)
self.assert_users_count(admins=1, curators=1, authors=1)
# Assign admin group
self.create_member(
urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': BaseGroupTypes.ADMINISTRATORS},
username=self.admin_user2.username,
reverse_str='repo-members-user-group-detail'
)
self.assert_users_count(admins=2, curators=1, authors=1)
# Assign admin group to curator user (user can have multiple groups)
self.create_member(
urlfor='users',
repo_slug=self.repo.slug,
mem_dict={'group_type': BaseGroupTypes.ADMINISTRATORS},
username=self.curator_user.username,
reverse_str='repo-members-user-group-detail'
)
self.assert_users_count(admins=3, curators=1, authors=1)
# Reset users configuration
self.remove_all_users_from_repo()
self.assert_users_count()
assign_user_to_repo_group(
self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
self.assert_users_count(admins=1)
# Second part: assign user to group
# Assign unexpected group will fail
self.create_member(
urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': self.author_user.username},
group_type='foo',
expected_status=HTTP_404_NOT_FOUND
)
# Assign real group to nonexistent user will fail
self.create_member(
urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': '******'},
group_type=BaseGroupTypes.AUTHORS,
expected_status=HTTP_400_BAD_REQUEST
)
# Assign user to authors group
self.create_member(
urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': self.author_user.username},
group_type=BaseGroupTypes.AUTHORS,
reverse_str='repo-members-group-user-detail'
)
self.assert_users_count(admins=1, authors=1)
# Repeating the same assignment has no effect
self.create_member(
urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': self.author_user.username},
group_type=BaseGroupTypes.AUTHORS,
reverse_str='repo-members-group-user-detail'
)
self.assert_users_count(admins=1, authors=1)
# Assign user to curators group
self.create_member(
urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': self.curator_user.username},
group_type=BaseGroupTypes.CURATORS,
reverse_str='repo-members-group-user-detail'
)
self.assert_users_count(admins=1, curators=1, authors=1)
# Assign user to admins group
self.create_member(
urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': self.admin_user2.username},
group_type=BaseGroupTypes.ADMINISTRATORS,
reverse_str='repo-members-group-user-detail'
)
self.assert_users_count(admins=2, curators=1, authors=1)
# Assign curator user to admin group (user can have multiple groups)
self.create_member(
urlfor='groups',
repo_slug=self.repo.slug,
mem_dict={'username': self.curator_user.username},
group_type=BaseGroupTypes.ADMINISTRATORS,
reverse_str='repo-members-group-user-detail'
)
self.assert_users_count(admins=3, curators=1, authors=1)
def test_list_users_in_repo_no_base_group_type_specified(self):
"""
Test for list_users_in_repo
"""
self.assertListEqual(
api.list_users_in_repo(self.repo),
[
UserGroup(self.user.username, BaseGroupTypes.ADMINISTRATORS)
]
)
# Remove the user from the administrators.
api.remove_user_from_repo_group(
self.user,
self.repo,
GroupTypes.REPO_ADMINISTRATOR
)
# No users in the repo.
self.assertListEqual(
api.list_users_in_repo(self.repo),
[]
)
# Add user to the curators.
api.assign_user_to_repo_group(
self.user,
self.repo,
GroupTypes.REPO_CURATOR
)
self.assertListEqual(
api.list_users_in_repo(self.repo),
[
UserGroup(self.user.username, BaseGroupTypes.CURATORS)
]
)
# Add user back to the administrators.
api.assign_user_to_repo_group(
self.user,
self.repo,
GroupTypes.REPO_ADMINISTRATOR
)
self.assertListEqual(
self.sort_user_group(
api.list_users_in_repo(self.repo)
),
self.sort_user_group(
[
UserGroup(
self.user.username,
BaseGroupTypes.ADMINISTRATORS
),
UserGroup(
self.user.username,
BaseGroupTypes.CURATORS
)
]
)
)
# Add another user to the authors.
api.assign_user_to_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_AUTHOR
)
self.assertListEqual(
self.sort_user_group(
api.list_users_in_repo(self.repo)
),
self.sort_user_group(
[
UserGroup(
self.user.username,
BaseGroupTypes.ADMINISTRATORS
),
UserGroup(
self.user.username,
BaseGroupTypes.CURATORS
),
UserGroup(
self.user_norepo.username,
BaseGroupTypes.AUTHORS
)
]
)
)
# Adding again the same user in the same group
# will not create multiple instances.
api.assign_user_to_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_AUTHOR
)
self.assertListEqual(
self.sort_user_group(
api.list_users_in_repo(self.repo)
),
self.sort_user_group(
[
UserGroup(
self.user.username,
BaseGroupTypes.ADMINISTRATORS
),
UserGroup(
self.user.username,
BaseGroupTypes.CURATORS
),
UserGroup(
self.user_norepo.username,
BaseGroupTypes.AUTHORS
)
]
)
)
def test_members_delete(self):
"""
Members DELETE
Testing only using an administrator used logged in.
All the other kind of users don't have permissions to handle users.
(tests for other users in rest_test_authorization.py)
"""
# No users in the repo
self.assert_users_count()
# Populate repo groups.
self.add_users_to_repo()
# Add extra administrator
assign_user_to_repo_group(
self.admin_user2, self.repo, GroupTypes.REPO_ADMINISTRATOR)
self.assert_users_count(admins=2, curators=1, authors=1)
self.login(self.admin_user2)
# First part: delete group from user
# Delete authors group
self.delete_member(
urlfor='users',
repo_slug=self.repo.slug,
username=self.author_user.username,
group_type=BaseGroupTypes.AUTHORS,
)
self.assert_users_count(admins=2, curators=1)
# Delete curators group
self.delete_member(
urlfor='users',
repo_slug=self.repo.slug,
username=self.curator_user.username,
group_type=BaseGroupTypes.CURATORS,
)
self.assert_users_count(admins=2)
# Delete administrators group
self.delete_member(
urlfor='users',
repo_slug=self.repo.slug,
username=self.admin_user.username,
group_type=BaseGroupTypes.ADMINISTRATORS,
)
self.assert_users_count(admins=1)
# Trying to delete the last of administrators group will fail
self.delete_member(
urlfor='users',
repo_slug=self.repo.slug,
username=self.admin_user2.username,
group_type=BaseGroupTypes.ADMINISTRATORS,
expected_status=HTTP_400_BAD_REQUEST
)
self.assert_users_count(admins=1)
# Add back second admin
assign_user_to_repo_group(
self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
self.assert_users_count(admins=2)
# Admin is able to delete self if there is another admin
self.delete_member(
urlfor='users',
repo_slug=self.repo.slug,
username=self.admin_user2.username,
group_type=BaseGroupTypes.ADMINISTRATORS
)
self.assert_users_count(admins=1)
# Reset users configuration
# Populate repo groups.
self.add_users_to_repo()
# Add extra administrator
assign_user_to_repo_group(
self.admin_user2, self.repo, GroupTypes.REPO_ADMINISTRATOR)
self.assert_users_count(admins=2, curators=1, authors=1)
# Second part: delete user from group
# Delete user from authors group
self.delete_member(
urlfor='groups',
repo_slug=self.repo.slug,
username=self.author_user.username,
group_type=BaseGroupTypes.AUTHORS,
)
self.assert_users_count(admins=2, curators=1)
# Delete user from curators group
self.delete_member(
urlfor='groups',
repo_slug=self.repo.slug,
username=self.curator_user.username,
group_type=BaseGroupTypes.CURATORS,
)
self.assert_users_count(admins=2)
# Delete user from administrators group
self.delete_member(
urlfor='groups',
repo_slug=self.repo.slug,
username=self.admin_user.username,
group_type=BaseGroupTypes.ADMINISTRATORS,
)
self.assert_users_count(admins=1)
# Trying to delete the last of administrators group will fail
self.delete_member(
urlfor='groups',
repo_slug=self.repo.slug,
username=self.admin_user2.username,
group_type=BaseGroupTypes.ADMINISTRATORS,
expected_status=HTTP_400_BAD_REQUEST
)
self.assert_users_count(admins=1)
# Add back second admin
assign_user_to_repo_group(
self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
self.assert_users_count(admins=2)
# Admin is able to delete self if there is another admin
self.delete_member(
urlfor='groups',
repo_slug=self.repo.slug,
username=self.admin_user2.username,
group_type=BaseGroupTypes.ADMINISTRATORS
)
self.assert_users_count(admins=1)
def test_learning_resource_exports(self):
"""Test for creating LearningResource ids in session shopping cart."""
# set up our data
self.logout()
self.login(self.add_repo_user)
repo_slug1 = self.repo.slug
repo_slug2 = self.create_repository()['slug']
repo2 = Repository.objects.get(slug=repo_slug2)
# 'add_repo_user' will be able to see both repos
assign_user_to_repo_group(
self.add_repo_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
self.import_course_tarball(repo2)
repo1_lrid1 = get_resources(self.repo.id).all()[0].id
repo2_lrid1 = get_resources(repo2.id).all()[0].id
repo2_lrid2 = get_resources(repo2.id).all()[1].id
self.logout()
self.login(self.user)
# make sure we start with an empty shopping cart
self.assertEqual([],
self.get_learning_resource_exports(
repo_slug1)['results'])
self.create_learning_resource_export(self.repo.slug, {
'id': repo1_lrid1
})
self.assertEqual([{'id': repo1_lrid1}],
self.get_learning_resource_exports(
repo_slug1)['results'])
# user doesn't have access to repo2
self.get_learning_resource_exports(
repo_slug2, expected_status=HTTP_403_FORBIDDEN)
self.logout()
self.login(self.add_repo_user)
# make sure that session is not shared between users
# user has an id in repo1 but add_repo_user does not
self.assertEqual([], self.get_learning_resource_exports(
repo_slug1
)['results'])
# don't store duplicates
self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1})
self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1})
self.assertEqual(
[{"id": repo1_lrid1}],
self.get_learning_resource_exports(
repo_slug1
)['results'])
# make sure export ids are confined to their own repos
self.create_learning_resource_export(repo_slug2, {
'id': repo2_lrid1
})
# not affected by POST in previous line
self.assertEqual([{'id': repo1_lrid1}],
self.get_learning_resource_exports(
repo_slug1)['results'])
# contains the new item
self.assertEqual([{'id': repo2_lrid1}],
self.get_learning_resource_exports(
repo_slug2)['results'])
# make sure we can't add export ids that don't belong to the repo
self.create_learning_resource_export(repo_slug1, {
'id': repo2_lrid1
}, expected_status=HTTP_403_FORBIDDEN)
# make sure detail view will 404 if out of bounds
self.assertEqual(repo1_lrid1, self.get_learning_resource_export(
repo_slug1, repo1_lrid1)['id'])
self.get_learning_resource_export(
repo_slug1, repo2_lrid1,
expected_status=HTTP_404_NOT_FOUND)
self.get_learning_resource_export(
repo_slug2, repo1_lrid1,
expected_status=HTTP_404_NOT_FOUND)
self.assertEqual(repo2_lrid1, self.get_learning_resource_export(
repo_slug2, repo2_lrid1)['id'])
self.create_learning_resource_export(repo_slug2, {"id": repo2_lrid1})
self.create_learning_resource_export(repo_slug2, {"id": repo2_lrid2})
# finally, delete all of the things
self.assertEqual(
2, self.get_learning_resource_exports(repo_slug2)['count'])
self.delete_learning_resource_exports(repo_slug2)
self.assertEqual(
0, self.get_learning_resource_exports(repo_slug2)['count'])
# make sure deleting an empty list doesn't cause problems
self.delete_learning_resource_exports(repo_slug2)
self.assertEqual(
0, self.get_learning_resource_exports(repo_slug2)['count'])
# repo1 is unaffected
self.assertEqual(
1, self.get_learning_resource_exports(repo_slug1)['count'])
self.delete_learning_resource_export(repo_slug1, repo1_lrid1)
self.get_learning_resource_export(
repo_slug1, repo1_lrid1, expected_status=HTTP_404_NOT_FOUND)
self.logout()
self.login(self.user)
# Populate shopping cart one more time.
self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1})
self.logout()
self.login(self.user)
# After logout and login session was cleared
self.assertEqual(
0, self.get_learning_resource_exports(repo_slug1)['count'])
def test_members_get(self):
"""
Tests for members.
Get requests: an user can see members if has at least basic permissions
"""
# add an user to all groups
for group_type in [
GroupTypes.REPO_ADMINISTRATOR, GroupTypes.REPO_CURATOR,
GroupTypes.REPO_AUTHOR
]:
assign_user_to_repo_group(self.user, self.repo, group_type)
self.logout()
# as anonymous
self.get_members(urlfor='base',
repo_slug=self.repo.slug,
expected_status=HTTP_403_FORBIDDEN)
# list of all groups for an user
self.get_members(urlfor='users',
repo_slug=self.repo.slug,
username=self.user.username,
expected_status=HTTP_403_FORBIDDEN)
for group_type in BaseGroupTypes.all_base_groups():
# specific group for an user
self.get_members(urlfor='users',
repo_slug=self.repo.slug,
username=self.user.username,
group_type=group_type,
expected_status=HTTP_403_FORBIDDEN)
# list of all users for a group
self.get_members(urlfor='groups',
repo_slug=self.repo.slug,
group_type=group_type,
expected_status=HTTP_403_FORBIDDEN)
# specific user for a group
self.get_members(urlfor='groups',
repo_slug=self.repo.slug,
username=self.user.username,
group_type=group_type,
expected_status=HTTP_403_FORBIDDEN)
# any kind of user in the repo groups can retrieve infos
for user in [
self.author_user.username, self.curator_user.username,
self.user.username
]:
self.logout()
self.login(user)
# list of all groups for an user
self.get_members(urlfor='base', repo_slug=self.repo.slug)
# specific group for an user
self.get_members(urlfor='users',
repo_slug=self.repo.slug,
username=self.user.username)
for group_type in BaseGroupTypes.all_base_groups():
self.get_members(urlfor='users',
repo_slug=self.repo.slug,
username=self.user.username,
group_type=group_type)
# list of all users for a group
self.get_members(urlfor='groups',
repo_slug=self.repo.slug,
group_type=group_type)
# specific user for a group
self.get_members(urlfor='groups',
repo_slug=self.repo.slug,
username=self.user.username,
group_type=group_type)
def test_learning_resource_exports(self):
"""Test for creating LearningResource ids in session shopping cart."""
# set up our data
self.logout()
self.login(self.add_repo_user)
repo_slug1 = self.repo.slug
repo_slug2 = self.create_repository()['slug']
repo2 = Repository.objects.get(slug=repo_slug2)
# 'add_repo_user' will be able to see both repos
assign_user_to_repo_group(
self.add_repo_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
self.import_course_tarball(repo2)
repo1_lrid1 = get_resources(self.repo.id).all()[0].id
repo2_lrid1 = get_resources(repo2.id).all()[0].id
repo2_lrid2 = get_resources(repo2.id).all()[1].id
self.logout()
self.login(self.user)
# make sure we start with an empty shopping cart
self.assertEqual([],
self.get_learning_resource_exports(
repo_slug1)['results'])
self.create_learning_resource_export(self.repo.slug, {
'id': repo1_lrid1
})
self.assertEqual([{'id': repo1_lrid1}],
self.get_learning_resource_exports(
repo_slug1)['results'])
# user doesn't have access to repo2
self.get_learning_resource_exports(
repo_slug2, expected_status=HTTP_403_FORBIDDEN)
self.logout()
self.login(self.add_repo_user)
# make sure that session is not shared between users
# user has an id in repo1 but add_repo_user does not
self.assertEqual([], self.get_learning_resource_exports(
repo_slug1
)['results'])
# don't store duplicates
self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1})
self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1})
self.assertEqual(
[{"id": repo1_lrid1}],
self.get_learning_resource_exports(
repo_slug1
)['results'])
# make sure export ids are confined to their own repos
self.create_learning_resource_export(repo_slug2, {
'id': repo2_lrid1
})
# not affected by POST in previous line
self.assertEqual([{'id': repo1_lrid1}],
self.get_learning_resource_exports(
repo_slug1)['results'])
# contains the new item
self.assertEqual([{'id': repo2_lrid1}],
self.get_learning_resource_exports(
repo_slug2)['results'])
# make sure we can't add export ids that don't belong to the repo
self.create_learning_resource_export(repo_slug1, {
'id': repo2_lrid1
}, expected_status=HTTP_403_FORBIDDEN)
# make sure detail view will 404 if out of bounds
self.assertEqual(repo1_lrid1, self.get_learning_resource_export(
repo_slug1, repo1_lrid1)['id'])
self.get_learning_resource_export(
repo_slug1, repo2_lrid1,
expected_status=HTTP_404_NOT_FOUND)
self.get_learning_resource_export(
repo_slug2, repo1_lrid1,
expected_status=HTTP_404_NOT_FOUND)
self.assertEqual(repo2_lrid1, self.get_learning_resource_export(
repo_slug2, repo2_lrid1)['id'])
self.create_learning_resource_export(repo_slug2, {"id": repo2_lrid1})
self.create_learning_resource_export(repo_slug2, {"id": repo2_lrid2})
# finally, delete all of the things
self.assertEqual(
2, self.get_learning_resource_exports(repo_slug2)['count'])
self.delete_learning_resource_exports(repo_slug2)
self.assertEqual(
0, self.get_learning_resource_exports(repo_slug2)['count'])
# make sure deleting an empty list doesn't cause problems
self.delete_learning_resource_exports(repo_slug2)
self.assertEqual(
0, self.get_learning_resource_exports(repo_slug2)['count'])
# repo1 is unaffected
self.assertEqual(
1, self.get_learning_resource_exports(repo_slug1)['count'])
self.delete_learning_resource_export(repo_slug1, repo1_lrid1)
self.get_learning_resource_export(
repo_slug1, repo1_lrid1, expected_status=HTTP_404_NOT_FOUND)
self.logout()
self.login(self.user)
# Populate shopping cart one more time.
self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1})
self.logout()
self.login(self.user)
# After logout and login session was cleared
self.assertEqual(
0, self.get_learning_resource_exports(repo_slug1)['count'])
def test_listing_importcourse_perms(self):
"""
Tests the listing page with different user permissions
to check who can see the import course html
"""
self.logout()
self.login(self.USERNAME_NO_REPO)
# user has no permissions at all
self.assert_status_code(
self.repository_url,
UNAUTHORIZED
)
# user has author permissions and cannot see the import for the repo
assign_user_to_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_AUTHOR
)
body = self.assert_status_code(
self.repository_url,
HTTP_OK,
return_body=True
)
self.assertFalse("Import Course</a>" in body)
# user has no permissions
remove_user_from_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_AUTHOR
)
self.assert_status_code(
self.repository_url,
UNAUTHORIZED
)
# user has curator permissions and can see the the import for the repo
assign_user_to_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_CURATOR
)
body = self.assert_status_code(
self.repository_url,
HTTP_OK,
return_body=True
)
self.assertTrue("Import Course</a>" in body)
# user has no permissions
remove_user_from_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_CURATOR
)
self.assert_status_code(
self.repository_url,
UNAUTHORIZED
)
# user has admin permissions and can see the the import for the repo
assign_user_to_repo_group(
self.user_norepo,
self.repo,
GroupTypes.REPO_ADMINISTRATOR
)
body = self.assert_status_code(
self.repository_url,
HTTP_OK,
return_body=True
)
self.assertTrue("Import Course</a>" in body)
