Exemplo n.º 1
0
    def setUp(self):
        super(RESTAuthTestCase, self).setUp()

        # add_repo_user is another user with add_repo permission but who
        # does not have access to self.repo
        self.add_repo_user = User.objects.create_user(
            username="******", password=self.PASSWORD
        )
        add_repo_perm = Permission.objects.get(codename=self.ADD_REPO_PERM)
        self.add_repo_user.user_permissions.add(add_repo_perm)

        # curator_user doesn't have add_repo but have view_repo permission on
        # self.repo
        self.curator_user = User.objects.create_user(
            username="******", password=self.PASSWORD
        )
        assign_user_to_repo_group(
            self.curator_user, self.repo, GroupTypes.REPO_CURATOR)

        # author_user doesn't have manage_taxonomy permission
        self.author_user = User.objects.create_user(
            username="******", password=self.PASSWORD
        )
        assign_user_to_repo_group(
            self.author_user, self.repo, GroupTypes.REPO_AUTHOR
        )
Exemplo n.º 2
0
    def test_members_get(self):
        """
        Tests for members.
        Get requests: an user can see members if has at least basic permissions
        """
        # add an user to all groups
        for group_type in [GroupTypes.REPO_ADMINISTRATOR,
                           GroupTypes.REPO_CURATOR, GroupTypes.REPO_AUTHOR]:
            assign_user_to_repo_group(
                self.user, self.repo, group_type)

        self.logout()
        # as anonymous
        self.get_members(urlfor='base', repo_slug=self.repo.slug,
                         expected_status=HTTP_403_FORBIDDEN)
        # list of all groups for an user
        self.get_members(urlfor='users', repo_slug=self.repo.slug,
                         username=self.user.username,
                         expected_status=HTTP_403_FORBIDDEN)
        for group_type in BaseGroupTypes.all_base_groups():
            # specific group for an user
            self.get_members(urlfor='users', repo_slug=self.repo.slug,
                             username=self.user.username,
                             group_type=group_type,
                             expected_status=HTTP_403_FORBIDDEN)
            # list of all users for a group
            self.get_members(urlfor='groups', repo_slug=self.repo.slug,
                             group_type=group_type,
                             expected_status=HTTP_403_FORBIDDEN)
            # specific user for a group
            self.get_members(urlfor='groups', repo_slug=self.repo.slug,
                             username=self.user.username,
                             group_type=group_type,
                             expected_status=HTTP_403_FORBIDDEN)

        # any kind of user in the repo groups can retrieve infos
        for user in [self.author_user.username, self.curator_user.username,
                     self.user.username]:
            self.logout()
            self.login(user)
            # list of all groups for an user
            self.get_members(urlfor='base', repo_slug=self.repo.slug)
            # specific group for an user
            self.get_members(urlfor='users', repo_slug=self.repo.slug,
                             username=self.user.username)
            for group_type in BaseGroupTypes.all_base_groups():
                self.get_members(urlfor='users', repo_slug=self.repo.slug,
                                 username=self.user.username,
                                 group_type=group_type)
                # list of all users for a group
                self.get_members(urlfor='groups', repo_slug=self.repo.slug,
                                 group_type=group_type)
                # specific user for a group
                self.get_members(urlfor='groups', repo_slug=self.repo.slug,
                                 username=self.user.username,
                                 group_type=group_type)
Exemplo n.º 3
0
 def perform_create(self, serializer):
     """Add a group for a user."""
     # Validate the incoming data
     serializer.is_valid(raise_exception=True)
     # Get the user
     username = self.kwargs.get('username')
     user = User.objects.get(username=username)
     # Get the repo group type
     group_type = serializer.data.get('group_type')
     repo_group_type = GroupTypes.get_repo_groupname_by_base(group_type)
     # Get the repo object
     repo = Repository.objects.get(slug=self.kwargs['repo_slug'])
     assign_user_to_repo_group(user, repo, repo_group_type)
Exemplo n.º 4
0
    def test_single_repo(self):
        """
        Search should only return records for one repository
        at a time.
        """
        resp = self.client.get(reverse("repositories", args=(self.repo.slug,)))
        self.assertContains(resp, self.resource.title)

        # Make a new repo with no content.
        new_repo = create_repo("other", "whatever", self.user.id)
        assign_user_to_repo_group(
            self.user,
            new_repo,
            GroupTypes.REPO_ADMINISTRATOR
        )
        resp = self.client.get(reverse("repositories", args=(new_repo.slug,)))
        self.assertNotContains(resp, self.resource.title)
Exemplo n.º 5
0
Arquivo: base.py Projeto: jetej/lore
    def setUp(self):
        """set up"""
        super(LoreTestCase, self).setUp()
        self.user = User.objects.create_user(
            username=self.USERNAME, password=self.PASSWORD
        )
        add_repo_perm = Permission.objects.get(codename=self.ADD_REPO_PERM)
        self.user.user_permissions.add(add_repo_perm)
        # user without permission to add a repo
        self.user_norepo = User.objects.create_user(
            username=self.USERNAME_NO_REPO, password=self.PASSWORD
        )

        self.repo = create_repo(
            name="test repo",
            description="just a test",
            user_id=self.user.id,
        )
        self.course = create_course(
            org="test-org",
            repo_id=self.repo.id,
            course_number="infinity",
            run="Febtober",
            user_id=self.user.id,
        )
        self.resource = self.create_resource(
            course=self.course,
            parent=None,
            resource_type="example",
            title="silly example",
            content_xml="<blah>blah</blah>",
            mpath="/blah",
            url_name="url_name1",
        )

        assign_user_to_repo_group(
            self.user,
            self.repo,
            GroupTypes.REPO_ADMINISTRATOR
        )
        self.toy_resource_count = 18  # Resources in toy course.
        self.toy_asset_count = 5  # Static assets in toy course.
        self.client = Client()

        self.login(username=self.USERNAME)
Exemplo n.º 6
0
def add_creator_permission(sender, **kwargs):
    """
    Give the creator of a repository admin permissions
    over that repository.
    """
    from roles.api import assign_user_to_repo_group, roles_init_new_repo
    from roles.permissions import GroupTypes
    instance = kwargs.pop("instance", None)
    if not kwargs["created"]:
        return
    if not isinstance(instance, Repository):
        return
    roles_init_new_repo(instance)
    assign_user_to_repo_group(
        instance.created_by,
        instance,
        GroupTypes.REPO_ADMINISTRATOR,
    )
Exemplo n.º 7
0
def create_repo(request):
    """
    Create a new repository.
    """
    form = RepositoryForm()
    if request.method == "POST":
        form = RepositoryForm(data=request.POST)
        if form.is_valid():
            repo = form.save(request.user)
            assign_user_to_repo_group(
                request.user,
                repo,
                GroupTypes.REPO_ADMINISTRATOR
            )
            return redirect(reverse("repositories", args=(repo.slug,)))
    return render(
        request,
        "create_repo.html",
        {"form": form},
    )
Exemplo n.º 8
0
    def setUp(self):
        super(RESTAuthTestCase, self).setUp()

        # add_repo_user is another user with add_repo permission but who
        # does not have access to self.repo
        self.add_repo_user = User.objects.create_user(username="******",
                                                      password=self.PASSWORD)
        add_repo_perm = Permission.objects.get(codename=self.ADD_REPO_PERM)
        self.add_repo_user.user_permissions.add(add_repo_perm)

        # curator_user doesn't have add_repo but have view_repo permission on
        # self.repo
        self.curator_user = User.objects.create_user(username="******",
                                                     password=self.PASSWORD)
        assign_user_to_repo_group(self.curator_user, self.repo,
                                  GroupTypes.REPO_CURATOR)

        # author_user doesn't have manage_taxonomy permission
        self.author_user = User.objects.create_user(username="******",
                                                    password=self.PASSWORD)
        assign_user_to_repo_group(self.author_user, self.repo,
                                  GroupTypes.REPO_AUTHOR)
Exemplo n.º 9
0
    def test_assign_user_group_2(self):
        """
        Test for api.assign_user_to_repo_group
        """
        repo = Repository.objects.create(
            name=self.repo_name,
            description=self.repo_desc,
            created_by=self.user
        )
        admin = Group.objects.get(name=self.group_admin)
        curator = Group.objects.get(name=self.group_curator)
        author = Group.objects.get(name=self.group_author)

        self.assertIn(self.user, admin.user_set.all())
        self.assertNotIn(self.user, curator.user_set.all())
        self.assertNotIn(self.user, author.user_set.all())
        admin.user_set.clear()

        api.assign_user_to_repo_group(
            self.user,
            repo,
            group_type=GroupTypes.REPO_CURATOR
        )
        self.assertNotIn(self.user, admin.user_set.all())
        self.assertIn(self.user, curator.user_set.all())
        self.assertNotIn(self.user, author.user_set.all())
        curator.user_set.clear()

        api.assign_user_to_repo_group(
            self.user,
            repo,
            group_type=GroupTypes.REPO_AUTHOR
        )
        self.assertNotIn(self.user, admin.user_set.all())
        self.assertNotIn(self.user, curator.user_set.all())
        self.assertIn(self.user, author.user_set.all())
        author.user_set.clear()
Exemplo n.º 10
0
 def test_is_last_admin_in_repo(self):
     """
     Test for is_last_admin_in_repo
     """
     # By default the repo creator is also administrator
     self.assertTrue(
         api.is_last_admin_in_repo(self.user, self.repo)
     )
     # Add another user to the administrators.
     api.assign_user_to_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_ADMINISTRATOR
     )
     self.assertFalse(
         api.is_last_admin_in_repo(self.user, self.repo)
     )
     # Remove the first user from the administrators.
     api.remove_user_from_repo_group(
         self.user,
         self.repo,
         GroupTypes.REPO_ADMINISTRATOR
     )
     # Add user to the curators.
     api.assign_user_to_repo_group(
         self.user,
         self.repo,
         GroupTypes.REPO_CURATOR
     )
     # The user is not the last of the admins because he is not admin
     self.assertFalse(
         api.is_last_admin_in_repo(self.user, self.repo)
     )
     # The other user is indeed the last admin
     self.assertTrue(
         api.is_last_admin_in_repo(self.user_norepo, self.repo)
     )
Exemplo n.º 11
0
 def add_users_to_repo(self):
     """
     Helper function to add some users to the repository groups.
     """
     # add only 3 users to 3 different groups
     assign_user_to_repo_group(
         self.author_user, self.repo, GroupTypes.REPO_AUTHOR)
     assign_user_to_repo_group(
         self.curator_user, self.repo, GroupTypes.REPO_CURATOR)
     assign_user_to_repo_group(
         self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
Exemplo n.º 12
0
 def add_users_to_repo(self):
     """
     Helper function to add some users to the repository groups.
     """
     # add only 3 users to 3 different groups
     assign_user_to_repo_group(self.author_user, self.repo,
                               GroupTypes.REPO_AUTHOR)
     assign_user_to_repo_group(self.curator_user, self.repo,
                               GroupTypes.REPO_CURATOR)
     assign_user_to_repo_group(self.admin_user, self.repo,
                               GroupTypes.REPO_ADMINISTRATOR)
Exemplo n.º 13
0
    def test_upload_with_permissions(self):
        """GET upload page with different user permissions"""
        def check_user_no_permission():
            """
            Helper function to check that the user has
            no permission on the repo
            """
            # user cannot see the repository page
            self.assert_status_code(self.repository_url_slug, UNAUTHORIZED)
            # and cannot see the import page
            self.assert_status_code(self.import_url_slug, UNAUTHORIZED)

        self.logout()
        self.login(self.USERNAME_NO_REPO)
        # user has no permissions at all
        check_user_no_permission()
        # user has author permissions
        assign_user_to_repo_group(self.user_norepo, self.repo,
                                  GroupTypes.REPO_AUTHOR)
        # user can see the repository page
        self.assert_status_code(self.repository_url_slug, HTTP_OK)
        # but cannot see the import for the repo
        self.assert_status_code(self.import_url_slug, UNAUTHORIZED)
        # user has no permissions
        remove_user_from_repo_group(self.user_norepo, self.repo,
                                    GroupTypes.REPO_AUTHOR)
        check_user_no_permission()
        # user has curator permissions
        assign_user_to_repo_group(self.user_norepo, self.repo,
                                  GroupTypes.REPO_CURATOR)
        # user can see the repository page
        self.assert_status_code(self.repository_url_slug, HTTP_OK)
        # and can see the the import for the repo
        self.assert_status_code(self.import_url_slug, HTTP_OK)
        # remove curator permissions
        remove_user_from_repo_group(self.user_norepo, self.repo,
                                    GroupTypes.REPO_CURATOR)
        check_user_no_permission()
        # user has admin permissions
        assign_user_to_repo_group(self.user_norepo, self.repo,
                                  GroupTypes.REPO_ADMINISTRATOR)
        # user can see the repository page
        self.assert_status_code(self.repository_url_slug, HTTP_OK)
        # and can see the the import for the repo
        self.assert_status_code(self.import_url_slug, HTTP_OK)
Exemplo n.º 14
0
 def test_listing_importcourse_perms(self):
     """
     Tests the listing page with different user permissions
     to check who can see the import course html
     """
     self.logout()
     self.login(self.USERNAME_NO_REPO)
     # user has no permissions at all
     self.assert_status_code(self.repository_url, UNAUTHORIZED)
     # user has author permissions and cannot see the import for the repo
     assign_user_to_repo_group(self.user_norepo, self.repo,
                               GroupTypes.REPO_AUTHOR)
     body = self.assert_status_code(self.repository_url,
                                    HTTP_OK,
                                    return_body=True)
     self.assertFalse("Import Course</a>" in body)
     # user has no permissions
     remove_user_from_repo_group(self.user_norepo, self.repo,
                                 GroupTypes.REPO_AUTHOR)
     self.assert_status_code(self.repository_url, UNAUTHORIZED)
     # user has curator permissions and can see the the import for the repo
     assign_user_to_repo_group(self.user_norepo, self.repo,
                               GroupTypes.REPO_CURATOR)
     body = self.assert_status_code(self.repository_url,
                                    HTTP_OK,
                                    return_body=True)
     self.assertTrue("Import Course</a>" in body)
     # user has no permissions
     remove_user_from_repo_group(self.user_norepo, self.repo,
                                 GroupTypes.REPO_CURATOR)
     self.assert_status_code(self.repository_url, UNAUTHORIZED)
     # user has admin permissions and can see the the import for the repo
     assign_user_to_repo_group(self.user_norepo, self.repo,
                               GroupTypes.REPO_ADMINISTRATOR)
     body = self.assert_status_code(self.repository_url,
                                    HTTP_OK,
                                    return_body=True)
     self.assertTrue("Import Course</a>" in body)
Exemplo n.º 15
0
    def test_members_delete(self):
        """
        Members DELETE
        Testing only using an administrator used logged in.
        All the other kind of users don't have permissions to handle users.
        (tests for other users in rest_test_authorization.py)
        """
        # No users in the repo
        self.assert_users_count()
        # Populate repo groups.
        self.add_users_to_repo()
        # Add extra administrator
        assign_user_to_repo_group(self.admin_user2, self.repo,
                                  GroupTypes.REPO_ADMINISTRATOR)
        self.assert_users_count(admins=2, curators=1, authors=1)
        self.login(self.admin_user2)

        # First part: delete group from user
        # Delete authors group
        self.delete_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            username=self.author_user.username,
            group_type=BaseGroupTypes.AUTHORS,
        )
        self.assert_users_count(admins=2, curators=1)
        # Delete curators group
        self.delete_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            username=self.curator_user.username,
            group_type=BaseGroupTypes.CURATORS,
        )
        self.assert_users_count(admins=2)
        # Delete administrators group
        self.delete_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            username=self.admin_user.username,
            group_type=BaseGroupTypes.ADMINISTRATORS,
        )
        self.assert_users_count(admins=1)
        # Trying to delete the last of administrators group will fail
        self.delete_member(urlfor='users',
                           repo_slug=self.repo.slug,
                           username=self.admin_user2.username,
                           group_type=BaseGroupTypes.ADMINISTRATORS,
                           expected_status=HTTP_400_BAD_REQUEST)
        self.assert_users_count(admins=1)
        # Add back second admin
        assign_user_to_repo_group(self.admin_user, self.repo,
                                  GroupTypes.REPO_ADMINISTRATOR)
        self.assert_users_count(admins=2)
        # Admin is able to delete self if there is another admin
        self.delete_member(urlfor='users',
                           repo_slug=self.repo.slug,
                           username=self.admin_user2.username,
                           group_type=BaseGroupTypes.ADMINISTRATORS)
        self.assert_users_count(admins=1)

        # Reset users configuration
        # Populate repo groups.
        self.add_users_to_repo()
        # Add extra administrator
        assign_user_to_repo_group(self.admin_user2, self.repo,
                                  GroupTypes.REPO_ADMINISTRATOR)
        self.assert_users_count(admins=2, curators=1, authors=1)

        # Second part: delete user from group
        # Delete user from authors group
        self.delete_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            username=self.author_user.username,
            group_type=BaseGroupTypes.AUTHORS,
        )
        self.assert_users_count(admins=2, curators=1)
        # Delete user from curators group
        self.delete_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            username=self.curator_user.username,
            group_type=BaseGroupTypes.CURATORS,
        )
        self.assert_users_count(admins=2)
        # Delete user from administrators group
        self.delete_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            username=self.admin_user.username,
            group_type=BaseGroupTypes.ADMINISTRATORS,
        )
        self.assert_users_count(admins=1)
        # Trying to delete the last of administrators group will fail
        self.delete_member(urlfor='groups',
                           repo_slug=self.repo.slug,
                           username=self.admin_user2.username,
                           group_type=BaseGroupTypes.ADMINISTRATORS,
                           expected_status=HTTP_400_BAD_REQUEST)
        self.assert_users_count(admins=1)
        # Add back second admin
        assign_user_to_repo_group(self.admin_user, self.repo,
                                  GroupTypes.REPO_ADMINISTRATOR)
        self.assert_users_count(admins=2)
        # Admin is able to delete self if there is another admin
        self.delete_member(urlfor='groups',
                           repo_slug=self.repo.slug,
                           username=self.admin_user2.username,
                           group_type=BaseGroupTypes.ADMINISTRATORS)
        self.assert_users_count(admins=1)
Exemplo n.º 16
0
    def test_members_create(self):
        """
        Members POST
        Testing only using an administrator used logged in.
        All the other kind of users don't have permissions to handle users.
        (tests for other users in rest_test_authorization.py)
        """
        # No users in the repo
        self.assert_users_count()
        # One user must be admin.
        assign_user_to_repo_group(self.admin_user, self.repo,
                                  GroupTypes.REPO_ADMINISTRATOR)
        self.assert_users_count(admins=1)
        self.login(self.admin_user.username)

        # First part: assign group to user
        # Assign unexpected group will fail
        self.create_member(urlfor='users',
                           repo_slug=self.repo.slug,
                           mem_dict={'group_type': 'foo'},
                           username=self.author_user.username,
                           expected_status=HTTP_400_BAD_REQUEST)
        # Assign real group to nonexistent user will fail
        self.create_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            mem_dict={'group_type': GroupTypes.REPO_ADMINISTRATOR},
            username='******',
            expected_status=HTTP_404_NOT_FOUND)
        # Assign authors group
        self.create_member(urlfor='users',
                           repo_slug=self.repo.slug,
                           mem_dict={'group_type': BaseGroupTypes.AUTHORS},
                           username=self.author_user.username,
                           reverse_str='repo-members-user-group-detail')
        self.assert_users_count(admins=1, authors=1)
        # Repeating the same assignment has no effect
        self.create_member(urlfor='users',
                           repo_slug=self.repo.slug,
                           mem_dict={'group_type': BaseGroupTypes.AUTHORS},
                           username=self.author_user.username,
                           reverse_str='repo-members-user-group-detail')
        self.assert_users_count(admins=1, authors=1)
        # Assign curators group
        self.create_member(urlfor='users',
                           repo_slug=self.repo.slug,
                           mem_dict={'group_type': BaseGroupTypes.CURATORS},
                           username=self.curator_user.username,
                           reverse_str='repo-members-user-group-detail')
        self.assert_users_count(admins=1, curators=1, authors=1)
        # Assign admin group
        self.create_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            mem_dict={'group_type': BaseGroupTypes.ADMINISTRATORS},
            username=self.admin_user2.username,
            reverse_str='repo-members-user-group-detail')
        self.assert_users_count(admins=2, curators=1, authors=1)
        # Assign admin group to curator user (user can have multiple groups)
        self.create_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            mem_dict={'group_type': BaseGroupTypes.ADMINISTRATORS},
            username=self.curator_user.username,
            reverse_str='repo-members-user-group-detail')
        self.assert_users_count(admins=3, curators=1, authors=1)

        # Reset users configuration
        self.remove_all_users_from_repo()
        self.assert_users_count()
        assign_user_to_repo_group(self.admin_user, self.repo,
                                  GroupTypes.REPO_ADMINISTRATOR)
        self.assert_users_count(admins=1)

        # Second part: assign user to group
        # Assign unexpected group will fail
        self.create_member(urlfor='groups',
                           repo_slug=self.repo.slug,
                           mem_dict={'username': self.author_user.username},
                           group_type='foo',
                           expected_status=HTTP_404_NOT_FOUND)
        # Assign real group to nonexistent user will fail
        self.create_member(urlfor='groups',
                           repo_slug=self.repo.slug,
                           mem_dict={'username': '******'},
                           group_type=BaseGroupTypes.AUTHORS,
                           expected_status=HTTP_400_BAD_REQUEST)
        # Assign user to authors group
        self.create_member(urlfor='groups',
                           repo_slug=self.repo.slug,
                           mem_dict={'username': self.author_user.username},
                           group_type=BaseGroupTypes.AUTHORS,
                           reverse_str='repo-members-group-user-detail')
        self.assert_users_count(admins=1, authors=1)
        # Repeating the same assignment has no effect
        self.create_member(urlfor='groups',
                           repo_slug=self.repo.slug,
                           mem_dict={'username': self.author_user.username},
                           group_type=BaseGroupTypes.AUTHORS,
                           reverse_str='repo-members-group-user-detail')
        self.assert_users_count(admins=1, authors=1)
        # Assign user to curators group
        self.create_member(urlfor='groups',
                           repo_slug=self.repo.slug,
                           mem_dict={'username': self.curator_user.username},
                           group_type=BaseGroupTypes.CURATORS,
                           reverse_str='repo-members-group-user-detail')
        self.assert_users_count(admins=1, curators=1, authors=1)
        # Assign user to admins group
        self.create_member(urlfor='groups',
                           repo_slug=self.repo.slug,
                           mem_dict={'username': self.admin_user2.username},
                           group_type=BaseGroupTypes.ADMINISTRATORS,
                           reverse_str='repo-members-group-user-detail')
        self.assert_users_count(admins=2, curators=1, authors=1)
        # Assign curator user to admin group (user can have multiple groups)
        self.create_member(urlfor='groups',
                           repo_slug=self.repo.slug,
                           mem_dict={'username': self.curator_user.username},
                           group_type=BaseGroupTypes.ADMINISTRATORS,
                           reverse_str='repo-members-group-user-detail')
        self.assert_users_count(admins=3, curators=1, authors=1)
Exemplo n.º 17
0
 def test_upload_with_permissions(self):
     """GET upload page with different user permissions"""
     def check_user_no_permission():
         """
         Helper function to check that the user has
         no permission on the repo
         """
         # user cannot see the repository page
         self.assert_status_code(
             self.repository_url_slug,
             UNAUTHORIZED
         )
         # and cannot see the import page
         self.assert_status_code(
             self.import_url_slug,
             UNAUTHORIZED
         )
     self.logout()
     self.login(self.USERNAME_NO_REPO)
     # user has no permissions at all
     check_user_no_permission()
     # user has author permissions
     assign_user_to_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_AUTHOR
     )
     # user can see the repository page
     self.assert_status_code(
         self.repository_url_slug,
         HTTP_OK
     )
     # but cannot see the import for the repo
     self.assert_status_code(
         self.import_url_slug,
         UNAUTHORIZED
     )
     # user has no permissions
     remove_user_from_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_AUTHOR
     )
     check_user_no_permission()
     # user has curator permissions
     assign_user_to_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_CURATOR
     )
     # user can see the repository page
     self.assert_status_code(
         self.repository_url_slug,
         HTTP_OK
     )
     # and can see the the import for the repo
     self.assert_status_code(
         self.import_url_slug,
         HTTP_OK
     )
     # remove curator permissions
     remove_user_from_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_CURATOR
     )
     check_user_no_permission()
     # user has admin permissions
     assign_user_to_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_ADMINISTRATOR
     )
     # user can see the repository page
     self.assert_status_code(
         self.repository_url_slug,
         HTTP_OK
     )
     # and can see the the import for the repo
     self.assert_status_code(
         self.import_url_slug,
         HTTP_OK
     )
Exemplo n.º 18
0
    def test_members_create(self):
        """
        Members POST
        Testing only using an administrator used logged in.
        All the other kind of users don't have permissions to handle users.
        (tests for other users in rest_test_authorization.py)
        """
        # No users in the repo
        self.assert_users_count()
        # One user must be admin.
        assign_user_to_repo_group(
            self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
        self.assert_users_count(admins=1)
        self.login(self.admin_user.username)

        # First part: assign group to user
        # Assign unexpected group will fail
        self.create_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            mem_dict={'group_type': 'foo'},
            username=self.author_user.username,
            expected_status=HTTP_400_BAD_REQUEST
        )
        # Assign real group to nonexistent user will fail
        self.create_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            mem_dict={'group_type': GroupTypes.REPO_ADMINISTRATOR},
            username='******',
            expected_status=HTTP_404_NOT_FOUND
        )
        # Assign authors group
        self.create_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            mem_dict={'group_type': BaseGroupTypes.AUTHORS},
            username=self.author_user.username,
            reverse_str='repo-members-user-group-detail'
        )
        self.assert_users_count(admins=1, authors=1)
        # Repeating the same assignment has no effect
        self.create_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            mem_dict={'group_type': BaseGroupTypes.AUTHORS},
            username=self.author_user.username,
            reverse_str='repo-members-user-group-detail'
        )
        self.assert_users_count(admins=1, authors=1)
        # Assign curators group
        self.create_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            mem_dict={'group_type': BaseGroupTypes.CURATORS},
            username=self.curator_user.username,
            reverse_str='repo-members-user-group-detail'
        )
        self.assert_users_count(admins=1, curators=1, authors=1)
        # Assign admin group
        self.create_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            mem_dict={'group_type': BaseGroupTypes.ADMINISTRATORS},
            username=self.admin_user2.username,
            reverse_str='repo-members-user-group-detail'
        )
        self.assert_users_count(admins=2, curators=1, authors=1)
        # Assign admin group to curator user (user can have multiple groups)
        self.create_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            mem_dict={'group_type': BaseGroupTypes.ADMINISTRATORS},
            username=self.curator_user.username,
            reverse_str='repo-members-user-group-detail'
        )
        self.assert_users_count(admins=3, curators=1, authors=1)

        # Reset users configuration
        self.remove_all_users_from_repo()
        self.assert_users_count()
        assign_user_to_repo_group(
            self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
        self.assert_users_count(admins=1)

        # Second part: assign user to group
        # Assign unexpected group will fail
        self.create_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            mem_dict={'username': self.author_user.username},
            group_type='foo',
            expected_status=HTTP_404_NOT_FOUND
        )
        # Assign real group to nonexistent user will fail
        self.create_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            mem_dict={'username': '******'},
            group_type=BaseGroupTypes.AUTHORS,
            expected_status=HTTP_400_BAD_REQUEST
        )
        # Assign user to authors group
        self.create_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            mem_dict={'username': self.author_user.username},
            group_type=BaseGroupTypes.AUTHORS,
            reverse_str='repo-members-group-user-detail'
        )
        self.assert_users_count(admins=1, authors=1)
        # Repeating the same assignment has no effect
        self.create_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            mem_dict={'username': self.author_user.username},
            group_type=BaseGroupTypes.AUTHORS,
            reverse_str='repo-members-group-user-detail'
        )
        self.assert_users_count(admins=1, authors=1)
        # Assign user to curators group
        self.create_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            mem_dict={'username': self.curator_user.username},
            group_type=BaseGroupTypes.CURATORS,
            reverse_str='repo-members-group-user-detail'
        )
        self.assert_users_count(admins=1, curators=1, authors=1)
        # Assign user to admins group
        self.create_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            mem_dict={'username': self.admin_user2.username},
            group_type=BaseGroupTypes.ADMINISTRATORS,
            reverse_str='repo-members-group-user-detail'
        )
        self.assert_users_count(admins=2, curators=1, authors=1)
        # Assign curator user to admin group (user can have multiple groups)
        self.create_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            mem_dict={'username': self.curator_user.username},
            group_type=BaseGroupTypes.ADMINISTRATORS,
            reverse_str='repo-members-group-user-detail'
        )
        self.assert_users_count(admins=3, curators=1, authors=1)
Exemplo n.º 19
0
 def test_list_users_in_repo_no_base_group_type_specified(self):
     """
     Test for list_users_in_repo
     """
     self.assertListEqual(
         api.list_users_in_repo(self.repo),
         [
             UserGroup(self.user.username, BaseGroupTypes.ADMINISTRATORS)
         ]
     )
     # Remove the user from the administrators.
     api.remove_user_from_repo_group(
         self.user,
         self.repo,
         GroupTypes.REPO_ADMINISTRATOR
     )
     # No users in the repo.
     self.assertListEqual(
         api.list_users_in_repo(self.repo),
         []
     )
     # Add user to the curators.
     api.assign_user_to_repo_group(
         self.user,
         self.repo,
         GroupTypes.REPO_CURATOR
     )
     self.assertListEqual(
         api.list_users_in_repo(self.repo),
         [
             UserGroup(self.user.username, BaseGroupTypes.CURATORS)
         ]
     )
     # Add user back to the administrators.
     api.assign_user_to_repo_group(
         self.user,
         self.repo,
         GroupTypes.REPO_ADMINISTRATOR
     )
     self.assertListEqual(
         self.sort_user_group(
             api.list_users_in_repo(self.repo)
         ),
         self.sort_user_group(
             [
                 UserGroup(
                     self.user.username,
                     BaseGroupTypes.ADMINISTRATORS
                 ),
                 UserGroup(
                     self.user.username,
                     BaseGroupTypes.CURATORS
                 )
             ]
         )
     )
     # Add another user to the authors.
     api.assign_user_to_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_AUTHOR
     )
     self.assertListEqual(
         self.sort_user_group(
             api.list_users_in_repo(self.repo)
         ),
         self.sort_user_group(
             [
                 UserGroup(
                     self.user.username,
                     BaseGroupTypes.ADMINISTRATORS
                 ),
                 UserGroup(
                     self.user.username,
                     BaseGroupTypes.CURATORS
                 ),
                 UserGroup(
                     self.user_norepo.username,
                     BaseGroupTypes.AUTHORS
                 )
             ]
         )
     )
     # Adding again the same user in the same group
     # will not create multiple instances.
     api.assign_user_to_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_AUTHOR
     )
     self.assertListEqual(
         self.sort_user_group(
             api.list_users_in_repo(self.repo)
         ),
         self.sort_user_group(
             [
                 UserGroup(
                     self.user.username,
                     BaseGroupTypes.ADMINISTRATORS
                 ),
                 UserGroup(
                     self.user.username,
                     BaseGroupTypes.CURATORS
                 ),
                 UserGroup(
                     self.user_norepo.username,
                     BaseGroupTypes.AUTHORS
                 )
             ]
         )
     )
Exemplo n.º 20
0
    def test_members_delete(self):
        """
        Members DELETE
        Testing only using an administrator used logged in.
        All the other kind of users don't have permissions to handle users.
        (tests for other users in rest_test_authorization.py)
        """
        # No users in the repo
        self.assert_users_count()
        # Populate repo groups.
        self.add_users_to_repo()
        # Add extra administrator
        assign_user_to_repo_group(
            self.admin_user2, self.repo, GroupTypes.REPO_ADMINISTRATOR)
        self.assert_users_count(admins=2, curators=1, authors=1)
        self.login(self.admin_user2)

        # First part: delete group from user
        # Delete authors group
        self.delete_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            username=self.author_user.username,
            group_type=BaseGroupTypes.AUTHORS,
        )
        self.assert_users_count(admins=2, curators=1)
        # Delete curators group
        self.delete_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            username=self.curator_user.username,
            group_type=BaseGroupTypes.CURATORS,
        )
        self.assert_users_count(admins=2)
        # Delete administrators group
        self.delete_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            username=self.admin_user.username,
            group_type=BaseGroupTypes.ADMINISTRATORS,
        )
        self.assert_users_count(admins=1)
        # Trying to delete the last of administrators group will fail
        self.delete_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            username=self.admin_user2.username,
            group_type=BaseGroupTypes.ADMINISTRATORS,
            expected_status=HTTP_400_BAD_REQUEST
        )
        self.assert_users_count(admins=1)
        # Add back second admin
        assign_user_to_repo_group(
            self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
        self.assert_users_count(admins=2)
        # Admin is able to delete self if there is another admin
        self.delete_member(
            urlfor='users',
            repo_slug=self.repo.slug,
            username=self.admin_user2.username,
            group_type=BaseGroupTypes.ADMINISTRATORS
        )
        self.assert_users_count(admins=1)

        # Reset users configuration
        # Populate repo groups.
        self.add_users_to_repo()
        # Add extra administrator
        assign_user_to_repo_group(
            self.admin_user2, self.repo, GroupTypes.REPO_ADMINISTRATOR)
        self.assert_users_count(admins=2, curators=1, authors=1)

        # Second part: delete user from group
        # Delete user from authors group
        self.delete_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            username=self.author_user.username,
            group_type=BaseGroupTypes.AUTHORS,
        )
        self.assert_users_count(admins=2, curators=1)
        # Delete user from curators group
        self.delete_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            username=self.curator_user.username,
            group_type=BaseGroupTypes.CURATORS,
        )
        self.assert_users_count(admins=2)
        # Delete user from administrators group
        self.delete_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            username=self.admin_user.username,
            group_type=BaseGroupTypes.ADMINISTRATORS,
        )
        self.assert_users_count(admins=1)
        # Trying to delete the last of administrators group will fail
        self.delete_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            username=self.admin_user2.username,
            group_type=BaseGroupTypes.ADMINISTRATORS,
            expected_status=HTTP_400_BAD_REQUEST
        )
        self.assert_users_count(admins=1)
        # Add back second admin
        assign_user_to_repo_group(
            self.admin_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
        self.assert_users_count(admins=2)
        # Admin is able to delete self if there is another admin
        self.delete_member(
            urlfor='groups',
            repo_slug=self.repo.slug,
            username=self.admin_user2.username,
            group_type=BaseGroupTypes.ADMINISTRATORS
        )
        self.assert_users_count(admins=1)
Exemplo n.º 21
0
    def test_learning_resource_exports(self):
        """Test for creating LearningResource ids in session shopping cart."""

        # set up our data
        self.logout()
        self.login(self.add_repo_user)

        repo_slug1 = self.repo.slug
        repo_slug2 = self.create_repository()['slug']
        repo2 = Repository.objects.get(slug=repo_slug2)

        # 'add_repo_user' will be able to see both repos
        assign_user_to_repo_group(
            self.add_repo_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
        self.import_course_tarball(repo2)

        repo1_lrid1 = get_resources(self.repo.id).all()[0].id
        repo2_lrid1 = get_resources(repo2.id).all()[0].id
        repo2_lrid2 = get_resources(repo2.id).all()[1].id

        self.logout()
        self.login(self.user)

        # make sure we start with an empty shopping cart
        self.assertEqual([],
                         self.get_learning_resource_exports(
                             repo_slug1)['results'])
        self.create_learning_resource_export(self.repo.slug, {
            'id': repo1_lrid1
        })
        self.assertEqual([{'id': repo1_lrid1}],
                         self.get_learning_resource_exports(
                             repo_slug1)['results'])

        # user doesn't have access to repo2
        self.get_learning_resource_exports(
            repo_slug2, expected_status=HTTP_403_FORBIDDEN)

        self.logout()
        self.login(self.add_repo_user)

        # make sure that session is not shared between users
        # user has an id in repo1 but add_repo_user does not
        self.assertEqual([], self.get_learning_resource_exports(
            repo_slug1
        )['results'])

        # don't store duplicates
        self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1})
        self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1})
        self.assertEqual(
            [{"id": repo1_lrid1}],
            self.get_learning_resource_exports(
                repo_slug1
            )['results'])

        # make sure export ids are confined to their own repos
        self.create_learning_resource_export(repo_slug2, {
            'id': repo2_lrid1
        })
        # not affected by POST in previous line
        self.assertEqual([{'id': repo1_lrid1}],
                         self.get_learning_resource_exports(
                             repo_slug1)['results'])
        # contains the new item
        self.assertEqual([{'id': repo2_lrid1}],
                         self.get_learning_resource_exports(
                             repo_slug2)['results'])

        # make sure we can't add export ids that don't belong to the repo
        self.create_learning_resource_export(repo_slug1, {
            'id': repo2_lrid1
        }, expected_status=HTTP_403_FORBIDDEN)

        # make sure detail view will 404 if out of bounds
        self.assertEqual(repo1_lrid1, self.get_learning_resource_export(
            repo_slug1, repo1_lrid1)['id'])
        self.get_learning_resource_export(
            repo_slug1, repo2_lrid1,
            expected_status=HTTP_404_NOT_FOUND)
        self.get_learning_resource_export(
            repo_slug2, repo1_lrid1,
            expected_status=HTTP_404_NOT_FOUND)
        self.assertEqual(repo2_lrid1, self.get_learning_resource_export(
            repo_slug2, repo2_lrid1)['id'])

        self.create_learning_resource_export(repo_slug2, {"id": repo2_lrid1})
        self.create_learning_resource_export(repo_slug2, {"id": repo2_lrid2})

        # finally, delete all of the things
        self.assertEqual(
            2, self.get_learning_resource_exports(repo_slug2)['count'])
        self.delete_learning_resource_exports(repo_slug2)
        self.assertEqual(
            0, self.get_learning_resource_exports(repo_slug2)['count'])

        # make sure deleting an empty list doesn't cause problems
        self.delete_learning_resource_exports(repo_slug2)
        self.assertEqual(
            0, self.get_learning_resource_exports(repo_slug2)['count'])

        # repo1 is unaffected
        self.assertEqual(
            1, self.get_learning_resource_exports(repo_slug1)['count'])
        self.delete_learning_resource_export(repo_slug1, repo1_lrid1)
        self.get_learning_resource_export(
            repo_slug1, repo1_lrid1, expected_status=HTTP_404_NOT_FOUND)

        self.logout()
        self.login(self.user)

        # Populate shopping cart one more time.
        self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1})

        self.logout()
        self.login(self.user)

        # After logout and login session was cleared
        self.assertEqual(
            0, self.get_learning_resource_exports(repo_slug1)['count'])
Exemplo n.º 22
0
    def test_members_get(self):
        """
        Tests for members.
        Get requests: an user can see members if has at least basic permissions
        """
        # add an user to all groups
        for group_type in [
                GroupTypes.REPO_ADMINISTRATOR, GroupTypes.REPO_CURATOR,
                GroupTypes.REPO_AUTHOR
        ]:
            assign_user_to_repo_group(self.user, self.repo, group_type)

        self.logout()
        # as anonymous
        self.get_members(urlfor='base',
                         repo_slug=self.repo.slug,
                         expected_status=HTTP_403_FORBIDDEN)
        # list of all groups for an user
        self.get_members(urlfor='users',
                         repo_slug=self.repo.slug,
                         username=self.user.username,
                         expected_status=HTTP_403_FORBIDDEN)
        for group_type in BaseGroupTypes.all_base_groups():
            # specific group for an user
            self.get_members(urlfor='users',
                             repo_slug=self.repo.slug,
                             username=self.user.username,
                             group_type=group_type,
                             expected_status=HTTP_403_FORBIDDEN)
            # list of all users for a group
            self.get_members(urlfor='groups',
                             repo_slug=self.repo.slug,
                             group_type=group_type,
                             expected_status=HTTP_403_FORBIDDEN)
            # specific user for a group
            self.get_members(urlfor='groups',
                             repo_slug=self.repo.slug,
                             username=self.user.username,
                             group_type=group_type,
                             expected_status=HTTP_403_FORBIDDEN)

        # any kind of user in the repo groups can retrieve infos
        for user in [
                self.author_user.username, self.curator_user.username,
                self.user.username
        ]:
            self.logout()
            self.login(user)
            # list of all groups for an user
            self.get_members(urlfor='base', repo_slug=self.repo.slug)
            # specific group for an user
            self.get_members(urlfor='users',
                             repo_slug=self.repo.slug,
                             username=self.user.username)
            for group_type in BaseGroupTypes.all_base_groups():
                self.get_members(urlfor='users',
                                 repo_slug=self.repo.slug,
                                 username=self.user.username,
                                 group_type=group_type)
                # list of all users for a group
                self.get_members(urlfor='groups',
                                 repo_slug=self.repo.slug,
                                 group_type=group_type)
                # specific user for a group
                self.get_members(urlfor='groups',
                                 repo_slug=self.repo.slug,
                                 username=self.user.username,
                                 group_type=group_type)
Exemplo n.º 23
0
    def test_learning_resource_exports(self):
        """Test for creating LearningResource ids in session shopping cart."""

        # set up our data
        self.logout()
        self.login(self.add_repo_user)

        repo_slug1 = self.repo.slug
        repo_slug2 = self.create_repository()['slug']
        repo2 = Repository.objects.get(slug=repo_slug2)

        # 'add_repo_user' will be able to see both repos
        assign_user_to_repo_group(
            self.add_repo_user, self.repo, GroupTypes.REPO_ADMINISTRATOR)
        self.import_course_tarball(repo2)

        repo1_lrid1 = get_resources(self.repo.id).all()[0].id
        repo2_lrid1 = get_resources(repo2.id).all()[0].id
        repo2_lrid2 = get_resources(repo2.id).all()[1].id

        self.logout()
        self.login(self.user)

        # make sure we start with an empty shopping cart
        self.assertEqual([],
                         self.get_learning_resource_exports(
                             repo_slug1)['results'])
        self.create_learning_resource_export(self.repo.slug, {
            'id': repo1_lrid1
        })
        self.assertEqual([{'id': repo1_lrid1}],
                         self.get_learning_resource_exports(
                             repo_slug1)['results'])

        # user doesn't have access to repo2
        self.get_learning_resource_exports(
            repo_slug2, expected_status=HTTP_403_FORBIDDEN)

        self.logout()
        self.login(self.add_repo_user)

        # make sure that session is not shared between users
        # user has an id in repo1 but add_repo_user does not
        self.assertEqual([], self.get_learning_resource_exports(
            repo_slug1
        )['results'])

        # don't store duplicates
        self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1})
        self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1})
        self.assertEqual(
            [{"id": repo1_lrid1}],
            self.get_learning_resource_exports(
                repo_slug1
            )['results'])

        # make sure export ids are confined to their own repos
        self.create_learning_resource_export(repo_slug2, {
            'id': repo2_lrid1
        })
        # not affected by POST in previous line
        self.assertEqual([{'id': repo1_lrid1}],
                         self.get_learning_resource_exports(
                             repo_slug1)['results'])
        # contains the new item
        self.assertEqual([{'id': repo2_lrid1}],
                         self.get_learning_resource_exports(
                             repo_slug2)['results'])

        # make sure we can't add export ids that don't belong to the repo
        self.create_learning_resource_export(repo_slug1, {
            'id': repo2_lrid1
        }, expected_status=HTTP_403_FORBIDDEN)

        # make sure detail view will 404 if out of bounds
        self.assertEqual(repo1_lrid1, self.get_learning_resource_export(
            repo_slug1, repo1_lrid1)['id'])
        self.get_learning_resource_export(
            repo_slug1, repo2_lrid1,
            expected_status=HTTP_404_NOT_FOUND)
        self.get_learning_resource_export(
            repo_slug2, repo1_lrid1,
            expected_status=HTTP_404_NOT_FOUND)
        self.assertEqual(repo2_lrid1, self.get_learning_resource_export(
            repo_slug2, repo2_lrid1)['id'])

        self.create_learning_resource_export(repo_slug2, {"id": repo2_lrid1})
        self.create_learning_resource_export(repo_slug2, {"id": repo2_lrid2})

        # finally, delete all of the things
        self.assertEqual(
            2, self.get_learning_resource_exports(repo_slug2)['count'])
        self.delete_learning_resource_exports(repo_slug2)
        self.assertEqual(
            0, self.get_learning_resource_exports(repo_slug2)['count'])

        # make sure deleting an empty list doesn't cause problems
        self.delete_learning_resource_exports(repo_slug2)
        self.assertEqual(
            0, self.get_learning_resource_exports(repo_slug2)['count'])

        # repo1 is unaffected
        self.assertEqual(
            1, self.get_learning_resource_exports(repo_slug1)['count'])
        self.delete_learning_resource_export(repo_slug1, repo1_lrid1)
        self.get_learning_resource_export(
            repo_slug1, repo1_lrid1, expected_status=HTTP_404_NOT_FOUND)

        self.logout()
        self.login(self.user)

        # Populate shopping cart one more time.
        self.create_learning_resource_export(repo_slug1, {"id": repo1_lrid1})

        self.logout()
        self.login(self.user)

        # After logout and login session was cleared
        self.assertEqual(
            0, self.get_learning_resource_exports(repo_slug1)['count'])
Exemplo n.º 24
0
 def test_listing_importcourse_perms(self):
     """
     Tests the listing page with different user permissions
     to check who can see the import course html
     """
     self.logout()
     self.login(self.USERNAME_NO_REPO)
     # user has no permissions at all
     self.assert_status_code(
         self.repository_url,
         UNAUTHORIZED
     )
     # user has author permissions and cannot see the import for the repo
     assign_user_to_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_AUTHOR
     )
     body = self.assert_status_code(
         self.repository_url,
         HTTP_OK,
         return_body=True
     )
     self.assertFalse("Import Course</a>" in body)
     # user has no permissions
     remove_user_from_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_AUTHOR
     )
     self.assert_status_code(
         self.repository_url,
         UNAUTHORIZED
     )
     # user has curator permissions and can see the the import for the repo
     assign_user_to_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_CURATOR
     )
     body = self.assert_status_code(
         self.repository_url,
         HTTP_OK,
         return_body=True
     )
     self.assertTrue("Import Course</a>" in body)
     # user has no permissions
     remove_user_from_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_CURATOR
     )
     self.assert_status_code(
         self.repository_url,
         UNAUTHORIZED
     )
     # user has admin permissions and can see the the import for the repo
     assign_user_to_repo_group(
         self.user_norepo,
         self.repo,
         GroupTypes.REPO_ADMINISTRATOR
     )
     body = self.assert_status_code(
         self.repository_url,
         HTTP_OK,
         return_body=True
     )
     self.assertTrue("Import Course</a>" in body)