class TestProjectStatsAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) def prepare_stats(self): project = ProjectFactory.create() stats.update_stats(project.id) return stats.get_stats(project.id, full=True) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_can_read_projectstats(self): """Test anonymous users can read projectstats""" ps = self.prepare_stats() assert_not_raises(Exception, ensure_authorized_to, 'read', ps) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_can_read_projectstats(self): """Test authenticated users can read projectstats""" ps = self.prepare_stats() assert_not_raises(Exception, ensure_authorized_to, 'read', ps) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_user_can_read_projectstats(self): """Test admin users can read projectstats""" ps = self.prepare_stats() assert_not_raises(Exception, ensure_authorized_to, 'read', ps) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_crud_projectstats(self): """Test anonymous users cannot crud projectstats""" ps = self.prepare_stats() assert_raises(Unauthorized, ensure_authorized_to, 'create', ps) assert_raises(Unauthorized, ensure_authorized_to, 'update', ps) assert_raises(Unauthorized, ensure_authorized_to, 'delete', ps) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_cannot_crud_projectstats(self): """Test authenticated users cannot crud project stats""" ps = self.prepare_stats() assert_raises(Forbidden, ensure_authorized_to, 'create', ps) assert_raises(Forbidden, ensure_authorized_to, 'update', ps) assert_raises(Forbidden, ensure_authorized_to, 'delete', ps) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_user_cannot_crud_projectstats(self): """Test admin users cannot crud project stats""" ps = self.prepare_stats() assert_raises(Forbidden, ensure_authorized_to, 'create', ps) assert_raises(Forbidden, ensure_authorized_to, 'update', ps) assert_raises(Forbidden, ensure_authorized_to, 'delete', ps)
class TestTaskAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_create(self): """Test anonymous users cannot create tasks""" user = UserFactory.create() app = AppFactory.create(owner=user) task = TaskFactory.create(app=app) with patch('pybossa.auth.task.current_user', new=self.mock_anonymous): assert_raises(Unauthorized, getattr(require, 'task').create) assert_not_raises(Forbidden, getattr(require, 'task').read, task) assert_raises(Unauthorized, getattr(require, 'task').update, task) assert_raises(Unauthorized, getattr(require, 'task').delete, task) def test_project_owner_can_crud(self): """Test project owner can crud tasks""" user = UserFactory.create() app = AppFactory.create(owner=user) task = TaskFactory.create(app=app) with patch('pybossa.auth.task.current_user', new=user): assert_not_raises(Forbidden, getattr(require, 'task').create, task) assert_not_raises(Forbidden, getattr(require, 'task').read, task) assert_not_raises(Forbidden, getattr(require, 'task').update, task) assert_not_raises(Forbidden, getattr(require, 'task').delete, task) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_not_project_owner_cannot_crud(self): """Test authenticated user cannot crud tasks""" user = UserFactory.create() user2 = UserFactory.create() app = AppFactory.create(owner=user) task = TaskFactory.create(app=app) with patch('pybossa.auth.task.current_user', new=user2): assert_raises(Forbidden, getattr(require, 'task').create, task) assert_not_raises(Forbidden, getattr(require, 'task').read, task) assert_raises(Forbidden, getattr(require, 'task').update, task) assert_raises(Forbidden, getattr(require, 'task').delete, task) def test_admin_can_crud(self): """Test admin user can crud tasks""" user = UserFactory.create() user2 = UserFactory.create() app = AppFactory.create(owner=user2) task = TaskFactory.create(app=app) with patch('pybossa.auth.task.current_user', new=user): assert_not_raises(Forbidden, getattr(require, 'task').create, task) assert_not_raises(Forbidden, getattr(require, 'task').read, task) assert_not_raises(Forbidden, getattr(require, 'task').update, task) assert_not_raises(Forbidden, getattr(require, 'task').delete, task)
class TestProjectAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_crud(self): """Test anonymous users cannot crud categories""" category = CategoryFactory.build() assert_raises(Unauthorized, ensure_authorized_to, 'create', category) assert_not_raises(Exception, ensure_authorized_to, 'read', category) assert_not_raises(Exception, ensure_authorized_to, 'read', Category) assert_raises(Unauthorized, ensure_authorized_to, 'update', category) assert_raises(Unauthorized, ensure_authorized_to, 'delete', category) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_can_crud(self): """Test authenticated users cannot crud categories""" category = CategoryFactory.build() assert_raises(Forbidden, ensure_authorized_to, 'create', category) assert_not_raises(Exception, ensure_authorized_to, 'read', category) assert_not_raises(Exception, ensure_authorized_to, 'read', Category) assert_raises(Forbidden, ensure_authorized_to, 'update', category) assert_raises(Forbidden, ensure_authorized_to, 'delete', category) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_can_crud(self): """Test admin user can crud categories""" category = CategoryFactory.build() assert_not_raises(Forbidden, ensure_authorized_to, 'create', category) assert_not_raises(Forbidden, ensure_authorized_to, 'read', category) assert_not_raises(Forbidden, ensure_authorized_to, 'read', Category) assert_not_raises(Forbidden, ensure_authorized_to, 'update', category) assert_not_raises(Forbidden, ensure_authorized_to, 'delete', category)
class TestTaskrunAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_create_first_taskrun(self): """Test anonymous user can create a taskrun for a given task if he hasn't already done it""" task = TaskFactory.create() taskrun = AnonymousTaskRunFactory.build(task=task) assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_create_repeated_taskrun(self): """Test anonymous user cannot create a taskrun for a task to which he has previously posted a taskrun""" task = TaskFactory.create() taskrun1 = AnonymousTaskRunFactory.create(task=task) taskrun2 = AnonymousTaskRunFactory.build(task=task) assert_raises(Forbidden, getattr(require, 'taskrun').create, taskrun2) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_create_taskrun(self): """Test anonymous user can create a taskrun for a task even though he has posted taskruns for different tasks in the same project""" tasks = TaskFactory.create_batch(2) taskrun1 = AnonymousTaskRunFactory.create(task=tasks[0]) taskrun2 = AnonymousTaskRunFactory.build(task_id=tasks[1].id) assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun2) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_create_taskrun_non_allow_anonymous_contrib(self): """Test anonymous user cannot create a taskrun for a project that does not allow for anonymous contributors""" project = AppFactory.create(allow_anonymous_contributors=False) task = TaskFactory.create(app=project) taskrun = AnonymousTaskRunFactory.build(task=task) assert_raises(Unauthorized, getattr(require, 'taskrun').create, taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_create_first_taskrun(self): """Test authenticated user can create a taskrun for a given task if he hasn't already done it""" task = TaskFactory.create() taskrun = TaskRunFactory.build(task_id=task.id, user_id=self.mock_authenticated.id) assert self.mock_authenticated.id == taskrun.user_id, taskrun assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_create_repeated_taskrun(self): """Test authenticated user cannot create a taskrun for a task to which he has previously posted a taskrun""" task = TaskFactory.create() taskrun1 = TaskRunFactory.create(task=task) taskrun2 = TaskRunFactory.build(task=task, user=taskrun1.user) assert self.mock_authenticated.id == taskrun1.user.id assert_raises(Forbidden, getattr(require, 'taskrun').create, taskrun2) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_create_taskrun(self): """Test authenticated user can create a taskrun for a task even though he has posted taskruns for different tasks in the same project""" user = UserFactory.create_batch(2)[1] tasks = TaskFactory.create_batch(2) taskrun1 = TaskRunFactory.create(task=tasks[0], user=user) taskrun2 = TaskRunFactory.build(task_id=tasks[1].id, user_id=user.id) assert self.mock_authenticated.id == taskrun2.user_id assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun2) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_create_taskrun_non_allow_anonymous_contrib( self): """Test authenticated user can create a taskrun for a project that does not allow for anonymous contributors""" project = AppFactory.create(allow_anonymous_contributors=False) task = TaskFactory.create(app=project) taskrun = TaskRunFactory.build(task_id=task.id) assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_read(self): """Test anonymous user can read any taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() user_taskrun = TaskRunFactory.create() assert_not_raises(Exception, getattr(require, 'taskrun').read, anonymous_taskrun) assert_not_raises(Exception, getattr(require, 'taskrun').read, user_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_read(self): """Test authenticated user can read any taskrun""" own_taskrun = TaskRunFactory.create() anonymous_taskrun = AnonymousTaskRunFactory.create() other_users_taskrun = TaskRunFactory.create() assert self.mock_authenticated.id == own_taskrun.user.id assert self.mock_authenticated.id != other_users_taskrun.user.id assert_not_raises(Exception, getattr(require, 'taskrun').read, anonymous_taskrun) assert_not_raises(Exception, getattr(require, 'taskrun').read, other_users_taskrun) assert_not_raises(Exception, getattr(require, 'taskrun').read, own_taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_update_anoymous_taskrun(self): """Test anonymous users cannot update an anonymously posted taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Unauthorized, getattr(require, 'taskrun').update, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_update_anonymous_taskrun(self): """Test authenticated users cannot update an anonymously posted taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Forbidden, getattr(require, 'taskrun').update, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.taskrun.current_user', new=mock_admin) def test_admin_update_anonymous_taskrun(self): """Test admins cannot update anonymously posted taskruns""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Forbidden, getattr(require, 'taskrun').update, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_update_user_taskrun(self): """Test anonymous user cannot update taskruns posted by authenticated users""" user_taskrun = TaskRunFactory.create() assert_raises(Unauthorized, getattr(require, 'taskrun').update, user_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_update_other_users_taskrun(self): """Test authenticated user cannot update any user taskrun""" own_taskrun = TaskRunFactory.create() other_users_taskrun = TaskRunFactory.create() assert self.mock_authenticated.id == own_taskrun.user.id assert self.mock_authenticated.id != other_users_taskrun.user.id assert_raises(Forbidden, getattr(require, 'taskrun').update, own_taskrun) assert_raises(Forbidden, getattr(require, 'taskrun').update, other_users_taskrun) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.taskrun.current_user', new=mock_admin) def test_admin_update_user_taskrun(self): """Test admins cannot update taskruns posted by authenticated users""" user_taskrun = TaskRunFactory.create() assert self.mock_admin.id != user_taskrun.user.id assert_raises(Forbidden, getattr(require, 'taskrun').update, user_taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_delete_anonymous_taskrun(self): """Test anonymous users cannot delete an anonymously posted taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Unauthorized, getattr(require, 'taskrun').delete, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_delete_anonymous_taskrun(self): """Test authenticated users cannot delete an anonymously posted taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Forbidden, getattr(require, 'taskrun').delete, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.taskrun.current_user', new=mock_admin) def test_admin_delete_anonymous_taskrun(self): """Test admins can delete anonymously posted taskruns""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_not_raises(Exception, getattr(require, 'taskrun').delete, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_delete_user_taskrun(self): """Test anonymous user cannot delete taskruns posted by authenticated users""" user_taskrun = TaskRunFactory.create() assert_raises(Unauthorized, getattr(require, 'taskrun').delete, user_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_delete_other_users_taskrun(self): """Test authenticated user cannot delete a taskrun if it was created by another authenticated user, but can delete his own taskruns""" own_taskrun = TaskRunFactory.create() other_users_taskrun = TaskRunFactory.create() assert self.mock_authenticated.id == own_taskrun.user.id assert self.mock_authenticated.id != other_users_taskrun.user.id assert_not_raises(Exception, getattr(require, 'taskrun').delete, own_taskrun) assert_raises(Forbidden, getattr(require, 'taskrun').delete, other_users_taskrun) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.taskrun.current_user', new=mock_admin) def test_admin_delete_user_taskrun(self): """Test admins can delete taskruns posted by authenticated users""" user_taskrun = TaskRunFactory.create() assert self.mock_admin.id != user_taskrun.user.id, user_taskrun.user.id assert_not_raises(Exception, getattr(require, 'taskrun').delete, user_taskrun)
class TestAuditlogAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_pro = mock_current_user(anonymous=False, admin=False, id=2, pro=True) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.auditlog.current_user', new=mock_anonymous) def test_anonymous_user_cannot_read_auditlog(self): """Test anonymous users cannot read auditlogs""" log = AuditlogFactory.create() assert_raises(Unauthorized, getattr(require, 'auditlog').read, log) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.auditlog.current_user', new=mock_authenticated) def test_owner_user_cannot_read_auditlog(self): """Test owner users cannot read auditlogs""" owner = UserFactory.create_batch(2)[1] app = AppFactory.create(owner=owner) log = AuditlogFactory.create(app_id=app.id) assert self.mock_authenticated.id == app.owner_id assert_raises(Forbidden, getattr(require, 'auditlog').read, log) @patch('pybossa.auth.current_user', new=mock_pro) @patch('pybossa.auth.auditlog.current_user', new=mock_pro) def test_pro_user_can_read_auditlog(self): """Test pro users can read auditlogs from owned projects""" owner = UserFactory.create_batch(2, pro=True)[1] app = AppFactory.create(owner=owner) log = AuditlogFactory.create(app_id=app.id) assert self.mock_pro.id == app.owner_id assert_not_raises(Exception, getattr(require, 'auditlog').read, log) @patch('pybossa.auth.current_user', new=mock_pro) @patch('pybossa.auth.auditlog.current_user', new=mock_pro) def test_pro_user_cannot_read_auditlog(self): """Test pro users cannot read auditlogs from non-owned projects""" users = UserFactory.create_batch(2, pro=True) app = AppFactory.create(owner=users[0]) log = AuditlogFactory.create(app_id=app.id) assert self.mock_pro.id != app.owner_id assert_raises(Forbidden, getattr(require, 'auditlog').read, log) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.auditlog.current_user', new=mock_admin) def test_admin_user_can_read_auditlog(self): """Test admin users can read auditlogs""" owner = UserFactory.create_batch(2)[1] app = AppFactory.create(owner=owner) log = AuditlogFactory.create(app_id=app.id) assert self.mock_admin.id != app.owner_id assert_not_raises(Exception, getattr(require, 'auditlog').read, log) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.auditlog.current_user', new=mock_anonymous) def test_anonymous_user_cannot_crud_auditlog(self): """Test anonymous users cannot crud auditlogs""" log = Auditlog() assert_raises(Unauthorized, getattr(require, 'auditlog').create, log) assert_raises(Unauthorized, getattr(require, 'auditlog').update, log) assert_raises(Unauthorized, getattr(require, 'auditlog').delete, log) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.auditlog.current_user', new=mock_authenticated) def test_authenticated_user_cannot_crud_auditlog(self): """Test authenticated users cannot crud auditlogs""" log = Auditlog() assert_raises(Forbidden, getattr(require, 'auditlog').create, log) assert_raises(Forbidden, getattr(require, 'auditlog').update, log) assert_raises(Forbidden, getattr(require, 'auditlog').delete, log) @patch('pybossa.auth.current_user', new=mock_pro) @patch('pybossa.auth.auditlog.current_user', new=mock_pro) def test_pro_user_cannot_crud_auditlog(self): """Test pro users cannot crud auditlogs""" log = Auditlog() assert_raises(Forbidden, getattr(require, 'auditlog').create, log) assert_raises(Forbidden, getattr(require, 'auditlog').update, log) assert_raises(Forbidden, getattr(require, 'auditlog').delete, log) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.auditlog.current_user', new=mock_admin) def test_admin_user_cannot_crud_auditlog(self): """Test authenticated users cannot crud auditlogs""" log = Auditlog() assert_raises(Forbidden, getattr(require, 'auditlog').create, log) assert_raises(Forbidden, getattr(require, 'auditlog').update, log) assert_raises(Forbidden, getattr(require, 'auditlog').delete, log)
class TestTokenAuthorization(Test): auth_providers = ('twitter', 'facebook', 'google') mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_delete(self): """Test anonymous user is not allowed to delete an oauth token""" for token in self.auth_providers: assert_raises(Unauthorized, ensure_authorized_to, 'delete', 'token', token=token) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_delete(self): """Test authenticated user is not allowed to delete an oauth token""" for token in self.auth_providers: assert_raises(Forbidden, ensure_authorized_to, 'delete', 'token', token=token) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create(self): """Test anonymous user is not allowed to create an oauth token""" for token in self.auth_providers: assert_raises(Unauthorized, ensure_authorized_to, 'create', 'token', token=token) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_create(self): """Test authenticated user is not allowed to create an oauth token""" for token in self.auth_providers: assert_raises(Forbidden, ensure_authorized_to, 'create', 'token', token=token) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_update(self): """Test anonymous user is not allowed to update an oauth token""" for token in self.auth_providers: assert_raises(Unauthorized, ensure_authorized_to, 'update', 'token', token=token) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_update(self): """Test authenticated user is not allowed to update an oauth token""" for token in self.auth_providers: assert_raises(Forbidden, ensure_authorized_to, 'update', 'token', token=token) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read(self): """Test anonymous user is not allowed to read an oauth token""" for token in self.auth_providers: assert_raises(Unauthorized, ensure_authorized_to, 'read', 'token', token=token) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_read(self): """Test authenticated user is allowed to read his own oauth tokens""" for token in self.auth_providers: assert_not_raises(Exception, ensure_authorized_to, 'read', 'token', token=token)
class TestTaskrunAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) def setUp(self): super(TestTaskrunAuthorization, self).setUp() with self.flask_app.app_context(): self.create() def configure_fixtures(self): self.app = db.session.query(App).first() self.root = db.session.query(User).first() self.user1 = db.session.query(User).get(2) self.user2 = db.session.query(User).get(3) self.task = Task(app_id=self.app.id, state='0', n_answers=10) self.task.app = self.app db.session.add(self.task) db.session.commit() @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_create_first_taskrun(self): """Test anonymous user can create a taskrun for a given task if he hasn't already done it""" with self.flask_app.test_request_context('/'): self.configure_fixtures() taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_ip='127.0.0.0', info="some taskrun info") assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_create_repeated_taskrun(self): """Test anonymous user cannot create a taskrun for a task to which he has previously posted a taskrun""" with self.flask_app.test_request_context('/'): self.configure_fixtures() taskrun1 = TaskRun(app_id=self.app.id, task_id=self.task.id, user_ip='127.0.0.0', info="some taskrun info") db.session.add(taskrun1) db.session.commit() taskrun2 = TaskRun(app_id=self.app.id, task_id=self.task.id, user_ip='127.0.0.0', info="a different taskrun info") assert_raises(Forbidden, getattr(require, 'taskrun').create, taskrun2) # But the user can still create taskruns for different tasks task2 = Task(app_id=self.app.id, state='0', n_answers=10) task2.app = self.app db.session.add(task2) db.session.commit() taskrun3 = TaskRun(app_id=self.app.id, task_id=task2.id, user_ip='127.0.0.0', info="some taskrun info") assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun3) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_create_first_taskrun(self): """Test authenticated user can create a taskrun for a given task if he hasn't already done it""" with self.flask_app.test_request_context('/'): self.configure_fixtures() taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_id=self.mock_authenticated.id, info="some taskrun info") assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_create_repeated_taskrun(self): """Test authenticated user cannot create a taskrun for a task to which he has previously posted a taskrun""" with self.flask_app.test_request_context('/'): self.configure_fixtures() taskrun1 = TaskRun(app_id=self.app.id, task_id=self.task.id, user=self.user1, info="some taskrun info") db.session.add(taskrun1) db.session.commit() taskrun2 = TaskRun(app_id=self.app.id, task_id=self.task.id, user=self.user1, info="a different taskrun info") assert_raises(Forbidden, getattr(require, 'taskrun').create, taskrun2) # But the user can still create taskruns for different tasks task2 = Task(app_id=self.app.id, state='0', n_answers=10) task2.app = self.app db.session.add(task2) db.session.commit() taskrun3 = TaskRun(app_id=self.app.id, task_id=task2.id, user_id=self.mock_authenticated.id, info="some taskrun info") assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun3) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_read(self): """Test anonymous user can read any taskrun""" with self.flask_app.test_request_context('/'): self.configure_fixtures() anonymous_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_ip='127.0.0.0', info="some taskrun info") user_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_id=self.root.id, info="another taskrun info") assert_not_raises(Exception, getattr(require, 'taskrun').read, anonymous_taskrun) assert_not_raises(Exception, getattr(require, 'taskrun').read, user_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_read(self): """Test authenticated user can read any taskrun""" with self.flask_app.test_request_context('/'): self.configure_fixtures() anonymous_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_ip='127.0.0.0', info="some taskrun info") other_users_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_id=self.root.id, info="a different taskrun info") own_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_id=self.mock_authenticated.id, info="another taskrun info") assert_not_raises(Exception, getattr(require, 'taskrun').read, anonymous_taskrun) assert_not_raises(Exception, getattr(require, 'taskrun').read, other_users_taskrun) assert_not_raises(Exception, getattr(require, 'taskrun').read, own_taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_update_anoymous_taskrun(self): """Test anonymous users cannot update an anonymously posted taskrun""" with self.flask_app.test_request_context('/'): self.configure_fixtures() anonymous_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_ip='127.0.0.0', info="some taskrun info") assert_raises(Unauthorized, getattr(require, 'taskrun').update, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_update_anonymous_taskrun(self): """Test authenticated users cannot update an anonymously posted taskrun""" with self.flask_app.test_request_context('/'): self.configure_fixtures() anonymous_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_ip='127.0.0.0', info="some taskrun info") assert_raises(Forbidden, getattr(require, 'taskrun').update, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.taskrun.current_user', new=mock_admin) def test_admin_update_anonymous_taskrun(self): """Test admins cannot update anonymously posted taskruns""" with self.flask_app.test_request_context('/'): self.configure_fixtures() anonymous_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_ip='127.0.0.0', info="some taskrun info") assert_raises(Forbidden, getattr(require, 'taskrun').update, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_update_user_taskrun(self): """Test anonymous user cannot update taskruns posted by authenticated users""" with self.flask_app.test_request_context('/'): self.configure_fixtures() user_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_id=self.root.id, info="some taskrun info") assert_raises(Unauthorized, getattr(require, 'taskrun').update, user_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_update_other_users_taskrun(self): """Test authenticated user cannot update any taskrun""" with self.flask_app.test_request_context('/'): self.configure_fixtures() own_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_id=self.mock_authenticated.id, info="some taskrun info") other_users_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_id=self.root.id, info="a different taskrun info") assert_raises(Forbidden, getattr(require, 'taskrun').update, own_taskrun) assert_raises(Forbidden, getattr(require, 'taskrun').update, other_users_taskrun) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.taskrun.current_user', new=mock_admin) def test_admin_update_user_taskrun(self): """Test admins cannot update taskruns posted by authenticated users""" with self.flask_app.test_request_context('/'): self.configure_fixtures() user_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_id=self.user1.id, info="some taskrun info") assert_raises(Forbidden, getattr(require, 'taskrun').update, user_taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_delete_anonymous_taskrun(self): """Test anonymous users cannot delete an anonymously posted taskrun""" with self.flask_app.test_request_context('/'): self.configure_fixtures() anonymous_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_ip='127.0.0.0', info="some taskrun info") assert_raises(Unauthorized, getattr(require, 'taskrun').delete, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_delete_anonymous_taskrun(self): """Test authenticated users cannot delete an anonymously posted taskrun""" with self.flask_app.test_request_context('/'): self.configure_fixtures() anonymous_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_ip='127.0.0.0', info="some taskrun info") assert_raises(Forbidden, getattr(require, 'taskrun').delete, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.taskrun.current_user', new=mock_admin) def test_admin_delete_anonymous_taskrun(self): """Test admins can delete anonymously posted taskruns""" with self.flask_app.test_request_context('/'): self.configure_fixtures() anonymous_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_ip='127.0.0.0', info="some taskrun info") assert_not_raises(Exception, getattr(require, 'taskrun').delete, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_delete_user_taskrun(self): """Test anonymous user cannot delete taskruns posted by authenticated users""" with self.flask_app.test_request_context('/'): self.configure_fixtures() user_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_id=self.root.id, info="some taskrun info") assert_raises(Unauthorized, getattr(require, 'taskrun').delete, user_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_delete_other_users_taskrun(self): """Test authenticated user cannot delete a taskrun if it was created by another authenticated user, but can delete his own taskruns""" with self.flask_app.test_request_context('/'): self.configure_fixtures() own_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_id=self.mock_authenticated.id, info="some taskrun info") other_users_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_id=self.root.id, info="a different taskrun info") assert_not_raises(Exception, getattr(require, 'taskrun').delete, own_taskrun) assert_raises(Forbidden, getattr(require, 'taskrun').delete, other_users_taskrun) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.taskrun.current_user', new=mock_admin) def test_admin_delete_user_taskrun(self): """Test admins can delete taskruns posted by authenticated users""" with self.flask_app.test_request_context('/'): self.configure_fixtures() user_taskrun = TaskRun(app_id=self.app.id, task_id=self.task.id, user_id=self.user1.id, info="some taskrun info") assert_not_raises(Exception, getattr(require, 'taskrun').delete, user_taskrun)
class TestTaskAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_crud(self): """Test anonymous users cannot crud tasks""" user = UserFactory.create() project = ProjectFactory.create(owner=user) task = TaskFactory.create(project=project) assert_raises(Unauthorized, ensure_authorized_to, 'create', task) assert_not_raises(Forbidden, ensure_authorized_to, 'read', task) assert_not_raises(Forbidden, ensure_authorized_to, 'read', Task) assert_raises(Unauthorized, ensure_authorized_to, 'update', task) assert_raises(Unauthorized, ensure_authorized_to, 'delete', task) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_project_owner_can_crud(self): """Test project owner can crud tasks""" user = UserFactory.create() owner = UserFactory.create() project = ProjectFactory.create(owner=owner) task = TaskFactory.create(project=project) assert self.mock_authenticated.id == owner.id assert_not_raises(Forbidden, ensure_authorized_to, 'create', task) assert_not_raises(Forbidden, ensure_authorized_to, 'read', task) assert_not_raises(Forbidden, ensure_authorized_to, 'read', Task) assert_not_raises(Forbidden, ensure_authorized_to, 'update', task) assert_not_raises(Forbidden, ensure_authorized_to, 'delete', task) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_not_project_owner_cannot_crud(self): """Test non owner user cannot crud tasks""" owner = UserFactory.create() non_owner = UserFactory.create() project = ProjectFactory.create(owner=owner) task = TaskFactory.create(project=project) assert self.mock_authenticated.id != owner.id assert_raises(Forbidden, ensure_authorized_to, 'create', task) assert_not_raises(Forbidden, ensure_authorized_to, 'read', task) assert_not_raises(Forbidden, ensure_authorized_to, 'read', Task) assert_raises(Forbidden, ensure_authorized_to, 'update', task) assert_raises(Forbidden, ensure_authorized_to, 'delete', task) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_can_crud(self): """Test admin user can crud tasks""" admin = UserFactory.create() owner = UserFactory.create() project = ProjectFactory.create(owner=owner) task = TaskFactory.create(project=project) assert self.mock_admin.id != owner.id assert_not_raises(Forbidden, ensure_authorized_to, 'create', task) assert_not_raises(Forbidden, ensure_authorized_to, 'read', task) assert_not_raises(Forbidden, ensure_authorized_to, 'read', Task) assert_not_raises(Forbidden, ensure_authorized_to, 'update', task) assert_not_raises(Forbidden, ensure_authorized_to, 'delete', task)
class TestProjectAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_create(self): """Test anonymous users cannot projects""" assert_raises(Unauthorized, ensure_authorized_to, 'create', Project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_can_create(self): """Test authenticated users can create projects""" assert_not_raises(Exception, ensure_authorized_to, 'create', Project) @patch('pybossa.auth.current_user', new=mock_admin) def test_a_project_cannot_be_created_as_published(self): """Test a project cannot be created directly as published""" published_project = ProjectFactory.build(published=True) assert_raises(Forbidden, ensure_authorized_to, 'create', published_project) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_can_read_all_projects(self): """Test anonymous users can read projects""" assert_not_raises(Exception, ensure_authorized_to, 'read', Project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_can_read_all_projects(self): """Test authenticated users can read projects""" assert_not_raises(Exception, ensure_authorized_to, 'read', Project) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_can_read_given_published(self): """Test anonymous users can read a given published project""" project = ProjectFactory.create(published=True) assert_not_raises(Exception, ensure_authorized_to, 'read', project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_can_read_given_published(self): """Test authenticated users can read a given published project""" project = ProjectFactory.create(published=True) assert_not_raises(Exception, ensure_authorized_to, 'read', project) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_read_given_draft(self): """Test anonymous users cannot read draft projects""" project = ProjectFactory.create(published=False) assert_raises(Unauthorized, ensure_authorized_to, 'read', project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_cannot_read_given_draft(self): """Test authenticated users cannot read draft projects if are not owners""" project = ProjectFactory.create(published=False) assert project.owner.id != self.mock_authenticated.id, project.owner assert_raises(Forbidden, ensure_authorized_to, 'read', project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owners_can_read_given_draft(self): """Test the owner of a project can read it despite being a draft""" owner = UserFactory.build_batch(2)[1] project = ProjectFactory.create(published=False, owner=owner) assert project.owner.id == self.mock_authenticated.id, project.owner assert_not_raises(Exception, ensure_authorized_to, 'read', project) @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_can_read_given_draft(self): """Test an admin can read a project despite being a draft""" owner = UserFactory.build_batch(2)[1] project = ProjectFactory.create(published=False, owner=owner) assert project.owner.id != self.mock_admin.id, project.owner assert_not_raises(Exception, ensure_authorized_to, 'read', project) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_update(self): """Test anonymous users cannot update a project""" project = ProjectFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'update', project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_cannot_update(self): """Test authenticated users cannot update a project if aren't owners""" project = ProjectFactory.create() assert project.owner.id != self.mock_authenticated.id, project.owner assert_raises(Forbidden, ensure_authorized_to, 'update', project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_can_update(self): """Test owners can update a project""" owner = UserFactory.build_batch(2)[1] project = ProjectFactory.create(owner=owner) assert project.owner.id == self.mock_authenticated.id, project.owner assert_not_raises(Exception, ensure_authorized_to, 'update', project) @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_can_update(self): """Test an admin can update a project""" owner = UserFactory.build_batch(2)[1] project = ProjectFactory.create(owner=owner) assert project.owner.id != self.mock_admin.id, project.owner assert_not_raises(Exception, ensure_authorized_to, 'update', project) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_delete(self): """Test anonymous users cannot delete a project""" project = ProjectFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'delete', project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_cannot_delete(self): """Test authenticated users cannot delete a project if aren't owners""" project = ProjectFactory.create() assert project.owner.id != self.mock_authenticated.id, project.owner assert_raises(Forbidden, ensure_authorized_to, 'delete', project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_can_delete(self): """Test owners can delete a project""" owner = UserFactory.build_batch(2)[1] project = ProjectFactory.create(owner=owner) assert project.owner.id == self.mock_authenticated.id, project.owner assert_not_raises(Exception, ensure_authorized_to, 'delete', project) @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_can_delete(self): """Test an admin can delete a project""" owner = UserFactory.build_batch(2)[1] project = ProjectFactory.create(owner=owner) assert project.owner.id != self.mock_admin.id, project.owner assert_not_raises(Exception, ensure_authorized_to, 'delete', project) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_publish(self): """Test anonymous users cannot publish a project""" project = ProjectFactory.create(published=False) assert_raises(Unauthorized, ensure_authorized_to, 'publish', project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_cannot_publish(self): """Test non-owners cannot publish a project""" project = ProjectFactory.create(published=False) assert project.owner.id != self.mock_authenticated.id, project.owner assert_raises(Forbidden, ensure_authorized_to, 'publish', project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_cannot_publish_if_project_has_no_presenter(self): """Test owner cannot publish a project that has no presenter""" owner = UserFactory.build_batch(2)[1] project = ProjectFactory.create(owner=owner, published=False, info={}) TaskFactory.create(project=project) assert project.owner.id == self.mock_authenticated.id, project.owner assert_raises(Forbidden, ensure_authorized_to, 'publish', project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_cannot_publish_if_project_has_no_tasks(self): """Test owner cannot publish a project that has no tasks""" owner = UserFactory.build_batch(2)[1] project = ProjectFactory.create(owner=owner, published=False) assert project.owner.id == self.mock_authenticated.id, project.owner assert_raises(Forbidden, ensure_authorized_to, 'publish', project) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_can_publish_if_project_has_tasks_and_presenter(self): """Test owner can publish a project that has tasks and a presenter""" owner = UserFactory.build_batch(2)[1] project = ProjectFactory.create(owner=owner, published=False) TaskFactory.create(project=project) assert project.owner.id == self.mock_authenticated.id, project.owner assert_not_raises(Exception, ensure_authorized_to, 'publish', project) @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_cannot_publish_if_project_has_no_presenter(self): """Test admins cannot publish a project that has no presenter""" owner = UserFactory.build_batch(2)[1] project = ProjectFactory.create(owner=owner, published=False, info={}) TaskFactory.create(project=project) assert_raises(Forbidden, ensure_authorized_to, 'publish', project) @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_cannot_publish_if_project_has_no_tasks(self): """Test admins cannot publish a project that has no tasks""" owner = UserFactory.build_batch(2)[1] project = ProjectFactory.create(owner=owner, published=False) assert_raises(Forbidden, ensure_authorized_to, 'publish', project) @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_can_publish_if_project_has_tasks_and_presenter(self): """Test admins can publish a project that has tasks and a presenter""" owner = UserFactory.build_batch(2)[1] project = ProjectFactory.create(owner=owner, published=False) TaskFactory.create(project=project) assert project.owner.id != self.mock_admin.id, project.owner assert_not_raises(Exception, ensure_authorized_to, 'publish', project)
class TestUserAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_create(self): """Test anonymous users cannot create users""" assert_raises(Unauthorized, ensure_authorized_to, 'create', User) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_cannot_create(self): """Test authenticated users cannot create users""" assert_raises(Forbidden, ensure_authorized_to, 'create', User) @patch('pybossa.auth.current_user', new=mock_admin) def test_admins_can_create(self): """Test admins users can create users""" assert_not_raises(Exception, ensure_authorized_to, 'create', User) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_can_read(self): """Test anonymous users can read users""" assert_not_raises(Exception, ensure_authorized_to, 'read', User) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_can_read(self): """Test authenticated users can read users""" assert_not_raises(Exception, ensure_authorized_to, 'read', User) @patch('pybossa.auth.current_user', new=mock_admin) def test_admins_can_read(self): """Test admins users can read users""" assert_not_raises(Exception, ensure_authorized_to, 'read', User) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_can_read_given_user(self): """Test anonymous users can read a given user""" user = UserFactory.create() assert_not_raises(Exception, ensure_authorized_to, 'read', user) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_can_read_given_user(self): """Test authenticated users can read a given user""" user = UserFactory.create() assert_not_raises(Exception, ensure_authorized_to, 'read', user) @patch('pybossa.auth.current_user', new=mock_admin) def test_admins_can_read_given_user(self): """Test admins users can read a given user""" user = UserFactory.create() assert_not_raises(Exception, ensure_authorized_to, 'read', user) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_update_given_user(self): """Test anonymous users cannot update a given user""" user = UserFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'update', user) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_cannot_update_another_user(self): """Test authenticated users cannot update another user than themselves""" user = UserFactory.create() assert user.id != self.mock_authenticated.id, user.id assert_raises(Forbidden, ensure_authorized_to, 'update', user) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_can_update_themselves(self): """Test authenticated users can update themselves""" user = UserFactory.create_batch(2)[1] assert user.id == self.mock_authenticated.id, user.id assert_not_raises(Exception, ensure_authorized_to, 'update', user) @patch('pybossa.auth.current_user', new=mock_admin) def test_admins_can_update_any_user(self): """Test admins users can update any given user""" himself = UserFactory.create() other_user = UserFactory.create() assert himself.id == self.mock_admin.id assert other_user.id != self.mock_admin.id assert_not_raises(Exception, ensure_authorized_to, 'update', other_user) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_delete_given_user(self): """Test anonymous users cannot delete a given user""" user = UserFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'delete', user) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_cannot_delete_another_user(self): """Test authenticated users cannot delete another user than themselves""" user = UserFactory.create() assert user.id != self.mock_authenticated.id, user.id assert_raises(Forbidden, ensure_authorized_to, 'delete', user) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_can_delete_themselves(self): """Test authenticated users can delete themselves""" user = UserFactory.create_batch(2)[1] assert user.id == self.mock_authenticated.id, user.id assert_not_raises(Exception, ensure_authorized_to, 'delete', user) @patch('pybossa.auth.current_user', new=mock_admin) def test_admins_can_delete_any_user(self): """Test admins users can delete any given user""" himself = UserFactory.create() other_user = UserFactory.create() assert himself.id == self.mock_admin.id assert other_user.id != self.mock_admin.id assert_not_raises(Exception, ensure_authorized_to, 'delete', other_user)
class TestAuditlogAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_read_auditlog(self): """Test anonymous users cannot read an auditlog""" log = AuditlogFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'read', log) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_read_project_auditlogs(self): """Test anonymous users cannot read auditlogs of a specific project""" project = ProjectFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'read', Auditlog, project_id=project.id) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_user_cannot_read_auditlog(self): """Test owner users can read an auditlog""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner) log = AuditlogFactory.create(project_id=project.id) assert self.mock_authenticated.id == project.owner_id assert_not_raises(Exception, ensure_authorized_to, 'read', log) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_user_cannot_read_project_auditlogs(self): """Test owner users can read auditlogs of a specific project""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner) assert_not_raises(Exception, ensure_authorized_to, 'read', Auditlog, project_id=project.id) @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_user_can_read_auditlog(self): """Test admin users can read an auditlog""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner) log = AuditlogFactory.create(project_id=project.id) assert self.mock_admin.id != project.owner_id assert_not_raises(Exception, ensure_authorized_to, 'read', log) @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_user_can_read_project_auditlogs(self): """Test admin users can read auditlogs from a project""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner) assert self.mock_admin.id != project.owner_id assert_not_raises(Exception, ensure_authorized_to, 'read', Auditlog, project_id=project.id) @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_crud_auditlog(self): """Test anonymous users cannot crud auditlogs""" log = Auditlog() assert_raises(Unauthorized, ensure_authorized_to, 'create', log) assert_raises(Unauthorized, ensure_authorized_to, 'update', log) assert_raises(Unauthorized, ensure_authorized_to, 'delete', log) @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_cannot_crud_auditlog(self): """Test authenticated users cannot crud auditlogs""" log = Auditlog() assert_raises(Forbidden, ensure_authorized_to, 'create', log) assert_raises(Forbidden, ensure_authorized_to, 'update', log) assert_raises(Forbidden, ensure_authorized_to, 'delete', log) @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_user_cannot_crud_auditlog(self): """Test admin users cannot crud auditlogs""" log = Auditlog() assert_raises(Forbidden, ensure_authorized_to, 'create', log) assert_raises(Forbidden, ensure_authorized_to, 'update', log) assert_raises(Forbidden, ensure_authorized_to, 'delete', log)
class TestProjectAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.app.current_user', new=mock_anonymous) def test_anonymous_user_cannot_create(self): """Test anonymous users cannot projects""" assert_raises(Unauthorized, getattr(require, 'app').create) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.app.current_user', new=mock_authenticated) def test_authenticated_user_can_create(self): """Test authenticated users can create projects""" assert_not_raises(Exception, getattr(require, 'app').create) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.app.current_user', new=mock_anonymous) def test_anonymous_user_can_read_all_projects(self): """Test anonymous users can read non hidden projects""" assert_not_raises(Exception, getattr(require, 'app').read) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.app.current_user', new=mock_authenticated) def test_authenticated_user_can_read_all_projects(self): """Test authenticated users can read non hidden projects""" assert_not_raises(Exception, getattr(require, 'app').read) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.app.current_user', new=mock_anonymous) def test_anonymous_user_can_read_given_non_hidden(self): """Test anonymous users can read a given non hidden project""" project = AppFactory.create() assert_not_raises(Exception, getattr(require, 'app').read, project) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.app.current_user', new=mock_authenticated) def test_authenticated_user_can_read_given_non_hidden(self): """Test authenticated users can read a given non hidden project""" project = AppFactory.create() assert_not_raises(Exception, getattr(require, 'app').read, project) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.app.current_user', new=mock_anonymous) def test_anonymous_user_cannot_read_given_hidden(self): """Test anonymous users cannot read hidden projects""" project = AppFactory.create(hidden=1) assert_raises(Unauthorized, getattr(require, 'app').read, project) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.app.current_user', new=mock_authenticated) def test_authenticated_user_cannot_read_given_hidden(self): """Test authenticated users cannot read hidden projects if are not owners""" project = AppFactory.create(hidden=1) assert project.owner.id != self.mock_authenticated.id, project.owner assert_raises(Forbidden, getattr(require, 'app').read, project) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.app.current_user', new=mock_authenticated) def test_owners_can_read_given_hidden(self): """Test the owner of a project can read it despite being hidden""" owner = UserFactory.build_batch(2)[1] project = AppFactory.create(hidden=1, owner=owner) assert project.owner.id == self.mock_authenticated.id, project.owner assert_not_raises(Exception, getattr(require, 'app').read, project) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.app.current_user', new=mock_admin) def test_admin_can_read_given_hidden(self): """Test an admin can read a project despite being hidden""" owner = UserFactory.build_batch(2)[1] project = AppFactory.create(hidden=1, owner=owner) assert project.owner.id != self.mock_admin.id, project.owner assert_not_raises(Exception, getattr(require, 'app').read, project) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.app.current_user', new=mock_anonymous) def test_anonymous_user_cannot_update(self): """Test anonymous users cannot update a project""" project = AppFactory.create() assert_raises(Unauthorized, getattr(require, 'app').update, project) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.app.current_user', new=mock_authenticated) def test_authenticated_user_cannot_update(self): """Test authenticated users cannot update a project if aren't owners""" project = AppFactory.create() assert project.owner.id != self.mock_authenticated.id, project.owner assert_raises(Forbidden, getattr(require, 'app').update, project) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.app.current_user', new=mock_authenticated) def test_owner_can_update(self): """Test owners can update a project""" owner = UserFactory.build_batch(2)[1] project = AppFactory.create(owner=owner) assert project.owner.id == self.mock_authenticated.id, project.owner assert_not_raises(Exception, getattr(require, 'app').update, project) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.app.current_user', new=mock_admin) def test_admin_can_update(self): """Test an admin can update a project""" owner = UserFactory.build_batch(2)[1] project = AppFactory.create(hidden=1, owner=owner) assert project.owner.id != self.mock_admin.id, project.owner assert_not_raises(Exception, getattr(require, 'app').update, project) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.app.current_user', new=mock_anonymous) def test_anonymous_user_cannot_delete(self): """Test anonymous users cannot delete a project""" project = AppFactory.create() assert_raises(Unauthorized, getattr(require, 'app').delete, project) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.app.current_user', new=mock_authenticated) def test_authenticated_user_cannot_delete(self): """Test authenticated users cannot delete a project if aren't owners""" project = AppFactory.create() assert project.owner.id != self.mock_authenticated.id, project.owner assert_raises(Forbidden, getattr(require, 'app').delete, project) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.app.current_user', new=mock_authenticated) def test_owner_can_delete(self): """Test owners can delete a project""" owner = UserFactory.build_batch(2)[1] project = AppFactory.create(owner=owner) assert project.owner.id == self.mock_authenticated.id, project.owner assert_not_raises(Exception, getattr(require, 'app').delete, project) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.app.current_user', new=mock_admin) def test_admin_can_delete(self): """Test an admin can delete a project""" owner = UserFactory.build_batch(2)[1] project = AppFactory.create(hidden=1, owner=owner) assert project.owner.id != self.mock_admin.id, project.owner assert_not_raises(Exception, getattr(require, 'app').delete, project)
class TestTaskrunAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_create_first_taskrun(self): """Test anonymous user can create a taskrun for a given task if he hasn't already done it""" taskrun = AnonymousTaskRunFactory.build() assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_create_repeated_taskrun(self): """Test anonymous user cannot create a taskrun for a task to which he has previously posted a taskrun""" task = TaskFactory.create() taskrun1 = AnonymousTaskRunFactory.create(task=task) taskrun2 = AnonymousTaskRunFactory.build(task=task) assert_raises(Forbidden, getattr(require, 'taskrun').create, taskrun2) # But the user can still create taskruns for different tasks task2 = TaskFactory.create(app=task.app) taskrun3 = AnonymousTaskRunFactory.build(task=task2) assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun3) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_create_first_taskrun(self): """Test authenticated user can create a taskrun for a given task if he hasn't already done it""" taskrun = TaskRunFactory.build() assert self.mock_authenticated.id == taskrun.user.id assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_create_repeated_taskrun(self): """Test authenticated user cannot create a taskrun for a task to which he has previously posted a taskrun""" task = TaskFactory.create() taskrun1 = TaskRunFactory.create(task=task) taskrun2 = TaskRunFactory.build(task=task, user=taskrun1.user) assert self.mock_authenticated.id == taskrun1.user.id assert_raises(Forbidden, getattr(require, 'taskrun').create, taskrun2) # But the user can still create taskruns for different tasks task2 = TaskFactory.create(app=task.app) taskrun3 = TaskRunFactory.build(task=task2, user=taskrun1.user) assert self.mock_authenticated.id == taskrun3.user.id assert_not_raises(Exception, getattr(require, 'taskrun').create, taskrun3) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_read(self): """Test anonymous user can read any taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() user_taskrun = TaskRunFactory.create() assert_not_raises(Exception, getattr(require, 'taskrun').read, anonymous_taskrun) assert_not_raises(Exception, getattr(require, 'taskrun').read, user_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_read(self): """Test authenticated user can read any taskrun""" own_taskrun = TaskRunFactory.create() anonymous_taskrun = AnonymousTaskRunFactory.create() other_users_taskrun = TaskRunFactory.create() assert self.mock_authenticated.id == own_taskrun.user.id assert self.mock_authenticated.id != other_users_taskrun.user.id assert_not_raises(Exception, getattr(require, 'taskrun').read, anonymous_taskrun) assert_not_raises(Exception, getattr(require, 'taskrun').read, other_users_taskrun) assert_not_raises(Exception, getattr(require, 'taskrun').read, own_taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_update_anoymous_taskrun(self): """Test anonymous users cannot update an anonymously posted taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Unauthorized, getattr(require, 'taskrun').update, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_update_anonymous_taskrun(self): """Test authenticated users cannot update an anonymously posted taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Forbidden, getattr(require, 'taskrun').update, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.taskrun.current_user', new=mock_admin) def test_admin_update_anonymous_taskrun(self): """Test admins cannot update anonymously posted taskruns""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Forbidden, getattr(require, 'taskrun').update, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_update_user_taskrun(self): """Test anonymous user cannot update taskruns posted by authenticated users""" user_taskrun = TaskRunFactory.create() assert_raises(Unauthorized, getattr(require, 'taskrun').update, user_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_update_other_users_taskrun(self): """Test authenticated user cannot update any user taskrun""" own_taskrun = TaskRunFactory.create() other_users_taskrun = TaskRunFactory.create() assert self.mock_authenticated.id == own_taskrun.user.id assert self.mock_authenticated.id != other_users_taskrun.user.id assert_raises(Forbidden, getattr(require, 'taskrun').update, own_taskrun) assert_raises(Forbidden, getattr(require, 'taskrun').update, other_users_taskrun) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.taskrun.current_user', new=mock_admin) def test_admin_update_user_taskrun(self): """Test admins cannot update taskruns posted by authenticated users""" user_taskrun = TaskRunFactory.create() assert self.mock_admin.id != user_taskrun.user.id assert_raises(Forbidden, getattr(require, 'taskrun').update, user_taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_delete_anonymous_taskrun(self): """Test anonymous users cannot delete an anonymously posted taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Unauthorized, getattr(require, 'taskrun').delete, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_delete_anonymous_taskrun(self): """Test authenticated users cannot delete an anonymously posted taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Forbidden, getattr(require, 'taskrun').delete, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.taskrun.current_user', new=mock_admin) def test_admin_delete_anonymous_taskrun(self): """Test admins can delete anonymously posted taskruns""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_not_raises(Exception, getattr(require, 'taskrun').delete, anonymous_taskrun) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_delete_user_taskrun(self): """Test anonymous user cannot delete taskruns posted by authenticated users""" user_taskrun = TaskRunFactory.create() assert_raises(Unauthorized, getattr(require, 'taskrun').delete, user_taskrun) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_delete_other_users_taskrun(self): """Test authenticated user cannot delete a taskrun if it was created by another authenticated user, but can delete his own taskruns""" own_taskrun = TaskRunFactory.create() other_users_taskrun = TaskRunFactory.create() assert self.mock_authenticated.id == own_taskrun.user.id assert self.mock_authenticated.id != other_users_taskrun.user.id assert_not_raises(Exception, getattr(require, 'taskrun').delete, own_taskrun) assert_raises(Forbidden, getattr(require, 'taskrun').delete, other_users_taskrun) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.taskrun.current_user', new=mock_admin) def test_admin_delete_user_taskrun(self): """Test admins can delete taskruns posted by authenticated users""" user_taskrun = TaskRunFactory.create() assert self.mock_admin.id != user_taskrun.user.id, user_taskrun.user.id assert_not_raises(Exception, getattr(require, 'taskrun').delete, user_taskrun)
class TestHelpingMaterialAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_given_helpingmaterial(self): """Test anonymous users cannot create helping materials for a project""" project = ProjectFactory.create() helping = HelpingMaterialFactory.build(project_id=project.id) assert_raises(Unauthorized, ensure_authorized_to, 'create', helping) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_helpingmaterials_for_given_project(self): """Test anonymous users cannot create helpingmaterials for a given project""" project = ProjectFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'create', HelpingMaterial, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_helpingmaterials(self): """Test anonymous users cannot create any helpingmaterials""" assert_raises(Unauthorized, ensure_authorized_to, 'create', HelpingMaterial) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_create_given_helpingmaterial(self): """Test authenticated user cannot create a given helpingmaterial if is not the project owner""" project = ProjectFactory.create() helpingmaterial = HelpingMaterialFactory.build(project_id=project.id) assert self.mock_authenticated.id != project.owner_id assert_raises(Forbidden, ensure_authorized_to, 'create', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_create_helpingmaterial_for_given_project( self): """Test authenticated user cannot create helpingmaterials for a given project if is not the project owner""" owner = UserFactory.create(id=3) project = ProjectFactory.create(owner=owner) assert self.mock_authenticated.id != project.owner.id assert_raises(Forbidden, ensure_authorized_to, 'create', HelpingMaterial, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_create_given_helpingmaterial(self): """Test authenticated user can create a given helpingmaterial if it's project owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner) helpingmaterial = HelpingMaterialFactory.build(project_id=project.id) assert self.mock_authenticated.id == project.owner_id assert_not_raises(Exception, ensure_authorized_to, 'create', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_create_helpingmaterial_for_given_project(self): """Test authenticated user can create helpingmaterials for a given project if it's project owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'create', HelpingMaterial, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_create_helpingmaterial_for_given_project(self): """Test admin user can create helpingmaterials for a given project even if it's not project owner""" owner = UserFactory.create(id=5) project = ProjectFactory.create(owner=owner) assert self.mock_admin.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'create', HelpingMaterial, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read_given_helpingmaterial(self): """Test anonymous users can read a given helpingmaterial""" project = ProjectFactory.create(published=True) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert_not_raises(Exception, ensure_authorized_to, 'read', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read_helpingmaterials_for_given_project(self): """Test anonymous users can read helpingmaterials of a given project""" project = ProjectFactory.create(published=True) assert_not_raises(Exception, ensure_authorized_to, 'read', HelpingMaterial, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read_given_helpingmaterial_draft_project(self): """Test anonymous users cannot read a given helpingmaterial of a draft project""" project = ProjectFactory.create(published=False) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert_raises(Unauthorized, ensure_authorized_to, 'read', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read_helpingmaterials_for_given_draft_project( self): """Test anonymous users cannot read helpingmaterials of a given project if is a draft""" project = ProjectFactory.create(published=False) assert_raises(Unauthorized, ensure_authorized_to, 'read', HelpingMaterial, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_given_helpingmaterial(self): """Test authenticated user can read a given helpingmaterial if is not the project owner""" project = ProjectFactory.create(published=True) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert self.mock_authenticated.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_helpingmaterials_for_given_project( self): """Test authenticated user can read helpingmaterials of a given project if is not the project owner""" project = ProjectFactory.create(published=True) assert self.mock_authenticated.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', HelpingMaterial, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_given_helpingmaterial_draft_project( self): """Test authenticated user cannot read a given helpingmaterial of a draft project if is not the project owner""" project = ProjectFactory.create(published=False) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert self.mock_authenticated.id != project.owner.id assert_raises(Forbidden, ensure_authorized_to, 'read', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_helpingmaterials_for_given_draft_project( self): """Test authenticated user cannot read helpingmaterials of a given project if is a draft and is not the project owner""" project = ProjectFactory.create(published=False) assert self.mock_authenticated.id != project.owner.id assert_raises(Forbidden, ensure_authorized_to, 'read', HelpingMaterial, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_read_given_helpingmaterial(self): """Test authenticated user can read a given helpingmaterial if is the project owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner, published=True) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_read_helpingmaterials_for_given_project(self): """Test authenticated user can read helpingmaterials of a given project if is the project owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner, published=True) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', HelpingMaterial, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_read_given_helpingmaterial_draft_project(self): """Test authenticated user can read a given helpingmaterial of a draft project if it's the project owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner, published=False) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_read_helpingmaterials_for_given_draft_project(self): """Test authenticated user can read helpingmaterials of a given draft project if it's the project owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner, published=False) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', HelpingMaterial, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_read_given_helpingmaterial_draft_project(self): """Test admin can read a given helpingmaterial of a draft project""" owner = UserFactory.create(id=5) project = ProjectFactory.create(owner=owner, published=False) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert self.mock_admin.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_read_helpingmaterials_for_given_draft_project(self): """Test admin can read helpingmaterials of a given draft project""" owner = UserFactory.create(id=5) project = ProjectFactory.create(published=False, owner=owner) assert self.mock_admin.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', HelpingMaterial, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_update_helpingmaterial(self): """Test anonymous users cannot update helpingmaterials""" project = ProjectFactory.create(published=True) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert_raises(Unauthorized, ensure_authorized_to, 'update', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_update_helpingmaterial(self): """Test authenticated user can update helpingmaterial if it's the post owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert_not_raises(Exception, ensure_authorized_to, 'update', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_owner_update_helpingmaterial(self): """Test admins can update helpingmaterial even if it's not the post owner""" owner = UserFactory.create(id=5) project = ProjectFactory.create(owner=owner) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert_not_raises(Exception, ensure_authorized_to, 'update', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_delete_helpingmaterial(self): """Test anonymous users cannot delete helpingmaterials""" project = ProjectFactory.create(published=True) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert_raises(Unauthorized, ensure_authorized_to, 'delete', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_delete_helpingmaterial(self): """Test authenticated user cannot delete a helpingmaterial if is not the post owner and is not admin""" owner = UserFactory.create(id=5) project = ProjectFactory.create(owner=owner, published=True) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert self.mock_authenticated.id != owner.id assert not self.mock_authenticated.admin assert_raises(Forbidden, ensure_authorized_to, 'delete', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_delete_helpingmaterial(self): """Test authenticated user can delete a helpingmaterial if is the post owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert self.mock_authenticated.id == owner.id assert_not_raises(Exception, ensure_authorized_to, 'delete', helpingmaterial) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_authenticated_user_delete_helpingmaterial(self): """Test authenticated user can delete any helpingmaterial if it's admin""" owner = UserFactory.create(id=5) project = ProjectFactory.create(owner=owner) helpingmaterial = HelpingMaterialFactory.create(project_id=project.id) assert self.mock_admin.id != owner.id assert_not_raises(Exception, ensure_authorized_to, 'delete', helpingmaterial)
class TestResultAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_pro = mock_current_user(anonymous=False, admin=False, id=2, pro=True) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) mock_owner = mock_current_user(anonymous=False, admin=False, id=1) def setUp(self): super(TestResultAuthorization, self).setUp() self.result_repo = ResultRepository(db) def create_result(self, n_answers=1, filter_by=False): task = TaskFactory.create(n_answers=n_answers) TaskRunFactory.create(task=task) if filter_by: return self.result_repo.filter_by(project_id=1) else: return self.result_repo.get_by(project_id=1) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_can_read_result(self): """Test anonymous users can read results""" result = self.create_result() assert ensure_authorized_to('read', result) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_auth_user_can_read_result(self): """Test auth users can read results""" result = self.create_result() assert ensure_authorized_to('read', result) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_user_can_read_result(self): """Test admin users can read results""" result = self.create_result() assert ensure_authorized_to('read', result) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_save_results(self): """Test anonymous users cannot save results of a specific project""" result = Result() assert_raises(Unauthorized, ensure_authorized_to, 'create', result) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_cannot_save_results(self): """Test authenticated users cannot save results of a specific project""" result = Result() assert_raises(Forbidden, ensure_authorized_to, 'create', result) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_user_cannot_save_results(self): """Test admin users cannot save results of a specific project""" result = Result() assert_raises(Forbidden, ensure_authorized_to, 'create', result) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_delete_results(self): """Test anonymous users cannot delete results of a specific project""" result = Result() assert_raises(Unauthorized, ensure_authorized_to, 'delete', result) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_cannot_delete_results(self): """Test authenticated users cannot delete results of a specific project""" result = Result() assert_raises(Forbidden, ensure_authorized_to, 'delete', result) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_user_cannot_delete_results(self): """Test admin users cannot delete results of a specific project""" result = Result() assert_raises(Forbidden, ensure_authorized_to, 'delete', result) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_update_results(self): """Test anonymous users cannot update results of a specific project""" result = self.create_result() assert_raises(Unauthorized, ensure_authorized_to, 'update', result) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_auth_user_cannot_update_results(self): """Test auth users but not owner cannot update results of a specific project""" result = self.create_result() assert_raises(Forbidden, ensure_authorized_to, 'update', result) @with_context @patch('pybossa.auth.current_user', new=mock_owner) def test_auth_owner_can_update_results(self): """Test auth owner can update results of a specific project""" result = self.create_result() result.info = dict(new='value') assert ensure_authorized_to('update', result) updated_result = self.result_repo.get_by(id=result.id) err_msg = "The result has not been updated" assert updated_result.info['new'] == 'value', err_msg
class TestTokenAuthorization(Test): auth_providers = ('twitter', 'facebook', 'google') mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_delete(self): """Test anonymous user is not allowed to delete an oauth token""" with self.flask_app.test_request_context('/'): for token in self.auth_providers: assert_raises(Unauthorized, getattr(require, 'token').delete, token) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_delete(self): """Test authenticated user is not allowed to delete an oauth token""" with self.flask_app.test_request_context('/'): for token in self.auth_providers: assert_raises(Forbidden, getattr(require, 'token').delete, token) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_create(self): """Test anonymous user is not allowed to create an oauth token""" with self.flask_app.test_request_context('/'): for token in self.auth_providers: assert_raises(Unauthorized, getattr(require, 'token').create, token) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_create(self): """Test authenticated user is not allowed to create an oauth token""" with self.flask_app.test_request_context('/'): for token in self.auth_providers: assert_raises(Forbidden, getattr(require, 'token').create, token) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_update(self): """Test anonymous user is not allowed to update an oauth token""" with self.flask_app.test_request_context('/'): for token in self.auth_providers: assert_raises(Unauthorized, getattr(require, 'token').update, token) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_update(self): """Test authenticated user is not allowed to update an oauth token""" with self.flask_app.test_request_context('/'): for token in self.auth_providers: assert_raises(Forbidden, getattr(require, 'token').update, token) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.taskrun.current_user', new=mock_anonymous) def test_anonymous_user_read(self): """Test anonymous user is not allowed to read an oauth token""" with self.flask_app.test_request_context('/'): for token in self.auth_providers: assert_raises(Unauthorized, getattr(require, 'token').read, token) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.taskrun.current_user', new=mock_authenticated) def test_authenticated_user_read(self): """Test authenticated user is allowed to read his own oauth tokens""" with self.flask_app.test_request_context('/'): for token in self.auth_providers: assert_raises(Forbidden, getattr(require, 'token').read, token)
class TestTaskrunAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_first_taskrun(self): """Test anonymous user can create a taskrun for a given task if he hasn't already done it""" task = TaskFactory.create() taskrun = AnonymousTaskRunFactory.build(task=task) assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_repeated_taskrun(self): """Test anonymous user cannot create two taskruns for the same task""" task = TaskFactory.create() taskrun1 = AnonymousTaskRunFactory.create(task=task) taskrun2 = AnonymousTaskRunFactory.build(task=task) assert_raises(Forbidden, ensure_authorized_to, 'create', taskrun2) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_taskrun(self): """Test anonymous user can create a taskrun for a task even though he has posted taskruns for different tasks in the same project""" project = ProjectFactory.create() tasks = TaskFactory.create_batch(2, project=project) taskrun1 = AnonymousTaskRunFactory.create(task=tasks[0]) taskrun2 = AnonymousTaskRunFactory.build(task_id=tasks[1].id, project_id=project.id) assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun2) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_taskrun_non_allow_anonymous_contrib(self): """Test anonymous user cannot create a taskrun for a project that does not allow for anonymous contributors""" project = ProjectFactory.create(allow_anonymous_contributors=False) task = TaskFactory.create(project=project) taskrun = AnonymousTaskRunFactory.build(task=task) assert_raises(Unauthorized, ensure_authorized_to, 'create', taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_can_create_taskrun_for_draft_project(self): """Test anonymous users can create a taskrun for a project that is a draft""" project = ProjectFactory.create(published=False) task = TaskFactory.create(project=project) taskrun = AnonymousTaskRunFactory.build(task_id=task.id, project_id=project.id) assert_not_raises(Forbidden, ensure_authorized_to, 'create', taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_create_first_taskrun(self): """Test authenticated user can create a taskrun for a given task if he hasn't already done it""" task = TaskFactory.create() taskrun = TaskRunFactory.build(task_id=task.id, project_id=task.project_id, user_id=self.mock_authenticated.id) assert self.mock_authenticated.id == taskrun.user_id, taskrun assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_create_repeated_taskrun(self): """Test authenticated user cannot create two taskruns for the same task""" task = TaskFactory.create() taskrun1 = TaskRunFactory.create(task=task) taskrun2 = TaskRunFactory.build(task=task, user=taskrun1.user) assert self.mock_authenticated.id == taskrun1.user.id assert_raises(Forbidden, ensure_authorized_to, 'create', taskrun2) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_create_taskrun(self): """Test authenticated user can create a taskrun for a task even though he has posted taskruns for different tasks in the same project""" user = UserFactory.create_batch(2)[1] project = ProjectFactory.create() tasks = TaskFactory.create_batch(2, project=project) taskrun1 = TaskRunFactory.create(task=tasks[0], user=user) taskrun2 = TaskRunFactory.build(task_id=tasks[1].id, user_id=user.id, project_id=tasks[1].project_id) assert self.mock_authenticated.id == taskrun2.user_id assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun2) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_create_taskrun_non_allow_anonymous_contrib( self): """Test authenticated user can create a taskrun for a project that does not allow for anonymous contributors""" project = ProjectFactory.create(allow_anonymous_contributors=False) task = TaskFactory.create(project=project) taskrun = TaskRunFactory.build(task_id=task.id, project_id=project.id) assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_can_create_taskrun_for_draft_project(self): """Test authenticated users can create a taskrun for a project that is a draft""" project = ProjectFactory.create(published=False) task = TaskFactory.create(project=project) taskrun = TaskRunFactory.build(task_id=task.id, project_id=project.id) assert_not_raises(Forbidden, ensure_authorized_to, 'create', taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read(self): """Test anonymous user cannot read any taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() user_taskrun = TaskRunFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'read', anonymous_taskrun) assert_raises(Unauthorized, ensure_authorized_to, 'read', user_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_read(self): """Test authenticated user cannot read any taskrun""" own_taskrun = TaskRunFactory.create() anonymous_taskrun = AnonymousTaskRunFactory.create() other_users_taskrun = TaskRunFactory.create() assert self.mock_authenticated.id == own_taskrun.user.id assert self.mock_authenticated.id != other_users_taskrun.user.id assert_not_raises(Forbidden, ensure_authorized_to, 'read', anonymous_taskrun) assert_not_raises(Forbidden, ensure_authorized_to, 'read', own_taskrun) assert_not_raises(Forbidden, ensure_authorized_to, 'read', other_users_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_update_anoymous_taskrun_result(self): """Test anonymous users cannot update an anonymously posted taskrun with result""" task = TaskFactory.create(n_answers=1) anonymous_taskrun = AnonymousTaskRunFactory.create(task=task) assert_raises(Unauthorized, ensure_authorized_to, 'update', anonymous_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_update_anoymous_taskrun(self): """Test anonymous users cannot update an anonymously posted taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'read', anonymous_taskrun) assert_raises(Unauthorized, ensure_authorized_to, 'update', anonymous_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_update_anonymous_taskrun(self): """Test authenticated users cannot update an anonymously posted taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Forbidden, ensure_authorized_to, 'update', anonymous_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_update_anonymous_taskrun_result(self): """Test admins cannot update anonymously posted taskruns when there is a result associated.""" task = TaskFactory.create(n_answers=1) anonymous_taskrun = AnonymousTaskRunFactory.create(task=task) assert_raises(Forbidden, ensure_authorized_to, 'update', anonymous_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_update_anonymous_taskrun(self): """Test admins can update anonymously posted taskruns when no result is associated.""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_not_raises(Exception, ensure_authorized_to, 'update', anonymous_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_update_user_taskrun(self): """Test anonymous user cannot update taskruns posted by authenticated users""" user_taskrun = TaskRunFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'update', user_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_update_other_users_taskrun(self): """Test authenticated user cannot update any user taskrun except own.""" own_taskrun = TaskRunFactory.create() other_users_taskrun = TaskRunFactory.create() assert self.mock_authenticated.id == own_taskrun.user.id assert self.mock_authenticated.id != other_users_taskrun.user.id assert_not_raises(Exception, ensure_authorized_to, 'update', own_taskrun) assert_raises(Forbidden, ensure_authorized_to, 'update', other_users_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_update_other_users_taskrun_result(self): """Test authenticated user cannot update any user taskrun when task runs have associated results.""" task = TaskFactory.create(n_answers=1) own_taskrun = TaskRunFactory.create(task=task) task2 = TaskFactory.create(n_answers=1) other_users_taskrun = TaskRunFactory.create(task=task2) assert self.mock_authenticated.id == own_taskrun.user.id assert self.mock_authenticated.id != other_users_taskrun.user.id assert_raises(Forbidden, ensure_authorized_to, 'update', own_taskrun) assert_raises(Forbidden, ensure_authorized_to, 'update', other_users_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_update_user_taskrun(self): """Test admins can update taskruns posted by authenticated when there is no result associated.""" user_taskrun = TaskRunFactory.create() assert self.mock_admin.id != user_taskrun.user.id assert_not_raises(Exception, ensure_authorized_to, 'update', user_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_update_user_taskrun_with_result(self): """Test admins cannot update taskruns posted by authenticated when there is a result associated.""" task = TaskFactory.create(n_answers=1) user_taskrun = TaskRunFactory.create(task=task) assert self.mock_admin.id != user_taskrun.user.id assert_raises(Forbidden, ensure_authorized_to, 'update', user_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_delete_anonymous_taskrun(self): """Test anonymous users cannot delete an anonymously posted taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'delete', anonymous_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_delete_anonymous_taskrun(self): """Test authenticated users cannot delete an anonymously posted taskrun""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_raises(Forbidden, ensure_authorized_to, 'delete', anonymous_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_delete_anonymous_taskrun(self): """Test admins can delete anonymously posted taskruns""" anonymous_taskrun = AnonymousTaskRunFactory.create() assert_not_raises(Exception, ensure_authorized_to, 'delete', anonymous_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_delete_user_taskrun(self): """Test anonymous user cannot delete taskruns posted by authenticated users""" user_taskrun = TaskRunFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'delete', user_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_delete_other_users_taskrun(self): """Test authenticated user cannot delete a taskrun if it was created by another authenticated user, but can delete his own taskruns""" own_taskrun = TaskRunFactory.create() other_users_taskrun = TaskRunFactory.create() assert self.mock_authenticated.id == own_taskrun.user.id assert self.mock_authenticated.id != other_users_taskrun.user.id assert_not_raises(Exception, ensure_authorized_to, 'delete', own_taskrun) assert_raises(Forbidden, ensure_authorized_to, 'delete', other_users_taskrun) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_delete_user_taskrun(self): """Test admins can delete taskruns posted by authenticated users""" user_taskrun = TaskRunFactory.create() assert self.mock_admin.id != user_taskrun.user.id, user_taskrun.user.id assert_not_raises(Exception, ensure_authorized_to, 'delete', user_taskrun)
class TestBlogpostAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_create_given_blogpost(self): """Test anonymous users cannot create a given blogpost""" app = AppFactory.create() blogpost = BlogpostFactory.build(app=app, owner=None) assert_raises(Unauthorized, getattr(require, 'blogpost').create, blogpost) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_create_blogposts_for_given_app(self): """Test anonymous users cannot create blogposts for a given project""" app = AppFactory.create() assert_raises(Unauthorized, getattr(require, 'blogpost').create, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_create_blogposts(self): """Test anonymous users cannot create any blogposts""" assert_raises(Unauthorized, getattr(require, 'blogpost').create) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.blogpost.current_user', new=mock_admin) def test_non_owner_authenticated_user_create_given_blogpost(self): """Test authenticated user cannot create a given blogpost if is not the project owner, even if is admin""" admin = UserFactory.create() app = AppFactory.create() blogpost = BlogpostFactory.build(app=app, owner=admin) assert self.mock_admin.id != app.owner.id assert_raises(Forbidden, getattr(require, 'blogpost').create, blogpost) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.blogpost.current_user', new=mock_admin) def test_non_owner_authenticated_user_create_blogpost_for_given_app(self): """Test authenticated user cannot create blogposts for a given project if is not the project owner, even if is admin""" owner = UserFactory.create_batch(2)[1] app = AppFactory.create(owner=owner) assert self.mock_admin.id != app.owner.id assert_raises(Forbidden, getattr(require, 'blogpost').create, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_create_given_blogpost(self): """Test authenticated user can create a given blogpost if is project owner""" owner = UserFactory.create_batch(2)[1] app = AppFactory.create(owner=owner) blogpost = BlogpostFactory.build(app=app, owner=owner) assert self.mock_authenticated.id == app.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').create, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_create_blogpost_for_given_app(self): """Test authenticated user can create blogposts for a given project if is project owner""" owner = UserFactory.create_batch(2)[1] app = AppFactory.create(owner=owner) assert self.mock_authenticated.id == app.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').create, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_create_blogpost_as_other_user(self): """Test authenticated user cannot create blogpost if is project owner but sets another person as the author of the blogpost""" another_user = UserFactory.create() app = AppFactory.create() blogpost = BlogpostFactory.build(app_id=app.id, owner=another_user) assert self.mock_authenticated.id == app.owner.id assert_raises(Forbidden, getattr(require, 'blogpost').create, blogpost) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_read_given_blogpost(self): """Test anonymous users can read a given blogpost""" app = AppFactory.create() blogpost = BlogpostFactory.create(app=app) assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_read_blogposts_for_given_app(self): """Test anonymous users can read blogposts of a given project""" app = AppFactory.create() assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_read_given_blogpost_hidden_app(self): """Test anonymous users cannot read a given blogpost of a hidden project""" app = AppFactory.create(hidden=1) blogpost = BlogpostFactory.create(app=app) assert_raises(Unauthorized, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_read_blogposts_for_given_hidden_app(self): """Test anonymous users cannot read blogposts of a given project if is hidden""" app = AppFactory.create(hidden=1) assert_raises(Unauthorized, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_given_blogpost(self): """Test authenticated user can read a given blogpost if is not the project owner""" app = AppFactory.create() user = UserFactory.create() blogpost = BlogpostFactory.create(app=app) assert self.mock_authenticated.id != app.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_blogposts_for_given_app(self): """Test authenticated user can read blogposts of a given project if is not the project owner""" app = AppFactory.create() user = UserFactory.create() assert self.mock_authenticated.id != app.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_given_blogpost_hidden_app(self): """Test authenticated user cannot read a given blogpost of a hidden project if is not the project owner""" app = AppFactory.create(hidden=1) user = UserFactory.create() blogpost = BlogpostFactory.create(app=app) assert self.mock_authenticated.id != app.owner.id assert_raises(Forbidden, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_blogposts_for_given_hidden_app( self): """Test authenticated user cannot read blogposts of a given project if is hidden and is not the project owner""" app = AppFactory.create(hidden=1) user = UserFactory.create() assert self.mock_authenticated.id != app.owner.id assert_raises(Forbidden, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_read_given_blogpost(self): """Test authenticated user can read a given blogpost if is the project owner""" owner = UserFactory.create_batch(2)[1] app = AppFactory.create(owner=owner) blogpost = BlogpostFactory.create(app=app) assert self.mock_authenticated.id == app.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_read_blogposts_for_given_app(self): """Test authenticated user can read blogposts of a given project if is the project owner""" owner = UserFactory.create_batch(2)[1] app = AppFactory.create(owner=owner) assert self.mock_authenticated.id == app.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_read_given_blogpost_hidden_app(self): """Test authenticated user can read a given blogpost of a hidden project if is the project owner""" owner = UserFactory.create_batch(2)[1] app = AppFactory.create(owner=owner, hidden=1) blogpost = BlogpostFactory.create(app=app) assert self.mock_authenticated.id == app.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_read_blogposts_for_given_hidden_app(self): """Test authenticated user can read blogposts of a given hidden project if is the project owner""" owner = UserFactory.create_batch(2)[1] app = AppFactory.create(owner=owner, hidden=1) assert self.mock_authenticated.id == app.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.blogpost.current_user', new=mock_admin) def test_admin_read_given_blogpost_hidden_app(self): """Test admin can read a given blogpost of a hidden project""" admin = UserFactory.create() app = AppFactory.create(hidden=1) blogpost = BlogpostFactory.create(app=app) assert self.mock_admin.id != app.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.blogpost.current_user', new=mock_admin) def test_admin_read_blogposts_for_given_hidden_app(self): """Test admin can read blogposts of a given hidden project""" admin = UserFactory.create() app = AppFactory.create(hidden=1) assert self.mock_admin.id != app.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_update_blogpost(self): """Test anonymous users cannot update blogposts""" blogpost = BlogpostFactory.create() assert_raises(Unauthorized, getattr(require, 'blogpost').update, blogpost) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.blogpost.current_user', new=mock_admin) def test_non_owner_authenticated_user_update_blogpost(self): """Test authenticated user cannot update a blogpost if is not the post owner, even if is admin""" admin = UserFactory.create() app = AppFactory.create() blogpost = BlogpostFactory.create(app=app) assert self.mock_admin.id != blogpost.owner.id assert_raises(Forbidden, getattr(require, 'blogpost').update, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_update_blogpost(self): """Test authenticated user can update blogpost if is the post owner""" owner = UserFactory.create_batch(2)[1] app = AppFactory.create() blogpost = BlogpostFactory.create(app=app, owner=owner) assert self.mock_authenticated.id == blogpost.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').update, blogpost) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_delete_blogpost(self): """Test anonymous users cannot delete blogposts""" blogpost = BlogpostFactory.create() assert_raises(Unauthorized, getattr(require, 'blogpost').delete, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_delete_blogpost(self): """Test authenticated user cannot delete a blogpost if is not the post owner and is not admin""" blogpost = BlogpostFactory.create() assert self.mock_authenticated.id != blogpost.owner.id assert not self.mock_authenticated.admin assert_raises(Forbidden, getattr(require, 'blogpost').delete, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_delete_blogpost(self): """Test authenticated user can delete a blogpost if is the post owner""" owner = UserFactory.create_batch(2)[1] app = AppFactory.create() blogpost = BlogpostFactory.create(app=app, owner=owner) assert self.mock_authenticated.id == blogpost.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').delete, blogpost) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.blogpost.current_user', new=mock_admin) def test_admin_authenticated_user_delete_blogpost(self): """Test authenticated user can delete any blogpost if is admin""" admin = UserFactory.create() blogpost = BlogpostFactory.create() assert self.mock_admin.id != blogpost.owner.id assert_not_raises(Exception, getattr(require, 'blogpost').delete, blogpost)
class TestBlogpostAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_given_blogpost(self): """Test anonymous users cannot create a given blogpost""" project = ProjectFactory.create() blogpost = BlogpostFactory.build(project=project, owner=None) assert_raises(Unauthorized, ensure_authorized_to, 'create', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_blogposts_for_given_project(self): """Test anonymous users cannot create blogposts for a given project""" project = ProjectFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'create', Blogpost, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_blogposts(self): """Test anonymous users cannot create any blogposts""" assert_raises(Unauthorized, ensure_authorized_to, 'create', Blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_non_owner_authenticated_user_create_given_blogpost(self): """Test authenticated user cannot create a given blogpost if is not the project owner, even if is admin""" admin = UserFactory.create() project = ProjectFactory.create() blogpost = BlogpostFactory.build(project=project, owner=admin) assert self.mock_admin.id != project.owner_id assert_raises(Forbidden, ensure_authorized_to, 'create', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_non_owner_authenticated_user_create_blogpost_for_given_project(self): """Test authenticated user cannot create blogposts for a given project if is not the project owner, even if is admin""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner) assert self.mock_admin.id != project.owner.id assert_raises(Forbidden, ensure_authorized_to, 'create', Blogpost, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_create_given_blogpost(self): """Test authenticated user can create a given blogpost if is project owner""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner) blogpost = BlogpostFactory.build(project=project, owner=owner) assert self.mock_authenticated.id == project.owner_id assert_not_raises(Exception, ensure_authorized_to, 'create', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_create_blogpost_for_given_project(self): """Test authenticated user can create blogposts for a given project if is project owner""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'create', Blogpost, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_create_blogpost_as_other_user(self): """Test authenticated user cannot create blogpost if is project owner but sets another person as the author of the blogpost""" another_user = UserFactory.create() project = ProjectFactory.create() blogpost = BlogpostFactory.build(project_id=project.id, owner=another_user) assert self.mock_authenticated.id == project.owner_id assert_raises(Forbidden, ensure_authorized_to, 'create', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read_given_blogpost(self): """Test anonymous users can read a given blogpost""" project = ProjectFactory.create(published=True) blogpost = BlogpostFactory.create(project=project) assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read_blogposts_for_given_project(self): """Test anonymous users can read blogposts of a given project""" project = ProjectFactory.create(published=True) assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read_given_blogpost_draft_project(self): """Test anonymous users cannot read a given blogpost of a draft project""" project = ProjectFactory.create(published=False) blogpost = BlogpostFactory.create(project=project) assert_raises(Unauthorized, ensure_authorized_to, 'read', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read_blogposts_for_given_draft_project(self): """Test anonymous users cannot read blogposts of a given project if is a draft""" project = ProjectFactory.create(published=False) assert_raises(Unauthorized, ensure_authorized_to, 'read', Blogpost, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_given_blogpost(self): """Test authenticated user can read a given blogpost if is not the project owner""" project = ProjectFactory.create(published=True) user = UserFactory.create() blogpost = BlogpostFactory.create(project=project) assert self.mock_authenticated.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_blogposts_for_given_project(self): """Test authenticated user can read blogposts of a given project if is not the project owner""" project = ProjectFactory.create(published=True) user = UserFactory.create() assert self.mock_authenticated.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_given_blogpost_draft_project(self): """Test authenticated user cannot read a given blogpost of a draft project if is not the project owner""" project = ProjectFactory.create(published=False) user = UserFactory.create() blogpost = BlogpostFactory.create(project=project) assert self.mock_authenticated.id != project.owner.id assert_raises(Forbidden, ensure_authorized_to, 'read', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_blogposts_for_given_draft_project(self): """Test authenticated user cannot read blogposts of a given project if is a draft and is not the project owner""" project = ProjectFactory.create(published=False) user = UserFactory.create() assert self.mock_authenticated.id != project.owner.id assert_raises(Forbidden, ensure_authorized_to, 'read', Blogpost, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_read_given_blogpost(self): """Test authenticated user can read a given blogpost if is the project owner""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner, published=True) blogpost = BlogpostFactory.create(project=project) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_read_blogposts_for_given_project(self): """Test authenticated user can read blogposts of a given project if is the project owner""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner, published=True) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_read_given_blogpost_draft_project(self): """Test authenticated user can read a given blogpost of a draft project if is the project owner""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner, published=False) blogpost = BlogpostFactory.create(project=project) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_read_blogposts_for_given_draft_project(self): """Test authenticated user can read blogposts of a given draft project if is the project owner""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner, published=False) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_read_given_blogpost_draft_project(self): """Test admin can read a given blogpost of a draft project""" admin = UserFactory.create() project = ProjectFactory.create(published=False) blogpost = BlogpostFactory.create(project=project) assert self.mock_admin.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_read_blogposts_for_given_draft_project(self): """Test admin can read blogposts of a given draft project""" admin = UserFactory.create() project = ProjectFactory.create(published=False) assert self.mock_admin.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_update_blogpost(self): """Test anonymous users cannot update blogposts""" blogpost = BlogpostFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'update', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_non_owner_authenticated_user_update_blogpost(self): """Test authenticated user cannot update a blogpost if is not the post owner, even if is admin""" admin = UserFactory.create() project = ProjectFactory.create() blogpost = BlogpostFactory.create(project=project) assert self.mock_admin.id != blogpost.owner.id assert_raises(Forbidden, ensure_authorized_to, 'update', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_update_blogpost(self): """Test authenticated user can update blogpost if is the post owner""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create() blogpost = BlogpostFactory.create(project=project, owner=owner) assert self.mock_authenticated.id == blogpost.owner.id assert_not_raises(Exception, ensure_authorized_to, 'update', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_delete_blogpost(self): """Test anonymous users cannot delete blogposts""" blogpost = BlogpostFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'delete', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_delete_blogpost(self): """Test authenticated user cannot delete a blogpost if is not the post owner and is not admin""" blogpost = BlogpostFactory.create() assert self.mock_authenticated.id != blogpost.owner.id assert not self.mock_authenticated.admin assert_raises(Forbidden, ensure_authorized_to, 'delete', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_delete_blogpost(self): """Test authenticated user can delete a blogpost if is the post owner""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create() blogpost = BlogpostFactory.create(project=project, owner=owner) assert self.mock_authenticated.id == blogpost.owner.id assert_not_raises(Exception, ensure_authorized_to, 'delete', blogpost) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_authenticated_user_delete_blogpost(self): """Test authenticated user can delete any blogpost if is admin""" admin = UserFactory.create() blogpost = BlogpostFactory.create() assert self.mock_admin.id != blogpost.owner.id assert_not_raises(Exception, ensure_authorized_to, 'delete', blogpost)
class TestPageAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_given_page(self): """Test anonymous users cannot create pages for a project""" project = ProjectFactory.create() page = PageFactory.build(project_id=project.id) assert_raises(Unauthorized, ensure_authorized_to, 'create', page) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_pages_for_given_project(self): """Test anonymous users cannot create pages for a given project""" project = ProjectFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'create', Page, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_create_pages(self): """Test anonymous users cannot create any pages""" assert_raises(Unauthorized, ensure_authorized_to, 'create', Page) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_create_given_page(self): """Test authenticated user cannot create a given page if is not the project owner""" project = ProjectFactory.create() page = PageFactory.build(project_id=project.id) assert self.mock_authenticated.id != project.owner_id assert_raises(Forbidden, ensure_authorized_to, 'create', page) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_create_page_for_given_project(self): """Test authenticated user cannot create pages for a given project if is not the project owner""" owner = UserFactory.create(id=3) project = ProjectFactory.create(owner=owner) assert self.mock_authenticated.id != project.owner.id assert_raises(Forbidden, ensure_authorized_to, 'create', Page, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_create_given_page(self): """Test authenticated user can create a given page if it's project owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner) page = PageFactory.build(project_id=project.id) assert self.mock_authenticated.id == project.owner_id assert_not_raises(Exception, ensure_authorized_to, 'create', page) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_create_page_for_given_project(self): """Test authenticated user can create pages for a given project if it's project owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'create', Page, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_create_page_for_given_project(self): """Test admin user can create pages for a given project even if it's not project owner""" owner = UserFactory.create(id=5) project = ProjectFactory.create(owner=owner) assert self.mock_admin.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'create', Page, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read_given_page(self): """Test anonymous users can read a given page""" project = ProjectFactory.create(published=True) page = PageFactory.create(project_id=project.id) assert_not_raises(Exception, ensure_authorized_to, 'read', page) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read_pages_for_given_project(self): """Test anonymous users can read pages of a given project""" project = ProjectFactory.create(published=True) assert_not_raises(Exception, ensure_authorized_to, 'read', Page, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read_given_page_draft_project(self): """Test anonymous users cannot read a given page of a draft project""" project = ProjectFactory.create(published=False) page = PageFactory.create(project_id=project.id) assert_raises(Unauthorized, ensure_authorized_to, 'read', page) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_read_pages_for_given_draft_project(self): """Test anonymous users cannot read pages of a given project if is a draft""" project = ProjectFactory.create(published=False) assert_raises(Unauthorized, ensure_authorized_to, 'read', Page, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_given_page(self): """Test authenticated user can read a given page if is not the project owner""" project = ProjectFactory.create(published=True) page = PageFactory.create(project_id=project.id) assert self.mock_authenticated.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', page) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_pages_for_given_project(self): """Test authenticated user can read pages of a given project if is not the project owner""" project = ProjectFactory.create(published=True) assert self.mock_authenticated.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', Page, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_given_page_draft_project(self): """Test authenticated user cannot read a given page of a draft project if is not the project owner""" project = ProjectFactory.create(published=False) page = PageFactory.create(project_id=project.id) assert self.mock_authenticated.id != project.owner.id assert_raises(Forbidden, ensure_authorized_to, 'read', page) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_pages_for_given_draft_project( self): """Test authenticated user cannot read pages of a given project if is a draft and is not the project owner""" project = ProjectFactory.create(published=False) assert self.mock_authenticated.id != project.owner.id assert_raises(Forbidden, ensure_authorized_to, 'read', Page, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_read_given_page(self): """Test authenticated user can read a given page if is the project owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner, published=True) page = PageFactory.create(project_id=project.id) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', page) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_read_pages_for_given_project(self): """Test authenticated user can read pages of a given project if is the project owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner, published=True) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', Page, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_read_given_page_draft_project(self): """Test authenticated user can read a given page of a draft project if it's the project owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner, published=False) page = PageFactory.create(project_id=project.id) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', page) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_read_pages_for_given_draft_project(self): """Test authenticated user can read pages of a given draft project if it's the project owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner, published=False) assert self.mock_authenticated.id == project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', Page, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_read_given_page_draft_project(self): """Test admin can read a given page of a draft project""" owner = UserFactory.create(id=5) project = ProjectFactory.create(owner=owner, published=False) page = PageFactory.create(project_id=project.id) assert self.mock_admin.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', page) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_read_pages_for_given_draft_project(self): """Test admin can read pages of a given draft project""" owner = UserFactory.create(id=5) project = ProjectFactory.create(published=False, owner=owner) assert self.mock_admin.id != project.owner.id assert_not_raises(Exception, ensure_authorized_to, 'read', Page, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_update_page(self): """Test anonymous users cannot update pages""" project = ProjectFactory.create(published=True) page = PageFactory.create(project_id=project.id) assert_raises(Unauthorized, ensure_authorized_to, 'update', page) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_update_page(self): """Test authenticated user can update page if it's the project's page owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner) page = PageFactory.create(project_id=project.id) assert_not_raises(Exception, ensure_authorized_to, 'update', page) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_update_page(self): """Test admins can update page even if it's not the post owner""" owner = UserFactory.create(id=5) project = ProjectFactory.create(owner=owner) page = PageFactory.create(project_id=project.id) assert_not_raises(Exception, ensure_authorized_to, 'update', page) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_delete_page(self): """Test anonymous users cannot delete pages""" project = ProjectFactory.create(published=True) page = PageFactory.create(project_id=project.id) assert_raises(Unauthorized, ensure_authorized_to, 'delete', page) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_delete_page(self): """Test authenticated user cannot delete a page if is not the page's owner and is not admin""" owner = UserFactory.create(id=5) project = ProjectFactory.create(owner=owner, published=True) page = PageFactory.create(project_id=project.id) assert self.mock_authenticated.id != owner.id assert not self.mock_authenticated.admin assert_raises(Forbidden, ensure_authorized_to, 'delete', page) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_delete_page(self): """Test authenticated user can delete a page if is the page owner""" owner = UserFactory.create(id=2) project = ProjectFactory.create(owner=owner) page = PageFactory.create(project_id=project.id) assert self.mock_authenticated.id == owner.id assert_not_raises(Exception, ensure_authorized_to, 'delete', page) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_authenticated_user_delete_page(self): """Test authenticated user can delete any page if it's admin""" owner = UserFactory.create(id=5) project = ProjectFactory.create(owner=owner) page = PageFactory.create(project_id=project.id) assert self.mock_admin.id != owner.id assert_not_raises(Exception, ensure_authorized_to, 'delete', page)
class TestWebhookAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_read_webhook(self): """Test anonymous users cannot read a webhook""" project = ProjectFactory.create() webhook = WebhookFactory.create(project_id=project.id) assert_raises(Unauthorized, ensure_authorized_to, 'read', webhook) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_read_project_webhooks(self): """Test anonymous users cannot read webhooks of a specific project""" project = ProjectFactory.create() assert_raises(Unauthorized, ensure_authorized_to, 'read', Webhook, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_user_cannot_read_webhook(self): """Test owner users can read a webhook""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner) webhook = WebhookFactory.create(project_id=project.id) assert self.mock_authenticated.id == project.owner_id assert_not_raises(Exception, ensure_authorized_to, 'read', webhook) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_owner_user_cannot_read_project_webhooks(self): """Test owner users can read webhooks of a specific project""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner) assert_not_raises(Exception, ensure_authorized_to, 'read', Webhook, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_user_can_read_webhook(self): """Test admin users can read a webhook""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner) webhook = WebhookFactory.create(project_id=project.id) assert self.mock_admin.id != project.owner_id assert_not_raises(Exception, ensure_authorized_to, 'read', webhook) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_user_can_read_project_webhooks(self): """Test admin users can read webhooks from a project""" owner = UserFactory.create_batch(2)[1] project = ProjectFactory.create(owner=owner) assert self.mock_admin.id != project.owner_id assert_not_raises(Exception, ensure_authorized_to, 'read', Webhook, project_id=project.id) @with_context @patch('pybossa.auth.current_user', new=mock_anonymous) def test_anonymous_user_cannot_crud_webhook(self): """Test anonymous users cannot crud webhooks""" webhook = Webhook() assert_raises(Unauthorized, ensure_authorized_to, 'create', webhook) assert_raises(Unauthorized, ensure_authorized_to, 'update', webhook) assert_raises(Unauthorized, ensure_authorized_to, 'delete', webhook) @with_context @patch('pybossa.auth.current_user', new=mock_authenticated) def test_authenticated_user_cannot_crud_webhook(self): """Test authenticated users cannot crud webhooks""" webhook = Webhook() assert_raises(Forbidden, ensure_authorized_to, 'create', webhook) assert_raises(Forbidden, ensure_authorized_to, 'update', webhook) assert_raises(Forbidden, ensure_authorized_to, 'delete', webhook) @with_context @patch('pybossa.auth.current_user', new=mock_admin) def test_admin_user_cannot_crud_webhook(self): """Test admin users cannot crud webhooks""" webhook = Webhook() assert_raises(Forbidden, ensure_authorized_to, 'create', webhook) assert_raises(Forbidden, ensure_authorized_to, 'update', webhook) assert_raises(Forbidden, ensure_authorized_to, 'delete', webhook)
class TestBlogpostAuthorization(Test): mock_anonymous = mock_current_user() mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2) mock_admin = mock_current_user(anonymous=False, admin=True, id=1) def setUp(self): super(TestBlogpostAuthorization, self).setUp() with self.flask_app.app_context(): self.create() @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_create_given_blogpost(self): """Test anonymous users cannot create a given blogpost""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() blogpost = Blogpost(title='title', app_id=app.id, owner=None) assert_raises(Unauthorized, getattr(require, 'blogpost').create, blogpost) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_create_blogposts_for_given_app(self): """Test anonymous users cannot create blogposts for a given app""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() assert_raises(Unauthorized, getattr(require, 'blogpost').create, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_create_blogposts(self): """Test anonymous users cannot create any blogposts""" with self.flask_app.test_request_context('/'): assert_raises(Unauthorized, getattr(require, 'blogpost').create) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.blogpost.current_user', new=mock_admin) def test_non_owner_authenticated_user_create_given_blogpost(self): """Test authenticated user cannot create a given blogpost if is not the app owner, even if is admin""" with self.flask_app.app_context(): app = db.session.query(App).first() root = db.session.query(User).first() blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=root.id) assert_raises(Forbidden, getattr(require, 'blogpost').create, blogpost) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.blogpost.current_user', new=mock_admin) def test_non_owner_authenticated_user_create_blogpost_for_given_app(self): """Test authenticated user cannot create blogposts for a given app if is not the app owner, even if is admin""" with self.flask_app.app_context(): app = db.session.query(App).first() assert_raises(Forbidden, getattr(require, 'blogpost').create, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_create_given_blogpost(self): """Test authenticated user can create a given blogpost if is app owner""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() user1 = db.session.query(User).get(2) blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id) assert_not_raises(Exception, getattr(require, 'blogpost').create, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_create_blogpost_for_given_app(self): """Test authenticated user can create blogposts for a given app if is app owner""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() assert_not_raises(Exception, getattr(require, 'blogpost').create, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_create_blogpost_as_other_user(self): """Test authenticated user cannot create blogpost if is app owner but sets another person as the author of the blogpost""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() user2 = db.session.query(User).get(3) blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user2.id) assert_raises(Forbidden, getattr(require, 'blogpost').create, blogpost) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_read_given_blogpost(self): """Test anonymous users can read a given blogpost""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() blogpost = Blogpost(title='title', body='body', app_id=app.id, owner=None) db.session.add(blogpost) db.session.commit() assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_read_blogposts_for_given_app(self): """Test anonymous users can read blogposts of a given app""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_read_given_blogpost_hidden_app(self): """Test anonymous users cannot read a given blogpost of a hidden app""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() app.hidden = 1 blogpost = Blogpost(title='title', body='body', app_id=app.id, owner=None) db.session.add(blogpost) db.session.commit() assert_raises(Unauthorized, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_read_blogposts_for_given_hidden_app(self): """Test anonymous users cannot read blogposts of a given app if is hidden""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() app.hidden = 1 assert_raises(Unauthorized, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_given_blogpost(self): """Test authenticated user can read a given blogpost if is not the app owner""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() root = db.session.query(User).get(1) app.owner = root blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=root.id) db.session.add(blogpost) db.session.commit() assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_blogposts_for_given_app(self): """Test authenticated user can read blogposts of a given app if is not the app owner""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() root = db.session.query(User).get(1) app.owner = root db.session.commit() assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_given_blogpost_hidden_app(self): """Test authenticated user cannot read a given blogpost of a hidden app if is not the app owner""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() root = db.session.query(User).get(1) app.hidden = 1 app.owner = root blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=root.id) db.session.add(blogpost) db.session.commit() assert_raises(Forbidden, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_read_blogposts_for_given_hidden_app(self): """Test authenticated user cannot read blogposts of a given app if is hidden and is not the app owner""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() root = db.session.query(User).get(1) app.hidden = 1 app.owner = root db.session.commit() assert_raises(Forbidden, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_read_given_blogpost(self): """Test authenticated user can read a given blogpost if is the app owner""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() user1 = db.session.query(User).get(2) blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id) db.session.add(blogpost) db.session.commit() assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_read_blogposts_for_given_app(self): """Test authenticated user can read blogposts of a given app if is the owner""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_read_given_blogpost_hidden_app(self): """Test authenticated user can read a given blogpost of a hidden app if is the app owner""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() user1 = db.session.query(User).get(2) blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id) db.session.add(blogpost) db.session.commit() assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_read_blogposts_for_given_hidden_app(self): """Test authenticated user can read blogposts of a given hidden app if is the app owner""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() app.hidden = 1 assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.blogpost.current_user', new=mock_admin) def test_admin_read_given_blogpost_hidden_app(self): """Test admin can read a given blogpost of a hidden app""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() app.hidden = 1 user1 = db.session.query(User).get(2) blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id) db.session.add(blogpost) db.session.commit() assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.blogpost.current_user', new=mock_admin) def test_admin_read_blogposts_for_given_hidden_app(self): """Test admin can read blogposts of a given hidden app""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() app.hidden = 1 assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_update_blogpost(self): """Test anonymous users cannot update blogposts""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() blogpost = Blogpost(title='title', body='body', app_id=app.id, owner=None) db.session.add(blogpost) db.session.commit() assert_raises(Unauthorized, getattr(require, 'blogpost').update, blogpost) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.blogpost.current_user', new=mock_admin) def test_non_owner_authenticated_user_update_blogpost(self): """Test authenticated user cannot update a blogpost if is not the post owner, even if is admin""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() user1 = db.session.query(User).get(2) blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id) db.session.add(blogpost) db.session.commit() assert_raises(Forbidden, getattr(require, 'blogpost').update, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_update_blogpost(self): """Test authenticated user can update blogpost if is the post owner""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() user1 = db.session.query(User).get(2) blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id) db.session.add(blogpost) db.session.commit() assert_not_raises(Exception, getattr(require, 'blogpost').update, blogpost) @patch('pybossa.auth.current_user', new=mock_anonymous) @patch('pybossa.auth.blogpost.current_user', new=mock_anonymous) def test_anonymous_user_delete_blogpost(self): """Test anonymous users cannot delete blogposts""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() blogpost = Blogpost(title='title', body='body', app_id=app.id, owner=None) db.session.add(blogpost) db.session.commit() assert_raises(Unauthorized, getattr(require, 'blogpost').delete, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_non_owner_authenticated_user_delete_blogpost(self): """Test authenticated user cannot delete a blogpost if is not the post owner or is not admin""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() root = db.session.query(User).get(1) blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=root.id) db.session.add(blogpost) db.session.commit() assert_raises(Forbidden, getattr(require, 'blogpost').delete, blogpost) @patch('pybossa.auth.current_user', new=mock_authenticated) @patch('pybossa.auth.blogpost.current_user', new=mock_authenticated) def test_owner_delete_blogpost(self): """Test authenticated user can delete blogpost if is the post owner""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() user1 = db.session.query(User).get(2) blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id) db.session.add(blogpost) db.session.commit() assert_not_raises(Exception, getattr(require, 'blogpost').delete, blogpost) @patch('pybossa.auth.current_user', new=mock_admin) @patch('pybossa.auth.blogpost.current_user', new=mock_admin) def test_admin_authenticated_user_delete_blogpost(self): """Test authenticated user can delete a blogpost if is admin""" with self.flask_app.test_request_context('/'): app = db.session.query(App).first() user1 = db.session.query(User).get(2) blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id) db.session.add(blogpost) db.session.commit() assert_not_raises(Exception, getattr(require, 'blogpost').delete, blogpost)