class TestProjectStatsAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
def prepare_stats(self):
project = ProjectFactory.create()
stats.update_stats(project.id)
return stats.get_stats(project.id, full=True)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_can_read_projectstats(self):
"""Test anonymous users can read projectstats"""
ps = self.prepare_stats()
assert_not_raises(Exception, ensure_authorized_to, 'read', ps)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_can_read_projectstats(self):
"""Test authenticated users can read projectstats"""
ps = self.prepare_stats()
assert_not_raises(Exception, ensure_authorized_to, 'read', ps)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_user_can_read_projectstats(self):
"""Test admin users can read projectstats"""
ps = self.prepare_stats()
assert_not_raises(Exception, ensure_authorized_to, 'read', ps)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_crud_projectstats(self):
"""Test anonymous users cannot crud projectstats"""
ps = self.prepare_stats()
assert_raises(Unauthorized, ensure_authorized_to, 'create', ps)
assert_raises(Unauthorized, ensure_authorized_to, 'update', ps)
assert_raises(Unauthorized, ensure_authorized_to, 'delete', ps)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_crud_projectstats(self):
"""Test authenticated users cannot crud project stats"""
ps = self.prepare_stats()
assert_raises(Forbidden, ensure_authorized_to, 'create', ps)
assert_raises(Forbidden, ensure_authorized_to, 'update', ps)
assert_raises(Forbidden, ensure_authorized_to, 'delete', ps)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_user_cannot_crud_projectstats(self):
"""Test admin users cannot crud project stats"""
ps = self.prepare_stats()
assert_raises(Forbidden, ensure_authorized_to, 'create', ps)
assert_raises(Forbidden, ensure_authorized_to, 'update', ps)
assert_raises(Forbidden, ensure_authorized_to, 'delete', ps)
class TestTaskAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_create(self):
"""Test anonymous users cannot create tasks"""
user = UserFactory.create()
app = AppFactory.create(owner=user)
task = TaskFactory.create(app=app)
with patch('pybossa.auth.task.current_user', new=self.mock_anonymous):
assert_raises(Unauthorized, getattr(require, 'task').create)
assert_not_raises(Forbidden, getattr(require, 'task').read, task)
assert_raises(Unauthorized, getattr(require, 'task').update, task)
assert_raises(Unauthorized, getattr(require, 'task').delete, task)
def test_project_owner_can_crud(self):
"""Test project owner can crud tasks"""
user = UserFactory.create()
app = AppFactory.create(owner=user)
task = TaskFactory.create(app=app)
with patch('pybossa.auth.task.current_user', new=user):
assert_not_raises(Forbidden, getattr(require, 'task').create, task)
assert_not_raises(Forbidden, getattr(require, 'task').read, task)
assert_not_raises(Forbidden, getattr(require, 'task').update, task)
assert_not_raises(Forbidden, getattr(require, 'task').delete, task)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_not_project_owner_cannot_crud(self):
"""Test authenticated user cannot crud tasks"""
user = UserFactory.create()
user2 = UserFactory.create()
app = AppFactory.create(owner=user)
task = TaskFactory.create(app=app)
with patch('pybossa.auth.task.current_user', new=user2):
assert_raises(Forbidden, getattr(require, 'task').create, task)
assert_not_raises(Forbidden, getattr(require, 'task').read, task)
assert_raises(Forbidden, getattr(require, 'task').update, task)
assert_raises(Forbidden, getattr(require, 'task').delete, task)
def test_admin_can_crud(self):
"""Test admin user can crud tasks"""
user = UserFactory.create()
user2 = UserFactory.create()
app = AppFactory.create(owner=user2)
task = TaskFactory.create(app=app)
with patch('pybossa.auth.task.current_user', new=user):
assert_not_raises(Forbidden, getattr(require, 'task').create, task)
assert_not_raises(Forbidden, getattr(require, 'task').read, task)
assert_not_raises(Forbidden, getattr(require, 'task').update, task)
assert_not_raises(Forbidden, getattr(require, 'task').delete, task)
class TestProjectAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_crud(self):
"""Test anonymous users cannot crud categories"""
category = CategoryFactory.build()
assert_raises(Unauthorized, ensure_authorized_to, 'create', category)
assert_not_raises(Exception, ensure_authorized_to, 'read', category)
assert_not_raises(Exception, ensure_authorized_to, 'read', Category)
assert_raises(Unauthorized, ensure_authorized_to, 'update', category)
assert_raises(Unauthorized, ensure_authorized_to, 'delete', category)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_can_crud(self):
"""Test authenticated users cannot crud categories"""
category = CategoryFactory.build()
assert_raises(Forbidden, ensure_authorized_to, 'create', category)
assert_not_raises(Exception, ensure_authorized_to, 'read', category)
assert_not_raises(Exception, ensure_authorized_to, 'read', Category)
assert_raises(Forbidden, ensure_authorized_to, 'update', category)
assert_raises(Forbidden, ensure_authorized_to, 'delete', category)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_can_crud(self):
"""Test admin user can crud categories"""
category = CategoryFactory.build()
assert_not_raises(Forbidden, ensure_authorized_to, 'create', category)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', category)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', Category)
assert_not_raises(Forbidden, ensure_authorized_to, 'update', category)
assert_not_raises(Forbidden, ensure_authorized_to, 'delete', category)
class TestTaskrunAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_create_first_taskrun(self):
"""Test anonymous user can create a taskrun for a given task if he
hasn't already done it"""
task = TaskFactory.create()
taskrun = AnonymousTaskRunFactory.build(task=task)
assert_not_raises(Exception,
getattr(require, 'taskrun').create, taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_create_repeated_taskrun(self):
"""Test anonymous user cannot create a taskrun for a task to which
he has previously posted a taskrun"""
task = TaskFactory.create()
taskrun1 = AnonymousTaskRunFactory.create(task=task)
taskrun2 = AnonymousTaskRunFactory.build(task=task)
assert_raises(Forbidden, getattr(require, 'taskrun').create, taskrun2)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_create_taskrun(self):
"""Test anonymous user can create a taskrun for a task even though
he has posted taskruns for different tasks in the same project"""
tasks = TaskFactory.create_batch(2)
taskrun1 = AnonymousTaskRunFactory.create(task=tasks[0])
taskrun2 = AnonymousTaskRunFactory.build(task_id=tasks[1].id)
assert_not_raises(Exception,
getattr(require, 'taskrun').create, taskrun2)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_create_taskrun_non_allow_anonymous_contrib(self):
"""Test anonymous user cannot create a taskrun for a project that does
not allow for anonymous contributors"""
project = AppFactory.create(allow_anonymous_contributors=False)
task = TaskFactory.create(app=project)
taskrun = AnonymousTaskRunFactory.build(task=task)
assert_raises(Unauthorized,
getattr(require, 'taskrun').create, taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_create_first_taskrun(self):
"""Test authenticated user can create a taskrun for a given task if he
hasn't already done it"""
task = TaskFactory.create()
taskrun = TaskRunFactory.build(task_id=task.id,
user_id=self.mock_authenticated.id)
assert self.mock_authenticated.id == taskrun.user_id, taskrun
assert_not_raises(Exception,
getattr(require, 'taskrun').create, taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_create_repeated_taskrun(self):
"""Test authenticated user cannot create a taskrun for a task to which
he has previously posted a taskrun"""
task = TaskFactory.create()
taskrun1 = TaskRunFactory.create(task=task)
taskrun2 = TaskRunFactory.build(task=task, user=taskrun1.user)
assert self.mock_authenticated.id == taskrun1.user.id
assert_raises(Forbidden, getattr(require, 'taskrun').create, taskrun2)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_create_taskrun(self):
"""Test authenticated user can create a taskrun for a task even though
he has posted taskruns for different tasks in the same project"""
user = UserFactory.create_batch(2)[1]
tasks = TaskFactory.create_batch(2)
taskrun1 = TaskRunFactory.create(task=tasks[0], user=user)
taskrun2 = TaskRunFactory.build(task_id=tasks[1].id, user_id=user.id)
assert self.mock_authenticated.id == taskrun2.user_id
assert_not_raises(Exception,
getattr(require, 'taskrun').create, taskrun2)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_create_taskrun_non_allow_anonymous_contrib(
self):
"""Test authenticated user can create a taskrun for a project that does
not allow for anonymous contributors"""
project = AppFactory.create(allow_anonymous_contributors=False)
task = TaskFactory.create(app=project)
taskrun = TaskRunFactory.build(task_id=task.id)
assert_not_raises(Exception,
getattr(require, 'taskrun').create, taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_read(self):
"""Test anonymous user can read any taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
user_taskrun = TaskRunFactory.create()
assert_not_raises(Exception,
getattr(require, 'taskrun').read, anonymous_taskrun)
assert_not_raises(Exception,
getattr(require, 'taskrun').read, user_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_read(self):
"""Test authenticated user can read any taskrun"""
own_taskrun = TaskRunFactory.create()
anonymous_taskrun = AnonymousTaskRunFactory.create()
other_users_taskrun = TaskRunFactory.create()
assert self.mock_authenticated.id == own_taskrun.user.id
assert self.mock_authenticated.id != other_users_taskrun.user.id
assert_not_raises(Exception,
getattr(require, 'taskrun').read, anonymous_taskrun)
assert_not_raises(Exception,
getattr(require, 'taskrun').read,
other_users_taskrun)
assert_not_raises(Exception,
getattr(require, 'taskrun').read, own_taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_update_anoymous_taskrun(self):
"""Test anonymous users cannot update an anonymously posted taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Unauthorized,
getattr(require, 'taskrun').update, anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_update_anonymous_taskrun(self):
"""Test authenticated users cannot update an anonymously posted taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Forbidden,
getattr(require, 'taskrun').update, anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.taskrun.current_user', new=mock_admin)
def test_admin_update_anonymous_taskrun(self):
"""Test admins cannot update anonymously posted taskruns"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Forbidden,
getattr(require, 'taskrun').update, anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_update_user_taskrun(self):
"""Test anonymous user cannot update taskruns posted by authenticated users"""
user_taskrun = TaskRunFactory.create()
assert_raises(Unauthorized,
getattr(require, 'taskrun').update, user_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_update_other_users_taskrun(self):
"""Test authenticated user cannot update any user taskrun"""
own_taskrun = TaskRunFactory.create()
other_users_taskrun = TaskRunFactory.create()
assert self.mock_authenticated.id == own_taskrun.user.id
assert self.mock_authenticated.id != other_users_taskrun.user.id
assert_raises(Forbidden,
getattr(require, 'taskrun').update, own_taskrun)
assert_raises(Forbidden,
getattr(require, 'taskrun').update, other_users_taskrun)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.taskrun.current_user', new=mock_admin)
def test_admin_update_user_taskrun(self):
"""Test admins cannot update taskruns posted by authenticated users"""
user_taskrun = TaskRunFactory.create()
assert self.mock_admin.id != user_taskrun.user.id
assert_raises(Forbidden,
getattr(require, 'taskrun').update, user_taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_delete_anonymous_taskrun(self):
"""Test anonymous users cannot delete an anonymously posted taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Unauthorized,
getattr(require, 'taskrun').delete, anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_delete_anonymous_taskrun(self):
"""Test authenticated users cannot delete an anonymously posted taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Forbidden,
getattr(require, 'taskrun').delete, anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.taskrun.current_user', new=mock_admin)
def test_admin_delete_anonymous_taskrun(self):
"""Test admins can delete anonymously posted taskruns"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_not_raises(Exception,
getattr(require, 'taskrun').delete,
anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_delete_user_taskrun(self):
"""Test anonymous user cannot delete taskruns posted by authenticated users"""
user_taskrun = TaskRunFactory.create()
assert_raises(Unauthorized,
getattr(require, 'taskrun').delete, user_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_delete_other_users_taskrun(self):
"""Test authenticated user cannot delete a taskrun if it was created
by another authenticated user, but can delete his own taskruns"""
own_taskrun = TaskRunFactory.create()
other_users_taskrun = TaskRunFactory.create()
assert self.mock_authenticated.id == own_taskrun.user.id
assert self.mock_authenticated.id != other_users_taskrun.user.id
assert_not_raises(Exception,
getattr(require, 'taskrun').delete, own_taskrun)
assert_raises(Forbidden,
getattr(require, 'taskrun').delete, other_users_taskrun)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.taskrun.current_user', new=mock_admin)
def test_admin_delete_user_taskrun(self):
"""Test admins can delete taskruns posted by authenticated users"""
user_taskrun = TaskRunFactory.create()
assert self.mock_admin.id != user_taskrun.user.id, user_taskrun.user.id
assert_not_raises(Exception,
getattr(require, 'taskrun').delete, user_taskrun)
class TestAuditlogAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_pro = mock_current_user(anonymous=False, admin=False, id=2, pro=True)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.auditlog.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_read_auditlog(self):
"""Test anonymous users cannot read auditlogs"""
log = AuditlogFactory.create()
assert_raises(Unauthorized, getattr(require, 'auditlog').read, log)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.auditlog.current_user', new=mock_authenticated)
def test_owner_user_cannot_read_auditlog(self):
"""Test owner users cannot read auditlogs"""
owner = UserFactory.create_batch(2)[1]
app = AppFactory.create(owner=owner)
log = AuditlogFactory.create(app_id=app.id)
assert self.mock_authenticated.id == app.owner_id
assert_raises(Forbidden, getattr(require, 'auditlog').read, log)
@patch('pybossa.auth.current_user', new=mock_pro)
@patch('pybossa.auth.auditlog.current_user', new=mock_pro)
def test_pro_user_can_read_auditlog(self):
"""Test pro users can read auditlogs from owned projects"""
owner = UserFactory.create_batch(2, pro=True)[1]
app = AppFactory.create(owner=owner)
log = AuditlogFactory.create(app_id=app.id)
assert self.mock_pro.id == app.owner_id
assert_not_raises(Exception, getattr(require, 'auditlog').read, log)
@patch('pybossa.auth.current_user', new=mock_pro)
@patch('pybossa.auth.auditlog.current_user', new=mock_pro)
def test_pro_user_cannot_read_auditlog(self):
"""Test pro users cannot read auditlogs from non-owned projects"""
users = UserFactory.create_batch(2, pro=True)
app = AppFactory.create(owner=users[0])
log = AuditlogFactory.create(app_id=app.id)
assert self.mock_pro.id != app.owner_id
assert_raises(Forbidden, getattr(require, 'auditlog').read, log)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.auditlog.current_user', new=mock_admin)
def test_admin_user_can_read_auditlog(self):
"""Test admin users can read auditlogs"""
owner = UserFactory.create_batch(2)[1]
app = AppFactory.create(owner=owner)
log = AuditlogFactory.create(app_id=app.id)
assert self.mock_admin.id != app.owner_id
assert_not_raises(Exception, getattr(require, 'auditlog').read, log)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.auditlog.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_crud_auditlog(self):
"""Test anonymous users cannot crud auditlogs"""
log = Auditlog()
assert_raises(Unauthorized, getattr(require, 'auditlog').create, log)
assert_raises(Unauthorized, getattr(require, 'auditlog').update, log)
assert_raises(Unauthorized, getattr(require, 'auditlog').delete, log)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.auditlog.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_crud_auditlog(self):
"""Test authenticated users cannot crud auditlogs"""
log = Auditlog()
assert_raises(Forbidden, getattr(require, 'auditlog').create, log)
assert_raises(Forbidden, getattr(require, 'auditlog').update, log)
assert_raises(Forbidden, getattr(require, 'auditlog').delete, log)
@patch('pybossa.auth.current_user', new=mock_pro)
@patch('pybossa.auth.auditlog.current_user', new=mock_pro)
def test_pro_user_cannot_crud_auditlog(self):
"""Test pro users cannot crud auditlogs"""
log = Auditlog()
assert_raises(Forbidden, getattr(require, 'auditlog').create, log)
assert_raises(Forbidden, getattr(require, 'auditlog').update, log)
assert_raises(Forbidden, getattr(require, 'auditlog').delete, log)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.auditlog.current_user', new=mock_admin)
def test_admin_user_cannot_crud_auditlog(self):
"""Test authenticated users cannot crud auditlogs"""
log = Auditlog()
assert_raises(Forbidden, getattr(require, 'auditlog').create, log)
assert_raises(Forbidden, getattr(require, 'auditlog').update, log)
assert_raises(Forbidden, getattr(require, 'auditlog').delete, log)
class TestTokenAuthorization(Test):
auth_providers = ('twitter', 'facebook', 'google')
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_delete(self):
"""Test anonymous user is not allowed to delete an oauth token"""
for token in self.auth_providers:
assert_raises(Unauthorized,
ensure_authorized_to,
'delete',
'token',
token=token)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_delete(self):
"""Test authenticated user is not allowed to delete an oauth token"""
for token in self.auth_providers:
assert_raises(Forbidden,
ensure_authorized_to,
'delete',
'token',
token=token)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create(self):
"""Test anonymous user is not allowed to create an oauth token"""
for token in self.auth_providers:
assert_raises(Unauthorized,
ensure_authorized_to,
'create',
'token',
token=token)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_create(self):
"""Test authenticated user is not allowed to create an oauth token"""
for token in self.auth_providers:
assert_raises(Forbidden,
ensure_authorized_to,
'create',
'token',
token=token)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_update(self):
"""Test anonymous user is not allowed to update an oauth token"""
for token in self.auth_providers:
assert_raises(Unauthorized,
ensure_authorized_to,
'update',
'token',
token=token)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_update(self):
"""Test authenticated user is not allowed to update an oauth token"""
for token in self.auth_providers:
assert_raises(Forbidden,
ensure_authorized_to,
'update',
'token',
token=token)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read(self):
"""Test anonymous user is not allowed to read an oauth token"""
for token in self.auth_providers:
assert_raises(Unauthorized,
ensure_authorized_to,
'read',
'token',
token=token)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_read(self):
"""Test authenticated user is allowed to read his own oauth tokens"""
for token in self.auth_providers:
assert_not_raises(Exception,
ensure_authorized_to,
'read',
'token',
token=token)
class TestTaskrunAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
def setUp(self):
super(TestTaskrunAuthorization, self).setUp()
with self.flask_app.app_context():
self.create()
def configure_fixtures(self):
self.app = db.session.query(App).first()
self.root = db.session.query(User).first()
self.user1 = db.session.query(User).get(2)
self.user2 = db.session.query(User).get(3)
self.task = Task(app_id=self.app.id, state='0', n_answers=10)
self.task.app = self.app
db.session.add(self.task)
db.session.commit()
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_create_first_taskrun(self):
"""Test anonymous user can create a taskrun for a given task if he
hasn't already done it"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="some taskrun info")
assert_not_raises(Exception,
getattr(require, 'taskrun').create,
taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_create_repeated_taskrun(self):
"""Test anonymous user cannot create a taskrun for a task to which
he has previously posted a taskrun"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
taskrun1 = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="some taskrun info")
db.session.add(taskrun1)
db.session.commit()
taskrun2 = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="a different taskrun info")
assert_raises(Forbidden,
getattr(require, 'taskrun').create,
taskrun2)
# But the user can still create taskruns for different tasks
task2 = Task(app_id=self.app.id, state='0', n_answers=10)
task2.app = self.app
db.session.add(task2)
db.session.commit()
taskrun3 = TaskRun(app_id=self.app.id,
task_id=task2.id,
user_ip='127.0.0.0',
info="some taskrun info")
assert_not_raises(Exception,
getattr(require, 'taskrun').create,
taskrun3)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_create_first_taskrun(self):
"""Test authenticated user can create a taskrun for a given task if he
hasn't already done it"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_id=self.mock_authenticated.id,
info="some taskrun info")
assert_not_raises(Exception,
getattr(require, 'taskrun').create,
taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_create_repeated_taskrun(self):
"""Test authenticated user cannot create a taskrun for a task to which
he has previously posted a taskrun"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
taskrun1 = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user=self.user1,
info="some taskrun info")
db.session.add(taskrun1)
db.session.commit()
taskrun2 = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user=self.user1,
info="a different taskrun info")
assert_raises(Forbidden, getattr(require, 'taskrun').create, taskrun2)
# But the user can still create taskruns for different tasks
task2 = Task(app_id=self.app.id, state='0', n_answers=10)
task2.app = self.app
db.session.add(task2)
db.session.commit()
taskrun3 = TaskRun(app_id=self.app.id,
task_id=task2.id,
user_id=self.mock_authenticated.id,
info="some taskrun info")
assert_not_raises(Exception,
getattr(require, 'taskrun').create,
taskrun3)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_read(self):
"""Test anonymous user can read any taskrun"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
anonymous_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="some taskrun info")
user_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_id=self.root.id,
info="another taskrun info")
assert_not_raises(Exception,
getattr(require, 'taskrun').read,
anonymous_taskrun)
assert_not_raises(Exception,
getattr(require, 'taskrun').read,
user_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_read(self):
"""Test authenticated user can read any taskrun"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
anonymous_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="some taskrun info")
other_users_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_id=self.root.id,
info="a different taskrun info")
own_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_id=self.mock_authenticated.id,
info="another taskrun info")
assert_not_raises(Exception,
getattr(require, 'taskrun').read,
anonymous_taskrun)
assert_not_raises(Exception,
getattr(require, 'taskrun').read,
other_users_taskrun)
assert_not_raises(Exception,
getattr(require, 'taskrun').read,
own_taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_update_anoymous_taskrun(self):
"""Test anonymous users cannot update an anonymously posted taskrun"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
anonymous_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="some taskrun info")
assert_raises(Unauthorized,
getattr(require, 'taskrun').update,
anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_update_anonymous_taskrun(self):
"""Test authenticated users cannot update an anonymously posted taskrun"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
anonymous_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="some taskrun info")
assert_raises(Forbidden,
getattr(require, 'taskrun').update,
anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.taskrun.current_user', new=mock_admin)
def test_admin_update_anonymous_taskrun(self):
"""Test admins cannot update anonymously posted taskruns"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
anonymous_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="some taskrun info")
assert_raises(Forbidden,
getattr(require, 'taskrun').update,
anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_update_user_taskrun(self):
"""Test anonymous user cannot update taskruns posted by authenticated users"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
user_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_id=self.root.id,
info="some taskrun info")
assert_raises(Unauthorized,
getattr(require, 'taskrun').update,
user_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_update_other_users_taskrun(self):
"""Test authenticated user cannot update any taskrun"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
own_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_id=self.mock_authenticated.id,
info="some taskrun info")
other_users_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_id=self.root.id,
info="a different taskrun info")
assert_raises(Forbidden,
getattr(require, 'taskrun').update,
own_taskrun)
assert_raises(Forbidden,
getattr(require, 'taskrun').update,
other_users_taskrun)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.taskrun.current_user', new=mock_admin)
def test_admin_update_user_taskrun(self):
"""Test admins cannot update taskruns posted by authenticated users"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
user_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_id=self.user1.id,
info="some taskrun info")
assert_raises(Forbidden,
getattr(require, 'taskrun').update,
user_taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_delete_anonymous_taskrun(self):
"""Test anonymous users cannot delete an anonymously posted taskrun"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
anonymous_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="some taskrun info")
assert_raises(Unauthorized,
getattr(require, 'taskrun').delete,
anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_delete_anonymous_taskrun(self):
"""Test authenticated users cannot delete an anonymously posted taskrun"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
anonymous_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="some taskrun info")
assert_raises(Forbidden,
getattr(require, 'taskrun').delete,
anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.taskrun.current_user', new=mock_admin)
def test_admin_delete_anonymous_taskrun(self):
"""Test admins can delete anonymously posted taskruns"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
anonymous_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="some taskrun info")
assert_not_raises(Exception,
getattr(require, 'taskrun').delete,
anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_delete_user_taskrun(self):
"""Test anonymous user cannot delete taskruns posted by authenticated users"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
user_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_id=self.root.id,
info="some taskrun info")
assert_raises(Unauthorized,
getattr(require, 'taskrun').delete,
user_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_delete_other_users_taskrun(self):
"""Test authenticated user cannot delete a taskrun if it was created
by another authenticated user, but can delete his own taskruns"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
own_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_id=self.mock_authenticated.id,
info="some taskrun info")
other_users_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_id=self.root.id,
info="a different taskrun info")
assert_not_raises(Exception,
getattr(require, 'taskrun').delete,
own_taskrun)
assert_raises(Forbidden,
getattr(require, 'taskrun').delete,
other_users_taskrun)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.taskrun.current_user', new=mock_admin)
def test_admin_delete_user_taskrun(self):
"""Test admins can delete taskruns posted by authenticated users"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
user_taskrun = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_id=self.user1.id,
info="some taskrun info")
assert_not_raises(Exception,
getattr(require, 'taskrun').delete,
user_taskrun)
class TestTaskAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_crud(self):
"""Test anonymous users cannot crud tasks"""
user = UserFactory.create()
project = ProjectFactory.create(owner=user)
task = TaskFactory.create(project=project)
assert_raises(Unauthorized, ensure_authorized_to, 'create', task)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', task)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', Task)
assert_raises(Unauthorized, ensure_authorized_to, 'update', task)
assert_raises(Unauthorized, ensure_authorized_to, 'delete', task)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_project_owner_can_crud(self):
"""Test project owner can crud tasks"""
user = UserFactory.create()
owner = UserFactory.create()
project = ProjectFactory.create(owner=owner)
task = TaskFactory.create(project=project)
assert self.mock_authenticated.id == owner.id
assert_not_raises(Forbidden, ensure_authorized_to, 'create', task)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', task)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', Task)
assert_not_raises(Forbidden, ensure_authorized_to, 'update', task)
assert_not_raises(Forbidden, ensure_authorized_to, 'delete', task)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_not_project_owner_cannot_crud(self):
"""Test non owner user cannot crud tasks"""
owner = UserFactory.create()
non_owner = UserFactory.create()
project = ProjectFactory.create(owner=owner)
task = TaskFactory.create(project=project)
assert self.mock_authenticated.id != owner.id
assert_raises(Forbidden, ensure_authorized_to, 'create', task)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', task)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', Task)
assert_raises(Forbidden, ensure_authorized_to, 'update', task)
assert_raises(Forbidden, ensure_authorized_to, 'delete', task)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_can_crud(self):
"""Test admin user can crud tasks"""
admin = UserFactory.create()
owner = UserFactory.create()
project = ProjectFactory.create(owner=owner)
task = TaskFactory.create(project=project)
assert self.mock_admin.id != owner.id
assert_not_raises(Forbidden, ensure_authorized_to, 'create', task)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', task)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', Task)
assert_not_raises(Forbidden, ensure_authorized_to, 'update', task)
assert_not_raises(Forbidden, ensure_authorized_to, 'delete', task)
class TestProjectAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_create(self):
"""Test anonymous users cannot projects"""
assert_raises(Unauthorized, ensure_authorized_to, 'create', Project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_can_create(self):
"""Test authenticated users can create projects"""
assert_not_raises(Exception, ensure_authorized_to, 'create', Project)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_a_project_cannot_be_created_as_published(self):
"""Test a project cannot be created directly as published"""
published_project = ProjectFactory.build(published=True)
assert_raises(Forbidden, ensure_authorized_to, 'create',
published_project)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_can_read_all_projects(self):
"""Test anonymous users can read projects"""
assert_not_raises(Exception, ensure_authorized_to, 'read', Project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_can_read_all_projects(self):
"""Test authenticated users can read projects"""
assert_not_raises(Exception, ensure_authorized_to, 'read', Project)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_can_read_given_published(self):
"""Test anonymous users can read a given published project"""
project = ProjectFactory.create(published=True)
assert_not_raises(Exception, ensure_authorized_to, 'read', project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_can_read_given_published(self):
"""Test authenticated users can read a given published project"""
project = ProjectFactory.create(published=True)
assert_not_raises(Exception, ensure_authorized_to, 'read', project)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_read_given_draft(self):
"""Test anonymous users cannot read draft projects"""
project = ProjectFactory.create(published=False)
assert_raises(Unauthorized, ensure_authorized_to, 'read', project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_read_given_draft(self):
"""Test authenticated users cannot read draft projects if are not owners"""
project = ProjectFactory.create(published=False)
assert project.owner.id != self.mock_authenticated.id, project.owner
assert_raises(Forbidden, ensure_authorized_to, 'read', project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owners_can_read_given_draft(self):
"""Test the owner of a project can read it despite being a draft"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(published=False, owner=owner)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'read', project)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_can_read_given_draft(self):
"""Test an admin can read a project despite being a draft"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(published=False, owner=owner)
assert project.owner.id != self.mock_admin.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'read', project)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_update(self):
"""Test anonymous users cannot update a project"""
project = ProjectFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'update', project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_update(self):
"""Test authenticated users cannot update a project if aren't owners"""
project = ProjectFactory.create()
assert project.owner.id != self.mock_authenticated.id, project.owner
assert_raises(Forbidden, ensure_authorized_to, 'update', project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_can_update(self):
"""Test owners can update a project"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'update', project)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_can_update(self):
"""Test an admin can update a project"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert project.owner.id != self.mock_admin.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'update', project)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_delete(self):
"""Test anonymous users cannot delete a project"""
project = ProjectFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'delete', project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_delete(self):
"""Test authenticated users cannot delete a project if aren't owners"""
project = ProjectFactory.create()
assert project.owner.id != self.mock_authenticated.id, project.owner
assert_raises(Forbidden, ensure_authorized_to, 'delete', project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_can_delete(self):
"""Test owners can delete a project"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'delete', project)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_can_delete(self):
"""Test an admin can delete a project"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert project.owner.id != self.mock_admin.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'delete', project)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_publish(self):
"""Test anonymous users cannot publish a project"""
project = ProjectFactory.create(published=False)
assert_raises(Unauthorized, ensure_authorized_to, 'publish', project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_cannot_publish(self):
"""Test non-owners cannot publish a project"""
project = ProjectFactory.create(published=False)
assert project.owner.id != self.mock_authenticated.id, project.owner
assert_raises(Forbidden, ensure_authorized_to, 'publish', project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_cannot_publish_if_project_has_no_presenter(self):
"""Test owner cannot publish a project that has no presenter"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(owner=owner, published=False, info={})
TaskFactory.create(project=project)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_raises(Forbidden, ensure_authorized_to, 'publish', project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_cannot_publish_if_project_has_no_tasks(self):
"""Test owner cannot publish a project that has no tasks"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(owner=owner, published=False)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_raises(Forbidden, ensure_authorized_to, 'publish', project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_can_publish_if_project_has_tasks_and_presenter(self):
"""Test owner can publish a project that has tasks and a presenter"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(owner=owner, published=False)
TaskFactory.create(project=project)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'publish', project)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_cannot_publish_if_project_has_no_presenter(self):
"""Test admins cannot publish a project that has no presenter"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(owner=owner, published=False, info={})
TaskFactory.create(project=project)
assert_raises(Forbidden, ensure_authorized_to, 'publish', project)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_cannot_publish_if_project_has_no_tasks(self):
"""Test admins cannot publish a project that has no tasks"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(owner=owner, published=False)
assert_raises(Forbidden, ensure_authorized_to, 'publish', project)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_can_publish_if_project_has_tasks_and_presenter(self):
"""Test admins can publish a project that has tasks and a presenter"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(owner=owner, published=False)
TaskFactory.create(project=project)
assert project.owner.id != self.mock_admin.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'publish', project)
class TestUserAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_create(self):
"""Test anonymous users cannot create users"""
assert_raises(Unauthorized, ensure_authorized_to, 'create', User)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_create(self):
"""Test authenticated users cannot create users"""
assert_raises(Forbidden, ensure_authorized_to, 'create', User)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admins_can_create(self):
"""Test admins users can create users"""
assert_not_raises(Exception, ensure_authorized_to, 'create', User)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_can_read(self):
"""Test anonymous users can read users"""
assert_not_raises(Exception, ensure_authorized_to, 'read', User)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_can_read(self):
"""Test authenticated users can read users"""
assert_not_raises(Exception, ensure_authorized_to, 'read', User)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admins_can_read(self):
"""Test admins users can read users"""
assert_not_raises(Exception, ensure_authorized_to, 'read', User)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_can_read_given_user(self):
"""Test anonymous users can read a given user"""
user = UserFactory.create()
assert_not_raises(Exception, ensure_authorized_to, 'read', user)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_can_read_given_user(self):
"""Test authenticated users can read a given user"""
user = UserFactory.create()
assert_not_raises(Exception, ensure_authorized_to, 'read', user)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admins_can_read_given_user(self):
"""Test admins users can read a given user"""
user = UserFactory.create()
assert_not_raises(Exception, ensure_authorized_to, 'read', user)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_update_given_user(self):
"""Test anonymous users cannot update a given user"""
user = UserFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'update', user)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_update_another_user(self):
"""Test authenticated users cannot update another user than themselves"""
user = UserFactory.create()
assert user.id != self.mock_authenticated.id, user.id
assert_raises(Forbidden, ensure_authorized_to, 'update', user)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_can_update_themselves(self):
"""Test authenticated users can update themselves"""
user = UserFactory.create_batch(2)[1]
assert user.id == self.mock_authenticated.id, user.id
assert_not_raises(Exception, ensure_authorized_to, 'update', user)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admins_can_update_any_user(self):
"""Test admins users can update any given user"""
himself = UserFactory.create()
other_user = UserFactory.create()
assert himself.id == self.mock_admin.id
assert other_user.id != self.mock_admin.id
assert_not_raises(Exception, ensure_authorized_to, 'update', other_user)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_delete_given_user(self):
"""Test anonymous users cannot delete a given user"""
user = UserFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'delete', user)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_delete_another_user(self):
"""Test authenticated users cannot delete another user than themselves"""
user = UserFactory.create()
assert user.id != self.mock_authenticated.id, user.id
assert_raises(Forbidden, ensure_authorized_to, 'delete', user)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_can_delete_themselves(self):
"""Test authenticated users can delete themselves"""
user = UserFactory.create_batch(2)[1]
assert user.id == self.mock_authenticated.id, user.id
assert_not_raises(Exception, ensure_authorized_to, 'delete', user)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admins_can_delete_any_user(self):
"""Test admins users can delete any given user"""
himself = UserFactory.create()
other_user = UserFactory.create()
assert himself.id == self.mock_admin.id
assert other_user.id != self.mock_admin.id
assert_not_raises(Exception, ensure_authorized_to, 'delete', other_user)
class TestAuditlogAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_read_auditlog(self):
"""Test anonymous users cannot read an auditlog"""
log = AuditlogFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'read', log)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_read_project_auditlogs(self):
"""Test anonymous users cannot read auditlogs of a specific project"""
project = ProjectFactory.create()
assert_raises(Unauthorized,
ensure_authorized_to,
'read',
Auditlog,
project_id=project.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_user_cannot_read_auditlog(self):
"""Test owner users can read an auditlog"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
log = AuditlogFactory.create(project_id=project.id)
assert self.mock_authenticated.id == project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'read', log)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_user_cannot_read_project_auditlogs(self):
"""Test owner users can read auditlogs of a specific project"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert_not_raises(Exception,
ensure_authorized_to,
'read',
Auditlog,
project_id=project.id)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_user_can_read_auditlog(self):
"""Test admin users can read an auditlog"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
log = AuditlogFactory.create(project_id=project.id)
assert self.mock_admin.id != project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'read', log)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_user_can_read_project_auditlogs(self):
"""Test admin users can read auditlogs from a project"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert self.mock_admin.id != project.owner_id
assert_not_raises(Exception,
ensure_authorized_to,
'read',
Auditlog,
project_id=project.id)
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_crud_auditlog(self):
"""Test anonymous users cannot crud auditlogs"""
log = Auditlog()
assert_raises(Unauthorized, ensure_authorized_to, 'create', log)
assert_raises(Unauthorized, ensure_authorized_to, 'update', log)
assert_raises(Unauthorized, ensure_authorized_to, 'delete', log)
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_crud_auditlog(self):
"""Test authenticated users cannot crud auditlogs"""
log = Auditlog()
assert_raises(Forbidden, ensure_authorized_to, 'create', log)
assert_raises(Forbidden, ensure_authorized_to, 'update', log)
assert_raises(Forbidden, ensure_authorized_to, 'delete', log)
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_user_cannot_crud_auditlog(self):
"""Test admin users cannot crud auditlogs"""
log = Auditlog()
assert_raises(Forbidden, ensure_authorized_to, 'create', log)
assert_raises(Forbidden, ensure_authorized_to, 'update', log)
assert_raises(Forbidden, ensure_authorized_to, 'delete', log)
class TestProjectAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.app.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_create(self):
"""Test anonymous users cannot projects"""
assert_raises(Unauthorized, getattr(require, 'app').create)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.app.current_user', new=mock_authenticated)
def test_authenticated_user_can_create(self):
"""Test authenticated users can create projects"""
assert_not_raises(Exception, getattr(require, 'app').create)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.app.current_user', new=mock_anonymous)
def test_anonymous_user_can_read_all_projects(self):
"""Test anonymous users can read non hidden projects"""
assert_not_raises(Exception, getattr(require, 'app').read)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.app.current_user', new=mock_authenticated)
def test_authenticated_user_can_read_all_projects(self):
"""Test authenticated users can read non hidden projects"""
assert_not_raises(Exception, getattr(require, 'app').read)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.app.current_user', new=mock_anonymous)
def test_anonymous_user_can_read_given_non_hidden(self):
"""Test anonymous users can read a given non hidden project"""
project = AppFactory.create()
assert_not_raises(Exception, getattr(require, 'app').read, project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.app.current_user', new=mock_authenticated)
def test_authenticated_user_can_read_given_non_hidden(self):
"""Test authenticated users can read a given non hidden project"""
project = AppFactory.create()
assert_not_raises(Exception, getattr(require, 'app').read, project)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.app.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_read_given_hidden(self):
"""Test anonymous users cannot read hidden projects"""
project = AppFactory.create(hidden=1)
assert_raises(Unauthorized, getattr(require, 'app').read, project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.app.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_read_given_hidden(self):
"""Test authenticated users cannot read hidden projects if are not owners"""
project = AppFactory.create(hidden=1)
assert project.owner.id != self.mock_authenticated.id, project.owner
assert_raises(Forbidden, getattr(require, 'app').read, project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.app.current_user', new=mock_authenticated)
def test_owners_can_read_given_hidden(self):
"""Test the owner of a project can read it despite being hidden"""
owner = UserFactory.build_batch(2)[1]
project = AppFactory.create(hidden=1, owner=owner)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_not_raises(Exception, getattr(require, 'app').read, project)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.app.current_user', new=mock_admin)
def test_admin_can_read_given_hidden(self):
"""Test an admin can read a project despite being hidden"""
owner = UserFactory.build_batch(2)[1]
project = AppFactory.create(hidden=1, owner=owner)
assert project.owner.id != self.mock_admin.id, project.owner
assert_not_raises(Exception, getattr(require, 'app').read, project)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.app.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_update(self):
"""Test anonymous users cannot update a project"""
project = AppFactory.create()
assert_raises(Unauthorized, getattr(require, 'app').update, project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.app.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_update(self):
"""Test authenticated users cannot update a project if aren't owners"""
project = AppFactory.create()
assert project.owner.id != self.mock_authenticated.id, project.owner
assert_raises(Forbidden, getattr(require, 'app').update, project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.app.current_user', new=mock_authenticated)
def test_owner_can_update(self):
"""Test owners can update a project"""
owner = UserFactory.build_batch(2)[1]
project = AppFactory.create(owner=owner)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_not_raises(Exception, getattr(require, 'app').update, project)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.app.current_user', new=mock_admin)
def test_admin_can_update(self):
"""Test an admin can update a project"""
owner = UserFactory.build_batch(2)[1]
project = AppFactory.create(hidden=1, owner=owner)
assert project.owner.id != self.mock_admin.id, project.owner
assert_not_raises(Exception, getattr(require, 'app').update, project)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.app.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_delete(self):
"""Test anonymous users cannot delete a project"""
project = AppFactory.create()
assert_raises(Unauthorized, getattr(require, 'app').delete, project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.app.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_delete(self):
"""Test authenticated users cannot delete a project if aren't owners"""
project = AppFactory.create()
assert project.owner.id != self.mock_authenticated.id, project.owner
assert_raises(Forbidden, getattr(require, 'app').delete, project)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.app.current_user', new=mock_authenticated)
def test_owner_can_delete(self):
"""Test owners can delete a project"""
owner = UserFactory.build_batch(2)[1]
project = AppFactory.create(owner=owner)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_not_raises(Exception, getattr(require, 'app').delete, project)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.app.current_user', new=mock_admin)
def test_admin_can_delete(self):
"""Test an admin can delete a project"""
owner = UserFactory.build_batch(2)[1]
project = AppFactory.create(hidden=1, owner=owner)
assert project.owner.id != self.mock_admin.id, project.owner
assert_not_raises(Exception, getattr(require, 'app').delete, project)
class TestTaskrunAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_create_first_taskrun(self):
"""Test anonymous user can create a taskrun for a given task if he
hasn't already done it"""
taskrun = AnonymousTaskRunFactory.build()
assert_not_raises(Exception,
getattr(require, 'taskrun').create, taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_create_repeated_taskrun(self):
"""Test anonymous user cannot create a taskrun for a task to which
he has previously posted a taskrun"""
task = TaskFactory.create()
taskrun1 = AnonymousTaskRunFactory.create(task=task)
taskrun2 = AnonymousTaskRunFactory.build(task=task)
assert_raises(Forbidden, getattr(require, 'taskrun').create, taskrun2)
# But the user can still create taskruns for different tasks
task2 = TaskFactory.create(app=task.app)
taskrun3 = AnonymousTaskRunFactory.build(task=task2)
assert_not_raises(Exception,
getattr(require, 'taskrun').create, taskrun3)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_create_first_taskrun(self):
"""Test authenticated user can create a taskrun for a given task if he
hasn't already done it"""
taskrun = TaskRunFactory.build()
assert self.mock_authenticated.id == taskrun.user.id
assert_not_raises(Exception,
getattr(require, 'taskrun').create, taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_create_repeated_taskrun(self):
"""Test authenticated user cannot create a taskrun for a task to which
he has previously posted a taskrun"""
task = TaskFactory.create()
taskrun1 = TaskRunFactory.create(task=task)
taskrun2 = TaskRunFactory.build(task=task, user=taskrun1.user)
assert self.mock_authenticated.id == taskrun1.user.id
assert_raises(Forbidden, getattr(require, 'taskrun').create, taskrun2)
# But the user can still create taskruns for different tasks
task2 = TaskFactory.create(app=task.app)
taskrun3 = TaskRunFactory.build(task=task2, user=taskrun1.user)
assert self.mock_authenticated.id == taskrun3.user.id
assert_not_raises(Exception,
getattr(require, 'taskrun').create, taskrun3)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_read(self):
"""Test anonymous user can read any taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
user_taskrun = TaskRunFactory.create()
assert_not_raises(Exception,
getattr(require, 'taskrun').read, anonymous_taskrun)
assert_not_raises(Exception,
getattr(require, 'taskrun').read, user_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_read(self):
"""Test authenticated user can read any taskrun"""
own_taskrun = TaskRunFactory.create()
anonymous_taskrun = AnonymousTaskRunFactory.create()
other_users_taskrun = TaskRunFactory.create()
assert self.mock_authenticated.id == own_taskrun.user.id
assert self.mock_authenticated.id != other_users_taskrun.user.id
assert_not_raises(Exception,
getattr(require, 'taskrun').read, anonymous_taskrun)
assert_not_raises(Exception,
getattr(require, 'taskrun').read,
other_users_taskrun)
assert_not_raises(Exception,
getattr(require, 'taskrun').read, own_taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_update_anoymous_taskrun(self):
"""Test anonymous users cannot update an anonymously posted taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Unauthorized,
getattr(require, 'taskrun').update, anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_update_anonymous_taskrun(self):
"""Test authenticated users cannot update an anonymously posted taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Forbidden,
getattr(require, 'taskrun').update, anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.taskrun.current_user', new=mock_admin)
def test_admin_update_anonymous_taskrun(self):
"""Test admins cannot update anonymously posted taskruns"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Forbidden,
getattr(require, 'taskrun').update, anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_update_user_taskrun(self):
"""Test anonymous user cannot update taskruns posted by authenticated users"""
user_taskrun = TaskRunFactory.create()
assert_raises(Unauthorized,
getattr(require, 'taskrun').update, user_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_update_other_users_taskrun(self):
"""Test authenticated user cannot update any user taskrun"""
own_taskrun = TaskRunFactory.create()
other_users_taskrun = TaskRunFactory.create()
assert self.mock_authenticated.id == own_taskrun.user.id
assert self.mock_authenticated.id != other_users_taskrun.user.id
assert_raises(Forbidden,
getattr(require, 'taskrun').update, own_taskrun)
assert_raises(Forbidden,
getattr(require, 'taskrun').update, other_users_taskrun)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.taskrun.current_user', new=mock_admin)
def test_admin_update_user_taskrun(self):
"""Test admins cannot update taskruns posted by authenticated users"""
user_taskrun = TaskRunFactory.create()
assert self.mock_admin.id != user_taskrun.user.id
assert_raises(Forbidden,
getattr(require, 'taskrun').update, user_taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_delete_anonymous_taskrun(self):
"""Test anonymous users cannot delete an anonymously posted taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Unauthorized,
getattr(require, 'taskrun').delete, anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_delete_anonymous_taskrun(self):
"""Test authenticated users cannot delete an anonymously posted taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Forbidden,
getattr(require, 'taskrun').delete, anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.taskrun.current_user', new=mock_admin)
def test_admin_delete_anonymous_taskrun(self):
"""Test admins can delete anonymously posted taskruns"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_not_raises(Exception,
getattr(require, 'taskrun').delete,
anonymous_taskrun)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_delete_user_taskrun(self):
"""Test anonymous user cannot delete taskruns posted by authenticated users"""
user_taskrun = TaskRunFactory.create()
assert_raises(Unauthorized,
getattr(require, 'taskrun').delete, user_taskrun)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_delete_other_users_taskrun(self):
"""Test authenticated user cannot delete a taskrun if it was created
by another authenticated user, but can delete his own taskruns"""
own_taskrun = TaskRunFactory.create()
other_users_taskrun = TaskRunFactory.create()
assert self.mock_authenticated.id == own_taskrun.user.id
assert self.mock_authenticated.id != other_users_taskrun.user.id
assert_not_raises(Exception,
getattr(require, 'taskrun').delete, own_taskrun)
assert_raises(Forbidden,
getattr(require, 'taskrun').delete, other_users_taskrun)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.taskrun.current_user', new=mock_admin)
def test_admin_delete_user_taskrun(self):
"""Test admins can delete taskruns posted by authenticated users"""
user_taskrun = TaskRunFactory.create()
assert self.mock_admin.id != user_taskrun.user.id, user_taskrun.user.id
assert_not_raises(Exception,
getattr(require, 'taskrun').delete, user_taskrun)
class TestHelpingMaterialAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_given_helpingmaterial(self):
"""Test anonymous users cannot create helping materials for a project"""
project = ProjectFactory.create()
helping = HelpingMaterialFactory.build(project_id=project.id)
assert_raises(Unauthorized, ensure_authorized_to, 'create', helping)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_helpingmaterials_for_given_project(self):
"""Test anonymous users cannot create helpingmaterials for a given project"""
project = ProjectFactory.create()
assert_raises(Unauthorized,
ensure_authorized_to,
'create',
HelpingMaterial,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_helpingmaterials(self):
"""Test anonymous users cannot create any helpingmaterials"""
assert_raises(Unauthorized, ensure_authorized_to, 'create',
HelpingMaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_create_given_helpingmaterial(self):
"""Test authenticated user cannot create a given helpingmaterial if is not the
project owner"""
project = ProjectFactory.create()
helpingmaterial = HelpingMaterialFactory.build(project_id=project.id)
assert self.mock_authenticated.id != project.owner_id
assert_raises(Forbidden, ensure_authorized_to, 'create',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_create_helpingmaterial_for_given_project(
self):
"""Test authenticated user cannot create helpingmaterials for a given project
if is not the project owner"""
owner = UserFactory.create(id=3)
project = ProjectFactory.create(owner=owner)
assert self.mock_authenticated.id != project.owner.id
assert_raises(Forbidden,
ensure_authorized_to,
'create',
HelpingMaterial,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_create_given_helpingmaterial(self):
"""Test authenticated user can create a given helpingmaterial if it's project owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner)
helpingmaterial = HelpingMaterialFactory.build(project_id=project.id)
assert self.mock_authenticated.id == project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'create',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_create_helpingmaterial_for_given_project(self):
"""Test authenticated user can create helpingmaterials for a given project
if it's project owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception,
ensure_authorized_to,
'create',
HelpingMaterial,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_create_helpingmaterial_for_given_project(self):
"""Test admin user can create helpingmaterials for a given project
even if it's not project owner"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(owner=owner)
assert self.mock_admin.id != project.owner.id
assert_not_raises(Exception,
ensure_authorized_to,
'create',
HelpingMaterial,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read_given_helpingmaterial(self):
"""Test anonymous users can read a given helpingmaterial"""
project = ProjectFactory.create(published=True)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert_not_raises(Exception, ensure_authorized_to, 'read',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read_helpingmaterials_for_given_project(self):
"""Test anonymous users can read helpingmaterials of a given project"""
project = ProjectFactory.create(published=True)
assert_not_raises(Exception,
ensure_authorized_to,
'read',
HelpingMaterial,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read_given_helpingmaterial_draft_project(self):
"""Test anonymous users cannot read a given helpingmaterial of
a draft project"""
project = ProjectFactory.create(published=False)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert_raises(Unauthorized, ensure_authorized_to, 'read',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read_helpingmaterials_for_given_draft_project(
self):
"""Test anonymous users cannot read helpingmaterials of a
given project if is a draft"""
project = ProjectFactory.create(published=False)
assert_raises(Unauthorized,
ensure_authorized_to,
'read',
HelpingMaterial,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_given_helpingmaterial(self):
"""Test authenticated user can read a given helpingmaterial
if is not the project owner"""
project = ProjectFactory.create(published=True)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert self.mock_authenticated.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_helpingmaterials_for_given_project(
self):
"""Test authenticated user can read helpingmaterials of a given project if
is not the project owner"""
project = ProjectFactory.create(published=True)
assert self.mock_authenticated.id != project.owner.id
assert_not_raises(Exception,
ensure_authorized_to,
'read',
HelpingMaterial,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_given_helpingmaterial_draft_project(
self):
"""Test authenticated user cannot read a given helpingmaterial of a
draft project if is not the project owner"""
project = ProjectFactory.create(published=False)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert self.mock_authenticated.id != project.owner.id
assert_raises(Forbidden, ensure_authorized_to, 'read', helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_helpingmaterials_for_given_draft_project(
self):
"""Test authenticated user cannot read helpingmaterials of a given project if is
a draft and is not the project owner"""
project = ProjectFactory.create(published=False)
assert self.mock_authenticated.id != project.owner.id
assert_raises(Forbidden,
ensure_authorized_to,
'read',
HelpingMaterial,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_read_given_helpingmaterial(self):
"""Test authenticated user can read a given helpingmaterial
if is the project owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner, published=True)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_read_helpingmaterials_for_given_project(self):
"""Test authenticated user can read helpingmaterials of a given project
if is the project owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner, published=True)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception,
ensure_authorized_to,
'read',
HelpingMaterial,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_read_given_helpingmaterial_draft_project(self):
"""Test authenticated user can read a given helpingmaterial
of a draft project if it's the project owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner, published=False)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_read_helpingmaterials_for_given_draft_project(self):
"""Test authenticated user can read helpingmaterials of a given
draft project if it's the project owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner, published=False)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception,
ensure_authorized_to,
'read',
HelpingMaterial,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_read_given_helpingmaterial_draft_project(self):
"""Test admin can read a given helpingmaterial of a draft project"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(owner=owner, published=False)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert self.mock_admin.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_read_helpingmaterials_for_given_draft_project(self):
"""Test admin can read helpingmaterials of a given draft project"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(published=False, owner=owner)
assert self.mock_admin.id != project.owner.id
assert_not_raises(Exception,
ensure_authorized_to,
'read',
HelpingMaterial,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_update_helpingmaterial(self):
"""Test anonymous users cannot update helpingmaterials"""
project = ProjectFactory.create(published=True)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert_raises(Unauthorized, ensure_authorized_to, 'update',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_update_helpingmaterial(self):
"""Test authenticated user can update helpingmaterial
if it's the post owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert_not_raises(Exception, ensure_authorized_to, 'update',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_owner_update_helpingmaterial(self):
"""Test admins can update helpingmaterial
even if it's not the post owner"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(owner=owner)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert_not_raises(Exception, ensure_authorized_to, 'update',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_delete_helpingmaterial(self):
"""Test anonymous users cannot delete helpingmaterials"""
project = ProjectFactory.create(published=True)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert_raises(Unauthorized, ensure_authorized_to, 'delete',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_delete_helpingmaterial(self):
"""Test authenticated user cannot delete a helpingmaterial if is not the post
owner and is not admin"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(owner=owner, published=True)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert self.mock_authenticated.id != owner.id
assert not self.mock_authenticated.admin
assert_raises(Forbidden, ensure_authorized_to, 'delete',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_delete_helpingmaterial(self):
"""Test authenticated user can delete a helpingmaterial if is the post
owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert self.mock_authenticated.id == owner.id
assert_not_raises(Exception, ensure_authorized_to, 'delete',
helpingmaterial)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_authenticated_user_delete_helpingmaterial(self):
"""Test authenticated user can delete any helpingmaterial if
it's admin"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(owner=owner)
helpingmaterial = HelpingMaterialFactory.create(project_id=project.id)
assert self.mock_admin.id != owner.id
assert_not_raises(Exception, ensure_authorized_to, 'delete',
helpingmaterial)
class TestResultAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_pro = mock_current_user(anonymous=False, admin=False, id=2, pro=True)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
mock_owner = mock_current_user(anonymous=False, admin=False, id=1)
def setUp(self):
super(TestResultAuthorization, self).setUp()
self.result_repo = ResultRepository(db)
def create_result(self, n_answers=1, filter_by=False):
task = TaskFactory.create(n_answers=n_answers)
TaskRunFactory.create(task=task)
if filter_by:
return self.result_repo.filter_by(project_id=1)
else:
return self.result_repo.get_by(project_id=1)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_can_read_result(self):
"""Test anonymous users can read results"""
result = self.create_result()
assert ensure_authorized_to('read', result)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_auth_user_can_read_result(self):
"""Test auth users can read results"""
result = self.create_result()
assert ensure_authorized_to('read', result)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_user_can_read_result(self):
"""Test admin users can read results"""
result = self.create_result()
assert ensure_authorized_to('read', result)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_save_results(self):
"""Test anonymous users cannot save results of a specific project"""
result = Result()
assert_raises(Unauthorized, ensure_authorized_to, 'create', result)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_save_results(self):
"""Test authenticated users cannot save results of a specific project"""
result = Result()
assert_raises(Forbidden, ensure_authorized_to, 'create', result)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_user_cannot_save_results(self):
"""Test admin users cannot save results of a specific project"""
result = Result()
assert_raises(Forbidden, ensure_authorized_to, 'create', result)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_delete_results(self):
"""Test anonymous users cannot delete results of a specific project"""
result = Result()
assert_raises(Unauthorized, ensure_authorized_to, 'delete', result)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_delete_results(self):
"""Test authenticated users cannot delete results of a specific project"""
result = Result()
assert_raises(Forbidden, ensure_authorized_to, 'delete', result)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_user_cannot_delete_results(self):
"""Test admin users cannot delete results of a specific project"""
result = Result()
assert_raises(Forbidden, ensure_authorized_to, 'delete', result)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_update_results(self):
"""Test anonymous users cannot update results of a specific project"""
result = self.create_result()
assert_raises(Unauthorized, ensure_authorized_to, 'update', result)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_auth_user_cannot_update_results(self):
"""Test auth users but not owner cannot update results of a specific project"""
result = self.create_result()
assert_raises(Forbidden, ensure_authorized_to, 'update', result)
@with_context
@patch('pybossa.auth.current_user', new=mock_owner)
def test_auth_owner_can_update_results(self):
"""Test auth owner can update results of a specific project"""
result = self.create_result()
result.info = dict(new='value')
assert ensure_authorized_to('update', result)
updated_result = self.result_repo.get_by(id=result.id)
err_msg = "The result has not been updated"
assert updated_result.info['new'] == 'value', err_msg
class TestTokenAuthorization(Test):
auth_providers = ('twitter', 'facebook', 'google')
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_delete(self):
"""Test anonymous user is not allowed to delete an oauth token"""
with self.flask_app.test_request_context('/'):
for token in self.auth_providers:
assert_raises(Unauthorized,
getattr(require, 'token').delete,
token)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_delete(self):
"""Test authenticated user is not allowed to delete an oauth token"""
with self.flask_app.test_request_context('/'):
for token in self.auth_providers:
assert_raises(Forbidden,
getattr(require, 'token').delete,
token)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_create(self):
"""Test anonymous user is not allowed to create an oauth token"""
with self.flask_app.test_request_context('/'):
for token in self.auth_providers:
assert_raises(Unauthorized,
getattr(require, 'token').create,
token)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_create(self):
"""Test authenticated user is not allowed to create an oauth token"""
with self.flask_app.test_request_context('/'):
for token in self.auth_providers:
assert_raises(Forbidden,
getattr(require, 'token').create,
token)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_update(self):
"""Test anonymous user is not allowed to update an oauth token"""
with self.flask_app.test_request_context('/'):
for token in self.auth_providers:
assert_raises(Unauthorized,
getattr(require, 'token').update,
token)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_update(self):
"""Test authenticated user is not allowed to update an oauth token"""
with self.flask_app.test_request_context('/'):
for token in self.auth_providers:
assert_raises(Forbidden,
getattr(require, 'token').update,
token)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.taskrun.current_user', new=mock_anonymous)
def test_anonymous_user_read(self):
"""Test anonymous user is not allowed to read an oauth token"""
with self.flask_app.test_request_context('/'):
for token in self.auth_providers:
assert_raises(Unauthorized,
getattr(require, 'token').read,
token)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.taskrun.current_user', new=mock_authenticated)
def test_authenticated_user_read(self):
"""Test authenticated user is allowed to read his own oauth tokens"""
with self.flask_app.test_request_context('/'):
for token in self.auth_providers:
assert_raises(Forbidden,
getattr(require, 'token').read,
token)
class TestTaskrunAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_first_taskrun(self):
"""Test anonymous user can create a taskrun for a given task if he
hasn't already done it"""
task = TaskFactory.create()
taskrun = AnonymousTaskRunFactory.build(task=task)
assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_repeated_taskrun(self):
"""Test anonymous user cannot create two taskruns for the same task"""
task = TaskFactory.create()
taskrun1 = AnonymousTaskRunFactory.create(task=task)
taskrun2 = AnonymousTaskRunFactory.build(task=task)
assert_raises(Forbidden, ensure_authorized_to, 'create', taskrun2)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_taskrun(self):
"""Test anonymous user can create a taskrun for a task even though
he has posted taskruns for different tasks in the same project"""
project = ProjectFactory.create()
tasks = TaskFactory.create_batch(2, project=project)
taskrun1 = AnonymousTaskRunFactory.create(task=tasks[0])
taskrun2 = AnonymousTaskRunFactory.build(task_id=tasks[1].id,
project_id=project.id)
assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun2)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_taskrun_non_allow_anonymous_contrib(self):
"""Test anonymous user cannot create a taskrun for a project that does
not allow for anonymous contributors"""
project = ProjectFactory.create(allow_anonymous_contributors=False)
task = TaskFactory.create(project=project)
taskrun = AnonymousTaskRunFactory.build(task=task)
assert_raises(Unauthorized, ensure_authorized_to, 'create', taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_can_create_taskrun_for_draft_project(self):
"""Test anonymous users can create a taskrun for a project that
is a draft"""
project = ProjectFactory.create(published=False)
task = TaskFactory.create(project=project)
taskrun = AnonymousTaskRunFactory.build(task_id=task.id,
project_id=project.id)
assert_not_raises(Forbidden, ensure_authorized_to, 'create', taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_create_first_taskrun(self):
"""Test authenticated user can create a taskrun for a given task if he
hasn't already done it"""
task = TaskFactory.create()
taskrun = TaskRunFactory.build(task_id=task.id,
project_id=task.project_id,
user_id=self.mock_authenticated.id)
assert self.mock_authenticated.id == taskrun.user_id, taskrun
assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_create_repeated_taskrun(self):
"""Test authenticated user cannot create two taskruns for the same task"""
task = TaskFactory.create()
taskrun1 = TaskRunFactory.create(task=task)
taskrun2 = TaskRunFactory.build(task=task, user=taskrun1.user)
assert self.mock_authenticated.id == taskrun1.user.id
assert_raises(Forbidden, ensure_authorized_to, 'create', taskrun2)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_create_taskrun(self):
"""Test authenticated user can create a taskrun for a task even though
he has posted taskruns for different tasks in the same project"""
user = UserFactory.create_batch(2)[1]
project = ProjectFactory.create()
tasks = TaskFactory.create_batch(2, project=project)
taskrun1 = TaskRunFactory.create(task=tasks[0], user=user)
taskrun2 = TaskRunFactory.build(task_id=tasks[1].id,
user_id=user.id,
project_id=tasks[1].project_id)
assert self.mock_authenticated.id == taskrun2.user_id
assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun2)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_create_taskrun_non_allow_anonymous_contrib(
self):
"""Test authenticated user can create a taskrun for a project that does
not allow for anonymous contributors"""
project = ProjectFactory.create(allow_anonymous_contributors=False)
task = TaskFactory.create(project=project)
taskrun = TaskRunFactory.build(task_id=task.id, project_id=project.id)
assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_can_create_taskrun_for_draft_project(self):
"""Test authenticated users can create a taskrun for a project that
is a draft"""
project = ProjectFactory.create(published=False)
task = TaskFactory.create(project=project)
taskrun = TaskRunFactory.build(task_id=task.id, project_id=project.id)
assert_not_raises(Forbidden, ensure_authorized_to, 'create', taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read(self):
"""Test anonymous user cannot read any taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
user_taskrun = TaskRunFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'read',
anonymous_taskrun)
assert_raises(Unauthorized, ensure_authorized_to, 'read', user_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_read(self):
"""Test authenticated user cannot read any taskrun"""
own_taskrun = TaskRunFactory.create()
anonymous_taskrun = AnonymousTaskRunFactory.create()
other_users_taskrun = TaskRunFactory.create()
assert self.mock_authenticated.id == own_taskrun.user.id
assert self.mock_authenticated.id != other_users_taskrun.user.id
assert_not_raises(Forbidden, ensure_authorized_to, 'read',
anonymous_taskrun)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', own_taskrun)
assert_not_raises(Forbidden, ensure_authorized_to, 'read',
other_users_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_update_anoymous_taskrun_result(self):
"""Test anonymous users cannot update an anonymously posted taskrun
with result"""
task = TaskFactory.create(n_answers=1)
anonymous_taskrun = AnonymousTaskRunFactory.create(task=task)
assert_raises(Unauthorized, ensure_authorized_to, 'update',
anonymous_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_update_anoymous_taskrun(self):
"""Test anonymous users cannot update an anonymously posted taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'read',
anonymous_taskrun)
assert_raises(Unauthorized, ensure_authorized_to, 'update',
anonymous_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_update_anonymous_taskrun(self):
"""Test authenticated users cannot update an anonymously
posted taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Forbidden, ensure_authorized_to, 'update',
anonymous_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_update_anonymous_taskrun_result(self):
"""Test admins cannot update anonymously posted taskruns
when there is a result associated."""
task = TaskFactory.create(n_answers=1)
anonymous_taskrun = AnonymousTaskRunFactory.create(task=task)
assert_raises(Forbidden, ensure_authorized_to, 'update',
anonymous_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_update_anonymous_taskrun(self):
"""Test admins can update anonymously posted taskruns
when no result is associated."""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_not_raises(Exception, ensure_authorized_to, 'update',
anonymous_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_update_user_taskrun(self):
"""Test anonymous user cannot update taskruns posted by authenticated users"""
user_taskrun = TaskRunFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'update',
user_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_update_other_users_taskrun(self):
"""Test authenticated user cannot update any user taskrun
except own."""
own_taskrun = TaskRunFactory.create()
other_users_taskrun = TaskRunFactory.create()
assert self.mock_authenticated.id == own_taskrun.user.id
assert self.mock_authenticated.id != other_users_taskrun.user.id
assert_not_raises(Exception, ensure_authorized_to, 'update',
own_taskrun)
assert_raises(Forbidden, ensure_authorized_to, 'update',
other_users_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_update_other_users_taskrun_result(self):
"""Test authenticated user cannot update any user taskrun
when task runs have associated results."""
task = TaskFactory.create(n_answers=1)
own_taskrun = TaskRunFactory.create(task=task)
task2 = TaskFactory.create(n_answers=1)
other_users_taskrun = TaskRunFactory.create(task=task2)
assert self.mock_authenticated.id == own_taskrun.user.id
assert self.mock_authenticated.id != other_users_taskrun.user.id
assert_raises(Forbidden, ensure_authorized_to, 'update', own_taskrun)
assert_raises(Forbidden, ensure_authorized_to, 'update',
other_users_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_update_user_taskrun(self):
"""Test admins can update taskruns posted by authenticated
when there is no result associated."""
user_taskrun = TaskRunFactory.create()
assert self.mock_admin.id != user_taskrun.user.id
assert_not_raises(Exception, ensure_authorized_to, 'update',
user_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_update_user_taskrun_with_result(self):
"""Test admins cannot update taskruns posted by authenticated
when there is a result associated."""
task = TaskFactory.create(n_answers=1)
user_taskrun = TaskRunFactory.create(task=task)
assert self.mock_admin.id != user_taskrun.user.id
assert_raises(Forbidden, ensure_authorized_to, 'update', user_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_delete_anonymous_taskrun(self):
"""Test anonymous users cannot delete an anonymously posted taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'delete',
anonymous_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_delete_anonymous_taskrun(self):
"""Test authenticated users cannot delete an anonymously posted taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_raises(Forbidden, ensure_authorized_to, 'delete',
anonymous_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_delete_anonymous_taskrun(self):
"""Test admins can delete anonymously posted taskruns"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_not_raises(Exception, ensure_authorized_to, 'delete',
anonymous_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_delete_user_taskrun(self):
"""Test anonymous user cannot delete taskruns posted by authenticated users"""
user_taskrun = TaskRunFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'delete',
user_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_delete_other_users_taskrun(self):
"""Test authenticated user cannot delete a taskrun if it was created
by another authenticated user, but can delete his own taskruns"""
own_taskrun = TaskRunFactory.create()
other_users_taskrun = TaskRunFactory.create()
assert self.mock_authenticated.id == own_taskrun.user.id
assert self.mock_authenticated.id != other_users_taskrun.user.id
assert_not_raises(Exception, ensure_authorized_to, 'delete',
own_taskrun)
assert_raises(Forbidden, ensure_authorized_to, 'delete',
other_users_taskrun)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_delete_user_taskrun(self):
"""Test admins can delete taskruns posted by authenticated users"""
user_taskrun = TaskRunFactory.create()
assert self.mock_admin.id != user_taskrun.user.id, user_taskrun.user.id
assert_not_raises(Exception, ensure_authorized_to, 'delete',
user_taskrun)
class TestBlogpostAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_create_given_blogpost(self):
"""Test anonymous users cannot create a given blogpost"""
app = AppFactory.create()
blogpost = BlogpostFactory.build(app=app, owner=None)
assert_raises(Unauthorized,
getattr(require, 'blogpost').create, blogpost)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_create_blogposts_for_given_app(self):
"""Test anonymous users cannot create blogposts for a given project"""
app = AppFactory.create()
assert_raises(Unauthorized,
getattr(require, 'blogpost').create,
app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_create_blogposts(self):
"""Test anonymous users cannot create any blogposts"""
assert_raises(Unauthorized, getattr(require, 'blogpost').create)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.blogpost.current_user', new=mock_admin)
def test_non_owner_authenticated_user_create_given_blogpost(self):
"""Test authenticated user cannot create a given blogpost if is not the
project owner, even if is admin"""
admin = UserFactory.create()
app = AppFactory.create()
blogpost = BlogpostFactory.build(app=app, owner=admin)
assert self.mock_admin.id != app.owner.id
assert_raises(Forbidden, getattr(require, 'blogpost').create, blogpost)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.blogpost.current_user', new=mock_admin)
def test_non_owner_authenticated_user_create_blogpost_for_given_app(self):
"""Test authenticated user cannot create blogposts for a given project
if is not the project owner, even if is admin"""
owner = UserFactory.create_batch(2)[1]
app = AppFactory.create(owner=owner)
assert self.mock_admin.id != app.owner.id
assert_raises(Forbidden,
getattr(require, 'blogpost').create,
app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_create_given_blogpost(self):
"""Test authenticated user can create a given blogpost if is project owner"""
owner = UserFactory.create_batch(2)[1]
app = AppFactory.create(owner=owner)
blogpost = BlogpostFactory.build(app=app, owner=owner)
assert self.mock_authenticated.id == app.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').create, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_create_blogpost_for_given_app(self):
"""Test authenticated user can create blogposts for a given project
if is project owner"""
owner = UserFactory.create_batch(2)[1]
app = AppFactory.create(owner=owner)
assert self.mock_authenticated.id == app.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').create,
app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_create_blogpost_as_other_user(self):
"""Test authenticated user cannot create blogpost if is project owner but
sets another person as the author of the blogpost"""
another_user = UserFactory.create()
app = AppFactory.create()
blogpost = BlogpostFactory.build(app_id=app.id, owner=another_user)
assert self.mock_authenticated.id == app.owner.id
assert_raises(Forbidden, getattr(require, 'blogpost').create, blogpost)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_read_given_blogpost(self):
"""Test anonymous users can read a given blogpost"""
app = AppFactory.create()
blogpost = BlogpostFactory.create(app=app)
assert_not_raises(Exception,
getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_read_blogposts_for_given_app(self):
"""Test anonymous users can read blogposts of a given project"""
app = AppFactory.create()
assert_not_raises(Exception,
getattr(require, 'blogpost').read,
app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_read_given_blogpost_hidden_app(self):
"""Test anonymous users cannot read a given blogpost of a hidden project"""
app = AppFactory.create(hidden=1)
blogpost = BlogpostFactory.create(app=app)
assert_raises(Unauthorized,
getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_read_blogposts_for_given_hidden_app(self):
"""Test anonymous users cannot read blogposts of a given project if is hidden"""
app = AppFactory.create(hidden=1)
assert_raises(Unauthorized,
getattr(require, 'blogpost').read,
app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_given_blogpost(self):
"""Test authenticated user can read a given blogpost if is not the project owner"""
app = AppFactory.create()
user = UserFactory.create()
blogpost = BlogpostFactory.create(app=app)
assert self.mock_authenticated.id != app.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_blogposts_for_given_app(self):
"""Test authenticated user can read blogposts of a given project if
is not the project owner"""
app = AppFactory.create()
user = UserFactory.create()
assert self.mock_authenticated.id != app.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').read,
app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_given_blogpost_hidden_app(self):
"""Test authenticated user cannot read a given blogpost of a hidden project
if is not the project owner"""
app = AppFactory.create(hidden=1)
user = UserFactory.create()
blogpost = BlogpostFactory.create(app=app)
assert self.mock_authenticated.id != app.owner.id
assert_raises(Forbidden, getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_blogposts_for_given_hidden_app(
self):
"""Test authenticated user cannot read blogposts of a given project if is
hidden and is not the project owner"""
app = AppFactory.create(hidden=1)
user = UserFactory.create()
assert self.mock_authenticated.id != app.owner.id
assert_raises(Forbidden,
getattr(require, 'blogpost').read,
app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_read_given_blogpost(self):
"""Test authenticated user can read a given blogpost if is the project owner"""
owner = UserFactory.create_batch(2)[1]
app = AppFactory.create(owner=owner)
blogpost = BlogpostFactory.create(app=app)
assert self.mock_authenticated.id == app.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_read_blogposts_for_given_app(self):
"""Test authenticated user can read blogposts of a given project if is the
project owner"""
owner = UserFactory.create_batch(2)[1]
app = AppFactory.create(owner=owner)
assert self.mock_authenticated.id == app.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').read,
app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_read_given_blogpost_hidden_app(self):
"""Test authenticated user can read a given blogpost of a hidden project if
is the project owner"""
owner = UserFactory.create_batch(2)[1]
app = AppFactory.create(owner=owner, hidden=1)
blogpost = BlogpostFactory.create(app=app)
assert self.mock_authenticated.id == app.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_read_blogposts_for_given_hidden_app(self):
"""Test authenticated user can read blogposts of a given hidden project if
is the project owner"""
owner = UserFactory.create_batch(2)[1]
app = AppFactory.create(owner=owner, hidden=1)
assert self.mock_authenticated.id == app.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').read,
app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.blogpost.current_user', new=mock_admin)
def test_admin_read_given_blogpost_hidden_app(self):
"""Test admin can read a given blogpost of a hidden project"""
admin = UserFactory.create()
app = AppFactory.create(hidden=1)
blogpost = BlogpostFactory.create(app=app)
assert self.mock_admin.id != app.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.blogpost.current_user', new=mock_admin)
def test_admin_read_blogposts_for_given_hidden_app(self):
"""Test admin can read blogposts of a given hidden project"""
admin = UserFactory.create()
app = AppFactory.create(hidden=1)
assert self.mock_admin.id != app.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').read,
app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_update_blogpost(self):
"""Test anonymous users cannot update blogposts"""
blogpost = BlogpostFactory.create()
assert_raises(Unauthorized,
getattr(require, 'blogpost').update, blogpost)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.blogpost.current_user', new=mock_admin)
def test_non_owner_authenticated_user_update_blogpost(self):
"""Test authenticated user cannot update a blogpost if is not the post
owner, even if is admin"""
admin = UserFactory.create()
app = AppFactory.create()
blogpost = BlogpostFactory.create(app=app)
assert self.mock_admin.id != blogpost.owner.id
assert_raises(Forbidden, getattr(require, 'blogpost').update, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_update_blogpost(self):
"""Test authenticated user can update blogpost if is the post owner"""
owner = UserFactory.create_batch(2)[1]
app = AppFactory.create()
blogpost = BlogpostFactory.create(app=app, owner=owner)
assert self.mock_authenticated.id == blogpost.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').update, blogpost)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_delete_blogpost(self):
"""Test anonymous users cannot delete blogposts"""
blogpost = BlogpostFactory.create()
assert_raises(Unauthorized,
getattr(require, 'blogpost').delete, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_delete_blogpost(self):
"""Test authenticated user cannot delete a blogpost if is not the post
owner and is not admin"""
blogpost = BlogpostFactory.create()
assert self.mock_authenticated.id != blogpost.owner.id
assert not self.mock_authenticated.admin
assert_raises(Forbidden, getattr(require, 'blogpost').delete, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_delete_blogpost(self):
"""Test authenticated user can delete a blogpost if is the post owner"""
owner = UserFactory.create_batch(2)[1]
app = AppFactory.create()
blogpost = BlogpostFactory.create(app=app, owner=owner)
assert self.mock_authenticated.id == blogpost.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').delete, blogpost)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.blogpost.current_user', new=mock_admin)
def test_admin_authenticated_user_delete_blogpost(self):
"""Test authenticated user can delete any blogpost if is admin"""
admin = UserFactory.create()
blogpost = BlogpostFactory.create()
assert self.mock_admin.id != blogpost.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').delete, blogpost)
class TestBlogpostAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_given_blogpost(self):
"""Test anonymous users cannot create a given blogpost"""
project = ProjectFactory.create()
blogpost = BlogpostFactory.build(project=project, owner=None)
assert_raises(Unauthorized, ensure_authorized_to, 'create', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_blogposts_for_given_project(self):
"""Test anonymous users cannot create blogposts for a given project"""
project = ProjectFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'create', Blogpost, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_blogposts(self):
"""Test anonymous users cannot create any blogposts"""
assert_raises(Unauthorized, ensure_authorized_to, 'create', Blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_non_owner_authenticated_user_create_given_blogpost(self):
"""Test authenticated user cannot create a given blogpost if is not the
project owner, even if is admin"""
admin = UserFactory.create()
project = ProjectFactory.create()
blogpost = BlogpostFactory.build(project=project, owner=admin)
assert self.mock_admin.id != project.owner_id
assert_raises(Forbidden, ensure_authorized_to, 'create', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_non_owner_authenticated_user_create_blogpost_for_given_project(self):
"""Test authenticated user cannot create blogposts for a given project
if is not the project owner, even if is admin"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert self.mock_admin.id != project.owner.id
assert_raises(Forbidden, ensure_authorized_to, 'create', Blogpost, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_create_given_blogpost(self):
"""Test authenticated user can create a given blogpost if is project owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
blogpost = BlogpostFactory.build(project=project, owner=owner)
assert self.mock_authenticated.id == project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'create', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_create_blogpost_for_given_project(self):
"""Test authenticated user can create blogposts for a given project
if is project owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'create', Blogpost, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_create_blogpost_as_other_user(self):
"""Test authenticated user cannot create blogpost if is project owner but
sets another person as the author of the blogpost"""
another_user = UserFactory.create()
project = ProjectFactory.create()
blogpost = BlogpostFactory.build(project_id=project.id,
owner=another_user)
assert self.mock_authenticated.id == project.owner_id
assert_raises(Forbidden, ensure_authorized_to, 'create', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read_given_blogpost(self):
"""Test anonymous users can read a given blogpost"""
project = ProjectFactory.create(published=True)
blogpost = BlogpostFactory.create(project=project)
assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read_blogposts_for_given_project(self):
"""Test anonymous users can read blogposts of a given project"""
project = ProjectFactory.create(published=True)
assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read_given_blogpost_draft_project(self):
"""Test anonymous users cannot read a given blogpost of a draft project"""
project = ProjectFactory.create(published=False)
blogpost = BlogpostFactory.create(project=project)
assert_raises(Unauthorized, ensure_authorized_to, 'read', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read_blogposts_for_given_draft_project(self):
"""Test anonymous users cannot read blogposts of a given project if is a draft"""
project = ProjectFactory.create(published=False)
assert_raises(Unauthorized, ensure_authorized_to, 'read', Blogpost, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_given_blogpost(self):
"""Test authenticated user can read a given blogpost if is not the project owner"""
project = ProjectFactory.create(published=True)
user = UserFactory.create()
blogpost = BlogpostFactory.create(project=project)
assert self.mock_authenticated.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_blogposts_for_given_project(self):
"""Test authenticated user can read blogposts of a given project if
is not the project owner"""
project = ProjectFactory.create(published=True)
user = UserFactory.create()
assert self.mock_authenticated.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_given_blogpost_draft_project(self):
"""Test authenticated user cannot read a given blogpost of a draft project
if is not the project owner"""
project = ProjectFactory.create(published=False)
user = UserFactory.create()
blogpost = BlogpostFactory.create(project=project)
assert self.mock_authenticated.id != project.owner.id
assert_raises(Forbidden, ensure_authorized_to, 'read', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_blogposts_for_given_draft_project(self):
"""Test authenticated user cannot read blogposts of a given project if is
a draft and is not the project owner"""
project = ProjectFactory.create(published=False)
user = UserFactory.create()
assert self.mock_authenticated.id != project.owner.id
assert_raises(Forbidden, ensure_authorized_to, 'read', Blogpost, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_read_given_blogpost(self):
"""Test authenticated user can read a given blogpost if is the project owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner, published=True)
blogpost = BlogpostFactory.create(project=project)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_read_blogposts_for_given_project(self):
"""Test authenticated user can read blogposts of a given project if is the
project owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner, published=True)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_read_given_blogpost_draft_project(self):
"""Test authenticated user can read a given blogpost of a draft project if
is the project owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner, published=False)
blogpost = BlogpostFactory.create(project=project)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_read_blogposts_for_given_draft_project(self):
"""Test authenticated user can read blogposts of a given draft project if
is the project owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner, published=False)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_read_given_blogpost_draft_project(self):
"""Test admin can read a given blogpost of a draft project"""
admin = UserFactory.create()
project = ProjectFactory.create(published=False)
blogpost = BlogpostFactory.create(project=project)
assert self.mock_admin.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_read_blogposts_for_given_draft_project(self):
"""Test admin can read blogposts of a given draft project"""
admin = UserFactory.create()
project = ProjectFactory.create(published=False)
assert self.mock_admin.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_update_blogpost(self):
"""Test anonymous users cannot update blogposts"""
blogpost = BlogpostFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'update', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_non_owner_authenticated_user_update_blogpost(self):
"""Test authenticated user cannot update a blogpost if is not the post
owner, even if is admin"""
admin = UserFactory.create()
project = ProjectFactory.create()
blogpost = BlogpostFactory.create(project=project)
assert self.mock_admin.id != blogpost.owner.id
assert_raises(Forbidden, ensure_authorized_to, 'update', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_update_blogpost(self):
"""Test authenticated user can update blogpost if is the post owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create()
blogpost = BlogpostFactory.create(project=project, owner=owner)
assert self.mock_authenticated.id == blogpost.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'update', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_delete_blogpost(self):
"""Test anonymous users cannot delete blogposts"""
blogpost = BlogpostFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'delete', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_delete_blogpost(self):
"""Test authenticated user cannot delete a blogpost if is not the post
owner and is not admin"""
blogpost = BlogpostFactory.create()
assert self.mock_authenticated.id != blogpost.owner.id
assert not self.mock_authenticated.admin
assert_raises(Forbidden, ensure_authorized_to, 'delete', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_delete_blogpost(self):
"""Test authenticated user can delete a blogpost if is the post owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create()
blogpost = BlogpostFactory.create(project=project, owner=owner)
assert self.mock_authenticated.id == blogpost.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'delete', blogpost)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_authenticated_user_delete_blogpost(self):
"""Test authenticated user can delete any blogpost if is admin"""
admin = UserFactory.create()
blogpost = BlogpostFactory.create()
assert self.mock_admin.id != blogpost.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'delete', blogpost)
class TestPageAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_given_page(self):
"""Test anonymous users cannot create pages for a project"""
project = ProjectFactory.create()
page = PageFactory.build(project_id=project.id)
assert_raises(Unauthorized, ensure_authorized_to, 'create', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_pages_for_given_project(self):
"""Test anonymous users cannot create pages for a given project"""
project = ProjectFactory.create()
assert_raises(Unauthorized,
ensure_authorized_to,
'create',
Page,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_create_pages(self):
"""Test anonymous users cannot create any pages"""
assert_raises(Unauthorized, ensure_authorized_to, 'create', Page)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_create_given_page(self):
"""Test authenticated user cannot create a given page if is not the
project owner"""
project = ProjectFactory.create()
page = PageFactory.build(project_id=project.id)
assert self.mock_authenticated.id != project.owner_id
assert_raises(Forbidden, ensure_authorized_to, 'create', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_create_page_for_given_project(self):
"""Test authenticated user cannot create pages for a given project
if is not the project owner"""
owner = UserFactory.create(id=3)
project = ProjectFactory.create(owner=owner)
assert self.mock_authenticated.id != project.owner.id
assert_raises(Forbidden,
ensure_authorized_to,
'create',
Page,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_create_given_page(self):
"""Test authenticated user can create a given page
if it's project owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner)
page = PageFactory.build(project_id=project.id)
assert self.mock_authenticated.id == project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'create', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_create_page_for_given_project(self):
"""Test authenticated user can create pages for a given project
if it's project owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception,
ensure_authorized_to,
'create',
Page,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_create_page_for_given_project(self):
"""Test admin user can create pages for a given project
even if it's not project owner"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(owner=owner)
assert self.mock_admin.id != project.owner.id
assert_not_raises(Exception,
ensure_authorized_to,
'create',
Page,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read_given_page(self):
"""Test anonymous users can read a given page"""
project = ProjectFactory.create(published=True)
page = PageFactory.create(project_id=project.id)
assert_not_raises(Exception, ensure_authorized_to, 'read', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read_pages_for_given_project(self):
"""Test anonymous users can read pages of a given project"""
project = ProjectFactory.create(published=True)
assert_not_raises(Exception,
ensure_authorized_to,
'read',
Page,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read_given_page_draft_project(self):
"""Test anonymous users cannot read a given page of
a draft project"""
project = ProjectFactory.create(published=False)
page = PageFactory.create(project_id=project.id)
assert_raises(Unauthorized, ensure_authorized_to, 'read', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_read_pages_for_given_draft_project(self):
"""Test anonymous users cannot read pages of a
given project if is a draft"""
project = ProjectFactory.create(published=False)
assert_raises(Unauthorized,
ensure_authorized_to,
'read',
Page,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_given_page(self):
"""Test authenticated user can read a given page
if is not the project owner"""
project = ProjectFactory.create(published=True)
page = PageFactory.create(project_id=project.id)
assert self.mock_authenticated.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_pages_for_given_project(self):
"""Test authenticated user can read pages of a given project if
is not the project owner"""
project = ProjectFactory.create(published=True)
assert self.mock_authenticated.id != project.owner.id
assert_not_raises(Exception,
ensure_authorized_to,
'read',
Page,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_given_page_draft_project(self):
"""Test authenticated user cannot read a given page of a
draft project if is not the project owner"""
project = ProjectFactory.create(published=False)
page = PageFactory.create(project_id=project.id)
assert self.mock_authenticated.id != project.owner.id
assert_raises(Forbidden, ensure_authorized_to, 'read', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_pages_for_given_draft_project(
self):
"""Test authenticated user cannot read pages of a given project if is
a draft and is not the project owner"""
project = ProjectFactory.create(published=False)
assert self.mock_authenticated.id != project.owner.id
assert_raises(Forbidden,
ensure_authorized_to,
'read',
Page,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_read_given_page(self):
"""Test authenticated user can read a given page
if is the project owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner, published=True)
page = PageFactory.create(project_id=project.id)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_read_pages_for_given_project(self):
"""Test authenticated user can read pages of a given project
if is the project owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner, published=True)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception,
ensure_authorized_to,
'read',
Page,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_read_given_page_draft_project(self):
"""Test authenticated user can read a given page
of a draft project if it's the project owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner, published=False)
page = PageFactory.create(project_id=project.id)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_read_pages_for_given_draft_project(self):
"""Test authenticated user can read pages of a given
draft project if it's the project owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner, published=False)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception,
ensure_authorized_to,
'read',
Page,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_read_given_page_draft_project(self):
"""Test admin can read a given page of a draft project"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(owner=owner, published=False)
page = PageFactory.create(project_id=project.id)
assert self.mock_admin.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_read_pages_for_given_draft_project(self):
"""Test admin can read pages of a given draft project"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(published=False, owner=owner)
assert self.mock_admin.id != project.owner.id
assert_not_raises(Exception,
ensure_authorized_to,
'read',
Page,
project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_update_page(self):
"""Test anonymous users cannot update pages"""
project = ProjectFactory.create(published=True)
page = PageFactory.create(project_id=project.id)
assert_raises(Unauthorized, ensure_authorized_to, 'update', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_update_page(self):
"""Test authenticated user can update page
if it's the project's page owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner)
page = PageFactory.create(project_id=project.id)
assert_not_raises(Exception, ensure_authorized_to, 'update', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_update_page(self):
"""Test admins can update page
even if it's not the post owner"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(owner=owner)
page = PageFactory.create(project_id=project.id)
assert_not_raises(Exception, ensure_authorized_to, 'update', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_delete_page(self):
"""Test anonymous users cannot delete pages"""
project = ProjectFactory.create(published=True)
page = PageFactory.create(project_id=project.id)
assert_raises(Unauthorized, ensure_authorized_to, 'delete', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_delete_page(self):
"""Test authenticated user cannot delete a page if is not the page's
owner and is not admin"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(owner=owner, published=True)
page = PageFactory.create(project_id=project.id)
assert self.mock_authenticated.id != owner.id
assert not self.mock_authenticated.admin
assert_raises(Forbidden, ensure_authorized_to, 'delete', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_delete_page(self):
"""Test authenticated user can delete a page if is the page
owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner)
page = PageFactory.create(project_id=project.id)
assert self.mock_authenticated.id == owner.id
assert_not_raises(Exception, ensure_authorized_to, 'delete', page)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_authenticated_user_delete_page(self):
"""Test authenticated user can delete any page if
it's admin"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(owner=owner)
page = PageFactory.create(project_id=project.id)
assert self.mock_admin.id != owner.id
assert_not_raises(Exception, ensure_authorized_to, 'delete', page)
class TestWebhookAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_read_webhook(self):
"""Test anonymous users cannot read a webhook"""
project = ProjectFactory.create()
webhook = WebhookFactory.create(project_id=project.id)
assert_raises(Unauthorized, ensure_authorized_to, 'read', webhook)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_read_project_webhooks(self):
"""Test anonymous users cannot read webhooks of a specific project"""
project = ProjectFactory.create()
assert_raises(Unauthorized, ensure_authorized_to, 'read', Webhook, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_user_cannot_read_webhook(self):
"""Test owner users can read a webhook"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
webhook = WebhookFactory.create(project_id=project.id)
assert self.mock_authenticated.id == project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'read', webhook)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_owner_user_cannot_read_project_webhooks(self):
"""Test owner users can read webhooks of a specific project"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert_not_raises(Exception, ensure_authorized_to, 'read', Webhook, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_user_can_read_webhook(self):
"""Test admin users can read a webhook"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
webhook = WebhookFactory.create(project_id=project.id)
assert self.mock_admin.id != project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'read', webhook)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_user_can_read_project_webhooks(self):
"""Test admin users can read webhooks from a project"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert self.mock_admin.id != project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'read', Webhook, project_id=project.id)
@with_context
@patch('pybossa.auth.current_user', new=mock_anonymous)
def test_anonymous_user_cannot_crud_webhook(self):
"""Test anonymous users cannot crud webhooks"""
webhook = Webhook()
assert_raises(Unauthorized, ensure_authorized_to, 'create', webhook)
assert_raises(Unauthorized, ensure_authorized_to, 'update', webhook)
assert_raises(Unauthorized, ensure_authorized_to, 'delete', webhook)
@with_context
@patch('pybossa.auth.current_user', new=mock_authenticated)
def test_authenticated_user_cannot_crud_webhook(self):
"""Test authenticated users cannot crud webhooks"""
webhook = Webhook()
assert_raises(Forbidden, ensure_authorized_to, 'create', webhook)
assert_raises(Forbidden, ensure_authorized_to, 'update', webhook)
assert_raises(Forbidden, ensure_authorized_to, 'delete', webhook)
@with_context
@patch('pybossa.auth.current_user', new=mock_admin)
def test_admin_user_cannot_crud_webhook(self):
"""Test admin users cannot crud webhooks"""
webhook = Webhook()
assert_raises(Forbidden, ensure_authorized_to, 'create', webhook)
assert_raises(Forbidden, ensure_authorized_to, 'update', webhook)
assert_raises(Forbidden, ensure_authorized_to, 'delete', webhook)
class TestBlogpostAuthorization(Test):
mock_anonymous = mock_current_user()
mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
mock_admin = mock_current_user(anonymous=False, admin=True, id=1)
def setUp(self):
super(TestBlogpostAuthorization, self).setUp()
with self.flask_app.app_context():
self.create()
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_create_given_blogpost(self):
"""Test anonymous users cannot create a given blogpost"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
blogpost = Blogpost(title='title', app_id=app.id, owner=None)
assert_raises(Unauthorized, getattr(require, 'blogpost').create, blogpost)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_create_blogposts_for_given_app(self):
"""Test anonymous users cannot create blogposts for a given app"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
assert_raises(Unauthorized, getattr(require, 'blogpost').create, app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_create_blogposts(self):
"""Test anonymous users cannot create any blogposts"""
with self.flask_app.test_request_context('/'):
assert_raises(Unauthorized, getattr(require, 'blogpost').create)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.blogpost.current_user', new=mock_admin)
def test_non_owner_authenticated_user_create_given_blogpost(self):
"""Test authenticated user cannot create a given blogpost if is not the
app owner, even if is admin"""
with self.flask_app.app_context():
app = db.session.query(App).first()
root = db.session.query(User).first()
blogpost = Blogpost(title='title', body='body',
app_id=app.id, user_id=root.id)
assert_raises(Forbidden, getattr(require, 'blogpost').create, blogpost)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.blogpost.current_user', new=mock_admin)
def test_non_owner_authenticated_user_create_blogpost_for_given_app(self):
"""Test authenticated user cannot create blogposts for a given app
if is not the app owner, even if is admin"""
with self.flask_app.app_context():
app = db.session.query(App).first()
assert_raises(Forbidden, getattr(require, 'blogpost').create, app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_create_given_blogpost(self):
"""Test authenticated user can create a given blogpost if is app owner"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
user1 = db.session.query(User).get(2)
blogpost = Blogpost(title='title', body='body',
app_id=app.id, user_id=user1.id)
assert_not_raises(Exception, getattr(require, 'blogpost').create, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_create_blogpost_for_given_app(self):
"""Test authenticated user can create blogposts for a given app
if is app owner"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
assert_not_raises(Exception, getattr(require, 'blogpost').create, app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_create_blogpost_as_other_user(self):
"""Test authenticated user cannot create blogpost if is app owner but
sets another person as the author of the blogpost"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
user2 = db.session.query(User).get(3)
blogpost = Blogpost(title='title', body='body',
app_id=app.id, user_id=user2.id)
assert_raises(Forbidden, getattr(require, 'blogpost').create, blogpost)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_read_given_blogpost(self):
"""Test anonymous users can read a given blogpost"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
blogpost = Blogpost(title='title', body='body', app_id=app.id, owner=None)
db.session.add(blogpost)
db.session.commit()
assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_read_blogposts_for_given_app(self):
"""Test anonymous users can read blogposts of a given app"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_read_given_blogpost_hidden_app(self):
"""Test anonymous users cannot read a given blogpost of a hidden app"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
app.hidden = 1
blogpost = Blogpost(title='title', body='body', app_id=app.id, owner=None)
db.session.add(blogpost)
db.session.commit()
assert_raises(Unauthorized, getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_read_blogposts_for_given_hidden_app(self):
"""Test anonymous users cannot read blogposts of a given app if is hidden"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
app.hidden = 1
assert_raises(Unauthorized, getattr(require, 'blogpost').read, app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_given_blogpost(self):
"""Test authenticated user can read a given blogpost if is not the app owner"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
root = db.session.query(User).get(1)
app.owner = root
blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=root.id)
db.session.add(blogpost)
db.session.commit()
assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_blogposts_for_given_app(self):
"""Test authenticated user can read blogposts of a given app if
is not the app owner"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
root = db.session.query(User).get(1)
app.owner = root
db.session.commit()
assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_given_blogpost_hidden_app(self):
"""Test authenticated user cannot read a given blogpost of a hidden app
if is not the app owner"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
root = db.session.query(User).get(1)
app.hidden = 1
app.owner = root
blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=root.id)
db.session.add(blogpost)
db.session.commit()
assert_raises(Forbidden, getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_read_blogposts_for_given_hidden_app(self):
"""Test authenticated user cannot read blogposts of a given app if is
hidden and is not the app owner"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
root = db.session.query(User).get(1)
app.hidden = 1
app.owner = root
db.session.commit()
assert_raises(Forbidden, getattr(require, 'blogpost').read, app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_read_given_blogpost(self):
"""Test authenticated user can read a given blogpost if is the app owner"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
user1 = db.session.query(User).get(2)
blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id)
db.session.add(blogpost)
db.session.commit()
assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_read_blogposts_for_given_app(self):
"""Test authenticated user can read blogposts of a given app if is the owner"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_read_given_blogpost_hidden_app(self):
"""Test authenticated user can read a given blogpost of a hidden app if
is the app owner"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
user1 = db.session.query(User).get(2)
blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id)
db.session.add(blogpost)
db.session.commit()
assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_read_blogposts_for_given_hidden_app(self):
"""Test authenticated user can read blogposts of a given hidden app if
is the app owner"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
app.hidden = 1
assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.blogpost.current_user', new=mock_admin)
def test_admin_read_given_blogpost_hidden_app(self):
"""Test admin can read a given blogpost of a hidden app"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
app.hidden = 1
user1 = db.session.query(User).get(2)
blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id)
db.session.add(blogpost)
db.session.commit()
assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.blogpost.current_user', new=mock_admin)
def test_admin_read_blogposts_for_given_hidden_app(self):
"""Test admin can read blogposts of a given hidden app"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
app.hidden = 1
assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_update_blogpost(self):
"""Test anonymous users cannot update blogposts"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
blogpost = Blogpost(title='title', body='body', app_id=app.id, owner=None)
db.session.add(blogpost)
db.session.commit()
assert_raises(Unauthorized, getattr(require, 'blogpost').update, blogpost)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.blogpost.current_user', new=mock_admin)
def test_non_owner_authenticated_user_update_blogpost(self):
"""Test authenticated user cannot update a blogpost if is not the post
owner, even if is admin"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
user1 = db.session.query(User).get(2)
blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id)
db.session.add(blogpost)
db.session.commit()
assert_raises(Forbidden, getattr(require, 'blogpost').update, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_update_blogpost(self):
"""Test authenticated user can update blogpost if is the post owner"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
user1 = db.session.query(User).get(2)
blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id)
db.session.add(blogpost)
db.session.commit()
assert_not_raises(Exception, getattr(require, 'blogpost').update, blogpost)
@patch('pybossa.auth.current_user', new=mock_anonymous)
@patch('pybossa.auth.blogpost.current_user', new=mock_anonymous)
def test_anonymous_user_delete_blogpost(self):
"""Test anonymous users cannot delete blogposts"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
blogpost = Blogpost(title='title', body='body', app_id=app.id, owner=None)
db.session.add(blogpost)
db.session.commit()
assert_raises(Unauthorized, getattr(require, 'blogpost').delete, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_non_owner_authenticated_user_delete_blogpost(self):
"""Test authenticated user cannot delete a blogpost if is not the post
owner or is not admin"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
root = db.session.query(User).get(1)
blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=root.id)
db.session.add(blogpost)
db.session.commit()
assert_raises(Forbidden, getattr(require, 'blogpost').delete, blogpost)
@patch('pybossa.auth.current_user', new=mock_authenticated)
@patch('pybossa.auth.blogpost.current_user', new=mock_authenticated)
def test_owner_delete_blogpost(self):
"""Test authenticated user can delete blogpost if is the post owner"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
user1 = db.session.query(User).get(2)
blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id)
db.session.add(blogpost)
db.session.commit()
assert_not_raises(Exception, getattr(require, 'blogpost').delete, blogpost)
@patch('pybossa.auth.current_user', new=mock_admin)
@patch('pybossa.auth.blogpost.current_user', new=mock_admin)
def test_admin_authenticated_user_delete_blogpost(self):
"""Test authenticated user can delete a blogpost if is admin"""
with self.flask_app.test_request_context('/'):
app = db.session.query(App).first()
user1 = db.session.query(User).get(2)
blogpost = Blogpost(title='title', body='body', app_id=app.id, user_id=user1.id)
db.session.add(blogpost)
db.session.commit()
assert_not_raises(Exception, getattr(require, 'blogpost').delete, blogpost)
