Exemplo n.º 1
def test_query_stock_requires_permission(staff_api_client, stock):
    """Check that the single-stock query is refused without MANAGE_PRODUCTS.

    The staff client is first confirmed to lack the permission, so the
    refusal checked by ``assert_no_permission`` is not vacuous.
    """
    requester = staff_api_client.user
    assert not requester.has_perm(ProductPermissions.MANAGE_PRODUCTS)

    query_variables = {"id": graphene.Node.to_global_id("Stock", stock.pk)}
    response = staff_api_client.post_graphql(
        QUERY_STOCK, variables=query_variables
    )
    assert_no_permission(response)
Exemplo n.º 2
def test_stored_payment_sources_restriction(
    mocker, staff_api_client, customer_user, permission_manage_users
):
    """Check that staff cannot read another user's storedPaymentSources.

    ``gateway.list_payment_sources`` is patched to return one stored card, so
    there is a payment source that could be returned. The request is sent
    with ``permission_manage_users`` and must still satisfy
    ``assert_no_permission``: only the owner of the sources may fetch them.
    """
    # Replace the gateway lookup with a fixed result; no real gateway is hit.
    mocker.patch(
        "saleor.graphql.account.resolvers.gateway.list_payment_sources",
        return_value=[
            CustomerSource(
                id="test1",
                gateway="dummy",
                credit_card_info=CreditCardInfo(
                    last_4="5678",
                    exp_year=2020,
                    exp_month=12,
                    name_on_card="JohnDoe",
                ),
            )
        ],
        autospec=True,
    )

    query = """
        query PaymentSources($id: ID!) {
            user(id: $id) {
                storedPaymentSources {
                    creditCardInfo {
                        firstDigits
                    }
                }
            }
        }
    """
    target_user_id = graphene.Node.to_global_id("User", customer_user.pk)

    # NOTE(review): `permissions=` presumably grants the listed permission to
    # the staff user for this request; confirm against post_graphql.
    response = staff_api_client.post_graphql(
        query, {"id": target_user_id}, permissions=[permission_manage_users]
    )
    assert_no_permission(response)
Exemplo n.º 3
def test_query_warehouses_requires_permissions(staff_api_client, warehouse):
    """Check that listing warehouses is refused without MANAGE_PRODUCTS.

    The response must carry exactly one GraphQL error and satisfy
    ``assert_no_permission``.
    """
    staff = staff_api_client.user
    assert not staff.has_perm(ProductPermissions.MANAGE_PRODUCTS)

    response = staff_api_client.post_graphql(QUERY_WAREHOUSES)

    # ignore_errors=True: the error list is exactly what is being inspected.
    payload = get_graphql_content(response, ignore_errors=True)
    assert len(payload["errors"]) == 1
    assert_no_permission(response)
def test_query_plugin_configuration_as_customer_user(user_api_client, settings):
    """Check that ``user_api_client`` cannot query a plugin's configuration.

    Going by the test name, ``user_api_client`` acts as a customer user; the
    sample plugin is enabled through ``settings.PLUGINS`` so the queried id
    refers to a plugin the manager can resolve.
    """
    settings.PLUGINS = ["tests.api.test_plugins.PluginSample"]
    plugins_manager = get_plugins_manager()
    plugin_name = plugins_manager.get_plugin(PluginSample.PLUGIN_NAME).PLUGIN_NAME

    response = user_api_client.post_graphql(PLUGIN_QUERY, {"id": plugin_name})

    assert_no_permission(response)
Exemplo n.º 5
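def test_delete_warehouse_requires_permission(staff_api_client, warehouse):
    """Check that deleting a warehouse is refused without MANAGE_PRODUCTS.

    Besides the single permission error in the response, the warehouse row
    is re-read afterwards: a mutation that reports a refusal but still
    performs the delete would otherwise pass this test.
    """
    assert not staff_api_client.user.has_perm(
        ProductPermissions.MANAGE_PRODUCTS)
    warehouse_id = graphene.Node.to_global_id("Warehouse", warehouse.pk)
    response = staff_api_client.post_graphql(MUTATION_DELETE_WAREHOUSE,
                                             variables={"id": warehouse_id})
    content = get_graphql_content(response, ignore_errors=True)
    errors = content["errors"]
    assert len(errors) == 1
    assert_no_permission(response)
    # Raises DoesNotExist if the refused mutation removed the row anyway.
    warehouse.refresh_from_db()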
Exemplo n.º 6
def test_fulfillment_update_metadata_user_has_no_permision(
        staff_api_client, staff_user, update_metadata_mutation,
        update_metadata_variables):
    """Check that updating fulfillment metadata is refused without MANAGE_ORDERS.

    The request is sent with an explicitly empty permission list.
    """
    can_manage_orders = staff_user.has_perm(OrderPermissions.MANAGE_ORDERS)
    assert not can_manage_orders

    # NOTE(review): check_no_permissions=False presumably turns off a check
    # built into the client so the assertion below is the one that counts;
    # confirm against post_graphql.
    request_options = {"permissions": [], "check_no_permissions": False}
    response = staff_api_client.post_graphql(
        update_metadata_mutation, update_metadata_variables, **request_options
    )
    assert_no_permission(response)
Exemplo n.º 7
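def test_mutation_update_warehouse_requires_permission(staff_api_client,
                                                       warehouse):
    """Check that renaming a warehouse is refused without MANAGE_PRODUCTS.

    The response must carry exactly one error and satisfy
    ``assert_no_permission``. The stored name is also compared before and
    after the call, so a refusal that still applied the change is caught.
    """
    assert not staff_api_client.user.has_perm(
        ProductPermissions.MANAGE_PRODUCTS)
    name_before = warehouse.name
    warehouse_id = graphene.Node.to_global_id("Warehouse", warehouse.pk)
    variables = {"input": {"name": "New test name"}, "id": warehouse_id}
    response = staff_api_client.post_graphql(MUTATION_UPDATE_WAREHOUSE,
                                             variables=variables)
    content = get_graphql_content(response, ignore_errors=True)
    errors = content["errors"]
    assert len(errors) == 1
    assert_no_permission(response)
    # Re-read from the database: the in-memory fixture would not show a write.
    warehouse.refresh_from_db()
    assert warehouse.name == name_before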
Exemplo n.º 8
def test_fulfillment_clear_private_meta_user_has_no_permission(
    staff_api_client,
    staff_user,
    fulfillment,
    clear_meta_variables,
    clear_private_metadata_mutation,
):
    """Check that clearing private fulfillment metadata needs MANAGE_ORDERS.

    Private metadata is stored and saved on the fulfillment first, then the
    clear mutation is sent by a staff user without the permission.
    """
    assert not staff_user.has_perm(OrderPermissions.MANAGE_ORDERS)

    # Seed a private entry so there is something a clear could remove.
    seeded_items = {"foo": "bar"}
    fulfillment.store_value_in_private_metadata(items=seeded_items)
    fulfillment.save()

    response = staff_api_client.post_graphql(
        clear_private_metadata_mutation, clear_meta_variables
    )
    assert_no_permission(response)
    # NOTE(review): the stored metadata is never re-read after the call, so a
    # refusal that still cleared it would go unnoticed here.
Exemplo n.º 9
def test_staff_clear_meta_without_permissions(staff_api_client,
                                              customer_with_meta, mutation):
    """Check that staff cannot clear a customer's metadata without permission.

    No ``permissions=`` argument is passed to ``post_graphql``; the response
    must satisfy ``assert_no_permission``.
    """
    target_id = graphene.Node.to_global_id("User", customer_with_meta.id)
    meta_path = {
        "namespace": PUBLIC_META_NAMESPACE,
        "clientName": META_CLIENT,
        "key": PUBLIC_KEY,
    }
    response = staff_api_client.post_graphql(
        mutation, {"id": target_id, "input": meta_path}
    )
    assert_no_permission(response)
def test_plugin_configuration_update_as_customer_user(user_api_client, settings):
    """Check that ``user_api_client`` cannot update a plugin's configuration.

    The mutation tries to activate the sample plugin and set its "Username"
    field; the response must satisfy ``assert_no_permission``.
    """
    settings.PLUGINS = ["tests.plugins.sample_plugins.PluginSample"]
    plugin = get_plugins_manager().get_plugin(PluginSample.PLUGIN_NAME)

    requested_change = {
        "id": plugin.PLUGIN_NAME,
        "active": True,
        "configuration": [{"name": "Username", "value": "user"}],
    }
    response = user_api_client.post_graphql(
        PLUGIN_UPDATE_MUTATION, requested_change
    )

    assert_no_permission(response)
    # NOTE(review): the plugin's stored configuration is not re-checked after
    # the refusal, so an applied-but-denied update would not be detected.
Exemplo n.º 11
def test_staff_update_meta_without_permissions(staff_api_client,
                                               customer_with_meta, mutation):
    """Check that staff cannot write a customer's metadata without permission.

    No ``permissions=`` argument is passed to ``post_graphql``; the response
    must satisfy ``assert_no_permission``.
    """
    target_id = graphene.Node.to_global_id("User", customer_with_meta.id)
    new_entry = {
        "namespace": "new_namespace",
        "clientName": "client_name",
        "key": "meta_key",
        "value": "value",
    }
    response = staff_api_client.post_graphql(
        mutation, {"id": target_id, "input": new_entry}
    )
    assert_no_permission(response)
Exemplo n.º 12
def test_warehouse_cannot_query_without_permissions(user_api_client,
                                                    warehouse):
    """Check that a single warehouse cannot be queried without MANAGE_PRODUCTS.

    Two things are verified on the response: the ``warehouse`` field comes
    back as ``None`` (no data returned next to the error) and exactly one
    error is reported.
    """
    requester = user_api_client.user
    assert not requester.has_perm(ProductPermissions.MANAGE_PRODUCTS)

    query_variables = {
        "id": graphene.Node.to_global_id("Warehouse", warehouse.pk)
    }
    response = user_api_client.post_graphql(
        QUERY_WAREHOUSE, variables=query_variables
    )

    payload = get_graphql_content(response, ignore_errors=True)
    returned_warehouse = payload["data"]["warehouse"]
    reported_errors = payload["errors"]
    assert returned_warehouse is None
    assert len(reported_errors) == 1
    assert_no_permission(response)
Exemplo n.º 13
def test_fulfillment_update_private_metadata_user_has_no_permision(
    staff_api_client,
    staff_user,
    update_private_metadata_mutation,
    update_metadata_variables,
):
    """Check that updating private fulfillment metadata needs order.manage_orders.

    The request is sent with an explicitly empty permission list.
    """
    has_order_access = staff_user.has_perm("order.manage_orders")
    assert not has_order_access

    # NOTE(review): check_no_permissions=False presumably turns off a check
    # built into the client; confirm against post_graphql.
    request_options = {"permissions": [], "check_no_permissions": False}
    response = staff_api_client.post_graphql(
        update_private_metadata_mutation,
        update_metadata_variables,
        **request_options,
    )
    assert_no_permission(response)
Exemplo n.º 14
def test_fulfillment_clear_private_meta_user_has_no_permission(
    staff_api_client,
    staff_user,
    fulfillment,
    clear_meta_variables,
    clear_private_metadata_mutation,
):
    """Check that clearing private fulfillment metadata needs order.manage_orders.

    A private entry is stored under namespace "test" / client "client1" and
    saved first, then the clear mutation is sent by a staff user without the
    permission.
    """
    may_manage_orders = staff_user.has_perm("order.manage_orders")
    assert not may_manage_orders

    # Seed a private entry so there is something a clear could remove.
    fulfillment.store_private_meta(
        namespace="test", client="client1", item={"foo": "bar"}
    )
    fulfillment.save()

    response = staff_api_client.post_graphql(
        clear_private_metadata_mutation, clear_meta_variables
    )
    assert_no_permission(response)
    # NOTE(review): the stored entry is never re-read after the call, so a
    # refusal that still cleared it would go unnoticed here.
Exemplo n.º 15
def test_mutation_create_warehouse_requires_permission(staff_api_client):
    """Check that creating a warehouse is refused without MANAGE_PRODUCTS.

    All warehouses are deleted up front, so the later "no warehouse exists"
    assertion shows the refused mutation created nothing.
    """
    Warehouse.objects.all().delete()
    staff = staff_api_client.user
    assert not staff.has_perm(ProductPermissions.MANAGE_PRODUCTS)

    address = {
        "streetAddress1": "Teczowa 8",
        "city": "Wroclaw",
        "country": "PL",
    }
    # NOTE(review): the email literal looks masked in this listing; it is
    # kept exactly as it appears.
    warehouse_input = {
        "name": "Test warehouse",
        "companyName": "Amazing Company Inc",
        "email": "*****@*****.**",
        "address": address,
    }
    response = staff_api_client.post_graphql(
        MUTATION_CREATE_WAREHOUSE, variables={"input": warehouse_input}
    )

    payload = get_graphql_content(response, ignore_errors=True)
    assert not Warehouse.objects.exists()
    assert len(payload["errors"]) == 1
    assert_no_permission(response)
Exemplo n.º 16
def test_query_plugin_configurations_as_customer_user(user_api_client,
                                                      settings):
    """Check that ``user_api_client`` cannot list plugin configurations.

    The sample plugin is enabled through ``settings.PLUGINS`` before the
    query is sent; the response must satisfy ``assert_no_permission``.
    """
    enabled_plugins = ["tests.plugins.sample_plugins.PluginSample"]
    settings.PLUGINS = enabled_plugins

    response = user_api_client.post_graphql(PLUGINS_QUERY)
    assert_no_permission(response)
Exemplo n.º 17
def test_query_stocks_requires_permissions(staff_api_client):
    """Check that listing stocks is refused without MANAGE_PRODUCTS.

    The staff client is first confirmed to lack the permission, so the
    refusal checked by ``assert_no_permission`` is not vacuous.
    """
    staff = staff_api_client.user
    assert not staff.has_perm(ProductPermissions.MANAGE_PRODUCTS)

    response = staff_api_client.post_graphql(QUERY_STOCKS)
    assert_no_permission(response)