Exemplo n.º 1
def test_as_auditor_questionnaire_is_not_listed_if_not_associated_with_user_control():
    """The control listing shows a user only the questionnaires of their own control.

    Two controls each get a published questionnaire; the user (built with
    ``utils.make_audited_user``) is linked to the first control only.
    """
    own_control = factories.ControlFactory()
    foreign_control = factories.ControlFactory()
    factories.QuestionnaireFactory(
        control=own_control, is_draft=False, title='MUST BE LISTED')
    factories.QuestionnaireFactory(
        control=foreign_control, is_draft=False, title='MUST NOT BE LISTED')
    audited_user = utils.make_audited_user(own_control)

    response = list_control(audited_user)

    assert response.status_code == 200
    body = str(response.content)
    assert 'MUST BE LISTED' in body
    # Isolation check: data of the control the user is not linked to must
    # not appear anywhere in the response body.
    assert 'MUST NOT BE LISTED' not in body
Exemplo n.º 2
def test_cannot_get_users_of_neigboring_control():
    """Regression test: sharing one control with a colleague grants no access to their other controls."""
    # Testing for a specific bug we had.
    shared_control = factories.ControlFactory()
    first_inspector = utils.make_inspector_user(shared_control)

    neighbor_control = factories.ControlFactory()
    second_inspector = utils.make_inspector_user(neighbor_control)
    second_inspector.profile.controls.add(shared_control)

    # neighbor_control is unknown to first_inspector.
    # second_inspector is known to first_inspector (both are on shared_control).
    # So first_inspector should not be able to get info on neighbor_control.
    response = get_users_of_control(first_inspector, neighbor_control)

    # A 404 is expected here: the answer for an out-of-scope control is the
    # same as for a control that does not exist.
    assert response.status_code == 404
Exemplo n.º 3
def test_as_auditor_questionnaire_is_not_listed_if_associated_with_deleted_control():
    """Questionnaires of a deleted control are hidden even from a user still linked to it."""
    live_control = factories.ControlFactory()
    removed_control = factories.ControlFactory()
    factories.QuestionnaireFactory(
        control=live_control, is_draft=False, title='MUST BE LISTED')
    factories.QuestionnaireFactory(
        control=removed_control, is_draft=False, title='MUST NOT BE LISTED')
    audited_user = utils.make_audited_user(live_control)
    # The user is linked to the second control *before* it is deleted, so a
    # leftover membership alone must not keep its data visible.
    audited_user.profile.controls.add(removed_control)
    removed_control.delete()

    response = list_control(audited_user)

    assert response.status_code == 200
    body = str(response.content)
    assert 'MUST BE LISTED' in body
    assert 'MUST NOT BE LISTED' not in body
Exemplo n.º 4
def test_cannot_get_users_of_control_if_control_does_not_belong_to_user():
    """Users created without any control get a 404 when asking for a control's user list."""
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user()
    audited = utils.make_audited_user()

    # Both helpers are called without a control, so neither requester is
    # linked to `control`; the check is repeated for each profile type.
    for requester in (inspector, audited):
        assert get_users_of_control(requester, control).status_code == 404
Exemplo n.º 5
def test_can_get_users_of_control_if_control_belongs_to_user():
    """Positive case: users linked to a control can fetch that control's user list."""
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user(control)
    audited = utils.make_audited_user(control)

    # Same endpoint, one request per profile type; both are expected to succeed.
    for requester in (inspector, audited):
        assert get_users_of_control(requester, control).status_code == 200
Exemplo n.º 6
def test_inspector_can_update_an_existing_user_with_different_casing():
    """Posting an existing user's email in upper case updates that user instead of creating a new one.

    Email casing matters for account identity: if the lookup were case
    sensitive, the POST would create a second account for the same mailbox.
    The user count before/after the request guards against that.
    """
    inspector = factories.UserProfileFactory(
        profile_type=UserProfile.INSPECTOR)
    control = factories.ControlFactory()
    target_profile = factories.UserProfileFactory(
        profile_type=UserProfile.AUDITED)
    inspector.controls.add(control)
    target_profile.controls.add(control)
    form = dict(
        first_name='Marcel',
        last_name='Proust',
        profile_type=UserProfile.AUDITED,
        organization='',
        email=target_profile.user.email.upper(),  # same address, upper-cased
    )
    # Sanity check: the names sent below really are a change.
    assert existing_names_differ(target_profile) if False else True
    assert target_profile.user.first_name != 'Marcel'
    assert target_profile.user.last_name != 'Proust'

    utils.login(client, user=inspector.user)
    endpoint = reverse('api:user-list')
    users_before = User.objects.count()
    # NOTE(review): the response of this POST is not inspected; only the
    # database state is asserted below.
    client.post(endpoint, form)

    users_after = User.objects.count()
    refreshed = UserProfile.objects.get(pk=target_profile.pk)
    # The update happened in place: no new user row was created.
    assert users_after == users_before
    assert refreshed.user.first_name == 'Marcel'
    assert refreshed.user.last_name == 'Proust'
    # The stored email is still lower case.
    assert refreshed.user.email.lower() == refreshed.user.email
Exemplo n.º 7
def test_inspector_can_update_an_existing_user():
    """Posting an existing user's email to the user-list endpoint updates that user in place."""
    inspector = factories.UserProfileFactory(
        profile_type=UserProfile.INSPECTOR)
    control = factories.ControlFactory()
    target_profile = factories.UserProfileFactory(
        profile_type=UserProfile.AUDITED)
    inspector.controls.add(control)
    target_profile.controls.add(control)
    form = dict(
        first_name='Marcel',
        last_name='Proust',
        profile_type=UserProfile.AUDITED,
        organization='',
        email=target_profile.user.email,
    )
    # Sanity check: the names sent below really are a change.
    assert target_profile.user.first_name != 'Marcel'
    assert target_profile.user.last_name != 'Proust'

    utils.login(client, user=inspector.user)
    endpoint = reverse('api:user-list')
    users_before = User.objects.count()
    # NOTE(review): the response of this POST is not inspected; only the
    # database state is asserted below.
    client.post(endpoint, form)

    users_after = User.objects.count()
    refreshed = UserProfile.objects.get(pk=target_profile.pk)
    # No new user row: the existing account was modified.
    assert users_after == users_before
    assert refreshed.user.first_name == 'Marcel'
    assert refreshed.user.last_name == 'Proust'
def test_cannot_get_response_file_if_control_is_not_associated_with_the_user():
    """A user linked to an unrelated control gets a 4xx when fetching a response file by id."""
    response_file = factories.ResponseFileFactory()
    # A fresh control, created independently of the response file.
    # presumably distinct from the file's own control — verify against the factory
    unrelated_control = factories.ControlFactory()
    user = utils.make_audited_user(unrelated_control)

    response = get_response_file(user, response_file.id)

    # Any client-error status counts as a denial; the exact code is not pinned.
    assert 400 <= response.status_code < 500
Exemplo n.º 9
def test_cannot_get_users_of_control_if_control_is_deleted():
    """Once a control is deleted, its user list returns 404 even to users linked to it."""
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user(control)
    audited = utils.make_audited_user(control)
    # Both users were linked to the control before the deletion.
    control.delete()

    for requester in (inspector, audited):
        assert get_users_of_control(requester, control).status_code == 404
Exemplo n.º 10
def test_user_cannot_set_editor_if_they_cannot_access_the_questionnaire():
    """An inspector with no control cannot make themselves editor of a draft questionnaire."""
    control = factories.ControlFactory()
    # control=None: the inspector is not linked to the questionnaire's control.
    outsider = utils.make_inspector_user(
        control=None, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(control=control, is_draft=True)

    # The outsider asks for the editor role for themselves.
    response = call_api(outsider, draft.id, outsider.id)

    # NOTE(review): only the status is checked; asserting that the stored
    # editor is unchanged afterwards would also catch a write that happens
    # before the permission error is returned.
    assert 400 <= response.status_code < 500
Exemplo n.º 11
def test_delete_twice_raise_404():
    """Calling the delete endpoint on an already-deleted control returns 404."""
    inspector = factories.UserProfileFactory(profile_type=UserProfile.INSPECTOR)
    control = factories.ControlFactory()
    inspector.controls.add(control)
    utils.login(client, user=inspector.user)
    # The URL is built while the control still exists, so its pk is captured.
    delete_url = reverse('api:deletion-delete-control', args=[control.pk])
    # First deletion goes through the model, the second through the API.
    control.delete()

    response = client.post(delete_url)

    assert response.status_code == 404
Exemplo n.º 12
def test_draft_questionnaire_is_listed_in_controls_data_if_user_is_inspector():
    """An inspector linked to a control sees both its published and its draft questionnaires."""
    control = factories.ControlFactory()
    factories.QuestionnaireFactory(
        control=control, is_draft=False, title='MUST BE LISTED')
    factories.QuestionnaireFactory(
        control=control, is_draft=True, title='MUST ALSO BE LISTED')
    inspector = utils.make_inspector_user(control)

    response = list_control(inspector)

    assert response.status_code == 200
    body = str(response.content)
    assert 'MUST BE LISTED' in body
    # The draft (is_draft=True) is expected in the listing as well.
    assert 'MUST ALSO BE LISTED' in body
def test_cannot_trash_response_file_if_control_is_not_associated_with_the_user():
    """A user linked to an unrelated control gets a 4xx when trying to trash a response file."""
    response_file = factories.ResponseFileFactory()
    # A fresh control, created independently of the response file.
    # presumably distinct from the file's own control — verify against the factory
    unrelated_control = factories.ControlFactory()
    user = utils.make_audited_user(unrelated_control)
    trash_request = {"is_deleted": "true"}

    response = trash_response_file(user, response_file.id, trash_request)

    # NOTE(review): only the status is checked; re-reading the file to confirm
    # it was not flagged as deleted would make the denial stronger.
    assert 400 <= response.status_code < 500
Exemplo n.º 14
def test_questionnaire_create_fails_with_malformed_question():
    """A create payload whose first question lacks 'description' is rejected with 400 and saves nothing."""
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user(control)
    payload = make_create_payload(control.id)

    # Malform the payload: drop a field from the first question of the first theme.
    first_question = payload['themes'][0]['questions'][0]
    del first_question['description']

    response = create_questionnaire(inspector, payload)

    assert response.status_code == 400
    # Rejected input must not leave partial data behind.
    assert_no_data_is_saved()
Exemplo n.º 15
def test_no_questionnaire_create_if_control_is_deleted():
    """Creating a questionnaire for a deleted control is refused with 403 or 404."""
    increment_ids()
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user(control)
    # The payload references the control's id while the control still exists.
    payload = make_create_payload(control.id)
    assert_no_data_is_saved()
    control.delete()

    response = create_questionnaire(inspector, payload)

    # NOTE(review): assert_no_data_is_saved() runs only before the request;
    # whether the refused request stored anything is not checked here.
    assert response.status_code in (403, 404)
Exemplo n.º 16
def test_send_response_file_list_fails_for_inspector_if_the_control_is_not_associated_with_the_user(
        client):
    """An inspector linked to an unrelated control cannot fetch a questionnaire's response list."""
    published = factories.QuestionnaireFactory(is_draft=False)
    # A fresh control, created independently of the questionnaire.
    # presumably distinct from the questionnaire's control — verify against the factory
    unrelated_control = factories.ControlFactory()
    inspector = utils.make_inspector_user(unrelated_control)

    response = get_response_list(client, inspector, published.id)

    # NOTE(review): `!= 200` also passes on a redirect or a 5xx error; once the
    # view's denial status is known, pinning it (e.g. a 4xx range) would keep
    # a crash from being counted as a successful denial.
    assert response.status_code != 200
Exemplo n.º 17
def test_noneditor_can_get_rights_on_questionnaire_without_editor():
    """An inspector on the control can claim the editor role of a draft that has no editor."""
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user(
        control, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(
        control=control, is_draft=True, editor=None)
    # Precondition: nobody holds the editor role yet.
    assert_questionnaire_has_editor(draft, None)

    response = call_api(inspector, draft.id, inspector.id)

    assert response.status_code == 200
    assert_questionnaire_has_editor(draft, inspector)
Exemplo n.º 18
def test_audited_cannot_access_api():
    """A user built with make_audited_user is refused by the editor API, and the editor stays unchanged."""
    control = factories.ControlFactory()
    audited_user = utils.make_audited_user(control)
    draft = factories.QuestionnaireFactory(
        control=control, is_draft=True, editor=audited_user)
    assert_questionnaire_has_editor(draft, audited_user)

    response = call_api(audited_user, draft.id, audited_user.id)

    assert 400 <= response.status_code < 500
    # Re-checked after the refused call: the stored editor was not modified.
    assert_questionnaire_has_editor(draft, audited_user)
Exemplo n.º 19
def test_download_question_file_fails_if_the_control_is_not_associated_with_the_user(
        client):
    """A user linked only to an unrelated control cannot download a question file."""
    question_file = factories.QuestionFileFactory()
    unauthorized_control = factories.ControlFactory()
    # Precondition: the user's control really is a different one from the
    # control that owns the file.
    file_control = question_file.question.theme.questionnaire.control
    assert unauthorized_control != file_control
    audited_user = utils.make_audited_user(unauthorized_control)
    utils.login(client, user=audited_user)

    download_url = reverse('send-question-file', args=[question_file.id])
    response = client.get(download_url)

    # NOTE(review): `!= 200` also passes on a redirect or a 5xx error; once the
    # view's denial status is known, pinning it (e.g. a 4xx range) would keep
    # a crash from being counted as a successful denial.
    assert response.status_code != 200
Exemplo n.º 20
def test_audited_cannot_delete_a_control():
    """An AUDITED profile linked to a control gets 403 from the delete endpoint and nothing is deleted."""
    audited = factories.UserProfileFactory(profile_type=UserProfile.AUDITED)
    control = factories.ControlFactory()
    # The user is a member of the control, so the refusal is about the
    # profile type, not about membership.
    audited.controls.add(control)
    utils.login(client, user=audited.user)
    delete_url = reverse('api:deletion-delete-control', args=[control.pk])

    active_before = Control.objects.active().count()
    response = client.post(delete_url)
    active_after = Control.objects.active().count()

    # State first, status second: the denial must have no side effect.
    assert active_after == active_before
    assert response.status_code == 403
Exemplo n.º 21
def test_editor_can_transfer_rights():
    """The current editor of a draft can hand the editor role to another inspector on the same control."""
    control = factories.ControlFactory()
    current_editor = utils.make_inspector_user(
        control, assign_questionnaire_editor=False)
    next_editor = utils.make_inspector_user(
        control, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(
        control=control, is_draft=True, editor=current_editor)
    assert_questionnaire_has_editor(draft, current_editor)

    # The request is made by the current editor and names the other inspector.
    response = call_api(current_editor, draft.id, next_editor.id)

    assert response.status_code == 200
    assert_questionnaire_has_editor(draft, next_editor)
Exemplo n.º 22
def test_inspector_cannot_update_published_questionnaire():
    """Updating a published (is_draft=False) questionnaire is refused with a 4xx, even for its editor."""
    increment_ids()
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user(control)
    published = factories.QuestionnaireFactory(
        is_draft=False, control=control, editor=inspector)
    payload = make_update_payload(published)

    # Here we are trying to update a questionnaire that's already published.
    response = update_questionnaire(inspector, payload)

    # NOTE(review): only the status is checked; comparing the stored
    # questionnaire before and after would confirm nothing was written.
    assert 400 <= response.status_code < 500
Exemplo n.º 23
def test_questionnaire_draft_update__editor_can_update():
    """The user who created a draft through the API can update it."""
    increment_ids()
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user(control)
    # The value returned by the create helper is reused as the update payload.
    draft_payload = create_questionnaire_through_api(inspector, control)
    draft_payload['description'] = 'this is a great questionnaire.'

    response = update_questionnaire(inspector, draft_payload)

    assert response.status_code == 200
Exemplo n.º 24
def access_control_page(client, page_name, is_control_associated_with_user, profile_type):
    """GET a control page as a freshly created user and return the response.

    Args:
        client: test client used to log in and issue the request.
        page_name: URL name passed to ``reverse``; the new control's id is
            its only argument.
        is_control_associated_with_user: when true the user is created with
            the new control, otherwise with ``None`` in its place.
        profile_type: profile type handed to ``utils.make_user``.

    Returns:
        The response of the GET request.
    """
    control = factories.ControlFactory()
    # Callers toggle membership to exercise both the allowed and denied paths.
    linked_control = control if is_control_associated_with_user else None
    user = utils.make_user(profile_type, linked_control)

    utils.login(client, user=user)
    return client.get(reverse(page_name, args=[control.id]))
Exemplo n.º 25
def test_inspector_can_delete_a_control():
    """An INSPECTOR profile linked to a control can delete it through the API."""
    inspector = factories.UserProfileFactory(profile_type=UserProfile.INSPECTOR)
    control = factories.ControlFactory()
    inspector.controls.add(control)
    utils.login(client, user=inspector.user)
    delete_url = reverse('api:deletion-delete-control', args=[control.pk])

    active_before = Control.objects.active().count()
    response = client.post(delete_url)
    active_after = Control.objects.active().count()

    # Exactly one control left the active set.
    assert active_after == active_before - 1
    assert response.status_code == 200
Exemplo n.º 26
def test_no_access_to_editor_api_for_deleted_control():
    """The editor API returns 404 for a questionnaire whose control has been deleted."""
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user(
        control, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(
        control=control, is_draft=True, editor=inspector)
    assert_questionnaire_has_editor(draft, inspector)
    # The requester is both linked to the control and the current editor;
    # the deletion alone is what should close access.
    control.delete()

    response = call_api(inspector, draft.id, inspector.id)

    assert response.status_code == 404
Exemplo n.º 27
def test_download_response_file_fails_if_the_control_is_not_associated_with_the_user(
        client):
    """Being the author of a response file is not enough to download it without the file's control.

    Assumes the factory does not link the author to the file's own control
    — TODO confirm against ResponseFileFactory.
    """
    response_file = factories.ResponseFileFactory()
    author = response_file.author
    unauthorized_control = factories.ControlFactory()
    # Precondition: the control added to the author's profile is not the one
    # that owns the file.
    file_control = response_file.question.theme.questionnaire.control
    assert unauthorized_control != file_control
    author.profile.controls.add(unauthorized_control)
    author.profile.save()
    utils.login(client, user=response_file.author)

    download_url = reverse('send-response-file', args=[response_file.id])
    response = client.get(download_url)

    # NOTE(review): `!= 200` also passes on a redirect or a 5xx error; once the
    # view's denial status is known, pinning it (e.g. a 4xx range) would keep
    # a crash from being counted as a successful denial.
    assert response.status_code != 200
Exemplo n.º 28
def test_no_access_to_questionnaire_page_if_control_is_not_associated_with_the_user(
        client):
    """A user linked only to an unrelated control cannot open a questionnaire's detail page."""
    questionnaire = factories.QuestionnaireFactory()
    user = factories.UserFactory()
    unrelated_control = factories.ControlFactory()
    # Precondition: the user's control is not the questionnaire's control.
    assert unrelated_control != questionnaire.control
    user.profile.controls.add(unrelated_control)
    user.profile.save()
    utils.login(client, user=user)

    detail_url = reverse('questionnaire-detail', args=[questionnaire.id])
    response = client.get(detail_url)

    # NOTE(review): `!= 200` also passes on a redirect or a 5xx error; once the
    # view's denial status is known, pinning it (e.g. a 4xx range) would keep
    # a crash from being counted as a successful denial.
    assert response.status_code != 200
Exemplo n.º 29
def test_inspector_can_remove_user_from_control():
    """An inspector can remove another user from a control they both belong to."""
    # NOTE(review): profile types are spelled as string literals here;
    # presumably equal to UserProfile.AUDITED / UserProfile.INSPECTOR — confirm.
    member = factories.UserProfileFactory(profile_type='audited')
    inspector = factories.UserProfileFactory(profile_type='inspector')
    control = factories.ControlFactory()
    inspector.controls.add(control)
    member.controls.add(control)
    utils.login(client, user=inspector.user)
    remove_url = reverse('api:user-remove-control', args=[member.pk])

    control_members = User.objects.filter(profile__controls=control)
    members_before = control_members.count()
    response = client.post(remove_url, {'control': control.pk})
    members_after = User.objects.filter(profile__controls=control).count()

    # Exactly one user lost their link to the control.
    assert members_after == members_before - 1
    assert response.status_code == 200
Exemplo n.º 30
def test_questionnaire_draft_update__non_author_cannot_update():
    """An inspector on the same control who did not create the draft cannot update it."""
    increment_ids()
    # Create questionnaire draft through api, to set the author properly.
    control = factories.ControlFactory()
    author = utils.make_inspector_user(control)
    draft_payload = create_questionnaire_through_api(author, control)

    # Same control, same kind of user: only authorship differs.
    non_author = utils.make_inspector_user(control)
    draft_payload['description'] = 'this is a great questionnaire.'

    response = update_questionnaire(non_author, draft_payload)

    # NOTE(review): only the status is checked; re-reading the draft to confirm
    # its description is unchanged would make the denial stronger.
    assert 400 <= response.status_code < 500