def test_as_auditor_questionnaire_is_not_listed_if_not_associated_with_user_control():
    """An audited user only sees questionnaires of the controls they are attached to.

    Two published questionnaires are created on two distinct controls; the
    user is attached to a single one of them, so the listing must contain the
    title from that control and must not contain the other title.
    """
    own_control = factories.ControlFactory()
    foreign_control = factories.ControlFactory()
    factories.QuestionnaireFactory(control=own_control, is_draft=False, title='MUST BE LISTED')
    factories.QuestionnaireFactory(control=foreign_control, is_draft=False, title='MUST NOT BE LISTED')
    auditor = utils.make_audited_user(own_control)

    response = list_control(auditor)
    assert response.status_code == 200

    body = str(response.content)
    assert 'MUST BE LISTED' in body
    assert 'MUST NOT BE LISTED' not in body
def test_cannot_get_users_of_neigboring_control():
    """Regression test: sharing one control with another inspector must not expose that inspector's other controls.

    inspector_1 is attached to control_1 only. inspector_2 is attached to
    control_2 and then also to control_1, so inspector_2 is visible to
    inspector_1 through the shared control. That visibility must not let
    inspector_1 read the user list of control_2, which has to answer 404.
    """
    shared_control = factories.ControlFactory()
    requesting_inspector = utils.make_inspector_user(shared_control)
    hidden_control = factories.ControlFactory()
    neighbour = utils.make_inspector_user(hidden_control)
    # The neighbour now belongs to both controls; the requester only to the shared one.
    neighbour.profile.controls.add(shared_control)

    response = get_users_of_control(requesting_inspector, hidden_control)
    assert response.status_code == 404
def test_as_auditor_questionnaire_is_not_listed_if_associated_with_deleted_control():
    """Deleting a control hides its questionnaires from the audited user's listing.

    The user is attached to both controls; after the second control is
    deleted, its questionnaire title must no longer appear in the listing.
    """
    live_control = factories.ControlFactory()
    doomed_control = factories.ControlFactory()
    factories.QuestionnaireFactory(control=live_control, is_draft=False, title='MUST BE LISTED')
    factories.QuestionnaireFactory(control=doomed_control, is_draft=False, title='MUST NOT BE LISTED')
    auditor = utils.make_audited_user(live_control)
    auditor.profile.controls.add(doomed_control)
    doomed_control.delete()

    response = list_control(auditor)
    assert response.status_code == 200

    body = str(response.content)
    assert 'MUST BE LISTED' in body
    assert 'MUST NOT BE LISTED' not in body
def test_cannot_get_users_of_control_if_control_does_not_belong_to_user():
    """Users with no link to a control get 404 from its user listing, whatever their profile type."""
    control = factories.ControlFactory()
    outsiders = [utils.make_inspector_user(), utils.make_audited_user()]
    for outsider in outsiders:
        assert get_users_of_control(outsider, control).status_code == 404
def test_can_get_users_of_control_if_control_belongs_to_user():
    """Both inspector and audited users attached to a control can list its users (200)."""
    control = factories.ControlFactory()
    members = [utils.make_inspector_user(control), utils.make_audited_user(control)]
    for member in members:
        assert get_users_of_control(member, control).status_code == 200
def test_inspector_can_update_an_existing_user_with_different_casing():
    """Posting an existing email in a different case updates that user rather than creating a duplicate.

    After the POST the user count is unchanged, the names are updated and the
    stored email is still lowercase.
    """
    inspector = factories.UserProfileFactory(profile_type=UserProfile.INSPECTOR)
    control = factories.ControlFactory()
    target = factories.UserProfileFactory(profile_type=UserProfile.AUDITED)
    for profile in (inspector, target):
        profile.controls.add(control)

    post_data = {
        'first_name': 'Marcel',
        'last_name': 'Proust',
        'profile_type': UserProfile.AUDITED,
        'organization': '',
        'email': target.user.email.upper(),  # uppercase the email
    }
    # Preconditions: the names posted below really differ from the stored ones.
    assert target.user.first_name != 'Marcel'
    assert target.user.last_name != 'Proust'

    utils.login(client, user=inspector.user)
    user_list_url = reverse('api:user-list')
    count_before = User.objects.count()
    client.post(user_list_url, post_data)
    count_after = User.objects.count()

    refreshed = UserProfile.objects.get(pk=target.pk)
    # No new user was created: the existing one was updated in place.
    assert count_after == count_before
    assert refreshed.user.first_name == 'Marcel'
    assert refreshed.user.last_name == 'Proust'
    # The email was not re-stored with the uppercase casing we posted.
    assert refreshed.user.email == refreshed.user.email.lower()
def test_inspector_can_update_an_existing_user():
    """Posting an existing email through the user-list endpoint updates that user in place.

    The user count must not change and the posted names must be persisted.
    """
    inspector = factories.UserProfileFactory(profile_type=UserProfile.INSPECTOR)
    control = factories.ControlFactory()
    target = factories.UserProfileFactory(profile_type=UserProfile.AUDITED)
    for profile in (inspector, target):
        profile.controls.add(control)

    post_data = {
        'first_name': 'Marcel',
        'last_name': 'Proust',
        'profile_type': UserProfile.AUDITED,
        'organization': '',
        'email': target.user.email,
    }
    # Preconditions: the names posted below really differ from the stored ones.
    assert target.user.first_name != 'Marcel'
    assert target.user.last_name != 'Proust'

    utils.login(client, user=inspector.user)
    user_list_url = reverse('api:user-list')
    count_before = User.objects.count()
    client.post(user_list_url, post_data)
    count_after = User.objects.count()

    refreshed = UserProfile.objects.get(pk=target.pk)
    assert count_after == count_before
    assert refreshed.user.first_name == 'Marcel'
    assert refreshed.user.last_name == 'Proust'
def test_cannot_get_response_file_if_control_is_not_associated_with_the_user():
    """Fetching a response file that belongs to another control is rejected with a 4xx status."""
    response_file = factories.ResponseFileFactory()
    other_control = factories.ControlFactory()
    requester = utils.make_audited_user(other_control)

    status = get_response_file(requester, response_file.id).status_code
    assert 400 <= status <= 499
def test_cannot_get_users_of_control_if_control_is_deleted():
    """Once a control is deleted, even its own members get 404 from its user listing."""
    control = factories.ControlFactory()
    members = [utils.make_inspector_user(control), utils.make_audited_user(control)]
    control.delete()
    for member in members:
        assert get_users_of_control(member, control).status_code == 404
def test_user_cannot_set_editor_if_they_cannot_access_the_questionnaire():
    """An inspector not attached to the control cannot claim editor rights on its draft questionnaire."""
    control = factories.ControlFactory()
    outsider = utils.make_inspector_user(control=None, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(control=control, is_draft=True)

    status = call_api(outsider, draft.id, outsider.id).status_code
    assert 400 <= status < 500
def test_delete_twice_raise_404():
    """Deleting an already-deleted control through the API answers 404."""
    inspector = factories.UserProfileFactory(profile_type=UserProfile.INSPECTOR)
    control = factories.ControlFactory()
    inspector.controls.add(control)
    utils.login(client, user=inspector.user)
    delete_url = reverse('api:deletion-delete-control', args=[control.pk])

    # First deletion is done directly on the model, the second one through the API.
    control.delete()
    assert client.post(delete_url).status_code == 404
def test_draft_questionnaire_is_listed_in_controls_data_if_user_is_inspector():
    """An inspector attached to a control sees both its published and its draft questionnaires."""
    control = factories.ControlFactory()
    factories.QuestionnaireFactory(control=control, is_draft=False, title='MUST BE LISTED')
    factories.QuestionnaireFactory(control=control, is_draft=True, title='MUST ALSO BE LISTED')
    inspector = utils.make_inspector_user(control)

    response = list_control(inspector)
    assert response.status_code == 200

    body = str(response.content)
    for expected_title in ('MUST BE LISTED', 'MUST ALSO BE LISTED'):
        assert expected_title in body
def test_cannot_trash_response_file_if_control_is_not_associated_with_the_user():
    """Trashing a response file that belongs to another control is rejected with a 4xx status."""
    response_file = factories.ResponseFileFactory()
    other_control = factories.ControlFactory()
    requester = utils.make_audited_user(other_control)
    trash_payload = {"is_deleted": "true"}

    status = trash_response_file(requester, response_file.id, trash_payload).status_code
    assert 400 <= status <= 499
def test_questionnaire_create_fails_with_malformed_question():
    """A create payload whose first question lacks 'description' is rejected with 400 and nothing is saved."""
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user(control)

    payload = make_create_payload(control.id)
    first_question = payload['themes'][0]['questions'][0]
    first_question.pop('description')  # make the question invalid

    response = create_questionnaire(inspector, payload)
    assert response.status_code == 400
    assert_no_data_is_saved()
def test_no_questionnaire_create_if_control_is_deleted():
    """Creating a questionnaire on a control deleted after the payload was built is refused (403 or 404)."""
    increment_ids()
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user(control)
    payload = make_create_payload(control.id)
    assert_no_data_is_saved()

    control.delete()
    status = create_questionnaire(inspector, payload).status_code
    assert 403 <= status <= 404
def test_send_response_file_list_fails_for_inspector_if_the_control_is_not_associated_with_the_user(client):
    """An inspector attached to a different control cannot retrieve a questionnaire's response file list.

    Args:
        client: Django test client fixture used to perform the request.
    """
    questionnaire = factories.QuestionnaireFactory(is_draft=False)
    other_control = factories.ControlFactory()
    inspector = utils.make_inspector_user(other_control)

    response = get_response_list(client, inspector, questionnaire.id)
    assert response.status_code != 200
def test_noneditor_can_get_rights_on_questionnaire_without_editor():
    """An inspector of the control can take editor rights on a draft that has no editor yet."""
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user(control, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(control=control, is_draft=True, editor=None)
    assert_questionnaire_has_editor(draft, None)

    response = call_api(inspector, draft.id, inspector.id)
    assert response.status_code == 200
    assert_questionnaire_has_editor(draft, inspector)
def test_audited_cannot_access_api():
    """An audited user is refused (4xx) by the editor API, and the editor of the draft stays unchanged."""
    control = factories.ControlFactory()
    audited = utils.make_audited_user(control)
    draft = factories.QuestionnaireFactory(control=control, is_draft=True, editor=audited)
    assert_questionnaire_has_editor(draft, audited)

    status = call_api(audited, draft.id, audited.id).status_code
    assert 400 <= status < 500
    assert_questionnaire_has_editor(draft, audited)
def test_download_question_file_fails_if_the_control_is_not_associated_with_the_user(client):
    """An audited user attached to another control cannot download a question file.

    Args:
        client: Django test client fixture used to perform the request.
    """
    question_file = factories.QuestionFileFactory()
    other_control = factories.ControlFactory()
    # Sanity check: the user's control is really not the file's control.
    assert other_control != question_file.question.theme.questionnaire.control

    audited = utils.make_audited_user(other_control)
    utils.login(client, user=audited)
    download_url = reverse('send-question-file', args=[question_file.id])
    assert client.get(download_url).status_code != 200
def test_audited_cannot_delete_a_control():
    """An audited user attached to a control gets 403 on the delete endpoint and the control survives."""
    audited = factories.UserProfileFactory(profile_type=UserProfile.AUDITED)
    control = factories.ControlFactory()
    audited.controls.add(control)
    utils.login(client, user=audited.user)
    delete_url = reverse('api:deletion-delete-control', args=[control.pk])

    active_before = Control.objects.active().count()
    response = client.post(delete_url)
    active_after = Control.objects.active().count()

    assert active_after == active_before
    assert response.status_code == 403
def test_editor_can_transfer_rights():
    """The current editor of a draft can hand editor rights to another inspector of the same control."""
    control = factories.ControlFactory()
    current_editor = utils.make_inspector_user(control, assign_questionnaire_editor=False)
    new_editor = utils.make_inspector_user(control, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(control=control, is_draft=True, editor=current_editor)
    assert_questionnaire_has_editor(draft, current_editor)

    response = call_api(current_editor, draft.id, new_editor.id)
    assert response.status_code == 200
    assert_questionnaire_has_editor(draft, new_editor)
def test_inspector_cannot_update_published_questionnaire():
    """Updating a questionnaire that is already published is refused with a 4xx status."""
    increment_ids()
    control = factories.ControlFactory()
    inspector = utils.make_inspector_user(control)
    published = factories.QuestionnaireFactory(is_draft=False, control=control, editor=inspector)
    payload = make_update_payload(published)

    # The questionnaire is published, so this update must be rejected.
    status = update_questionnaire(inspector, payload).status_code
    assert 400 <= status < 500
def test_questionnaire_draft_update__editor_can_update():
    """The user who created a draft through the API can update it (200)."""
    increment_ids()
    control = factories.ControlFactory()
    editor = utils.make_inspector_user(control)
    draft = create_questionnaire_through_api(editor, control)

    # The created questionnaire is reused as the update payload.
    draft['description'] = 'this is a great questionnaire.'
    response = update_questionnaire(editor, draft)
    assert response.status_code == 200
def access_control_page(client, page_name, is_control_associated_with_user, profile_type):
    """Log in a freshly created user and GET a page of a freshly created control.

    Args:
        client: Django test client used to log in and perform the request.
        page_name: URL name, resolved with the control id as its only positional argument.
        is_control_associated_with_user: when true the user is created attached
            to the control, otherwise the user is created with no control.
        profile_type: profile type handed to utils.make_user.

    Returns:
        The response of the GET request.
    """
    control = factories.ControlFactory()
    attached_control = control if is_control_associated_with_user else None
    user = utils.make_user(profile_type, attached_control)
    utils.login(client, user=user)
    page_url = reverse(page_name, args=[control.id])
    return client.get(page_url)
def test_inspector_can_delete_a_control():
    """An inspector attached to a control can delete it (200); the active control count drops by one."""
    inspector = factories.UserProfileFactory(profile_type=UserProfile.INSPECTOR)
    control = factories.ControlFactory()
    inspector.controls.add(control)
    utils.login(client, user=inspector.user)
    delete_url = reverse('api:deletion-delete-control', args=[control.pk])

    active_before = Control.objects.active().count()
    response = client.post(delete_url)
    active_after = Control.objects.active().count()

    assert active_after == active_before - 1
    assert response.status_code == 200
def test_no_access_to_editor_api_for_deleted_control():
    """The editor API answers 404 for a draft whose control has been deleted, even for its editor."""
    control = factories.ControlFactory()
    editor = utils.make_inspector_user(control, assign_questionnaire_editor=False)
    draft = factories.QuestionnaireFactory(control=control, is_draft=True, editor=editor)
    assert_questionnaire_has_editor(draft, editor)

    control.delete()
    assert call_api(editor, draft.id, editor.id).status_code == 404
def test_download_response_file_fails_if_the_control_is_not_associated_with_the_user(client):
    """Even the author of a response file cannot download it when attached to a different control.

    Args:
        client: Django test client fixture used to perform the request.
    """
    response_file = factories.ResponseFileFactory()
    author = response_file.author
    other_control = factories.ControlFactory()
    # Sanity check: the control we attach the author to is not the file's control.
    assert other_control != response_file.question.theme.questionnaire.control

    author.profile.controls.add(other_control)
    author.profile.save()
    utils.login(client, user=author)
    download_url = reverse('send-response-file', args=[response_file.id])
    assert client.get(download_url).status_code != 200
def test_no_access_to_questionnaire_page_if_control_is_not_associated_with_the_user(client):
    """A user attached to a different control cannot open the questionnaire detail page.

    Args:
        client: Django test client fixture used to perform the request.
    """
    questionnaire = factories.QuestionnaireFactory()
    user = factories.UserFactory()
    unauthorized_control = factories.ControlFactory()
    # Sanity check: the control we attach the user to is not the questionnaire's control.
    assert unauthorized_control != questionnaire.control

    user.profile.controls.add(unauthorized_control)
    user.profile.save()
    utils.login(client, user=user)
    detail_url = reverse('questionnaire-detail', args=[questionnaire.id])
    assert client.get(detail_url).status_code != 200
def test_inspector_can_remove_user_from_control():
    """An inspector can detach another member from a shared control; the member count drops by one."""
    member = factories.UserProfileFactory(profile_type='audited')
    inspector = factories.UserProfileFactory(profile_type='inspector')
    control = factories.ControlFactory()
    for profile in (inspector, member):
        profile.controls.add(control)
    utils.login(client, user=inspector.user)
    remove_url = reverse('api:user-remove-control', args=[member.pk])

    members_of_control = User.objects.filter(profile__controls=control)
    count_before = members_of_control.count()
    response = client.post(remove_url, {'control': control.pk})
    count_after = members_of_control.count()

    assert count_after == count_before - 1
    assert response.status_code == 200
def test_questionnaire_draft_update__non_author_cannot_update():
    """An inspector of the same control who did not author a draft cannot update it (4xx)."""
    increment_ids()
    # The draft is created through the API so that its author is set properly.
    control = factories.ControlFactory()
    author = utils.make_inspector_user(control)
    draft = create_questionnaire_through_api(author, control)
    non_author = utils.make_inspector_user(control)

    # The created questionnaire is reused as the update payload.
    draft['description'] = 'this is a great questionnaire.'
    status = update_questionnaire(non_author, draft).status_code
    assert 400 <= status < 500