Пример #1
    def test_is_supervisor(self):
        """Pin down which users count as supervisor of which inside one course.

        Three participants are created in self.course1:
        - self.user with role "TE" (can_view_course_users, can_view_all_journals),
        - a second user with role "MD" (can_view_course_users only),
        - a third user with role "SD" (no permissions), who also owns a journal
          for self.assignment.

        The relation is checked twice: with everybody enrolled, and again after
        the third user's participation has been deleted.
        """
        mid_user = factory.make_user(
            'Username2', DEFAULT_PASSWORD, email='*****@*****.**', full_name='Test User')
        pupil = factory.make_user(
            'Username3', DEFAULT_PASSWORD, email='*****@*****.**', full_name='Test User')

        # Role with both viewing permissions, given to the fixture user.
        teacher_role = factory.make_role_default_no_perms(
            "TE", self.course1, can_view_course_users=True, can_view_all_journals=True)
        factory.make_participation(self.user, self.course1, teacher_role)

        # Role that may only list course users.
        middle_role = factory.make_role_default_no_perms(
            "MD", self.course1, can_view_course_users=True)
        factory.make_participation(mid_user, self.course1, middle_role)

        # Role without any permission; this user is the one with a journal.
        student_role = factory.make_role_default_no_perms("SD", self.course1)
        factory.make_participation(pupil, self.course1, student_role)
        factory.make_journal(self.assignment, pupil)

        is_supervisor = permissions.is_user_supervisor_of

        assert is_supervisor(self.user, pupil)
        assert is_supervisor(self.user, mid_user)
        # NOTE(review): the relation is not a strict hierarchy. The "MD" role,
        # holding only can_view_course_users, is asserted to supervise the "TE"
        # user. Presumably the predicate is satisfied by a shared course plus
        # can_view_course_users - confirm in the permissions module, because
        # every access decision built on it inherits this breadth.
        assert is_supervisor(mid_user, self.user)
        assert is_supervisor(mid_user, pupil)
        # A role without permissions must never supervise anyone.
        assert not is_supervisor(pupil, self.user)
        assert not is_supervisor(pupil, mid_user)

        # Un-enrol the third user; the journal created above is left in place.
        Participation.objects.get(course=self.course1, user=pupil).delete()

        # NOTE(review): self.user still supervises the un-enrolled user while
        # the "MD" user no longer does. Presumably the remaining journal plus
        # can_view_all_journals keeps the relation alive - confirm that access
        # surviving un-enrolment is intended.
        assert is_supervisor(self.user, pupil)
        assert not is_supervisor(mid_user, pupil)
        assert not is_supervisor(pupil, self.user)
        assert not is_supervisor(pupil, mid_user)
Пример #2
    def test_is_supervisor(self):
        """Check the supervisor relation between three participants of one course.

        self.user gets role "TE" (can_view_course_users, can_view_all_journals),
        a second user gets "MD" (can_view_course_users only) and a third user
        gets "SD" (no permissions) plus a journal for self.assignment. The
        relation is asserted before and after the third user's participation
        is deleted.
        """
        mid_user = factory.make_user('Username2', 'Password', email='*****@*****.**')
        pupil = factory.make_user('Username3', 'Password', email='*****@*****.**')

        teacher_role = factory.make_role_default_no_perms(
            "TE", self.course1, can_view_course_users=True, can_view_all_journals=True)
        factory.make_participation(self.user, self.course1, teacher_role)

        middle_role = factory.make_role_default_no_perms(
            "MD", self.course1, can_view_course_users=True)
        factory.make_participation(mid_user, self.course1, middle_role)

        student_role = factory.make_role_default_no_perms("SD", self.course1)
        factory.make_participation(pupil, self.course1, student_role)
        factory.make_journal(self.assignment, pupil)

        # (supervisor, supervisee) pairs, evaluated in this order.
        granted_while_enrolled = (
            (self.user, pupil),
            (self.user, mid_user),
            # NOTE(review): "MD" holds only can_view_course_users yet is
            # expected to supervise the "TE" user, so the relation is not a
            # strict hierarchy - confirm this breadth is intended wherever the
            # predicate gates access to user data.
            (mid_user, self.user),
            (mid_user, pupil),
        )
        for supervisor, supervisee in granted_while_enrolled:
            self.assertTrue(permissions.is_user_supervisor_of(supervisor, supervisee))

        # The permission-less role must not supervise anybody.
        for supervisor, supervisee in ((pupil, self.user), (pupil, mid_user)):
            self.assertFalse(permissions.is_user_supervisor_of(supervisor, supervisee))

        # Un-enrol the third user; the journal created above is left in place.
        Participation.objects.get(course=self.course1, user=pupil).delete()

        # NOTE(review): only self.user keeps the relation after un-enrolment,
        # presumably through the remaining journal and can_view_all_journals -
        # confirm that access outliving course membership is intended.
        self.assertTrue(permissions.is_user_supervisor_of(self.user, pupil))
        denied_after_removal = (
            (mid_user, pupil),
            (pupil, self.user),
            (pupil, mid_user),
        )
        for supervisor, supervisee in denied_after_removal:
            self.assertFalse(permissions.is_user_supervisor_of(supervisor, supervisee))
Пример #3
 def to_string(self, user=None):
     """Return a label for this account, anonymised unless the viewer may see it.

     Arguments:
     user -- the viewer the label is rendered for (default None)

     Returns:
     "User" when no viewer is given or the viewer may not identify this
     account, otherwise "<username> (<pk>)".
     """
     anonymous_label = "User"
     if user is None:
         return anonymous_label

     # NOTE(review): is_superuser is read from the account being described,
     # not from the viewer, so a superuser account is identified to every
     # non-None viewer, while a superuser viewer gets no extra visibility here.
     # Looks like `user.is_superuser` may have been intended - confirm.
     may_identify = (self.is_superuser or self == user
                     or permissions.is_user_supervisor_of(user, self))
     if may_identify:
         return self.username + " (" + str(self.pk) + ")"
     return anonymous_label
Пример #4
    def retrieve(self, request, pk):
        """Get the user data of the requested user.

        Arguments:
        request -- request data
        pk -- user ID; 0 selects the requesting user

        Returns:
        On failure:
            forbidden -- when the requester is not the user, not a superuser
                         and not a supervisor of the user
        On success:
            success -- with the user data: OwnUserSerializer output for the
                       user themselves and for superusers, UserSerializer
                       output for supervisors

        Unauthorized and not found responses are not produced in this method;
        presumably they come from the surrounding view configuration - confirm.
        """
        # NOTE(review): int() raises ValueError for a non-numeric pk and the
        # lookup below raises User.DoesNotExist for an unknown one; neither is
        # caught here.
        wants_own_record = int(pk) == 0
        if wants_own_record:
            pk = request.user.id

        # NOTE(review): the record is loaded before the access decision. If a
        # missing user is reported differently from a forbidden one, any caller
        # reaching this point can tell existing IDs from unused ones - confirm
        # whether that is acceptable.
        target = User.objects.get(pk=pk)
        requester = request.user

        if requester == target or requester.is_superuser:
            # Full record, only for the account owner and superusers.
            serializer_class = OwnUserSerializer
        elif permissions.is_user_supervisor_of(requester, target):
            # Supervisors receive the other serializer's output instead.
            serializer_class = UserSerializer
        else:
            return response.forbidden('You are not allowed to view this users information.')

        serializer = serializer_class(target, many=False)
        return response.success({'user': serializer.data})
Пример #5
    def test_get(self):
        """Exercise the 'users' endpoint as student, supervisor and admin.

        Covers the user listing, fetching one's own record through pk 0, the
        denial of a student reading another user's record, and which fields a
        supervisor and an admin receive for a student.
        """
        student = factory.Student()
        admin = factory.Admin()
        journal = factory.Journal(user=student)
        teacher = journal.assignment.courses.first().author

        # Listing all users: denied for the student, complete for the admin.
        api.get(self, 'users', user=student, status=403)
        listed_users = api.get(self, 'users', user=admin)['users']
        assert len(listed_users) == User.objects.count(), 'Test if the admin got all the users'

        # pk 0 returns the requester's own record.
        own_record = api.get(self, 'users', params={'pk': 0}, user=student)['user']
        assert 'id' in own_record, 'Test if the student got userdata'
        assert 'verified_email' in own_record, 'Test if the student got all their userdata'

        admin_record = api.get(self, 'users', params={'pk': 0}, user=admin)['user']
        assert admin_record['is_superuser'], 'Admin user should be flagged as superuser.'

        # A student may not read another user's record.
        api.get(self, 'users', params={'pk': admin.pk}, user=student, status=403)

        # A supervisor gets a reduced view of the supervisee.
        assert permissions.is_user_supervisor_of(teacher, student), \
            'Teacher should be supervisor of student'
        supervisee_view = api.get(
            self, 'users', params={'pk': student.pk}, user=teacher)['user']
        assert 'username' in supervisee_view, 'Supervisor can retrieve basic supervisee data'
        assert 'full_name' in supervisee_view, 'Supervisor can retrieve basic supervisee data'
        # NOTE(review): only two sensitive keys are checked for absence, so a
        # field added to the reduced view later would pass unnoticed. Comparing
        # the returned keys against an expected set would catch that.
        assert 'verified_email' not in supervisee_view, 'Supervisor can\'t retrieve all supervisee data'
        assert 'email' not in supervisee_view, 'Supervisor can\'t retrieve all supervisee data'

        # An admin gets the full record of any user.
        admin_view = api.get(
            self, 'users', params={'pk': student.pk}, user=admin)['user']
        assert 'id' in admin_view, 'Admin can retrieve basic user data'
        assert 'verified_email' in admin_view, 'Admin can retrieve all user data'
        assert 'email' in admin_view, 'Admin can retrieve all user data'