def test_get_members_by_authenticated(self): user1 = UserFactory() user2 = UserFactory() box = BoxFactory(visibility=Box.PRIVATE) box.share_with(user2, BoxMember.PERM_R) request = APIRequestFactory().get('/url/') request.user = user1 self.serializer.context['request'] = request members = self.serializer.get_members(box) self.assertEqual(len(members), 0)
def test_get_members_by_box_owner(self): user1 = UserFactory() user2 = UserFactory() box = BoxFactory(owner=user1, visibility=Box.PRIVATE) box.share_with(user2, BoxMember.PERM_R) request = APIRequestFactory().get('/url/') request.user = user1 self.serializer.context['request'] = request members = self.serializer.get_members(box) self.assertEqual(len(members), 1) self.assertEqual(members[0]['username'], user2.username)
def test_get_boxes(self): user1 = UserFactory() user2 = UserFactory() b1 = BoxFactory(owner=user1, visibility=Box.PRIVATE) b2 = BoxFactory(owner=user1, visibility=Box.PUBLIC) request = APIRequestFactory().get('/url/') request.user = user2 self.serializer.context['request'] = request boxes = self.serializer.get_boxes(user1) self.assertEqual(len(boxes), 1, msg="Private box shouldn't be shown") self.assertIn(b2.name, boxes[0]) self.assertIn('http://', boxes[0], msg="Should be absolute URL")
def test_list_user_boxes(self): user = UserFactory() user1 = UserFactory() b1 = BoxFactory(visibility=Box.PRIVATE, owner=user1) b2 = BoxFactory(visibility=Box.PRIVATE, owner=user1) b2.share_with(user, BoxMember.PERM_R) request = self.factory.get('/url/') force_authenticate(request, user=user) response = self.view_list(request, username=user1.username) self.assertEqual(response.status_code, status.HTTP_200_OK) # only b2; b1 not shared with user; b4 different owner self.assertEqual(response.data['count'], 1) self.assertEqual(response.data['results'][0]['name'], b2.name)
def test_box_owner_can_view_box_members(self): user = UserFactory() box = BoxFactory(owner=user) user1 = UserFactory() box.share_with(user1, BoxMember.PERM_RW) user2 = UserFactory() box.share_with(user2, BoxMember.PERM_R) request = self.factory.get('/url/') force_authenticate(request, user=user) response = self.view_list(request, username=user.username, box_name=box.name) self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(response.data['count'], 2)
def test_user_cant_create_box_for_other_user(self): user = UserFactory() user1 = UserFactory() data = { 'name': 'testbox1', 'description': 'some description', 'short_description': 'Test box', 'visibility': Box.PRIVATE, } request = self.factory.post('/url/', data=data) force_authenticate(request, user=user) response = self.view_list(request, username=user1.username) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(Box.objects.count(), 0)
def test_user_updated(self): user = UserFactory() data = { 'username': '******', 'email': '*****@*****.**', 'password': '******', 'profile': { 'boxes_permissions': UserProfile.BOXES_PERM_R, } } user = self.serializer.update(user, data) self.assertEqual(user.username, data['username']) self.assertEqual(user.email, data['email']) self.assertTrue(user.check_password(data['password'])) self.assertEqual(user.profile.boxes_permissions, data['profile']['boxes_permissions'])
def test_get_perms_for_authenticated(self): user = UserFactory() box = BoxFactory(visibility=Box.PRIVATE) self.check_perms(user, box, '') box = BoxFactory(visibility=Box.PUBLIC) self.check_perms(user, box, BoxMember.PERM_R)
def test_box_owner_can_add_box_member(self): user = UserFactory() box = BoxFactory(owner=user) user1 = UserFactory() data = { 'permissions': BoxMember.PERM_RW, } request = self.factory.post('/url/', data=data) force_authenticate(request, user=user) response = self.view_detail(request, username=user.username, box_name=box.name, member_username=user1.username) self.assertEqual(response.status_code, status.HTTP_201_CREATED) self.assertListEqual(list(box.shared_with.all()), [user1])
def test_authenticated_without_model_perms(self): user = UserFactory(profile__boxes_permissions='') checks = { 'GET': False, 'PATCH': False, 'POST': False, 'DELETE': False, } self.check_model_perms(checks, user)
def test_authenticated_with_read_write_boxes_perms(self): user = UserFactory() checks = { 'GET': True, 'PATCH': True, 'POST': True, 'DELETE': True, } self.check_model_perms(checks, user)
def test_box_owner_perms(self): user = UserFactory() checks = { 'GET': True, 'PATCH': True, 'POST': True, 'DELETE': True, } self.check_box_obj_perms(checks, user, box_owner=user)
def test_authenticated_perms(self): user = UserFactory() checks = { 'GET': False, 'PATCH': False, 'POST': False, 'DELETE': False, } self.check_box_obj_perms(checks, user)
def test_authenticated_with_read_boxes_perms(self): user = UserFactory(profile__boxes_permissions=UserProfile.BOXES_PERM_R) checks = { 'GET': True, 'PATCH': False, 'POST': False, 'DELETE': False, } self.check_model_perms(checks, user)
def test_token_in_query_string(self): user = UserFactory() token = user.auth_token request = self.factory.get('/url/') request.query_params = {'auth_token': token.key} auth_user, auth_token = self.auth.authenticate(request) self.assertEqual(auth_user, user) self.assertEqual(auth_token, token)
def test_get_perms_for_user_with_push_access(self): user = UserFactory() box = BoxFactory(visibility=Box.PRIVATE) box.share_with(user, BoxMember.PERM_RW) self.check_perms(user, box, BoxMember.PERM_RW) box = BoxFactory(visibility=Box.PUBLIC) box.share_with(user, BoxMember.PERM_RW) self.check_perms(user, box, BoxMember.PERM_RW)
def test_box_member_with_read_write_permissions(self): user = UserFactory() checks = { 'GET': True, 'PATCH': False, 'POST': False, 'DELETE': False, } box = BoxFactory(visibility=Box.PRIVATE) box.share_with(user, BoxMember.PERM_RW) self.check_obj_perms(checks, user, box)
def test_box_owner_cannot_add_already_added_box_member(self): user = UserFactory() box = BoxFactory(owner=user) user1 = UserFactory() box.share_with(user1, BoxMember.PERM_RW) data = { 'permissions': BoxMember.PERM_RW, } request = self.factory.post('/url/', data=data) force_authenticate(request, user=user) # Wrap in atomic transaction because of UNIQUER DB error with transaction.atomic(): response = self.view_detail(request, username=user.username, box_name=box.name, member_username=user1.username) self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST) self.assertListEqual(list(box.shared_with.all()), [user1])
def test_token_expired(self): user = UserFactory() token = user.auth_token token.created -= timedelta(hours=settings.TOKEN_EXPIRE_AFTER + 1) token.save() request = self.factory.get('/url/', HTTP_AUTHORIZATION='Token {}'.format( token.key)) with self.assertRaises(AuthenticationFailed): self.auth.authenticate(request)
def test_token_valid(self): user = UserFactory() token = user.auth_token request = self.factory.get('/url/', HTTP_AUTHORIZATION='Token {}'.format( token.key)) auth_user, auth_token = self.auth.authenticate(request) self.assertEqual(auth_user, user) self.assertEqual(auth_token, token)
def test_box_member_perms(self): user = UserFactory() checks = { 'GET': False, 'PATCH': False, 'POST': False, 'DELETE': False, } self.check_box_obj_perms(checks, user, share_with=user, share_perm=BoxMember.PERM_RW)
def check_box_obj_perms(self, checks, user, box_owner=None, share_with=None, share_perm=None): if box_owner is None: box_owner = UserFactory() for visibility in [Box.PRIVATE, Box.PUBLIC]: box = BoxFactory(visibility=visibility, owner=box_owner) if share_with: box.share_with(share_with, share_perm) self.check_obj_perms(checks, user, box)
def test_user_with_permissions_cannot_read_box_members(self): user = UserFactory() box = BoxFactory() box.share_with(user, BoxMember.PERM_RW) request = self.factory.get('/url/') force_authenticate(request, user=user) response = self.view_list(request, username=box.owner.username, box_name=box.name) self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(response.data['count'], 0) self.assertListEqual(list(box.shared_with.all()), [user])
def test_user_with_permissions_can_view_versions(self): user = UserFactory() box = BoxFactory() box.share_with(user, BoxMember.PERM_R) BoxVersionFactory(box=box, version='1.0.0') BoxVersionFactory(box=box, version='1.0.1') request = self.factory.get('/url/') force_authenticate(request, user=user) response = self.view_list(request, username=box.owner.username, box_name=box.name) self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(response.data['count'], 2)
def test_get_boxes_for_authenticated(self): user = UserFactory() b1 = BoxFactory(visibility=Box.PRIVATE) b2 = BoxFactory(visibility=Box.PRIVATE, owner=user) b3 = BoxFactory(visibility=Box.PRIVATE) b3.share_with(user, BoxMember.PERM_RW) b4 = BoxFactory(visibility=Box.PRIVATE) b4.share_with(user, BoxMember.PERM_R) b5 = BoxFactory(visibility=Box.PUBLIC) self.assertCountEqual( list(Box.objects.for_user(user)), [b2, b3, b4, b5] )
def test_user_with_permissions_can_view_metadata(self): user = UserFactory() box = BoxFactory() box.share_with(user, BoxMember.PERM_R) version = BoxVersionFactory(box=box) BoxProviderFactory(version=version, provider='virtualbox') BoxProviderFactory(version=version, provider='vmware') BoxProviderFactory() request = self.factory.get('/url/') force_authenticate(request, user=user) response = self.view_detail(request, username=box.owner.username, box_name=box.name) self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_box_owner_can_create_version(self): user = UserFactory() box = BoxFactory(owner=user) data = { 'version': '1.0.1', 'changes': 'Initial release', } request = self.factory.post('/url/', data=data) force_authenticate(request, user=user) response = self.view_list(request, username=box.owner.username, box_name=box.name) self.assertEqual(response.status_code, status.HTTP_201_CREATED) self.assertTrue(box.versions.filter(**data).exists())
def test_user_creates_own_box(self): user = UserFactory() data = { 'name': 'testbox1', 'description': 'some description', 'short_description': 'Test box', 'visibility': Box.PRIVATE, } request = self.factory.post('/url/', data=data) force_authenticate(request, user=user) response = self.view_list(request, username=user.username) self.assertEqual(response.status_code, status.HTTP_201_CREATED) self.assertEqual(Box.objects.count(), 1) self.assertTrue(Box.objects.filter(**data).exists())
def test_user_with_permissions_cannot_delete_provider(self): user = UserFactory() box = BoxFactory() box.share_with(user, BoxMember.PERM_R) version = BoxVersionFactory(box=box) provider = BoxProviderFactory(version=version) request = self.factory.delete('/url/') force_authenticate(request, user=user) response = self.view_detail(request, username=box.owner.username, box_name=box.name, version=version.version, provider=provider.provider) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_user_creates_box_with_the_same_name(self): user = UserFactory() box = BoxFactory(owner=user, visibility=Box.PRIVATE) data = { 'name': box.name, 'description': 'some description', 'short_description': 'Test box', 'visibility': Box.PUBLIC, } request = self.factory.post('/url/', data=data) force_authenticate(request, user=user) # Wrap in atomic transaction because of UNIQUER DB error with transaction.atomic(): response = self.view_list(request, username=user.username) self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST) self.assertEqual(Box.objects.count(), 1)