def other_user(self):
    """Return a second, lazily-created user standing in for an outsider.

    The user is created on first access and memoised on ``self._other_user``
    so every test in the case shares one "attacker" account that has no ACL
    entry on the workflow under test.
    """
    try:
        return self._other_user
    except AttributeError:
        # First access: build the outsider account once and cache it.
        self._other_user = create_test_user(
            "attacker", "*****@*****.**", "alksjdghalskdjfh"
        )
        return self._other_user
def test_auth_report_viewer_denied(self):
    """A REPORT_VIEWER ACL entry must not grant access to an arbitrary step.

    Nothing in this setup exposes ``step2`` through a report, so a viewer
    requesting it must get 403 rather than the step's data.
    """
    viewer = create_test_user("alice", "*****@*****.**")
    self.workflow.acl.create(email="*****@*****.**", role=Role.REPORT_VIEWER)
    self.client.force_login(viewer)

    resp = self._request_step(self.step2)
    self.assertEqual(resp.status_code, 403)
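def setUp(self):
    """Log in a fresh test user and silence user-event logging.

    The patch on ``server.utils.log_user_event_from_request`` is started
    here and registered with ``addCleanup`` so it is always undone, even when
    a test errors out before ``tearDown`` runs. Since Python 3.8
    ``patcher.stop()`` is a no-op on an already-stopped patcher, so this is
    safe alongside any existing ``tearDown`` that stops it as well.
    """
    super().setUp()
    self.user = create_test_user()
    self.client.force_login(self.user)
    self.log_patcher = patch("server.utils.log_user_event_from_request")
    self.log_patch = self.log_patcher.start()
    # A patch that is never stopped leaks into every later test in the
    # process and hides the real logging call there.
    self.addCleanup(self.log_patcher.stop)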
def test_auth_report_viewer_allowed_auto_report_chart(self):
    """A REPORT_VIEWER may read a step whose module renders HTML (a chart).

    The workflow has no custom report here, so the "auto" report is in
    effect: any step backed by an ``html_output`` module is reportable.
    """
    write_to_rendercache(
        self.workflow,
        self.step,
        1,
        make_table(make_column("A", [1])),
        json={"hello": "world!"},
    )
    viewer = create_test_user("alice", "*****@*****.**")
    self.workflow.acl.create(email="*****@*****.**", role=Role.REPORT_VIEWER)
    self.client.force_login(viewer)

    # Turn the step into a chart by pointing it at an html_output module.
    create_module_zipfile("chart", spec_kwargs={"html_output": True})
    self.step.module_id_name = "chart"
    self.step.save(update_fields=["module_id_name"])

    resp = self._request()
    self.assertEqual(resp.status_code, 200, "Should have access to Chart step")
def test_auth_report_viewer_allowed_custom_report_chart(self):
    """Chart steps are readable by a REPORT_VIEWER; non-chart steps are not.

    ``step1`` is backed by an ``html_output`` module and ``step2`` by one
    without it; the viewer must see 200 for the former and 403 for the latter.
    """
    viewer = create_test_user("alice", "*****@*****.**")
    self.workflow.acl.create(email="*****@*****.**", role=Role.REPORT_VIEWER)
    self.client.force_login(viewer)

    create_module_zipfile("chart", spec_kwargs={"html_output": True})
    create_module_zipfile("notchart", spec_kwargs={"html_output": False})
    for step, module_id in ((self.step1, "chart"), (self.step2, "notchart")):
        step.module_id_name = module_id
        step.save(update_fields=["module_id_name"])

    chart_resp = self._request_step(self.step1)
    self.assertEqual(chart_resp.status_code, 200, "Should have access to Chart step")
    other_resp = self._request_step(self.step2)
    self.assertEqual(other_resp.status_code, 403, "Should not have access to non-Chart step")
def test_auth_report_viewer_allowed_custom_report_table(self):
    """A Table block in a custom report exposes only the tab's last step.

    The block references the tab, not a step, so the viewer may read the
    tab's final step (``step2``) but not an intermediate one (``step1``).
    """
    viewer = create_test_user("alice", "*****@*****.**")
    self.workflow.acl.create(email="*****@*****.**", role=Role.REPORT_VIEWER)

    self.workflow.has_custom_report = True
    self.workflow.save(update_fields=["has_custom_report"])
    self.workflow.blocks.create(
        position=0, slug="block-1", block_type="Table", tab_id=self.tab.id
    )
    self.client.force_login(viewer)

    first = self._request_step(self.step1)
    self.assertEqual(first.status_code, 403, "Should not have access to not-last step of tab")
    last = self._request_step(self.step2)
    self.assertEqual(last.status_code, 200, "Should have access to last step of tab")
def test_auth_report_viewer_allowed_custom_report_chart(self):
    """A Chart block in a custom report grants a REPORT_VIEWER access to that step."""
    write_to_rendercache(
        self.workflow,
        self.step,
        1,
        make_table(make_column("A", [1])),
        json={"hello": "world!"},
    )
    viewer = create_test_user("alice", "*****@*****.**")
    self.workflow.acl.create(email="*****@*****.**", role=Role.REPORT_VIEWER)

    # Custom report containing exactly one Chart block that points at self.step.
    self.workflow.has_custom_report = True
    self.workflow.save(update_fields=["has_custom_report"])
    self.workflow.blocks.create(
        position=0, slug="block-1", block_type="Chart", step_id=self.step.id
    )

    self.client.force_login(viewer)
    resp = self._request()
    self.assertEqual(resp.status_code, 200, "Should have access to Chart step")
def test_auth_report_viewer_denied_custom_report_chart(self):
    """A Chart block must not leak table data, nor open up unreported steps.

    The custom report charts ``step1`` only. The viewer must still be denied
    this endpoint for ``step1`` (the table behind the chart) and for
    ``step2`` (not in the report at all).
    """
    viewer = create_test_user("alice", "*****@*****.**")
    self.workflow.acl.create(email="*****@*****.**", role=Role.REPORT_VIEWER)

    self.workflow.has_custom_report = True
    self.workflow.save(update_fields=["has_custom_report"])
    self.workflow.blocks.create(
        position=0, slug="block-1", block_type="Chart", step_id=self.step1.id
    )
    self.client.force_login(viewer)

    charted = self._request_step(self.step1)
    self.assertEqual(charted.status_code, 403, "Should not have access to table data")
    uncharted = self._request_step(self.step2)
    self.assertEqual(
        uncharted.status_code,
        403,
        "Should not have access to non-reported Chart step",
    )
def test_auth_report_viewer_denied_custom_report_table(self):
    """A Table block in the custom report does not grant access to this endpoint.

    A viewer who may read the tab's table output must still get 403 here;
    table access and chart access are separate grants.
    """
    cache_render_result(
        self.workflow,
        self.step,
        1,
        RenderResult(arrow_table({"A": ["a", "b"]}), json={"hello": "world!"}),
    )
    viewer = create_test_user("alice", "*****@*****.**")
    self.workflow.acl.create(email="*****@*****.**", role=Role.REPORT_VIEWER)

    self.workflow.has_custom_report = True
    self.workflow.save(update_fields=["has_custom_report"])
    self.workflow.blocks.create(
        position=0, slug="block-1", block_type="Table", tab_id=self.tab.id
    )
    self.client.force_login(viewer)

    resp = self._request()
    self.assertEqual(resp.status_code, 403, "Table access does not imply Chart access")
def test_auth_user_without_acl_entry_not_allowed(self):
    """An authenticated user with no ACL entry on the workflow gets 403."""
    outsider = create_test_user("alice", "*****@*****.**")
    self.client.force_login(outsider)

    resp = self._request_step(self.step2)
    self.assertEqual(resp.status_code, 403)
def test_auth_editor_allowed(self):
    """An EDITOR ACL entry grants access to any step of the workflow."""
    editor = create_test_user("alice", "*****@*****.**")
    self.workflow.acl.create(email="*****@*****.**", role=Role.EDITOR)
    self.client.force_login(editor)

    resp = self._request_step(self.step2)
    self.assertEqual(resp.status_code, 200)
def test_auth_read_secret(self):
    """Presenting the workflow's secret_id grants read access to a private workflow."""
    secret = "wsecret"
    wf = Workflow.objects.create(
        owner=create_test_user(),
        public=False,
        secret_id=secret,
    )
    # No user is passed: the secret alone must be enough for "read".
    assert_lock(wf, "read", secret_id=secret)
def setUp(self):
    """Create a test user and log the test client in as that user."""
    super().setUp()
    user = create_test_user()
    self.user = user
    self.client.force_login(user)
def test_auth_read_public(self):
    """A public workflow is readable without any user or secret."""
    wf = Workflow.objects.create(
        owner=create_test_user(),
        public=True,
    )
    assert_lock(wf, "read")
def create_test_user_with_profile(**kwargs):
    """Create a test user and attach an (otherwise default) UserProfile to it.

    Args:
        **kwargs: forwarded unchanged to ``create_test_user``.

    Returns:
        The created user.
    """
    new_user = create_test_user(**kwargs)
    UserProfile.objects.create(user=new_user)
    return new_user
def test_auth_read_deny_non_owner(self):
    """A private workflow with no user and no secret must refuse "read"."""
    wf = Workflow.objects.create(owner=create_test_user())
    # NOTE: ``msg=`` here is only the failure message shown if nothing is
    # raised; it does not check the exception's text. Use assertRaisesRegex
    # (or inspect the context's ``exception``) if the message matters.
    with self.assertRaises(
        HandlerError, msg="AuthError: no read access to workflow"
    ):
        assert_lock(wf, "read")
def test_auth_write_owner(self):
    """The workflow's owner has write access."""
    owner = create_test_user()
    wf = Workflow.objects.create(owner=owner)
    assert_lock(wf, "write", user=owner)
def log_in(self):
    """Create a fresh test user, store it on ``self.user`` and log the client in."""
    user = create_test_user()
    self.user = user
    self.client.force_login(user)
def test_auth_owner_deny_public(self):
    """Being public grants read, never "owner": an anonymous caller is refused."""
    wf = Workflow.objects.create(owner=create_test_user(), public=True)
    # NOTE: ``msg=`` is the failure message if nothing is raised; it does not
    # assert on the exception's text. Use assertRaisesRegex for that.
    with self.assertRaises(
        HandlerError, msg="AuthError: no owner access to workflow"
    ):
        assert_lock(wf, "owner")