Пример #1
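    def test_permissions_delete(self):
        """Exercise authorization on the delete endpoint with the default role.

        Walks POST /blog/delete/<id>/ through four cases: anonymous (401),
        logged in without the blogger role (302), blogger deleting post 1
        (success message), and the same blogger deleting post 11 (refusal
        message). Finally checks that the engine's permission is built from
        the fallback role name "blogger".
        """
        self.app.config["BLOGGING_PERMISSIONS"] = True
        # BLOGGING_PERMISSIONNAME is deliberately left unset, so the lookup
        # below falls back to "blogger".
        user_id = "testuser"
        self._set_identity_loader(
            self.app.config.get("BLOGGING_PERMISSIONNAME", "blogger"))

        with self.client:
            # Anonymous user cannot delete
            response = self.client.post("/blog/delete/1/")
            self.assertEqual(response.status_code, 401)

            self.login(user_id)
            # non blogger cannot delete posts
            response = self.client.post("/blog/delete/1/")
            self.assertEqual(response.status_code, 302)  # will be redirected
            # NOTE(review): the redirect alone does not prove post 1 survived;
            # the successful delete of the same post below is the only
            # indirect evidence. Consider asserting it against storage.
            self.logout()

            self.login(user_id, blogger=True)
            response = self.client.post("/blog/delete/1/",
                                        follow_redirects=True)
            # assertIn instead of a bare assert: bare asserts are stripped
            # under "python -O", which would silently disable this check.
            self.assertIn("Your post was successfully deleted",
                          str(response.data))

            # a user cannot delete another person's post
            # (presumably post 11 belongs to a different author in the
            # fixture data; verify against the test setup)
            # assertEqual replaces the deprecated assertEquals alias, which
            # was removed in Python 3.12.
            self.assertEqual(current_user.get_id(), user_id)
            response = self.client.post("/blog/delete/11/",
                                        follow_redirects=True)
            self.assertIn("You do not have the rights to delete this post",
                          str(response.data))
            # NOTE(review): only the refusal message is checked, not that the
            # other author's post still exists afterwards.

            test_permission = Permission(RoleNeed("testblogger"))
            blogger_permission = Permission(RoleNeed("blogger"))
            self.assertFalse(
                test_permission.issubset(self.engine.blogger_permission))
            self.assertTrue(
                blogger_permission.issubset(self.engine.blogger_permission))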
Пример #2
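    def test_permissions_delete(self):
        """Exercise authorization on the delete endpoint with the default role.

        Uses post ids from ``self.pids``: anonymous POST is rejected with
        401, a logged-in user without the blogger role is redirected (302),
        a blogger deletes ``self.pids[0]`` successfully, and the same blogger
        is refused when deleting ``self.pids[10]``. The engine's permission is
        then checked to be built from the fallback role name "blogger".
        """
        self.app.config["BLOGGING_PERMISSIONS"] = True
        # BLOGGING_PERMISSIONNAME is deliberately left unset, so the lookup
        # below falls back to "blogger".
        user_id = "testuser"
        self._set_identity_loader(self.app.config.get(
            "BLOGGING_PERMISSIONNAME", "blogger"))

        with self.client:
            # Anonymous user cannot delete
            response = self.client.post("/blog/delete/%s/" % self.pids[0])
            self.assertEqual(response.status_code, 401)

            self.login(user_id)
            # non blogger cannot delete posts
            response = self.client.post("/blog/delete/%s/" % self.pids[0])
            self.assertEqual(response.status_code, 302)  # will be redirected
            # NOTE(review): a 302 by itself does not show the post was left
            # in place; only the later successful delete hints at that.
            self.logout()

            self.login(user_id, blogger=True)
            response = self.client.post("/blog/delete/%s/" % self.pids[0],
                                        follow_redirects=True)
            # unittest assertion rather than a bare assert, so the check
            # still runs when Python is started with -O.
            self.assertIn("Your post was successfully deleted",
                          str(response.data))

            # a user cannot delete another person's post
            # (presumably self.pids[10] is owned by another author; confirm
            # against the fixture that fills self.pids)
            # assertEquals is a deprecated alias removed in Python 3.12.
            self.assertEqual(current_user.get_id(), user_id)
            response = self.client.post("/blog/delete/%s/" % self.pids[10],
                                        follow_redirects=True)
            self.assertIn("You do not have the rights to delete this post",
                          str(response.data))
            # NOTE(review): the refusal message is the only thing verified;
            # the continued existence of the post is not asserted.

            test_permission = Permission(RoleNeed("testblogger"))
            blogger_permission = Permission(RoleNeed("blogger"))
            self.assertFalse(test_permission.issubset(
                self.engine.blogger_permission))
            self.assertTrue(blogger_permission.issubset(
                self.engine.blogger_permission))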
Пример #3
    def test_permissions_editor(self):
        """Check editor access under a custom permission role name.

        With BLOGGING_PERMISSIONNAME set to "testblogger", both editor URLs
        must answer 401 to an anonymous client, 302 to a logged-in user
        without the role, and 200 to a user logged in as blogger. The engine
        permission must then contain the "testblogger" role need and not the
        "blogger" one.
        """
        editor_urls = ("/blog/editor/", "/blog/editor/1/")

        self.app.config["BLOGGING_PERMISSIONS"] = True
        self.app.config["BLOGGING_PERMISSIONNAME"] = "testblogger"
        user_id = "newuser"
        role_name = self.app.config.get("BLOGGING_PERMISSIONNAME", "blogger")
        self._set_identity_loader(role_name)

        with self.client:
            # Phase 1: no session at all.
            for url in editor_urls:
                reply = self.client.post(url)
                self.assertEqual(reply.status_code, 401)

            # Phase 2: authenticated, but without the blogger role.
            self.login(user_id)
            for url in editor_urls:
                reply = self.client.post(url)
                self.assertEqual(reply.status_code, 302)

            self.logout()

            # Phase 3: authenticated with the blogger role.
            self.login(user_id, blogger=True)
            for url in editor_urls:
                reply = self.client.post(url)
                self.assertEqual(reply.status_code, 200)

            # The configured name, not the default one, backs the permission.
            custom_role = Permission(RoleNeed("testblogger"))
            default_role = Permission(RoleNeed("blogger"))
            engine_permission_now = self.engine.blogger_permission
            self.assertTrue(custom_role.issubset(engine_permission_now))
            self.assertFalse(
                default_role.issubset(self.engine.blogger_permission))
Пример #4
    def test_permissions_editor(self):
        """Verify the editor endpoints honour a non-default role name.

        The role name is configured as "testblogger". Each editor URL is
        posted to as an anonymous client (401), as a logged-in user without
        the role (302) and as a blogger (200); afterwards the engine's
        permission is checked against both the custom and the default role.
        """
        def expect_status(expected):
            # Post to the new-post URL first, then to the edit URL for post 1,
            # the same order for every phase.
            for path in ("/blog/editor/", "/blog/editor/1/"):
                result = self.client.post(path)
                self.assertEqual(result.status_code, expected)

        self.app.config["BLOGGING_PERMISSIONS"] = True
        self.app.config["BLOGGING_PERMISSIONNAME"] = "testblogger"
        user_id = "newuser"
        self._set_identity_loader(
            self.app.config.get("BLOGGING_PERMISSIONNAME", "blogger"))

        with self.client:
            expect_status(401)  # anonymous

            self.login(user_id)
            expect_status(302)  # logged in, role missing

            self.logout()

            self.login(user_id, blogger=True)
            expect_status(200)  # logged in with the blogger role

            configured = Permission(RoleNeed("testblogger"))
            fallback = Permission(RoleNeed("blogger"))
            self.assertTrue(
                configured.issubset(self.engine.blogger_permission))
            self.assertFalse(
                fallback.issubset(self.engine.blogger_permission))
Пример #5
    def test_contains(self):
        """A permission over fewer role needs is contained in a wider one."""
        wider = Permission(RoleNeed('boss'), RoleNeed('lackey'))
        narrower = Permission(RoleNeed('lackey'))

        # Containment is asserted through both spellings: the explicit
        # method call and the ``in`` operator.
        assert narrower.issubset(wider)
        assert narrower in wider
Пример #6
 def test_permission_union_denial(self):
     """The union of a Permission and a Denial contains both operands.

     Only set containment is asserted here; how the combined object
     evaluates against an identity is not covered by this test.
     """
     granted = Permission(('a', 'b'))
     denied = Denial(('a', 'c'))
     combined = granted.union(denied)
     for operand in (granted, denied):
         assert operand.issubset(combined)
Пример #7
    def test_contains(self):
        """Check subset and ``in`` containment between two permissions."""
        boss_and_lackey = Permission(RoleNeed('boss'), RoleNeed('lackey'))
        lackey_only = Permission(RoleNeed('lackey'))

        # The single-need permission must be reported as part of the
        # two-need permission by issubset() and by the ``in`` operator.
        assert lackey_only.issubset(boss_and_lackey)
        assert lackey_only in boss_and_lackey
Пример #8
 def test_permission_union_denial(self):
     """Union of a grant and a denial keeps each side as a subset.

     The test stops at containment: it does not check whether the merged
     object allows or refuses any particular identity.
     """
     allow_side = Permission(('a', 'b'))
     deny_side = Denial(('a', 'c'))
     merged = allow_side.union(deny_side)
     # Grant side first, then denial side, as two separate assertions.
     assert allow_side.issubset(merged)
     assert deny_side.issubset(merged)