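def test_permissions_delete(self):
    """Check who may delete posts when role-based permissions are enabled.

    Walks the delete endpoint through four cases: no session (401), a
    logged-in user without the blogger role (302), a blogger deleting
    post 1 (success message), and the same blogger attempting post 11
    (refusal message). Finally checks that the engine's permission is
    built from the fallback role name "blogger" and not "testblogger".
    """
    self.app.config["BLOGGING_PERMISSIONS"] = True
    # Assuming "BLOGGING_PERMISSIONNAME" read failure: the key is not
    # assigned in this test, so the .get() fallback below supplies
    # "blogger".
    # self.app.config["BLOGGING_PERMISSIONNAME"] = None
    user_id = "testuser"
    self._set_identity_loader(
        self.app.config.get("BLOGGING_PERMISSIONNAME", "blogger"))

    # NOTE(review): post ids 1 and 11 are hard-coded; this presumably
    # relies on the fixture creating post 1 for "testuser" and post 11
    # for a different author -- confirm against setUp.
    with self.client:
        # Anonymous user cannot delete
        response = self.client.post("/blog/delete/1/")
        self.assertEqual(response.status_code, 401)

        self.login(user_id)
        # non blogger cannot delete posts
        response = self.client.post("/blog/delete/1/")
        self.assertEqual(response.status_code, 302)  # will be redirected
        self.logout()

        # The two rejected requests above targeted the same post that is
        # deleted here; the success message is the only visible evidence
        # that the post survived them.
        self.login(user_id, blogger=True)
        response = self.client.post("/blog/delete/1/",
                                    follow_redirects=True)
        self.assertIn("Your post was successfully deleted",
                      str(response.data))

        # a user cannot delete another person's post
        self.assertEqual(current_user.get_id(), user_id)
        response = self.client.post("/blog/delete/11/",
                                    follow_redirects=True)
        # NOTE(review): only the refusal message is asserted. Also
        # checking that post 11 still exists in storage would catch a
        # handler that deletes first and reports the error afterwards.
        self.assertIn("You do not have the rights to delete this post",
                      str(response.data))

        test_permission = Permission(RoleNeed("testblogger"))
        blogger_permission = Permission(RoleNeed("blogger"))
        self.assertFalse(
            test_permission.issubset(self.engine.blogger_permission))
        self.assertTrue(
            blogger_permission.issubset(self.engine.blogger_permission))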
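def test_permissions_delete(self):
    """Check who may delete posts when role-based permissions are enabled.

    Uses the post ids recorded in ``self.pids``. The delete endpoint is
    exercised without a session (401), as a logged-in user without the
    blogger role (302), as a blogger deleting ``pids[0]`` (success
    message) and as the same blogger attempting ``pids[10]`` (refusal
    message). The closing assertions check that the engine's permission
    uses the fallback role name "blogger" and not "testblogger".
    """
    self.app.config["BLOGGING_PERMISSIONS"] = True
    # Assuming "BLOGGING_PERMISSIONNAME" read failure: the key is not
    # assigned in this test, so the .get() fallback below supplies
    # "blogger".
    # self.app.config["BLOGGING_PERMISSIONNAME"] = None
    user_id = "testuser"
    self._set_identity_loader(self.app.config.get(
        "BLOGGING_PERMISSIONNAME", "blogger"))

    # presumably pids[0] belongs to "testuser" and pids[10] to another
    # author -- verify against the fixture that fills self.pids.
    own_post_url = "/blog/delete/%s/" % self.pids[0]

    with self.client:
        # Anonymous user cannot delete
        response = self.client.post(own_post_url)
        self.assertEqual(response.status_code, 401)

        self.login(user_id)
        # non blogger cannot delete posts
        response = self.client.post(own_post_url)
        self.assertEqual(response.status_code, 302)  # will be redirected
        self.logout()

        # The rejected requests above hit the same post that is deleted
        # here; the success message is the only visible evidence that
        # the post survived them.
        self.login(user_id, blogger=True)
        response = self.client.post(own_post_url, follow_redirects=True)
        self.assertIn("Your post was successfully deleted",
                      str(response.data))

        # a user cannot delete another person's post
        self.assertEqual(current_user.get_id(), user_id)
        response = self.client.post("/blog/delete/%s/" % self.pids[10],
                                    follow_redirects=True)
        # NOTE(review): only the refusal message is asserted. Also
        # checking that pids[10] is still present in storage would catch
        # a handler that deletes first and reports the error afterwards.
        self.assertIn("You do not have the rights to delete this post",
                      str(response.data))

        test_permission = Permission(RoleNeed("testblogger"))
        blogger_permission = Permission(RoleNeed("blogger"))
        self.assertFalse(test_permission.issubset(
            self.engine.blogger_permission))
        self.assertTrue(blogger_permission.issubset(
            self.engine.blogger_permission))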
def test_permissions_editor(self):
    """Check editor access with a custom permission role name.

    The role name is set to "testblogger". Both editor routes must
    answer 401 without a session, 302 for a logged-in user without the
    role and 200 for a user logged in with ``blogger=True``. The closing
    assertions check that the engine's permission follows the configured
    name instead of the default "blogger".
    """
    config = self.app.config
    config["BLOGGING_PERMISSIONS"] = True
    config["BLOGGING_PERMISSIONNAME"] = "testblogger"
    user_id = "newuser"
    role_name = config.get("BLOGGING_PERMISSIONNAME", "blogger")
    self._set_identity_loader(role_name)

    # New-post route first, then the edit route for post 1, in each phase.
    editor_urls = ("/blog/editor/", "/blog/editor/1/")

    with self.client:
        # No session at all.
        for url in editor_urls:
            response = self.client.post(url)
            self.assertEqual(response.status_code, 401)

        # Authenticated, but without the blogger role.
        # NOTE(review): only the status code is asserted; the redirect
        # target is not checked here.
        self.login(user_id)
        for url in editor_urls:
            response = self.client.post(url)
            self.assertEqual(response.status_code, 302)
        self.logout()

        # Authenticated with the blogger role.
        self.login(user_id, blogger=True)
        for url in editor_urls:
            response = self.client.post(url)
            self.assertEqual(response.status_code, 200)

        engine_permission_is_custom = Permission(
            RoleNeed("testblogger")).issubset(self.engine.blogger_permission)
        self.assertTrue(engine_permission_is_custom)
        engine_permission_is_default = Permission(
            RoleNeed("blogger")).issubset(self.engine.blogger_permission)
        self.assertFalse(engine_permission_is_default)
def test_permissions_editor(self):
    """Check editor access with a custom permission role name.

    With the role name configured as "testblogger", the new-post and
    edit-post routes are posted to in three states: no session (401),
    logged in without the role (302) and logged in with
    ``blogger=True`` (200). The engine's permission must then match
    "testblogger" and not the default "blogger".
    """
    def post_status(url):
        # Status code of an empty POST issued through the test client.
        return self.client.post(url).status_code

    self.app.config["BLOGGING_PERMISSIONS"] = True
    self.app.config["BLOGGING_PERMISSIONNAME"] = "testblogger"
    user_id = "newuser"
    configured_role = self.app.config.get(
        "BLOGGING_PERMISSIONNAME", "blogger")
    self._set_identity_loader(configured_role)

    with self.client:
        # Anonymous requests are rejected outright.
        self.assertEqual(post_status("/blog/editor/"), 401)
        self.assertEqual(post_status("/blog/editor/1/"), 401)

        # A logged-in user without the role is redirected.
        # NOTE(review): the redirect location is not asserted.
        self.login(user_id)
        self.assertEqual(post_status("/blog/editor/"), 302)
        self.assertEqual(post_status("/blog/editor/1/"), 302)
        self.logout()

        # A user holding the role reaches the editor.
        self.login(user_id, blogger=True)
        self.assertEqual(post_status("/blog/editor/"), 200)
        self.assertEqual(post_status("/blog/editor/1/"), 200)

        custom_role = Permission(RoleNeed("testblogger"))
        default_role = Permission(RoleNeed("blogger"))
        self.assertTrue(custom_role.issubset(
            self.engine.blogger_permission))
        self.assertFalse(default_role.issubset(
            self.engine.blogger_permission))
def test_contains(self):
    """A permission built from one of two role needs is a subset of, and
    is reported as ``in``, the permission built from both."""
    boss_and_lackey = Permission(RoleNeed('boss'), RoleNeed('lackey'))
    lackey_only = Permission(RoleNeed('lackey'))

    # Explicit method form.
    assert lackey_only.issubset(boss_and_lackey)
    # Operator form of the same containment check.
    assert lackey_only in boss_and_lackey
def test_permission_union_denial(self):
    """The union of a Permission and a Denial contains both operands."""
    allow = Permission(('a', 'b'))
    deny = Denial(('a', 'c'))
    combined = allow.union(deny)

    # NOTE(review): only the subset relation is asserted; whether the
    # combined permission still refuses an identity carrying ('a', 'c')
    # is not exercised here.
    assert allow.issubset(combined)
    assert deny.issubset(combined)
def test_contains(self):
    """Containment between permissions: the single-role permission must
    pass both ``issubset`` and the ``in`` operator against the two-role
    permission."""
    wider = Permission(RoleNeed('boss'), RoleNeed('lackey'))
    narrower = Permission(RoleNeed('lackey'))

    # Method call first, then the operator, as two separate checks.
    assert narrower.issubset(wider)
    assert narrower in wider
def test_permission_union_denial(self):
    """Both the Permission and the Denial must be subsets of their union."""
    granted = Permission(('a', 'b'))
    refused = Denial(('a', 'c'))
    merged = granted.union(refused)

    # NOTE(review): this pins the set relation only; it does not show
    # how the merged object treats an identity that holds ('a', 'c').
    assert granted.issubset(merged)
    assert refused.issubset(merged)