def test_improperly_scoped_token_can_not_create_or_email(
self, mock_auth, mock_mail, app, user, email_unconfirmed, data,
url_base):
token = ApiOAuth2PersonalToken(
owner=user,
name='Unauthorized Token',
)
token.save()
scope = ApiOAuth2ScopeFactory()
scope.name = 'unauthorized scope'
scope.save()
token.scopes.add(scope)
mock_cas_resp = CasResponse(authenticated=True,
user=user._id,
attributes={
'accessToken':
token.token_id,
'accessTokenScope':
[s.name for s in token.scopes.all()]
})
mock_auth.return_value = user, mock_cas_resp
assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0
res = app.post_json_api(
'{}?send_email=true'.format(url_base),
data,
headers={'Authorization': 'Bearer {}'.format(token.token_id)},
expect_errors=True)
assert res.status_code == 403
assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0
assert mock_mail.call_count == 0
def test_admin_scoped_token_can_create_and_send_email(
self, mock_auth, mock_mail, app, user, email_unconfirmed, data,
url_base):
token = ApiOAuth2PersonalToken(
owner=user,
name='Admin Token',
)
scope = ApiOAuth2ScopeFactory()
scope.name = 'osf.admin'
scope.save()
token.scopes.add(scope)
mock_cas_resp = CasResponse(authenticated=True,
user=user._id,
attributes={
'accessToken':
token.token_id,
'accessTokenScope':
[s.name for s in token.scopes.all()]
})
mock_auth.return_value = user, mock_cas_resp
assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0
res = app.post_json_api(
'{}?send_email=true'.format(url_base),
data,
headers={'Authorization': 'Bearer {}'.format(token.token_id)})
assert res.status_code == 201
assert res.json['data']['attributes']['username'] == email_unconfirmed
assert OSFUser.objects.filter(username=email_unconfirmed).count() == 1
assert mock_mail.call_count == 1
def test_admin_scoped_token_has_admin(self, mock_auth):
token = ApiOAuth2PersonalToken(
owner=self.user,
name='Admin Token',
)
token.save()
scope = ApiOAuth2ScopeFactory()
scope.name = 'osf.admin'
scope.save()
token.scopes.add(scope)
mock_cas_resp = CasResponse(authenticated=True,
user=self.user._id,
attributes={
'accessToken':
token.token_id,
'accessTokenScope':
[s.name for s in token.scopes.all()]
})
mock_auth.return_value = self.user, mock_cas_resp
res = self.app.get(
self.url,
headers={'Authorization': 'Bearer {}'.format(token.token_id)})
assert_equal(res.status_code, 200)
assert_equal(res.json['meta'][ADMIN], True)
def test_non_admin_scoped_token_does_not_have_admin(self, mock_auth):
token = ApiOAuth2PersonalToken(
owner=self.user,
name='Admin Token',
scopes=' '.join([key for key in public_scopes if key != 'osf.admin'])
)
mock_cas_resp = CasResponse(
authenticated=True,
user=self.user._id,
attributes={
'accessToken': token.token_id,
'accessTokenScope': [s for s in token.scopes.split(' ')]
}
)
mock_auth.return_value = self.user, mock_cas_resp
res = self.app.get(
self.url,
headers={
'Authorization': 'Bearer {}'.format(token.token_id)
}
)
assert_equal(res.status_code, 200)
assert_not_in('admin', res.json['meta'].keys())
def test_admin_scoped_token_can_create_and_send_email(
self, mock_auth, mock_mail):
token = ApiOAuth2PersonalToken(owner=self.user,
name='Admin Token',
scopes='osf.admin')
mock_cas_resp = CasResponse(authenticated=True,
user=self.user._id,
attributes={
'accessToken':
token.token_id,
'accessTokenScope':
[s for s in token.scopes.split(' ')]
})
mock_auth.return_value = self.user, mock_cas_resp
assert_equal(
User.find(Q('username', 'eq', self.unconfirmed_email)).count(), 0)
res = self.app.post_json_api(
'{}?send_email=true'.format(self.base_url),
self.data,
headers={'Authorization': 'Bearer {}'.format(token.token_id)})
assert_equal(res.status_code, 201)
assert_equal(res.json['data']['attributes']['username'],
self.unconfirmed_email)
assert_equal(
User.find(Q('username', 'eq', self.unconfirmed_email)).count(), 1)
assert_equal(mock_mail.call_count, 1)
def test_improperly_scoped_token_can_not_create_or_email(
self, mock_auth, mock_mail):
token = ApiOAuth2PersonalToken(owner=self.user,
name='Unauthorized Token',
scopes='osf.full_write')
mock_cas_resp = CasResponse(authenticated=True,
user=self.user._id,
attributes={
'accessToken':
token.token_id,
'accessTokenScope':
[s for s in token.scopes.split(' ')]
})
mock_auth.return_value = self.user, mock_cas_resp
assert_equal(
User.find(Q('username', 'eq', self.unconfirmed_email)).count(), 0)
res = self.app.post_json_api(
'{}?send_email=true'.format(self.base_url),
self.data,
headers={'Authorization': 'Bearer {}'.format(token.token_id)},
expect_errors=True)
assert_equal(res.status_code, 403)
assert_equal(
User.find(Q('username', 'eq', self.unconfirmed_email)).count(), 0)
assert_equal(mock_mail.call_count, 0)
def test_properly_scoped_token_can_create_without_username_but_not_send_email(
self, mock_auth, mock_mail):
token = ApiOAuth2PersonalToken(owner=self.user,
name='Authorized Token',
scopes='osf.users.create')
mock_cas_resp = CasResponse(authenticated=True,
user=self.user._id,
attributes={
'accessToken':
token.token_id,
'accessTokenScope':
[s for s in token.scopes.split(' ')]
})
mock_auth.return_value = self.user, mock_cas_resp
self.data['data']['attributes'] = {'full_name': 'No Email'}
assert_equal(User.find(Q('fullname', 'eq', 'No Email')).count(), 0)
res = self.app.post_json_api(
'{}?send_email=true'.format(self.base_url),
self.data,
headers={'Authorization': 'Bearer {}'.format(token.token_id)})
assert_equal(res.status_code, 201)
assert_equal(res.json['data']['attributes']['username'], None)
assert_equal(User.find(Q('fullname', 'eq', 'No Email')).count(), 1)
assert_equal(mock_mail.call_count, 0)
def test_properly_scoped_token_can_create_without_username_but_not_send_email(
self, mock_auth, mock_mail, app, user, data, url_base):
token = ApiOAuth2PersonalToken(owner=user,
name='Authorized Token',
scopes='osf.users.create')
mock_cas_resp = CasResponse(authenticated=True,
user=user._id,
attributes={
'accessToken':
token.token_id,
'accessTokenScope':
[s for s in token.scopes.split(' ')]
})
mock_auth.return_value = user, mock_cas_resp
data['data']['attributes'] = {'full_name': 'No Email'}
assert OSFUser.objects.filter(fullname='No Email').count() == 0
res = app.post_json_api(
'{}?send_email=true'.format(url_base),
data,
headers={'Authorization': 'Bearer {}'.format(token.token_id)})
assert res.status_code == 201
username = res.json['data']['attributes']['username']
try:
UUID(username)
except ValueError:
raise AssertionError('Username is not a valid UUID')
assert OSFUser.objects.filter(fullname='No Email').count() == 1
assert mock_mail.call_count == 0
def test_properly_scoped_token_does_not_send_email_without_kwarg(
self, mock_auth, mock_mail, app, user, email_unconfirmed, data,
url_base):
token = ApiOAuth2PersonalToken(owner=user,
name='Authorized Token',
scopes='osf.users.create')
mock_cas_resp = CasResponse(authenticated=True,
user=user._id,
attributes={
'accessToken':
token.token_id,
'accessTokenScope':
[s for s in token.scopes.split(' ')]
})
mock_auth.return_value = user, mock_cas_resp
assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0
res = app.post_json_api(
url_base,
data,
headers={'Authorization': 'Bearer {}'.format(token.token_id)})
assert res.status_code == 201
assert res.json['data']['attributes']['username'] == email_unconfirmed
assert OSFUser.objects.filter(username=email_unconfirmed).count() == 1
assert mock_mail.call_count == 0
