def test_add_order_log(mdb):
"""
Confirm that logs are created when orders are added.
Checks:
* Confirm that a log entry is created after order is added.
"""
indata = {
"order": {
"description": "Test add order log description",
"title": "Test add order log title",
}
}
indata["order"].update(TEST_LABEL)
session = requests.Session()
helpers.as_user(session, USERS["edit"])
response = helpers.make_request(session,
"/api/v1/order",
method="POST",
data=indata,
ret_json=True)
assert response.code == 200
assert "id" in response.data
assert len(response.data["id"]) == 38
order = mdb["orders"].find_one({"_id": response.data["id"]})
logs = list(mdb["logs"].find({
"data_type": "order",
"data._id": response.data["id"]
}))
assert len(logs) == 1
assert logs[0]["data"] == order
assert logs[0]["action"] == "add"
def test_delete_user(mdb):
"""Test deleting users (added when testing to add users)"""
re_users = re.compile("@added.example.com")
users = list(mdb["users"].find({"email": re_users}, {"_id": 1}))
if not users:
assert False
session = requests.Session()
i = 0
while i < len(users):
for role in USERS:
as_user(session, USERS[role])
response = make_request(session,
f'/api/v1/user/{users[i]["_id"]}',
method="DELETE")
if role in ("users", "root"):
assert response.code == 200
assert not response.data
assert not mdb["users"].find_one({"_id": users[i]["_id"]})
assert mdb["logs"].find_one({
"data._id": users[i]["_id"],
"action": "delete",
"data_type": "user",
})
i += 1
if i >= len(users):
break
elif role == "no-login":
assert response.code == 401
assert not response.data
else:
assert response.code == 403
assert not response.data
def test_delete_collection_bad():
"""
Confirm that bad deletion attempts are handled correctly.
Checks:
* Random string as base user -> 403
* Random string as data user -> 404
* Random uuid as data user -> 404
"""
session = requests.Session()
as_user(session, USERS["base"])
for _ in range(2):
response = make_request(session,
f"/api/v1/collection/{random_string()}",
method="DELETE")
assert response.code == 403
assert not response.data
as_user(session, USERS["data"])
for _ in range(2):
response = make_request(session,
f"/api/v1/collection/{random_string()}",
method="DELETE")
assert response.code == 404
assert not response.data
for _ in range(2):
response = make_request(session,
f"/api/v1/collection/{uuid.uuid4()}",
method="DELETE")
assert response.code == 404
assert not response.data
def test_get_dataset_logs_permissions(mdb):
"""
Get dataset logs.
Assert that DATA_MANAGEMENT or user in editors is required.
"""
dataset_data = mdb["datasets"].aggregate([{"$sample": {"size": 1}}]).next()
order_data = mdb["orders"].find_one({"datasets": dataset_data["_id"]})
user_data = mdb["users"].find_one(
{"$or": [{
"_id": {
"$in": order_data["editors"]
}
}]})
responses = helpers.make_request_all_roles(
f'/api/v1/dataset/{dataset_data["_id"]}/log', ret_json=True)
for response in responses:
if response.role in ("data", "root"):
assert response.code == 200
assert "logs" in response.data
elif response.role == "no-login":
assert response.code == 401
assert not response.data
else:
assert response.code == 403
assert not response.data
session = requests.Session()
helpers.as_user(session, user_data["auth_ids"][0])
response = helpers.make_request(
session, f'/api/v1/dataset/{dataset_data["_id"]}/log', ret_json=True)
assert response.code == 200
assert "logs" in response.data
def test_key_login():
"""Test API key login for all users"""
session = requests.Session()
helpers.as_user(session, None)
for i, userid in enumerate(helpers.USERS):
response = helpers.make_request(
session,
"/api/v1/login/apikey",
data={
"api-user": helpers.USERS[userid],
"api-key": str(i - 1)
},
method="POST",
)
if userid == "no-login":
assert response.code == 401
assert not response.data
else:
assert response.code == 200
assert not response.data
response = helpers.make_request(session,
"/api/v1/developer/loginhello")
assert response.code == 200
assert response.data == {"test": "success"}
def test_get_dataset(mdb):
"""
Confirm that datasets are returned correctly.
Tests:
* Confirm that the correct dataset is returned
* Confirm that the dataset is not listed in ``related``
"""
session = requests.Session()
order_id = helpers.add_order()
ds_id = helpers.add_dataset(order_id)
ds_id2 = helpers.add_dataset(order_id)
coll_id = helpers.add_collection([ds_id])
coll_id2 = helpers.add_collection([ds_id])
helpers.as_user(session, helpers.USERS["edit"])
order_data = mdb["orders"].find_one({"_id": order_id})
response = helpers.make_request(session, f"/api/v1/dataset/{ds_id}")
assert response.code == 200
result = response.data["dataset"]
assert result["order"]["id"] == str(order_id)
assert set(entry["id"] for entry in result["related"]) == {str(ds_id2)}
assert set(entry["id"] for entry in result["collections"]) == {
str(coll_id), str(coll_id2)
}
assert set(entry["id"] for entry in result["authors"]) == set(
str(entry) for entry in order_data["authors"])
assert set(entry["id"] for entry in result["generators"]) == set(
str(entry) for entry in order_data["generators"])
assert result["organisation"]["id"] == str(order_data["organisation"])
assert set(entry["id"] for entry in result["editors"]) == set(
str(entry) for entry in order_data["editors"])
helpers.as_user(session, helpers.USERS["base"])
order_data = mdb["orders"].find_one({"_id": order_id})
response = helpers.make_request(session, f"/api/v1/dataset/{ds_id}")
assert response.code == 200
result = response.data["dataset"]
assert "order" not in result
assert set(entry["id"] for entry in result["related"]) == {str(ds_id2)}
assert set(entry["id"] for entry in result["collections"]) == {
str(coll_id), str(coll_id2)
}
assert set(entry["id"] for entry in result["authors"]) == set(
str(entry) for entry in order_data["authors"])
assert set(entry["id"] for entry in result["generators"]) == set(
str(entry) for entry in order_data["generators"])
assert result["organisation"]["id"] == str(order_data["organisation"])
assert "editors" not in result
mdb["orders"].delete_one({"_id": order_id})
mdb["datasets"].delete_one({"_id": ds_id})
mdb["datasets"].delete_one({"_id": ds_id2})
mdb["collections"].delete_one({"_id": coll_id})
mdb["collections"].delete_one({"_id": coll_id2})
def test_info_add_dataset():
"""Confirm that the redirect information works as intended."""
session = requests.session()
helpers.as_user(session, helpers.USERS["data"])
response = helpers.make_request(session,
"/api/v1/dataset",
ret_json=False,
method="POST")
assert response.data == "Use http://localhost:5000/api/v1/order/-identifier-/dataset instead"
def test_get_collection_logs_permissions(mdb):
"""
Confirm that collection logs can only be accessed by the intended users.
Checks:
* DATA_MANAGEMENT can access any log.
* DATA_EDIT can access entries where they are editors.
* User in editors, but not DATA_EDIT cannot access logs.
* Other users cannot access logs.
"""
collections = list(mdb["collections"].aggregate([{
"$sample": {
"size": 5
}
}]))
session = requests.Session()
helpers.as_user(session, helpers.USERS["data"])
for collection in collections:
response = make_request(session,
f'/api/v1/collection/{collection["_id"]}/log',
ret_json=True)
assert response.code == 200
assert "logs" in response.data
coll_id = helpers.add_collection()
responses = make_request_all_roles(f"/api/v1/collection/{coll_id}/log",
ret_json=True)
for response in responses:
if response.role in ("edit", "data", "root"):
assert response.code == 200
assert "logs" in response.data
elif response.role == "no-login":
assert response.code == 401
assert not response.data
else:
assert response.code == 403
assert not response.data
base_user = mdb["users"].find_one({"auth_ids": helpers.USERS["base"]})
mdb["collections"].update_one({"_id": coll_id},
{"$set": {
"editors": [base_user["_id"]]
}})
for collection in collections:
responses = make_request_all_roles(
f'/api/v1/collection/{collection["_id"]}/log', ret_json=True)
for response in responses:
if response.role in ("data", "root"):
assert response.code == 200
assert "logs" in response.data
elif response.role == "no-login":
assert response.code == 401
assert not response.data
else:
assert response.code == 403
assert not response.data
def test_dataset_update_bad(dataset_for_tests):
"""Confirm that bad requests will be rejected."""
indata = {"dataset": {"title": "Updated title"}}
ds_uuid = helpers.random_string()
responses = helpers.make_request_all_roles(f"/api/v1/dataset/{ds_uuid}",
method="PATCH",
data=indata)
for response in responses:
if response.role in ("edit", "data", "root"):
assert response.code == 404
elif response.role == "no-login":
assert response.code == 401
else:
assert response.code == 403
assert not response.data
ds_uuid = uuid.uuid4().hex
responses = helpers.make_request_all_roles(f"/api/v1/dataset/{ds_uuid}",
method="PATCH",
data=indata)
for response in responses:
if response.role in ("edit", "data", "root"):
assert response.code == 404
elif response.role == "no-login":
assert response.code == 401
else:
assert response.code == 403
assert not response.data
ds_uuid = dataset_for_tests
session = requests.Session()
helpers.as_user(session, helpers.USERS["data"])
indata = {"title": ""}
response = helpers.make_request(session,
f"/api/v1/dataset/{ds_uuid}",
method="PATCH",
data=indata)
assert response.code == 400
assert not response.data
indata = {"dataset": {"extra": "asd"}}
response = helpers.make_request(session,
f"/api/v1/dataset/{ds_uuid}",
method="PATCH",
data=indata)
assert response.code == 400
assert not response.data
indata = {"dataset": {"timestamp": "asd"}}
response = helpers.make_request(session,
f"/api/v1/dataset/{ds_uuid}",
method="PATCH",
data=indata)
assert response.code == 400
assert not response.data
def test_logout():
"""Assure that session is cleared after logging out."""
session = requests.Session()
helpers.as_user(session, helpers.USERS["root"])
response = helpers.make_request(session, "/api/v1/user/me")
for field in response.data["user"]:
assert response.data["user"][field]
response = helpers.make_request(session, "/api/v1/logout", ret_json=False)
response = helpers.make_request(session, "/api/v1/user/me")
for field in response.data["user"]:
assert not response.data["user"][field]
def test_add_dataset_data(mdb):
"""
Confirm that values are set correctly and logs are created.
Checks:
* All values can be set correctly
* Dataset is added correctly to the order
* Description is escaped
"""
order_id = helpers.add_order()
indata = {
"dataset": {
"title": "New add dataset data title",
"description": "<br />",
"tags": ["testing", "add_dataset"],
}
}
indata["dataset"].update(TEST_LABEL)
session = requests.session()
helpers.as_user(session, USERS["data"])
response = helpers.make_request(
session,
f"/api/v1/order/{order_id}/dataset",
method="POST",
data=indata,
ret_json=True,
)
assert response.code == 200
assert "id" in response.data
assert len(response.data["id"]) == 38
order_info = mdb["orders"].find_one({"_id": order_id})
assert len(order_info["datasets"]) == 1
added_ds = mdb["datasets"].find_one({"_id": response.data["id"]})
for key in indata["dataset"]:
if key == "description":
assert added_ds[key] == "<br />"
else:
assert added_ds[key] == indata["dataset"][key]
response = helpers.make_request(
session,
f"/api/v1/order/{order_id}/dataset",
method="POST",
data=indata,
ret_json=True,
)
assert response.code == 200
assert "id" in response.data
assert len(response.data["id"]) == 38
order_info = mdb["orders"].find_one({"_id": order_id})
assert len(order_info["datasets"]) == 2
def test_update_user(mdb):
"""Update the info for a user."""
user_info = mdb["users"].find_one({"auth_ids": USERS["base"]})
indata = {}
responses = make_request_all_roles(f'/api/v1/user/{user_info["_id"]}',
ret_json=True,
method="PATCH",
data=indata)
for response in responses:
if response.role in ("users", "root"):
assert response.code == 400
new_user_info = mdb["users"].find_one(
{"auth_ids": {
"$in": user_info["auth_ids"]
}})
assert user_info == new_user_info
elif response.role == "no-login":
assert response.code == 401
else:
assert response.code == 403
assert not response.data
indata = {
"user": {
"affiliation": "Updated University",
"name": "Updated name"
}
}
session = requests.session()
for user_type in USERS:
as_user(session, USERS[user_type])
response = make_request(
session,
f'/api/v1/user/{user_info["_id"]}',
ret_json=True,
method="PATCH",
data=indata,
)
if user_type in ("users", "root"):
assert response.code == 200
assert not response.data
new_user_info = mdb["users"].find_one(
{"auth_ids": user_info["auth_ids"]})
for key in indata["user"]:
assert new_user_info[key] == indata["user"][key]
mdb["users"].update_one(new_user_info, {"$set": user_info})
elif user_type == "no-login":
assert response.code == 401
assert not response.data
else:
assert response.code == 403
assert not response.data
def test_list_all_orders(mdb):
"""
Confirm that orders are listed correctly.
Checks:
* DATA_MANAGEMENT lists all orders
* DATA_EDIT gets all orders where they are editors
* Other users get 403 or 401
* Order should contain id, title, tags, properties
"""
nr_orders = mdb["orders"].count_documents({})
responses = helpers.make_request_all_roles("/api/v1/order", ret_json=True)
for response in responses:
if response.role in ("data", "root"):
assert response.code == 200
assert len(response.data["orders"]) == nr_orders
assert set(response.data["orders"][0].keys()) == {
"id",
"properties",
"tags",
"title",
}
elif response.role == "no-login":
assert response.code == 401
assert not response.data
elif response.role == "edit":
assert response.code == 200
edit_user = mdb["users"].find_one(
{"auth_ids": helpers.USERS["edit"]})
edit_orders = mdb["orders"].count_documents(
{"editors": edit_user["_id"]})
assert len(response.data["orders"]) == edit_orders
else:
assert response.code == 403
assert not response.data
order_id = next(mdb["orders"].aggregate([{"$sample": {"size": 1}}]))
user_info = mdb["users"].find_one({"_id": order_id["editors"][0]})
order_count = mdb["orders"].count_documents({"editors": user_info["_id"]})
session = requests.Session()
helpers.as_user(session, user_info["auth_ids"][0])
response = helpers.make_request(session, "/api/v1/order", ret_json=True)
assert response.code == 200
assert len(response.data["orders"]) == order_count
assert set(response.data["orders"][0].keys()) == {
"id",
"properties",
"tags",
"title",
}
def test_dataset_update_permissions(mdb):
"""
Confirm that permissions for updating datasets are correct.
Checks:
* DATA_MANAGER can update any dataset
* DATA_EDIT can update datasets where they are editors (in the order)
* Other users cannot update any dataset, even if they are editors
"""
session = requests.Session()
order_id = helpers.add_order()
ds_id = helpers.add_dataset(order_id)
indata = {"dataset": {"title": "Updated dataset permissions title"}}
responses = helpers.make_request_all_roles(f"/api/v1/dataset/{ds_id}",
method="PATCH",
data=indata)
for response in responses:
if response.role in ("edit", "data", "root"):
assert response.code == 200
elif response.role == "no-login":
assert response.code == 401
else:
assert response.code == 403
assert not response.data
indata = {"dataset": {"title": "Updated dataset permissions title 2"}}
edit_user = mdb["users"].find_one({"auth_ids": helpers.USERS["edit"]})
mdb["orders"].update_one({"_id": order_id},
{"$pull": {
"editors": edit_user["_id"]
}})
helpers.as_user(session, helpers.USERS["edit"])
response = helpers.make_request(session,
f"/api/v1/dataset/{ds_id}",
method="PATCH",
data=indata)
assert response.code == 403
assert not response.data
base_user = mdb["users"].find_one({"auth_ids": helpers.USERS["base"]})
mdb["orders"].update_one({"_id": order_id},
{"$push": {
"editors": base_user["_id"]
}})
helpers.as_user(session, helpers.USERS["base"])
response = helpers.make_request(session,
f"/api/v1/dataset/{ds_id}",
method="PATCH",
data=indata)
assert response.code == 403
assert not response.data
def test_get_order_data(mdb):
"""
Confirm that the retrieved data is from the correct order and contain the correct data.
Checks:
* Request multiple orders by uuid, one at a time.
- Request the order and confirm that it contains the correct data.
"""
session = requests.Session()
as_user(session, USERS["data"])
orders = list(mdb["orders"].aggregate([{"$sample": {"size": 3}}]))
for entry in orders:
# to simplify comparison
entry["_id"] = str(entry["_id"])
# user entries
for key in ("authors", "generators", "editors"):
entry[key] = utils.user_uuid_data(entry[key], mdb)
entry["organisation"] = utils.user_uuid_data(entry["organisation"],
mdb)[0]
for i, ds in enumerate(entry["datasets"]):
entry["datasets"][i] = next(mdb["datasets"].aggregate([{
"$match": {
"_id": ds
}
}, {
"$project": {
"_id": 1,
"title": 1
}
}]))
entry["datasets"][i]["_id"] = str(entry["datasets"][i]["_id"])
response = make_request(session, f'/api/v1/order/{entry["_id"]}')
assert response.code == 200
data = response.data["order"]
assert len(entry) == len(data)
for field in entry:
if field in ("authors", "datasets", "generators", "editors"):
assert len(entry[field]) == len(data[field])
assert set(subentry["_id"]
for subentry in entry[field]) == set(
subentry["id"] for subentry in data[field])
elif field == "_id":
assert entry["_id"] == data["id"]
elif field == "organisation":
assert entry[field]["_id"] == data[field]["id"]
else:
assert entry[field] == data[field]
def test_update_current_user(mdb):
"""Update the info about the current user."""
session = requests.Session()
indata = {"user": {}}
for user in USERS:
as_user(session, USERS[user])
user_info = mdb["users"].find_one({"auth_ids": USERS[user]})
response = make_request(session,
"/api/v1/user/me",
ret_json=True,
method="PATCH",
data=indata)
if user != "no-login":
assert response.code == 400
else:
assert response.code == 401
assert not response.data
new_user_info = mdb["users"].find_one({"auth_ids": USERS[user]})
assert user_info == new_user_info
indata = {
"user": {
"affiliation": "Updated University",
"name": "Updated name"
}
}
session = requests.Session()
for user in USERS:
as_user(session, USERS[user])
user_info = mdb["users"].find_one({"auth_ids": USERS[user]})
response = make_request(session,
"/api/v1/user/me",
ret_json=True,
method="PATCH",
data=indata)
if user != "no-login":
assert response.code == 200
assert not response.data
new_user_info = mdb["users"].find_one({"auth_ids": USERS[user]})
for key in new_user_info:
if key in indata["user"].keys():
assert new_user_info[key] == indata["user"][key]
else:
mdb["users"].update_one(new_user_info, {"$set": user_info})
else:
assert response.code == 401
assert not response.data
def test_get_collection_logs_bad():
"""Confirm that bad identifiers return 404."""
session = requests.session()
helpers.as_user(session, helpers.USERS["data"])
for _ in range(3):
response = make_request(session,
f"/api/v1/collection/{uuid.uuid4()}/log",
ret_json=True)
assert response.code == 404
assert not response.data
response = make_request(
session,
f"/api/v1/collection/{helpers.random_string()}/log",
ret_json=True)
assert response.code == 404
assert not response.data
def test_get_order_logs_bad():
"""
Request the logs for multiple orders.
Confirm that bad identifiers give response 404.
"""
session = requests.session()
for _ in range(2):
as_user(session, USERS["data"])
response = make_request(session,
f"/api/v1/order/{uuid.uuid4()}/log",
ret_json=True)
assert response.code == 404
response = make_request(session,
f"/api/v1/order/{random_string()}/log",
ret_json=True)
assert response.code == 404
def test_add_dataset_log(mdb):
"""
Confirm that logs are added correctly when datasets are added.
Checks:
* An add log is created for the dataset
* An edit log is created for the order
"""
order_id = helpers.add_order()
indata = {
"dataset": {
"title": "New add dataset log title",
"description": "<br />",
"tags": ["testing", "add_dataset"],
}
}
indata["dataset"].update(TEST_LABEL)
session = requests.session()
helpers.as_user(session, USERS["data"])
response = helpers.make_request(
session,
f"/api/v1/order/{order_id}/dataset",
method="POST",
data=indata,
ret_json=True,
)
assert response.code == 200
assert "id" in response.data
ds_add_log_count = mdb["logs"].count_documents({
"data_type":
"dataset",
"data._id":
response.data["id"],
"action":
"add",
})
assert ds_add_log_count == 1
order_edit_log_count = mdb["logs"].count_documents({
"data_type": "order",
"data._id": order_id,
"action": "edit"
})
assert order_edit_log_count == 1
def test_delete_order_bad():
"""Confirm that bad uuids get an appropriate response."""
session = requests.Session()
as_user(session, USERS["data"])
for _ in range(2):
response = make_request(session,
f"/api/v1/order/{random_string()}",
method="DELETE")
assert response.code == 404
assert not response.data
for _ in range(2):
response = make_request(session,
f"/api/v1/order/{uuid.uuid4()}",
method="DELETE")
assert response.code == 404
assert not response.data
def test_delete_bad():
"""Confirm that bad identifiers return 404."""
session = requests.Session()
helpers.as_user(session, helpers.USERS["data"])
for _ in range(3):
ds_uuid = helpers.random_string()
response = helpers.make_request(session,
f"/api/v1/dataset/{ds_uuid}",
method="DELETE")
assert response.code == 404
assert not response.data
ds_uuid = uuid.uuid4()
response = helpers.make_request(session,
f"/api/v1/dataset/{ds_uuid}",
method="DELETE")
assert response.code == 404
assert not response.data
def test_get_order_logs_permissions(mdb):
"""
Confirm that only the intended users can access the logs.
Checks:
* DATA_MANAGEMENT can access logs for any order
* DATA_EDIT required to be in editors
"""
order_data = mdb["orders"].aggregate([{"$sample": {"size": 1}}]).next()
edit_user = mdb["users"].find_one({"auth_ids": USERS["edit"]})
# in case the edit user is an editor
mdb["orders"].update_one({"_id": order_data["_id"]},
{"$pull": {
"editors": edit_user["_id"]
}})
responses = helpers.make_request_all_roles(
f'/api/v1/order/{order_data["_id"]}/log', ret_json=True)
for response in responses:
if response.role in ("data", "root"):
assert response.code == 200
assert "logs" in response.data
elif response.role == "no-login":
assert response.code == 401
assert not response.data
else:
assert response.code == 403
assert not response.data
session = requests.Session()
mdb["orders"].update_one({"_id": order_data["_id"]},
{"$push": {
"editors": edit_user["_id"]
}})
print(mdb["orders"].find_one({"_id": order_data["_id"]}))
print(edit_user)
helpers.as_user(session, USERS["edit"])
response = make_request(session,
f'/api/v1/order/{order_data["_id"]}/log',
ret_json=True)
assert response.code == 200
assert "logs" in response.data
def test_get_dataset_logs(mdb):
"""
Request the logs for multiple datasets.
Confirm that the logs contain only the intended fields.
"""
session = requests.session()
datasets = mdb["datasets"].aggregate([{"$sample": {"size": 2}}])
for dataset in datasets:
logs = list(mdb["logs"].find({
"data_type": "dataset",
"data._id": dataset["_id"]
}))
helpers.as_user(session, helpers.USERS["data"])
response = helpers.make_request(
session, f'/api/v1/dataset/{dataset["_id"]}/log', ret_json=True)
assert response.data["data_type"] == "dataset"
assert response.data["entry_id"] == str(dataset["_id"])
assert len(response.data["logs"]) == len(logs)
assert response.code == 200
def test_list_user_datasets_with_datasets(mdb):
"""
Confirm that users get the correct datasets.
Tests:
* Select a few users, confirm that the returned datasets are correct
* Confirm that the included fields are the intended ones
"""
session = requests.Session()
orders = mdb["orders"].aggregate([{
"$match": {
"datasets": {
"$not": {
"$size": 0
}
}
}
}, {
"$sample": {
"size": 2
}
}])
user_uuids = list(
itertools.chain.from_iterable(order["editors"] for order in orders))
users = mdb["users"].find({"_id": {"$in": list(user_uuids)}})
for user in users:
user_orders = list(mdb["orders"].find({"editors": user["_id"]},
{"datasets": 1}))
user_datasets = list(
itertools.chain.from_iterable(order["datasets"]
for order in user_orders))
user_datasets = [str(uuid) for uuid in user_datasets]
helpers.as_user(session, user["auth_ids"][0])
response = helpers.make_request(session, "/api/v1/dataset/user")
assert response.code == 200
assert len(user_datasets) == len(response.data["datasets"])
assert set(
entry["id"]
for entry in response.data["datasets"]) == set(user_datasets)
def test_get_user_logs(mdb):
"""
Request the logs for multiple users.
Confirm that the logs contain only the intended fields.
"""
session = requests.session()
users = mdb["users"].aggregate([{"$sample": {"size": 2}}])
for user in users:
logs = list(mdb["logs"].find({
"data_type": "user",
"data._id": user["_id"]
}))
as_user(session, USERS["users"])
response = make_request(session,
f'/api/v1/user/{user["_id"]}/log',
ret_json=True)
assert response.data["data_type"] == "user"
assert response.data["entry_id"] == str(user["_id"])
assert len(response.data["logs"]) == len(logs)
assert response.code == 200
def test_get_collection_logs(mdb):
"""
Request the logs for multiple collections.
Confirm that the logs contain only the intended fields.
"""
session = requests.session()
collections = mdb["collections"].aggregate([{"$sample": {"size": 2}}])
for collection in collections:
logs = list(mdb["logs"].find({
"data_type": "collection",
"data._id": collection["_id"]
}))
as_user(session, USERS["data"])
response = make_request(session,
f'/api/v1/collection/{collection["_id"]}/log',
ret_json=True)
assert response.data["data_type"] == "collection"
assert response.data["entry_id"] == str(collection["_id"])
assert len(response.data["logs"]) == len(logs)
assert response.code == 200
def test_get_order_permissions(mdb):
"""
Confirm that only the correct users can access order information.
Checks:
* DATA_MANAGEMENT can access any order
* DATA_EDIT can access orders where they are
* Other users cannot access data
"""
session = requests.Session()
orders = list(mdb["orders"].aggregate([{
"$match": {
"auth_ids": USER_RE
}
}, {
"$sample": {
"size": 2
}
}]))
for entry in orders:
owner = mdb["users"].find_one({"_id": entry["editors"][0]})
responses = helpers.make_request_all_roles(
f'/api/v1/entry/{entry["_id"]}', ret_json=True)
for response in responses:
if response.role in ("data", "root"):
assert response.code == 200
elif response.role == "no-login":
assert response.code == 401
assert not response.data
else:
assert response.code == 403
assert not response.data
helpers.as_user(session, owner["auth_ids"][0])
response = make_request(session, f'/api/v1/entry/{entry["_id"]}')
assert response.code == 200
def test_dataset_update_data(mdb):
"""
Confirm that the dataset is updated correctly.
Tests:
* All fields are correctly updated
* Confirm that description is escaped
* Confirm that a log entry is created
"""
session = requests.Session()
ds_id = helpers.add_dataset(helpers.add_order())
indata = {
"dataset": {
"description": "<br />",
"title": "Test title - dataset update data",
}
}
indata["dataset"].update(TEST_LABEL)
helpers.as_user(session, helpers.USERS["data"])
response = helpers.make_request(session,
f"/api/v1/dataset/{ds_id}",
method="PATCH",
data=indata)
assert response.code == 200
assert not response.data
dataset = mdb["datasets"].find_one({"_id": ds_id})
assert dataset["title"] == indata["dataset"]["title"]
assert dataset["description"] == "<br />"
assert mdb["logs"].find_one({
"data._id": ds_id,
"action": "edit",
"data_type": "dataset"
})
def test_delete_dataset_permissions(mdb):
"""
Confirm that permissions for deleting datasets are correct.
Checks:
* DATA_MANAGER can delete any dataset
* DATA_EDIT can delete dataset where they are editors (in the order)
* Other users cannot delete any dataset, even if they are editors
"""
order_id = helpers.add_order()
ds_id = helpers.add_dataset(order_id)
session = requests.Session()
for role in helpers.USERS:
helpers.as_user(session, helpers.USERS[role])
response = helpers.make_request(session,
f"/api/v1/dataset/{ds_id}",
method="DELETE",
ret_json=True)
if role in ("edit", "data", "root"):
assert response.code == 200
ds_id = helpers.add_dataset(order_id)
elif role == "no-login":
assert response.code == 401
else:
assert response.code == 403
assert not response.data
edit_user = mdb["users"].find_one({"auth_ids": helpers.USERS["edit"]})
mdb["orders"].update_one({"_id": order_id},
{"$pull": {
"editors": edit_user["_id"]
}})
helpers.as_user(session, helpers.USERS["edit"])
response = helpers.make_request(session,
f"/api/v1/dataset/{ds_id}",
method="DELETE",
ret_json=True)
assert response.code == 403
assert not response.data
base_user = mdb["users"].find_one({"auth_ids": helpers.USERS["base"]})
mdb["orders"].update_one({"_id": order_id},
{"$push": {
"editors": base_user["_id"]
}})
helpers.as_user(session, helpers.USERS["base"])
response = helpers.make_request(session,
f"/api/v1/dataset/{ds_id}",
method="DELETE",
ret_json=True)
assert response.code == 403
assert not response.data
def test_add_user(mdb):
"""Add a user."""
indata = {"user": {"email": "*****@*****.**"}}
session = requests.Session()
for role in USERS:
as_user(session, USERS[role])
response = make_request(session,
"/api/v1/user",
ret_json=True,
method="POST",
data=indata)
if role in ("users", "root", "edit"):
assert response.code == 200
assert "id" in response.data
new_user_info = mdb["users"].find_one({"_id": response.data["id"]})
assert indata["user"]["email"] == new_user_info["email"]
indata["user"]["email"] = "new_" + indata["user"]["email"]
elif role == "no-login":
assert response.code == 401
assert not response.data
else:
assert response.code == 403
assert not response.data
indata = {
"user": {
"affiliation": "Added University",
"name": "Added name",
"email": "*****@*****.**",
"permissions": ["DATA_EDIT"],
}
}
session = requests.session()
as_user(session, USERS["edit"])
response = make_request(session,
"/api/v1/user",
ret_json=True,
method="POST",
data=indata)
assert response.code == 403
as_user(session, USERS["root"])
response = make_request(session,
"/api/v1/user",
ret_json=True,
method="POST",
data=indata)
assert response.code == 200
assert "id" in response.data
new_user_info = mdb["users"].find_one({"_id": response.data["id"]})
for key in indata["user"]:
assert new_user_info[key] == indata["user"][key]
