def test_shows_logged_in_user_all_users(self):
me = UserFactory.create()
user_1 = UserFactory.create()
user_2 = UserFactory.create()
org = OrganisationFactory.create()
org.members.add(me)
org.admins.add(me)
self.client.force_authenticate(me)
response = self.client.get(f"/{VERSION}/api/users/")
assert response.status_code == status.HTTP_200_OK
expected = [
{
"id": f"{me.id}",
"name": me.username
},
{
"id": f"{user_1.id}",
"name": user_1.username
},
{
"id": f"{user_2.id}",
"name": user_2.username
},
]
assert expected == response.json()
def test_shows_logged_in_users_organisations(self):
me = UserFactory.create(
last_login=datetime.datetime(2019, 6, 3, 16, 35, 0, 0, pytz.UTC))
my_org = OrganisationFactory.create()
org_admin = UserFactory.create(
last_login=datetime.datetime(2019, 6, 3, 13, 21, 0, 0, pytz.UTC))
my_org.members.add(org_admin)
my_org.admins.add(org_admin)
AssessmentFactory.create(owner=me, organisation=my_org)
AssessmentFactory.create(owner=me, organisation=my_org)
my_org.members.add(me)
my_org.librarians.add(me)
OrganisationFactory.create(
) # make another organisation: it shouldn't show up
self.client.force_authenticate(me)
response = self.client.get(f"/{VERSION}/api/organisations/")
assert response.status_code == status.HTTP_200_OK
expected = [
OrderedDict([
("id", f"{my_org.id}"),
("name", my_org.name),
("assessments", 2),
(
"members",
[
{
"id": f"{me.id}",
"name": me.username,
"is_admin": False,
"is_librarian": True,
"last_login": me.last_login.isoformat(),
},
{
"id": f"{org_admin.id}",
"name": org_admin.username,
"is_admin": True,
"is_librarian": False,
"last_login": org_admin.last_login.isoformat(),
},
],
),
(
"permissions",
{
"can_add_remove_members": False,
"can_promote_demote_librarians": False,
},
),
("report_template", ""),
])
]
assert expected == response.data
def setUpClass(cls):
super().setUpClass()
cls.org = OrganisationFactory.create()
cls.org_admin = UserFactory.create()
cls.member = UserFactory.create()
cls.org.members.add(cls.org_admin)
cls.org.members.add(cls.member)
cls.org.admins.add(cls.org_admin)
def setUpClass(cls):
super().setUpClass()
cls.org = OrganisationFactory.create()
cls.member_1 = UserFactory.create(
last_login=datetime.datetime(2019, 6, 3, 16, 35, 0, 0, pytz.UTC))
cls.org.members.add(cls.member_1)
cls.org_admin = UserFactory.create(
last_login=datetime.datetime(2019, 6, 3, 13, 21, 0, 0, pytz.UTC))
cls.org.members.add(cls.org_admin)
cls.org.admins.add(cls.org_admin)
def test_only_returns_assessments_for_logged_in_user(self):
me = UserFactory.create()
someone_else = UserFactory.create()
self.client.force_authenticate(me)
AssessmentFactory.create(owner=me)
AssessmentFactory.create(owner=me)
AssessmentFactory.create(owner=someone_else)
response = self.client.get("/api/v1/assessments/")
assert response.status_code == status.HTTP_200_OK
assert 2 == len(response.data)
def test_shows_logged_in_users_organisations(self):
me = UserFactory.create(last_login=datetime.datetime(2019, 6, 3, 16, 35, 0, 0, pytz.UTC))
my_org = OrganisationFactory.create()
AssessmentFactory.create(owner=me, organisation=my_org)
AssessmentFactory.create(owner=me, organisation=my_org)
my_org.members.add(me)
OrganisationFactory.create() # make another organisation: it shouldn't show up
self.client.force_authenticate(me)
response = self.client.get("/api/v1/organisations/")
assert response.status_code == status.HTTP_200_OK
expected = [
OrderedDict([
("id", f"{my_org.id}"),
("name", my_org.name),
("assessments", 2),
("members", [
{
"userid": f"{me.id}",
"name": me.username,
"last_login": me.last_login.isoformat(),
}
]),
]),
]
assert expected == response.data
def test_list_libraries(self):
with freeze_time("2019-06-01T16:35:34Z"):
l1 = LibraryFactory.create(owner=self.me)
l2 = LibraryFactory.create(owner=self.me)
LibraryFactory.create(
owner=UserFactory.create()) # another library (someone else's)
self.client.force_authenticate(self.me)
response = self.client.get(f"/{VERSION}/api/libraries/")
assert response.status_code == status.HTTP_200_OK
assert 2 == len(response.data)
assert {
"id": "{}".format(l1.pk),
"created_at": "2019-06-01T16:35:34Z",
"updated_at": "2019-06-01T16:35:34Z",
"name": l1.name,
"type": l1.type,
"writeable": True,
"data": l1.data,
} == response.data[0]
assert {
"id": "{}".format(l2.pk),
"created_at": "2019-06-01T16:35:34Z",
"updated_at": "2019-06-01T16:35:34Z",
"name": l2.name,
"type": l2.type,
"writeable": True,
"data": l2.data,
} == response.data[1]
def setUpClass(cls):
super().setUpClass()
cls.org_admin = UserFactory.create()
cls.normal_member = UserFactory.create()
cls.non_member = UserFactory.create()
cls.librarian = UserFactory.create()
cls.org = OrganisationFactory.create()
cls.org.members.add(cls.org_admin)
cls.org.members.add(cls.normal_member)
cls.org.members.add(cls.librarian)
cls.org.admins.add(cls.org_admin)
cls.org.librarians.add(cls.librarian)
def test_returns_assessments_with_expected_result_structure(self):
user = UserFactory.create()
self.client.force_authenticate(user)
with freeze_time("2019-06-01T16:35:34Z"):
a1 = AssessmentFactory.create(
name="test assessment 1",
description="test description",
data={"foo": "bar"},
openbem_version="10.1.1",
owner=user,
)
response = self.client.get("/api/v1/assessments/")
expected_structure = {
"id": "{}".format(a1.pk),
"created_at": "2019-06-01T16:35:34Z",
"updated_at": "2019-06-01T16:35:34Z",
"mdate": "1559406934",
"status": "In progress",
"openbem_version": "10.1.1",
"name": "test assessment 1",
"description": "test description",
"author": user.username,
"userid": f"{user.id}",
}
assert expected_structure == response.data.pop()
def test_user_who_is_superuser_can_delete_item_in_global_library(self):
library = self.create_library(owner_organisation=None, owner_user=None)
self.client.force_authenticate(UserFactory.create(is_superuser=True))
response = self._call_endpoint(library)
assert status.HTTP_204_NO_CONTENT == response.status_code
def test_returns_organisation_assessments(self):
user = UserFactory.create()
organisation = OrganisationFactory.create()
organisation.members.add(user)
self.client.force_authenticate(user)
with freeze_time("2019-06-01T16:35:34Z"):
a1 = AssessmentFactory.create(
name="test assessment 1",
description="test description",
data={"foo": "bar"},
owner=user,
organisation=organisation,
)
response = self.client.get(f"/{VERSION}/api/assessments/")
expected_structure = {
"id": "{}".format(a1.pk),
"created_at": "2019-06-01T16:35:34Z",
"updated_at": "2019-06-01T16:35:34Z",
"mdate": "1559406934",
"status": "In progress",
"name": "test assessment 1",
"description": "test description",
"author": user.username,
"userid": f"{user.id}",
"organisation": {
"id": organisation.pk,
"name": organisation.name
},
}
assert expected_structure == response.data.pop()
def test_clean_username(self):
# A user with proto_user params does not exist yet.
proto_user = UserFactory.build()
form = UserCreationForm({
"username": proto_user.username,
"password1": proto_user._password,
"password2": proto_user._password,
})
assert form.is_valid()
assert form.clean_username() == proto_user.username
# Creating a user.
form.save()
# The user with proto_user params already exists,
# hence cannot be created.
form = UserCreationForm({
"username": proto_user.username,
"password1": proto_user._password,
"password2": proto_user._password,
})
assert not form.is_valid()
assert len(form.errors) == 1
assert "username" in form.errors
def test_returns_forbidden_if_listing_for_organisation_not_a_member_of(self):
someone_else = UserFactory.create()
self.client.force_authenticate(someone_else)
response = self.client.get(f"/api/v1/organisations/{self.organisation.pk}/assessments/")
assert status.HTTP_403_FORBIDDEN == response.status_code
assert {"detail": "You are not a member of the Organisation."} == response.json()
def test_an_organisation_admin_can_list_all_users(self):
me = UserFactory.create()
org = OrganisationFactory.create()
org.members.add(me)
org.admins.add(me)
self.client.force_authenticate(me)
response = self.client.get(f"/{VERSION}/api/users/")
assert response.status_code == status.HTTP_200_OK
def test_user_who_isnt_an_organisation_admin_cannot_list_users(self):
self.client.force_authenticate(UserFactory.create())
response = self.client.get(f"/{VERSION}/api/users/")
self._assert_error(
response,
status.HTTP_403_FORBIDDEN,
"You are not an admin of an organisation.",
)
def test_user_who_isnt_owner_and_isnt_organisation_member_cannot_access(self):
assessment = AssessmentFactory.create()
non_owner = UserFactory.create()
self.client.force_authenticate(non_owner)
response = self._call_endpoint(assessment)
self._assert_error(response, status.HTTP_404_NOT_FOUND, "Not found.")
def test_librarian_of_organisation_can_create_a_library_in_organisation(self):
person = UserFactory.create()
organisation = OrganisationFactory.create()
organisation.members.add(person)
organisation.librarians.add(person)
self.client.force_authenticate(person)
response = self._call_endpoint(organisation)
assert status.HTTP_201_CREATED == response.status_code
def test_user_who_isnt_owner_cannot_delete_library_item(self):
non_owner = UserFactory.create()
self.client.force_authenticate(non_owner)
response = self._call_endpoint(self.create_library())
self._assert_error(
response,
status.HTTP_404_NOT_FOUND,
"Not found.",
)
def test_user_who_isnt_member_cannot_delete_a_library_item_in_organisation(
self):
org_with_no_members = OrganisationFactory.create()
library = self.create_library(owner_organisation=org_with_no_members,
owner_user=None)
person = UserFactory.create()
self.client.force_authenticate(person)
response = self._call_endpoint(library)
self._assert_error(response, status.HTTP_404_NOT_FOUND, "Not found.")
def test_returns_not_found_if_not_owner(self):
someone_else = UserFactory.create()
someone_else.set_password("foo")
someone_else.save()
someone_elses_assessment = AssessmentFactory.create(owner=someone_else)
self.client.login(username=self.me.username, password="******")
not_my_assessment_url = f"/assessments/{someone_elses_assessment.pk}/"
response = self.client.get(not_my_assessment_url)
assert status.HTTP_404_NOT_FOUND == response.status_code
def test_if_last_login_is_none_shows_never(self):
me = UserFactory.create(last_login=None)
my_org = OrganisationFactory.create()
my_org.members.add(me)
self.client.force_authenticate(me)
response = self.client.get(f"/{VERSION}/api/organisations/")
assert response.status_code == status.HTTP_200_OK
assert "never" == response.data[0]["members"][0]["last_login"]
def setUpClass(cls):
super().setUpClass()
cls.my_org = OrganisationFactory.create()
cls.other_org = OrganisationFactory.create()
cls.org_admin = UserFactory.create()
cls.my_org.members.add(cls.org_admin)
cls.my_org.admins.add(cls.org_admin)
cls.library = LibraryFactory.create(owner_organisation=cls.my_org, owner_user=None)
def test_not_my_assessment(self):
someone_else = UserFactory.create()
a = factories.AssessmentFactory.create(owner=someone_else)
i1 = factories.ImageFactory.create(assessment=a)
self.client.force_authenticate(self.me)
response = self.client.delete(f"/{VERSION}/api/images/{i1.pk}/")
assert response.status_code == status.HTTP_403_FORBIDDEN
def test_user_who_isnt_member_cannot_create_a_library_in_organisation(self):
person = UserFactory.create()
org_with_no_members = OrganisationFactory.create()
self.client.force_authenticate(person)
response = self._call_endpoint(org_with_no_members)
self._assert_error(
response,
status.HTTP_403_FORBIDDEN,
"You are not a librarian of the Organisation.",
)
def test_user_who_isnt_owner_and_isnt_organisation_member_cannot_access(
self):
assessment = AssessmentFactory.create()
non_owner = UserFactory.create()
self.client.force_authenticate(non_owner)
self.call_endpoint_and_assert(
assessment, False,
"You do not have permission to perform this action.")
def test_organisation_member_who_isnt_owner_can_access(self):
organisation = OrganisationFactory.create()
assessment = AssessmentFactory.create(organisation=organisation)
org_member = UserFactory.create()
organisation.members.add(org_member)
self.client.force_authenticate(org_member)
response = self._call_endpoint(assessment)
self._assert_success(response)
def test_returns_404_if_user_is_not_owner(self):
other_user = UserFactory.create()
assessment_count = Assessment.objects.count()
self.client.force_authenticate(other_user)
response = self.client.post(
f"/{VERSION}/api/assessments/{self.assessment.pk}/duplicate/")
assert status.HTTP_404_NOT_FOUND == response.status_code
assert assessment_count == Assessment.objects.count()
assert self.assessment.data == Assessment.objects.last().data
def test_org_member_who_is_not_an_org_admin_cannot_list_library_shares(self):
normal_member = UserFactory.create()
self.my_org.members.add(normal_member)
self.client.force_authenticate(normal_member)
response = self._call_endpoint(self.my_org, self.shared_library)
self._assert_error(
response,
status.HTTP_403_FORBIDDEN,
"You are not an admin of the Organisation.",
)
def setUpClass(cls):
cls.me = UserFactory.create()
with freeze_time("2019-06-01T16:35:34Z"):
cls.assessment = AssessmentFactory.create(
owner=cls.me,
name="test name",
description="test description",
data={"foo": "bar"},
status="In progress",
)
super().setUpClass()
def test_user_who_isnt_superuser_cannot_delete_item_in_global_library(
self):
library = self.create_library(owner_organisation=None, owner_user=None)
self.client.force_authenticate(UserFactory.create(is_superuser=False))
response = self._call_endpoint(library)
self._assert_error(
response,
status.HTTP_403_FORBIDDEN,
"You do not have permission to perform this action.",
)
