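def test_api_permissions_admin_user(admin_user):
    """Walk every ``PermissionLevel`` of the user endpoint as an authenticated admin.

    Policy pinned here: the admin can list and delete users at every level
    (including the READ-only and AUTHENTICATED-only ones — admin overrides
    them), except DISABLED, which must reject even admins.  DISABLED answers
    403 rather than 401 because the client *is* authenticated.

    Two fixes over the earlier version of this test:

    * The listing check compares the full set of ids instead of walking the
      response index-wise, so an empty or truncated listing can no longer
      pass vacuously.
    * The pool now holds one factory user per deleting level.  Previously the
      ADMIN level ran out of factory users and deleted ``admin_user`` itself,
      while the closing ``count() == 1`` line was a bare expression that was
      never asserted, so nothing noticed.  The end state is now asserted
      against the database, not just against 204 status codes.
    """
    users = [admin_user] + [UserFactory() for _ in range(5)]
    get_default_shop()
    client = _get_client(admin_user)
    permission_key = make_permission_config_key(UserViewSet())
    user_model = get_user_model()
    deleted_ids = []

    def assert_listing_matches_pool():
        response = client.get("/api/test/user/")
        assert response.status_code == status.HTTP_200_OK
        payload = json.loads(response.content.decode("utf-8"))
        # Set equality on ids: catches both missing and unexpected entries.
        assert sorted(u["id"] for u in payload) == sorted(u.id for u in users)

    def delete_last_user():
        # Always a factory user: admin_user sits at index 0 and is never popped.
        victim = users[-1]
        assert victim is not admin_user
        assert client.delete("/api/test/user/%d/" % victim.id).status_code == status.HTTP_204_NO_CONTENT
        users.pop()
        deleted_ids.append(victim.id)

    # DISABLED: nobody gets in, admin included.
    config.set(None, permission_key, PermissionLevel.DISABLED)
    assert client.get("/api/test/user/").status_code == status.HTTP_403_FORBIDDEN
    assert client.post("/api/test/user/", {"email": "*****@*****.**"}).status_code == status.HTTP_403_FORBIDDEN

    # Levels where the listing is inspected in full and a delete must succeed.
    for level in (PermissionLevel.PUBLIC_WRITE, PermissionLevel.PUBLIC_READ, PermissionLevel.AUTHENTICATED_READ):
        config.set(None, permission_key, level)
        assert_listing_matches_pool()
        delete_last_user()

    # Levels where only the status of GET is checked before deleting.
    for level in (PermissionLevel.AUTHENTICATED_WRITE, PermissionLevel.ADMIN):
        config.set(None, permission_key, level)
        assert client.get("/api/test/user/").status_code == status.HTTP_200_OK
        delete_last_user()

    # Five factory users went away; the admin must survive and the deleted
    # rows must really be gone (a 204 alone does not prove that).
    assert users == [admin_user]
    assert len(deleted_ids) == 5
    assert user_model.objects.filter(pk=admin_user.pk).exists()
    assert not user_model.objects.filter(pk__in=deleted_ids).exists()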
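def test_api_permissions_anonymous():
    """Walk every ``PermissionLevel`` of the user endpoint as an unauthenticated client.

    Policy pinned here: only the two PUBLIC_* levels serve anonymous reads,
    only PUBLIC_WRITE accepts anonymous unsafe methods, and everything else
    answers 401.  Note what PUBLIC_WRITE means for this endpoint: an
    anonymous caller can delete user accounts — the test asserts that
    deliberately, so nobody flips the setting without knowing.

    Beyond status codes the test checks the database, so that a 401 really
    means "no side effect" and a 204 really means "row removed".  The listing
    check compares the full set of ids; the earlier index-wise loop passed
    vacuously on an empty response.
    """
    users = [UserFactory(), UserFactory(), UserFactory(), UserFactory()]
    get_default_shop()
    client = _get_client()
    permission_key = make_permission_config_key(UserViewSet())
    user_model = get_user_model()

    def fetch_listing():
        response = client.get("/api/test/user/")
        assert response.status_code == status.HTTP_200_OK
        payload = json.loads(response.content.decode("utf-8"))
        # Set equality on ids: catches both missing and unexpected entries.
        assert sorted(u["id"] for u in payload) == sorted(u.id for u in users)
        return payload

    def try_delete_last(expected_status):
        victim = users[-1]
        assert client.delete("/api/test/user/%d/" % victim.id).status_code == expected_status
        if expected_status == status.HTTP_204_NO_CONTENT:
            users.pop()
            assert not user_model.objects.filter(pk=victim.id).exists()
        else:
            # A rejected request must leave the row untouched.
            assert user_model.objects.filter(pk=victim.id).exists()

    # DISABLED: anonymous gets 401 for both safe and unsafe methods.
    config.set(None, permission_key, PermissionLevel.DISABLED)
    assert client.get("/api/test/user/").status_code == status.HTTP_401_UNAUTHORIZED
    assert client.post("/api/test/user/", {"email": "*****@*****.**"}).status_code == status.HTTP_401_UNAUTHORIZED

    # PUBLIC_WRITE: anonymous can read and delete.
    config.set(None, permission_key, PermissionLevel.PUBLIC_WRITE)
    fetch_listing()
    try_delete_last(status.HTTP_204_NO_CONTENT)

    # PUBLIC_READ: anonymous can read, but DELETE is not a safe method.
    config.set(None, permission_key, PermissionLevel.PUBLIC_READ)
    listing = fetch_listing()
    try_delete_last(status.HTTP_401_UNAUTHORIZED)

    # AUTHENTICATED_*: anonymous gets nothing at all.
    for level in (PermissionLevel.AUTHENTICATED_READ, PermissionLevel.AUTHENTICATED_WRITE):
        config.set(None, permission_key, level)
        assert client.get("/api/test/user/").status_code == status.HTTP_401_UNAUTHORIZED
        try_delete_last(status.HTTP_401_UNAUTHORIZED)

    # ADMIN: not a chance, for reads or for a PUT echoing back a real record.
    config.set(None, permission_key, PermissionLevel.ADMIN)
    assert client.get("/api/test/user/").status_code == status.HTTP_401_UNAUTHORIZED
    # The test client cannot encode None values, so strip them before posting.
    put_payload = {k: v for k, v in listing[0].items() if v is not None}
    assert client.put("/api/test/user/", put_payload).status_code == status.HTTP_401_UNAUTHORIZED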
def test_admin(rf):
    """Smoke-test ``APIPermissionView``: GET renders, POST persists the chosen level.

    The permission key for ``UserViewSet`` starts out unset; a POST of
    ``PermissionLevel.ADMIN`` must redirect (302) and leave that level stored
    in the configuration.

    NOTE(review): the request carries whatever user ``apply_request_middleware``
    attaches to a bare ``rf`` request; whether a non-admin POST to this view
    is rejected is not covered here — confirm it is tested elsewhere.
    """
    get_default_shop()
    view = APIPermissionView.as_view()

    # Rendering the form must work before any setting exists.
    get_request = apply_request_middleware(rf.get("/"))
    assert view(get_request).status_code == 200

    key = make_permission_config_key(UserViewSet())
    assert configuration.get(None, key) is None

    # Submit the form and confirm the level round-trips through the config store.
    post_request = apply_request_middleware(rf.post("/", {key: PermissionLevel.ADMIN}))
    assert view(post_request).status_code == 302
    assert int(configuration.get(None, key)) == PermissionLevel.ADMIN