def test_get_serializer_class__staff_user_allow_to_modify_all_fields(self):
assessment = AssessmentFactory(status=STATUS.new,
start_date=Day().date,
end_date=Day().date)
self.client.force_authenticate(self.staff_user)
user, decision_by = UserFactory(), UserFactory()
data = {
'user': {
'id': user.id
},
'decision_by': {
'id': decision_by.id
},
'status': STATUS.completed,
'start_date': Day(ago=15).date,
'end_date': Day(ago=10).date,
'plan': self.fake.text(),
'comments': self.fake.text(),
'notes': self.fake.text(),
}
response = self.client.patch(self.get_detail_url(assessment.id),
data=data)
assessment.refresh_from_db()
assert assessment.user.id == data['user']['id']
assert assessment.decision_by.id == data['decision_by']['id']
assert response.data['user']['id'] == data['user']['id']
assert response.data['decision_by']['id'] == data['decision_by']['id']
data.pop('user'), data.pop('decision_by')
for field in data.keys():
assert response.data[field] == (format(data[field]) if isinstance(
data[field], date) else data[field])
assert getattr(assessment, field) == data[field]
def test_get_serializer_class_non_staff_user_allow_to_modify_non_read_only_fields(
self):
assessment = AssessmentFactory(user=self.simple_user,
start_date=Day().date,
end_date=Day().date)
self.client.force_authenticate(self.simple_user)
user, decision_by = UserFactory(), UserFactory()
data = {
'user': {
'id': user.id
},
'decision_by': {
'id': decision_by.id
},
'status': STATUS.completed,
'start_date': Day(ago=15).date,
'end_date': Day(ago=10).date,
'plan': self.fake.text(),
'comments': self.fake.text(),
'notes': self.fake.text(),
}
response = self.client.patch(self.get_detail_url(assessment.id),
data=data)
assert response.status_code == HTTP_403_FORBIDDEN
assessment.refresh_from_db()
assert assessment.user.id != data['user']['id']
assert assessment.decision_by.id != data['decision_by']['id']
data.pop('user'), data.pop('decision_by')
for field in data.keys():
assert getattr(assessment, field) != data[field]
def test__read_only_fields(self):
absence = AbsenceFactory(status=STATUS.new,
reason=REASON.illness,
start_date=Day().date,
end_date=Day().date)
user, decision_by = UserFactory(), UserFactory()
data = {
'user': {
'id': user.id
},
'decision_by': {
'id': decision_by.id
},
'status': STATUS.verifying,
'reason': REASON.other,
'start_date': Day(ago=5).date,
'end_date': Day(ago=4).date,
'notes': 'Test notes',
}
serializer = AbsenceSerializer(absence, data=data)
assert serializer.is_valid()
absence = serializer.save()
assert absence.user.id == data['user']['id']
assert absence.decision_by.id != data['decision_by']['id']
data.pop('user'), data.pop('decision_by'), data.pop('notes')
for field in data.keys():
assert getattr(absence, field) == data[field]
def test_permission_classes__staff_allow_to_use_any_rest_method(self):
self.client.force_authenticate(self.staff_user)
# POST
assert Event.objects.count() == 0
data = {
'title': self.fake.text(),
'description': self.fake.text(),
'start_date': Day(ago=40).date,
'end_date': Day(ago=35).date,
'active': self.fake.boolean()
}
response = self.client.post(self.get_list_url(), data=data)
assert response.status_code == HTTP_201_CREATED
assert response.data['title'] == data['title']
assert Event.objects.count() == 1
event = Event.objects.first()
self.assert_fields(event, data, self.staff_user)
# GET(id)
response = self.client.get(self.get_detail_url(response.data['id']))
assert response.status_code == HTTP_200_OK
serializer = StaffEventSerializer(event)
assert response.data == serializer.data
# PATCH
data = {'title': self.fake.text()}
response = self.client.patch(self.get_detail_url(response.data['id']),
data=data)
event.refresh_from_db()
assert response.status_code == HTTP_200_OK
assert response.data['title'] == data['title']
assert event.title == data['title']
# PUT
data = {**response.data, **{'title': self.fake.text()}}
response = self.client.put(self.get_detail_url(response.data['id']),
data=data)
event.refresh_from_db()
assert response.status_code == HTTP_200_OK
assert response.data['title'] == data['title']
assert event.title == data['title']
# DELETE
response = self.client.delete(self.get_detail_url(response.data['id']))
assert response.status_code == HTTP_204_NO_CONTENT
assert Event.objects.count() == 0
# GET(all)
[EventFactory() for _ in range(3)]
events = Event.objects.all()
response = self.client.get(self.get_list_url())
assert response.status_code == HTTP_200_OK
assert len(response.data['results']) == 3
serializer = StaffEventSerializer(events, many=True)
assert response.data['results'] == serializer.data
assert set(entity['id'] for entity in response.data['results']) == set(
entity.id for entity in events)
def test_permission_classes__non_staff_allow_to_use_subset_of_rest_api_methods(
self):
self.client.force_authenticate(self.simple_user)
event = EventFactory(active=True)
event.refresh_from_db()
# POST
assert Event.objects.count() == 1
data = {
'title': self.fake.text(),
'description': self.fake.text(),
'start_date': Day(ago=40).date,
'end_date': Day(ago=35).date,
'active': self.fake.boolean()
}
response = self.client.post(self.get_list_url(), data=data)
assert response.status_code == HTTP_403_FORBIDDEN
assert Event.objects.count() == 1
# GET(id)
response = self.client.get(self.get_detail_url(event.id))
assert response.status_code == HTTP_200_OK
serializer = EventSerializer(event)
assert response.data == serializer.data
# PATCH
data = {'title': self.fake.text()}
response = self.client.patch(self.get_detail_url(event.id), data=data)
event.refresh_from_db()
assert response.status_code == HTTP_403_FORBIDDEN
assert event.title != data['title']
# PUT
data = {**response.data, **{'title': self.fake.text()}}
response = self.client.put(self.get_detail_url(event.id), data=data)
event.refresh_from_db()
assert response.status_code == HTTP_403_FORBIDDEN
assert event.title != data['title']
# DELETE
response = self.client.delete(self.get_detail_url(event.id))
assert response.status_code == HTTP_403_FORBIDDEN
assert Event.objects.count() == 1
# GET(all)
[EventFactory(active=active) for active in [True, False, True]]
events = Event.objects.filter(active=True)
response = self.client.get(self.get_list_url())
assert response.status_code == HTTP_200_OK
assert len(response.data['results']) == 3
serializer = EventSerializer(events, many=True)
assert response.data['results'] == serializer.data
assert set(entity['id'] for entity in response.data['results']) == set(
entity.id for entity in events)
def test_permission_classes__staff_allow_to_use_any_rest_method(self):
self.client.force_authenticate(self.staff_user)
# POST
assert Absence.objects.count() == 0
data = {
'user': {'id': self.staff_user.id, 'email': self.staff_user.email},
'reason': REASON.illness,
'start_date': Day(ago=40).date,
'end_date': Day(ago=35).date,
}
response = self.client.post(self.get_list_url(), data=data)
assert response.status_code == HTTP_201_CREATED
assert Absence.objects.count() == 1
absence = Absence.objects.first()
self.assert_fields(absence, data, self.staff_user)
# GET(id)
response = self.client.get(self.get_detail_url(response.data['id']))
assert response.status_code == HTTP_200_OK
assert response.data['reason'] == data['reason']
serializer = StaffAbsenceSerializer(absence)
assert response.data == serializer.data
# PATCH
data = {'reason': REASON.other}
response = self.client.patch(self.get_detail_url(response.data['id']), data=data)
absence.refresh_from_db()
assert response.status_code == HTTP_200_OK
assert response.data['reason'] == data['reason']
assert absence.reason == data['reason']
# PUT
data = {**response.data, **{'reason': REASON.illness}}
response = self.client.put(self.get_detail_url(response.data['id']), data=data)
absence.refresh_from_db()
assert response.status_code == HTTP_200_OK
assert response.data['reason'] == data['reason']
assert absence.reason == data['reason']
# DELETE
response = self.client.delete(self.get_detail_url(response.data['id']))
assert response.status_code == HTTP_204_NO_CONTENT
assert Absence.objects.count() == 0
# GET(all)
[AbsenceFactory(user=user) for user in [self.staff_user] + [self.simple_user] * 2]
absences = Absence.objects.all()
response = self.client.get(self.get_list_url())
assert response.status_code == HTTP_200_OK
assert len(response.data['results']) == 3
serializer = StaffAbsenceSerializer(absences, many=True)
assert response.data['results'] == serializer.data
assert set(absence['id'] for absence in response.data['results']) == set(absence.id for absence in absences)
def test_permission_classes__non_staff_allow_to_use_subset_of_rest_api_methods(self):
self.client.force_authenticate(self.simple_user)
# POST
assert Absence.objects.count() == 0
data = {
'user': {'id': self.simple_user.id, 'email': self.simple_user.email},
'status': STATUS.new,
'reason': REASON.illness,
'start_date': Day(ago=40).date,
'end_date': Day(ago=35).date,
}
response = self.client.post(self.get_list_url(), data=data)
assert response.status_code == HTTP_201_CREATED
assert response.data['status'] == data['status']
assert Absence.objects.count() == 1
absence = Absence.objects.first()
self.assert_fields(absence, data, self.simple_user)
# GET(id)
response = self.client.get(self.get_detail_url(response.data['id']))
assert response.status_code == HTTP_200_OK
serializer = AbsenceSerializer(absence)
assert response.data == serializer.data
# PATCH
data = {'reason': REASON.other}
response = self.client.patch(self.get_detail_url(response.data['id']), data=data)
absence.refresh_from_db()
assert response.status_code == HTTP_200_OK
assert response.data['reason'] == data['reason']
assert absence.reason == data['reason']
# PUT
data = {**response.data, **{'reason': REASON.illness}}
response = self.client.put(self.get_detail_url(response.data['id']), data=data)
absence.refresh_from_db()
assert response.status_code == HTTP_403_FORBIDDEN
assert absence.reason != data['reason']
# DELETE
response = self.client.delete(self.get_detail_url(absence.id))
assert response.status_code == HTTP_403_FORBIDDEN
assert Absence.objects.count() == 1
# GET(all)
[AbsenceFactory(user=user) for user in [self.staff_user, self.simple_user]]
absences = Absence.objects.filter(user=self.simple_user)
response = self.client.get(self.get_list_url())
assert response.status_code == HTTP_200_OK
assert len(response.data['results']) == 2
serializer = AbsenceSerializer(absences, many=True)
assert response.data['results'] == serializer.data
assert set(entity['id'] for entity in response.data['results']) == set(entity.id for entity in absences)
def test_get_serializer_class__staff_user_allow_to_modify_all_fields(self):
event = EventFactory()
self.client.force_authenticate(self.staff_user)
data = {
'title': self.fake.text(),
'description': self.fake.text(),
'start_date': Day(ago=40).date,
'end_date': Day(ago=35).date,
'active': self.fake.boolean()
}
response = self.client.patch(self.get_detail_url(event.id), data=data)
event.refresh_from_db()
for field in data.keys():
assert response.data[field] == (format(data[field]) if isinstance(
data[field], date) else data[field])
assert getattr(event, field) == data[field]
def test__read_only_fields(self):
event = EventFactory(start_date=Day().date, end_date=Day().date, notify=True, active=True)
data = {
'title': 'Test',
'description': 'Test',
'start_date': Day(ago=5).date,
'end_date': Day(ago=5).date,
'notify': False,
'to': '*****@*****.**',
'active': False,
}
serializer = EventSerializer(event, data=data)
assert serializer.is_valid()
event = serializer.save()
for field in data.keys():
assert getattr(event, field) != data[field]
def test_permission_classes__non_staff_allows_to_access_only_his_data(
self):
self.client.force_authenticate(self.simple_user)
assessment = AssessmentFactory(user=self.staff_user)
# POST
assert Assessment.objects.count() == 1
data = {
'user': {
'id': self.staff_user.id,
'email': self.staff_user.email
},
'status': STATUS.new,
'start_date': Day(ago=40).date,
'end_date': Day(ago=35).date,
}
response = self.client.post(self.get_list_url(), data=data)
assert response.status_code == HTTP_403_FORBIDDEN
assert Assessment.objects.count() == 1
# GET(id)
response = self.client.get(self.get_detail_url(assessment.id))
assert response.status_code == HTTP_404_NOT_FOUND
# PATCH
data = {'status': STATUS.in_progress}
response = self.client.patch(self.get_detail_url(assessment.id),
data=data)
assert response.status_code == HTTP_403_FORBIDDEN
# DELETE
response = self.client.delete(self.get_detail_url(assessment.id))
assert response.status_code == HTTP_403_FORBIDDEN
# GET(all)
[
AssessmentFactory(user=user)
for user in [self.simple_user] * 2 + [self.staff_user]
]
assessments = Assessment.objects.filter(user=self.simple_user)
response = self.client.get(self.get_list_url())
assert response.status_code == HTTP_200_OK
assert len(response.data['results']) == 2
assert Assessment.objects.count() == 4
serializer = StaffAssessmentSerializer(assessments, many=True)
assert response.data['results'] == serializer.data
def test__read_only_fields(self):
assessment = AssessmentFactory(status=STATUS.new, start_date=Day().date, end_date=Day().date)
user, decision_by = UserFactory(), UserFactory()
data = {
'user': {'id': user.id},
'decision_by': {'id': decision_by.id},
'status': STATUS.in_progress,
'start_date': Day(ago=5).date,
'end_date': Day(ago=5).date,
'plan': 'Test plan',
'comments': 'Test comments',
'notes': 'Test notes',
}
serializer = AssessmentSerializer(assessment, data=data)
assert serializer.is_valid()
assessment = serializer.save()
assert assessment.user.id != data['user']['id']
assert assessment.decision_by.id != data['user']['id']
data.pop('user'), data.pop('decision_by')
for field in data.keys():
assert getattr(assessment, field) != data[field]
def test_permission_classes__non_staff_allows_to_access_and_modify_only_his_data(self):
self.client.force_authenticate(self.simple_user)
absence = AbsenceFactory(user=self.staff_user)
# POST
assert Absence.objects.count() == 1
data = {
'user': {'id': self.staff_user.id, 'email': self.staff_user.email},
'reason': REASON.illness,
'start_date': Day(ago=40).date,
'end_date': Day(ago=35).date,
}
response = self.client.post(self.get_list_url(), data=data)
assert response.status_code == HTTP_403_FORBIDDEN
assert Absence.objects.count() == 1
# GET(id)
response = self.client.get(self.get_detail_url(absence.id))
assert response.status_code == HTTP_404_NOT_FOUND
# PATCH
data = {'reason': REASON.other}
response = self.client.patch(self.get_detail_url(absence.id), data=data)
assert response.status_code == HTTP_404_NOT_FOUND
# DELETE
response = self.client.delete(self.get_detail_url(absence.id))
assert response.status_code == HTTP_403_FORBIDDEN
# GET(all)
[AbsenceFactory(user=user) for user in [self.simple_user] * 2 + [self.staff_user]]
absences = Absence.objects.filter(user=self.simple_user)
response = self.client.get(self.get_list_url())
assert response.status_code == HTTP_200_OK
assert len(response.data['results']) == 2
assert Absence.objects.count() == 4
serializer = StaffAbsenceSerializer(absences, many=True)
assert response.data['results'] == serializer.data
def test_get_serializer_class__staff_user_allow_to_modify_all_fields(self):
absence = AbsenceFactory(status=STATUS.new, reason=REASON.illness, start_date=Day().date, end_date=Day().date)
self.client.force_authenticate(self.staff_user)
user, decision_by = UserFactory(), UserFactory()
data = {
'user': {'id': user.id},
'decision_by': {'id': decision_by.id},
'status': STATUS.verifying,
'reason': REASON.other,
'start_date': Day(ago=5).date,
'end_date': Day(ago=4).date,
'notes': self.fake.text(),
}
response = self.client.patch(self.get_detail_url(absence.id), data=data)
absence.refresh_from_db()
assert absence.user.id == data['user']['id']
assert absence.decision_by.id == data['decision_by']['id']
assert response.data['user']['id'] == data['user']['id']
assert response.data['decision_by']['id'] == data['decision_by']['id']
data.pop('user'), data.pop('decision_by')
for field in data.keys():
assert response.data[field] == (format(data[field]) if isinstance(data[field], date) else data[field])
assert getattr(absence, field) == data[field]
def test_get_serializer_class_non_staff_user_allow_to_modify_non_read_only_fields(self):
data = {
'user': self.simple_user,
'status': STATUS.new,
'reason': REASON.illness,
'start_date': Day().date,
'end_date': Day().date,
}
absence = AbsenceFactory(**data)
self.client.force_authenticate(self.simple_user)
user, decision_by = UserFactory(), UserFactory()
data = {
'user': {'id': user.id},
'decision_by': {'id': decision_by.id},
'status': STATUS.verifying,
'reason': REASON.other,
'start_date': Day(ago=5).date,
'end_date': Day(ago=4).date,
'notes': self.fake.text(),
}
response = self.client.patch(self.get_detail_url(absence.id), data=data)
assert response.status_code == HTTP_403_FORBIDDEN
absence.refresh_from_db()
assert absence.user.id != data['user']['id']
assert absence.decision_by.id != data['decision_by']['id']
data.pop('user'), data.pop('decision_by')
for field in data.keys():
assert getattr(absence, field) != data[field]
data = {
'status': STATUS.verifying,
'reason': REASON.other,
'start_date': Day(ago=5).date,
'end_date': Day(ago=4).date,
}
response = self.client.patch(self.get_detail_url(absence.id), data=data)
assert response.status_code == HTTP_200_OK
absence.refresh_from_db()
for field in data.keys():
assert getattr(absence, field) == data[field]
def test_permission_classes__staff_allow_to_use_any_rest_method(self):
self.client.force_authenticate(self.staff_user)
# POST
assert Assessment.objects.count() == 0
data = {
'user': {
'id': self.staff_user.id,
'email': self.staff_user.email
},
'status': STATUS.in_progress,
'start_date': Day(ago=40).date,
'end_date': Day(ago=35).date,
}
response = self.client.post(self.get_list_url(), data=data)
assert response.status_code == HTTP_201_CREATED
assert response.data['status'] == data['status']
assert Assessment.objects.count() == 1
assessment = Assessment.objects.first()
self.assert_fields(assessment, data, self.staff_user)
# GET(id)
response = self.client.get(self.get_detail_url(response.data['id']))
assert response.status_code == HTTP_200_OK
serializer = StaffAssessmentSerializer(assessment)
assert response.data == serializer.data
# PATCH
data = {'status': STATUS.completed}
response = self.client.patch(self.get_detail_url(response.data['id']),
data=data)
assessment.refresh_from_db()
assert response.status_code == HTTP_200_OK
assert response.data['status'] == data['status']
assert assessment.status == data['status']
# PUT
data = {**response.data, **{'status': STATUS.completed}}
response = self.client.put(self.get_detail_url(response.data['id']),
data=data)
assessment.refresh_from_db()
assert response.status_code == HTTP_200_OK
assert response.data['status'] == data['status']
assert assessment.status == data['status']
# DELETE
response = self.client.delete(self.get_detail_url(response.data['id']))
assert response.status_code == HTTP_204_NO_CONTENT
assert Assessment.objects.count() == 0
# GET(all)
[
AssessmentFactory(user=user)
for user in [self.staff_user] + [self.simple_user] * 2
]
assessments = Assessment.objects.all()
response = self.client.get(self.get_list_url())
assert response.status_code == HTTP_200_OK
assert len(response.data['results']) == 3
serializer = StaffAssessmentSerializer(assessments, many=True)
assert response.data['results'] == serializer.data
assert set(entity['id'] for entity in response.data['results']) == set(
entity.id for entity in assessments)
def test_permission_classes__non_staff_allow_to_use_subset_of_rest_api_methods(
self):
self.client.force_authenticate(self.simple_user)
assessment = AssessmentFactory(user=self.simple_user)
assessment.refresh_from_db()
# POST
assert Assessment.objects.count() == 1
data = {
'user': {
'id': self.simple_user.id,
'email': self.simple_user.email
},
'status': STATUS.new,
'start_date': Day(ago=40).date,
'end_date': Day(ago=35).date,
}
response = self.client.post(self.get_list_url(), data=data)
assert response.status_code == HTTP_403_FORBIDDEN
assert Assessment.objects.count() == 1
# GET(id)
response = self.client.get(self.get_detail_url(assessment.id))
assert response.status_code == HTTP_200_OK
serializer = AssessmentSerializer(assessment)
assert response.data == serializer.data
# PATCH
data = {'status': STATUS.in_progress}
response = self.client.patch(self.get_detail_url(assessment.id),
data=data)
assessment.refresh_from_db()
assert response.status_code == HTTP_403_FORBIDDEN
assert assessment.status != data['status']
# PUT
data = {**response.data, **{'status': STATUS.failed}}
response = self.client.put(self.get_detail_url(assessment.id),
data=data)
assessment.refresh_from_db()
assert response.status_code == HTTP_403_FORBIDDEN
assert assessment.status != data['status']
# DELETE
response = self.client.delete(self.get_detail_url(assessment.id))
assert response.status_code == HTTP_403_FORBIDDEN
assert Assessment.objects.count() == 1
# GET(all)
[
AssessmentFactory(user=user)
for user in [self.staff_user, self.simple_user]
]
assessments = Assessment.objects.filter(user=self.simple_user)
response = self.client.get(self.get_list_url())
assert response.status_code == HTTP_200_OK
assert len(response.data['results']) == 2
serializer = AssessmentSerializer(assessments, many=True)
assert response.data['results'] == serializer.data
assert set(entity['id'] for entity in response.data['results']) == set(
entity.id for entity in assessments)
def test_is_birthday__false_5_days_ahead(self):
self.user.date_of_birth = Day(ago=-5).date
assert not self.user.is_birthday()