def test_is_supervisor(self):
    """Check ``permissions.is_user_supervisor_of`` across a three-tier course.

    ``self.course1`` gets three participants: ``self.user`` as "TE" (may
    view course users and all journals), ``middle`` as "MD" (may view course
    users only) and ``student`` as "SD" (no permissions at all). The student
    also owns a journal in ``self.assignment``. The second half removes the
    student's participation and re-checks which supervisor links survive.
    """
    middle = factory.make_user('Username2', DEFAULT_PASSWORD, email='*****@*****.**', full_name='Test User')
    student = factory.make_user('Username3', DEFAULT_PASSWORD, email='*****@*****.**', full_name='Test User')

    # (role name, participant, permissions granted on top of the no-perms default)
    tiers = (
        ("TE", self.user, {'can_view_course_users': True, 'can_view_all_journals': True}),
        ("MD", middle, {'can_view_course_users': True}),
        ("SD", student, {}),
    )
    for role_name, member, granted in tiers:
        role = factory.make_role_default_no_perms(role_name, self.course1, **granted)
        factory.make_participation(member, self.course1, role)
    factory.make_journal(self.assignment, student)

    def supervises(viewer, target):
        return permissions.is_user_supervisor_of(viewer, target)

    # Whoever may view course users supervises the other participants in
    # both directions; the permission-less student supervises nobody.
    assert supervises(self.user, student)
    assert supervises(self.user, middle)
    assert supervises(middle, self.user)
    assert supervises(middle, student)
    assert not supervises(student, self.user)
    assert not supervises(student, middle)

    # Leaving the course removes the course-based link (middle loses the
    # student) but the test expects the teacher, who may view all journals,
    # to stay the student's supervisor via the journal in self.assignment.
    Participation.objects.get(course=self.course1, user=student).delete()
    assert supervises(self.user, student)
    assert not supervises(middle, student)
    assert not supervises(student, self.user)
    assert not supervises(student, middle)
def test_is_supervisor(self):
    """Check ``permissions.is_user_supervisor_of`` across a three-tier course.

    ``self.course1`` gets three participants: ``self.user`` as "TE" (may
    view course users and all journals), ``middle`` as "MD" (may view course
    users only) and ``student`` as "SD" (no permissions at all). The student
    also owns a journal in ``self.assignment``. The second half removes the
    student's participation and re-checks which supervisor links survive.
    """
    middle = factory.make_user('Username2', 'Password', email='*****@*****.**')
    student = factory.make_user('Username3', 'Password', email='*****@*****.**')

    # (role name, participant, permissions granted on top of the no-perms default)
    tiers = (
        ("TE", self.user, {'can_view_course_users': True, 'can_view_all_journals': True}),
        ("MD", middle, {'can_view_course_users': True}),
        ("SD", student, {}),
    )
    for role_name, member, granted in tiers:
        role = factory.make_role_default_no_perms(role_name, self.course1, **granted)
        factory.make_participation(member, self.course1, role)
    factory.make_journal(self.assignment, student)

    def expect(viewer, target, supervises):
        check = self.assertTrue if supervises else self.assertFalse
        check(permissions.is_user_supervisor_of(viewer, target))

    # Whoever may view course users supervises the other participants in
    # both directions; the permission-less student supervises nobody.
    expect(self.user, student, True)
    expect(self.user, middle, True)
    expect(middle, self.user, True)
    expect(middle, student, True)
    expect(student, self.user, False)
    expect(student, middle, False)

    # Leaving the course removes the course-based link (middle loses the
    # student) but the test expects the teacher, who may view all journals,
    # to stay the student's supervisor via the journal in self.assignment.
    Participation.objects.get(course=self.course1, user=student).delete()
    expect(self.user, student, True)
    expect(middle, student, False)
    expect(student, self.user, False)
    expect(student, middle, False)
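def to_string(self, user=None):
    """Return a display string for this user, gated on who is asking.

    Arguments:
    user -- the user requesting the string (the viewer); ``None`` when
            there is no authenticated viewer.

    Returns:
    ``"<username> (<pk>)"`` when the viewer may identify this user, i.e.
    when the viewer is a superuser, is this user, or is one of this user's
    supervisors per ``permissions.is_user_supervisor_of``; the anonymous
    placeholder ``"User"`` otherwise.
    """
    if user is None:
        return "User"
    # The privilege that unlocks the name belongs to the *viewer*, not to the
    # user being rendered -- the same viewer-centred rule the user retrieve
    # endpoint applies with request.user.is_superuser. Testing
    # self.is_superuser here would hand every superuser's username and pk to
    # any caller, regardless of who is asking.
    may_identify = (
        user.is_superuser
        or self == user
        or permissions.is_user_supervisor_of(user, self)
    )
    if not may_identify:
        return "User"
    return self.username + " (" + str(self.pk) + ")"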
def retrieve(self, request, pk):
    """Get the user data of the requested user.

    Arguments:
    request -- request data
    pk -- user ID; ``0`` is an alias for the requesting user's own ID

    Returns:
    On failure:
        unauthorized -- when the user is not logged in
        not found -- when the user doesn't exists
        forbidden -- when the requester is neither the user, a superuser,
                     nor one of the user's supervisors
    On success:
        success -- with the user data. The full ``OwnUserSerializer``
        payload goes only to the user themself or a superuser; a supervisor
        gets the reduced ``UserSerializer`` view.
    """
    # NOTE(review): int(pk) raises ValueError on a non-numeric pk and
    # User.objects.get raises DoesNotExist for an unknown id; neither is
    # caught here, so those inputs presumably surface as an unhandled
    # exception rather than the not-found documented above. Because the
    # lookup runs before the authorisation check, an unprivileged caller can
    # also distinguish existing ids (forbidden) from missing ones (error);
    # returning one uniform response for both would close that oracle.
    target_pk = request.user.id if int(pk) == 0 else pk
    user = User.objects.get(pk=target_pk)

    is_self_or_admin = request.user == user or request.user.is_superuser
    if is_self_or_admin:
        serializer = OwnUserSerializer(user, many=False)
    elif permissions.is_user_supervisor_of(request.user, user):
        serializer = UserSerializer(user, many=False)
    else:
        return response.forbidden('You are not allowed to view this users information.')
    return response.success({'user': serializer.data})
def test_get(self):
    """Exercise the users GET endpoint for every class of caller.

    Covers the list endpoint (admin only), ``pk=0`` as an alias for the
    caller's own record, a student reading another user (refused), a
    supervising teacher reading a student (identity fields only) and an
    admin reading a student (all fields).
    """
    student = factory.Student()
    admin = factory.Admin()
    journal = factory.Journal(user=student)
    teacher = journal.assignment.courses.first().author

    def get_users(caller, **extra):
        return api.get(self, 'users', user=caller, **extra)

    # Listing every user is an admin-only operation.
    get_users(student, status=403)
    everyone = get_users(admin)['users']
    assert len(everyone) == User.objects.count(), 'Test if the admin got all the users'

    # pk=0 resolves to the caller's own record, with the full field set.
    own = get_users(student, params={'pk': 0})['user']
    assert 'id' in own, 'Test if the student got userdata'
    assert 'verified_email' in own, 'Test if the student got all their userdata'
    own_admin = get_users(admin, params={'pk': 0})['user']
    assert own_admin['is_superuser'], 'Admin user should be flagged as superuser.'

    # A plain user must not read somebody else's record.
    get_users(student, params={'pk': admin.pk}, status=403)

    # A supervisor gets the reduced view: identity fields, but no contact or
    # verification details -- the data-minimisation guarantee for supervisees.
    assert permissions.is_user_supervisor_of(teacher, student), 'Teacher should be supervisor of student'
    seen_by_teacher = get_users(teacher, params={'pk': student.pk})['user']
    for field in ('username', 'full_name'):
        assert field in seen_by_teacher, 'Supervisor can retrieve basic supervisee data'
    for field in ('verified_email', 'email'):
        assert field not in seen_by_teacher, 'Supervisor can\'t retrieve all supervisee data'

    # An admin gets everything.
    seen_by_admin = get_users(admin, params={'pk': student.pk})['user']
    assert 'id' in seen_by_admin, 'Admin can retrieve basic user data'
    for field in ('verified_email', 'email'):
        assert field in seen_by_admin, 'Admin can retrieve all user data'