def test_asset_patch_validation(self):
"""User's only allow to PATCH an asset that has a department their are part of, and the
PATCH department has to be one he belongs to"""
client = APIClient()
asset_dict = copy.copy(COMPLETE_ASSET)
asset_dict['department'] = 'TESTDEPT2'
asset = Asset(**asset_dict)
asset.save()
result_patch = client.patch('/assets/%s/' % asset.pk,
{"name": "asset1"})
# Not allowed because the asset belongs to TESTDEPT2
self.assert_method_is_not_listed_as_allowed('PATCH', asset)
self.assertEqual(result_patch.status_code, 403)
# We fix the department, so now the user should be allow but we try to change the
# department to another that the user doesn't belong to
asset.department = 'TESTDEPT'
set_local_user(self.user)
asset.save()
# User is in principle allowed ...
self.assert_method_is_listed_as_allowed('PATCH', asset)
# ... but not in this case
result_patch = client.patch('/assets/%s/' % asset.pk,
{"department": "TESTDEPT2"})
self.assertEqual(result_patch.status_code, 403)
# This one should be allowed
result_patch = client.patch('/assets/%s/' % asset.pk,
{"name": "asset2"})
self.assert_method_is_listed_as_allowed('PATCH', asset)
self.assertEqual(result_patch.status_code, 200)
def test_asset_put_validation(self):
"""User's only allow to PUT an asset that has a department their are part of, and the
PUT department has to be one he belongs to"""
client = APIClient()
asset_dict = copy.copy(COMPLETE_ASSET)
asset_dict['department'] = 'TESTDEPT2'
asset = Asset(**asset_dict)
asset.save()
result_put = client.put('/assets/%s/' % asset.pk, COMPLETE_ASSET)
# Not allowed because the asset belongs to TESTDEPT2
self.assert_method_is_not_listed_as_allowed('PUT', asset)
self.assertEqual(result_put.status_code, 403)
# We fix the department, so now the user should be allow but we try to change the
# department to another that the user doesn't belong to
asset.department = 'TESTDEPT'
set_local_user(self.user)
asset.save()
# User can, in principle PUT...
self.assert_method_is_listed_as_allowed('PUT', asset)
# ... but not this asset
result_put = client.put('/assets/%s/' % asset.pk, asset_dict)
self.assertEqual(result_put.status_code, 403)
# This one should be allowed
asset_dict['department'] = 'TESTDEPT'
asset_dict['name'] = 'asset2'
result_put = client.put('/assets/%s/' % asset.pk, asset_dict)
self.assert_method_is_listed_as_allowed('PUT', asset)
self.assertEqual(result_put.status_code, 200)
def test_asset_put_validation(self):
"""User's only allow to PUT an asset that has a department their are part of, and the
PUT department has to be one he belongs to"""
client = APIClient()
asset_dict = copy.copy(COMPLETE_ASSET)
asset_dict['department'] = 'TESTDEPT2'
asset = Asset(**asset_dict)
asset.save()
result_patch = client.patch('/assets/%s/' % asset.pk, COMPLETE_ASSET)
# Not allowed because the asset belongs to TESTDEPT2
self.assertEqual(result_patch.status_code, 403)
# We fix the department, so now the user should be allow but we try to change the
# department to another that the user doesn't belong to
asset.department = 'TESTDEPT'
asset.save()
result_patch = client.patch('/assets/%s/' % asset.pk, asset_dict)
self.assertEqual(result_patch.status_code, 403)
# This one should be allowed
asset_dict['department'] = 'TESTDEPT'
asset_dict['name'] = 'asset2'
result_patch = client.patch('/assets/%s/' % asset.pk, asset_dict)
self.assertEqual(result_patch.status_code, 200)
