def test_admin_change_late_day_count_for_other_course_permission_denied(
self):
admin = obj_build.make_admin_user(self.course)
# Student for other course
other_course = obj_build.make_course()
other_course_student = obj_build.make_student_user(other_course)
self.assertFalse(other_course.is_admin(admin))
self.client.force_authenticate(admin)
response = self.client.put(
self.get_pk_url(other_course_student, other_course),
{'late_days_remaining': 10})
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
response = self.client.put(
self.get_username_url(other_course_student, other_course),
{'late_days_remaining': 10})
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
# Guest for other course
other_guest = obj_build.make_user()
response = self.client.put(self.get_pk_url(other_guest, other_course),
{'late_days_remaining': 7})
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
other_guest = obj_build.make_user()
response = self.client.put(
self.get_username_url(other_guest, other_course),
{'late_days_remaining': 7})
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
def test_guest_view_other_late_day_count_permission_denied(self):
guest1 = obj_build.make_user()
guest2 = obj_build.make_user()
self.client.force_authenticate(guest1)
response = self.client.get(self.get_pk_url(guest2, self.course))
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
response = self.client.get(self.get_username_url(guest2, self.course))
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
def test_error_missing_body_params(self):
superuser = obj_build.make_user(superuser=True)
new_name = 'steve'
new_semester = ag_models.Semester.summer
new_year = 2019
self.client.force_authenticate(superuser)
response = self.client.post(
reverse('copy-course', kwargs={'course_pk': self.course.pk}), {
'new_name': new_name,
'new_semester': new_semester.value
})
self.assertEqual(status.HTTP_400_BAD_REQUEST, response.status_code)
response = self.client.post(
reverse('copy-course', kwargs={'course_pk': self.course.pk}), {
'new_name': new_name,
'new_year': new_year
})
self.assertEqual(status.HTTP_400_BAD_REQUEST, response.status_code)
response = self.client.post(
reverse('copy-course', kwargs={'course_pk': self.course.pk}), {
'new_semester': new_semester.value,
'new_year': new_year
})
self.assertEqual(status.HTTP_400_BAD_REQUEST, response.status_code)
def test_staff_view_late_day_count_for_other_course_permission_denied(
self):
staff = obj_build.make_staff_user(self.course)
# Student for other course
other_course = obj_build.make_course()
other_course_student = obj_build.make_student_user(other_course)
self.assertFalse(other_course.is_staff(staff))
self.client.force_authenticate(staff)
response = self.client.get(
self.get_pk_url(other_course_student, other_course))
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
response = self.client.get(
self.get_username_url(other_course_student, other_course))
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
# Guest for other course
other_guest = obj_build.make_user()
response = self.client.get(self.get_pk_url(other_guest, other_course))
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
response = self.client.get(
self.get_username_url(other_guest, other_course))
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
def test_guest_get_project(self):
self.project.validate_and_update(visible_to_students=True,
guests_can_submit=True)
guest = obj_build.make_user()
self.do_get_object_test(
self.client, guest, self.url,
exclude_dict(self.project.to_dict(),
['closing_time', 'instructor_files']))
def test_other_create_course_permission_denied(self):
guest = obj_build.make_user()
name = 'spam'
self.client.force_authenticate(guest)
response = self.client.post(reverse('course-list'), {'name': name})
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
self.assertEqual(0, ag_models.Course.objects.count())
def test_superuser_create_course(self):
superuser = obj_build.make_user(superuser=True)
self.client.force_authenticate(superuser)
name = 'new_course'
response = self.client.post(reverse('course-list'), {'name': name})
self.assertEqual(status.HTTP_201_CREATED, response.status_code)
loaded_course = ag_models.Course.objects.get(name=name)
self.assertEqual(loaded_course.to_dict(), response.data)
self.assertTrue(loaded_course.is_admin(superuser))
def test_user_cannot_copy_courses_permission_denied(self):
user = obj_build.make_user(superuser=False)
self.client.force_authenticate(user)
response = self.client.post(
reverse('copy-course', kwargs={'course_pk': self.course.pk}), {
'new_name': 'New',
'new_semester': ag_models.Semester.summer.value,
'new_year': 2021
})
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
def test_user_with_create_course_permission_create_course(self):
user = obj_build.make_user()
user.user_permissions.add(
Permission.objects.get(codename='create_course'))
self.client.force_authenticate(user)
response = self.client.post(reverse('course-list'),
{'name': 'waluigi'})
self.assertEqual(status.HTTP_201_CREATED, response.status_code)
loaded_course = ag_models.Course.objects.get(name='waluigi')
self.assertEqual(loaded_course.to_dict(), response.data)
self.assertTrue(loaded_course.is_admin(user))
def test_user_can_copy_course_but_not_admin_permission_denied(self):
user = obj_build.make_user()
user.user_permissions.add(
Permission.objects.get(codename='create_course'))
self.client.force_authenticate(user)
response = self.client.post(
reverse('copy-course', kwargs={'course_pk': self.course.pk}), {
'new_name': 'New',
'new_semester': ag_models.Semester.summer.value,
'new_year': 2021
})
self.assertEqual(status.HTTP_403_FORBIDDEN, response.status_code)
def test_other_add_project_permission_denied(self):
staff = obj_build.make_staff_user(self.course)
student = obj_build.make_student_user(self.course)
handgrader = obj_build.make_handgrader_user(self.course)
guest = obj_build.make_user()
project_name = 'project123'
for user in staff, student, handgrader, guest:
self.client.force_authenticate(user)
response = self.client.post(self.url, {'name': project_name})
self.assertEqual(403, response.status_code)
with self.assertRaises(exceptions.ObjectDoesNotExist):
ag_models.Project.objects.get(name=project_name)
def test_invalid_semester(self):
course = obj_build.make_course(semester=ag_models.Semester.winter,
year=2019)
url = reverse('course-by-fields',
kwargs={
'name': course.name,
'semester': 'bad',
'year': course.year
})
guest = obj_build.make_user()
self.client.force_authenticate(guest)
response = self.client.get(url)
self.assertEqual(status.HTTP_400_BAD_REQUEST, response.status_code)
def test_error_non_unique_course(self):
superuser = obj_build.make_user(superuser=True)
self.client.force_authenticate(superuser)
self.course.semester = ag_models.Semester.fall
self.course.year = 2017
self.course.save()
response = self.client.post(
reverse('copy-course', kwargs={'course_pk': self.course.pk}), {
'new_name': self.course.name,
'new_semester': self.course.semester.value,
'new_year': self.course.year
})
self.assertEqual(status.HTTP_400_BAD_REQUEST, response.status_code)
self.assertIn('exists', response.data['__all__'][0])
def test_get_course_by_name_semester_and_year(self):
course = obj_build.make_course(semester=ag_models.Semester.winter,
year=2019)
url = reverse('course-by-fields',
kwargs={
'name': course.name,
'semester': course.semester.value,
'year': course.year
})
guest = obj_build.make_user()
self.client.force_authenticate(guest)
response = self.client.get(url)
self.assertEqual(status.HTTP_200_OK, response.status_code)
self.assertEqual(course.to_dict(), response.data)
def test_superuser_view_calls_copy_course(self):
superuser = obj_build.make_user(superuser=True)
dummy_course = obj_build.make_course()
mock_copy_course = mock.Mock(return_value=dummy_course)
with mock.patch(
'autograder.rest_api.views.course_views.course_views.copy_course',
new=mock_copy_course):
self.client.force_authenticate(superuser)
response = self.client.post(
reverse('copy-course', kwargs={'course_pk': self.course.pk}), {
'new_name': 'Clone',
'new_semester': ag_models.Semester.winter.value,
'new_year': 2020
})
mock_copy_course.assert_called_once_with(
course=self.course,
new_course_name='Clone',
new_course_semester=ag_models.Semester.winter,
new_course_year=2020)
def test_superuser_copy_course_new_name_semester_year(self):
superuser = obj_build.make_user(superuser=True)
new_name = 'steve'
new_semester = ag_models.Semester.summer
new_year = 2019
self.client.force_authenticate(superuser)
response = self.client.post(
reverse('copy-course', kwargs={'course_pk': self.course.pk}), {
'new_name': new_name,
'new_semester': new_semester.value,
'new_year': new_year
})
self.assertEqual(status.HTTP_201_CREATED, response.status_code)
new_course = ag_models.Course.objects.get(pk=response.data['pk'])
self.assertEqual(new_name, new_course.name)
self.assertEqual(new_semester, new_course.semester)
self.assertEqual(new_year, new_course.year)
self.assertEqual(new_course.to_dict(), response.data)
def test_guest_get_guest_allowed_hidden_project_permission_denied(self):
self.project.validate_and_update(visible_to_students=False,
guests_can_submit=True)
guest = obj_build.make_user()
self.do_permission_denied_get_test(self.client, guest, self.url)
def test_other_list_projects_permission_denied(self):
guest = obj_build.make_user()
self.do_permission_denied_get_test(self.client, guest, self.url)
def setUp(self):
super().setUp()
self.course = obj_build.make_course()
self.user = obj_build.make_user()
def test_guest_view_own_late_day_count(self):
guest = obj_build.make_user()
self.do_get_late_days_test(guest, guest, self.course,
self.initial_num_late_days)