def test_stream_access_cant_change(activity_stream_entry, organization, org_admin, settings):
    """Check that an activity stream entry cannot be added, changed or deleted.

    The checks run as the organization admin with the activity stream
    enabled, and all three write-type permission checks must be refused.
    """
    settings.ACTIVITY_STREAM_ENABLED = True
    admin_access = ActivityStreamAccess(org_admin)
    attempted_change = {'organization': None}

    # The activity stream cannot be edited, so each write check must come back falsy.
    assert not admin_access.can_add(activity_stream_entry)
    assert not admin_access.can_change(activity_stream_entry, attempted_change)
    assert not admin_access.can_delete(activity_stream_entry)
def test_app_activity_stream(self, org_admin, alice, organization):
    """Check who can read the activity stream entry of a new OAuth2 application.

    The org admin who owns the application must be able to read both the
    application and its latest activity stream entry; `alice` must be
    denied both reads.
    """
    application = Application.objects.create(
        name='test app for {}'.format(org_admin.username),
        user=org_admin,
        client_type='confidential',
        authorization_grant_type='password',
        organization=organization,
    )

    # The owner can read the application itself.
    assert OAuth2ApplicationAccess(org_admin).can_read(application) is True

    # The owner can also read the newest stream entry that references it.
    admin_stream_access = ActivityStreamAccess(org_admin)
    latest_entry = ActivityStream.objects.filter(o_auth2_application=application).latest('pk')
    assert admin_stream_access.can_read(latest_entry) is True

    # presumably alice has no access to this organization; verify against the fixture
    alice_stream_access = ActivityStreamAccess(alice)
    # NOTE(review): the Application object is passed to ActivityStreamAccess here,
    # not to OAuth2ApplicationAccess. Confirm this is the intended denial check.
    assert alice_stream_access.can_read(application) is False
    assert alice_stream_access.can_read(latest_entry) is False
def test_token_activity_stream(self, org_admin, alice, organization, post):
    """Check who can read the activity stream entry of a new OAuth2 token.

    A read-scoped token is issued to the org admin through the API. The
    admin must be able to read the application and the token's latest
    activity stream entry; `alice` must be denied.
    """
    application = Application.objects.create(
        name='test app for {}'.format(org_admin.username),
        user=org_admin,
        client_type='confidential',
        authorization_grant_type='password',
        organization=organization,
    )

    # Issue the token through the API as org_admin; a 201 response is required.
    token_url = reverse('api:o_auth2_application_token_list', kwargs={'pk': application.pk})
    response = post(token_url, {'scope': 'read'}, org_admin, expect=201)
    issued_token = AccessToken.objects.get(token=response.data['token'])

    assert OAuth2ApplicationAccess(org_admin).can_read(application) is True

    admin_stream_access = ActivityStreamAccess(org_admin)
    latest_entry = ActivityStream.objects.filter(o_auth2_access_token=issued_token).latest('pk')
    assert admin_stream_access.can_read(latest_entry) is True

    # presumably alice has no access to this organization; verify against the fixture
    alice_stream_access = ActivityStreamAccess(alice)
    # NOTE(review): the AccessToken object is passed to ActivityStreamAccess here,
    # not to a token-specific access class. Confirm this is the intended denial check.
    assert alice_stream_access.can_read(issued_token) is False
    assert alice_stream_access.can_read(latest_entry) is False
def test_stream_queryset_hides_shows_items(
    activity_stream_entry,
    organization,
    user,
    org_admin,
    project,
    org_credential,
    inventory,
    label,
    deploy_jobtemplate,
    notification_template,
    group,
    host,
    team,
    settings,
):
    """Check that the activity stream queryset is filtered per user.

    A user who is in no organization must get no entries for any of the
    listed resources, while the organization admin must get exactly one
    'create' entry for each of them.
    """
    settings.ACTIVITY_STREAM_ENABLED = True

    # (queryset lookup, primary key) for every resource checked, in assertion order.
    tracked_resources = [
        ('project__pk', project.pk),
        ('credential__pk', org_credential.pk),
        ('inventory__pk', inventory.pk),
        ('label__pk', label.pk),
        ('job_template__pk', deploy_jobtemplate.pk),
        ('group__pk', group.pk),
        ('host__pk', host.pk),
        ('team__pk', team.pk),
        ('notification_template__pk', notification_template.pk),
    ]

    # This user is not in any organization and should not see any resource activity.
    outsider = user('no-access-user', False)
    outsider_entries = ActivityStreamAccess(outsider).get_queryset()
    for lookup, resource_pk in tracked_resources:
        assert not outsider_entries.filter(**{lookup: resource_pk})

    # Organization admin should be able to see most things in the ActivityStream.
    admin_entries = ActivityStreamAccess(org_admin).get_queryset()
    for lookup, resource_pk in tracked_resources:
        assert admin_entries.filter(**{lookup: resource_pk}, operation='create').count() == 1