def test_not_authorized(self):
"""
Unauthorized users should get an empty list.
"""
user = StaffFactory(course_key=self.course.id)
access_token = AccessTokenFactory.create(
user=user, client=self.oauth_client).token
auth_header = 'Bearer ' + access_token
# Data should be returned if the user is authorized.
response = self.http_get(reverse(self.view),
HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
url = "{}?course_id={}".format(reverse(self.view), self.course_id)
response = self.http_get(url, HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
data = response.data['results']
self.assertEqual(len(data), 1)
self.assertEqual(data[0]['name'], self.course.display_name)
# The view should return an empty list if the user cannot access any courses.
url = "{}?course_id={}".format(reverse(self.view),
unicode(self.empty_course.id))
response = self.http_get(url, HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
self.assertDictContainsSubset({
'count': 0,
u'results': []
}, response.data)
def test_not_authorized(self):
"""
Unauthorized users should get an empty list.
"""
user = StaffFactory(course_key=self.course.id)
access_token = AccessTokenFactory.create(user=user, client=self.oauth_client).token
auth_header = 'Bearer ' + access_token
# If debug mode is enabled, the view should always return data.
with override_settings(DEBUG=True):
response = self.http_get(reverse(self.view), HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
# Data should be returned if the user is authorized.
response = self.http_get(reverse(self.view), HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
url = "{}?course_id={}".format(reverse(self.view), self.course_id)
response = self.http_get(url, HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
data = response.data['results']
self.assertEqual(len(data), 1)
self.assertEqual(data[0]['name'], self.course.display_name)
# The view should return an empty list if the user cannot access any courses.
url = "{}?course_id={}".format(reverse(self.view), unicode(self.empty_course.id))
response = self.http_get(url, HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
self.assertDictContainsSubset({'count': 0, u'results': []}, response.data)
def test_not_authorized(self):
user = StaffFactory(course_key=self.course.id)
access_token = AccessTokenFactory.create(user=user, client=self.oauth_client).token
auth_header = 'Bearer ' + access_token
# Access should be granted if the proper access token is supplied.
response = self.http_get_for_course(HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
# Access should be denied if the user is not course staff.
response = self.http_get_for_course(course_id=unicode(self.empty_course.id), HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 404)
def test_not_authorized(self):
user = StaffFactory(course_key=self.course.id)
access_token = AccessTokenFactory.create(user=user, client=self.oauth_client).token
auth_header = 'Bearer ' + access_token
# Access should be granted if the proper access token is supplied.
response = self.http_get_for_course(HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
# Access should be denied if the user is not course staff.
response = self.http_get_for_course(course_id=unicode(self.empty_course.id), HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 404)
def test_oauth(self):
""" Verify the endpoint supports OAuth, and only allows authorization for staff users. """
user = UserFactory(is_staff=False)
oauth_client = ClientFactory.create()
access_token = AccessTokenFactory.create(user=user, client=oauth_client).token
headers = {"HTTP_AUTHORIZATION": "Bearer " + access_token}
# Non-staff users should not have access to the API
response = self.client.get(self.path, **headers)
self.assertEqual(response.status_code, 403)
# Staff users should have access to the API
user.is_staff = True
user.save() # pylint: disable=no-member
response = self.client.get(self.path, **headers)
self.assertEqual(response.status_code, 200)
def test_oauth(self):
""" Verify the endpoint supports OAuth, and only allows authorization for staff users. """
user = UserFactory(is_staff=False)
oauth_client = ClientFactory.create()
access_token = AccessTokenFactory.create(user=user,
client=oauth_client).token
headers = {'HTTP_AUTHORIZATION': 'Bearer ' + access_token}
# Non-staff users should not have access to the API
response = self.client.get(self.path, **headers)
self.assertEqual(response.status_code, 403)
# Staff users should have access to the API
user.is_staff = True
user.save() # pylint: disable=no-member
response = self.client.get(self.path, **headers)
self.assertEqual(response.status_code, 200)
def test_not_authorized(self):
user = StaffFactory(course_key=self.course.id)
access_token = AccessTokenFactory.create(user=user, client=self.oauth_client).token
auth_header = 'Bearer ' + access_token
# If debug mode is enabled, the view should always return data.
with override_settings(DEBUG=True):
response = self.http_get(reverse(self.view, kwargs={'course_id': self.course_id}),
HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
# Access should be granted if the proper access token is supplied.
response = self.http_get(reverse(self.view, kwargs={'course_id': self.course_id}),
HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
# Access should be denied if the user is not course staff.
response = self.http_get(reverse(self.view, kwargs={'course_id': unicode(self.empty_course.id)}),
HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 403)
def test_not_authorized(self):
user = StaffFactory(course_key=self.course.id)
access_token = AccessTokenFactory.create(
user=user, client=self.oauth_client).token
auth_header = 'Bearer ' + access_token
# If debug mode is enabled, the view should always return data.
with override_settings(DEBUG=True):
response = self.http_get(reverse(
self.view, kwargs={'course_id': self.course_id}),
HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
# Access should be granted if the proper access token is supplied.
response = self.http_get(reverse(self.view,
kwargs={'course_id': self.course_id}),
HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
# Access should be denied if the user is not course staff.
response = self.http_get(reverse(
self.view, kwargs={'course_id': unicode(self.empty_course.id)}),
HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 403)
def test_not_authorized(self):
"""
Unauthorized users should get an empty list.
"""
user = StaffFactory(course_key=self.course.id)
access_token = AccessTokenFactory.create(user=user, client=self.oauth_client).token
auth_header = "Bearer " + access_token
# Data should be returned if the user is authorized.
response = self.http_get(reverse(self.view), HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
url = "{}?course_id={}".format(reverse(self.view), self.course_id)
response = self.http_get(url, HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
data = response.data["results"]
self.assertEqual(len(data), 1)
self.assertEqual(data[0]["name"], self.course.display_name)
# The view should return an empty list if the user cannot access any courses.
url = "{}?course_id={}".format(reverse(self.view), unicode(self.empty_course.id))
response = self.http_get(url, HTTP_AUTHORIZATION=auth_header)
self.assertEqual(response.status_code, 200)
self.assertDictContainsSubset({"count": 0, u"results": []}, response.data)
def create_user_and_access_token(self):
self.user = GlobalStaffFactory.create()
self.oauth_client = ClientFactory.create()
self.access_token = AccessTokenFactory.create(
user=self.user, client=self.oauth_client).token
def create_user_and_access_token(self):
self.create_user()
self.oauth_client = ClientFactory.create()
self.access_token = AccessTokenFactory.create(user=self.user, client=self.oauth_client).token
