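def test_list_users_without_being_manager(self):
        """Listing ``/@users`` with non-manager credentials must be refused.

        Sends a basic-auth GET as ``noam`` and expects HTTP 401.
        """
        noam_api_session = RelativeSession(self.portal_url)
        try:
            noam_api_session.headers.update({'Accept': 'application/json'})
            noam_api_session.auth = ('noam', 'password')

            # NOTE(review): rejected credentials would presumably also yield
            # 401. Confirm the fixture creates 'noam' with this password,
            # otherwise the test passes without reaching the permission check.
            response = noam_api_session.get('/@users')
            self.assertEqual(response.status_code, 401)
        finally:
            # Close the session even when the assertion above fails.
            noam_api_session.close()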
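    def test_get_other_user_info_when_logged_in(self):
        """A logged-in user must not be able to read another user's record.

        Requests ``/@users/otheruser`` as ``noam`` and expects HTTP 401.
        """
        noam_api_session = RelativeSession(self.portal_url)
        try:
            noam_api_session.headers.update({'Accept': 'application/json'})
            noam_api_session.auth = ('noam', 'password')

            # NOTE(review): 401 alone does not show *why* access was denied.
            # Verify that 'noam' authenticates successfully in the fixture so
            # this covers cross-user access rather than a failed login.
            response = noam_api_session.get('/@users/otheruser')
            self.assertEqual(response.status_code, 401)
        finally:
            # Close the session even when the assertion above fails.
            noam_api_session.close()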
示例#3
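    def test_list_users_without_being_manager(self):
        """Listing ``/@users`` with non-manager credentials must be refused.

        Sends a basic-auth GET as ``noam`` and expects HTTP 401.
        """
        noam_api_session = RelativeSession(self.portal_url)
        try:
            noam_api_session.headers.update({"Accept": "application/json"})
            noam_api_session.auth = ("noam", "password")

            # NOTE(review): rejected credentials would presumably also yield
            # 401. Confirm the fixture creates 'noam' with this password,
            # otherwise the test passes without reaching the permission check.
            response = noam_api_session.get("/@users")
            self.assertEqual(response.status_code, 401)
        finally:
            # Previously close() was skipped whenever the assertion failed.
            noam_api_session.close()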
示例#4
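    def test_get_other_user_info_when_logged_in(self):
        """A logged-in user must not be able to read another user's record.

        Requests ``/@users/otheruser`` as ``noam`` and expects HTTP 401.
        """
        noam_api_session = RelativeSession(self.portal_url)
        try:
            noam_api_session.headers.update({"Accept": "application/json"})
            noam_api_session.auth = ("noam", "password")

            # NOTE(review): 401 alone does not show *why* access was denied.
            # Verify that 'noam' authenticates successfully in the fixture so
            # this covers cross-user access rather than a failed login.
            response = noam_api_session.get("/@users/otheruser")
            self.assertEqual(response.status_code, 401)
        finally:
            # Previously close() was skipped whenever the assertion failed.
            noam_api_session.close()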
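    def test_users_can_get_list_of_vocabularies(self):
        """Member, contributor and editor accounts may list ``/@vocabularies``.

        The same request is issued once per account; each must return 200.
        """
        api_session = RelativeSession(self.portal_url)
        try:
            api_session.headers.update({"Accept": "application/json"})

            # One pass per account replaces three copy-pasted stanzas.
            for username in ("member", "contributor", "editor"):
                api_session.auth = (username, "secret")
                response = api_session.get("/@vocabularies")
                self.assertEqual(response.status_code, 200)
        finally:
            # Previously close() was skipped whenever an assertion failed.
            api_session.close()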
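    def test_users_cant_get_other_vocabularies(self):
        """A plain member is denied the ``plone.app.vocabularies.Users`` vocabulary.

        Guards against an ordinary account reading the user vocabulary through
        the REST endpoint; the request must come back as HTTP 403.
        """
        api_session = RelativeSession(self.portal_url)
        try:
            api_session.headers.update({"Accept": "application/json"})

            api_session.auth = ("member", "secret")
            response = api_session.get(
                "/@vocabularies/plone.app.vocabularies.Users"
            )

            # 403 rather than 401: the caller is expected to be authenticated
            # but not permitted.
            # NOTE(review): only the 'member' role is covered here; consider
            # the same check for other non-manager roles.
            self.assertEqual(response.status_code, 403)
        finally:
            # Previously close() was skipped whenever the assertion failed.
            api_session.close()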
示例#7
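    def test_gestore_comunicati_can_get_data(self):
        """``@subscriptions`` is readable only with the "Gestore Comunicati" role.

        The same account is first refused (401) and then, after the role is
        granted and the transaction committed, allowed (200).
        """
        api_session = RelativeSession(self.portal_url)
        try:
            api_session.headers.update({"Accept": "application/json"})
            api_session.auth = ("memberuser", "secret")

            url = "{}/@subscriptions".format(self.portal_url)
            # Before the grant: the account is refused.
            self.assertEqual(api_session.get(url).status_code, 401)

            setRoles(self.portal, "memberuser", ["Gestore Comunicati"])
            # Commit so the role change is in effect for the next HTTP request.
            transaction.commit()
            self.assertEqual(api_session.get(url).status_code, 200)
        finally:
            # Previously close() was skipped whenever an assertion failed.
            api_session.close()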
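    def test_authenticated_can_get_allowed_vocabularies(self):
        """Every authenticated role can read the Keywords vocabulary.

        For member, contributor and editor the endpoint must answer 200 with
        exactly two items, titled "bar" and "foo" in that order.
        """
        api_session = RelativeSession(self.portal_url)
        try:
            api_session.headers.update({"Accept": "application/json"})

            for username in ("member", "contributor", "editor"):
                api_session.auth = (username, "secret")
                response = api_session.get(
                    "/@vocabularies/plone.app.vocabularies.Keywords"
                )
                self.assertEqual(response.status_code, 200)

                # Decode the body once instead of on every assertion.
                payload = response.json()
                self.assertEqual(payload["items_total"], 2)
                self.assertEqual(payload["items"][0]["title"], "bar")
                self.assertEqual(payload["items"][1]["title"], "foo")
        finally:
            # Previously close() was skipped whenever an assertion failed.
            api_session.close()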
示例#9
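    def test_gestore_comunicati_can_update_data(self):
        """PATCH is gated on the "Gestore Comunicati" role.

        Without the role the request is refused with 401; with the role it
        gets past authorization and is rejected with 400 instead.
        """
        api_session = RelativeSession(self.portal_url)
        try:
            api_session.headers.update({"Accept": "application/json"})
            api_session.auth = ("memberuser", "secret")

            url = "{}/123".format(self.url)
            self.assertEqual(api_session.patch(url, json={}).status_code, 401)

            setRoles(self.portal, "memberuser", ["Gestore Comunicati"])
            # Commit so the role change is in effect for the next HTTP request.
            transaction.commit()
            # 400 because it's a fake id
            # NOTE(review): this request targets self.url, not the "/123" url
            # used for the 401 check, so the two assertions exercise different
            # paths. Confirm whether `url` was intended before relying on this
            # as proof that the role unlocks the same resource.
            self.assertEqual(
                api_session.patch(self.url, json={}).status_code, 400
            )
        finally:
            # Previously close() was skipped whenever an assertion failed.
            api_session.close()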
示例#10
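    def test_api_do_not_return_related_items_with_effective_date_in_future_for_users_that_cant_edit_context(
        self,
    ):
        """Related items that are not yet effective stay hidden from readers.

        A page links to one item effective now and one effective later. The
        same account sees one related item as Reader and both as Editor.
        """
        # NOTE(review): the values below look masked in this listing; they
        # have to match the ("foo", "secret") login used for the session,
        # otherwise the role changes below apply to a different account.
        api.user.create(
            email="*****@*****.**",
            username="******",
            password="******",
        )

        api_session = RelativeSession(self.portal_url)
        try:
            api_session.headers.update({"Accept": "application/json"})
            api_session.auth = ("foo", "secret")

            present = api.content.create(
                container=self.portal, type="Document", title="present"
            )
            future = api.content.create(
                container=self.portal, type="Document", title="future"
            )
            present.setEffectiveDate(DateTime())
            future.setEffectiveDate(DateTime() + 1)
            api.content.transition(obj=present, transition="publish")
            api.content.transition(obj=future, transition="publish")
            page = api.content.create(
                container=self.portal,
                type="Document",
                title="Page",
                relatedItems=[
                    RelationValue(self.intids.getId(present)),
                    RelationValue(self.intids.getId(future)),
                ],
            )
            api.content.transition(obj=page, transition="publish")
            commit()

            # Reader: only the already-effective item may be serialized.
            setRoles(self.portal, "foo", ["Reader"])
            commit()
            # NOTE(review): the status code is not asserted before decoding,
            # so an error body without "relatedItems" yields an empty list.
            res = api_session.get(page.absolute_url()).json()
            related_items = res.get("relatedItems", [])
            self.assertEqual(len(related_items), 1)

            # Editor: both items are expected in the response.
            setRoles(self.portal, "foo", ["Editor"])
            commit()
            res = api_session.get(page.absolute_url()).json()
            related_items = res.get("relatedItems", [])
            self.assertEqual(len(related_items), 2)
        finally:
            # The original never closed this session.
            api_session.close()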
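    def test_get_search_user_with_filter_as_unauthorized_user(self):
        """Filtered user search on ``/@users`` is refused for ``noam``.

        A user payload is first POSTed through ``self.api_session``; the
        search with ``query=howa`` is then issued as ``noam`` and must
        return HTTP 401.
        """
        # NOTE(review): the result of this POST is never checked, and the
        # values look masked in this listing. If it fails, nothing matches
        # the query and the 401 below says less about what was protected.
        self.api_session.post(
            '/@users',
            json={
                "username": "******",
                "email": "*****@*****.**",
                "password": "******"
            },
        )
        transaction.commit()

        noam_api_session = RelativeSession(self.portal_url)
        try:
            noam_api_session.headers.update({'Accept': 'application/json'})
            noam_api_session.auth = ('noam', 'password')

            response = noam_api_session.get('/@users', params={'query': 'howa'})
            self.assertEqual(response.status_code, 401)
        finally:
            # The original never closed this session.
            noam_api_session.close()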
示例#12
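    def test_get_search_user_with_filter_as_unauthorized_user(self):
        """Filtered user search on ``/@users`` is refused for ``noam``.

        A user payload is first POSTed through ``self.api_session``; the
        search with ``query=howa`` is then issued as ``noam`` and must
        return HTTP 401.
        """
        # NOTE(review): the result of this POST is never checked, and the
        # values look masked in this listing. If it fails, nothing matches
        # the query and the 401 below says less about what was protected.
        self.api_session.post(
            "/@users",
            json={
                "username": "******",
                "email": "*****@*****.**",
                "password": "******",
            },
        )
        transaction.commit()

        noam_api_session = RelativeSession(self.portal_url)
        try:
            noam_api_session.headers.update({"Accept": "application/json"})
            noam_api_session.auth = ("noam", "password")

            response = noam_api_session.get("/@users", params={"query": "howa"})
            self.assertEqual(response.status_code, 401)
        finally:
            # Previously close() was skipped whenever the assertion failed.
            noam_api_session.close()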