class PermissionsTestCase(APITestCase):
def setUp(self):
self.factory = APIRequestFactory()
self.perm = None
def check_model_perms(self, checks, user):
for method, check in checks.items():
request = self.factory.generic(method, '/url/')
request.user = user
self.assertEqual(
self.perm.has_permission(request, 'view'),
check,
msg="Invalid perms for user {} and method {}".format(
user, method))
def check_obj_perms(self, checks, user, obj):
for method, check in checks.items():
request = self.factory.generic(method, '/url/')
request.user = user
fail_msg = "Invalid obj perms for user {} and method {}".format(
user, method)
if type(check) == bool:
self.assertEqual(self.perm.has_object_permission(
request, 'view', obj),
check,
msg=fail_msg)
else:
with self.assertRaises(check, msg=fail_msg):
self.perm.has_object_permission(request, 'view', obj)
def check_box_obj_perms(self,
checks,
user,
box_owner=None,
share_with=None,
share_perm=None):
if box_owner is None:
box_owner = UserFactory()
for visibility in [Box.PRIVATE, Box.PUBLIC]:
box = BoxFactory(visibility=visibility, owner=box_owner)
if share_with:
box.share_with(share_with, share_perm)
self.check_obj_perms(checks, user, box)
class TestSerialize:
def setup(self):
from rest_framework.test import APIRequestFactory
class DummyJSONSerializer(serializers.Serializer):
json_field = fields.JSONField()
self.factory = APIRequestFactory()
self.Serializer = DummyJSONSerializer
def test_request_POST_with_form_content_JSONField(self):
data = b'-----------------------------20775962551482475149231161538\r\nContent-Disposition: form-data; name="json_field"\r\n\r\n{"a": true}\r\n-----------------------------20775962551482475149231161538--\r\n'
content_type = 'multipart/form-data; boundary=---------------------------20775962551482475149231161538'
wsgi_request = self.factory.generic('POST', '/', data, content_type)
request = Request(wsgi_request)
request.parsers = (FormParser(), MultiPartParser())
serializer = self.Serializer(data=request.data)
assert serializer.is_valid(raise_exception=True) == True
assert dict(serializer.data)['json_field'] == {'a': True}
def test_csv_with_excel_content_type(self):
"""
Often on Windows a csv file comes with an excel content-type (e.g: 'application/vnd.ms-excel')
Test that we handle the case.
"""
view = InferDatasetView.as_view()
columns = ['Name', 'Age', 'Weight', 'Comments']
rows = [
columns, ['Frederic', '56', '80.5', 'a comment'],
['Hilda', '24', '56', '']
]
file_ = helpers.rows_to_csv_file(rows)
factory = APIRequestFactory()
with open(file_, 'rb') as fp:
payload = {
'file': fp,
}
# In order to hack the Content-Type of the multipart form data we need to use the APIRequestFactory and work
# with the view directly. Can't use the classic API client.
# hack the content-type of the request.
data, content_type = factory._encode_data(payload,
format='multipart')
if six.PY3:
data = data.decode('utf-8')
data = data.replace('Content-Type: text/csv',
'Content-Type: application/vnd.ms-excel')
if six.PY3:
data = data.encode('utf-8')
request = factory.generic('POST',
self.url,
data,
content_type=content_type)
user = self.data_engineer_1_user
token, _ = Token.objects.get_or_create(user=user)
force_authenticate(request,
user=self.data_engineer_1_user,
token=token)
resp = view(request).render()
self.assertEqual(status.HTTP_200_OK, resp.status_code)
# should be json
self.assertEqual(resp.get('content-type'), 'application/json')
if six.PY3:
content = resp.content.decode('utf-8')
else:
content = resp.content
received = json.loads(content)
# name should be set with the file name
self.assertIn('name', received)
file_name = path.splitext(path.basename(fp.name))[0]
self.assertEqual(file_name, received.get('name'))
# type should be 'generic'
self.assertIn('type', received)
self.assertEqual('generic', received.get('type'))
# data_package verification
self.assertIn('data_package', received)
self.verify_inferred_data(received)
# verify schema
schema_descriptor = Package(
received.get('data_package')).resources[0].descriptor['schema']
schema = utils_data_package.GenericSchema(schema_descriptor)
self.assertEqual(len(schema.fields), len(columns))
self.assertEqual(schema.field_names, columns)
field = schema.get_field_by_name('Name')
self.assertEqual(field.type, 'string')
self.assertFalse(field.required)
self.assertEqual(field.format, 'default')
field = schema.get_field_by_name('Age')
self.assertEqual(field.type, 'integer')
self.assertFalse(field.required)
self.assertEqual(field.format, 'default')
field = schema.get_field_by_name('Weight')
self.assertEqual(field.type, 'number')
self.assertFalse(field.required)
self.assertEqual(field.format, 'default')
field = schema.get_field_by_name('Comments')
self.assertEqual(field.type, 'string')
self.assertFalse(field.required)
self.assertEqual(field.format, 'default')
class RecordViewSetsPermissions(TestCase):
views = [
# template
(RecordTemplateViewSet, 'create', 'partial_update', 'update',
'destroy', 'list', 'retrieve'),
# fields
(RecordEncryptedStandardFieldViewSet, 'create', 'partial_update',
'update', 'destroy'),
(RecordStandardFieldViewSet, 'create', 'partial_update', 'update',
'destroy'),
(RecordEncryptedFileFieldViewSet, 'create', 'partial_update', 'update',
'destroy'),
(RecordSelectFieldViewSet, 'create', 'partial_update', 'update',
'destroy'),
(RecordEncryptedSelectFieldViewSet, 'create', 'partial_update',
'update', 'destroy'),
(RecordStateFieldViewSet, 'create', 'partial_update', 'update',
'destroy'),
(RecordUsersFieldViewSet, 'create', 'partial_update', 'update',
'destroy'),
# record
(RecordViewSet, 'create', 'retrieve', 'destroy', 'list'),
# entry
(RecordEncryptedSelectEntryViewSet, 'create', 'partial_update',
'update', 'destroy'),
(RecordSelectEntryViewSet, 'create', 'partial_update', 'update',
'destroy'),
(RecordEncryptedFileEntryViewSet, 'create', 'partial_update', 'update',
'destroy'),
(RecordStandardEntryViewSet, 'create', 'partial_update', 'update',
'destroy'),
(RecordEncryptedStandardEntryViewSet, 'create', 'partial_update',
'update', 'destroy'),
(RecordUsersEntryViewSet, 'create', 'partial_update', 'update',
'destroy'),
(RecordStateEntryViewSet, 'create', 'partial_update', 'update',
'destroy')
]
action_mapper = {
'create': 'POST',
'update': 'PUT',
'partial_update': 'PATCH',
'destroy': 'DELETE',
'list': 'GET',
'retrieve': 'GET'
}
def setUp(self):
self.factory = APIRequestFactory()
self.rlc = Rlc.objects.create(name="Test RLC")
self.user = UserProfile.objects.create(email='*****@*****.**',
name='Dummy 1',
rlc=self.rlc)
self.user.set_password(settings.DUMMY_USER_PASSWORD)
self.user.save()
self.rlc_user = RlcUser.objects.create(user=self.user,
email_confirmed=True,
accepted=True)
def check_forbidden(self, view_class, actions):
for action in actions:
view = view_class.as_view(
actions={self.action_mapper[action]: action})
request = self.factory.generic(self.action_mapper[action], '')
response = view(request)
self.assertEqual(response.status_code, 401)
def check_not_existent(self, view_class, actions):
for action in actions:
view = view_class.as_view(
actions={self.action_mapper[action]: action})
request = self.factory.generic(self.action_mapper[action], '')
with self.assertRaises(AttributeError):
view(request)
def test_permissions(self):
for view_class in self.views:
self.check_forbidden(view_class[0], view_class[1:])
non_existent = list(self.action_mapper.keys())
[non_existent.remove(x) for x in view_class[1:]]
self.check_not_existent(view_class[0], non_existent)
class UserPermissionsTestCase(APITestCase):
def setUp(self):
self.factory = APIRequestFactory()
self.perm = UserPermissions()
self.user_obj = UserFactory()
def check_perms(self, checks, user):
for method, check in checks.items():
request = self.factory.generic(method, '/url/')
request.user = user
self.assertEqual(
self.perm.has_permission(request, 'view'),
check,
msg="Invalid perms for user {} and method {}"
.format(user, method))
def check_obj_perms(self, checks, user):
for method, check in checks.items():
request = self.factory.generic(method, '/url/')
request.user = user
self.assertEqual(
self.perm.has_object_permission(request, 'view', self.user_obj),
check,
msg="Invalid obj perms for user {} and method {}"
.format(user, method))
def test_staff_has_perms(self):
user = StaffFactory()
checks = {
'GET': True,
'PATCH': True,
'POST': True,
'DELETE': True,
}
self.check_perms(checks, user)
self.check_obj_perms(checks, user)
def test_authenticated_has_perms(self):
user = UserFactory()
checks = {
'GET': True,
'PATCH': True,
'POST': False,
'DELETE': False,
}
self.check_perms(checks, user)
checks = {
'GET': True,
'PATCH': False,
'POST': False,
'DELETE': False,
}
self.check_obj_perms(checks, user)
def test_user_owner_has_perms(self):
user = self.user_obj
checks = {
'GET': True,
'PATCH': True,
'POST': False,
'DELETE': False,
}
self.check_perms(checks, user)
checks = {
'GET': True,
'PATCH': True,
'POST': False,
'DELETE': False,
}
self.check_obj_perms(checks, user)
def test_anonymous_doesnt_has_perms(self):
user = AnonymousUser()
request = self.factory.post('/url/')
request.user = user
with self.assertRaises(Http404):
self.perm.has_permission(request, 'view')
request = self.factory.patch('/url/')
request.user = user
with self.assertRaises(Http404):
self.perm.has_permission(request, 'view')
request = self.factory.get('/url/')
request.user = user
with self.assertRaises(Http404):
self.perm.has_permission(request, 'view')
