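def test_create_permissions(self):
    """
    Users should only be allowed to create data for themselves.

    Walks the authorization matrix of the data-list endpoint:
    anonymous -> 401, own data -> 201, another user's data as non-staff ->
    403 with nothing persisted, another user's data as staff -> 201.
    """
    url = reverse('api_experiments:v0:data-list')

    # Anonymous requests must be rejected before any data is touched.
    self.assertEqual(self.client.post(url, {}).status_code, 401)

    owner = UserFactory()
    payload = {
        'experiment_id': 1,
        'key': 'foo',
        'value': 'bar',
    }
    # Fail loudly if the login did not take, so a fixture/password drift
    # shows up here rather than as a confusing status-code mismatch below.
    self.assertTrue(
        self.client.login(username=owner.username, password=UserFactory._DEFAULT_PASSWORD)
    )

    # A user may write data for themselves.
    self.assertEqual(self.client.post(url, payload).status_code, 201)
    ExperimentData.objects.get(user=owner)

    # Naming another user in the payload must be refused for non-staff.
    # The negative case also checks that no row was written: a 403 that
    # still persisted the record would be a privilege-escalation bug.
    other = UserFactory()
    payload['user'] = other.username
    self.assertEqual(self.client.post(url, payload).status_code, 403)
    self.assertFalse(ExperimentData.objects.filter(user=other).exists())

    # Staff may write data on behalf of others; the flag is persisted so the
    # next request sees it through the session's user lookup.
    owner.is_staff = True
    owner.save()
    self.assertEqual(self.client.post(url, payload).status_code, 201)
    ExperimentData.objects.get(user=other)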
def _get_toggle_state_response(self, is_staff=True):
    """
    Issue a GET to the toggle-state view as a freshly created user.

    Args:
        is_staff: staff flag placed on the user instance. It is set in
            memory only and never saved; that is enough because the view is
            invoked directly with request.user already attached (presumably
            it does not re-fetch the user from the DB — confirm if the view
            changes).

    Returns:
        The response object produced by ToggleStateView.
    """
    requester = UserFactory()
    requester.is_staff = is_staff

    request = APIRequestFactory().get('/api/toggles/state/')
    request.user = requester

    return ToggleStateView.as_view()(request)
def create_mock_user(self, is_authenticated=True, is_staff=True, is_enrolled=True):
    """
    Creates a mock user with the specified properties.

    Args:
        is_authenticated: value the user's ``is_authenticated`` callable will
            report.
        is_staff: value placed on ``is_staff``.
        is_enrolled: value placed on ``is_enrolled`` (not a stock Django
            attribute; consumers in this test module are expected to read it).

    Returns:
        A UserFactory-built user with the attributes overridden in memory
        (nothing is saved).
    """
    mock_user = UserFactory()
    # NOTE(review): replacing is_authenticated with a callable matches the
    # old Django API where it was a method; on Django >= 1.10 it is a
    # read-only property on AbstractBaseUser and this assignment would raise
    # AttributeError — confirm against the pinned Django version.
    overrides = (
        ('name', 'mock_user'),
        ('is_staff', is_staff),
        ('is_enrolled', is_enrolled),
        ('is_authenticated', lambda: is_authenticated),
    )
    for attr, value in overrides:
        setattr(mock_user, attr, value)
    return mock_user
def test_entrance_exam_view_direct_missing_score_setting(self):
    """
    Unit Test: test_entrance_exam_view_direct_missing_score_setting

    Calls create_entrance_exam directly (bypassing URL routing and
    middleware) as a staff user with a ``None`` score setting and expects
    a 201.
    """
    staff_user = UserFactory()
    staff_user.is_staff = True

    # NOTE(review): the "request" passed below is the RequestFactory object
    # itself with a .user attached, not a request built from it. The view
    # appears to only need request.user; confirm before relying on any other
    # request attribute. Also, is_staff is not saved, so a DB re-fetch of the
    # user inside the view would see a non-staff account.
    fake_request = RequestFactory()
    fake_request.user = staff_user

    response = create_entrance_exam(fake_request, self.course.id, None)
    self.assertEqual(201, response.status_code)
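def test_session_auth(self):
    """
    Verify the endpoint supports session authentication, and only allows
    authorization for staff users.

    Only the authenticated non-staff vs. staff split is covered; the
    anonymous (no session) case is not asserted here.
    """
    account = UserFactory(password=self.password, is_staff=False)
    # Assert the login actually succeeded. Depending on the authenticator
    # order an anonymous client can also receive 403, which would let the
    # non-staff assertion below pass for the wrong reason if the login
    # silently failed.
    self.assertTrue(self.client.login(username=account.username, password=self.password))

    # Authenticated but not staff: forbidden.
    self.assertEqual(self.client.get(self.path).status_code, 403)

    # Promote and persist; the same session must now be authorized, which
    # shows the permission check reads the current user record.
    account.is_staff = True
    account.save()
    self.assertEqual(self.client.get(self.path).status_code, 200)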
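def test_session_auth(self):
    """
    Verify the endpoint supports session authentication, and only allows
    authorization for staff users.

    Only the authenticated non-staff vs. staff split is covered; the
    anonymous (no session) case is not asserted here.
    """
    account = UserFactory(password=self.password, is_staff=False)
    # Assert the login actually succeeded. Depending on the authenticator
    # order an anonymous client can also receive 403, which would let the
    # non-staff assertion below pass for the wrong reason if the login
    # silently failed.
    self.assertTrue(self.client.login(username=account.username, password=self.password))

    # Authenticated but not staff: forbidden.
    self.assertEqual(self.client.get(self.path).status_code, 403)

    # Promote and persist; the same session must now be authorized, which
    # shows the permission check reads the current user record.
    account.is_staff = True
    account.save()  # pylint: disable=no-member
    self.assertEqual(self.client.get(self.path).status_code, 200)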
def test_oauth(self):
    """
    Verify the endpoint supports OAuth, and only allows authorization for
    staff users.

    The same bearer token is reused after promoting the user to staff, so
    this also checks that the permission decision is made against the
    current user record rather than state captured when the token was
    issued. Invalid, expired or missing tokens are not exercised here.
    """
    account = UserFactory(is_staff=False)
    application = ClientFactory.create()
    token = AccessTokenFactory.create(user=account, client=application).token
    auth_headers = {"HTTP_AUTHORIZATION": "Bearer " + token}

    def fetch():
        return self.client.get(self.path, **auth_headers)

    # Authenticated but not staff: forbidden, not merely unauthenticated.
    self.assertEqual(fetch().status_code, 403)

    # Promote and persist; the very same token must now be accepted.
    account.is_staff = True
    account.save()  # pylint: disable=no-member
    self.assertEqual(fetch().status_code, 200)
def test_entrance_exam_feature_flag_gating(self):
    """
    Every entrance-exam entry point must answer 400 when the feature is
    gated off: the URL via the test client, and the create/delete views
    called directly. update_entrance_exam returns nothing, so it is only
    checked to not raise. The flag state itself is presumably arranged in
    setUp rather than here.
    """
    staff_user = UserFactory()
    staff_user.is_staff = True

    # NOTE(review): as elsewhere in this module, the RequestFactory object
    # itself is used as the request, with only .user attached; the views
    # called directly appear to need nothing more. The test client used for
    # the GET below is a separate session whose authentication (if any)
    # comes from setUp.
    fake_request = RequestFactory()
    fake_request.user = staff_user

    self.assertEqual(400, self.client.get(self.exam_url).status_code)
    self.assertEqual(400, create_entrance_exam(fake_request, self.course.id, None).status_code)
    self.assertEqual(400, delete_entrance_exam(fake_request, self.course.id).status_code)

    # No return value to inspect; passing means no exception was raised.
    update_entrance_exam(fake_request, self.course.id, {})
def test_oauth(self):
    """
    Verify the endpoint supports OAuth, and only allows authorization for
    staff users.

    The same bearer token is reused after promoting the user to staff, so
    this also checks that the permission decision is made against the
    current user record rather than state captured when the token was
    issued. Invalid, expired or missing tokens are not exercised here.
    """
    account = UserFactory(is_staff=False)
    application = ClientFactory.create()
    token = AccessTokenFactory.create(user=account, client=application).token
    auth_headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}

    def fetch():
        return self.client.get(self.path, **auth_headers)

    # Authenticated but not staff: forbidden, not merely unauthenticated.
    self.assertEqual(fetch().status_code, 403)

    # Promote and persist; the very same token must now be accepted.
    account.is_staff = True
    account.save()  # pylint: disable=no-member
    self.assertEqual(fetch().status_code, 200)
def test_oauth_list(self, path_name):
    """
    Verify the endpoints supports OAuth, and only allows authorization for
    staff users.

    Args:
        path_name: URL name of the list endpoint under test (resolved with
            this test's course key).

    The same bearer token is reused after the user is promoted, so the
    permission check must read the current user record, not token-issuance
    state. Anonymous and bad-token cases are not covered here.
    """
    endpoint = reverse(path_name, kwargs={'course_key_string': self.course_str})
    account = UserFactory(is_staff=False)
    token = AccessTokenFactory.create(user=account, client=ClientFactory.create()).token
    auth_headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}

    def fetch():
        return self.client.get(path=endpoint, **auth_headers)

    # Non-staff: forbidden.
    self.assertEqual(fetch().status_code, 403)

    # Staff: allowed with the unchanged token.
    account.is_staff = True
    account.save()
    self.assertEqual(fetch().status_code, 200)
def test_oauth_list(self, path_name):
    """
    Verify the endpoints supports OAuth, and only allows authorization for
    staff users.

    Args:
        path_name: URL name of the list endpoint under test (resolved with
            this test's course key).

    The same bearer token is reused after the user is promoted, so the
    permission check must read the current user record, not token-issuance
    state. Anonymous and bad-token cases are not covered here.
    """
    endpoint = reverse(path_name, kwargs={'course_key_string': self.course_str})
    account = UserFactory(is_staff=False)
    token = AccessTokenFactory.create(user=account, client=ClientFactory.create()).token
    auth_headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}

    def fetch():
        return self.client.get(path=endpoint, **auth_headers)

    # Non-staff: forbidden.
    self.assertEqual(fetch().status_code, 403)

    # Staff: allowed with the unchanged token.
    account.is_staff = True
    account.save()
    self.assertEqual(fetch().status_code, 200)
def test_oauth_csv(self):
    """
    Verify the endpoint supports OAuth, and only allows authorization for
    staff users.

    Non-staff must get 403. For staff the expectation is 400, not 200: the
    POST carries no CSV payload, so the view rejects it as malformed —
    presumably after the staff check has passed, since the status changed
    from 403. Confirm the 400 really originates from payload validation
    rather than an earlier rejection if this view changes.
    """
    cohorts.add_cohort(self.course_key, "DEFAULT", "random")
    endpoint = reverse('api_cohorts:cohort_users_csv', kwargs={'course_key_string': self.course_str})

    account = UserFactory(is_staff=False)
    application = ApplicationFactory.create()
    token = AccessTokenFactory.create(user=account, application=application).token
    auth_headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}

    def upload():
        return self.client.post(path=endpoint, **auth_headers)

    # Non-staff: forbidden before any payload handling.
    self.assertEqual(upload().status_code, 403)

    # Staff with the same token: gets past authorization, fails on the
    # empty body.
    account.is_staff = True
    account.save()
    self.assertEqual(upload().status_code, 400)
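def test_bulk_upsert_permissions(self):
    """
    Only staff users can access the bulk upsert endpoint.

    Anonymous -> 401, authenticated non-staff -> 403, staff -> 200. The
    payload is an empty list throughout, so this pins the authorization
    gate only, not the upsert logic; the 403 on an empty body shows the
    permission check runs before any payload handling.
    """
    url = reverse('api_experiments:v0:data-bulk-upsert')
    payload = []

    def put():
        return self.client.put(url, payload, format='json')

    # Anonymous: unauthenticated (401), not merely forbidden.
    self.assertEqual(put().status_code, 401)

    user = UserFactory()
    # Fail loudly if the login did not take, so a fixture/password drift
    # shows up here rather than as a confusing status-code mismatch below.
    self.assertTrue(
        self.client.login(username=user.username, password=UserFactory._DEFAULT_PASSWORD)
    )

    # Authenticated non-staff: forbidden.
    self.assertEqual(put().status_code, 403)

    # Promote and persist; the same session is now authorized.
    user.is_staff = True
    user.save()
    self.assertEqual(put().status_code, 200)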
def test_oauth_users(self):
    """
    Verify the endpoint supports OAuth, and only allows authorization for
    staff users.

    The request tries to add the requesting user themselves to cohort 1.
    Non-staff must get 403; staff with the same bearer token must get 200,
    so the permission check has to consult the current user record rather
    than token-issuance state. The 403 path does not assert that cohort
    membership was left unchanged — worth adding if the API offers a cheap
    way to read membership back.
    """
    cohorts.add_cohort(self.course_key, "DEFAULT", "random")
    endpoint = reverse(
        'api_cohorts:cohort_users',
        kwargs={'course_key_string': self.course_str, 'cohort_id': 1},
    )

    account = UserFactory(is_staff=False)
    application = ClientFactory.create()
    token = AccessTokenFactory.create(user=account, client=application).token
    auth_headers = {'HTTP_AUTHORIZATION': 'Bearer ' + token}
    body = {'users': [account.username]}

    def add_users():
        return self.client.post(path=endpoint, data=body, **auth_headers)

    # Non-staff: forbidden.
    self.assertEqual(add_users().status_code, 403)

    # Staff with the unchanged token: allowed.
    account.is_staff = True
    account.save()
    self.assertEqual(add_users().status_code, 200)