def test_invalid_permission_for_agreement_bases(read_only_client, mocker, field): # verify missing base:read permission mocker.patch("jose.jwt.decode").return_value = create_jwt_payload( permissions=["transfer_agreement:read"]) query = f"query {{ transferAgreement(id: 1) {{ {field} {{ id }} }} }}" assert_forbidden_request(read_only_client, query, value={field: None})
def test_shipment_mutations_cancel_as_member_of_neither_org( read_only_client, mocker, default_shipment): # Test case 3.2.10 mocker.patch("jose.jwt.decode").return_value = create_jwt_payload( organisation_id=3, user_id=2) mutation = f"mutation {{ cancelShipment(id: {default_shipment['id']}) {{ id }} }}" assert_forbidden_request(read_only_client, mutation)
def test_invalid_permission_for_organisation_bases(unauthorized, read_only_client, default_organisation): # verify missing base:read permission org_id = default_organisation["id"] query = f"""query {{ organisation(id: "{org_id}") {{ bases {{ id }} }} }}""" assert_forbidden_request(read_only_client, query, value={"bases": None})
def test_invalid_permission_for_base_locations(read_only_client, mocker): # verify missing location:read permission mocker.patch("jose.jwt.decode").return_value = create_jwt_payload( permissions=["base:read"]) query = "query { base(id: 1) { locations { id } } }" assert_forbidden_request(read_only_client, query, value={"locations": None})
def test_invalid_permission_for_beneficiary_tokens(read_only_client, mocker, default_beneficiary): # verify missing transaction:read permission mocker.patch("jose.jwt.decode").return_value = create_jwt_payload( permissions=["beneficiary:read"]) id = default_beneficiary["id"] query = f"query {{ beneficiary(id: {id}) {{ tokens }} }}" assert_forbidden_request(read_only_client, query, value={"tokens": None})
def test_invalid_permission_for_qr_code_box(read_only_client, mocker, default_qr_code): # verify missing stock:read permission mocker.patch("jose.jwt.decode").return_value = create_jwt_payload( permissions=["qr:read"]) code = default_qr_code["code"] query = f"""query {{ qrCode(qrCode: "{code}") {{ box {{ id }} }} }}""" assert_forbidden_request(read_only_client, query, value={"box": None})
def test_invalid_permission_for_box_field(read_only_client, mocker, default_box, field): # verify missing field:read permission mocker.patch("jose.jwt.decode").return_value = create_jwt_payload( permissions=["stock:read"]) query = f"""query {{ box(labelIdentifier: "{default_box["label_identifier"]}") {{ {field} {{ id }} }} }}""" assert_forbidden_request(read_only_client, query, value={field: None})
def test_invalid_permission_for_resource_base(read_only_client, mocker, default_product, resource): # verify missing base:read permission mocker.patch("jose.jwt.decode").return_value = create_jwt_payload( permissions=[f"{resource}:read"]) query = f"""query {{ {resource}(id: 1) {{ base {{ id }} }} }}""" assert_forbidden_request(read_only_client, query, value={"base": None})
def test_transfer_agreement_mutations_cancel_as_member_of_neither_org( read_only_client, mocker, default_transfer_agreement): mocker.patch("jose.jwt.decode").return_value = create_jwt_payload( organisation_id=3, user_id=2) # Test case 2.2.20 agreement_id = default_transfer_agreement["id"] mutation = f"mutation {{ cancelTransferAgreement(id: {agreement_id}) {{ id }} }}" assert_forbidden_request(read_only_client, mutation)
def test_invalid_permission_for_given_resource_id(read_only_client, mocker, query): """Verify missing resource:read permission, or missing permission to access specified resource (base or organisation). """ mocker.patch("jose.jwt.decode").return_value = create_jwt_payload( permissions=["base_1/base:read"], organisation_id=1) assert_forbidden_request(read_only_client, f"query {{ {query} }}")
def test_shipment_mutations_update_as_member_of_non_creating_org( read_only_client, another_shipment, default_bases): # Test case 3.2.25 # The default user (see auth_service fixture) is member of organisation 1 but # organisation 2 is the one that created another_shipment mutation = _generate_update_shipment_mutation( shipment=another_shipment, target_base=default_bases[2], ) assert_forbidden_request(read_only_client, mutation)
def test_shipment_mutations_update_mark_lost_boxes_as_member_of_creating_org( read_only_client, sent_shipment, marked_for_shipment_box, ): # Test case 3.2.41 mutation = _generate_update_shipment_mutation( shipment=sent_shipment, lost_boxes=[marked_for_shipment_box], ) assert_forbidden_request(read_only_client, mutation)
def test_shipment_mutations_create_as_member_of_neither_org( read_only_client, mocker, default_transfer_agreement): # Test case 3.2.4b mocker.patch("jose.jwt.decode").return_value = create_jwt_payload( organisation_id=3, user_id=2) mutation = _generate_create_shipment_mutation( source_base={"id": 0}, target_base={"id": 0}, agreement=default_transfer_agreement, ) assert_forbidden_request(read_only_client, mutation)
def test_shipment_mutations_create_as_target_org_member_in_unidirectional_agreement( read_only_client, default_bases, unidirectional_transfer_agreement): # Test case 3.2.4a # The default user (see auth_service fixture) is member of organisation 1 which is # the target organisation in the unidirectional_transfer_agreement fixture mutation = _generate_create_shipment_mutation( source_base=default_bases[3], target_base=default_bases[2], agreement=unidirectional_transfer_agreement, ) assert_forbidden_request(read_only_client, mutation)
def test_invalid_permission_for_shipment_details_field(read_only_client, mocker, default_box, field): # verify missing field:read permission mocker.patch("jose.jwt.decode").return_value = create_jwt_payload( permissions=["shipment:read"]) query = f"""query {{ shipment(id: 1) {{ details {{ {field} {{ id }} }} }} }}""" assert_forbidden_request(read_only_client, query, value={"details": [{ field: None }]})
def test_shipment_mutations_update_checked_in_boxes_as_member_of_creating_org( read_only_client, sent_shipment, default_shipment_detail, another_location, another_product, ): # Test case 3.2.35 mutation = _generate_update_shipment_mutation( shipment=sent_shipment, received_details=[default_shipment_detail], target_location=another_location, target_product=another_product, ) assert_forbidden_request(read_only_client, mutation)
def test_invalid_read_permissions(unauthorized, read_only_client, resource): """Verify missing resource:read permission when executing query.""" # Build plural form resources = f"{resource}s" if resource.endswith("y"): resources = f"{resource[:-1]}ies" query = f"""query {{ {resources} {{ id }} }}""" if resources == "beneficiaries": query = "query { beneficiaries { elements { id } } }" elif resources == "products": query = "query { products { elements { id } } }" assert_forbidden_request(read_only_client, query, none_data=True) query = f"""query {{ {resource}(id: 2) {{ id }} }}""" assert_forbidden_request(read_only_client, query)
def test_shipment_mutations_send_as_member_of_non_creating_org( read_only_client, another_shipment): # Test case 3.2.14 mutation = f"mutation {{ sendShipment(id: {another_shipment['id']}) {{ id }} }}" assert_forbidden_request(read_only_client, mutation)
def test_invalid_permission(unauthorized, read_only_client, query): """Verify missing resource:read permission.""" assert_forbidden_request(read_only_client, f"query {{ {query} }}")
def test_invalid_permission_for_location_boxes(read_only_client, mocker): # verify missing stock:read permission mocker.patch("jose.jwt.decode").return_value = create_jwt_payload( permissions=["location:read"]) query = "query { location(id: 1) { boxes { elements { id } } } }" assert_forbidden_request(read_only_client, query, value={"boxes": None})
def test_transfer_agreement_mutations_as_member_of_source_org( read_only_client, reviewed_transfer_agreement, action): # Test cases 2.2.9, 2.2.10 agreement_id = reviewed_transfer_agreement["id"] mutation = f"mutation {{ {action}TransferAgreement(id: {agreement_id}) {{ id }} }}" assert_forbidden_request(read_only_client, mutation)
def test_invalid_permission_for_metrics(read_only_client, mocker): query = "query { metrics(organisationId: 2) { numberOfSales } }" assert_forbidden_request(read_only_client, query)
def test_invalid_write_permission(unauthorized, read_only_client, mutation): """Verify missing resource:write permission when executing mutation.""" assert_forbidden_request(read_only_client, f"mutation {{ {mutation} }}", field=operation_name(mutation))