def test_func(self):
    """
    Access check used by UserPassesTestMixin.

    Grants access only to an authenticated user who is an assessor and whose
    assessor groups include the assessor group of the assessment returned by
    ``self.get_assessment()``. Every other case returns False.
    """
    current_user = self.request.user
    # NOTE(review): is_authenticated is invoked as a method; on Django releases where it is a
    # plain property this call form fails -- confirm the project's Django version.
    # Anonymous users and non-assessors are rejected before the assessment is looked up.
    if not current_user.is_authenticated() or not is_assessor(current_user):
        return False
    target = self.get_assessment()
    if target is None:
        return False
    # Object-level gate: the assessment must be assigned to one of the user's own groups.
    return target.assessor_group in get_user_assessor_groups(current_user)
def test_func(self):
    """
    Access check used by UserPassesTestMixin.

    Anonymous users fail the check with ``raise_exception`` cleared; for any
    authenticated user ``raise_exception`` is set before the remaining checks.
    Customers and officers are rejected. Anyone else passes only when the
    assessment returned by ``self.get_assessment()`` exists and its assessor
    group is one of the user's assessor groups.
    """
    current_user = self.request.user
    if not current_user.is_authenticated():
        # presumably a cleared raise_exception makes the mixin redirect to login instead of
        # answering 403 -- confirm against the mixin's no-permission handling.
        self.raise_exception = False
        return False
    self.raise_exception = True
    # The role gate is a deny-list: an authenticated user who is neither customer nor officer
    # proceeds, so the group-membership test below is the check that actually grants access.
    if is_customer(current_user):
        return False
    if is_officer(current_user):
        return False
    target = self.get_assessment()
    if target is None:
        return False
    return target.assessor_group in get_user_assessor_groups(current_user)
def test_func(self):
    """
    Access check used by UserPassesTestMixin.

    Returns True only for an authenticated user who is neither a customer nor
    an officer and whose assessor groups contain the assessor group of the
    assessment from ``self.get_assessment()``. ``raise_exception`` is set to
    False for anonymous users and to True for authenticated ones.
    """
    requester = self.request.user
    if not requester.is_authenticated():
        # presumably lets the mixin send anonymous users to login rather than a 403 --
        # confirm against the mixin's no-permission handling.
        self.raise_exception = False
        return False
    self.raise_exception = True
    # Deny-list on roles; the object-level decision is the group membership test at the end.
    blocked_role = is_customer(requester) or is_officer(requester)
    if blocked_role:
        return False
    assessment = self.get_assessment()
    if assessment is None:
        return False
    allowed_groups = get_user_assessor_groups(requester)
    return assessment.assessor_group in allowed_groups
def test_assessor_access_limited(self):
    """
    Test that an assessor cannot edit an assessment that doesn't belong to their group.

    The default assessor has the assessor role but no assessor group. Every
    condition-editing URL must answer 403 or end on the assessor dashboard
    after a redirect. All assessors can search conditions.
    """
    def assert_denied(response):
        # A denial is either an explicit 403 or a redirect back to the assessor dashboard.
        if response.status_code == 403:
            return
        self.assertRedirects(response, reverse('wl_dashboard:tables_assessor'),
                             status_code=302, target_status_code=200)

    assessor = get_or_create_default_assessor()
    self.client.login(assessor.email)
    # Preconditions: the user has the assessor role but belongs to no assessor group.
    self.assertTrue(is_assessor(assessor))
    self.assertFalse(get_user_assessor_groups(assessor))

    # forbidden
    urls_get_forbidden = [
        reverse('wl_applications:enter_conditions', args=[self.application.pk]),
        reverse('wl_applications:enter_conditions_assessor',
                args=[self.application.pk, self.assessment.pk]),
    ]
    urls_post_forbidden = [
        {
            'url': reverse('wl_applications:create_condition'),
            'data': {'code': '123488374', 'text': 'condition text'},
        },
        {
            'url': reverse('wl_applications:set_assessment_condition_state'),
            'data': {
                'assessmentConditionID': self.assessment_condition.pk,
                'acceptanceStatus': 'accepted',
            },
        },
        {
            'url': reverse('wl_applications:enter_conditions', args=[self.application.pk]),
            'data': {'conditionID': [self.condition.pk]},
        },
        {
            'url': reverse('wl_applications:enter_conditions_assessor',
                           args=[self.application.pk, self.assessment.pk]),
            'data': {'conditionID': [self.condition.pk]},
        },
    ]
    # Allowed
    urls_get_allowed = [reverse('wl_applications:search_conditions')]
    urls_post_allowed = []

    for forbidden_url in urls_get_forbidden:
        assert_denied(self.client.get(forbidden_url, follow=True))

    # NOTE(review): the POST checks only inspect the response; they do not verify that the
    # rejected request left conditions and assessment state unchanged -- consider asserting
    # on the stored data as well.
    for entry in urls_post_forbidden:
        assert_denied(self.client.post(entry['url'], entry['data'], follow=True))

    for allowed_url in urls_get_allowed:
        response = self.client.get(allowed_url, follow=True)
        self.assertEqual(200, response.status_code)

    # Currently empty, so this loop performs no requests.
    for entry in urls_post_allowed:
        response = self.client.post(entry['url'], entry['data'], follow=True)
        self.assertEqual(200, response.status_code)
def test_assessor_access_limited(self):
    """
    Test that an assessor cannot edit an assessment that doesn't belong to their group.

    The default assessor has the assessor role but is in no assessor group.
    Each condition-editing GET and POST must be answered with 403 or finish on
    the assessor dashboard after a redirect. All assessors can search
    conditions.
    """
    def check_rejected(resp):
        # Accept a 403 outright; otherwise require a 302 that lands on the assessor dashboard.
        if resp.status_code != 403:
            self.assertRedirects(resp, reverse('wl_dashboard:tables_assessor'),
                                 status_code=302, target_status_code=200)

    assessor = get_or_create_default_assessor()
    self.client.login(assessor.email)
    # This assessor doesn't belong to a group
    self.assertTrue(is_assessor(assessor))
    self.assertFalse(get_user_assessor_groups(assessor))

    # forbidden
    urls_get_forbidden = [
        reverse('wl_applications:enter_conditions', args=[self.application.pk]),
        reverse('wl_applications:enter_conditions_assessor',
                args=[self.application.pk, self.assessment.pk]),
    ]
    urls_post_forbidden = [
        {
            'url': reverse('wl_applications:create_condition', args=[self.application.pk]),
            'data': {'code': '123488374', 'text': 'condition text'},
        },
        {
            'url': reverse('wl_applications:set_assessment_condition_state'),
            'data': {
                'assessmentConditionID': self.assessment_condition.pk,
                'acceptanceStatus': 'accepted',
            },
        },
        {
            'url': reverse('wl_applications:enter_conditions', args=[self.application.pk]),
            'data': {'conditionID': [self.condition.pk]},
        },
        {
            'url': reverse('wl_applications:enter_conditions_assessor',
                           args=[self.application.pk, self.assessment.pk]),
            'data': {'conditionID': [self.condition.pk]},
        },
    ]
    # Allowed
    urls_get_allowed = [reverse('wl_applications:search_conditions')]
    urls_post_allowed = []

    for target in urls_get_forbidden:
        check_rejected(self.client.get(target, follow=True))

    # NOTE(review): only the HTTP outcome is asserted for the forbidden POSTs; nothing here
    # confirms the rejected request made no change to stored conditions or assessment
    # state -- consider adding such an assertion.
    for request_spec in urls_post_forbidden:
        check_rejected(self.client.post(request_spec['url'], request_spec['data'], follow=True))

    for target in urls_get_allowed:
        response = self.client.get(target, follow=True)
        self.assertEqual(200, response.status_code)

    # The allowed-POST list is empty, so no request is issued by this loop.
    for request_spec in urls_post_allowed:
        response = self.client.post(request_spec['url'], request_spec['data'], follow=True)
        self.assertEqual(200, response.status_code)