from django.test import TestCase, Client
from django.contrib.auth.models import Permission
from knox.models import AuthToken
from authentication.models import EventPermission, ExtendedUser
from inventory.models import Event
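class PermissionsTestCase(TestCase):
    """Integration tests for user- and event-scoped permission checks on the API.

    ``setUp`` builds two authenticated callers: ``self.client`` acts as a user
    holding every model-level permission plus an object-level ``view_event``
    grant on both test events, and ``self.newuser_client`` acts as a freshly
    created user with no permissions at all. Both authenticate with a knox
    token sent as ``Authorization: Token <key>``.
    """

    def setUp(self):
        """Create the two test users, two events, their tokens and API clients."""
        super().setUp()

        # Privileged user: every model-level Permission present in the database.
        self.user = ExtendedUser.objects.create_user('testuser', 'test', 'test')
        self.user.user_permissions.add(*Permission.objects.all())

        event1 = Event.objects.create(slug='testevent1', name='testevent1')
        event2 = Event.objects.create(slug='testevent2', name='testevent2')

        # Object-level grant: ``view_event`` on both events for the privileged user.
        view_event = Permission.objects.get(codename='view_event')
        EventPermission.objects.create(user=self.user, permission=view_event, event=event1)
        EventPermission.objects.create(user=self.user, permission=view_event, event=event2)

        # knox's manager returns ``(instance, token_string)``; index 1 is the
        # raw token that goes into the Authorization header.
        self.token = AuthToken.objects.create(user=self.user)
        self.client = Client(headers={'Authorization': 'Token ' + self.token[1]})

        # Unprivileged user: no model permissions and no EventPermission rows.
        self.newuser = ExtendedUser.objects.create_user('newuser', 'test', 'test')
        self.newuser_token = AuthToken.objects.create(user=self.newuser)
        self.newuser_client = Client(headers={'Authorization': 'Token ' + self.newuser_token[1]})

    def test_user_permissions(self):
        """The privileged user can list every account via ``/api/2/users/``.

        Three accounts are expected: ``legacy_user`` (not created by this test,
        so presumably seeded by a data migration -- TODO confirm), ``testuser``
        and ``newuser``. The order is asserted exactly as the endpoint returns it.
        """
        response = self.client.get('/api/2/users/')
        self.assertEqual(response.status_code, 200)

        # Parse once instead of re-decoding the body on every assertion.
        users = response.json()
        self.assertEqual(len(users), 3)

        legacy, testuser = users[0], users[1]
        self.assertEqual(legacy['username'], 'legacy_user')
        self.assertEqual(legacy['email'], 'mail@localhost')
        self.assertEqual(legacy['first_name'], '')
        self.assertEqual(legacy['last_name'], '')
        self.assertEqual(legacy['id'], 1)

        self.assertEqual(testuser['username'], 'testuser')
        self.assertEqual(testuser['email'], 'test')
        self.assertEqual(testuser['first_name'], '')
        self.assertEqual(testuser['last_name'], '')

        # TODO(review): the unprivileged ``self.newuser_client`` is never sent
        # to ``/api/2/users/``; add the expected denial once the endpoint's
        # access policy for non-privileged callers is confirmed.

    def test_user_permission(self):
        """Event-scoped grants are stored per ``(user, permission, event)``.

        A second user receives ``view_item`` on both events and ``add_item`` on
        ``testevent1`` only; the test verifies exactly those rows exist.
        """
        user = ExtendedUser.objects.create_user('testuser2', 'test', 'test')
        view_item = Permission.objects.get(codename='view_item')
        add_item = Permission.objects.get(codename='add_item')
        event1 = Event.objects.get(slug='testevent1')
        event2 = Event.objects.get(slug='testevent2')

        user.event_permissions.create(permission=view_item, event=event1)
        user.event_permissions.create(permission=view_item, event=event2)
        user.event_permissions.create(permission=add_item, event=event1)

        # The earlier version of this test created the rows above and asserted
        # nothing, so it passed regardless of what was stored. Pin the grants.
        self.assertEqual(user.event_permissions.count(), 3)
        self.assertEqual(
            set(user.event_permissions.filter(permission=view_item).values_list('event__slug', flat=True)),
            {'testevent1', 'testevent2'},
        )
        self.assertEqual(
            list(user.event_permissions.filter(permission=add_item).values_list('event__slug', flat=True)),
            ['testevent1'],
        )

        # TODO(review): the draft also intended object-level checks of the form
        # ``user.has_perm('inventory.<codename>', event)``; restore them once
        # the expected results of the project's permission backend for this
        # fixture are confirmed.

    def test_item_api_permissions(self):
        """Item listing is readable by the privileged user and denied to the unprivileged one.

        ``self.user`` holds every model permission, so both per-event item
        lists return 200 and are empty (no items are created). ``newuser``
        holds nothing and must be rejected with 403 on both events.
        """
        for slug in ('testevent1', 'testevent2'):
            with self.subTest(event=slug, caller='privileged'):
                response = self.client.get(f'/api/2/{slug}/items/')
                self.assertEqual(response.status_code, 200)
                self.assertEqual(len(response.json()), 0)

        for slug in ('testevent1', 'testevent2'):
            with self.subTest(event=slug, caller='unprivileged'):
                response = self.newuser_client.get(f'/api/2/{slug}/items/')
                self.assertEqual(response.status_code, 403)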