
import json
from django.urls import reverse
from rest_framework import status
from rest_framework.authtoken.models import Token
from rest_framework.test import APITestCase, APIClient

from apps.accounts.tests.factories.accounts import AccountFactory, UserFactory
from apps.commons.permissions import (
    CreateOnly,
    IsAuthenticated,
    IsAuthorOrAdministrator,
    IsSelfOrAdministrator,
)
from apps.constants import HEADER_PREFIX

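class IsAuthenticatedPermissionTest(APITestCase):
    """Exercise ``IsAuthenticated.has_permission`` with an active admin and an inactive user.

    Both users carry a DRF token, so the "unauthenticated" case below is a
    token-bearing user whose ``Account`` has ``is_active=False`` rather than
    an anonymous request; a no-token request is covered separately, mirroring
    the sibling permission tests in this module.
    """

    @classmethod
    def setUpTestData(cls):
        # Class-level fixtures: built once per test class by Django's TestCase.
        cls.permission = IsAuthenticated()
        cls.user_1 = UserFactory(username="user_1", password="justpass")
        cls.user_2 = UserFactory(username="user_2", password="justpass")

        # user_1 is an active administrator; user_2's account is deactivated.
        cls.account_1 = AccountFactory(admin=True, user=cls.user_1)
        cls.account_2 = AccountFactory(admin=False, user=cls.user_2, is_active=False)

        cls.token_1, _ = Token.objects.get_or_create(user=cls.user_1)
        cls.token_2, _ = Token.objects.get_or_create(user=cls.user_2)

    def _request_as(self, user, token=None):
        """Return a GET ``wsgi_request`` acting as *user*.

        When *token* is given it is sent in the Authorization header using the
        project's ``HEADER_PREFIX``; ``request.user`` is always set explicitly
        so the permission sees *user* regardless of middleware behaviour.
        """
        if token is None:
            client = APIClient()
        else:
            client = APIClient(HTTP_AUTHORIZATION=HEADER_PREFIX + token.key)
        request = client.get("/").wsgi_request
        request.user = user
        return request

    def test_has_permission_true_for_authenticated_user(self):
        """An active administrator presenting a valid token is allowed."""
        request = self._request_as(self.user_1, token=self.token_1)
        self.assertTrue(self.permission.has_permission(request, None))

    def test_has_permission_false_for_unauthenticated_user(self):
        """A user whose account is inactive is denied.

        The first request carries no token at all, the second a token that is
        itself valid: in both cases the inactive account must not pass.
        """
        request = self._request_as(self.user_2)
        self.assertFalse(self.permission.has_permission(request, None))

        request = self._request_as(self.user_2, token=self.token_2)
        self.assertFalse(self.permission.has_permission(request, None))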


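class CreateOnlyPermissionTest(APITestCase):
    """Exercise ``CreateOnly.has_permission``: POST is the only accepted method."""

    @classmethod
    def setUpTestData(cls):
        cls.permission = CreateOnly()
        # NOTE(review): APITestCase also provides a per-test ``self.client``;
        # this class-level client is kept for parity with the original setup.
        cls.client = APIClient()

    def test_has_permission_true_for_post_request(self):
        """POST (create) is allowed."""
        request = self.client.post("/").wsgi_request
        self.assertTrue(self.permission.has_permission(request, None))

    def test_has_permission_false_for_non_post_request(self):
        """Every non-POST method is rejected, including the other write methods.

        HEAD and OPTIONS are included so a "safe method" shortcut in the
        permission would be caught; each method is a separate sub-test so a
        failure names the offending verb.
        """
        for method in ("get", "put", "patch", "delete", "head", "options"):
            with self.subTest(method=method):
                request = getattr(self.client, method)("/").wsgi_request
                self.assertFalse(self.permission.has_permission(request, None))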


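class DummyObjectWithUser:
    """Minimal stand-in for a model instance exposing a ``user`` attribute.

    Lets ``has_object_permission`` be exercised without a database-backed
    object. ``user`` defaults to ``None``.
    """

    def __init__(self, user=None):
        self.user = user

    def __repr__(self):
        # Helpful in assertion messages when a permission check fails.
        return f"{type(self).__name__}(user={self.user!r})"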


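class IsSelfOrAdministratorPermissionTest(APITestCase):
    """Exercise ``IsSelfOrAdministrator`` at the view and the object level.

    Fixtures: user_1 is an active administrator, user_2 owns the object under
    test but has a deactivated account, and user_3 is an active non-admin who
    does not own it. user_3 exists so the denial path of
    ``has_object_permission`` is asserted, not only the allow paths.
    """

    @classmethod
    def setUpTestData(cls):
        cls.permission = IsSelfOrAdministrator()
        cls.user_1 = UserFactory(username="user_1", password="justpass")
        cls.user_2 = UserFactory(username="user_2", password="justpass")
        cls.user_3 = UserFactory(username="user_3", password="justpass")

        cls.account_1 = AccountFactory(admin=True, user=cls.user_1)
        cls.account_2 = AccountFactory(admin=False, user=cls.user_2, is_active=False)
        cls.account_3 = AccountFactory(admin=False, user=cls.user_3, is_active=True)

        cls.token_1, _ = Token.objects.get_or_create(user=cls.user_1)
        cls.token_2, _ = Token.objects.get_or_create(user=cls.user_2)
        cls.token_3, _ = Token.objects.get_or_create(user=cls.user_3)

        # The protected object belongs to user_2.
        cls.object = DummyObjectWithUser(user=cls.user_2)

    def _request_as(self, user, token=None):
        """Return a GET ``wsgi_request`` acting as *user*.

        When *token* is given it is sent in the Authorization header using the
        project's ``HEADER_PREFIX``; ``request.user`` is always set explicitly.
        """
        if token is None:
            client = APIClient()
        else:
            client = APIClient(HTTP_AUTHORIZATION=HEADER_PREFIX + token.key)
        request = client.get("/").wsgi_request
        request.user = user
        return request

    def test_has_permission_true_for_authenticated_user(self):
        """An active administrator presenting a valid token passes the view-level check."""
        request = self._request_as(self.user_1, token=self.token_1)
        self.assertTrue(self.permission.has_permission(request, None))

    def test_has_permission_false_for_unauthenticated_user(self):
        """A user with an inactive account fails the view-level check, with or without a token."""
        request = self._request_as(self.user_2)
        self.assertFalse(self.permission.has_permission(request, None))

        request = self._request_as(self.user_2, token=self.token_2)
        self.assertFalse(self.permission.has_permission(request, None))

    def test_has_object_permission_true_for_admin(self):
        """An administrator may act on an object owned by someone else."""
        request = self._request_as(self.user_1, token=self.token_1)
        self.assertTrue(
            self.permission.has_object_permission(request, None, self.object)
        )

    def test_has_object_permission_true_for_self(self):
        """The owner may act on their own object (account activity is not re-checked here)."""
        request = self._request_as(self.user_2, token=self.token_2)
        self.assertTrue(
            self.permission.has_object_permission(request, None, self.object)
        )

    def test_has_object_permission_false_for_other_user(self):
        """An active non-admin who is not the owner is denied.

        This is the authorization boundary the permission exists to enforce;
        without it a bypass granting access to other users' objects would go
        unnoticed by the suite.
        """
        request = self._request_as(self.user_3, token=self.token_3)
        self.assertFalse(
            self.permission.has_object_permission(request, None, self.object)
        )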


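class DummyObjectWithAuthor:
    """Minimal stand-in for a model instance exposing an ``author`` attribute.

    Lets ``has_object_permission`` be exercised without a database-backed
    object. ``author`` defaults to ``None``.
    """

    def __init__(self, author=None):
        self.author = author

    def __repr__(self):
        # Helpful in assertion messages when a permission check fails.
        return f"{type(self).__name__}(author={self.author!r})"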


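class IsAuthorOrAdministratorPermissionTest(APITestCase):
    """Exercise ``IsAuthorOrAdministrator`` at the view and the object level.

    Fixtures: user_1 is an active administrator, user_2's account authored the
    object under test but is deactivated, and user_3 is an active non-admin
    who is not the author. ``wrong_object`` has a ``user`` attribute but no
    ``author`` at all.
    """

    @classmethod
    def setUpTestData(cls):
        cls.permission = IsAuthorOrAdministrator()
        cls.user_1 = UserFactory(username="user_1", password="justpass")
        cls.user_2 = UserFactory(username="user_2", password="justpass")
        cls.user_3 = UserFactory(username="user_3", password="justpass")

        cls.account_1 = AccountFactory(admin=True, user=cls.user_1)
        cls.account_2 = AccountFactory(admin=False, user=cls.user_2, is_active=False)
        cls.account_3 = AccountFactory(admin=False, user=cls.user_3, is_active=True)

        cls.token_1, _ = Token.objects.get_or_create(user=cls.user_1)
        cls.token_2, _ = Token.objects.get_or_create(user=cls.user_2)
        cls.token_3, _ = Token.objects.get_or_create(user=cls.user_3)

        # ``author`` is an Account (not a User), unlike DummyObjectWithUser.user.
        cls.object = DummyObjectWithAuthor(author=cls.account_2)
        cls.wrong_object = DummyObjectWithUser(user=cls.user_2)

    def _request_as(self, user, token=None):
        """Return a GET ``wsgi_request`` acting as *user*.

        When *token* is given it is sent in the Authorization header using the
        project's ``HEADER_PREFIX``; ``request.user`` is always set explicitly.
        """
        if token is None:
            client = APIClient()
        else:
            client = APIClient(HTTP_AUTHORIZATION=HEADER_PREFIX + token.key)
        request = client.get("/").wsgi_request
        request.user = user
        return request

    def test_has_permission_true_for_authenticated_user(self):
        """An active administrator presenting a valid token passes the view-level check."""
        request = self._request_as(self.user_1, token=self.token_1)
        self.assertTrue(self.permission.has_permission(request, None))

    def test_has_permission_false_for_unauthenticated_user(self):
        """A user with an inactive account fails the view-level check, with or without a token."""
        request = self._request_as(self.user_2)
        self.assertFalse(self.permission.has_permission(request, None))

        request = self._request_as(self.user_2, token=self.token_2)
        self.assertFalse(self.permission.has_permission(request, None))

    def test_has_object_permission_true_for_admin(self):
        """An administrator is allowed regardless of the object.

        The second assertion uses an object with no ``author`` attribute, so
        the admin branch evidently decides before the author is consulted.
        """
        request = self._request_as(self.user_1, token=self.token_1)
        self.assertTrue(
            self.permission.has_object_permission(request, None, self.object)
        )
        self.assertTrue(
            self.permission.has_object_permission(request, None, self.wrong_object)
        )

    def test_has_object_permission_true_for_self(self):
        """The author may act on their own object (account activity is not re-checked here)."""
        request = self._request_as(self.user_2, token=self.token_2)
        self.assertTrue(
            self.permission.has_object_permission(request, None, self.object)
        )

    def test_has_object_permission_false_for_other_user(self):
        """An active non-admin who is not the author is denied.

        Asserting the denial path is what makes this suite able to catch an
        authorization bypass in the permission class.
        """
        request = self._request_as(self.user_3, token=self.token_3)
        self.assertFalse(
            self.permission.has_object_permission(request, None, self.object)
        )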