import json
from django.urls import reverse
from rest_framework import status
from rest_framework.authtoken.models import Token
from rest_framework.test import APITestCase, APIClient

from apps.accounts.tests.factories.accounts import AccountFactory, UserFactory
from apps.commons.permissions import (
    CreateOnly,
    IsAuthenticated,
    IsAuthorOrAdministrator,
    IsSelfOrAdministrator,
)
from apps.constants import HEADER_PREFIX


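class IsAuthenticatedPermissionTest(APITestCase):
    """Exercise ``IsAuthenticated.has_permission`` for three account states.

    The fixture builds one admin account that is both active and verified
    (``account_1``), one inactive account (``account_2``) and one unverified
    account (``account_3``). Only the first is asserted to pass the check.
    """

    @classmethod
    def setUpTestData(cls):
        """Create the users, accounts and auth tokens shared by every test."""
        cls.permission = IsAuthenticated()
        cls.user_1 = UserFactory(username="user_1", password="justpass")
        cls.user_2 = UserFactory(username="user_2", password="justpass")
        cls.user_3 = UserFactory(username="user_3", password="justpass")

        cls.account_1 = AccountFactory(
            admin=True,
            user=cls.user_1,
            is_active=True,
            is_verified=True,
        )
        cls.account_2 = AccountFactory(
            admin=False,
            user=cls.user_2,
            is_active=False,
            is_verified=True,
        )
        # Previously bound to ``account_2`` as well, which silently overwrote
        # the handle to the inactive account.
        cls.account_3 = AccountFactory(
            admin=False,
            user=cls.user_3,
            is_active=True,
            is_verified=False,
        )

        cls.token_1, _ = Token.objects.get_or_create(user=cls.user_1)
        cls.token_2, _ = Token.objects.get_or_create(user=cls.user_2)
        cls.token_3, _ = Token.objects.get_or_create(user=cls.user_3)

    def _request_as(self, user, token):
        """Build a GET request carrying *token* with ``request.user`` forced to *user*.

        ``request.user`` is assigned directly after the request is built, so the
        assertions do not depend on DRF's token authentication having run.
        """
        self.client = APIClient(HTTP_AUTHORIZATION=HEADER_PREFIX + token.key)
        request = self.client.get("/").wsgi_request
        request.user = user
        return request

    def test_has_permission_true_for_active_and_verified_user(self):
        request = self._request_as(self.user_1, self.token_1)
        self.assertTrue(self.permission.has_permission(request, None))

    def test_has_permission_false_for_inactive_user(self):
        # account_2 was created with is_active=False.
        request = self._request_as(self.user_2, self.token_2)
        self.assertFalse(self.permission.has_permission(request, None))

    def test_has_permission_false_for_unverified_user(self):
        # account_3 was created with is_verified=False.
        request = self._request_as(self.user_3, self.token_3)
        self.assertFalse(self.permission.has_permission(request, None))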


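class CreateOnlyPermissionTest(APITestCase):
    """Exercise ``CreateOnly.has_permission``: POST passes, other verbs do not."""

    @classmethod
    def setUpTestData(cls):
        """Create the permission under test; no database fixtures are needed."""
        cls.permission = CreateOnly()
        # Kept for compatibility with the original fixture; ``APITestCase``
        # also provides a fresh ``self.client`` per test.
        cls.client = APIClient()

    def test_has_permission_true_for_post_request(self):
        request = self.client.post("/").wsgi_request
        self.assertTrue(self.permission.has_permission(request, None))

    def test_has_permission_false_for_non_post_request(self):
        # Each verb is its own subTest so one failure does not hide the others.
        for method in ("get", "put", "patch", "delete"):
            with self.subTest(method=method):
                request = getattr(self.client, method)("/").wsgi_request
                self.assertFalse(self.permission.has_permission(request, None))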


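class DummyObjectWithUser:
    """Minimal stand-in for a model object that exposes a ``user`` attribute."""

    def __init__(self, user=None):
        """Store *user* (``None`` by default) on the instance."""
        self.user = user

    def __repr__(self):
        # Makes failed assertions name the wrapped user instead of an address.
        return f"{type(self).__name__}(user={self.user!r})"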


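class IsSelfOrAdministratorPermissionTest(APITestCase):
    """Exercise ``IsSelfOrAdministrator`` with an admin and a plain user.

    ``object`` is a stand-in whose ``user`` is ``user_2``, so ``user_2`` is
    "self" for it while ``user_1`` is the administrator.

    NOTE(review): no negative ``has_object_permission`` case (a non-admin user
    that is not the object's user) is covered here.
    """

    @classmethod
    def setUpTestData(cls):
        """Create the users, accounts, tokens and the target object once."""
        cls.permission = IsSelfOrAdministrator()
        cls.user_1 = UserFactory(username="user_1", password="justpass")
        cls.user_2 = UserFactory(username="user_2", password="justpass")

        cls.account_1 = AccountFactory(admin=True, user=cls.user_1)
        cls.account_2 = AccountFactory(admin=False, user=cls.user_2, is_active=False)

        cls.token_1, _ = Token.objects.get_or_create(user=cls.user_1)
        cls.token_2, _ = Token.objects.get_or_create(user=cls.user_2)

        cls.object = DummyObjectWithUser(user=cls.user_2)

    def _request_as(self, user, token=None):
        """Build a GET request with ``request.user`` forced to *user*.

        When *token* is given it is sent as the Authorization header. The
        user is assigned directly after the request is built, so the
        assertions do not depend on DRF's token authentication having run.
        """
        headers = {}
        if token is not None:
            headers["HTTP_AUTHORIZATION"] = HEADER_PREFIX + token.key
        self.client = APIClient(**headers)
        request = self.client.get("/").wsgi_request
        request.user = user
        return request

    def test_has_permission_true_for_authenticated_user(self):
        request = self._request_as(self.user_1, self.token_1)
        self.assertTrue(self.permission.has_permission(request, None))

    def test_has_permission_false_for_unauthenticated_user(self):
        # No Authorization header at all.
        request = self._request_as(self.user_2)
        self.assertFalse(self.permission.has_permission(request, None))

        # A valid token for user_2 is still denied; account_2 was created with
        # is_active=False, which is presumably the reason -- confirm against
        # the permission class.
        request = self._request_as(self.user_2, self.token_2)
        self.assertFalse(self.permission.has_permission(request, None))

    def test_has_object_permission_true_for_admin(self):
        request = self._request_as(self.user_1, self.token_1)
        self.assertTrue(
            self.permission.has_object_permission(request, None, self.object)
        )

    def test_has_object_permission_true_for_self(self):
        request = self._request_as(self.user_2, self.token_2)
        self.assertTrue(
            self.permission.has_object_permission(request, None, self.object)
        )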


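class DummyObjectWithAuthor:
    """Minimal stand-in for a model object that exposes an ``author`` attribute."""

    def __init__(self, author=None):
        """Store *author* (``None`` by default) on the instance."""
        self.author = author

    def __repr__(self):
        # Makes failed assertions name the wrapped author instead of an address.
        return f"{type(self).__name__}(author={self.author!r})"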


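class IsAuthorOrAdministratorPermissionTest(APITestCase):
    """Exercise ``IsAuthorOrAdministrator`` with an admin and a plain user.

    ``object`` is a stand-in whose ``author`` is ``account_2`` (user_2's
    account). ``wrong_object`` has no ``author`` attribute at all; the admin
    test asserts it is still allowed for ``user_1``.

    NOTE(review): no negative ``has_object_permission`` case (a non-admin user
    that is not the author) is covered here.
    """

    @classmethod
    def setUpTestData(cls):
        """Create the users, accounts, tokens and the target objects once."""
        cls.permission = IsAuthorOrAdministrator()
        cls.user_1 = UserFactory(username="user_1", password="justpass")
        cls.user_2 = UserFactory(username="user_2", password="justpass")

        cls.account_1 = AccountFactory(admin=True, user=cls.user_1)
        cls.account_2 = AccountFactory(admin=False, user=cls.user_2, is_active=False)

        cls.token_1, _ = Token.objects.get_or_create(user=cls.user_1)
        cls.token_2, _ = Token.objects.get_or_create(user=cls.user_2)

        cls.object = DummyObjectWithAuthor(author=cls.account_2)
        cls.wrong_object = DummyObjectWithUser(user=cls.user_2)

    def _request_as(self, user, token=None):
        """Build a GET request with ``request.user`` forced to *user*.

        When *token* is given it is sent as the Authorization header. The
        user is assigned directly after the request is built, so the
        assertions do not depend on DRF's token authentication having run.
        """
        headers = {}
        if token is not None:
            headers["HTTP_AUTHORIZATION"] = HEADER_PREFIX + token.key
        self.client = APIClient(**headers)
        request = self.client.get("/").wsgi_request
        request.user = user
        return request

    def test_has_permission_true_for_authenticated_user(self):
        request = self._request_as(self.user_1, self.token_1)
        self.assertTrue(self.permission.has_permission(request, None))

    def test_has_permission_false_for_unauthenticated_user(self):
        # No Authorization header at all.
        request = self._request_as(self.user_2)
        self.assertFalse(self.permission.has_permission(request, None))

        # A valid token for user_2 is still denied; account_2 was created with
        # is_active=False, which is presumably the reason -- confirm against
        # the permission class.
        request = self._request_as(self.user_2, self.token_2)
        self.assertFalse(self.permission.has_permission(request, None))

    def test_has_object_permission_true_for_admin(self):
        request = self._request_as(self.user_1, self.token_1)
        self.assertTrue(
            self.permission.has_object_permission(request, None, self.object)
        )
        # The admin path is expected to succeed even for an object that has
        # no ``author`` attribute.
        self.assertTrue(
            self.permission.has_object_permission(request, None, self.wrong_object)
        )

    def test_has_object_permission_true_for_self(self):
        request = self._request_as(self.user_2, self.token_2)
        self.assertTrue(
            self.permission.has_object_permission(request, None, self.object)
        )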