diff --git a/backend/api/tests/api/test_role.py b/backend/api/tests/api/test_role.py index 38fd3533..ce494550 100644 --- a/backend/api/tests/api/test_role.py +++ b/backend/api/tests/api/test_role.py @@ -1,170 +1,144 @@ from django.conf import settings -from django.contrib.auth.models import User -from model_mommy import mommy from rest_framework import status from rest_framework.reverse import reverse from rest_framework.test import APITestCase -from ...models import Role -from .utils import assign_user_to_role, create_default_roles +from ...models import Role, RoleMapping +from .utils import create_default_roles, make_user, prepare_project class TestRoleAPI(APITestCase): @classmethod def setUpTestData(cls): - cls.user_name = 'user_name' - cls.user_pass = 'user_pass' - cls.project_admin_name = 'project_admin_name' - cls.project_admin_pass = 'project_admin_pass' create_default_roles() - cls.user = User.objects.create_user(username=cls.user_name, - password=cls.user_pass) - User.objects.create_superuser(username=cls.project_admin_name, - password=cls.project_admin_pass, - email='fizz@buzz.com') + cls.user = make_user() cls.url = reverse(viewname='roles') - def test_cannot_create_multiple_roles_with_same_name(self): - self.client.login(username=self.project_admin_name, - password=self.project_admin_pass) - roles = [ - {'name': 'examplerole', 'description': 'example'}, - {'name': 'examplerole', 'description': 'example'} - ] - self.client.post(self.url, format='json', data=roles[0]) - second_response = self.client.post(self.url, format='json', data=roles[1]) - self.assertEqual(second_response.status_code, status.HTTP_400_BAD_REQUEST) - - def test_nonadmin_cannot_create_role(self): - self.client.login(username=self.user_name, - password=self.user_pass) - data = {'name': 'testrole', 'description': 'example'} - response = self.client.post(self.url, format='json', data=data) - self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - - def test_admin_can_create_role(self): - self.client.login(username=self.project_admin_name, - password=self.project_admin_pass) - data = {'name': 'testrole', 'description': 'example'} - response = self.client.post(self.url, format='json', data=data) - self.assertEqual(response.status_code, status.HTTP_201_CREATED) - - def test_admin_can_get_roles(self): - self.client.login(username=self.project_admin_name, - password=self.project_admin_pass) - response = self.client.get(self.url, format='json') + def test_allows_authenticated_user_to_get_roles(self): + self.client.force_login(self.user) + response = self.client.get(self.url) self.assertEqual(response.status_code, status.HTTP_200_OK) + def test_disallows_unauthenticated_user_to_get_roles(self): + response = self.client.get(self.url) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + class TestRoleMappingListAPI(APITestCase): - @classmethod - def setUpTestData(cls): - cls.project_member_name = 'project_member_name' - cls.project_member_pass = 'project_member_pass' - cls.second_project_member_name = 'second_project_member_name' - cls.second_project_member_pass = 'second_project_member_pass' - cls.project_admin_name = 'project_admin_name' - cls.project_admin_pass = 'project_admin_pass' - create_default_roles() - project_member = User.objects.create_user(username=cls.project_member_name, - password=cls.project_member_pass) - cls.second_project_member = User.objects.create_user(username=cls.second_project_member_name, - password=cls.second_project_member_pass) - project_admin = User.objects.create_user(username=cls.project_admin_name, - password=cls.project_admin_pass) - cls.main_project = mommy.make('Project', users=[project_member, project_admin, cls.second_project_member]) - cls.other_project = mommy.make('Project', users=[cls.second_project_member, project_admin]) - cls.admin_role = Role.objects.get(name=settings.ROLE_PROJECT_ADMIN) - cls.role = mommy.make('Role', name='otherrole') - assign_user_to_role(project_admin, cls.main_project, cls.admin_role) - cls.data = {'user': project_member.id, 'role': cls.admin_role.id, 'project': cls.main_project.id} - cls.other_url = reverse(viewname='rolemapping_list', args=[cls.other_project.id]) - cls.url = reverse(viewname='rolemapping_list', args=[cls.main_project.id]) - - def test_returns_mappings_to_project_admin(self): - self.client.login(username=self.project_admin_name, - password=self.project_admin_pass) - response = self.client.get(self.url, format='json') - self.assertEqual(response.status_code, status.HTTP_200_OK) + def setUp(self): + self.project = prepare_project() + self.non_member = make_user() + admin_role = Role.objects.get(name=settings.ROLE_PROJECT_ADMIN) + self.data = {'user': self.non_member.id, 'role': admin_role.id, 'project': self.project.item.id} + self.url = reverse(viewname='rolemapping_list', args=[self.project.item.id]) + + def assert_list(self, user=None, expected=status.HTTP_403_FORBIDDEN): + if user: + self.client.force_login(user) + response = self.client.get(self.url) + self.assertEqual(response.status_code, expected) + + def test_allows_project_admin_to_get_mappings(self): + self.assert_list(self.project.users[0], status.HTTP_200_OK) + + def test_denies_non_project_admin_to_get_mappings(self): + for member in self.project.users[1:]: + self.assert_list(member, status.HTTP_403_FORBIDDEN) + + def test_denies_non_project_member_to_get_mappings(self): + self.assert_list(self.non_member, status.HTTP_403_FORBIDDEN) + + def test_denies_unauthenticated_user_to_get_mappings(self): + self.assert_list(expected=status.HTTP_403_FORBIDDEN) + + def assert_create(self, user=None, expected=status.HTTP_403_FORBIDDEN): + if user: + self.client.force_login(user) + response = self.client.post(self.url, data=self.data, format='json') + self.assertEqual(response.status_code, expected) + + def test_allows_project_admin_to_create_mapping(self): + self.assert_create(self.project.users[0], status.HTTP_201_CREATED) + + def test_denies_non_project_admin_to_create_mapping(self): + for member in self.project.users[1:]: + self.assert_create(member, status.HTTP_403_FORBIDDEN) + + def test_denies_non_project_member_to_create_mapping(self): + self.assert_create(self.non_member, status.HTTP_403_FORBIDDEN) - # Todo: refactoring testing. - # def test_allows_superuser_to_create_mapping(self): - # self.client.login(username=self.project_admin_name, - # password=self.project_admin_pass) - # response = self.client.post(self.url, format='json', data=self.data) - # self.assertEqual(response.status_code, status.HTTP_201_CREATED) - # - # def test_do_not_allow_nonadmin_to_create_mapping(self): - # self.client.login(username=self.project_member_name, - # password=self.project_member_pass) - # response = self.client.post(self.url, format='json', data=self.data) - # self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - # - # def test_do_not_return_mappings_to_nonadmin(self): - # self.client.login(username=self.project_member_name, - # password=self.project_member_pass) - # response = self.client.get(self.url, format='json') - # self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + def test_denies_unauthenticated_user_to_create_mapping(self): + self.assert_create(expected=status.HTTP_403_FORBIDDEN) + + def assert_bulk_delete(self, user=None, expected=status.HTTP_403_FORBIDDEN): + if user: + self.client.force_login(user) + ids = [item.id for item in self.project.item.role_mappings.all()] + response = self.client.delete(self.url, data={'ids': ids}, format='json') + self.assertEqual(response.status_code, expected) + + def test_allows_project_admin_to_bulk_delete(self): + self.assert_bulk_delete(self.project.users[0], status.HTTP_204_NO_CONTENT) + response = self.client.get(self.url) + self.assertEqual(len(response.data), 1) + + def test_denies_non_project_admin_to_bulk_delete(self): + for member in self.project.users[1:]: + self.assert_bulk_delete(member, status.HTTP_403_FORBIDDEN) + + def test_denies_non_project_member_to_bulk_delete(self): + self.assert_bulk_delete(self.non_member, status.HTTP_403_FORBIDDEN) + + def test_denies_unauthenticated_user_to_bulk_delete(self): + self.assert_bulk_delete(expected=status.HTTP_403_FORBIDDEN) class TestRoleMappingDetailAPI(APITestCase): - @classmethod - def setUpTestData(cls): - cls.project_admin_name = 'project_admin_name' - cls.project_admin_pass = 'project_admin_pass' - cls.project_member_name = 'project_member_name' - cls.project_member_pass = 'project_member_pass' - cls.non_project_member_name = 'non_project_member_name' - cls.non_project_member_pass = 'non_project_member_pass' - create_default_roles() - project_admin = User.objects.create_user(username=cls.project_admin_name, - password=cls.project_admin_pass) - project_member = User.objects.create_user(username=cls.project_member_name, - password=cls.project_member_pass) - User.objects.create_user(username=cls.non_project_member_name, password=cls.non_project_member_pass) - project = mommy.make('Project', users=[project_admin, project_member]) + def setUp(self): + self.project = prepare_project() + self.non_member = make_user() admin_role = Role.objects.get(name=settings.ROLE_PROJECT_ADMIN) - annotator_role = Role.objects.get(name=settings.ROLE_ANNOTATOR) - cls.rolemapping = assign_user_to_role(project_admin, project, admin_role) - assign_user_to_role(project_member, project, annotator_role) - cls.url = reverse(viewname='rolemapping_detail', args=[project.id, cls.rolemapping.id]) - cls.data = {'role': admin_role.id} - - def test_returns_rolemapping_to_project_member(self): - self.client.login(username=self.project_admin_name, - password=self.project_admin_pass) - response = self.client.get(self.url, format='json') - self.assertEqual(response.data['id'], self.rolemapping.id) - - def test_do_not_return_mapping_to_non_project_member(self): - self.client.login(username=self.non_project_member_name, - password=self.non_project_member_pass) - response = self.client.get(self.url, format='json') - self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + mapping = RoleMapping.objects.get(user=self.project.users[1]) + self.url = reverse(viewname='rolemapping_detail', args=[self.project.item.id, mapping.id]) + self.data = {'role': admin_role.id} - def test_allows_admin_to_update_mapping(self): - self.client.login(username=self.project_admin_name, - password=self.project_admin_pass) - response = self.client.patch(self.url, format='json', data=self.data) - self.assertEqual(response.data['role'], self.data['role']) + def assert_get(self, user=None, expected=status.HTTP_403_FORBIDDEN): + if user: + self.client.force_login(user) + response = self.client.get(self.url) + self.assertEqual(response.status_code, expected) - def test_disallows_project_member_to_update_mapping(self): - self.client.login(username=self.project_member_name, - password=self.project_member_pass) - response = self.client.patch(self.url, format='json', data=self.data) - self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + def test_allows_project_admin_to_get_mapping(self): + self.assert_get(self.project.users[0], status.HTTP_200_OK) - def test_allows_admin_to_delete_mapping(self): - self.client.login(username=self.project_admin_name, - password=self.project_admin_pass) - response = self.client.delete(self.url, format='json') - self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) + def test_denies_non_project_admin_to_get_mapping(self): + for member in self.project.users[1:]: + self.assert_get(member, status.HTTP_403_FORBIDDEN) - def test_disallows_project_member_to_delete_mapping(self): - self.client.login(username=self.project_member_name, - password=self.project_member_pass) - response = self.client.delete(self.url, format='json') - self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + def test_denies_non_project_member_to_get_mapping(self): + self.assert_get(self.non_member, status.HTTP_403_FORBIDDEN) + + def test_denies_unauthenticated_user_to_get_mapping(self): + self.assert_get(expected=status.HTTP_403_FORBIDDEN) + + def assert_update(self, user=None, expected=status.HTTP_403_FORBIDDEN): + if user: + self.client.force_login(user) + response = self.client.patch(self.url, data=self.data, format='json') + self.assertEqual(response.status_code, expected) + + def test_allows_project_admin_to_update_mapping(self): + self.assert_update(self.project.users[0], status.HTTP_200_OK) + + def test_denies_non_project_admin_to_update_mapping(self): + for member in self.project.users[1:]: + self.assert_update(member, status.HTTP_403_FORBIDDEN) + + def test_denies_non_project_member_to_update_mapping(self): + self.assert_update(self.non_member, status.HTTP_403_FORBIDDEN) + + def test_denies_unauthenticated_user_to_update_mapping(self): + self.assert_update(expected=status.HTTP_403_FORBIDDEN) diff --git a/backend/api/tests/api/utils.py b/backend/api/tests/api/utils.py index 90f1ee47..53d04794 100644 --- a/backend/api/tests/api/utils.py +++ b/backend/api/tests/api/utils.py @@ -36,7 +36,7 @@ def remove_all_role_mappings(): RoleMapping.objects.all().delete() -def make_user(username: str): +def make_user(username: str = 'bob'): user_model = get_user_model() user, _ = user_model.objects.get_or_create(username=username, password='pass') return user diff --git a/backend/api/views/role.py b/backend/api/views/role.py index fa32a5f2..43d1cf3a 100644 --- a/backend/api/views/role.py +++ b/backend/api/views/role.py @@ -10,10 +10,10 @@ from ..permissions import IsProjectAdmin from ..serializers import RoleMappingSerializer, RoleSerializer -class Roles(generics.ListCreateAPIView): +class Roles(generics.ListAPIView): serializer_class = RoleSerializer pagination_class = None - permission_classes = [IsAuthenticated & IsProjectAdmin] + permission_classes = [IsAuthenticated] queryset = Role.objects.all() @@ -43,7 +43,7 @@ class RoleMappingList(generics.ListCreateAPIView): return Response(status=status.HTTP_204_NO_CONTENT) -class RoleMappingDetail(generics.RetrieveUpdateDestroyAPIView): +class RoleMappingDetail(generics.RetrieveUpdateAPIView): queryset = RoleMapping.objects.all() serializer_class = RoleMappingSerializer lookup_url_kwarg = 'rolemapping_id'