mirror of
https://github.com/netbox-community/netbox.git
synced 2024-05-10 07:54:54 +00:00
Restore model-level permission tests
This commit is contained in:
Jeremy Stretch
@ -17,6 +17,7 @@ from utilities.utils import flatten_dict
|
|||||||
|
|
||||||
|
|
||||||
__all__ = (
|
__all__ = (
|
||||||
|
'ObjectPermission',
|
||||||
'Token',
|
'Token',
|
||||||
'UserConfig',
|
'UserConfig',
|
||||||
)
|
)
|
||||||
|
|||||||
@ -155,6 +155,13 @@ class ViewTestCases:
|
|||||||
"""
|
"""
|
||||||
Retrieve a single instance.
|
Retrieve a single instance.
|
||||||
"""
|
"""
|
||||||
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
|
||||||
|
def test_get_object_anonymous(self):
|
||||||
|
# Make the request as an unauthenticated user
|
||||||
|
self.client.logout()
|
||||||
|
response = self.client.get(self.model.objects.first().get_absolute_url())
|
||||||
|
self.assertHttpStatus(response, 200)
|
||||||
|
|
||||||
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
def test_get_object_without_permission(self):
|
def test_get_object_without_permission(self):
|
||||||
instance = self.model.objects.first()
|
instance = self.model.objects.first()
|
||||||
@ -163,28 +170,29 @@ class ViewTestCases:
|
|||||||
with disable_warnings('django.request'):
|
with disable_warnings('django.request'):
|
||||||
self.assertHttpStatus(self.client.get(instance.get_absolute_url()), 403)
|
self.assertHttpStatus(self.client.get(instance.get_absolute_url()), 403)
|
||||||
|
|
||||||
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
# def test_get_object_with_model_permission(self):
|
def test_get_object_with_model_permission(self):
|
||||||
# instance = self.model.objects.first()
|
instance = self.model.objects.first()
|
||||||
#
|
|
||||||
# # Add model-level permission
|
# Add model-level permission
|
||||||
# self.add_permissions(get_permission_for_model(self.model, 'view'))
|
self.user.object_permissions.create(
|
||||||
#
|
model=ContentType.objects.get_for_model(self.model),
|
||||||
# # Try GET with model-level permission
|
can_view=True
|
||||||
# self.assertHttpStatus(self.client.get(instance.get_absolute_url()), 200)
|
)
|
||||||
|
|
||||||
|
# Try GET with model-level permission
|
||||||
|
self.assertHttpStatus(self.client.get(instance.get_absolute_url()), 200)
|
||||||
|
|
||||||
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
def test_get_object_with_object_permission(self):
|
def test_get_object_with_object_permission(self):
|
||||||
instance1, instance2 = self.model.objects.all()[:2]
|
instance1, instance2 = self.model.objects.all()[:2]
|
||||||
|
|
||||||
# Add object-level permission
|
# Add object-level permission
|
||||||
obj_perm = ObjectPermission(
|
self.user.object_permissions.create(
|
||||||
model=ContentType.objects.get_for_model(self.model),
|
model=ContentType.objects.get_for_model(self.model),
|
||||||
attrs={'pk': instance1.pk},
|
attrs={'pk': instance1.pk},
|
||||||
can_view=True
|
can_view=True
|
||||||
)
|
)
|
||||||
obj_perm.save()
|
|
||||||
obj_perm.users.add(self.user)
|
|
||||||
|
|
||||||
# Try GET to permitted object
|
# Try GET to permitted object
|
||||||
self.assertHttpStatus(self.client.get(instance1.get_absolute_url()), 200)
|
self.assertHttpStatus(self.client.get(instance1.get_absolute_url()), 200)
|
||||||
@ -192,13 +200,6 @@ class ViewTestCases:
|
|||||||
# Try GET to non-permitted object
|
# Try GET to non-permitted object
|
||||||
self.assertHttpStatus(self.client.get(instance2.get_absolute_url()), 404)
|
self.assertHttpStatus(self.client.get(instance2.get_absolute_url()), 404)
|
||||||
|
|
||||||
@override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
|
|
||||||
def test_list_objects_anonymous(self):
|
|
||||||
# Make the request as an unauthenticated user
|
|
||||||
self.client.logout()
|
|
||||||
response = self.client.get(self.model.objects.first().get_absolute_url())
|
|
||||||
self.assertHttpStatus(response, 200)
|
|
||||||
|
|
||||||
class CreateObjectViewTestCase(ModelViewTestCase):
|
class CreateObjectViewTestCase(ModelViewTestCase):
|
||||||
"""
|
"""
|
||||||
Create a single new instance.
|
Create a single new instance.
|
||||||
@ -221,24 +222,27 @@ class ViewTestCases:
|
|||||||
with disable_warnings('django.request'):
|
with disable_warnings('django.request'):
|
||||||
self.assertHttpStatus(response, 403)
|
self.assertHttpStatus(response, 403)
|
||||||
|
|
||||||
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
# def test_create_object_with_model_permission(self):
|
def test_create_object_with_model_permission(self):
|
||||||
# initial_count = self.model.objects.count()
|
initial_count = self.model.objects.count()
|
||||||
#
|
|
||||||
# # Assign model-level permission
|
# Assign model-level permission
|
||||||
# self.add_permissions(get_permission_for_model(self.model, 'add'))
|
self.user.object_permissions.create(
|
||||||
#
|
model=ContentType.objects.get_for_model(self.model),
|
||||||
# # Try GET with model-level permission
|
can_add=True
|
||||||
# self.assertHttpStatus(self.client.get(self._get_url('add')), 200)
|
)
|
||||||
#
|
|
||||||
# # Try POST with model-level permission
|
# Try GET with model-level permission
|
||||||
# request = {
|
self.assertHttpStatus(self.client.get(self._get_url('add')), 200)
|
||||||
# 'path': self._get_url('add'),
|
|
||||||
# 'data': post_data(self.form_data),
|
# Try POST with model-level permission
|
||||||
# }
|
request = {
|
||||||
# self.assertHttpStatus(self.client.post(**request), 302)
|
'path': self._get_url('add'),
|
||||||
# self.assertEqual(initial_count + 1, self.model.objects.count())
|
'data': post_data(self.form_data),
|
||||||
# self.assertInstanceEqual(self.model.objects.order_by('pk').last(), self.form_data)
|
}
|
||||||
|
self.assertHttpStatus(self.client.post(**request), 302)
|
||||||
|
self.assertEqual(initial_count + 1, self.model.objects.count())
|
||||||
|
self.assertInstanceEqual(self.model.objects.order_by('pk').last(), self.form_data)
|
||||||
|
|
||||||
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
def test_create_object_with_object_permission(self):
|
def test_create_object_with_object_permission(self):
|
||||||
@ -300,23 +304,26 @@ class ViewTestCases:
|
|||||||
with disable_warnings('django.request'):
|
with disable_warnings('django.request'):
|
||||||
self.assertHttpStatus(self.client.post(**request), 403)
|
self.assertHttpStatus(self.client.post(**request), 403)
|
||||||
|
|
||||||
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
# def test_edit_object_with_model_permission(self):
|
def test_edit_object_with_model_permission(self):
|
||||||
# instance = self.model.objects.first()
|
instance = self.model.objects.first()
|
||||||
#
|
|
||||||
# # Assign model-level permission
|
# Assign model-level permission
|
||||||
# self.add_permissions(get_permission_for_model(self.model, 'change'))
|
self.user.object_permissions.create(
|
||||||
#
|
model=ContentType.objects.get_for_model(self.model),
|
||||||
# # Try GET with model-level permission
|
can_change=True
|
||||||
# self.assertHttpStatus(self.client.get(self._get_url('edit', instance)), 200)
|
)
|
||||||
#
|
|
||||||
# # Try POST with model-level permission
|
# Try GET with model-level permission
|
||||||
# request = {
|
self.assertHttpStatus(self.client.get(self._get_url('edit', instance)), 200)
|
||||||
# 'path': self._get_url('edit', instance),
|
|
||||||
# 'data': post_data(self.form_data),
|
# Try POST with model-level permission
|
||||||
# }
|
request = {
|
||||||
# self.assertHttpStatus(self.client.post(**request), 302)
|
'path': self._get_url('edit', instance),
|
||||||
# self.assertInstanceEqual(self.model.objects.get(pk=instance.pk), self.form_data)
|
'data': post_data(self.form_data),
|
||||||
|
}
|
||||||
|
self.assertHttpStatus(self.client.post(**request), 302)
|
||||||
|
self.assertInstanceEqual(self.model.objects.get(pk=instance.pk), self.form_data)
|
||||||
|
|
||||||
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
def test_edit_object_with_object_permission(self):
|
def test_edit_object_with_object_permission(self):
|
||||||
@ -372,24 +379,27 @@ class ViewTestCases:
|
|||||||
with disable_warnings('django.request'):
|
with disable_warnings('django.request'):
|
||||||
self.assertHttpStatus(self.client.post(**request), 403)
|
self.assertHttpStatus(self.client.post(**request), 403)
|
||||||
|
|
||||||
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
# def test_delete_object_with_model_permission(self):
|
def test_delete_object_with_model_permission(self):
|
||||||
# instance = self.model.objects.first()
|
instance = self.model.objects.first()
|
||||||
#
|
|
||||||
# # Assign model-level permission
|
# Assign model-level permission
|
||||||
# self.add_permissions(get_permission_for_model(self.model, 'delete'))
|
self.user.object_permissions.create(
|
||||||
#
|
model=ContentType.objects.get_for_model(self.model),
|
||||||
# # Try GET with model-level permission
|
can_delete=True
|
||||||
# self.assertHttpStatus(self.client.get(self._get_url('delete', instance)), 200)
|
)
|
||||||
#
|
|
||||||
# # Try POST with model-level permission
|
# Try GET with model-level permission
|
||||||
# request = {
|
self.assertHttpStatus(self.client.get(self._get_url('delete', instance)), 200)
|
||||||
# 'path': self._get_url('delete', instance),
|
|
||||||
# 'data': post_data({'confirm': True}),
|
# Try POST with model-level permission
|
||||||
# }
|
request = {
|
||||||
# self.assertHttpStatus(self.client.post(**request), 302)
|
'path': self._get_url('delete', instance),
|
||||||
# with self.assertRaises(ObjectDoesNotExist):
|
'data': post_data({'confirm': True}),
|
||||||
# self.model.objects.get(pk=instance.pk)
|
}
|
||||||
|
self.assertHttpStatus(self.client.post(**request), 302)
|
||||||
|
with self.assertRaises(ObjectDoesNotExist):
|
||||||
|
self.model.objects.get(pk=instance.pk)
|
||||||
|
|
||||||
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
def test_delete_object_with_object_permission(self):
|
def test_delete_object_with_object_permission(self):
|
||||||
@ -431,6 +441,13 @@ class ViewTestCases:
|
|||||||
"""
|
"""
|
||||||
Retrieve multiple instances.
|
Retrieve multiple instances.
|
||||||
"""
|
"""
|
||||||
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
|
||||||
|
def test_list_objects_anonymous(self):
|
||||||
|
# Make the request as an unauthenticated user
|
||||||
|
self.client.logout()
|
||||||
|
response = self.client.get(self._get_url('list'))
|
||||||
|
self.assertHttpStatus(response, 200)
|
||||||
|
|
||||||
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
def test_list_objects_without_permission(self):
|
def test_list_objects_without_permission(self):
|
||||||
|
|
||||||
@ -438,20 +455,23 @@ class ViewTestCases:
|
|||||||
with disable_warnings('django.request'):
|
with disable_warnings('django.request'):
|
||||||
self.assertHttpStatus(self.client.get(self._get_url('list')), 403)
|
self.assertHttpStatus(self.client.get(self._get_url('list')), 403)
|
||||||
|
|
||||||
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
# def test_list_objects_with_model_permission(self):
|
def test_list_objects_with_model_permission(self):
|
||||||
#
|
|
||||||
# # Add model-level permission
|
# Add model-level permission
|
||||||
# self.add_permissions(get_permission_for_model(self.model, 'view'))
|
self.user.object_permissions.create(
|
||||||
#
|
model=ContentType.objects.get_for_model(self.model),
|
||||||
# # Try GET with model-level permission
|
can_view=True
|
||||||
# self.assertHttpStatus(self.client.get(self._get_url('list')), 200)
|
)
|
||||||
#
|
|
||||||
# # Built-in CSV export
|
# Try GET with model-level permission
|
||||||
# if hasattr(self.model, 'csv_headers'):
|
self.assertHttpStatus(self.client.get(self._get_url('list')), 200)
|
||||||
# response = self.client.get('{}?export'.format(self._get_url('list')))
|
|
||||||
# self.assertHttpStatus(response, 200)
|
# Built-in CSV export
|
||||||
# self.assertEqual(response.get('Content-Type'), 'text/csv')
|
if hasattr(self.model, 'csv_headers'):
|
||||||
|
response = self.client.get('{}?export'.format(self._get_url('list')))
|
||||||
|
self.assertHttpStatus(response, 200)
|
||||||
|
self.assertEqual(response.get('Content-Type'), 'text/csv')
|
||||||
|
|
||||||
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
def test_list_objects_with_object_permission(self):
|
def test_list_objects_with_object_permission(self):
|
||||||
@ -471,13 +491,6 @@ class ViewTestCases:
|
|||||||
|
|
||||||
# TODO: Verify that only the permitted object is returned
|
# TODO: Verify that only the permitted object is returned
|
||||||
|
|
||||||
@override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
|
|
||||||
def test_list_objects_anonymous(self):
|
|
||||||
# Make the request as an unauthenticated user
|
|
||||||
self.client.logout()
|
|
||||||
response = self.client.get(self._get_url('list'))
|
|
||||||
self.assertHttpStatus(response, 200)
|
|
||||||
|
|
||||||
class BulkCreateObjectsViewTestCase(ModelViewTestCase):
|
class BulkCreateObjectsViewTestCase(ModelViewTestCase):
|
||||||
"""
|
"""
|
||||||
Create multiple instances using a single form. Expects the creation of three new instances by default.
|
Create multiple instances using a single form. Expects the creation of three new instances by default.
|
||||||
@ -536,22 +549,25 @@ class ViewTestCases:
|
|||||||
with disable_warnings('django.request'):
|
with disable_warnings('django.request'):
|
||||||
self.assertHttpStatus(response, 403)
|
self.assertHttpStatus(response, 403)
|
||||||
|
|
||||||
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
# def test_bulk_import_objects_with_model_permission(self):
|
def test_bulk_import_objects_with_model_permission(self):
|
||||||
# initial_count = self.model.objects.count()
|
initial_count = self.model.objects.count()
|
||||||
# data = {
|
data = {
|
||||||
# 'csv': self._get_csv_data(),
|
'csv': self._get_csv_data(),
|
||||||
# }
|
}
|
||||||
#
|
|
||||||
# # Assign model-level permission
|
# Assign model-level permission
|
||||||
# self.add_permissions(get_permission_for_model(self.model, 'add'))
|
self.user.object_permissions.create(
|
||||||
#
|
model=ContentType.objects.get_for_model(self.model),
|
||||||
# # Try GET with model-level permission
|
can_add=True
|
||||||
# self.assertHttpStatus(self.client.get(self._get_url('import')), 200)
|
)
|
||||||
#
|
|
||||||
# # Test POST with permission
|
# Try GET with model-level permission
|
||||||
# self.assertHttpStatus(self.client.post(self._get_url('import'), data), 200)
|
self.assertHttpStatus(self.client.get(self._get_url('import')), 200)
|
||||||
# self.assertEqual(self.model.objects.count(), initial_count + len(self.csv_data) - 1)
|
|
||||||
|
# Test POST with permission
|
||||||
|
self.assertHttpStatus(self.client.post(self._get_url('import'), data), 200)
|
||||||
|
self.assertEqual(self.model.objects.count(), initial_count + len(self.csv_data) - 1)
|
||||||
|
|
||||||
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
def test_bulk_import_objects_with_object_permission(self):
|
def test_bulk_import_objects_with_object_permission(self):
|
||||||
@ -597,24 +613,27 @@ class ViewTestCases:
|
|||||||
with disable_warnings('django.request'):
|
with disable_warnings('django.request'):
|
||||||
self.assertHttpStatus(self.client.post(self._get_url('bulk_edit'), data), 403)
|
self.assertHttpStatus(self.client.post(self._get_url('bulk_edit'), data), 403)
|
||||||
|
|
||||||
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
# def test_bulk_edit_objects_with_model_permission(self):
|
def test_bulk_edit_objects_with_model_permission(self):
|
||||||
# pk_list = self.model.objects.values_list('pk', flat=True)[:3]
|
pk_list = self.model.objects.values_list('pk', flat=True)[:3]
|
||||||
# data = {
|
data = {
|
||||||
# 'pk': pk_list,
|
'pk': pk_list,
|
||||||
# '_apply': True, # Form button
|
'_apply': True, # Form button
|
||||||
# }
|
}
|
||||||
#
|
|
||||||
# # Append the form data to the request
|
# Append the form data to the request
|
||||||
# data.update(post_data(self.bulk_edit_data))
|
data.update(post_data(self.bulk_edit_data))
|
||||||
#
|
|
||||||
# # Assign model-level permission
|
# Assign model-level permission
|
||||||
# self.add_permissions(get_permission_for_model(self.model, 'change'))
|
self.user.object_permissions.create(
|
||||||
#
|
model=ContentType.objects.get_for_model(self.model),
|
||||||
# # Try POST with model-level permission
|
can_change=True
|
||||||
# self.assertHttpStatus(self.client.post(self._get_url('bulk_edit'), data), 302)
|
)
|
||||||
# for i, instance in enumerate(self.model.objects.filter(pk__in=pk_list)):
|
|
||||||
# self.assertInstanceEqual(instance, self.bulk_edit_data)
|
# Try POST with model-level permission
|
||||||
|
self.assertHttpStatus(self.client.post(self._get_url('bulk_edit'), data), 302)
|
||||||
|
for i, instance in enumerate(self.model.objects.filter(pk__in=pk_list)):
|
||||||
|
self.assertInstanceEqual(instance, self.bulk_edit_data)
|
||||||
|
|
||||||
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
def test_bulk_edit_objects_with_object_permission(self):
|
def test_bulk_edit_objects_with_object_permission(self):
|
||||||
@ -664,21 +683,24 @@ class ViewTestCases:
|
|||||||
with disable_warnings('django.request'):
|
with disable_warnings('django.request'):
|
||||||
self.assertHttpStatus(self.client.post(self._get_url('bulk_delete'), data), 403)
|
self.assertHttpStatus(self.client.post(self._get_url('bulk_delete'), data), 403)
|
||||||
|
|
||||||
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
# def test_bulk_delete_objects_with_model_permission(self):
|
def test_bulk_delete_objects_with_model_permission(self):
|
||||||
# pk_list = self.model.objects.values_list('pk', flat=True)
|
pk_list = self.model.objects.values_list('pk', flat=True)
|
||||||
# data = {
|
data = {
|
||||||
# 'pk': pk_list,
|
'pk': pk_list,
|
||||||
# 'confirm': True,
|
'confirm': True,
|
||||||
# '_confirm': True, # Form button
|
'_confirm': True, # Form button
|
||||||
# }
|
}
|
||||||
#
|
|
||||||
# # Assign model-level permission
|
# Assign model-level permission
|
||||||
# self.add_permissions(get_permission_for_model(self.model, 'delete'))
|
self.user.object_permissions.create(
|
||||||
#
|
model=ContentType.objects.get_for_model(self.model),
|
||||||
# # Try POST with model-level permission
|
can_delete=True
|
||||||
# self.assertHttpStatus(self.client.post(self._get_url('bulk_delete'), data), 302)
|
)
|
||||||
# self.assertEqual(self.model.objects.count(), 0)
|
|
||||||
|
# Try POST with model-level permission
|
||||||
|
self.assertHttpStatus(self.client.post(self._get_url('bulk_delete'), data), 302)
|
||||||
|
self.assertEqual(self.model.objects.count(), 0)
|
||||||
|
|
||||||
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
|
||||||
def test_bulk_delete_objects_with_object_permission(self):
|
def test_bulk_delete_objects_with_object_permission(self):
|
||||||
|
|||||||
@ -192,6 +192,7 @@ class InterfaceTestCase(
|
|||||||
model = Interface
|
model = Interface
|
||||||
|
|
||||||
# Disable inapplicable tests
|
# Disable inapplicable tests
|
||||||
|
test_list_objects_anonymous = None
|
||||||
test_list_objects_without_permission = None
|
test_list_objects_without_permission = None
|
||||||
test_list_objects_with_model_permission = None
|
test_list_objects_with_model_permission = None
|
||||||
test_list_objects_with_object_permission = None
|
test_list_objects_with_object_permission = None
|
||||||
|
|||||||
Reference in New Issue
Block a user