mirror/netbox-community-netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2024-05-10 07:54:54 +00:00
Code Activity

Restore model-level permission tests

Browse Source
This commit is contained in:
Jeremy Stretch
2020-05-28 11:08:35 -04:00
parent dc56e49410
commit 5d36d81ae1
3 changed files with 166 additions and 142 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
netbox/users/models.py
View File

@ -17,6 +17,7 @@ from utilities.utils import flatten_dict
__all__ = (
'ObjectPermission',
'Token',
'UserConfig',
)

306
netbox/utilities/testing/testcases.py
View File

@ -155,6 +155,13 @@ class ViewTestCases:
"""
Retrieve a single instance.
"""
@override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
def test_get_object_anonymous(self):
# Make the request as an unauthenticated user
self.client.logout()
response = self.client.get(self.model.objects.first().get_absolute_url())
self.assertHttpStatus(response, 200)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_get_object_without_permission(self):
instance = self.model.objects.first()
@ -163,28 +170,29 @@ class ViewTestCases:
with disable_warnings('django.request'):
self.assertHttpStatus(self.client.get(instance.get_absolute_url()), 403)
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
# def test_get_object_with_model_permission(self):
# instance = self.model.objects.first()
#
# # Add model-level permission
# self.add_permissions(get_permission_for_model(self.model, 'view'))
#
# # Try GET with model-level permission
# self.assertHttpStatus(self.client.get(instance.get_absolute_url()), 200)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_get_object_with_model_permission(self):
instance = self.model.objects.first()
# Add model-level permission
self.user.object_permissions.create(
model=ContentType.objects.get_for_model(self.model),
can_view=True
)
# Try GET with model-level permission
self.assertHttpStatus(self.client.get(instance.get_absolute_url()), 200)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_get_object_with_object_permission(self):
instance1, instance2 = self.model.objects.all()[:2]
# Add object-level permission
obj_perm = ObjectPermission(
self.user.object_permissions.create(
model=ContentType.objects.get_for_model(self.model),
attrs={'pk': instance1.pk},
can_view=True
)
obj_perm.save()
obj_perm.users.add(self.user)
# Try GET to permitted object
self.assertHttpStatus(self.client.get(instance1.get_absolute_url()), 200)
@ -192,13 +200,6 @@ class ViewTestCases:
# Try GET to non-permitted object
self.assertHttpStatus(self.client.get(instance2.get_absolute_url()), 404)
@override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
def test_list_objects_anonymous(self):
# Make the request as an unauthenticated user
self.client.logout()
response = self.client.get(self.model.objects.first().get_absolute_url())
self.assertHttpStatus(response, 200)
class CreateObjectViewTestCase(ModelViewTestCase):
"""
Create a single new instance.
@ -221,24 +222,27 @@ class ViewTestCases:
with disable_warnings('django.request'):
self.assertHttpStatus(response, 403)
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
# def test_create_object_with_model_permission(self):
# initial_count = self.model.objects.count()
#
# # Assign model-level permission
# self.add_permissions(get_permission_for_model(self.model, 'add'))
#
# # Try GET with model-level permission
# self.assertHttpStatus(self.client.get(self._get_url('add')), 200)
#
# # Try POST with model-level permission
# request = {
# 'path': self._get_url('add'),
# 'data': post_data(self.form_data),
# }
# self.assertHttpStatus(self.client.post(**request), 302)
# self.assertEqual(initial_count + 1, self.model.objects.count())
# self.assertInstanceEqual(self.model.objects.order_by('pk').last(), self.form_data)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_create_object_with_model_permission(self):
initial_count = self.model.objects.count()
# Assign model-level permission
self.user.object_permissions.create(
model=ContentType.objects.get_for_model(self.model),
can_add=True
)
# Try GET with model-level permission
self.assertHttpStatus(self.client.get(self._get_url('add')), 200)
# Try POST with model-level permission
request = {
'path': self._get_url('add'),
'data': post_data(self.form_data),
}
self.assertHttpStatus(self.client.post(**request), 302)
self.assertEqual(initial_count + 1, self.model.objects.count())
self.assertInstanceEqual(self.model.objects.order_by('pk').last(), self.form_data)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_create_object_with_object_permission(self):
@ -300,23 +304,26 @@ class ViewTestCases:
with disable_warnings('django.request'):
self.assertHttpStatus(self.client.post(**request), 403)
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
# def test_edit_object_with_model_permission(self):
# instance = self.model.objects.first()
#
# # Assign model-level permission
# self.add_permissions(get_permission_for_model(self.model, 'change'))
#
# # Try GET with model-level permission
# self.assertHttpStatus(self.client.get(self._get_url('edit', instance)), 200)
#
# # Try POST with model-level permission
# request = {
# 'path': self._get_url('edit', instance),
# 'data': post_data(self.form_data),
# }
# self.assertHttpStatus(self.client.post(**request), 302)
# self.assertInstanceEqual(self.model.objects.get(pk=instance.pk), self.form_data)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_edit_object_with_model_permission(self):
instance = self.model.objects.first()
# Assign model-level permission
self.user.object_permissions.create(
model=ContentType.objects.get_for_model(self.model),
can_change=True
)
# Try GET with model-level permission
self.assertHttpStatus(self.client.get(self._get_url('edit', instance)), 200)
# Try POST with model-level permission
request = {
'path': self._get_url('edit', instance),
'data': post_data(self.form_data),
}
self.assertHttpStatus(self.client.post(**request), 302)
self.assertInstanceEqual(self.model.objects.get(pk=instance.pk), self.form_data)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_edit_object_with_object_permission(self):
@ -372,24 +379,27 @@ class ViewTestCases:
with disable_warnings('django.request'):
self.assertHttpStatus(self.client.post(**request), 403)
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
# def test_delete_object_with_model_permission(self):
# instance = self.model.objects.first()
#
# # Assign model-level permission
# self.add_permissions(get_permission_for_model(self.model, 'delete'))
#
# # Try GET with model-level permission
# self.assertHttpStatus(self.client.get(self._get_url('delete', instance)), 200)
#
# # Try POST with model-level permission
# request = {
# 'path': self._get_url('delete', instance),
# 'data': post_data({'confirm': True}),
# }
# self.assertHttpStatus(self.client.post(**request), 302)
# with self.assertRaises(ObjectDoesNotExist):
# self.model.objects.get(pk=instance.pk)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_delete_object_with_model_permission(self):
instance = self.model.objects.first()
# Assign model-level permission
self.user.object_permissions.create(
model=ContentType.objects.get_for_model(self.model),
can_delete=True
)
# Try GET with model-level permission
self.assertHttpStatus(self.client.get(self._get_url('delete', instance)), 200)
# Try POST with model-level permission
request = {
'path': self._get_url('delete', instance),
'data': post_data({'confirm': True}),
}
self.assertHttpStatus(self.client.post(**request), 302)
with self.assertRaises(ObjectDoesNotExist):
self.model.objects.get(pk=instance.pk)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_delete_object_with_object_permission(self):
@ -431,6 +441,13 @@ class ViewTestCases:
"""
Retrieve multiple instances.
"""
@override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
def test_list_objects_anonymous(self):
# Make the request as an unauthenticated user
self.client.logout()
response = self.client.get(self._get_url('list'))
self.assertHttpStatus(response, 200)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_list_objects_without_permission(self):
@ -438,20 +455,23 @@ class ViewTestCases:
with disable_warnings('django.request'):
self.assertHttpStatus(self.client.get(self._get_url('list')), 403)
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
# def test_list_objects_with_model_permission(self):
#
# # Add model-level permission
# self.add_permissions(get_permission_for_model(self.model, 'view'))
#
# # Try GET with model-level permission
# self.assertHttpStatus(self.client.get(self._get_url('list')), 200)
#
# # Built-in CSV export
# if hasattr(self.model, 'csv_headers'):
# response = self.client.get('{}?export'.format(self._get_url('list')))
# self.assertHttpStatus(response, 200)
# self.assertEqual(response.get('Content-Type'), 'text/csv')
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_list_objects_with_model_permission(self):
# Add model-level permission
self.user.object_permissions.create(
model=ContentType.objects.get_for_model(self.model),
can_view=True
)
# Try GET with model-level permission
self.assertHttpStatus(self.client.get(self._get_url('list')), 200)
# Built-in CSV export
if hasattr(self.model, 'csv_headers'):
response = self.client.get('{}?export'.format(self._get_url('list')))
self.assertHttpStatus(response, 200)
self.assertEqual(response.get('Content-Type'), 'text/csv')
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_list_objects_with_object_permission(self):
@ -471,13 +491,6 @@ class ViewTestCases:
# TODO: Verify that only the permitted object is returned
@override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
def test_list_objects_anonymous(self):
# Make the request as an unauthenticated user
self.client.logout()
response = self.client.get(self._get_url('list'))
self.assertHttpStatus(response, 200)
class BulkCreateObjectsViewTestCase(ModelViewTestCase):
"""
Create multiple instances using a single form. Expects the creation of three new instances by default.
@ -536,22 +549,25 @@ class ViewTestCases:
with disable_warnings('django.request'):
self.assertHttpStatus(response, 403)
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
# def test_bulk_import_objects_with_model_permission(self):
# initial_count = self.model.objects.count()
# data = {
# 'csv': self._get_csv_data(),
# }
#
# # Assign model-level permission
# self.add_permissions(get_permission_for_model(self.model, 'add'))
#
# # Try GET with model-level permission
# self.assertHttpStatus(self.client.get(self._get_url('import')), 200)
#
# # Test POST with permission
# self.assertHttpStatus(self.client.post(self._get_url('import'), data), 200)
# self.assertEqual(self.model.objects.count(), initial_count + len(self.csv_data) - 1)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_bulk_import_objects_with_model_permission(self):
initial_count = self.model.objects.count()
data = {
'csv': self._get_csv_data(),
}
# Assign model-level permission
self.user.object_permissions.create(
model=ContentType.objects.get_for_model(self.model),
can_add=True
)
# Try GET with model-level permission
self.assertHttpStatus(self.client.get(self._get_url('import')), 200)
# Test POST with permission
self.assertHttpStatus(self.client.post(self._get_url('import'), data), 200)
self.assertEqual(self.model.objects.count(), initial_count + len(self.csv_data) - 1)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_bulk_import_objects_with_object_permission(self):
@ -597,24 +613,27 @@ class ViewTestCases:
with disable_warnings('django.request'):
self.assertHttpStatus(self.client.post(self._get_url('bulk_edit'), data), 403)
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
# def test_bulk_edit_objects_with_model_permission(self):
# pk_list = self.model.objects.values_list('pk', flat=True)[:3]
# data = {
# 'pk': pk_list,
# '_apply': True, # Form button
# }
#
# # Append the form data to the request
# data.update(post_data(self.bulk_edit_data))
#
# # Assign model-level permission
# self.add_permissions(get_permission_for_model(self.model, 'change'))
#
# # Try POST with model-level permission
# self.assertHttpStatus(self.client.post(self._get_url('bulk_edit'), data), 302)
# for i, instance in enumerate(self.model.objects.filter(pk__in=pk_list)):
# self.assertInstanceEqual(instance, self.bulk_edit_data)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_bulk_edit_objects_with_model_permission(self):
pk_list = self.model.objects.values_list('pk', flat=True)[:3]
data = {
'pk': pk_list,
'_apply': True, # Form button
}
# Append the form data to the request
data.update(post_data(self.bulk_edit_data))
# Assign model-level permission
self.user.object_permissions.create(
model=ContentType.objects.get_for_model(self.model),
can_change=True
)
# Try POST with model-level permission
self.assertHttpStatus(self.client.post(self._get_url('bulk_edit'), data), 302)
for i, instance in enumerate(self.model.objects.filter(pk__in=pk_list)):
self.assertInstanceEqual(instance, self.bulk_edit_data)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_bulk_edit_objects_with_object_permission(self):
@ -664,21 +683,24 @@ class ViewTestCases:
with disable_warnings('django.request'):
self.assertHttpStatus(self.client.post(self._get_url('bulk_delete'), data), 403)
# @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
# def test_bulk_delete_objects_with_model_permission(self):
# pk_list = self.model.objects.values_list('pk', flat=True)
# data = {
# 'pk': pk_list,
# 'confirm': True,
# '_confirm': True, # Form button
# }
#
# # Assign model-level permission
# self.add_permissions(get_permission_for_model(self.model, 'delete'))
#
# # Try POST with model-level permission
# self.assertHttpStatus(self.client.post(self._get_url('bulk_delete'), data), 302)
# self.assertEqual(self.model.objects.count(), 0)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_bulk_delete_objects_with_model_permission(self):
pk_list = self.model.objects.values_list('pk', flat=True)
data = {
'pk': pk_list,
'confirm': True,
'_confirm': True, # Form button
}
# Assign model-level permission
self.user.object_permissions.create(
model=ContentType.objects.get_for_model(self.model),
can_delete=True
)
# Try POST with model-level permission
self.assertHttpStatus(self.client.post(self._get_url('bulk_delete'), data), 302)
self.assertEqual(self.model.objects.count(), 0)
@override_settings(EXEMPT_VIEW_PERMISSIONS=[])
def test_bulk_delete_objects_with_object_permission(self):

1
netbox/virtualization/tests/test_views.py
View File

@ -192,6 +192,7 @@ class InterfaceTestCase(
model = Interface
# Disable inapplicable tests
test_list_objects_anonymous = None
test_list_objects_without_permission = None
test_list_objects_with_model_permission = None
test_list_objects_with_object_permission = None