netbox-community-netbox/netbox/users/tests/test_permissions.py

from django.contrib.contenttypes.models import ContentType
from django.contrib.auth.models import Permission, User
from django.test import TestCase, override_settings

from dcim.models import Site
from tenancy.models import Tenant
from users.models import ObjectPermission


class UserConfigTest(TestCase):

    def setUp(self):

        self.user = User.objects.create_user(username='testuser')

    @classmethod
    def setUpTestData(cls):

        tenant = Tenant.objects.create(name='Tenant 1', slug='tenant-1')
        Site.objects.bulk_create((
            Site(name='Site 1', slug='site-1'),
            Site(name='Site 2', slug='site-2', tenant=tenant),
            Site(name='Site 3', slug='site-3'),
        ))

    @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
    def test_permission_view_object(self):

        # Sanity check to ensure the user has no model-level permission
        self.assertFalse(self.user.has_perm('dcim.view_site'))

        # The permission check for a specific object should fail.
        sites = Site.objects.all()
        self.assertFalse(self.user.has_perm('dcim.view_site', sites[0]))

        # Create and assign a new ObjectPermission specifying the first site by name.
        ct = ContentType.objects.get_for_model(sites[0])
        object_perm = ObjectPermission(
            model=ct,
            attrs={'name': 'Site 1'},
            can_view=True
        )
        object_perm.save()
        self.user.object_permissions.add(object_perm)

        # The test user should have permission to view only the first site.
        self.assertTrue(self.user.has_perm('dcim.view_site', sites[0]))
        self.assertFalse(self.user.has_perm('dcim.view_site', sites[1]))

        # Create a second ObjectPermission matching sites by assigned tenant.
        object_perm = ObjectPermission(
            model=ct,
            attrs={'tenant__name': 'Tenant 1'},
            can_view=True
        )
        object_perm.save()
        self.user.object_permissions.add(object_perm)

        # The user should now able to view the first two sites, but not the third.
        self.assertTrue(self.user.has_perm('dcim.view_site', sites[0]))
        self.assertTrue(self.user.has_perm('dcim.view_site', sites[1]))
        self.assertFalse(self.user.has_perm('dcim.view_site', sites[2]))