test(api): check model permissions for teams

!16 #15
2024-06-01 22:08:39 +09:30
parent 09cc1db665
commit 2bf692788c
1 changed files with 498 additions and 18 deletions
--- a/app/access/tests/team/test_team_permission_api.py
+++ b/app/access/tests/team/test_team_permission_api.py
@ -1,32 +1,512 @@
 # from django.conf import settings
-# from django.shortcuts import reverse
-from django.test import TestCase, Client
+from django.contrib.auth import get_user_model
+from django.contrib.auth.models import AnonymousUser, User
+from django.contrib.contenttypes.models import ContentType
+from django.shortcuts import reverse
+from django.test import TestCase, Client as nClient
+
+from rest_framework.test import APIClient as Client

 import pytest
 import unittest
 import requests

+from access.models import Organization, Team, TeamUsers, Permission


-@pytest.mark.skip(reason="to be written")
-def test_team_auth_view_api(user):
-    """ Check correct permission for view """
-    pass
+
+class TeamPermissionsAPI(TestCase):
+
+    model = Team
+
+    model_name = 'team'
+    app_label = 'access'
+
+    @classmethod
+    def setUpTestData(self):
+        """Setup Test
+
+        1. Create an organization for user and item
+        . create an organization that is different to item
+        2. Create a team
+        3. create teams with each permission: view, add, change, delete
+        4. create a user per team
+        """
+
+        organization = Organization.objects.create(name='test_org')
+
+        self.organization = organization
+
+        different_organization = Organization.objects.create(name='test_different_organization')


-@pytest.mark.skip(reason="to be written")
-def test_team_auth_add_api(user):
-    """ Check correct permission for add """
-    pass
+        self.item = self.model.objects.create(
+            organization=organization,
+            name = 'teamone'
+        )
+
+        view_permissions = Permission.objects.get(
+                codename = 'view_' + self.model_name,
+                content_type = ContentType.objects.get(
+                    app_label = self.app_label,
+                    model = self.model_name,
+                )
+            )
+
+        view_team = Team.objects.create(
+            team_name = 'view_team',
+            organization = organization,
+        )
+
+        view_team.permissions.set([view_permissions])


-@pytest.mark.skip(reason="to be written")
-def test_team_auth_change_api(user):
-    """ Check correct permission for change """
-    pass
+
+        add_permissions = Permission.objects.get(
+                codename = 'add_' + self.model_name,
+                content_type = ContentType.objects.get(
+                    app_label = self.app_label,
+                    model = self.model_name,
+                )
+            )
+
+        add_team = Team.objects.create(
+            team_name = 'add_team',
+            organization = organization,
+        )
+
+        add_team.permissions.set([add_permissions])


-@pytest.mark.skip(reason="to be written")
-def test_team_auth_delete_api(user):
-    """ Check correct permission for delete """
-    pass
+
+        change_permissions = Permission.objects.get(
+                codename = 'change_' + self.model_name,
+                content_type = ContentType.objects.get(
+                    app_label = self.app_label,
+                    model = self.model_name,
+                )
+            )
+
+        change_team = Team.objects.create(
+            team_name = 'change_team',
+            organization = organization,
+        )
+
+        change_team.permissions.set([change_permissions])
+
+
+
+        delete_permissions = Permission.objects.get(
+                codename = 'delete_' + self.model_name,
+                content_type = ContentType.objects.get(
+                    app_label = self.app_label,
+                    model = self.model_name,
+                )
+            )
+
+        delete_team = Team.objects.create(
+            team_name = 'delete_team',
+            organization = organization,
+        )
+
+        delete_team.permissions.set([delete_permissions])
+
+
+        self.no_permissions_user = User.objects.create_user(username="test_no_permissions", password="password")
+
+
+        self.view_user = User.objects.create_user(username="test_user_view", password="password")
+        teamuser = TeamUsers.objects.create(
+            team = view_team,
+            user = self.view_user
+        )
+
+        self.add_user = User.objects.create_user(username="test_user_add", password="password")
+        teamuser = TeamUsers.objects.create(
+            team = add_team,
+            user = self.add_user
+        )
+
+        self.change_user = User.objects.create_user(username="test_user_change", password="password")
+        teamuser = TeamUsers.objects.create(
+            team = change_team,
+            user = self.change_user
+        )
+
+        self.delete_user = User.objects.create_user(username="test_user_delete", password="password")
+        teamuser = TeamUsers.objects.create(
+            team = delete_team,
+            user = self.delete_user
+        )
+
+
+        self.different_organization_user = User.objects.create_user(username="test_different_organization_user", password="password")
+
+
+        different_organization_team = Team.objects.create(
+            team_name = 'different_organization_team',
+            organization = different_organization,
+        )
+
+        different_organization_team.permissions.set([
+            view_permissions,
+            add_permissions,
+            change_permissions,
+            delete_permissions,
+        ])
+
+        TeamUsers.objects.create(
+            team = different_organization_team,
+            user = self.different_organization_user
+        )
+
+
+
+    def test_team_auth_view_user_anon_denied(self):
+        """ Check correct permission for view
+
+        Attempt to view as anon user
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+        response = client.get(url)
+
+        assert response.status_code == 401
+
+
+    def test_team_auth_view_no_permission_denied(self):
+        """ Check correct permission for view
+
+        Attempt to view with user missing permission
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.no_permissions_user)
+        response = client.get(url)
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_view_different_organizaiton_denied(self):
+        """ Check correct permission for view
+
+        Attempt to view with user from different organization
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.different_organization_user)
+        response = client.get(url)
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_view_has_permission(self):
+        """ Check correct permission for view
+
+        Attempt to view as user with view permission
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.view_user)
+        response = client.get(url)
+
+        assert response.status_code == 200
+
+
+
+    def test_team_auth_add_user_anon_denied(self):
+        """ Check correct permission for add 
+
+        Attempt to add as anon user
+        """
+
+        client = Client()
+        url = reverse('API:_api_organization_teams', kwargs={'organization_id': self.organization.id})
+
+
+        response = client.post(url, data={'team_name': 'team'})
+
+        assert response.status_code == 401
+
+
+    def test_team_auth_add_no_permission_denied(self):
+        """ Check correct permission for add
+
+        Attempt to add as user with no permissions
+        """
+
+        client = Client()
+        url = reverse('API:_api_organization_teams', kwargs={'organization_id': self.organization.id})
+
+
+        client.force_login(self.no_permissions_user)
+        response = client.post(url, data={'team_name': 'team'})
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_add_different_organization_denied(self):
+        """ Check correct permission for add
+
+        attempt to add as user from different organization
+        """
+
+        client = Client()
+        url = reverse('API:_api_organization_teams', kwargs={'organization_id': self.organization.id})
+
+
+        client.force_login(self.different_organization_user)
+        response = client.post(url, data={'team_name': 'team'})
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_add_permission_view_denied(self):
+        """ Check correct permission for add
+
+        Attempt to add a user with view permission
+        """
+
+        client = Client()
+        url = reverse('API:_api_organization_teams', kwargs={'organization_id': self.organization.id})
+
+
+        client.force_login(self.view_user)
+        response = client.post(url, data={'team_name': 'team'})
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_add_has_permission(self):
+        """ Check correct permission for add 
+
+        Attempt to add as user with no permission
+        """
+
+        client = Client()
+        url = reverse('API:_api_organization_teams', kwargs={'organization_id': self.organization.id})
+
+
+        client.force_login(self.add_user)
+        response = client.post(url, {'team_name': 'team_post'})
+
+        assert response.status_code == 201
+
+
+
+    def test_team_auth_change_user_anon_denied(self):
+        """ Check correct permission for change
+
+        Attempt to change as anon
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        response = client.patch(url, data={'team': 'team'})
+
+        assert response.status_code == 401
+
+
+    def test_team_auth_change_no_permission_denied(self):
+        """ Ensure permission view cant make change
+
+        Attempt to make change as user without permissions
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.no_permissions_user)
+        response = client.patch(url, data={'team': 'team'})
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_change_different_organization_denied(self):
+        """ Ensure permission view cant make change
+
+        Attempt to make change as user from different organization
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.different_organization_user)
+        response = client.patch(url, data={'team': 'team'})
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_change_permission_view_denied(self):
+        """ Ensure permission view cant make change
+
+        Attempt to make change as user with view permission
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.view_user)
+        response = client.patch(url, data={'team': 'team'})
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_change_permission_add_denied(self):
+        """ Ensure permission view cant make change
+
+        Attempt to make change as user with add permission
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.add_user)
+        response = client.patch(url, data={'team': 'team'})
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_change_has_permission(self):
+        """ Check correct permission for change
+
+        Make change with user who has change permission
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.change_user)
+        response = client.patch(url, data={'id': self.item.id, 'team_name': 'team'})
+
+        assert response.status_code == 200
+
+
+
+    def test_team_auth_delete_user_anon_denied(self):
+        """ Check correct permission for delete
+
+        Attempt to delete item as anon user
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        response = client.delete(url, data={'team': 'team'})
+
+        assert response.status_code == 401
+
+
+    def test_team_auth_delete_no_permission_denied(self):
+        """ Check correct permission for delete
+
+        Attempt to delete as user with no permissons
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.no_permissions_user)
+        response = client.delete(url, data={'team': 'team'})
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_delete_different_organization_denied(self):
+        """ Check correct permission for delete
+
+        Attempt to delete as user from different organization
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.different_organization_user)
+        response = client.delete(url, data={'team': 'team'})
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_delete_permission_view_denied(self):
+        """ Check correct permission for delete
+
+        Attempt to delete as user with veiw permission only
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.view_user)
+        response = client.delete(url, data={'team': 'team'})
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_delete_permission_add_denied(self):
+        """ Check correct permission for delete
+
+        Attempt to delete as user with add permission only
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.add_user)
+        response = client.delete(url, data={'team': 'team'})
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_delete_permission_change_denied(self):
+        """ Check correct permission for delete
+
+        Attempt to delete as user with change permission only
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.change_user)
+        response = client.delete(url, data={'team': 'team'})
+
+        assert response.status_code == 403
+
+
+    def test_team_auth_delete_has_permission(self):
+        """ Check correct permission for delete
+
+        Delete item as user with delete permission
+        """
+
+        client = Client()
+        url = reverse('API:_api_team', kwargs={'organization_id': self.organization.id, 'group_ptr_id': self.item.id})
+
+
+        client.force_login(self.delete_user)
+        response = client.delete(url, data={'group_ptr_id': self.item.id}, content_type='application/json')
+
+        assert response.status_code == 204