From b24cf332072a07e53efa70453f2ad8dea9990656 Mon Sep 17 00:00:00 2001
From: Jon
Date: Thu, 6 Jun 2024 01:20:50 +0930
Subject: [PATCH] test(settings): view permission check for user settings !18 #48 #15
---
 .../test_user_settings_permissions.py | 153 ++++++++++++++++++
 1 file changed, 153 insertions(+)
 create mode 100644 app/settings/tests/user_settings/test_user_settings_permissions.py
diff --git a/app/settings/tests/user_settings/test_user_settings_permissions.py b/app/settings/tests/user_settings/test_user_settings_permissions.py
new file mode 100644
index 00000000..cdce5676
--- /dev/null
+++ b/app/settings/tests/user_settings/test_user_settings_permissions.py
@@ -0,0 +1,153 @@
+
+import pytest
+import unittest
+import requests
+
+from django.contrib.auth import get_user_model
+from django.contrib.auth.models import AnonymousUser, User
+from django.contrib.contenttypes.models import ContentType
+from django.shortcuts import reverse
+from django.test import TestCase, Client
+
+from access.models import Organization, Team, TeamUsers, Permission
+
+from settings.models.user_settings import UserSettings
+
+class UserSettingsPermissions(TestCase):
+
+
+ model = UserSettings
+
+ model_name = 'usersettings'
+ app_label = 'settings'
+
+
+ @classmethod
+ def setUpTestData(self):
+ """Setup Test
+
+ 1. Create an organization for user and item
+ . create an organization that is different to item
+ 2. Create a device
+ 3. create teams with each permission: view, add, change, delete
+ 4. create a user per team
+ """
+
+ organization = Organization.objects.create(name='test_org')
+
+ self.organization = organization
+
+ different_organization = Organization.objects.create(name='test_different_organization')
+
+
+ view_permissions = Permission.objects.get(
+ codename = 'view_' + self.model_name,
+ content_type = ContentType.objects.get(
+ app_label = self.app_label,
+ model = self.model_name,
+ )
+ )
+
+ view_team = Team.objects.create(
+ team_name = 'view_team',
+ organization = organization,
+ )
+
+ view_team.permissions.set([view_permissions])
+
+
+ self.no_permissions_user = User.objects.create_user(username="test_no_permissions", password="password")
+
+
+ self.view_user = User.objects.create_user(username="test_user_view", password="password")
+ teamuser = TeamUsers.objects.create(
+ team = view_team,
+ user = self.view_user
+ )
+
+
+ self.different_organization_user = User.objects.create_user(username="test_different_organization_user", password="password")
+
+
+ different_organization_team = Team.objects.create(
+ team_name = 'different_organization_team',
+ organization = different_organization,
+ )
+
+ different_organization_team.permissions.set([
+ view_permissions,
+ ])
+
+ TeamUsers.objects.create(
+ team = different_organization_team,
+ user = self.different_organization_user
+ )
+
+
+ self.item = self.model.objects.get(
+ user=self.view_user,
+ )
+
+
+
+
+ def test_user_settings_auth_view_user_anon_denied(self):
+ """ Check correct permission for view
+
+ Attempt to view as anon user
+ """
+
+ client = Client()
+ url = reverse('_settings_user', kwargs={'pk': self.view_user.id})
+
+ response = client.get(url)
+
+ assert response.status_code == 403
+
+
+ def test_user_settings_auth_view_no_permission_denied(self):
+ """ Check correct permission for view
+
+ Attempt to view with user missing permission
+ """
+
+ client = Client()
+ url = reverse('_settings_user', kwargs={'pk': self.view_user.id})
+
+
+ client.force_login(self.no_permissions_user)
+ response = client.get(url)
+
+ assert response.status_code == 403
+
+
+ def test_device_auth_view_different_organizaiton_denied(self):
+ """ Check correct permission for view
+
+ Attempt to view with user from different organization
+ """
+
+ client = Client()
+ url = reverse('_settings_user', kwargs={'pk': self.view_user.id})
+
+
+ client.force_login(self.different_organization_user)
+ response = client.get(url)
+
+ assert response.status_code == 403
+
+
+ def test_device_auth_view_has_permission(self):
+ """ Check correct permission for view
+
+ Attempt to view as user with view permission
+ """
+
+ client = Client()
+ url = reverse('_settings_user', kwargs={'pk': self.view_user.id})
+
+
+ client.force_login(self.view_user)
+ response = client.get(url)
+
+ assert response.status_code == 200
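Review bot: The only positive case, `test_device_auth_view_has_permission`, logs in `view_user` and requests `view_user`'s own settings (`pk=self.view_user.id`), so the suite never separates holding `view_usersettings` from owning the row — a same-organization user who has the view permission reading another user's settings is the horizontal-access case these checks exist for, and it is not pinned either way. Related: `self.item` is fetched in `setUpTestData` but every URL is built from `self.view_user.id`; if `_settings_user` resolves `pk` against the settings row rather than the user, the tests pass only because the two ids happen to coincide here, so confirm which it is and build the URL from `self.item.pk` if it is the former. The `setUpTestData` docstring ("Create a device", "teams with each permission: view, add, change, delete") and the `test_device_*` names (one with "organizaiton") look copied from the device tests and no longer describe this file; `setUpTestData` is a classmethod so its first parameter should be `cls`, and `pytest`, `unittest`, `requests`, `get_user_model`, `AnonymousUser` and `teamuser` are unused. A test along the following lines closes the gap; whether it should expect 403 or 200 depends on whether the view is owner-scoped or organization-scoped, which the hunk does not show.
```python
    # … unchanged: setUpTestData and the four existing tests …

    def test_user_settings_auth_view_other_user_same_org(self):
        """ Check view permission alone does not grant cross-user read

        Attempt to view another same-organization user's settings as a
        user who holds view_usersettings but does not own the row
        """

        peer = User.objects.create_user(username="test_user_view_peer", password="password")
        peer_team = Team.objects.create(team_name='peer_team', organization=self.organization)
        TeamUsers.objects.create(team=peer_team, user=peer)

        client = Client()
        url = reverse('_settings_user', kwargs={'pk': peer.id})

        client.force_login(self.view_user)
        response = client.get(url)

        # TODO(review): 403 if settings are owner-only; 200 if the view is organization-scoped
        assert response.status_code == 403
```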