♻️(models) rename document/template access rights
The "member" access right does not make sense for documents and templates. What we really need are "editor" and "reader" access rights.
This commit is contained in:
Samuel Paccoud - DINUM
committed by
Samuel Paccoud
Samuel Paccoud
parent
51325df7d9
commit
926fe37e85
@@ -45,14 +45,12 @@ def test_api_documents_delete_authenticated_unrelated():
|
||||
assert models.Document.objects.count() == 1
|
||||
|
||||
|
||||
@pytest.mark.parametrize("role", ["member", "administrator"])
|
||||
@pytest.mark.parametrize("role", ["reader", "editor", "administrator"])
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_documents_delete_authenticated_member_or_administrator(
|
||||
via, role, mock_user_get_teams
|
||||
):
|
||||
def test_api_documents_delete_authenticated_not_owner(via, role, mock_user_get_teams):
|
||||
"""
|
||||
Authenticated users should not be allowed to delete a document for which they are
|
||||
only a member or administrator.
|
||||
only a reader, editor or administrator.
|
||||
"""
|
||||
user = factories.UserFactory()
|
||||
|
||||
|
||||
@@ -161,7 +161,10 @@ def test_api_documents_retrieve_authenticated_related_team_none(mock_user_get_te
|
||||
document = factories.DocumentFactory(is_public=False)
|
||||
|
||||
factories.TeamDocumentAccessFactory(
|
||||
document=document, team="members", role="member"
|
||||
document=document, team="readers", role="reader"
|
||||
)
|
||||
factories.TeamDocumentAccessFactory(
|
||||
document=document, team="editors", role="editor"
|
||||
)
|
||||
factories.TeamDocumentAccessFactory(
|
||||
document=document, team="administrators", role="administrator"
|
||||
@@ -178,8 +181,10 @@ def test_api_documents_retrieve_authenticated_related_team_none(mock_user_get_te
|
||||
@pytest.mark.parametrize(
|
||||
"teams",
|
||||
[
|
||||
["members"],
|
||||
["unknown", "members"],
|
||||
["readers"],
|
||||
["unknown", "readers"],
|
||||
["editors"],
|
||||
["unknown", "editors"],
|
||||
],
|
||||
)
|
||||
def test_api_documents_retrieve_authenticated_related_team_members(
|
||||
@@ -198,8 +203,11 @@ def test_api_documents_retrieve_authenticated_related_team_members(
|
||||
|
||||
document = factories.DocumentFactory(is_public=False)
|
||||
|
||||
access_member = factories.TeamDocumentAccessFactory(
|
||||
document=document, team="members", role="member"
|
||||
access_reader = factories.TeamDocumentAccessFactory(
|
||||
document=document, team="readers", role="reader"
|
||||
)
|
||||
access_editor = factories.TeamDocumentAccessFactory(
|
||||
document=document, team="editors", role="editor"
|
||||
)
|
||||
access_administrator = factories.TeamDocumentAccessFactory(
|
||||
document=document, team="administrators", role="administrator"
|
||||
@@ -222,10 +230,17 @@ def test_api_documents_retrieve_authenticated_related_team_members(
|
||||
assert sorted(content.pop("accesses"), key=lambda x: x["id"]) == sorted(
|
||||
[
|
||||
{
|
||||
"id": str(access_member.id),
|
||||
"id": str(access_reader.id),
|
||||
"user": None,
|
||||
"team": "members",
|
||||
"role": access_member.role,
|
||||
"team": "readers",
|
||||
"role": access_reader.role,
|
||||
"abilities": expected_abilities,
|
||||
},
|
||||
{
|
||||
"id": str(access_editor.id),
|
||||
"user": None,
|
||||
"team": "editors",
|
||||
"role": access_editor.role,
|
||||
"abilities": expected_abilities,
|
||||
},
|
||||
{
|
||||
@@ -265,7 +280,7 @@ def test_api_documents_retrieve_authenticated_related_team_members(
|
||||
"teams",
|
||||
[
|
||||
["administrators"],
|
||||
["members", "administrators"],
|
||||
["editors", "administrators"],
|
||||
["unknown", "administrators"],
|
||||
],
|
||||
)
|
||||
@@ -285,8 +300,11 @@ def test_api_documents_retrieve_authenticated_related_team_administrators(
|
||||
|
||||
document = factories.DocumentFactory(is_public=False)
|
||||
|
||||
access_member = factories.TeamDocumentAccessFactory(
|
||||
document=document, team="members", role="member"
|
||||
access_reader = factories.TeamDocumentAccessFactory(
|
||||
document=document, team="readers", role="reader"
|
||||
)
|
||||
access_editor = factories.TeamDocumentAccessFactory(
|
||||
document=document, team="editors", role="editor"
|
||||
)
|
||||
access_administrator = factories.TeamDocumentAccessFactory(
|
||||
document=document, team="administrators", role="administrator"
|
||||
@@ -305,14 +323,26 @@ def test_api_documents_retrieve_authenticated_related_team_administrators(
|
||||
assert sorted(content.pop("accesses"), key=lambda x: x["id"]) == sorted(
|
||||
[
|
||||
{
|
||||
"id": str(access_member.id),
|
||||
"id": str(access_reader.id),
|
||||
"user": None,
|
||||
"team": "members",
|
||||
"role": "member",
|
||||
"team": "readers",
|
||||
"role": "reader",
|
||||
"abilities": {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"set_role_to": ["administrator"],
|
||||
"set_role_to": ["administrator", "editor"],
|
||||
"update": True,
|
||||
},
|
||||
},
|
||||
{
|
||||
"id": str(access_editor.id),
|
||||
"user": None,
|
||||
"team": "editors",
|
||||
"role": "editor",
|
||||
"abilities": {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"set_role_to": ["administrator", "reader"],
|
||||
"update": True,
|
||||
},
|
||||
},
|
||||
@@ -324,7 +354,7 @@ def test_api_documents_retrieve_authenticated_related_team_administrators(
|
||||
"abilities": {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"set_role_to": ["member"],
|
||||
"set_role_to": ["editor", "reader"],
|
||||
"update": True,
|
||||
},
|
||||
},
|
||||
@@ -384,8 +414,11 @@ def test_api_documents_retrieve_authenticated_related_team_owners(
|
||||
|
||||
document = factories.DocumentFactory(is_public=False)
|
||||
|
||||
access_member = factories.TeamDocumentAccessFactory(
|
||||
document=document, team="members", role="member"
|
||||
access_reader = factories.TeamDocumentAccessFactory(
|
||||
document=document, team="readers", role="reader"
|
||||
)
|
||||
access_editor = factories.TeamDocumentAccessFactory(
|
||||
document=document, team="editors", role="editor"
|
||||
)
|
||||
access_administrator = factories.TeamDocumentAccessFactory(
|
||||
document=document, team="administrators", role="administrator"
|
||||
@@ -404,14 +437,26 @@ def test_api_documents_retrieve_authenticated_related_team_owners(
|
||||
assert sorted(content.pop("accesses"), key=lambda x: x["id"]) == sorted(
|
||||
[
|
||||
{
|
||||
"id": str(access_member.id),
|
||||
"id": str(access_reader.id),
|
||||
"user": None,
|
||||
"team": "members",
|
||||
"role": "member",
|
||||
"team": "readers",
|
||||
"role": "reader",
|
||||
"abilities": {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"set_role_to": ["owner", "administrator"],
|
||||
"set_role_to": ["owner", "administrator", "editor"],
|
||||
"update": True,
|
||||
},
|
||||
},
|
||||
{
|
||||
"id": str(access_editor.id),
|
||||
"user": None,
|
||||
"team": "editors",
|
||||
"role": "editor",
|
||||
"abilities": {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"set_role_to": ["owner", "administrator", "reader"],
|
||||
"update": True,
|
||||
},
|
||||
},
|
||||
@@ -423,7 +468,7 @@ def test_api_documents_retrieve_authenticated_related_team_owners(
|
||||
"abilities": {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"set_role_to": ["owner", "member"],
|
||||
"set_role_to": ["owner", "editor", "reader"],
|
||||
"update": True,
|
||||
},
|
||||
},
|
||||
@@ -436,7 +481,7 @@ def test_api_documents_retrieve_authenticated_related_team_owners(
|
||||
# editable only if there is another owner role than the user's team...
|
||||
"destroy": other_access.role == "owner",
|
||||
"retrieve": True,
|
||||
"set_role_to": ["administrator", "member"]
|
||||
"set_role_to": ["administrator", "editor", "reader"]
|
||||
if other_access.role == "owner"
|
||||
else [],
|
||||
"update": other_access.role == "owner",
|
||||
|
||||
@@ -66,9 +66,9 @@ def test_api_documents_update_authenticated_unrelated():
|
||||
|
||||
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_documents_update_authenticated_members(via, mock_user_get_teams):
|
||||
def test_api_documents_update_authenticated_reader(via, mock_user_get_teams):
|
||||
"""
|
||||
Users who are members of a document but not administrators should
|
||||
Users who are editors or reader of a document but not administrators should
|
||||
not be allowed to update it.
|
||||
"""
|
||||
user = factories.UserFactory()
|
||||
@@ -78,11 +78,11 @@ def test_api_documents_update_authenticated_members(via, mock_user_get_teams):
|
||||
|
||||
document = factories.DocumentFactory()
|
||||
if via == USER:
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role="member")
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role="reader")
|
||||
elif via == TEAM:
|
||||
mock_user_get_teams.return_value = ["lasuite", "unknown"]
|
||||
factories.TeamDocumentAccessFactory(
|
||||
document=document, team="lasuite", role="member"
|
||||
document=document, team="lasuite", role="reader"
|
||||
)
|
||||
|
||||
old_document_values = serializers.DocumentSerializer(instance=document).data
|
||||
@@ -106,12 +106,12 @@ def test_api_documents_update_authenticated_members(via, mock_user_get_teams):
|
||||
assert document_values == old_document_values
|
||||
|
||||
|
||||
@pytest.mark.parametrize("role", ["administrator", "owner"])
|
||||
@pytest.mark.parametrize("role", ["editor", "administrator", "owner"])
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_documents_update_authenticated_administrator_or_owner(
|
||||
def test_api_documents_update_authenticated_editor_administrator_or_owner(
|
||||
via, role, mock_user_get_teams
|
||||
):
|
||||
"""Administrator or owner of a document should be allowed to update it."""
|
||||
"""A user who is editor, administrator or owner of a document should be allowed to update it."""
|
||||
user = factories.UserFactory()
|
||||
|
||||
client = APIClient()
|
||||
|
||||
@@ -45,7 +45,7 @@ def test_api_templates_delete_authenticated_unrelated():
|
||||
assert models.Template.objects.count() == 1
|
||||
|
||||
|
||||
@pytest.mark.parametrize("role", ["member", "administrator"])
|
||||
@pytest.mark.parametrize("role", ["reader", "editor", "administrator"])
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_templates_delete_authenticated_member_or_administrator(
|
||||
via, role, mock_user_get_teams
|
||||
|
||||
@@ -160,7 +160,10 @@ def test_api_templates_retrieve_authenticated_related_team_none(mock_user_get_te
|
||||
template = factories.TemplateFactory(is_public=False)
|
||||
|
||||
factories.TeamTemplateAccessFactory(
|
||||
template=template, team="members", role="member"
|
||||
template=template, team="readers", role="reader"
|
||||
)
|
||||
factories.TeamTemplateAccessFactory(
|
||||
template=template, team="editors", role="editor"
|
||||
)
|
||||
factories.TeamTemplateAccessFactory(
|
||||
template=template, team="administrators", role="administrator"
|
||||
@@ -177,11 +180,13 @@ def test_api_templates_retrieve_authenticated_related_team_none(mock_user_get_te
|
||||
@pytest.mark.parametrize(
|
||||
"teams",
|
||||
[
|
||||
["members"],
|
||||
["unknown", "members"],
|
||||
["readers"],
|
||||
["unknown", "readers"],
|
||||
["editors"],
|
||||
["unknown", "editors"],
|
||||
],
|
||||
)
|
||||
def test_api_templates_retrieve_authenticated_related_team_members(
|
||||
def test_api_templates_retrieve_authenticated_related_team_readers_or_editors(
|
||||
teams, mock_user_get_teams
|
||||
):
|
||||
"""
|
||||
@@ -197,8 +202,11 @@ def test_api_templates_retrieve_authenticated_related_team_members(
|
||||
|
||||
template = factories.TemplateFactory(is_public=False)
|
||||
|
||||
access_member = factories.TeamTemplateAccessFactory(
|
||||
template=template, team="members", role="member"
|
||||
access_reader = factories.TeamTemplateAccessFactory(
|
||||
template=template, team="readers", role="reader"
|
||||
)
|
||||
access_editor = factories.TeamTemplateAccessFactory(
|
||||
template=template, team="editors", role="editor"
|
||||
)
|
||||
access_administrator = factories.TeamTemplateAccessFactory(
|
||||
template=template, team="administrators", role="administrator"
|
||||
@@ -221,10 +229,17 @@ def test_api_templates_retrieve_authenticated_related_team_members(
|
||||
assert sorted(content.pop("accesses"), key=lambda x: x["id"]) == sorted(
|
||||
[
|
||||
{
|
||||
"id": str(access_member.id),
|
||||
"id": str(access_reader.id),
|
||||
"user": None,
|
||||
"team": "members",
|
||||
"role": access_member.role,
|
||||
"team": "readers",
|
||||
"role": access_reader.role,
|
||||
"abilities": expected_abilities,
|
||||
},
|
||||
{
|
||||
"id": str(access_editor.id),
|
||||
"user": None,
|
||||
"team": "editors",
|
||||
"role": access_editor.role,
|
||||
"abilities": expected_abilities,
|
||||
},
|
||||
{
|
||||
@@ -285,8 +300,11 @@ def test_api_templates_retrieve_authenticated_related_team_administrators(
|
||||
|
||||
template = factories.TemplateFactory(is_public=False)
|
||||
|
||||
access_member = factories.TeamTemplateAccessFactory(
|
||||
template=template, team="members", role="member"
|
||||
access_reader = factories.TeamTemplateAccessFactory(
|
||||
template=template, team="readers", role="reader"
|
||||
)
|
||||
access_editor = factories.TeamTemplateAccessFactory(
|
||||
template=template, team="editors", role="editor"
|
||||
)
|
||||
access_administrator = factories.TeamTemplateAccessFactory(
|
||||
template=template, team="administrators", role="administrator"
|
||||
@@ -304,14 +322,26 @@ def test_api_templates_retrieve_authenticated_related_team_administrators(
|
||||
assert sorted(content.pop("accesses"), key=lambda x: x["id"]) == sorted(
|
||||
[
|
||||
{
|
||||
"id": str(access_member.id),
|
||||
"id": str(access_reader.id),
|
||||
"user": None,
|
||||
"team": "members",
|
||||
"role": "member",
|
||||
"team": "readers",
|
||||
"role": "reader",
|
||||
"abilities": {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"set_role_to": ["administrator"],
|
||||
"set_role_to": ["administrator", "editor"],
|
||||
"update": True,
|
||||
},
|
||||
},
|
||||
{
|
||||
"id": str(access_editor.id),
|
||||
"user": None,
|
||||
"team": "editors",
|
||||
"role": "editor",
|
||||
"abilities": {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"set_role_to": ["administrator", "reader"],
|
||||
"update": True,
|
||||
},
|
||||
},
|
||||
@@ -323,7 +353,7 @@ def test_api_templates_retrieve_authenticated_related_team_administrators(
|
||||
"abilities": {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"set_role_to": ["member"],
|
||||
"set_role_to": ["editor", "reader"],
|
||||
"update": True,
|
||||
},
|
||||
},
|
||||
@@ -384,8 +414,11 @@ def test_api_templates_retrieve_authenticated_related_team_owners(
|
||||
|
||||
template = factories.TemplateFactory(is_public=False)
|
||||
|
||||
access_member = factories.TeamTemplateAccessFactory(
|
||||
template=template, team="members", role="member"
|
||||
access_reader = factories.TeamTemplateAccessFactory(
|
||||
template=template, team="readers", role="reader"
|
||||
)
|
||||
access_editor = factories.TeamTemplateAccessFactory(
|
||||
template=template, team="editors", role="editor"
|
||||
)
|
||||
access_administrator = factories.TeamTemplateAccessFactory(
|
||||
template=template, team="administrators", role="administrator"
|
||||
@@ -403,14 +436,26 @@ def test_api_templates_retrieve_authenticated_related_team_owners(
|
||||
assert sorted(content.pop("accesses"), key=lambda x: x["id"]) == sorted(
|
||||
[
|
||||
{
|
||||
"id": str(access_member.id),
|
||||
"id": str(access_reader.id),
|
||||
"user": None,
|
||||
"team": "members",
|
||||
"role": "member",
|
||||
"team": "readers",
|
||||
"role": "reader",
|
||||
"abilities": {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"set_role_to": ["owner", "administrator"],
|
||||
"set_role_to": ["owner", "administrator", "editor"],
|
||||
"update": True,
|
||||
},
|
||||
},
|
||||
{
|
||||
"id": str(access_editor.id),
|
||||
"user": None,
|
||||
"team": "editors",
|
||||
"role": "editor",
|
||||
"abilities": {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"set_role_to": ["owner", "administrator", "reader"],
|
||||
"update": True,
|
||||
},
|
||||
},
|
||||
@@ -422,7 +467,7 @@ def test_api_templates_retrieve_authenticated_related_team_owners(
|
||||
"abilities": {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"set_role_to": ["owner", "member"],
|
||||
"set_role_to": ["owner", "editor", "reader"],
|
||||
"update": True,
|
||||
},
|
||||
},
|
||||
@@ -435,7 +480,7 @@ def test_api_templates_retrieve_authenticated_related_team_owners(
|
||||
# editable only if there is another owner role than the user's team...
|
||||
"destroy": other_access.role == "owner",
|
||||
"retrieve": True,
|
||||
"set_role_to": ["administrator", "member"]
|
||||
"set_role_to": ["administrator", "editor", "reader"]
|
||||
if other_access.role == "owner"
|
||||
else [],
|
||||
"update": other_access.role == "owner",
|
||||
|
||||
@@ -66,10 +66,9 @@ def test_api_templates_update_authenticated_unrelated():
|
||||
|
||||
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_templates_update_authenticated_members(via, mock_user_get_teams):
|
||||
def test_api_templates_update_authenticated_readers(via, mock_user_get_teams):
|
||||
"""
|
||||
Users who are members of a template but not administrators should
|
||||
not be allowed to update it.
|
||||
Users who are readers of a template should not be allowed to update it.
|
||||
"""
|
||||
user = factories.UserFactory()
|
||||
|
||||
@@ -78,11 +77,11 @@ def test_api_templates_update_authenticated_members(via, mock_user_get_teams):
|
||||
|
||||
template = factories.TemplateFactory()
|
||||
if via == USER:
|
||||
factories.UserTemplateAccessFactory(template=template, user=user, role="member")
|
||||
factories.UserTemplateAccessFactory(template=template, user=user, role="reader")
|
||||
elif via == TEAM:
|
||||
mock_user_get_teams.return_value = ["lasuite", "unknown"]
|
||||
factories.TeamTemplateAccessFactory(
|
||||
template=template, team="lasuite", role="member"
|
||||
template=template, team="lasuite", role="reader"
|
||||
)
|
||||
|
||||
old_template_values = serializers.TemplateSerializer(instance=template).data
|
||||
@@ -106,9 +105,9 @@ def test_api_templates_update_authenticated_members(via, mock_user_get_teams):
|
||||
assert template_values == old_template_values
|
||||
|
||||
|
||||
@pytest.mark.parametrize("role", ["administrator", "owner"])
|
||||
@pytest.mark.parametrize("role", ["editor", "administrator", "owner"])
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_templates_update_authenticated_administrator_or_owner(
|
||||
def test_api_templates_update_authenticated_editor_or_administrator_or_owner(
|
||||
via, role, mock_user_get_teams
|
||||
):
|
||||
"""Administrator or owner of a template should be allowed to update it."""
|
||||
|
||||
@@ -254,9 +254,12 @@ def test_api_document_accesses_create_authenticated_unrelated():
|
||||
assert not models.DocumentAccess.objects.filter(user=other_user).exists()
|
||||
|
||||
|
||||
@pytest.mark.parametrize("role", ["reader", "editor"])
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_document_accesses_create_authenticated_member(via, mock_user_get_teams):
|
||||
"""Members of a document should not be allowed to create document accesses."""
|
||||
def test_api_document_accesses_create_authenticated_reader_or_editor(
|
||||
via, role, mock_user_get_teams
|
||||
):
|
||||
"""Readers or editors of a document should not be allowed to create document accesses."""
|
||||
user = factories.UserFactory()
|
||||
|
||||
client = APIClient()
|
||||
@@ -264,21 +267,21 @@ def test_api_document_accesses_create_authenticated_member(via, mock_user_get_te
|
||||
|
||||
document = factories.DocumentFactory()
|
||||
if via == USER:
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role="member")
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role=role)
|
||||
elif via == TEAM:
|
||||
mock_user_get_teams.return_value = ["lasuite", "unknown"]
|
||||
factories.TeamDocumentAccessFactory(
|
||||
document=document, team="lasuite", role="member"
|
||||
document=document, team="lasuite", role=role
|
||||
)
|
||||
|
||||
other_user = factories.UserFactory()
|
||||
|
||||
for role in [role[0] for role in models.RoleChoices.choices]:
|
||||
for new_role in [role[0] for role in models.RoleChoices.choices]:
|
||||
response = client.post(
|
||||
f"/api/v1.0/documents/{document.id!s}/accesses/",
|
||||
{
|
||||
"user": str(other_user.id),
|
||||
"role": role,
|
||||
"role": new_role,
|
||||
},
|
||||
format="json",
|
||||
)
|
||||
@@ -456,9 +459,12 @@ def test_api_document_accesses_update_authenticated_unrelated():
|
||||
assert updated_values == old_values
|
||||
|
||||
|
||||
@pytest.mark.parametrize("role", ["reader", "editor"])
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_document_accesses_update_authenticated_member(via, mock_user_get_teams):
|
||||
"""Members of a document should not be allowed to update its accesses."""
|
||||
def test_api_document_accesses_update_authenticated_reader_or_editor(
|
||||
via, role, mock_user_get_teams
|
||||
):
|
||||
"""Readers or editors of a document should not be allowed to update its accesses."""
|
||||
user = factories.UserFactory()
|
||||
|
||||
client = APIClient()
|
||||
@@ -466,11 +472,11 @@ def test_api_document_accesses_update_authenticated_member(via, mock_user_get_te
|
||||
|
||||
document = factories.DocumentFactory()
|
||||
if via == USER:
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role="member")
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role=role)
|
||||
elif via == TEAM:
|
||||
mock_user_get_teams.return_value = ["lasuite", "unknown"]
|
||||
factories.TeamDocumentAccessFactory(
|
||||
document=document, team="lasuite", role="member"
|
||||
document=document, team="lasuite", role=role
|
||||
)
|
||||
|
||||
access = factories.UserDocumentAccessFactory(document=document)
|
||||
@@ -521,14 +527,14 @@ def test_api_document_accesses_update_administrator_except_owner(
|
||||
|
||||
access = factories.UserDocumentAccessFactory(
|
||||
document=document,
|
||||
role=random.choice(["administrator", "member"]),
|
||||
role=random.choice(["administrator", "editor", "reader"]),
|
||||
)
|
||||
old_values = serializers.DocumentAccessSerializer(instance=access).data
|
||||
|
||||
new_values = {
|
||||
"id": uuid4(),
|
||||
"user_id": factories.UserFactory().id,
|
||||
"role": random.choice(["administrator", "member"]),
|
||||
"role": random.choice(["administrator", "editor", "reader"]),
|
||||
}
|
||||
|
||||
for field, value in new_values.items():
|
||||
@@ -629,7 +635,7 @@ def test_api_document_accesses_update_administrator_to_owner(via, mock_user_get_
|
||||
access = factories.UserDocumentAccessFactory(
|
||||
document=document,
|
||||
user=other_user,
|
||||
role=random.choice(["administrator", "member"]),
|
||||
role=random.choice(["administrator", "editor", "reader"]),
|
||||
)
|
||||
old_values = serializers.DocumentAccessSerializer(instance=access).data
|
||||
|
||||
@@ -736,7 +742,7 @@ def test_api_document_accesses_update_owner_self(via, mock_user_get_teams):
|
||||
)
|
||||
|
||||
old_values = serializers.DocumentAccessSerializer(instance=access).data
|
||||
new_role = random.choice(["administrator", "member"])
|
||||
new_role = random.choice(["administrator", "editor", "reader"])
|
||||
|
||||
response = client.put(
|
||||
f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
|
||||
@@ -797,11 +803,12 @@ def test_api_document_accesses_delete_authenticated():
|
||||
assert models.DocumentAccess.objects.count() == 1
|
||||
|
||||
|
||||
@pytest.mark.parametrize("role", ["reader", "editor"])
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_document_accesses_delete_member(via, mock_user_get_teams):
|
||||
def test_api_document_accesses_delete_reader_or_editor(via, role, mock_user_get_teams):
|
||||
"""
|
||||
Authenticated users should not be allowed to delete a document access for a
|
||||
document in which they are a simple member.
|
||||
document in which they are a simple reader or editor.
|
||||
"""
|
||||
user = factories.UserFactory()
|
||||
|
||||
@@ -810,11 +817,11 @@ def test_api_document_accesses_delete_member(via, mock_user_get_teams):
|
||||
|
||||
document = factories.DocumentFactory()
|
||||
if via == USER:
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role="member")
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role=role)
|
||||
elif via == TEAM:
|
||||
mock_user_get_teams.return_value = ["lasuite", "unknown"]
|
||||
factories.TeamDocumentAccessFactory(
|
||||
document=document, team="lasuite", role="member"
|
||||
document=document, team="lasuite", role=role
|
||||
)
|
||||
|
||||
access = factories.UserDocumentAccessFactory(document=document)
|
||||
@@ -855,7 +862,7 @@ def test_api_document_accesses_delete_administrators_except_owners(
|
||||
)
|
||||
|
||||
access = factories.UserDocumentAccessFactory(
|
||||
document=document, role=random.choice(["member", "administrator"])
|
||||
document=document, role=random.choice(["reader", "editor", "administrator"])
|
||||
)
|
||||
|
||||
assert models.DocumentAccess.objects.count() == 2
|
||||
|
||||
@@ -57,13 +57,20 @@ def test_api_document_invitations__create__authenticated_outsider():
|
||||
@pytest.mark.parametrize(
|
||||
"inviting,invited,is_allowed",
|
||||
(
|
||||
["member", "member", False],
|
||||
["member", "administrator", False],
|
||||
["member", "owner", False],
|
||||
["administrator", "member", True],
|
||||
["reader", "reader", False],
|
||||
["reader", "editor", False],
|
||||
["reader", "administrator", False],
|
||||
["reader", "owner", False],
|
||||
["editor", "reader", False],
|
||||
["editor", "editor", False],
|
||||
["editor", "administrator", False],
|
||||
["editor", "owner", False],
|
||||
["administrator", "reader", True],
|
||||
["administrator", "editor", True],
|
||||
["administrator", "administrator", True],
|
||||
["administrator", "owner", False],
|
||||
["owner", "member", True],
|
||||
["owner", "reader", True],
|
||||
["owner", "editor", True],
|
||||
["owner", "administrator", True],
|
||||
["owner", "owner", True],
|
||||
),
|
||||
@@ -146,7 +153,7 @@ def test_api_document_invitations__create__cannot_duplicate_invitation():
|
||||
# Create a new invitation to the same document with the exact same email address
|
||||
invitation_values = {
|
||||
"email": existing_invitation.email,
|
||||
"role": random.choice(["administrator", "member"]),
|
||||
"role": random.choice(["administrator", "editor", "reader"]),
|
||||
}
|
||||
|
||||
client = APIClient()
|
||||
@@ -222,12 +229,12 @@ def test_api_document_invitations__list__authenticated(
|
||||
document=document, role="administrator", issuer=user
|
||||
)
|
||||
other_invitations = factories.InvitationFactory.create_batch(
|
||||
2, document=document, role="member", issuer=other_user
|
||||
2, document=document, role="reader", issuer=other_user
|
||||
)
|
||||
|
||||
# invitations from other documents should not be listed
|
||||
other_document = factories.DocumentFactory()
|
||||
factories.InvitationFactory.create_batch(2, document=other_document, role="member")
|
||||
factories.InvitationFactory.create_batch(2, document=other_document, role="reader")
|
||||
|
||||
client = APIClient()
|
||||
client.force_login(user)
|
||||
@@ -275,7 +282,7 @@ def test_api_document_invitations__list__expired_invitations_still_listed(settin
|
||||
settings.INVITATION_VALIDITY_DURATION = 1 # second
|
||||
expired_invitation = factories.InvitationFactory(
|
||||
document=document,
|
||||
role="member",
|
||||
role="reader",
|
||||
issuer=user,
|
||||
)
|
||||
time.sleep(1)
|
||||
@@ -467,17 +474,20 @@ def test_api_document_invitations__delete__privileged_members(
|
||||
assert response.status_code == status.HTTP_204_NO_CONTENT
|
||||
|
||||
|
||||
@pytest.mark.parametrize("role", ["reader", "editor"])
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_document_invitations__delete__members(via, mock_user_get_teams):
|
||||
"""Member should not be able to cancel invitation."""
|
||||
def test_api_document_invitations_delete_readers_or_editors(
|
||||
via, role, mock_user_get_teams
|
||||
):
|
||||
"""Readers or editors should not be able to cancel invitation."""
|
||||
user = factories.UserFactory()
|
||||
document = factories.DocumentFactory()
|
||||
if via == USER:
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role="member")
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role=role)
|
||||
elif via == TEAM:
|
||||
mock_user_get_teams.return_value = ["lasuite", "unknown"]
|
||||
factories.TeamDocumentAccessFactory(
|
||||
document=document, team="lasuite", role="member"
|
||||
document=document, team="lasuite", role=role
|
||||
)
|
||||
|
||||
invitation = factories.InvitationFactory(document=document)
|
||||
|
||||
@@ -437,11 +437,12 @@ def test_api_document_versions_delete_authenticated_private():
|
||||
assert response.json() == {"detail": "Not found."}
|
||||
|
||||
|
||||
@pytest.mark.parametrize("role", ["reader", "editor"])
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_document_versions_delete_member(via, mock_user_get_teams):
|
||||
def test_api_document_versions_delete_reader_or_editor(via, role, mock_user_get_teams):
|
||||
"""
|
||||
Authenticated users should not be allowed to delete a document version for a
|
||||
document in which they are a simple member.
|
||||
document in which they are a simple reader or editor.
|
||||
"""
|
||||
user = factories.UserFactory()
|
||||
|
||||
@@ -450,11 +451,11 @@ def test_api_document_versions_delete_member(via, mock_user_get_teams):
|
||||
|
||||
document = factories.DocumentFactory()
|
||||
if via == USER:
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role="member")
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role=role)
|
||||
elif via == TEAM:
|
||||
mock_user_get_teams.return_value = ["lasuite", "unknown"]
|
||||
factories.TeamDocumentAccessFactory(
|
||||
document=document, team="lasuite", role="member"
|
||||
document=document, team="lasuite", role=role
|
||||
)
|
||||
|
||||
# Create a new version should make it available to the user
|
||||
|
||||
@@ -254,9 +254,12 @@ def test_api_template_accesses_create_authenticated_unrelated():
|
||||
assert not models.TemplateAccess.objects.filter(user=other_user).exists()
|
||||
|
||||
|
||||
@pytest.mark.parametrize("role", ["reader", "editor"])
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_template_accesses_create_authenticated_member(via, mock_user_get_teams):
|
||||
"""Members of a template should not be allowed to create template accesses."""
|
||||
def test_api_template_accesses_create_authenticated_editor_or_reader(
|
||||
via, role, mock_user_get_teams
|
||||
):
|
||||
"""Editors or readers of a template should not be allowed to create template accesses."""
|
||||
user = factories.UserFactory()
|
||||
|
||||
client = APIClient()
|
||||
@@ -264,21 +267,21 @@ def test_api_template_accesses_create_authenticated_member(via, mock_user_get_te
|
||||
|
||||
template = factories.TemplateFactory()
|
||||
if via == USER:
|
||||
factories.UserTemplateAccessFactory(template=template, user=user, role="member")
|
||||
factories.UserTemplateAccessFactory(template=template, user=user, role=role)
|
||||
elif via == TEAM:
|
||||
mock_user_get_teams.return_value = ["lasuite", "unknown"]
|
||||
factories.TeamTemplateAccessFactory(
|
||||
template=template, team="lasuite", role="member"
|
||||
template=template, team="lasuite", role=role
|
||||
)
|
||||
|
||||
other_user = factories.UserFactory()
|
||||
|
||||
for role in [role[0] for role in models.RoleChoices.choices]:
|
||||
for new_role in [role[0] for role in models.RoleChoices.choices]:
|
||||
response = client.post(
|
||||
f"/api/v1.0/templates/{template.id!s}/accesses/",
|
||||
{
|
||||
"user": str(other_user.id),
|
||||
"role": role,
|
||||
"role": new_role,
|
||||
},
|
||||
format="json",
|
||||
)
|
||||
@@ -456,9 +459,12 @@ def test_api_template_accesses_update_authenticated_unrelated():
|
||||
assert updated_values == old_values
|
||||
|
||||
|
||||
@pytest.mark.parametrize("role", ["reader", "editor"])
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_template_accesses_update_authenticated_member(via, mock_user_get_teams):
|
||||
"""Members of a template should not be allowed to update its accesses."""
|
||||
def test_api_template_accesses_update_authenticated_editor_or_reader(
|
||||
via, role, mock_user_get_teams
|
||||
):
|
||||
"""Editors or readers of a template should not be allowed to update its accesses."""
|
||||
user = factories.UserFactory()
|
||||
|
||||
client = APIClient()
|
||||
@@ -466,11 +472,11 @@ def test_api_template_accesses_update_authenticated_member(via, mock_user_get_te
|
||||
|
||||
template = factories.TemplateFactory()
|
||||
if via == USER:
|
||||
factories.UserTemplateAccessFactory(template=template, user=user, role="member")
|
||||
factories.UserTemplateAccessFactory(template=template, user=user, role=role)
|
||||
elif via == TEAM:
|
||||
mock_user_get_teams.return_value = ["lasuite", "unknown"]
|
||||
factories.TeamTemplateAccessFactory(
|
||||
template=template, team="lasuite", role="member"
|
||||
template=template, team="lasuite", role=role
|
||||
)
|
||||
|
||||
access = factories.UserTemplateAccessFactory(template=template)
|
||||
@@ -521,14 +527,14 @@ def test_api_template_accesses_update_administrator_except_owner(
|
||||
|
||||
access = factories.UserTemplateAccessFactory(
|
||||
template=template,
|
||||
role=random.choice(["administrator", "member"]),
|
||||
role=random.choice(["administrator", "editor", "reader"]),
|
||||
)
|
||||
old_values = serializers.TemplateAccessSerializer(instance=access).data
|
||||
|
||||
new_values = {
|
||||
"id": uuid4(),
|
||||
"user_id": factories.UserFactory().id,
|
||||
"role": random.choice(["administrator", "member"]),
|
||||
"role": random.choice(["administrator", "editor", "reader"]),
|
||||
}
|
||||
|
||||
for field, value in new_values.items():
|
||||
@@ -629,7 +635,7 @@ def test_api_template_accesses_update_administrator_to_owner(via, mock_user_get_
|
||||
access = factories.UserTemplateAccessFactory(
|
||||
template=template,
|
||||
user=other_user,
|
||||
role=random.choice(["administrator", "member"]),
|
||||
role=random.choice(["administrator", "editor", "reader"]),
|
||||
)
|
||||
old_values = serializers.TemplateAccessSerializer(instance=access).data
|
||||
|
||||
@@ -736,7 +742,7 @@ def test_api_template_accesses_update_owner_self(via, mock_user_get_teams):
|
||||
)
|
||||
|
||||
old_values = serializers.TemplateAccessSerializer(instance=access).data
|
||||
new_role = random.choice(["administrator", "member"])
|
||||
new_role = random.choice(["administrator", "editor", "reader"])
|
||||
|
||||
response = client.put(
|
||||
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
|
||||
@@ -797,11 +803,12 @@ def test_api_template_accesses_delete_authenticated():
|
||||
assert models.TemplateAccess.objects.count() == 1
|
||||
|
||||
|
||||
@pytest.mark.parametrize("role", ["reader", "editor"])
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_api_template_accesses_delete_member(via, mock_user_get_teams):
|
||||
def test_api_template_accesses_delete_editor_or_reader(via, role, mock_user_get_teams):
|
||||
"""
|
||||
Authenticated users should not be allowed to delete a template access for a
|
||||
template in which they are a simple member.
|
||||
template in which they are a simple editor or reader.
|
||||
"""
|
||||
user = factories.UserFactory()
|
||||
|
||||
@@ -810,11 +817,11 @@ def test_api_template_accesses_delete_member(via, mock_user_get_teams):
|
||||
|
||||
template = factories.TemplateFactory()
|
||||
if via == USER:
|
||||
factories.UserTemplateAccessFactory(template=template, user=user, role="member")
|
||||
factories.UserTemplateAccessFactory(template=template, user=user, role=role)
|
||||
elif via == TEAM:
|
||||
mock_user_get_teams.return_value = ["lasuite", "unknown"]
|
||||
factories.TeamTemplateAccessFactory(
|
||||
template=template, team="lasuite", role="member"
|
||||
template=template, team="lasuite", role=role
|
||||
)
|
||||
|
||||
access = factories.UserTemplateAccessFactory(template=template)
|
||||
@@ -855,7 +862,7 @@ def test_api_template_accesses_delete_administrators_except_owners(
|
||||
)
|
||||
|
||||
access = factories.UserTemplateAccessFactory(
|
||||
template=template, role=random.choice(["member", "administrator"])
|
||||
template=template, role=random.choice(["reader", "editor", "administrator"])
|
||||
)
|
||||
|
||||
assert models.TemplateAccess.objects.count() == 2
|
||||
|
||||
@@ -17,11 +17,11 @@ def test_models_document_accesses_str():
|
||||
"""
|
||||
user = factories.UserFactory(email="david.bowman@example.com")
|
||||
access = factories.UserDocumentAccessFactory(
|
||||
role="member",
|
||||
role="reader",
|
||||
user=user,
|
||||
document__title="admins",
|
||||
)
|
||||
assert str(access) == "david.bowman@example.com is member in document admins"
|
||||
assert str(access) == "david.bowman@example.com is reader in document admins"
|
||||
|
||||
|
||||
def test_models_document_accesses_unique_user():
|
||||
@@ -119,7 +119,7 @@ def test_models_document_access_get_abilities_for_owner_of_self_allowed():
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["administrator", "member"],
|
||||
"set_role_to": ["administrator", "editor", "reader"],
|
||||
}
|
||||
|
||||
|
||||
@@ -149,7 +149,7 @@ def test_models_document_access_get_abilities_for_owner_of_owner():
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["administrator", "member"],
|
||||
"set_role_to": ["administrator", "editor", "reader"],
|
||||
}
|
||||
|
||||
|
||||
@@ -165,13 +165,13 @@ def test_models_document_access_get_abilities_for_owner_of_administrator():
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["owner", "member"],
|
||||
"set_role_to": ["owner", "editor", "reader"],
|
||||
}
|
||||
|
||||
|
||||
def test_models_document_access_get_abilities_for_owner_of_member():
|
||||
"""Check abilities of member access for the owner of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="member")
|
||||
def test_models_document_access_get_abilities_for_owner_of_editor():
|
||||
"""Check abilities of editor access for the owner of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="editor")
|
||||
factories.UserDocumentAccessFactory(document=access.document) # another one
|
||||
user = factories.UserDocumentAccessFactory(
|
||||
document=access.document, role="owner"
|
||||
@@ -181,7 +181,23 @@ def test_models_document_access_get_abilities_for_owner_of_member():
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["owner", "administrator"],
|
||||
"set_role_to": ["owner", "administrator", "reader"],
|
||||
}
|
||||
|
||||
|
||||
def test_models_document_access_get_abilities_for_owner_of_reader():
|
||||
"""Check abilities of reader access for the owner of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="reader")
|
||||
factories.UserDocumentAccessFactory(document=access.document) # another one
|
||||
user = factories.UserDocumentAccessFactory(
|
||||
document=access.document, role="owner"
|
||||
).user
|
||||
abilities = access.get_abilities(user)
|
||||
assert abilities == {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["owner", "administrator", "editor"],
|
||||
}
|
||||
|
||||
|
||||
@@ -216,13 +232,13 @@ def test_models_document_access_get_abilities_for_administrator_of_administrator
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["member"],
|
||||
"set_role_to": ["editor", "reader"],
|
||||
}
|
||||
|
||||
|
||||
def test_models_document_access_get_abilities_for_administrator_of_member():
|
||||
"""Check abilities of member access for the administrator of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="member")
|
||||
def test_models_document_access_get_abilities_for_administrator_of_editor():
|
||||
"""Check abilities of editor access for the administrator of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="editor")
|
||||
factories.UserDocumentAccessFactory(document=access.document) # another one
|
||||
user = factories.UserDocumentAccessFactory(
|
||||
document=access.document, role="administrator"
|
||||
@@ -232,19 +248,35 @@ def test_models_document_access_get_abilities_for_administrator_of_member():
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["administrator"],
|
||||
"set_role_to": ["administrator", "reader"],
|
||||
}
|
||||
|
||||
|
||||
# - for member
|
||||
def test_models_document_access_get_abilities_for_administrator_of_reader():
|
||||
"""Check abilities of reader access for the administrator of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="reader")
|
||||
factories.UserDocumentAccessFactory(document=access.document) # another one
|
||||
user = factories.UserDocumentAccessFactory(
|
||||
document=access.document, role="administrator"
|
||||
).user
|
||||
abilities = access.get_abilities(user)
|
||||
assert abilities == {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["administrator", "editor"],
|
||||
}
|
||||
|
||||
|
||||
def test_models_document_access_get_abilities_for_member_of_owner():
|
||||
"""Check abilities of owner access for the member of a document."""
|
||||
# - for editor
|
||||
|
||||
|
||||
def test_models_document_access_get_abilities_for_editor_of_owner():
|
||||
"""Check abilities of owner access for the editor of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="owner")
|
||||
factories.UserDocumentAccessFactory(document=access.document) # another one
|
||||
user = factories.UserDocumentAccessFactory(
|
||||
document=access.document, role="member"
|
||||
document=access.document, role="editor"
|
||||
).user
|
||||
abilities = access.get_abilities(user)
|
||||
assert abilities == {
|
||||
@@ -255,12 +287,12 @@ def test_models_document_access_get_abilities_for_member_of_owner():
|
||||
}
|
||||
|
||||
|
||||
def test_models_document_access_get_abilities_for_member_of_administrator():
|
||||
"""Check abilities of administrator access for the member of a document."""
|
||||
def test_models_document_access_get_abilities_for_editor_of_administrator():
|
||||
"""Check abilities of administrator access for the editor of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="administrator")
|
||||
factories.UserDocumentAccessFactory(document=access.document) # another one
|
||||
user = factories.UserDocumentAccessFactory(
|
||||
document=access.document, role="member"
|
||||
document=access.document, role="editor"
|
||||
).user
|
||||
abilities = access.get_abilities(user)
|
||||
assert abilities == {
|
||||
@@ -271,14 +303,70 @@ def test_models_document_access_get_abilities_for_member_of_administrator():
|
||||
}
|
||||
|
||||
|
||||
def test_models_document_access_get_abilities_for_member_of_member_user(
|
||||
def test_models_document_access_get_abilities_for_editor_of_editor_user(
|
||||
django_assert_num_queries
|
||||
):
|
||||
"""Check abilities of member access for the member of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="member")
|
||||
"""Check abilities of editor access for the editor of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="editor")
|
||||
factories.UserDocumentAccessFactory(document=access.document) # another one
|
||||
user = factories.UserDocumentAccessFactory(
|
||||
document=access.document, role="member"
|
||||
document=access.document, role="editor"
|
||||
).user
|
||||
|
||||
with django_assert_num_queries(1):
|
||||
abilities = access.get_abilities(user)
|
||||
|
||||
assert abilities == {
|
||||
"destroy": False,
|
||||
"retrieve": True,
|
||||
"update": False,
|
||||
"set_role_to": [],
|
||||
}
|
||||
|
||||
|
||||
# - for reader
|
||||
|
||||
|
||||
def test_models_document_access_get_abilities_for_reader_of_owner():
|
||||
"""Check abilities of owner access for the reader of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="owner")
|
||||
factories.UserDocumentAccessFactory(document=access.document) # another one
|
||||
user = factories.UserDocumentAccessFactory(
|
||||
document=access.document, role="reader"
|
||||
).user
|
||||
abilities = access.get_abilities(user)
|
||||
assert abilities == {
|
||||
"destroy": False,
|
||||
"retrieve": True,
|
||||
"update": False,
|
||||
"set_role_to": [],
|
||||
}
|
||||
|
||||
|
||||
def test_models_document_access_get_abilities_for_reader_of_administrator():
|
||||
"""Check abilities of administrator access for the reader of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="administrator")
|
||||
factories.UserDocumentAccessFactory(document=access.document) # another one
|
||||
user = factories.UserDocumentAccessFactory(
|
||||
document=access.document, role="reader"
|
||||
).user
|
||||
abilities = access.get_abilities(user)
|
||||
assert abilities == {
|
||||
"destroy": False,
|
||||
"retrieve": True,
|
||||
"update": False,
|
||||
"set_role_to": [],
|
||||
}
|
||||
|
||||
|
||||
def test_models_document_access_get_abilities_for_reader_of_reader_user(
|
||||
django_assert_num_queries
|
||||
):
|
||||
"""Check abilities of reader access for the reader of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="reader")
|
||||
factories.UserDocumentAccessFactory(document=access.document) # another one
|
||||
user = factories.UserDocumentAccessFactory(
|
||||
document=access.document, role="reader"
|
||||
).user
|
||||
|
||||
with django_assert_num_queries(1):
|
||||
@@ -294,11 +382,11 @@ def test_models_document_access_get_abilities_for_member_of_member_user(
|
||||
|
||||
def test_models_document_access_get_abilities_preset_role(django_assert_num_queries):
|
||||
"""No query is done if the role is preset, e.g., with a query annotation."""
|
||||
access = factories.UserDocumentAccessFactory(role="member")
|
||||
access = factories.UserDocumentAccessFactory(role="reader")
|
||||
user = factories.UserDocumentAccessFactory(
|
||||
document=access.document, role="member"
|
||||
document=access.document, role="reader"
|
||||
).user
|
||||
access.user_roles = ["member"]
|
||||
access.user_roles = ["reader"]
|
||||
|
||||
with django_assert_num_queries(0):
|
||||
abilities = access.get_abilities(user)
|
||||
|
||||
@@ -147,9 +147,28 @@ def test_models_documents_get_abilities_administrator():
|
||||
}
|
||||
|
||||
|
||||
def test_models_documents_get_abilities_member_user(django_assert_num_queries):
|
||||
"""Check abilities returned for the member of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="member")
|
||||
def test_models_documents_get_abilities_editor_user(django_assert_num_queries):
|
||||
"""Check abilities returned for the editor of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="editor")
|
||||
|
||||
with django_assert_num_queries(1):
|
||||
abilities = access.document.get_abilities(access.user)
|
||||
|
||||
assert abilities == {
|
||||
"destroy": False,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"manage_accesses": False,
|
||||
"partial_update": True,
|
||||
"versions_destroy": False,
|
||||
"versions_list": True,
|
||||
"versions_retrieve": True,
|
||||
}
|
||||
|
||||
|
||||
def test_models_documents_get_abilities_reader_user(django_assert_num_queries):
|
||||
"""Check abilities returned for the reader of a document."""
|
||||
access = factories.UserDocumentAccessFactory(role="reader")
|
||||
|
||||
with django_assert_num_queries(1):
|
||||
abilities = access.document.get_abilities(access.user)
|
||||
@@ -168,8 +187,8 @@ def test_models_documents_get_abilities_member_user(django_assert_num_queries):
|
||||
|
||||
def test_models_documents_get_abilities_preset_role(django_assert_num_queries):
|
||||
"""No query is done if the role is preset e.g. with query annotation."""
|
||||
access = factories.UserDocumentAccessFactory(role="member")
|
||||
access.document.user_roles = ["member"]
|
||||
access = factories.UserDocumentAccessFactory(role="reader")
|
||||
access.document.user_roles = ["reader"]
|
||||
|
||||
with django_assert_num_queries(0):
|
||||
abilities = access.document.get_abilities(access.user)
|
||||
|
||||
@@ -170,7 +170,7 @@ def test_models_invitation__new_user__user_creation_constant_num_queries(
|
||||
|
||||
def test_models_document_invitations_email():
|
||||
"""Check email invitation during invitation creation."""
|
||||
member_access = factories.UserDocumentAccessFactory(role="member")
|
||||
member_access = factories.UserDocumentAccessFactory(role="reader")
|
||||
document = member_access.document
|
||||
|
||||
# pylint: disable-next=no-member
|
||||
@@ -201,7 +201,7 @@ def test_models_document_invitations_email():
|
||||
def test_models_document_invitations_email_failed(mock_logger, _mock_send_mail):
|
||||
"""Check invitation behavior when an SMTP error occurs during invitation creation."""
|
||||
|
||||
member_access = factories.UserDocumentAccessFactory(role="member")
|
||||
member_access = factories.UserDocumentAccessFactory(role="reader")
|
||||
document = member_access.document
|
||||
|
||||
# pylint: disable-next=no-member
|
||||
@@ -288,17 +288,42 @@ def test_models_document_invitations_get_abilities_privileged_member(
|
||||
|
||||
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_models_document_invitations_get_abilities_member(via, mock_user_get_teams):
|
||||
"""Check abilities for a document member with 'member' role."""
|
||||
def test_models_document_invitations_get_abilities_reader(via, mock_user_get_teams):
|
||||
"""Check abilities for a document reader with 'reader' role."""
|
||||
|
||||
user = factories.UserFactory()
|
||||
document = factories.DocumentFactory()
|
||||
if via == USER:
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role="member")
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role="reader")
|
||||
elif via == TEAM:
|
||||
mock_user_get_teams.return_value = ["lasuite", "unknown"]
|
||||
factories.TeamDocumentAccessFactory(
|
||||
document=document, team="lasuite", role="member"
|
||||
document=document, team="lasuite", role="reader"
|
||||
)
|
||||
|
||||
invitation = factories.InvitationFactory(document=document)
|
||||
abilities = invitation.get_abilities(user)
|
||||
|
||||
assert abilities == {
|
||||
"destroy": False,
|
||||
"retrieve": True,
|
||||
"partial_update": False,
|
||||
"update": False,
|
||||
}
|
||||
|
||||
|
||||
@pytest.mark.parametrize("via", VIA)
|
||||
def test_models_document_invitations_get_abilities_editor(via, mock_user_get_teams):
|
||||
"""Check abilities for a document editor with 'editor' role."""
|
||||
|
||||
user = factories.UserFactory()
|
||||
document = factories.DocumentFactory()
|
||||
if via == USER:
|
||||
factories.UserDocumentAccessFactory(document=document, user=user, role="editor")
|
||||
elif via == TEAM:
|
||||
mock_user_get_teams.return_value = ["lasuite", "unknown"]
|
||||
factories.TeamDocumentAccessFactory(
|
||||
document=document, team="lasuite", role="editor"
|
||||
)
|
||||
|
||||
invitation = factories.InvitationFactory(document=document)
|
||||
|
||||
@@ -17,11 +17,11 @@ def test_models_template_accesses_str():
|
||||
"""
|
||||
user = factories.UserFactory(email="david.bowman@example.com")
|
||||
access = factories.UserTemplateAccessFactory(
|
||||
role="member",
|
||||
role="reader",
|
||||
user=user,
|
||||
template__title="admins",
|
||||
)
|
||||
assert str(access) == "david.bowman@example.com is member in template admins"
|
||||
assert str(access) == "david.bowman@example.com is reader in template admins"
|
||||
|
||||
|
||||
def test_models_template_accesses_unique_user():
|
||||
@@ -119,7 +119,7 @@ def test_models_template_access_get_abilities_for_owner_of_self_allowed():
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["administrator", "member"],
|
||||
"set_role_to": ["administrator", "editor", "reader"],
|
||||
}
|
||||
|
||||
|
||||
@@ -149,7 +149,7 @@ def test_models_template_access_get_abilities_for_owner_of_owner():
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["administrator", "member"],
|
||||
"set_role_to": ["administrator", "editor", "reader"],
|
||||
}
|
||||
|
||||
|
||||
@@ -165,13 +165,13 @@ def test_models_template_access_get_abilities_for_owner_of_administrator():
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["owner", "member"],
|
||||
"set_role_to": ["owner", "editor", "reader"],
|
||||
}
|
||||
|
||||
|
||||
def test_models_template_access_get_abilities_for_owner_of_member():
|
||||
"""Check abilities of member access for the owner of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="member")
|
||||
def test_models_template_access_get_abilities_for_owner_of_editor():
|
||||
"""Check abilities of editor access for the owner of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="editor")
|
||||
factories.UserTemplateAccessFactory(template=access.template) # another one
|
||||
user = factories.UserTemplateAccessFactory(
|
||||
template=access.template, role="owner"
|
||||
@@ -181,7 +181,23 @@ def test_models_template_access_get_abilities_for_owner_of_member():
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["owner", "administrator"],
|
||||
"set_role_to": ["owner", "administrator", "reader"],
|
||||
}
|
||||
|
||||
|
||||
def test_models_template_access_get_abilities_for_owner_of_reader():
|
||||
"""Check abilities of reader access for the owner of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="reader")
|
||||
factories.UserTemplateAccessFactory(template=access.template) # another one
|
||||
user = factories.UserTemplateAccessFactory(
|
||||
template=access.template, role="owner"
|
||||
).user
|
||||
abilities = access.get_abilities(user)
|
||||
assert abilities == {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["owner", "administrator", "editor"],
|
||||
}
|
||||
|
||||
|
||||
@@ -216,13 +232,13 @@ def test_models_template_access_get_abilities_for_administrator_of_administrator
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["member"],
|
||||
"set_role_to": ["editor", "reader"],
|
||||
}
|
||||
|
||||
|
||||
def test_models_template_access_get_abilities_for_administrator_of_member():
|
||||
"""Check abilities of member access for the administrator of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="member")
|
||||
def test_models_template_access_get_abilities_for_administrator_of_editor():
|
||||
"""Check abilities of editor access for the administrator of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="editor")
|
||||
factories.UserTemplateAccessFactory(template=access.template) # another one
|
||||
user = factories.UserTemplateAccessFactory(
|
||||
template=access.template, role="administrator"
|
||||
@@ -232,19 +248,35 @@ def test_models_template_access_get_abilities_for_administrator_of_member():
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["administrator"],
|
||||
"set_role_to": ["administrator", "reader"],
|
||||
}
|
||||
|
||||
|
||||
# - for member
|
||||
def test_models_template_access_get_abilities_for_administrator_of_reader():
|
||||
"""Check abilities of reader access for the administrator of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="reader")
|
||||
factories.UserTemplateAccessFactory(template=access.template) # another one
|
||||
user = factories.UserTemplateAccessFactory(
|
||||
template=access.template, role="administrator"
|
||||
).user
|
||||
abilities = access.get_abilities(user)
|
||||
assert abilities == {
|
||||
"destroy": True,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"set_role_to": ["administrator", "editor"],
|
||||
}
|
||||
|
||||
|
||||
def test_models_template_access_get_abilities_for_member_of_owner():
|
||||
"""Check abilities of owner access for the member of a template."""
|
||||
# - For editor
|
||||
|
||||
|
||||
def test_models_template_access_get_abilities_for_editor_of_owner():
|
||||
"""Check abilities of owner access for the editor of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="owner")
|
||||
factories.UserTemplateAccessFactory(template=access.template) # another one
|
||||
user = factories.UserTemplateAccessFactory(
|
||||
template=access.template, role="member"
|
||||
template=access.template, role="editor"
|
||||
).user
|
||||
abilities = access.get_abilities(user)
|
||||
assert abilities == {
|
||||
@@ -255,12 +287,12 @@ def test_models_template_access_get_abilities_for_member_of_owner():
|
||||
}
|
||||
|
||||
|
||||
def test_models_template_access_get_abilities_for_member_of_administrator():
|
||||
"""Check abilities of administrator access for the member of a template."""
|
||||
def test_models_template_access_get_abilities_for_editor_of_administrator():
|
||||
"""Check abilities of administrator access for the editor of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="administrator")
|
||||
factories.UserTemplateAccessFactory(template=access.template) # another one
|
||||
user = factories.UserTemplateAccessFactory(
|
||||
template=access.template, role="member"
|
||||
template=access.template, role="editor"
|
||||
).user
|
||||
abilities = access.get_abilities(user)
|
||||
assert abilities == {
|
||||
@@ -271,14 +303,70 @@ def test_models_template_access_get_abilities_for_member_of_administrator():
|
||||
}
|
||||
|
||||
|
||||
def test_models_template_access_get_abilities_for_member_of_member_user(
|
||||
def test_models_template_access_get_abilities_for_editor_of_editor_user(
|
||||
django_assert_num_queries
|
||||
):
|
||||
"""Check abilities of member access for the member of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="member")
|
||||
"""Check abilities of editor access for the editor of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="editor")
|
||||
factories.UserTemplateAccessFactory(template=access.template) # another one
|
||||
user = factories.UserTemplateAccessFactory(
|
||||
template=access.template, role="member"
|
||||
template=access.template, role="editor"
|
||||
).user
|
||||
|
||||
with django_assert_num_queries(1):
|
||||
abilities = access.get_abilities(user)
|
||||
|
||||
assert abilities == {
|
||||
"destroy": False,
|
||||
"retrieve": True,
|
||||
"update": False,
|
||||
"set_role_to": [],
|
||||
}
|
||||
|
||||
|
||||
# - For reader
|
||||
|
||||
|
||||
def test_models_template_access_get_abilities_for_reader_of_owner():
|
||||
"""Check abilities of owner access for the reader of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="owner")
|
||||
factories.UserTemplateAccessFactory(template=access.template) # another one
|
||||
user = factories.UserTemplateAccessFactory(
|
||||
template=access.template, role="reader"
|
||||
).user
|
||||
abilities = access.get_abilities(user)
|
||||
assert abilities == {
|
||||
"destroy": False,
|
||||
"retrieve": True,
|
||||
"update": False,
|
||||
"set_role_to": [],
|
||||
}
|
||||
|
||||
|
||||
def test_models_template_access_get_abilities_for_reader_of_administrator():
|
||||
"""Check abilities of administrator access for the reader of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="administrator")
|
||||
factories.UserTemplateAccessFactory(template=access.template) # another one
|
||||
user = factories.UserTemplateAccessFactory(
|
||||
template=access.template, role="reader"
|
||||
).user
|
||||
abilities = access.get_abilities(user)
|
||||
assert abilities == {
|
||||
"destroy": False,
|
||||
"retrieve": True,
|
||||
"update": False,
|
||||
"set_role_to": [],
|
||||
}
|
||||
|
||||
|
||||
def test_models_template_access_get_abilities_for_reader_of_reader_user(
|
||||
django_assert_num_queries
|
||||
):
|
||||
"""Check abilities of reader access for the reader of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="reader")
|
||||
factories.UserTemplateAccessFactory(template=access.template) # another one
|
||||
user = factories.UserTemplateAccessFactory(
|
||||
template=access.template, role="reader"
|
||||
).user
|
||||
|
||||
with django_assert_num_queries(1):
|
||||
@@ -294,11 +382,11 @@ def test_models_template_access_get_abilities_for_member_of_member_user(
|
||||
|
||||
def test_models_template_access_get_abilities_preset_role(django_assert_num_queries):
|
||||
"""No query is done if the role is preset, e.g., with a query annotation."""
|
||||
access = factories.UserTemplateAccessFactory(role="member")
|
||||
access = factories.UserTemplateAccessFactory(role="reader")
|
||||
user = factories.UserTemplateAccessFactory(
|
||||
template=access.template, role="member"
|
||||
template=access.template, role="reader"
|
||||
).user
|
||||
access.user_roles = ["member"]
|
||||
access.user_roles = ["reader"]
|
||||
|
||||
with django_assert_num_queries(0):
|
||||
abilities = access.get_abilities(user)
|
||||
|
||||
@@ -134,9 +134,26 @@ def test_models_templates_get_abilities_administrator():
|
||||
}
|
||||
|
||||
|
||||
def test_models_templates_get_abilities_member_user(django_assert_num_queries):
|
||||
"""Check abilities returned for the member of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="member")
|
||||
def test_models_templates_get_abilities_editor_user(django_assert_num_queries):
|
||||
"""Check abilities returned for the editor of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="editor")
|
||||
|
||||
with django_assert_num_queries(1):
|
||||
abilities = access.template.get_abilities(access.user)
|
||||
|
||||
assert abilities == {
|
||||
"destroy": False,
|
||||
"retrieve": True,
|
||||
"update": True,
|
||||
"manage_accesses": False,
|
||||
"partial_update": True,
|
||||
"generate_document": True,
|
||||
}
|
||||
|
||||
|
||||
def test_models_templates_get_abilities_reader_user(django_assert_num_queries):
|
||||
"""Check abilities returned for the reader of a template."""
|
||||
access = factories.UserTemplateAccessFactory(role="reader")
|
||||
|
||||
with django_assert_num_queries(1):
|
||||
abilities = access.template.get_abilities(access.user)
|
||||
@@ -153,8 +170,8 @@ def test_models_templates_get_abilities_member_user(django_assert_num_queries):
|
||||
|
||||
def test_models_templates_get_abilities_preset_role(django_assert_num_queries):
|
||||
"""No query is done if the role is preset e.g. with query annotation."""
|
||||
access = factories.UserTemplateAccessFactory(role="member")
|
||||
access.template.user_roles = ["member"]
|
||||
access = factories.UserTemplateAccessFactory(role="reader")
|
||||
access.template.user_roles = ["reader"]
|
||||
|
||||
with django_assert_num_queries(0):
|
||||
abilities = access.template.get_abilities(access.user)
|
||||
|
||||
Reference in New Issue
Block a user