(backend) drop JWT authentication in API tests

Force login to bypass authorization checks when necessary.

Note: Generating a session cookie through the OIDC flow
is not supported while testing our API.
Lebaud Antoine
2024-02-24 11:49:36 +01:00
committed by Samuel Paccoud
parent b9eee3e643
commit b1892ded17
8 changed files with 215 additions and 173 deletions


@@ -6,7 +6,6 @@ from rest_framework.test import APIClient
from core import factories from core import factories
from core.models import Template from core.models import Template
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db pytestmark = pytest.mark.django_db
@@ -30,15 +29,16 @@ def test_api_templates_create_authenticated():
as the owner of the newly created template. as the owner of the newly created template.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
response = APIClient().post( client = APIClient()
client.force_login(user)
response = client.post(
"/api/v1.0/templates/", "/api/v1.0/templates/",
{ {
"title": "my template", "title": "my template",
}, },
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 201 assert response.status_code == 201
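Review bot: With `client.force_login(user)` these requests now authenticate through the session cookie, and `APIClient()` is built with its default `enforce_csrf_checks=False`, so nothing in this commit exercises the CSRF check that session authentication applies to unsafe methods (the POST here, and the DELETE/PUT calls in the delete, update and accesses files). Consider one test that constructs `APIClient(enforce_csrf_checks=True)`, logs the user in, and asserts that a POST to `/api/v1.0/templates/` without a CSRF token is rejected with 403, so a regression that drops CSRF enforcement on the session-authenticated API is caught. Whether the API's authentication class enforces CSRF is not visible in this hunk, so confirm it against the DRF authentication settings before adding the test. The signature of test_api_templates_create_authenticated is outside the hunk.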


@@ -7,7 +7,6 @@ import pytest
from rest_framework.test import APIClient from rest_framework.test import APIClient
from core import factories, models from core import factories, models
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db pytestmark = pytest.mark.django_db
@@ -30,14 +29,15 @@ def test_api_templates_delete_authenticated_unrelated():
related. related.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
is_public = random.choice([True, False]) is_public = random.choice([True, False])
template = factories.TemplateFactory(is_public=is_public) template = factories.TemplateFactory(is_public=is_public)
response = APIClient().delete( response = client.delete(
f"/api/v1.0/templates/{template.id!s}/", f"/api/v1.0/templates/{template.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 if is_public else 404 assert response.status_code == 403 if is_public else 404
@@ -51,12 +51,14 @@ def test_api_templates_delete_authenticated_member(role):
only a member. only a member.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, role)]) template = factories.TemplateFactory(users=[(user, role)])
response = APIClient().delete( response = client.delete(
f"/api/v1.0/templates/{template.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" f"/api/v1.0/templates/{template.id}/",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -72,12 +74,14 @@ def test_api_templates_delete_authenticated_owner():
owner. owner.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "owner")]) template = factories.TemplateFactory(users=[(user, "owner")])
response = APIClient().delete( response = client.delete(
f"/api/v1.0/templates/{template.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" f"/api/v1.0/templates/{template.id}/",
) )
assert response.status_code == 204 assert response.status_code == 204
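Review bot: The pair `client = APIClient()` / `client.force_login(user)` is now pasted verbatim into every authenticated test of this file and of the create, generate-document, list, retrieve, update and accesses files, which makes the next change to how tests authenticate a multi-file edit. A pair of fixtures, a `user` fixture and a logged-in client fixture built on it, would let each test declare `def test_...(user, logged_in_client):` and drop the two lines; a name other than `client` avoids shadowing the pytest-django `client` fixture that `pytest.mark.django_db` suggests is available. The fixtures would live in a conftest shared by these files, which is not part of this commit. The signatures of the three delete tests are outside their hunks.
```python
@pytest.fixture
def user():
    return factories.UserFactory()


@pytest.fixture
def logged_in_client(user):
    api_client = APIClient()
    api_client.force_login(user)
    return api_client
```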


@@ -5,7 +5,6 @@ import pytest
from rest_framework.test import APIClient from rest_framework.test import APIClient
from core import factories from core import factories
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db pytestmark = pytest.mark.django_db
@@ -50,16 +49,17 @@ def test_api_templates_generate_document_anonymous_not_public():
def test_api_templates_generate_document_authenticated_public(): def test_api_templates_generate_document_authenticated_public():
"""Authenticated users can generate pdf document with public templates.""" """Authenticated users can generate pdf document with public templates."""
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=True) template = factories.TemplateFactory(is_public=True)
data = {"body": "# Test markdown body"} data = {"body": "# Test markdown body"}
response = APIClient().post( response = client.post(
f"/api/v1.0/templates/{template.id!s}/generate-document/", f"/api/v1.0/templates/{template.id!s}/generate-document/",
data, data,
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 200 assert response.status_code == 200
@@ -72,16 +72,17 @@ def test_api_templates_generate_document_authenticated_not_public():
that are not marked as public. that are not marked as public.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=False) template = factories.TemplateFactory(is_public=False)
data = {"body": "# Test markdown body"} data = {"body": "# Test markdown body"}
response = APIClient().post( response = client.post(
f"/api/v1.0/templates/{template.id!s}/generate-document/", f"/api/v1.0/templates/{template.id!s}/generate-document/",
data, data,
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 404 assert response.status_code == 404
@@ -91,16 +92,17 @@ def test_api_templates_generate_document_authenticated_not_public():
def test_api_templates_generate_document_related(): def test_api_templates_generate_document_related():
"""Users related to a template can generate pdf document.""" """Users related to a template can generate pdf document."""
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
access = factories.TemplateAccessFactory(user=user) access = factories.TemplateAccessFactory(user=user)
data = {"body": "# Test markdown body"} data = {"body": "# Test markdown body"}
response = APIClient().post( response = client.post(
f"/api/v1.0/templates/{access.template.id!s}/generate-document/", f"/api/v1.0/templates/{access.template.id!s}/generate-document/",
data, data,
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 200 assert response.status_code == 200


@@ -9,7 +9,6 @@ from rest_framework.status import HTTP_200_OK
from rest_framework.test import APIClient from rest_framework.test import APIClient
from core import factories from core import factories
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db pytestmark = pytest.mark.django_db
@@ -35,7 +34,9 @@ def test_api_templates_list_authenticated():
an owner/administrator/member of. an owner/administrator/member of.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
related_templates = [ related_templates = [
access.template access.template
@@ -48,8 +49,8 @@ def test_api_templates_list_authenticated():
str(template.id) for template in related_templates + public_templates str(template.id) for template in related_templates + public_templates
} }
response = APIClient().get( response = client.get(
"/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" "/api/v1.0/templates/",
) )
assert response.status_code == HTTP_200_OK assert response.status_code == HTTP_200_OK
@@ -65,7 +66,9 @@ def test_api_templates_list_pagination(
): ):
"""Pagination should work as expected.""" """Pagination should work as expected."""
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template_ids = [ template_ids = [
str(access.template.id) str(access.template.id)
@@ -73,8 +76,8 @@ def test_api_templates_list_pagination(
] ]
# Get page 1 # Get page 1
response = APIClient().get( response = client.get(
"/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" "/api/v1.0/templates/",
) )
assert response.status_code == HTTP_200_OK assert response.status_code == HTTP_200_OK
@@ -89,8 +92,8 @@ def test_api_templates_list_pagination(
template_ids.remove(item["id"]) template_ids.remove(item["id"])
# Get page 2 # Get page 2
response = APIClient().get( response = client.get(
"/api/v1.0/templates/?page=2", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" "/api/v1.0/templates/?page=2",
) )
assert response.status_code == HTTP_200_OK assert response.status_code == HTTP_200_OK
@@ -108,14 +111,16 @@ def test_api_templates_list_pagination(
def test_api_templates_list_authenticated_distinct(): def test_api_templates_list_authenticated_distinct():
"""A template with several related users should only be listed once.""" """A template with several related users should only be listed once."""
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
other_user = factories.UserFactory() other_user = factories.UserFactory()
template = factories.TemplateFactory(users=[user, other_user], is_public=True) template = factories.TemplateFactory(users=[user, other_user], is_public=True)
response = APIClient().get( response = client.get(
"/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" "/api/v1.0/templates/",
) )
assert response.status_code == HTTP_200_OK assert response.status_code == HTTP_200_OK


@@ -5,7 +5,6 @@ import pytest
from rest_framework.test import APIClient from rest_framework.test import APIClient
from core import factories from core import factories
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db pytestmark = pytest.mark.django_db
@@ -47,13 +46,14 @@ def test_api_templates_retrieve_authenticated_unrelated_public():
not related. not related.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=True) template = factories.TemplateFactory(is_public=True)
response = APIClient().get( response = client.get(
f"/api/v1.0/templates/{template.id!s}/", f"/api/v1.0/templates/{template.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 200 assert response.status_code == 200
assert response.json() == { assert response.json() == {
@@ -76,13 +76,14 @@ def test_api_templates_retrieve_authenticated_unrelated_not_public():
to which they are not related. to which they are not related.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=False) template = factories.TemplateFactory(is_public=False)
response = APIClient().get( response = client.get(
f"/api/v1.0/templates/{template.id!s}/", f"/api/v1.0/templates/{template.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 404 assert response.status_code == 404
assert response.json() == {"detail": "Not found."} assert response.json() == {"detail": "Not found."}
@@ -94,15 +95,16 @@ def test_api_templates_retrieve_authenticated_related():
are related whatever the role. are related whatever the role.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory() template = factories.TemplateFactory()
access1 = factories.TemplateAccessFactory(template=template, user=user) access1 = factories.TemplateAccessFactory(template=template, user=user)
access2 = factories.TemplateAccessFactory(template=template) access2 = factories.TemplateAccessFactory(template=template)
response = APIClient().get( response = client.get(
f"/api/v1.0/templates/{template.id!s}/", f"/api/v1.0/templates/{template.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 200 assert response.status_code == 200
content = response.json() content = response.json()


@@ -8,7 +8,6 @@ from rest_framework.test import APIClient
from core import factories from core import factories
from core.api import serializers from core.api import serializers
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db pytestmark = pytest.mark.django_db
@@ -41,7 +40,9 @@ def test_api_templates_update_authenticated_unrelated():
Authenticated users should not be allowed to update a template to which they are not related. Authenticated users should not be allowed to update a template to which they are not related.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=False) template = factories.TemplateFactory(is_public=False)
old_template_values = serializers.TemplateSerializer(instance=template).data old_template_values = serializers.TemplateSerializer(instance=template).data
@@ -49,11 +50,10 @@ def test_api_templates_update_authenticated_unrelated():
new_template_values = serializers.TemplateSerializer( new_template_values = serializers.TemplateSerializer(
instance=factories.TemplateFactory() instance=factories.TemplateFactory()
).data ).data
response = APIClient().put( response = client.put(
f"/api/v1.0/templates/{template.id!s}/", f"/api/v1.0/templates/{template.id!s}/",
new_template_values, new_template_values,
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 404 assert response.status_code == 404
@@ -70,7 +70,9 @@ def test_api_templates_update_authenticated_members():
not be allowed to update it. not be allowed to update it.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "member")]) template = factories.TemplateFactory(users=[(user, "member")])
old_template_values = serializers.TemplateSerializer(instance=template).data old_template_values = serializers.TemplateSerializer(instance=template).data
@@ -78,11 +80,10 @@ def test_api_templates_update_authenticated_members():
new_template_values = serializers.TemplateSerializer( new_template_values = serializers.TemplateSerializer(
instance=factories.TemplateFactory() instance=factories.TemplateFactory()
).data ).data
response = APIClient().put( response = client.put(
f"/api/v1.0/templates/{template.id!s}/", f"/api/v1.0/templates/{template.id!s}/",
new_template_values, new_template_values,
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -99,7 +100,9 @@ def test_api_templates_update_authenticated_members():
def test_api_templates_update_authenticated_administrators(role): def test_api_templates_update_authenticated_administrators(role):
"""Administrators of a template should be allowed to update it.""" """Administrators of a template should be allowed to update it."""
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, role)]) template = factories.TemplateFactory(users=[(user, role)])
old_template_values = serializers.TemplateSerializer(instance=template).data old_template_values = serializers.TemplateSerializer(instance=template).data
@@ -107,11 +110,10 @@ def test_api_templates_update_authenticated_administrators(role):
new_template_values = serializers.TemplateSerializer( new_template_values = serializers.TemplateSerializer(
instance=factories.TemplateFactory() instance=factories.TemplateFactory()
).data ).data
response = APIClient().put( response = client.put(
f"/api/v1.0/templates/{template.id!s}/", f"/api/v1.0/templates/{template.id!s}/",
new_template_values, new_template_values,
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 200 assert response.status_code == 200
@@ -130,7 +132,9 @@ def test_api_templates_update_administrator_or_owner_of_another():
another template. another template.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
factories.TemplateFactory(users=[(user, random.choice(["administrator", "owner"]))]) factories.TemplateFactory(users=[(user, random.choice(["administrator", "owner"]))])
is_public = random.choice([True, False]) is_public = random.choice([True, False])
@@ -140,11 +144,10 @@ def test_api_templates_update_administrator_or_owner_of_another():
new_template_values = serializers.TemplateSerializer( new_template_values = serializers.TemplateSerializer(
instance=factories.TemplateFactory() instance=factories.TemplateFactory()
).data ).data
response = APIClient().put( response = client.put(
f"/api/v1.0/templates/{template.id!s}/", f"/api/v1.0/templates/{template.id!s}/",
new_template_values, new_template_values,
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 if is_public else 404 assert response.status_code == 403 if is_public else 404


@@ -10,7 +10,6 @@ from rest_framework.test import APIClient
from core import factories, models from core import factories, models
from core.api import serializers from core.api import serializers
from .utils import OIDCToken
pytestmark = pytest.mark.django_db pytestmark = pytest.mark.django_db
@@ -33,7 +32,9 @@ def test_api_template_accesses_list_authenticated_unrelated():
to which they are not related. to which they are not related.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory() template = factories.TemplateFactory()
factories.TemplateAccessFactory.create_batch(3, template=template) factories.TemplateAccessFactory.create_batch(3, template=template)
@@ -42,9 +43,8 @@ def test_api_template_accesses_list_authenticated_unrelated():
other_access = factories.TemplateAccessFactory(user=user) other_access = factories.TemplateAccessFactory(user=user)
factories.TemplateAccessFactory(template=other_access.template) factories.TemplateAccessFactory(template=other_access.template)
response = APIClient().get( response = client.get(
f"/api/v1.0/templates/{template.id!s}/accesses/", f"/api/v1.0/templates/{template.id!s}/accesses/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 200 assert response.status_code == 200
assert response.json() == { assert response.json() == {
@@ -61,7 +61,9 @@ def test_api_template_accesses_list_authenticated_related():
to which they are related, whatever their role in the template. to which they are related, whatever their role in the template.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory() template = factories.TemplateFactory()
user_access = models.TemplateAccess.objects.create( user_access = models.TemplateAccess.objects.create(
@@ -75,9 +77,8 @@ def test_api_template_accesses_list_authenticated_related():
other_access = factories.TemplateAccessFactory(user=user) other_access = factories.TemplateAccessFactory(user=user)
factories.TemplateAccessFactory(template=other_access.template) factories.TemplateAccessFactory(template=other_access.template)
response = APIClient().get( response = client.get(
f"/api/v1.0/templates/{template.id!s}/accesses/", f"/api/v1.0/templates/{template.id!s}/accesses/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 200 assert response.status_code == 200
@@ -130,14 +131,15 @@ def test_api_template_accesses_retrieve_authenticated_unrelated():
a template to which they are not related. a template to which they are not related.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory() template = factories.TemplateFactory()
access = factories.TemplateAccessFactory(template=template) access = factories.TemplateAccessFactory(template=template)
response = APIClient().get( response = client.get(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
assert response.json() == { assert response.json() == {
@@ -149,9 +151,8 @@ def test_api_template_accesses_retrieve_authenticated_unrelated():
factories.TemplateAccessFactory(), factories.TemplateAccessFactory(),
factories.TemplateAccessFactory(user=user), factories.TemplateAccessFactory(user=user),
]: ]:
response = APIClient().get( response = client.get(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 404 assert response.status_code == 404
@@ -164,14 +165,15 @@ def test_api_template_accesses_retrieve_authenticated_related():
associated template user accesses. associated template user accesses.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[user]) template = factories.TemplateFactory(users=[user])
access = factories.TemplateAccessFactory(template=template) access = factories.TemplateAccessFactory(template=template)
response = APIClient().get( response = client.get(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 200 assert response.status_code == 200
@@ -211,18 +213,19 @@ def test_api_template_accesses_create_authenticated_unrelated():
which they are not related. which they are not related.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
other_user = factories.UserFactory() other_user = factories.UserFactory()
template = factories.TemplateFactory() template = factories.TemplateFactory()
response = APIClient().post( response = client.post(
f"/api/v1.0/templates/{template.id!s}/accesses/", f"/api/v1.0/templates/{template.id!s}/accesses/",
{ {
"user": str(other_user.id), "user": str(other_user.id),
}, },
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -232,21 +235,21 @@ def test_api_template_accesses_create_authenticated_unrelated():
def test_api_template_accesses_create_authenticated_member(): def test_api_template_accesses_create_authenticated_member():
"""Members of a template should not be allowed to create template accesses.""" """Members of a template should not be allowed to create template accesses."""
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "member")]) template = factories.TemplateFactory(users=[(user, "member")])
other_user = factories.UserFactory() other_user = factories.UserFactory()
api_client = APIClient()
for role in [role[0] for role in models.RoleChoices.choices]: for role in [role[0] for role in models.RoleChoices.choices]:
response = api_client.post( response = client.post(
f"/api/v1.0/templates/{template.id!s}/accesses/", f"/api/v1.0/templates/{template.id!s}/accesses/",
{ {
"user": str(other_user.id), "user": str(other_user.id),
"role": role, "role": role,
}, },
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -260,7 +263,9 @@ def test_api_template_accesses_create_authenticated_administrator():
except for the "owner" role. except for the "owner" role.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "administrator")]) template = factories.TemplateFactory(users=[(user, "administrator")])
other_user = factories.UserFactory() other_user = factories.UserFactory()
@@ -268,14 +273,13 @@ def test_api_template_accesses_create_authenticated_administrator():
api_client = APIClient() api_client = APIClient()
# It should not be allowed to create an owner access # It should not be allowed to create an owner access
response = api_client.post( response = client.post(
f"/api/v1.0/templates/{template.id!s}/accesses/", f"/api/v1.0/templates/{template.id!s}/accesses/",
{ {
"user": str(other_user.id), "user": str(other_user.id),
"role": "owner", "role": "owner",
}, },
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -288,14 +292,13 @@ def test_api_template_accesses_create_authenticated_administrator():
[role[0] for role in models.RoleChoices.choices if role[0] != "owner"] [role[0] for role in models.RoleChoices.choices if role[0] != "owner"]
) )
response = api_client.post( response = client.post(
f"/api/v1.0/templates/{template.id!s}/accesses/", f"/api/v1.0/templates/{template.id!s}/accesses/",
{ {
"user": str(other_user.id), "user": str(other_user.id),
"role": role, "role": role,
}, },
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 201 assert response.status_code == 201
@@ -314,21 +317,22 @@ def test_api_template_accesses_create_authenticated_owner():
Owners of a template should be able to create template accesses whatever the role. Owners of a template should be able to create template accesses whatever the role.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "owner")]) template = factories.TemplateFactory(users=[(user, "owner")])
other_user = factories.UserFactory() other_user = factories.UserFactory()
role = random.choice([role[0] for role in models.RoleChoices.choices]) role = random.choice([role[0] for role in models.RoleChoices.choices])
response = APIClient().post( response = client.post(
f"/api/v1.0/templates/{template.id!s}/accesses/", f"/api/v1.0/templates/{template.id!s}/accesses/",
{ {
"user": str(other_user.id), "user": str(other_user.id),
"role": role, "role": role,
}, },
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 201 assert response.status_code == 201
@@ -373,7 +377,9 @@ def test_api_template_accesses_update_authenticated_unrelated():
they are not related. they are not related.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
access = factories.TemplateAccessFactory() access = factories.TemplateAccessFactory()
old_values = serializers.TemplateAccessSerializer(instance=access).data old_values = serializers.TemplateAccessSerializer(instance=access).data
@@ -384,13 +390,11 @@ def test_api_template_accesses_update_authenticated_unrelated():
"role": random.choice(models.RoleChoices.choices)[0], "role": random.choice(models.RoleChoices.choices)[0],
} }
api_client = APIClient()
for field, value in new_values.items(): for field, value in new_values.items():
response = api_client.put( response = client.put(
f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/",
{**old_values, field: value}, {**old_values, field: value},
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -402,7 +406,9 @@ def test_api_template_accesses_update_authenticated_unrelated():
def test_api_template_accesses_update_authenticated_member(): def test_api_template_accesses_update_authenticated_member():
"""Members of a template should not be allowed to update its accesses.""" """Members of a template should not be allowed to update its accesses."""
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "member")]) template = factories.TemplateFactory(users=[(user, "member")])
access = factories.TemplateAccessFactory(template=template) access = factories.TemplateAccessFactory(template=template)
@@ -414,13 +420,11 @@ def test_api_template_accesses_update_authenticated_member():
"role": random.choice(models.RoleChoices.choices)[0], "role": random.choice(models.RoleChoices.choices)[0],
} }
api_client = APIClient()
for field, value in new_values.items(): for field, value in new_values.items():
response = api_client.put( response = client.put(
f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/",
{**old_values, field: value}, {**old_values, field: value},
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -435,7 +439,9 @@ def test_api_template_accesses_update_administrator_except_owner():
access for this template, as long as they don't try to set the role to owner. access for this template, as long as they don't try to set the role to owner.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "administrator")]) template = factories.TemplateFactory(users=[(user, "administrator")])
access = factories.TemplateAccessFactory( access = factories.TemplateAccessFactory(
@@ -450,14 +456,12 @@ def test_api_template_accesses_update_administrator_except_owner():
"role": random.choice(["administrator", "member"]), "role": random.choice(["administrator", "member"]),
} }
api_client = APIClient()
for field, value in new_values.items(): for field, value in new_values.items():
new_data = {**old_values, field: value} new_data = {**old_values, field: value}
response = api_client.put( response = client.put(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
data=new_data, data=new_data,
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
if ( if (
@@ -481,7 +485,9 @@ def test_api_template_accesses_update_administrator_from_owner():
the user access of an "owner" for this template. the user access of an "owner" for this template.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "administrator")]) template = factories.TemplateFactory(users=[(user, "administrator")])
other_user = factories.UserFactory() other_user = factories.UserFactory()
@@ -496,13 +502,11 @@ def test_api_template_accesses_update_administrator_from_owner():
"role": random.choice(models.RoleChoices.choices)[0], "role": random.choice(models.RoleChoices.choices)[0],
} }
api_client = APIClient()
for field, value in new_values.items(): for field, value in new_values.items():
response = api_client.put( response = client.put(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
data={**old_values, field: value}, data={**old_values, field: value},
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -517,7 +521,9 @@ def test_api_template_accesses_update_administrator_to_owner():
the user access of another user to grant template ownership. the user access of another user to grant template ownership.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "administrator")]) template = factories.TemplateFactory(users=[(user, "administrator")])
other_user = factories.UserFactory() other_user = factories.UserFactory()
@@ -534,14 +540,12 @@ def test_api_template_accesses_update_administrator_to_owner():
"role": "owner", "role": "owner",
} }
api_client = APIClient()
for field, value in new_values.items(): for field, value in new_values.items():
new_data = {**old_values, field: value} new_data = {**old_values, field: value}
response = api_client.put( response = client.put(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
data=new_data, data=new_data,
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
# We are not allowed or not really updating the role # We are not allowed or not really updating the role
if field == "role" or new_data["role"] == old_values["role"]: if field == "role" or new_data["role"] == old_values["role"]:
@@ -560,7 +564,9 @@ def test_api_template_accesses_update_owner():
a user access for this template whatever the role. a user access for this template whatever the role.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "owner")]) template = factories.TemplateFactory(users=[(user, "owner")])
factories.UserFactory() factories.UserFactory()
@@ -575,14 +581,12 @@ def test_api_template_accesses_update_owner():
"role": random.choice(models.RoleChoices.choices)[0], "role": random.choice(models.RoleChoices.choices)[0],
} }
api_client = APIClient()
for field, value in new_values.items(): for field, value in new_values.items():
new_data = {**old_values, field: value} new_data = {**old_values, field: value}
response = api_client.put( response = client.put(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
data=new_data, data=new_data,
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
if ( if (
@@ -607,19 +611,19 @@ def test_api_template_accesses_update_owner_self():
their own user access provided there are other owners in the template. their own user access provided there are other owners in the template.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory() template = factories.TemplateFactory()
access = factories.TemplateAccessFactory(template=template, user=user, role="owner") access = factories.TemplateAccessFactory(template=template, user=user, role="owner")
old_values = serializers.TemplateAccessSerializer(instance=access).data old_values = serializers.TemplateAccessSerializer(instance=access).data
new_role = random.choice(["administrator", "member"]) new_role = random.choice(["administrator", "member"])
api_client = APIClient() response = client.put(
response = api_client.put(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
data={**old_values, "role": new_role}, data={**old_values, "role": new_role},
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -629,11 +633,10 @@ def test_api_template_accesses_update_owner_self():
# Add another owner and it should now work # Add another owner and it should now work
factories.TemplateAccessFactory(template=template, role="owner") factories.TemplateAccessFactory(template=template, role="owner")
response = api_client.put( response = client.put(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
data={**old_values, "role": new_role}, data={**old_values, "role": new_role},
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 200 assert response.status_code == 200
@@ -662,13 +665,14 @@ def test_api_template_accesses_delete_authenticated():
template to which they are not related. template to which they are not related.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
access = factories.TemplateAccessFactory() access = factories.TemplateAccessFactory()
response = APIClient().delete( response = client.delete(
f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -681,7 +685,9 @@ def test_api_template_accesses_delete_member():
template in which they are a simple member. template in which they are a simple member.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "member")]) template = factories.TemplateFactory(users=[(user, "member")])
access = factories.TemplateAccessFactory(template=template) access = factories.TemplateAccessFactory(template=template)
@@ -689,9 +695,8 @@ def test_api_template_accesses_delete_member():
assert models.TemplateAccess.objects.count() == 2 assert models.TemplateAccess.objects.count() == 2
assert models.TemplateAccess.objects.filter(user=access.user).exists() assert models.TemplateAccess.objects.filter(user=access.user).exists()
response = APIClient().delete( response = client.delete(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -704,7 +709,9 @@ def test_api_template_accesses_delete_administrators_except_owners():
from the template provided it is not ownership. from the template provided it is not ownership.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "administrator")]) template = factories.TemplateFactory(users=[(user, "administrator")])
access = factories.TemplateAccessFactory( access = factories.TemplateAccessFactory(
@@ -714,9 +721,8 @@ def test_api_template_accesses_delete_administrators_except_owners():
assert models.TemplateAccess.objects.count() == 2 assert models.TemplateAccess.objects.count() == 2
assert models.TemplateAccess.objects.filter(user=access.user).exists() assert models.TemplateAccess.objects.filter(user=access.user).exists()
response = APIClient().delete( response = client.delete(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 204 assert response.status_code == 204
@@ -729,7 +735,9 @@ def test_api_template_accesses_delete_administrators_owners():
access from the template. access from the template.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "administrator")]) template = factories.TemplateFactory(users=[(user, "administrator")])
access = factories.TemplateAccessFactory(template=template, role="owner") access = factories.TemplateAccessFactory(template=template, role="owner")
@@ -737,9 +745,8 @@ def test_api_template_accesses_delete_administrators_owners():
assert models.TemplateAccess.objects.count() == 2 assert models.TemplateAccess.objects.count() == 2
assert models.TemplateAccess.objects.filter(user=access.user).exists() assert models.TemplateAccess.objects.filter(user=access.user).exists()
response = APIClient().delete( response = client.delete(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -752,7 +759,9 @@ def test_api_template_accesses_delete_owners():
for a template of which they are owner. for a template of which they are owner.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "owner")]) template = factories.TemplateFactory(users=[(user, "owner")])
access = factories.TemplateAccessFactory( access = factories.TemplateAccessFactory(
@@ -762,9 +771,8 @@ def test_api_template_accesses_delete_owners():
assert models.TemplateAccess.objects.count() == 2 assert models.TemplateAccess.objects.count() == 2
assert models.TemplateAccess.objects.filter(user=access.user).exists() assert models.TemplateAccess.objects.filter(user=access.user).exists()
response = APIClient().delete( response = client.delete(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 204 assert response.status_code == 204
@@ -776,15 +784,16 @@ def test_api_template_accesses_delete_owners_last_owner():
It should not be possible to delete the last owner access from a template It should not be possible to delete the last owner access from a template
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory() template = factories.TemplateFactory()
access = factories.TemplateAccessFactory(template=template, user=user, role="owner") access = factories.TemplateAccessFactory(template=template, user=user, role="owner")
assert models.TemplateAccess.objects.count() == 1 assert models.TemplateAccess.objects.count() == 1
response = APIClient().delete( response = client.delete(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403


@@ -7,7 +7,6 @@ from rest_framework.test import APIClient
from core import factories, models from core import factories, models
from core.api import serializers from core.api import serializers
from .utils import OIDCToken
pytestmark = pytest.mark.django_db pytestmark = pytest.mark.django_db
@@ -26,11 +25,13 @@ def test_api_users_list_authenticated():
Authenticated users should not be able to list users. Authenticated users should not be able to list users.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
factories.UserFactory.create_batch(2) factories.UserFactory.create_batch(2)
response = APIClient().get( response = client.get(
"/api/v1.0/users/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" "/api/v1.0/users/",
) )
assert response.status_code == 404 assert response.status_code == 404
assert "Not Found" in response.content.decode("utf-8") assert "Not Found" in response.content.decode("utf-8")
@@ -50,11 +51,13 @@ def test_api_users_retrieve_me_anonymous():
def test_api_users_retrieve_me_authenticated(): def test_api_users_retrieve_me_authenticated():
"""Authenticated users should be able to retrieve their own user via the "/users/me" path.""" """Authenticated users should be able to retrieve their own user via the "/users/me" path."""
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
factories.UserFactory.create_batch(2) factories.UserFactory.create_batch(2)
response = APIClient().get( response = client.get(
"/api/v1.0/users/me/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" "/api/v1.0/users/me/",
) )
assert response.status_code == 200 assert response.status_code == 200
@@ -85,10 +88,12 @@ def test_api_users_retrieve_authenticated_self():
The returned object should not contain the password. The returned object should not contain the password.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
response = APIClient().get( client = APIClient()
f"/api/v1.0/users/{user.id!s}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" client.force_login(user)
response = client.get(
f"/api/v1.0/users/{user.id!s}/",
) )
assert response.status_code == 405 assert response.status_code == 405
assert response.json() == {"detail": 'Method "GET" not allowed.'} assert response.json() == {"detail": 'Method "GET" not allowed.'}
@@ -100,12 +105,14 @@ def test_api_users_retrieve_authenticated_other():
limited information. limited information.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
other_user = factories.UserFactory() other_user = factories.UserFactory()
response = APIClient().get( response = client.get(
f"/api/v1.0/users/{other_user.id!s}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" f"/api/v1.0/users/{other_user.id!s}/",
) )
assert response.status_code == 405 assert response.status_code == 405
assert response.json() == {"detail": 'Method "GET" not allowed.'} assert response.json() == {"detail": 'Method "GET" not allowed.'}
@@ -128,16 +135,17 @@ def test_api_users_create_anonymous():
def test_api_users_create_authenticated(): def test_api_users_create_authenticated():
"""Authenticated users should not be able to create users via the API.""" """Authenticated users should not be able to create users via the API."""
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
response = APIClient().post( client = APIClient()
client.force_login(user)
response = client.post(
"/api/v1.0/users/", "/api/v1.0/users/",
{ {
"language": "fr-fr", "language": "fr-fr",
"password": "mypassword", "password": "mypassword",
}, },
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 404 assert response.status_code == 404
assert "Not Found" in response.content.decode("utf-8") assert "Not Found" in response.content.decode("utf-8")
@@ -174,18 +182,19 @@ def test_api_users_update_authenticated_self():
and "timezone" fields. and "timezone" fields.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
old_user_values = dict(serializers.UserSerializer(instance=user).data) old_user_values = dict(serializers.UserSerializer(instance=user).data)
new_user_values = dict( new_user_values = dict(
serializers.UserSerializer(instance=factories.UserFactory()).data serializers.UserSerializer(instance=factories.UserFactory()).data
) )
response = APIClient().put( response = client.put(
f"/api/v1.0/users/{user.id!s}/", f"/api/v1.0/users/{user.id!s}/",
new_user_values, new_user_values,
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 200 assert response.status_code == 200
@@ -201,17 +210,18 @@ def test_api_users_update_authenticated_self():
def test_api_users_update_authenticated_other(): def test_api_users_update_authenticated_other():
"""Authenticated users should not be allowed to update other users.""" """Authenticated users should not be allowed to update other users."""
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
user = factories.UserFactory() user = factories.UserFactory()
old_user_values = dict(serializers.UserSerializer(instance=user).data) old_user_values = dict(serializers.UserSerializer(instance=user).data)
new_user_values = serializers.UserSerializer(instance=factories.UserFactory()).data new_user_values = serializers.UserSerializer(instance=factories.UserFactory()).data
response = APIClient().put( response = client.put(
f"/api/v1.0/users/{user.id!s}/", f"/api/v1.0/users/{user.id!s}/",
new_user_values, new_user_values,
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -253,7 +263,9 @@ def test_api_users_patch_authenticated_self():
and "timezone" fields. and "timezone" fields.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
old_user_values = dict(serializers.UserSerializer(instance=user).data) old_user_values = dict(serializers.UserSerializer(instance=user).data)
new_user_values = dict( new_user_values = dict(
@@ -261,11 +273,10 @@ def test_api_users_patch_authenticated_self():
) )
for key, new_value in new_user_values.items(): for key, new_value in new_user_values.items():
response = APIClient().patch( response = client.patch(
f"/api/v1.0/users/{user.id!s}/", f"/api/v1.0/users/{user.id!s}/",
{key: new_value}, {key: new_value},
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 200 assert response.status_code == 200
@@ -281,7 +292,9 @@ def test_api_users_patch_authenticated_self():
def test_api_users_patch_authenticated_other(): def test_api_users_patch_authenticated_other():
"""Authenticated users should not be allowed to patch other users.""" """Authenticated users should not be allowed to patch other users."""
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
user = factories.UserFactory() user = factories.UserFactory()
old_user_values = dict(serializers.UserSerializer(instance=user).data) old_user_values = dict(serializers.UserSerializer(instance=user).data)
@@ -290,11 +303,10 @@ def test_api_users_patch_authenticated_other():
) )
for key, new_value in new_user_values.items(): for key, new_value in new_user_values.items():
response = APIClient().put( response = client.put(
f"/api/v1.0/users/{user.id!s}/", f"/api/v1.0/users/{user.id!s}/",
{key: new_value}, {key: new_value},
format="json", format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 403 assert response.status_code == 403
@@ -319,11 +331,12 @@ def test_api_users_delete_list_authenticated():
"""Authenticated users should not be allowed to delete a list of users.""" """Authenticated users should not be allowed to delete a list of users."""
factories.UserFactory.create_batch(2) factories.UserFactory.create_batch(2)
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient() client = APIClient()
client.force_login(user)
response = client.delete( response = client.delete(
"/api/v1.0/users/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" "/api/v1.0/users/",
) )
assert response.status_code == 404 assert response.status_code == 404
@@ -345,11 +358,14 @@ def test_api_users_delete_authenticated():
Authenticated users should not be allowed to delete a user other than themselves. Authenticated users should not be allowed to delete a user other than themselves.
""" """
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
other_user = factories.UserFactory() other_user = factories.UserFactory()
response = APIClient().delete( response = client.delete(
f"/api/v1.0/users/{other_user.id!s}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" f"/api/v1.0/users/{other_user.id!s}/",
) )
assert response.status_code == 405 assert response.status_code == 405
@@ -359,11 +375,12 @@ def test_api_users_delete_authenticated():
def test_api_users_delete_self(): def test_api_users_delete_self():
"""Authenticated users should not be able to delete their own user.""" """Authenticated users should not be able to delete their own user."""
user = factories.UserFactory() user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
response = APIClient().delete( client = APIClient()
client.force_login(user)
response = client.delete(
f"/api/v1.0/users/{user.id!s}/", f"/api/v1.0/users/{user.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
) )
assert response.status_code == 405 assert response.status_code == 405
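Review bot: Switching every authenticated test in this file to `client.force_login(user)` (L783-784, L796-797, and the same pattern down to L947-948) means the API's authentication layer is no longer exercised at all: `force_login` writes the session directly, so neither bearer-token handling nor the session-cookie path that a real browser would take is covered, and each test now checks authorization only. Because `APIClient()` is constructed without `enforce_csrf_checks=True`, the unsafe-method tests (PUT at L857 and L874, PATCH at L893, DELETE at L926, L938 and L949) will also pass without a CSRF token, so if the project authenticates these requests with DRF's `SessionAuthentication` (which is what makes `force_login` work here, though the settings are not visible in this diff), its CSRF enforcement is untested. I would add a module-level comment such as `# force_login() bypasses authentication: these tests cover authorization only, not session/JWT login or CSRF.` and keep one test per unsafe method that uses `APIClient(enforce_csrf_checks=True)` and asserts the request is rejected without a CSRF token. The same point applies to the template-accesses section above, whose start is outside this view.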