Updated permissions tests.

mboersma · mboersma · commit e363b384a8d8 · 2013-12-11T14:47:39.000-07:00
diff --git a/.coveragerc b/.coveragerc
@@ -3,6 +3,7 @@ omit =
     */venv/*
     */virtualenv/*
     api/__init__.py
+    api/tests/*
     client/__init__.py
     client/models.py
     client/tests/__init__.py
diff --git a/api/tests/test_perm.py b/api/tests/test_perm.py
@@ -21,7 +21,7 @@ def test_first_signup(self):
         self.assertEqual(response.status_code, 201)
         self.assertTrue(response.data['is_superuser'])
         # register a second user
-        username, password = 'second', 'password'
+        username, password = 'seconduser', 'password'
         email = 'autotest@deis.io'
         submit = {
             'username': username,
@@ -50,6 +50,86 @@ def test_list(self):
         self.assertEqual(len(response.data['results']), 1)
         self.assertEqual(response.data['results'][0]['username'], 'firstuser')
         self.assertTrue(response.data['results'][0]['is_superuser'])
+        # register a non-superuser
+        submit = {
+            'username': 'seconduser',
+            'password': 'password',
+            'email': 'autotest@deis.io',
+        }
+        url = '/api/auth/register'
+        response = self.client.post(url, json.dumps(submit), content_type='application/json')
+        self.assertEqual(response.status_code, 201)
+        self.assertFalse(response.data['is_superuser'])
+        self.assertTrue(
+            self.client.login(username='seconduser', password='password'))
+        response = self.client.get('/api/admin/perms', content_type='application/json')
+        self.assertEqual(response.status_code, 403)
+        self.assertIn('You do not have permission', response.data['detail'])
+
+    def test_create(self):
+        submit = {
+            'username': 'one',
+            'password': 'password',
+            'email': 'autotest@deis.io',
+        }
+        url = '/api/auth/register'
+        response = self.client.post(url, json.dumps(submit), content_type='application/json')
+        self.assertEqual(response.status_code, 201)
+        self.assertTrue(response.data['is_superuser'])
+        submit = {
+            'username': 'two',
+            'password': 'password',
+            'email': 'autotest@deis.io',
+        }
+        url = '/api/auth/register'
+        response = self.client.post(url, json.dumps(submit), content_type='application/json')
+        self.assertEqual(response.status_code, 201)
+        self.assertFalse(response.data['is_superuser'])
+        self.assertTrue(
+            self.client.login(username='one', password='password'))
+        # grant user 2 the superuser perm
+        url = '/api/admin/perms'
+        body = {'username': 'two'}
+        response = self.client.post(url, json.dumps(body), content_type='application/json')
+        self.assertEqual(response.status_code, 201)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data['results']), 2)
+        self.assertIn('two', str(response.data['results']))
+
+    def test_delete(self):
+        submit = {
+            'username': 'uno',
+            'password': 'password',
+            'email': 'autotest@deis.io',
+        }
+        url = '/api/auth/register'
+        response = self.client.post(url, json.dumps(submit), content_type='application/json')
+        self.assertEqual(response.status_code, 201)
+        self.assertTrue(response.data['is_superuser'])
+        submit = {
+            'username': 'dos',
+            'password': 'password',
+            'email': 'autotest@deis.io',
+        }
+        url = '/api/auth/register'
+        response = self.client.post(url, json.dumps(submit), content_type='application/json')
+        self.assertEqual(response.status_code, 201)
+        self.assertFalse(response.data['is_superuser'])
+        self.assertTrue(
+            self.client.login(username='uno', password='password'))
+        # grant user 2 the superuser perm
+        url = '/api/admin/perms'
+        body = {'username': 'dos'}
+        response = self.client.post(url, json.dumps(body), content_type='application/json')
+        self.assertEqual(response.status_code, 201)
+        # revoke the superuser perm
+        response = self.client.delete(url + '/dos')
+        self.assertEqual(response.status_code, 204)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data['results']), 1)
+        self.assertNotIn('two', str(response.data['results']))
 
 
 class TestAppPerms(TestCase):
@@ -88,7 +168,37 @@ def test_create(self):
         # TODO:  check that user 2 can git push the app
 
     def test_delete(self):
-        pass
+        # give user 2 permission to user 1's app
+        self.assertTrue(
+            self.client.login(username='autotest-1', password='password'))
+        response = self.client.get('/api/apps')
+        app_id = response.data['results'][0]['id']
+        url = "/api/apps/{}/perms".format(app_id)
+        body = {'username': 'autotest-2'}
+        response = self.client.post(url, json.dumps(body), content_type='application/json')
+        self.assertEqual(response.status_code, 201)
+        # check that user 2 can see the app
+        self.assertTrue(
+            self.client.login(username='autotest-2', password='password'))
+        response = self.client.get('/api/apps')
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data['results']), 1)
+        # try to delete the permission as user 2
+        url = "/api/apps/{}/perms/{}".format(app_id, 'autotest-2')
+        response = self.client.delete(url, content_type='application/json')
+        self.assertEqual(response.status_code, 403)
+        self.assertIsNone(response.data)
+        # delete permission to user 1's app
+        self.assertTrue(
+            self.client.login(username='autotest-1', password='password'))
+        response = self.client.delete(url, content_type='application/json')
+        self.assertEqual(response.status_code, 204)
+        self.assertIsNone(response.data)
+        # check that user 2 can't see any apps
+        self.assertTrue(
+            self.client.login(username='autotest-2', password='password'))
+        response = self.client.get('/api/apps')
+        self.assertEqual(len(response.data['results']), 0)
 
     def test_list(self):
         # check that user 1 sees her lone app
@@ -208,4 +318,17 @@ def test_delete_errors(self):
         self.assertEqual(response.status_code, 404)
 
     def test_list(self):
-        pass
+        # check that user 1 sees her lone formation
+        response = self.client.get('/api/formations')
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data['results']), 1)
+        formation_id = response.data['results'][0]['id']
+        # create a new object permission
+        url = "/api/formations/{}/perms".format(formation_id)
+        body = {'username': 'autotest-2'}
+        response = self.client.post(url, json.dumps(body), content_type='application/json')
+        self.assertEqual(response.status_code, 201)
+        # list perms on the app
+        response = self.client.get(
+            "/api/formations/{}/perms".format(formation_id), content_type='application/json')
+        self.assertEqual(response.data, {'users': ['autotest-2']})
diff --git a/api/views.py b/api/views.py
@@ -382,7 +382,7 @@ def create(self, request, **kwargs):
         return Response(status=status.HTTP_201_CREATED)
 
     def destroy(self, request, **kwargs):
-        user = get_object_or_404(User, username=request.DATA['username'])
+        user = get_object_or_404(User, username=kwargs['username'])
         user.is_superuser = user.is_staff = False
         user.save(update_fields=['is_superuser', 'is_staff'])
         return Response(status=status.HTTP_204_NO_CONTENT)
