Add more tests for datalayer permissions

2023-09-09 11:44:35 +02:00 · 2023-09-09 11:44:35 +02:00 · 42eb0e6ded
commit 42eb0e6ded
parent d6d55e619a
3 changed files with 158 additions and 7 deletions
--- a/umap/models.py
+++ b/umap/models.py
@ -202,7 +202,7 @@ class Map(NamedModel):
        return settings.SITE_URL + path

    def is_anonymous_owner(self, request):
-        if self.owner:
+        if not request or self.owner:
            # edit cookies are only valid while map hasn't owner
            return False
        key, value = self.signed_cookie_elements
@ -221,12 +221,10 @@ class Map(NamedModel):
        In anononymous mode: only "anonymous owners" (having edit cookie set)
        """
        can = False
-        if request and not self.owner:
-            if getattr(
-                settings, "UMAP_ALLOW_ANONYMOUS", False
-            ) and self.is_anonymous_owner(request):
+        if not self.owner:
+            if settings.UMAP_ALLOW_ANONYMOUS and self.is_anonymous_owner(request):
                can = True
-        if user == self.owner:
+        elif user == self.owner:
            can = True
        elif user in self.editors.all():
            can = True
--- a/umap/tests/test_datalayer.py
+++ b/umap/tests/test_datalayer.py
@ -4,6 +4,7 @@ import pytest
 from django.core.files.base import ContentFile

 from .base import DataLayerFactory, MapFactory
+from umap.models import DataLayer

 pytestmark = pytest.mark.django_db

@ -21,7 +22,7 @@ def test_datalayers_should_be_ordered_by_rank(map, datalayer):
 def test_upload_to(map, datalayer):
    map.pk = 302
    datalayer.pk = 17
-    assert datalayer.upload_to().startswith('datalayer/2/0/302/17_')
+    assert datalayer.upload_to().startswith("datalayer/2/0/302/17_")


 def test_save_should_use_pk_as_name(map, datalayer):
@ -81,3 +82,64 @@ def test_should_remove_old_versions_on_save(datalayer, map, settings):
    assert os.path.basename(other) in files
    assert os.path.basename(other + ".gz") in files
    assert os.path.basename(older) not in files
+    assert os.path.basename(older + ".gz") not in files
+
+
+def test_anonymous_cannot_edit_in_editors_mode(datalayer):
+    datalayer.edit_status = DataLayer.EDITORS
+    datalayer.save()
+    assert not datalayer.can_edit()
+
+
+def test_owner_can_edit_in_editors_mode(datalayer, user):
+    datalayer.edit_status = DataLayer.EDITORS
+    datalayer.save()
+    assert datalayer.can_edit(datalayer.map.owner)
+
+
+def test_editor_can_edit_in_editors_mode(datalayer, user):
+    map = datalayer.map
+    map.editors.add(user)
+    map.save()
+    datalayer.edit_status = DataLayer.EDITORS
+    datalayer.save()
+    assert datalayer.can_edit(user)
+
+
+def test_anonymous_can_edit_in_public_mode(datalayer):
+    datalayer.edit_status = DataLayer.ANONYMOUS
+    datalayer.save()
+    assert datalayer.can_edit()
+
+
+def test_owner_can_edit_in_public_mode(datalayer, user):
+    datalayer.edit_status = DataLayer.ANONYMOUS
+    datalayer.save()
+    assert datalayer.can_edit(datalayer.map.owner)
+
+
+def test_editor_can_edit_in_public_mode(datalayer, user):
+    map = datalayer.map
+    map.editors.add(user)
+    map.save()
+    datalayer.edit_status = DataLayer.ANONYMOUS
+    datalayer.save()
+    assert datalayer.can_edit(user)
+
+
+def test_anonymous_cannot_edit_in_anonymous_owner_mode(datalayer):
+    datalayer.edit_status = DataLayer.OWNER
+    datalayer.save()
+    map = datalayer.map
+    map.owner = None
+    map.save()
+    assert not datalayer.can_edit()
+
+
+def test_anonymous_can_edit_in_anonymous_owner_but_public_mode(datalayer):
+    datalayer.edit_status = DataLayer.ANONYMOUS
+    datalayer.save()
+    map = datalayer.map
+    map.owner = None
+    map.save()
+    assert datalayer.can_edit()
--- a/umap/tests/test_datalayer_views.py
+++ b/umap/tests/test_datalayer_views.py
@ -245,3 +245,94 @@ def test_update_readonly(client, datalayer, map, post_data, settings):
    client.login(username=map.owner.username, password="123123")
    response = client.post(url, post_data, follow=True)
    assert response.status_code == 403
+
+
+@pytest.mark.usefixtures("allow_anonymous")
+def test_anonymous_owner_can_edit_in_anonymous_owner_mode(
+    datalayer, cookieclient, anonymap, post_data
+):
+    datalayer.edit_status = DataLayer.OWNER
+    datalayer.save()
+    url = reverse("datalayer_update", args=(anonymap.pk, datalayer.pk))
+    name = "new name"
+    post_data["name"] = name
+    response = cookieclient.post(url, post_data, follow=True)
+    assert response.status_code == 200
+    modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
+    assert modified_datalayer.name == name
+
+
+@pytest.mark.usefixtures("allow_anonymous")
+def test_anonymous_can_edit_in_anonymous_owner_but_public_mode(
+    datalayer, client, anonymap, post_data
+):
+    datalayer.edit_status = DataLayer.ANONYMOUS
+    datalayer.save()
+    url = reverse("datalayer_update", args=(anonymap.pk, datalayer.pk))
+    name = "new name"
+    post_data["name"] = name
+    response = client.post(url, post_data, follow=True)
+    assert response.status_code == 200
+    modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
+    assert modified_datalayer.name == name
+
+
+@pytest.mark.usefixtures("allow_anonymous")
+def test_anonymous_cannot_edit_in_anonymous_owner_mode(
+    datalayer, client, anonymap, post_data
+):
+    datalayer.edit_status = DataLayer.OWNER
+    datalayer.save()
+    url = reverse("datalayer_update", args=(anonymap.pk, datalayer.pk))
+    name = "new name"
+    post_data["name"] = name
+    response = client.post(url, post_data, follow=True)
+    assert response.status_code == 403
+
+
+def test_anonymous_cannot_edit_in_owner_mode(datalayer, client, map, post_data):
+    datalayer.edit_status = DataLayer.OWNER
+    datalayer.save()
+    url = reverse("datalayer_update", args=(map.pk, datalayer.pk))
+    name = "new name"
+    post_data["name"] = name
+    response = client.post(url, post_data, follow=True)
+    assert response.status_code == 403
+
+
+def test_anonymous_can_edit_in_owner_but_public_mode(datalayer, client, map, post_data):
+    datalayer.edit_status = DataLayer.ANONYMOUS
+    datalayer.save()
+    url = reverse("datalayer_update", args=(map.pk, datalayer.pk))
+    name = "new name"
+    post_data["name"] = name
+    response = client.post(url, post_data, follow=True)
+    assert response.status_code == 200
+    modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
+    assert modified_datalayer.name == name
+
+
+def test_owner_can_edit_in_owner_mode(datalayer, client, map, post_data):
+    client.login(username=map.owner.username, password="123123")
+    datalayer.edit_status = DataLayer.OWNER
+    datalayer.save()
+    url = reverse("datalayer_update", args=(map.pk, datalayer.pk))
+    name = "new name"
+    post_data["name"] = name
+    response = client.post(url, post_data, follow=True)
+    assert response.status_code == 200
+    modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
+    assert modified_datalayer.name == name
+
+
+def test_editor_can_edit_in_editors_mode(datalayer, client, map, post_data):
+    client.login(username=map.owner.username, password="123123")
+    datalayer.edit_status = DataLayer.EDITORS
+    datalayer.save()
+    url = reverse("datalayer_update", args=(map.pk, datalayer.pk))
+    name = "new name"
+    post_data["name"] = name
+    response = client.post(url, post_data, follow=True)
+    assert response.status_code == 200
+    modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
+    assert modified_datalayer.name == name