From 42eb0e6dedb23ce82748e907670b0f3b49f77042 Mon Sep 17 00:00:00 2001
From: Yohan Boniface
Date: Sat, 9 Sep 2023 11:44:35 +0200
Subject: [PATCH] Add more tests for datalayer permissions
---
 umap/models.py | 10 ++--
 umap/tests/test_datalayer.py | 64 ++++++++++++++++++++-
 umap/tests/test_datalayer_views.py | 91 ++++++++++++++++++++++++++++++
 3 files changed, 158 insertions(+), 7 deletions(-)
diff --git a/umap/models.py b/umap/models.py
index fbeaa559..97df55f9 100644
--- a/umap/models.py
+++ b/umap/models.py
@@ -202,7 +202,7 @@ class Map(NamedModel):
 return settings.SITE_URL + path
 def is_anonymous_owner(self, request):
- if self.owner:
+ if not request or self.owner:
 # edit cookies are only valid while map hasn't owner
 return False
 key, value = self.signed_cookie_elements
@@ -221,12 +221,10 @@ class Map(NamedModel):
 In anononymous mode: only "anonymous owners" (having edit cookie set)
 """
 can = False
- if request and not self.owner:
- if getattr(
- settings, "UMAP_ALLOW_ANONYMOUS", False
- ) and self.is_anonymous_owner(request):
+ if not self.owner:
+ if settings.UMAP_ALLOW_ANONYMOUS and self.is_anonymous_owner(request):
 can = True
- if user == self.owner:
+ elif user == self.owner:
 can = True
 elif user in self.editors.all():
 can = True
diff --git a/umap/tests/test_datalayer.py b/umap/tests/test_datalayer.py
index 5818a541..d2b70797 100644
--- a/umap/tests/test_datalayer.py
+++ b/umap/tests/test_datalayer.py
@@ -4,6 +4,7 @@ import pytest
 from django.core.files.base import ContentFile
 from .base import DataLayerFactory, MapFactory
+from umap.models import DataLayer
 pytestmark = pytest.mark.django_db
@@ -21,7 +22,7 @@ def test_datalayers_should_be_ordered_by_rank(map, datalayer):
 def test_upload_to(map, datalayer):
 map.pk = 302
 datalayer.pk = 17
- assert datalayer.upload_to().startswith('datalayer/2/0/302/17_')
+ assert datalayer.upload_to().startswith("datalayer/2/0/302/17_")
 def test_save_should_use_pk_as_name(map, datalayer):
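Review bot: In the second umap/models.py hunk (`can_edit`), changing `if user == self.owner:` to `elif` puts the owner and editor checks behind `if not self.owner:`, so in the visible lines a map without an owner never reaches `user in self.editors.all()` and its editors can edit only through the anonymous-owner cookie. If that narrowing is intended it should be stated next to the branch, e.g. `# ownerless map: only the anonymous-owner cookie grants edit; editors are not consulted`, and covered by a test; none of the tests added in this patch adds an editor to an ownerless map. The same hunk reads `settings.UMAP_ALLOW_ANONYMOUS` without the previous `getattr(..., False)` default, which is safe only if the project's base settings always define it (not visible here); otherwise a permission check raises AttributeError instead of denying. The body of `can_edit` starts and continues outside the hunk.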
@@ -81,3 +82,64 @@ def test_should_remove_old_versions_on_save(datalayer, map, settings):
 assert os.path.basename(other) in files
 assert os.path.basename(other + ".gz") in files
 assert os.path.basename(older) not in files
+ assert os.path.basename(older + ".gz") not in files
+
+
+def test_anonymous_cannot_edit_in_editors_mode(datalayer):
+ datalayer.edit_status = DataLayer.EDITORS
+ datalayer.save()
+ assert not datalayer.can_edit()
+
+
+def test_owner_can_edit_in_editors_mode(datalayer, user):
+ datalayer.edit_status = DataLayer.EDITORS
+ datalayer.save()
+ assert datalayer.can_edit(datalayer.map.owner)
+
+
+def test_editor_can_edit_in_editors_mode(datalayer, user):
+ map = datalayer.map
+ map.editors.add(user)
+ map.save()
+ datalayer.edit_status = DataLayer.EDITORS
+ datalayer.save()
+ assert datalayer.can_edit(user)
+
+
+def test_anonymous_can_edit_in_public_mode(datalayer):
+ datalayer.edit_status = DataLayer.ANONYMOUS
+ datalayer.save()
+ assert datalayer.can_edit()
+
+
+def test_owner_can_edit_in_public_mode(datalayer, user):
+ datalayer.edit_status = DataLayer.ANONYMOUS
+ datalayer.save()
+ assert datalayer.can_edit(datalayer.map.owner)
+
+
+def test_editor_can_edit_in_public_mode(datalayer, user):
+ map = datalayer.map
+ map.editors.add(user)
+ map.save()
+ datalayer.edit_status = DataLayer.ANONYMOUS
+ datalayer.save()
+ assert datalayer.can_edit(user)
+
+
+def test_anonymous_cannot_edit_in_anonymous_owner_mode(datalayer):
+ datalayer.edit_status = DataLayer.OWNER
+ datalayer.save()
+ map = datalayer.map
+ map.owner = None
+ map.save()
+ assert not datalayer.can_edit()
+
+
+def test_anonymous_can_edit_in_anonymous_owner_but_public_mode(datalayer):
+ datalayer.edit_status = DataLayer.ANONYMOUS
+ datalayer.save()
+ map = datalayer.map
+ map.owner = None
+ map.save()
+ assert datalayer.can_edit()
diff --git a/umap/tests/test_datalayer_views.py b/umap/tests/test_datalayer_views.py
index 43a6d49d..01c65db7 100644
--- a/umap/tests/test_datalayer_views.py
+++ b/umap/tests/test_datalayer_views.py 
@@ -245,3 +245,94 @@ def test_update_readonly(client, datalayer, map, post_data, settings):
 client.login(username=map.owner.username, password="123123")
 response = client.post(url, post_data, follow=True)
 assert response.status_code == 403
+
+
+@pytest.mark.usefixtures("allow_anonymous")
+def test_anonymous_owner_can_edit_in_anonymous_owner_mode(
+ datalayer, cookieclient, anonymap, post_data
+):
+ datalayer.edit_status = DataLayer.OWNER
+ datalayer.save()
+ url = reverse("datalayer_update", args=(anonymap.pk, datalayer.pk))
+ name = "new name"
+ post_data["name"] = name
+ response = cookieclient.post(url, post_data, follow=True)
+ assert response.status_code == 200
+ modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
+ assert modified_datalayer.name == name
+
+
+@pytest.mark.usefixtures("allow_anonymous")
+def test_anonymous_can_edit_in_anonymous_owner_but_public_mode(
+ datalayer, client, anonymap, post_data
+):
+ datalayer.edit_status = DataLayer.ANONYMOUS
+ datalayer.save()
+ url = reverse("datalayer_update", args=(anonymap.pk, datalayer.pk))
+ name = "new name"
+ post_data["name"] = name
+ response = client.post(url, post_data, follow=True)
+ assert response.status_code == 200
+ modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
+ assert modified_datalayer.name == name
+
+
+@pytest.mark.usefixtures("allow_anonymous")
+def test_anonymous_cannot_edit_in_anonymous_owner_mode(
+ datalayer, client, anonymap, post_data
+):
+ datalayer.edit_status = DataLayer.OWNER
+ datalayer.save()
+ url = reverse("datalayer_update", args=(anonymap.pk, datalayer.pk))
+ name = "new name"
+ post_data["name"] = name
+ response = client.post(url, post_data, follow=True)
+ assert response.status_code == 403
+
+
+def test_anonymous_cannot_edit_in_owner_mode(datalayer, client, map, post_data):
+ datalayer.edit_status = DataLayer.OWNER
+ datalayer.save()
+ url = reverse("datalayer_update", args=(map.pk, datalayer.pk))
+ name = "new name"
+ post_data["name"] = name
+ response = client.post(url, post_data, follow=True)
+ assert response.status_code == 403
+
+
+def test_anonymous_can_edit_in_owner_but_public_mode(datalayer, client, map, post_data):
+ datalayer.edit_status = DataLayer.ANONYMOUS
+ datalayer.save()
+ url = reverse("datalayer_update", args=(map.pk, datalayer.pk))
+ name = "new name"
+ post_data["name"] = name
+ response = client.post(url, post_data, follow=True)
+ assert response.status_code == 200
+ modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
+ assert modified_datalayer.name == name
+
+
+def test_owner_can_edit_in_owner_mode(datalayer, client, map, post_data):
+ client.login(username=map.owner.username, password="123123")
+ datalayer.edit_status = DataLayer.OWNER
+ datalayer.save()
+ url = reverse("datalayer_update", args=(map.pk, datalayer.pk))
+ name = "new name"
+ post_data["name"] = name
+ response = client.post(url, post_data, follow=True)
+ assert response.status_code == 200
+ modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
+ assert modified_datalayer.name == name
+
+
+def test_editor_can_edit_in_editors_mode(datalayer, client, map, post_data):
+ client.login(username=map.owner.username, password="123123")
+ datalayer.edit_status = DataLayer.EDITORS
+ datalayer.save()
+ url = reverse("datalayer_update", args=(map.pk, datalayer.pk))
+ name = "new name"
+ post_data["name"] = name
+ response = client.post(url, post_data, follow=True)
+ assert response.status_code == 200
+ modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
+ assert modified_datalayer.name == name
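Review bot: `test_editor_can_edit_in_editors_mode`, the last test in this hunk, logs in with `map.owner.username` and never adds anyone to `map.editors`, so it repeats the owner path and leaves the editor branch of the view untested. It should take the `user` fixture, call `map.editors.add(user)` and log in with `client.login(username=user.username, password="123123")`, assuming that fixture shares the owner's test password (not visible here). Separately, every denial test in this hunk and in the umap/tests/test_datalayer.py hunk uses an anonymous client. A logged-in user who is neither owner nor editor posting to `datalayer_update` in `DataLayer.EDITORS` or `DataLayer.OWNER` mode and getting 403 is the case that would catch an over-permissive `can_edit`, and it is not covered.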