Add more tests for datalayer permissions

This commit is contained in:
Yohan Boniface 2023-09-09 11:44:35 +02:00
parent d6d55e619a
commit 42eb0e6ded
3 changed files with 158 additions and 7 deletions

View file

@ -202,7 +202,7 @@ class Map(NamedModel):
return settings.SITE_URL + path return settings.SITE_URL + path
def is_anonymous_owner(self, request): def is_anonymous_owner(self, request):
if self.owner: if not request or self.owner:
# edit cookies are only valid while map hasn't owner # edit cookies are only valid while map hasn't owner
return False return False
key, value = self.signed_cookie_elements key, value = self.signed_cookie_elements
@ -221,12 +221,10 @@ class Map(NamedModel):
In anononymous mode: only "anonymous owners" (having edit cookie set) In anononymous mode: only "anonymous owners" (having edit cookie set)
""" """
can = False can = False
if request and not self.owner: if not self.owner:
if getattr( if settings.UMAP_ALLOW_ANONYMOUS and self.is_anonymous_owner(request):
settings, "UMAP_ALLOW_ANONYMOUS", False
) and self.is_anonymous_owner(request):
can = True can = True
if user == self.owner: elif user == self.owner:
can = True can = True
elif user in self.editors.all(): elif user in self.editors.all():
can = True can = True

View file

@ -4,6 +4,7 @@ import pytest
from django.core.files.base import ContentFile from django.core.files.base import ContentFile
from .base import DataLayerFactory, MapFactory from .base import DataLayerFactory, MapFactory
from umap.models import DataLayer
pytestmark = pytest.mark.django_db pytestmark = pytest.mark.django_db
@ -21,7 +22,7 @@ def test_datalayers_should_be_ordered_by_rank(map, datalayer):
def test_upload_to(map, datalayer): def test_upload_to(map, datalayer):
map.pk = 302 map.pk = 302
datalayer.pk = 17 datalayer.pk = 17
assert datalayer.upload_to().startswith('datalayer/2/0/302/17_') assert datalayer.upload_to().startswith("datalayer/2/0/302/17_")
def test_save_should_use_pk_as_name(map, datalayer): def test_save_should_use_pk_as_name(map, datalayer):
@ -81,3 +82,64 @@ def test_should_remove_old_versions_on_save(datalayer, map, settings):
assert os.path.basename(other) in files assert os.path.basename(other) in files
assert os.path.basename(other + ".gz") in files assert os.path.basename(other + ".gz") in files
assert os.path.basename(older) not in files assert os.path.basename(older) not in files
assert os.path.basename(older + ".gz") not in files
def test_anonymous_cannot_edit_in_editors_mode(datalayer):
datalayer.edit_status = DataLayer.EDITORS
datalayer.save()
assert not datalayer.can_edit()
def test_owner_can_edit_in_editors_mode(datalayer, user):
datalayer.edit_status = DataLayer.EDITORS
datalayer.save()
assert datalayer.can_edit(datalayer.map.owner)
def test_editor_can_edit_in_editors_mode(datalayer, user):
map = datalayer.map
map.editors.add(user)
map.save()
datalayer.edit_status = DataLayer.EDITORS
datalayer.save()
assert datalayer.can_edit(user)
def test_anonymous_can_edit_in_public_mode(datalayer):
datalayer.edit_status = DataLayer.ANONYMOUS
datalayer.save()
assert datalayer.can_edit()
def test_owner_can_edit_in_public_mode(datalayer, user):
datalayer.edit_status = DataLayer.ANONYMOUS
datalayer.save()
assert datalayer.can_edit(datalayer.map.owner)
def test_editor_can_edit_in_public_mode(datalayer, user):
map = datalayer.map
map.editors.add(user)
map.save()
datalayer.edit_status = DataLayer.ANONYMOUS
datalayer.save()
assert datalayer.can_edit(user)
def test_anonymous_cannot_edit_in_anonymous_owner_mode(datalayer):
datalayer.edit_status = DataLayer.OWNER
datalayer.save()
map = datalayer.map
map.owner = None
map.save()
assert not datalayer.can_edit()
def test_anonymous_can_edit_in_anonymous_owner_but_public_mode(datalayer):
datalayer.edit_status = DataLayer.ANONYMOUS
datalayer.save()
map = datalayer.map
map.owner = None
map.save()
assert datalayer.can_edit()

View file

@ -245,3 +245,94 @@ def test_update_readonly(client, datalayer, map, post_data, settings):
client.login(username=map.owner.username, password="123123") client.login(username=map.owner.username, password="123123")
response = client.post(url, post_data, follow=True) response = client.post(url, post_data, follow=True)
assert response.status_code == 403 assert response.status_code == 403
@pytest.mark.usefixtures("allow_anonymous")
def test_anonymous_owner_can_edit_in_anonymous_owner_mode(
datalayer, cookieclient, anonymap, post_data
):
datalayer.edit_status = DataLayer.OWNER
datalayer.save()
url = reverse("datalayer_update", args=(anonymap.pk, datalayer.pk))
name = "new name"
post_data["name"] = name
response = cookieclient.post(url, post_data, follow=True)
assert response.status_code == 200
modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
assert modified_datalayer.name == name
@pytest.mark.usefixtures("allow_anonymous")
def test_anonymous_can_edit_in_anonymous_owner_but_public_mode(
datalayer, client, anonymap, post_data
):
datalayer.edit_status = DataLayer.ANONYMOUS
datalayer.save()
url = reverse("datalayer_update", args=(anonymap.pk, datalayer.pk))
name = "new name"
post_data["name"] = name
response = client.post(url, post_data, follow=True)
assert response.status_code == 200
modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
assert modified_datalayer.name == name
@pytest.mark.usefixtures("allow_anonymous")
def test_anonymous_cannot_edit_in_anonymous_owner_mode(
datalayer, client, anonymap, post_data
):
datalayer.edit_status = DataLayer.OWNER
datalayer.save()
url = reverse("datalayer_update", args=(anonymap.pk, datalayer.pk))
name = "new name"
post_data["name"] = name
response = client.post(url, post_data, follow=True)
assert response.status_code == 403
def test_anonymous_cannot_edit_in_owner_mode(datalayer, client, map, post_data):
datalayer.edit_status = DataLayer.OWNER
datalayer.save()
url = reverse("datalayer_update", args=(map.pk, datalayer.pk))
name = "new name"
post_data["name"] = name
response = client.post(url, post_data, follow=True)
assert response.status_code == 403
def test_anonymous_can_edit_in_owner_but_public_mode(datalayer, client, map, post_data):
datalayer.edit_status = DataLayer.ANONYMOUS
datalayer.save()
url = reverse("datalayer_update", args=(map.pk, datalayer.pk))
name = "new name"
post_data["name"] = name
response = client.post(url, post_data, follow=True)
assert response.status_code == 200
modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
assert modified_datalayer.name == name
def test_owner_can_edit_in_owner_mode(datalayer, client, map, post_data):
client.login(username=map.owner.username, password="123123")
datalayer.edit_status = DataLayer.OWNER
datalayer.save()
url = reverse("datalayer_update", args=(map.pk, datalayer.pk))
name = "new name"
post_data["name"] = name
response = client.post(url, post_data, follow=True)
assert response.status_code == 200
modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
assert modified_datalayer.name == name
def test_editor_can_edit_in_editors_mode(datalayer, client, map, post_data):
client.login(username=map.owner.username, password="123123")
datalayer.edit_status = DataLayer.EDITORS
datalayer.save()
url = reverse("datalayer_update", args=(map.pk, datalayer.pk))
name = "new name"
post_data["name"] = name
response = client.post(url, post_data, follow=True)
assert response.status_code == 200
modified_datalayer = DataLayer.objects.get(pk=datalayer.pk)
assert modified_datalayer.name == name