test_user_auth.py 6.36 KB
Edit Raw Blame History



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163


# -*- coding: utf8 -*-
# This file is part of PyBossa.
#
# Copyright (C) 2015 SciFabric LTD.
#
# PyBossa is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# PyBossa is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with PyBossa.  If not, see <http://www.gnu.org/licenses/>.

from default import Test, assert_not_raises
from pybossa.auth import ensure_authorized_to
from nose.tools import assert_raises
from werkzeug.exceptions import Forbidden, Unauthorized
from mock import patch
from test_authorization import mock_current_user
from factories import ProjectFactory, BlogpostFactory, UserFactory
from pybossa.model.user import User


class TestUserAuthorization(Test):

    mock_anonymous = mock_current_user()
    mock_authenticated = mock_current_user(anonymous=False, admin=False, id=2)
    mock_admin = mock_current_user(anonymous=False, admin=True, id=1)


    @patch('pybossa.auth.current_user', new=mock_anonymous)
    def test_anonymous_user_cannot_create(self):
        """Test anonymous users cannot create users"""
        assert_raises(Unauthorized, ensure_authorized_to, 'create', User)


    @patch('pybossa.auth.current_user', new=mock_authenticated)
    def test_authenticated_user_cannot_create(self):
        """Test authenticated users cannot create users"""
        assert_raises(Forbidden, ensure_authorized_to, 'create', User)


    @patch('pybossa.auth.current_user', new=mock_admin)
    def test_admins_can_create(self):
        """Test admins users can create users"""
        assert_not_raises(Exception, ensure_authorized_to, 'create', User)


    @patch('pybossa.auth.current_user', new=mock_anonymous)
    def test_anonymous_user_can_read(self):
        """Test anonymous users can read users"""
        assert_not_raises(Exception, ensure_authorized_to, 'read', User)


    @patch('pybossa.auth.current_user', new=mock_authenticated)
    def test_authenticated_user_can_read(self):
        """Test authenticated users can read users"""
        assert_not_raises(Exception, ensure_authorized_to, 'read', User)


    @patch('pybossa.auth.current_user', new=mock_admin)
    def test_admins_can_read(self):
        """Test admins users can read users"""
        assert_not_raises(Exception, ensure_authorized_to, 'read', User)


    @patch('pybossa.auth.current_user', new=mock_anonymous)
    def test_anonymous_user_can_read_given_user(self):
        """Test anonymous users can read a given user"""
        user = UserFactory.create()
        assert_not_raises(Exception, ensure_authorized_to, 'read', user)


    @patch('pybossa.auth.current_user', new=mock_authenticated)
    def test_authenticated_user_can_read_given_user(self):
        """Test authenticated users can read a given user"""
        user = UserFactory.create()
        assert_not_raises(Exception, ensure_authorized_to, 'read', user)


    @patch('pybossa.auth.current_user', new=mock_admin)
    def test_admins_can_read_given_user(self):
        """Test admins users can read a given user"""
        user = UserFactory.create()
        assert_not_raises(Exception, ensure_authorized_to, 'read', user)


    @patch('pybossa.auth.current_user', new=mock_anonymous)
    def test_anonymous_user_cannot_update_given_user(self):
        """Test anonymous users cannot update a given user"""
        user = UserFactory.create()
        assert_raises(Unauthorized, ensure_authorized_to, 'update', user)


    @patch('pybossa.auth.current_user', new=mock_authenticated)
    def test_authenticated_user_cannot_update_another_user(self):
        """Test authenticated users cannot update another user than themselves"""
        user = UserFactory.create()

        assert user.id != self.mock_authenticated.id, user.id
        assert_raises(Forbidden, ensure_authorized_to, 'update', user)


    @patch('pybossa.auth.current_user', new=mock_authenticated)
    def test_authenticated_user_can_update_themselves(self):
        """Test authenticated users can update themselves"""
        user = UserFactory.create_batch(2)[1]

        assert user.id == self.mock_authenticated.id, user.id
        assert_not_raises(Exception, ensure_authorized_to, 'update', user)


    @patch('pybossa.auth.current_user', new=mock_admin)
    def test_admins_can_update_any_user(self):
        """Test admins users can update any given user"""
        himself = UserFactory.create()
        other_user = UserFactory.create()

        assert himself.id == self.mock_admin.id
        assert other_user.id != self.mock_admin.id
        assert_not_raises(Exception, ensure_authorized_to, 'update', other_user)


    @patch('pybossa.auth.current_user', new=mock_anonymous)
    def test_anonymous_user_cannot_delete_given_user(self):
        """Test anonymous users cannot delete a given user"""
        user = UserFactory.create()
        assert_raises(Unauthorized, ensure_authorized_to, 'delete', user)


    @patch('pybossa.auth.current_user', new=mock_authenticated)
    def test_authenticated_user_cannot_delete_another_user(self):
        """Test authenticated users cannot delete another user than themselves"""
        user = UserFactory.create()

        assert user.id != self.mock_authenticated.id, user.id
        assert_raises(Forbidden, ensure_authorized_to, 'delete', user)


    @patch('pybossa.auth.current_user', new=mock_authenticated)
    def test_authenticated_user_can_delete_themselves(self):
        """Test authenticated users can delete themselves"""
        user = UserFactory.create_batch(2)[1]

        assert user.id == self.mock_authenticated.id, user.id
        assert_not_raises(Exception, ensure_authorized_to, 'delete', user)


    @patch('pybossa.auth.current_user', new=mock_admin)
    def test_admins_can_delete_any_user(self):
        """Test admins users can delete any given user"""
        himself = UserFactory.create()
        other_user = UserFactory.create()

        assert himself.id == self.mock_admin.id
        assert other_user.id != self.mock_admin.id
        assert_not_raises(Exception, ensure_authorized_to, 'delete', other_user)