From 5b2820df37e5a864129aa5919f03e7e1ae1adde1 Mon Sep 17 00:00:00 2001 From: Scot Hacker Date: Tue, 27 Mar 2018 22:51:39 -0700 Subject: [PATCH] Add more permissions tests --- todo/tests/conftest.py | 4 ++-- todo/tests/test_views.py | 39 ++++++++++++++++++++++++++++++++++----- 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/todo/tests/conftest.py b/todo/tests/conftest.py index ba58d89..aca0e88 100644 --- a/todo/tests/conftest.py +++ b/todo/tests/conftest.py @@ -14,7 +14,7 @@ def todo_setup(django_user_model): u1.groups.add(g1) tlist1 = TaskList.objects.create(group=g1, name="Zip", slug="zip") Item.objects.create(created_by=u1, title="Task 1", task_list=tlist1, priority=1) - Item.objects.create(created_by=u1, title="Task 2", task_list=tlist1, priority=2) + Item.objects.create(created_by=u1, title="Task 2", task_list=tlist1, priority=2, completed=True) Item.objects.create(created_by=u1, title="Task 3", task_list=tlist1, priority=3) g2 = Group.objects.create(name="Workgroup Two") @@ -22,5 +22,5 @@ def todo_setup(django_user_model): u2.groups.add(g2) tlist2 = TaskList.objects.create(group=g2, name="Zap", slug="zap") Item.objects.create(created_by=u2, title="Task 1", task_list=tlist2, priority=1) - Item.objects.create(created_by=u2, title="Task 2", task_list=tlist2, priority=2) + Item.objects.create(created_by=u2, title="Task 2", task_list=tlist2, priority=2, completed=True) Item.objects.create(created_by=u2, title="Task 3", task_list=tlist2, priority=3) diff --git a/todo/tests/test_views.py b/todo/tests/test_views.py index ee166cc..cc80740 100644 --- a/todo/tests/test_views.py +++ b/todo/tests/test_views.py @@ -1,6 +1,6 @@ import pytest -from django.contrib.auth import get_user_model +from django.contrib.auth.models import Group from django.urls import reverse from todo.models import Item, TaskList @@ -90,6 +90,7 @@ def test_view_search(todo_setup, admin_client): """ Some views are for staff users only. We've already smoke-tested with Admin user - try these with normal user. +These exercise our custom @staff_only decorator without calling that function explicitly. """ @@ -128,8 +129,36 @@ def test_view_list_not_mine(todo_setup, client): assert response.status_code == 403 +def test_view_task_mine(todo_setup, client): + # Users can always view their own tasks + task = Item.objects.filter(created_by__username="u1").first() + client.login(username="u1", password="password") + url = reverse('todo:task_detail', kwargs={'task_id': task.id}) + response = client.get(url) + assert response.status_code == 200 -# TODO -# View a task in a list in a group I do / don't belong to. -# Mark complete -# staff_only decorator + +def test_view_task_my_group(todo_setup, client, django_user_model): + # User can always view tasks that are NOT theirs IF the task is in a shared group. + # u1 and u2 are in different groups in the fixture - + # Put them in the same group. + g1 = Group.objects.get(name="Workgroup One") + u2 = django_user_model.objects.get(username="u2") + u2.groups.add(g1) + + # Now u2 should be able to view one of u1's tasks. + task = Item.objects.filter(created_by__username="u1").first() + url = reverse('todo:task_detail', kwargs={'task_id': task.id}) + client.login(username="u2", password="password") + response = client.get(url) + assert response.status_code == 200 + + +def test_view_task_not_in_my_group(todo_setup, client): + # User canNOT view a task that isn't theirs if the two users are not in a shared group. + # For this we can use the fixture data as-is. + task = Item.objects.filter(created_by__username="u1").first() + url = reverse('todo:task_detail', kwargs={'task_id': task.id}) + client.login(username="u2", password="password") + response = client.get(url) + assert response.status_code == 403