test_access.py 9.94 KB
Newer Older
1 2 3 4 5 6 7
import mock

from django.conf import settings
from django.contrib.auth.models import Group as AuthGroup
from django.urls import reverse

from core.tests.utils import GraceDbTestBase
8
from alerts.models import Contact, Notification
9 10 11


class TestIndexView(GraceDbTestBase):
12
    """Test user access to main alerts index page"""
13 14 15

    def test_internal_user_get(self):
        """Internal user can get to index view"""
16
        url = reverse('alerts:index')
17 18 19 20 21
        response = self.request_as_user(url, "GET", self.internal_user)
        self.assertEqual(response.status_code, 200)

    def test_lvem_user_get(self):
        """LV-EM user can get to index view"""
22
        url = reverse('alerts:index')
23 24 25 26 27
        response = self.request_as_user(url, "GET", self.lvem_user)
        self.assertEqual(response.status_code, 200)

    def test_public_user_get(self):
        """Public user can get to index view"""
28
        url = reverse('alerts:index')
29 30 31 32 33 34 35 36 37 38
        response = self.request_as_user(url, "GET")
        # Should be redirected to login page
        self.assertEqual(response.status_code, 302)


class TestManagePasswordView(GraceDbTestBase):
    """Test user access to page for generating basic auth password for API"""

    def test_internal_user_get(self):
        """Internal user *can't* get to manage password page"""
39
        url = reverse('alerts:manage-password')
40 41 42 43 44
        response = self.request_as_user(url, "GET", self.internal_user)
        self.assertEqual(response.status_code, 403)

    def test_lvem_user_get(self):
        """LV-EM user can get to manage password page"""
45
        url = reverse('alerts:manage-password')
46 47 48 49 50
        response = self.request_as_user(url, "GET", self.lvem_user)
        self.assertEqual(response.status_code, 200)

    def test_public_user_get(self):
        """Public user can't get to manage password page"""
51
        url = reverse('alerts:manage-password')
52 53 54 55 56 57 58 59 60
        response = self.request_as_user(url, "GET")
        self.assertEqual(response.status_code, 403)


class TestContactCreationView(GraceDbTestBase):
    """Test user access to contact creation view"""

    def test_internal_user_get(self):
        """Internal user can get contact creation view"""
61
        url = reverse('alerts:create-contact')
62 63 64 65 66
        response = self.request_as_user(url, "GET", self.internal_user)
        self.assertEqual(response.status_code, 200)

    def test_lvem_user_get(self):
        """LV-EM user can't get contact creation view"""
67
        url = reverse('alerts:create-contact')
68 69 70 71 72
        response = self.request_as_user(url, "GET", self.lvem_user)
        self.assertEqual(response.status_code, 403)

    def test_public_user_get(self):
        """Public user can't get contact creation view"""
73
        url = reverse('alerts:create-contact')
74 75 76 77 78
        response = self.request_as_user(url, "GET")
        self.assertEqual(response.status_code, 403)


# Prevent test emails from going out
79
@mock.patch('alerts.views.EmailMessage')
80 81 82 83 84 85 86 87 88
class TestContactTestView(GraceDbTestBase):
    """Test user access to contact testing view"""

    @classmethod
    def setUpTestData(cls):
        super(TestContactTestView, cls).setUpTestData()

        # Create a contact
        cls.contact = Contact.objects.create(user=cls.internal_user,
89
            description='test contact', email='test@test.com')
90 91 92

    def test_internal_user_test(self, mock_email_message):
        """Internal user can test contacts"""
93
        url = reverse('alerts:test-contact', args=[self.contact.id])
94
        response = self.request_as_user(url, "GET", self.internal_user)
95
        # Expect 302 since we are redirected to alerts index page
96 97
        # after the test
        self.assertEqual(response.status_code, 302)
98
        self.assertEqual(response.url, reverse('alerts:index'))
99 100 101

    def test_lvem_user_test(self, mock_email_message):
        """LV-EM user can't test contacts"""
102
        url = reverse('alerts:create-contact')
103 104 105 106 107
        response = self.request_as_user(url, "GET", self.lvem_user)
        self.assertEqual(response.status_code, 403)

    def test_public_user_test(self, mock_email_message):
        """Public user can't test contacts"""
108
        url = reverse('alerts:create-contact')
109 110 111 112 113 114 115 116 117 118 119 120 121
        response = self.request_as_user(url, "GET")
        self.assertEqual(response.status_code, 403)


class TestContactDeleteView(GraceDbTestBase):
    """Test user access to contact deletion view"""

    @classmethod
    def setUpTestData(cls):
        super(TestContactDeleteView, cls).setUpTestData()

        # Create a contact
        cls.contact = Contact.objects.create(user=cls.internal_user,
122
            description='test contact', email='test@test.com')
123 124 125

        # Create another contact
        cls.other_contact = Contact.objects.create(user=cls.lvem_user,
126
            description='test contact', email='test@test.com')
127 128 129

    def test_internal_user_delete(self):
        """Internal user can delete their contacts"""
130
        url = reverse('alerts:delete-contact', args=[self.contact.id])
131
        response = self.request_as_user(url, "GET", self.internal_user)
132
        # Expect 302 since we are redirected to alerts index page
133 134
        # after the contact is deleted
        self.assertEqual(response.status_code, 302)
135
        self.assertEqual(response.url, reverse('alerts:index'))
136 137 138 139 140 141
        # Assert that contact is deleted
        with self.assertRaises(self.contact.DoesNotExist):
            self.contact.refresh_from_db()

    def test_internal_user_delete_other(self):
        """Internal user can't delete other users' contacts"""
142
        url = reverse('alerts:delete-contact',
143 144
            args=[self.other_contact.id])
        response = self.request_as_user(url, "GET", self.internal_user)
145
        self.assertEqual(response.status_code, 404)
146 147 148 149 150 151

    def test_lvem_user_get(self):
        """LV-EM user can't delete contacts"""
        # Even if an LV-EM user somehow ended up with a contact
        # (see self.other_contact), they can't delete it.
        for c in Contact.objects.all():
152
            url = reverse('alerts:delete-contact', args=[c.id])
153 154 155 156 157 158
            response = self.request_as_user(url, "GET", self.lvem_user)
            self.assertEqual(response.status_code, 403)

    def test_public_user_get(self):
        """Public user can't delete contacts"""
        for c in Contact.objects.all():
159
            url = reverse('alerts:delete-contact', args=[c.id])
160 161 162 163 164 165 166 167 168
            response = self.request_as_user(url, "GET", self.lvem_user)
            self.assertEqual(response.status_code, 403)


class TestNotificationCreateView(GraceDbTestBase):
    """Test user access to notification creation view"""

    def test_internal_user_get(self):
        """Internal user can get notification creation view"""
169
        url = reverse('alerts:create-notification')
170 171 172 173 174
        response = self.request_as_user(url, "GET", self.internal_user)
        self.assertEqual(response.status_code, 200)

    def test_lvem_user_get(self):
        """LV-EM user can't get notification creation view"""
175
        url = reverse('alerts:create-notification')
176 177 178 179 180
        response = self.request_as_user(url, "GET", self.lvem_user)
        self.assertEqual(response.status_code, 403)

    def test_public_user_get(self):
        """Public user can't get notification creation view"""
181
        url = reverse('alerts:create-notification')
182
        response = self.request_as_user(url, "GET")
183
        # User should be redirected to login view
184 185 186 187 188 189 190 191 192 193
        self.assertEqual(response.status_code, 403)


class TestNotificationDeleteView(GraceDbTestBase):
    """Test user access to notification deletion view"""

    @classmethod
    def setUpTestData(cls):
        super(TestNotificationDeleteView, cls).setUpTestData()

194
        # Create a contact and a notification
195
        cls.contact = Contact.objects.create(user=cls.internal_user,
196
            description='test contact', email='test@test.com')
197
        cls.notification = Notification.objects.create(user=cls.internal_user)
198 199
        cls.notification.contacts.add(cls.contact)

200
        # Create another contact and notification
201 202 203
        # We use lvem_user as the user account just so it can be used for
        # testing deletion of another user's contacts. But in reality, an
        # LV-EM user should never have a contact or notification
204
        cls.other_contact = Contact.objects.create(user=cls.lvem_user,
205 206 207
            description='test contact', email='test@test.com')
        cls.other_notification = Notification.objects.create(
            user=cls.lvem_user)
208 209 210 211
        cls.other_notification.contacts.add(cls.other_contact)

    def test_internal_user_delete(self):
        """Internal user can delete their notifications"""
212 213
        url = reverse('alerts:delete-notification',
            args=[self.notification.id])
214
        response = self.request_as_user(url, "GET", self.internal_user)
215
        # Expect 302 since we are redirected to alerts index page
216 217
        # after the notification is deleted
        self.assertEqual(response.status_code, 302)
218
        self.assertEqual(response.url, reverse('alerts:index'))
219 220 221 222 223 224
        # Assert that contact is deleted
        with self.assertRaises(self.notification.DoesNotExist):
            self.notification.refresh_from_db()

    def test_internal_user_delete_other(self):
        """Internal user can't delete other users' notifications"""
225 226
        url = reverse('alerts:delete-notification',
            args=[self.other_notification.id])
227
        response = self.request_as_user(url, "GET", self.internal_user)
228
        self.assertEqual(response.status_code, 404)
229 230 231

    def test_lvem_user_delete(self):
        """LV-EM user can't delete notifications"""
232
        for t in Notification.objects.all():
233
            url = reverse('alerts:delete-notification', args=[t.id])
234 235 236 237
            response = self.request_as_user(url, "GET", self.lvem_user)
            self.assertEqual(response.status_code, 403)

    def test_public_user_delete(self):
238
        """Public user can't delete notifications"""
239
        for t in Notification.objects.all():
240
            url = reverse('alerts:delete-notification', args=[t.id])
241 242
            response = self.request_as_user(url, "GET")
            self.assertEqual(response.status_code, 403)