Raise permission denied on CreateView if you don't have the permission to create a sample instance, see #53

2025-06-21 01:48:21 +02:00 · 2020-08-13 15:20:15 +02:00
parent 71f6436d06
commit c466715e8a
15 changed files with 584 additions and 173 deletions
--- a/apps/permission/tests/init.py
+++ b/apps/permission/tests/init.py
--- a/apps/permission/tests/test_permission_denied.py
+++ b/apps/permission/tests/test_permission_denied.py
@ -0,0 +1,150 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from datetime import timedelta
+
+from django.contrib.auth.models import User
+from django.test import TestCase
+from django.urls import reverse
+from django.utils import timezone
+from activity.models import Activity
+from member.models import Club, Membership
+from note.models import NoteUser
+from wei.models import WEIClub, Bus, WEIRegistration
+
+
+class TestPermissionDenied(TestCase):
+    """
+    Load some protected pages and check that we have 403 errors.
+    """
+    fixtures = ('initial',)
+
+    def setUp(self) -> None:
+        # Create sample user with no rights
+        self.user = User.objects.create(
+            username="toto",
+        )
+        NoteUser.objects.create(user=self.user)
+        self.client.force_login(self.user)
+
+    def test_consos(self):
+        response = self.client.get(reverse("note:consos"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_activity(self):
+        response = self.client.get(reverse("activity:activity_create"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_activity_entries(self):
+        activity = Activity.objects.create(
+            name="",
+            description="",
+            creater=self.user,
+            activity_type_id=1,
+            organizer_id=1,
+            attendees_club_id=1,
+            date_start=timezone.now(),
+            date_end=timezone.now(),
+        )
+        response = self.client.get(reverse("activity:activity_entry", kwargs=dict(pk=activity.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_invite_activity(self):
+        activity = Activity.objects.create(
+            name="",
+            description="",
+            creater=self.user,
+            activity_type_id=1,
+            organizer_id=1,
+            attendees_club_id=1,
+            date_start=timezone.now(),
+            date_end=timezone.now(),
+        )
+        response = self.client.get(reverse("activity:activity_invite", kwargs=dict(pk=activity.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_club(self):
+        response = self.client.get(reverse("member:club_create"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_add_member_club(self):
+        club = Club.objects.create()
+        response = self.client.get(reverse("member:club_add_member", kwargs=dict(club_pk=club.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_renew_membership(self):
+        club = Club.objects.create()
+        membership = Membership.objects.create(user=self.user, club=club)
+        response = self.client.get(reverse("member:club_renew_membership", kwargs=dict(pk=membership.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_weiclub(self):
+        response = self.client.get(reverse("wei:wei_create"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_wei_bus(self):
+        wei = WEIClub.objects.create(
+            membership_start=timezone.now().date(),
+            date_start=timezone.now().date() + timedelta(days=1),
+            date_end=timezone.now().date() + timedelta(days=1),
+        )
+        response = self.client.get(reverse("wei:add_bus", kwargs=dict(pk=wei.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_wei_team(self):
+        wei = WEIClub.objects.create(
+            membership_start=timezone.now().date(),
+            date_start=timezone.now().date() + timedelta(days=1),
+            date_end=timezone.now().date() + timedelta(days=1),
+        )
+        bus = Bus.objects.create(wei=wei)
+        response = self.client.get(reverse("wei:add_team", kwargs=dict(pk=bus.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_1a_weiregistration(self):
+        wei = WEIClub.objects.create(
+            membership_start=timezone.now().date(),
+            date_start=timezone.now().date() + timedelta(days=1),
+            date_end=timezone.now().date() + timedelta(days=1),
+        )
+        response = self.client.get(reverse("wei:wei_register_1A", kwargs=dict(wei_pk=wei.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_old_weiregistration(self):
+        wei = WEIClub.objects.create(
+            membership_start=timezone.now().date(),
+            date_start=timezone.now().date() + timedelta(days=1),
+            date_end=timezone.now().date() + timedelta(days=1),
+        )
+        response = self.client.get(reverse("wei:wei_register_2A", kwargs=dict(wei_pk=wei.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_validate_weiregistration(self):
+        wei = WEIClub.objects.create(
+            membership_start=timezone.now().date(),
+            date_start=timezone.now().date() + timedelta(days=1),
+            date_end=timezone.now().date() + timedelta(days=1),
+        )
+        registration = WEIRegistration.objects.create(wei=wei, user=self.user, birth_date="2000-01-01")
+        response = self.client.get(reverse("wei:validate_registration", kwargs=dict(pk=registration.pk)))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_invoice(self):
+        response = self.client.get(reverse("treasury:invoice_create"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_list_invoices(self):
+        response = self.client.get(reverse("treasury:invoice_list"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_create_remittance(self):
+        response = self.client.get(reverse("treasury:remittance_create"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_list_remittance(self):
+        response = self.client.get(reverse("treasury:remittance_list"))
+        self.assertEqual(response.status_code, 403)
+
+    def test_list_soge_credits(self):
+        response = self.client.get(reverse("treasury:soge_credits"))
+        self.assertEqual(response.status_code, 403)
--- a/apps/permission/tests/test_permission_queries.py
+++ b/apps/permission/tests/test_permission_queries.py
@ -0,0 +1,84 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.contrib.auth.models import User
+from django.core.exceptions import FieldError
+from django.db.models import F, Q
+from django.test import TestCase
+from django.utils import timezone
+from member.models import Club, Membership
+from note.models import NoteUser, Note, NoteClub, NoteSpecial
+from wei.models import WEIMembership, WEIRegistration, WEIClub, Bus, BusTeam
+
+from ..models import Permission
+
+
+class PermissionQueryTestCase(TestCase):
+    fixtures = ('initial', )
+
+    @classmethod
+    def setUpTestData(cls):
+        user = User.objects.create(username="user")
+        NoteUser.objects.create(user=user)
+        wei = WEIClub.objects.create(
+            name="wei",
+            date_start=timezone.now().date(),
+            date_end=timezone.now().date(),
+        )
+        NoteClub.objects.create(club=wei)
+        weiregistration = WEIRegistration.objects.create(
+            user=user,
+            wei=wei,
+            birth_date=timezone.now().date(),
+        )
+        bus = Bus.objects.create(
+            name="bus",
+            wei=wei,
+        )
+        team = BusTeam.objects.create(
+            name="team",
+            bus=bus,
+            color=0xFFFFFF,
+        )
+        WEIMembership.objects.create(
+            user=user,
+            club=wei,
+            registration=weiregistration,
+            bus=bus,
+            team=team,
+        )
+
+    def test_permission_queries(self):
+        """
+        Check for all permissions that the query is compilable and that the database can parse the query.
+        We use a random user with a random WEIClub (to use permissions for the WEI) in a random team in a random bus.
+        """
+        for perm in Permission.objects.all():
+            instanced = perm.about(
+                user=User.objects.get(),
+                club=WEIClub.objects.get(),
+                membership=Membership.objects.get(),
+                User=User,
+                Club=Club,
+                Membership=Membership,
+                Note=Note,
+                NoteUser=NoteUser,
+                NoteClub=NoteClub,
+                NoteSpecial=NoteSpecial,
+                F=F,
+                Q=Q,
+                now=timezone.now(),
+                today=timezone.now().date(),
+            )
+            try:
+                instanced.update_query()
+                query = instanced.query
+                model = perm.model.model_class()
+                model.objects.filter(query).all()
+                # print("Good query for permission", perm)
+            except (FieldError, AttributeError, ValueError, TypeError):
+                print("Query error for permission", perm)
+                print("Query:", perm.query)
+                if instanced.query:
+                    print("Compiled query:", instanced.query)
+                raise