mirror of https://gitlab.crans.org/bde/nk20
Simple test to check permissions with the new OAuth2 implementation
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
parent
a3fd8ba063
commit
fbf64db16e
|
@ -48,7 +48,7 @@ class PermissionBackend(ModelBackend):
|
||||||
user = request.user
|
user = request.user
|
||||||
|
|
||||||
def permission_filter(membership_obj):
|
def permission_filter(membership_obj):
|
||||||
return Q(mask__rank__lte=request.session.get("permission_mask", -1))
|
return Q(mask__rank__lte=request.session.get("permission_mask", 42))
|
||||||
|
|
||||||
if user.is_anonymous:
|
if user.is_anonymous:
|
||||||
# Unauthenticated users have no permissions
|
# Unauthenticated users have no permissions
|
||||||
|
|
|
@ -0,0 +1,94 @@
|
||||||
|
# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
|
||||||
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
|
||||||
|
from datetime import timedelta
|
||||||
|
|
||||||
|
from django.contrib.auth.models import User
|
||||||
|
from django.test import TestCase
|
||||||
|
from django.urls import reverse
|
||||||
|
from django.utils import timezone
|
||||||
|
from django.utils.crypto import get_random_string
|
||||||
|
from member.models import Membership, Club
|
||||||
|
from note.models import NoteUser
|
||||||
|
from oauth2_provider.models import Application, AccessToken
|
||||||
|
|
||||||
|
from ..models import Role, Permission
|
||||||
|
|
||||||
|
|
||||||
|
class OAuth2TestCase(TestCase):
|
||||||
|
fixtures = ('initial', )
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
self.user = User.objects.create(
|
||||||
|
username="toto",
|
||||||
|
)
|
||||||
|
self.application = Application.objects.create(
|
||||||
|
name="Test",
|
||||||
|
client_type=Application.CLIENT_PUBLIC,
|
||||||
|
authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
|
||||||
|
user=self.user,
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_oauth2_access(self):
|
||||||
|
"""
|
||||||
|
Create a simple OAuth2 access token that only has the right to see data of the current user
|
||||||
|
and check that this token has required access, and nothing more.
|
||||||
|
"""
|
||||||
|
|
||||||
|
bde = Club.objects.get(name="BDE")
|
||||||
|
view_user_perm = Permission.objects.get(pk=1) # View own user detail
|
||||||
|
|
||||||
|
# Create access token that has access to our own user detail
|
||||||
|
token = AccessToken.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
application=self.application,
|
||||||
|
scope=f"{view_user_perm.pk}_{bde.pk}",
|
||||||
|
token=get_random_string(64),
|
||||||
|
expires=timezone.now() + timedelta(days=365),
|
||||||
|
)
|
||||||
|
|
||||||
|
# No access without token
|
||||||
|
resp = self.client.get(f'/api/user/{self.user.pk}/')
|
||||||
|
self.assertEqual(resp.status_code, 403)
|
||||||
|
|
||||||
|
# Valid token but user has no membership, so the query is not returning the user object
|
||||||
|
resp = self.client.get(f'/api/user/{self.user.pk}/', **{'Authorization': f'Bearer {token.token}'})
|
||||||
|
self.assertEqual(resp.status_code, 404)
|
||||||
|
|
||||||
|
# Create membership to validate permissions
|
||||||
|
NoteUser.objects.create(user=self.user)
|
||||||
|
membership = Membership.objects.create(user=self.user, club_id=bde.pk)
|
||||||
|
membership.roles.add(Role.objects.get(name="Adhérent BDE"))
|
||||||
|
membership.save()
|
||||||
|
|
||||||
|
# User is now a member and can now see its own user detail
|
||||||
|
resp = self.client.get(f'/api/user/{self.user.pk}/', **{'Authorization': f'Bearer {token.token}'})
|
||||||
|
self.assertEqual(resp.status_code, 200)
|
||||||
|
|
||||||
|
# Token is not granted to see profile detail
|
||||||
|
resp = self.client.get(f'/api/members/profile/{self.user.profile.pk}/',
|
||||||
|
**{'Authorization': f'Bearer {token.token}'})
|
||||||
|
self.assertEqual(resp.status_code, 404)
|
||||||
|
|
||||||
|
def test_scopes(self):
|
||||||
|
"""
|
||||||
|
Ensure that the scopes page is loading.
|
||||||
|
"""
|
||||||
|
self.client.force_login(self.user)
|
||||||
|
|
||||||
|
resp = self.client.get(reverse('permission:scopes'))
|
||||||
|
self.assertEqual(resp.status_code, 200)
|
||||||
|
self.assertIn(self.application, resp.context['scopes'])
|
||||||
|
self.assertNotIn('1_1', resp.context['scopes'][self.application]) # The user has not this permission
|
||||||
|
|
||||||
|
# Create membership to validate permissions
|
||||||
|
bde = Club.objects.get(name="BDE")
|
||||||
|
NoteUser.objects.create(user=self.user)
|
||||||
|
membership = Membership.objects.create(user=self.user, club_id=bde.pk)
|
||||||
|
membership.roles.add(Role.objects.get(name="Adhérent BDE"))
|
||||||
|
membership.save()
|
||||||
|
|
||||||
|
resp = self.client.get(reverse('permission:scopes'))
|
||||||
|
self.assertEqual(resp.status_code, 200)
|
||||||
|
self.assertIn(self.application, resp.context['scopes'])
|
||||||
|
self.assertIn('1_1', resp.context['scopes'][self.application]) # Now the user has this permission
|
Loading…
Reference in New Issue