1 from django.test import TestCase |
2 from django.test.client import Client |
3 from django.core import management |
6 from cm.models import * |
7 from cm.security import * |
8 from cm.tests.test_comment_positioning import create_comment |
class FalseRequest(object):
    """Minimal request stand-in that exposes only a ``user`` attribute.

    The tests in this module pass it to the ``cm.security`` helpers in place
    of a full HTTP request object.
    """

    def __init__(self, user):
        # ``user`` may be None; the tests use that for the anonymous case.
        self.user = user
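class SecurityTest(TestCase):
    """Authorization regression tests for the ``cm.security`` helpers.

    Covers which texts a user can list for a given permission, and when a
    comment's author keeps the own-comment edit right under a priori and
    a posteriori moderation. User, role and text ids come from the
    ``roles_generic`` and ``test_content`` fixtures.
    """

    fixtures = ['roles_generic', 'test_content']

    def test_access_rights(self):
        """Check how many texts each user can list for a permission."""
        # anon user sees no text
        # NOTE(review): the anonymous case is modelled as request.user = None.
        # Django's auth middleware normally sets an AnonymousUser instance
        # rather than None -- confirm get_texts_with_perm denies that too.
        request = FalseRequest(None)
        self.assertEqual(get_texts_with_perm(request, 'can_view_text').count(), 0)

        # user 1 sees all texts
        user1 = UserProfile.objects.get(id=1).user
        request = FalseRequest(user1)
        self.assertEqual(get_texts_with_perm(request, 'can_view_text').count(), 3)

        # user 2 sees only 2 texts
        user2 = UserProfile.objects.get(id=2).user
        request = FalseRequest(user2)
        self.assertEqual(get_texts_with_perm(request, 'can_view_text').count(), 2)

        # user 4 sees only 2 texts (global manager but commentator on text 4)
        user4 = UserProfile.objects.get(id=4).user
        request = FalseRequest(user4)
        self.assertEqual(get_texts_with_perm(request, 'can_manage_text').count(), 2)

    def test_moderation_tricks_a_priori(self):
        """Own-comment edit right is lost on approval unless the owner moderates."""
        # text a priori moderated
        # a new comment is unapproved -> owner can edit -> gets approved
        # -> owner cannot edit it (unless moderator)
        user2 = UserProfile.objects.get(id=2).user
        user3 = UserProfile.objects.get(id=3).user
        text2 = Text.objects.get(id=2)

        # Same permission string the assertions below always passed.
        edit_own = "can_edit_comment" + "_own"

        # user 3 is Commentator on text 2 (a priori mod)
        # user 2 is Editor on text 2 (a priori mod)
        # NOTE(review): create_comment comes from another test module; which
        # text the new comment is attached to is not visible here -- confirm
        # it is text 2, otherwise these checks pair a comment with the wrong text.
        c2 = create_comment(user=user2)
        self.assertTrue(has_own_perm(FalseRequest(user2), edit_own, text2, c2), 'can edit own comment')

        c3 = create_comment(user=user3)
        self.assertTrue(has_own_perm(FalseRequest(user3), edit_own, text2, c3), 'can edit own comment')

        c2.state = 'approved'
        c2.save()
        c3.state = 'approved'
        c3.save()

        # No reply exists in this test: the right is lost because the comment
        # was approved, so the failure message says that (it used to claim
        # "there is a reply", copied from the a posteriori test).
        self.assertFalse(has_own_perm(FalseRequest(user3), edit_own, text2, c3), 'CANNOT edit own comment (it is approved)')
        self.assertTrue(has_own_perm(FalseRequest(user2), edit_own, text2, c2), "CAN edit own comment (is moderator)")
        self.assertTrue(has_perm(FalseRequest(user2), "can_edit_comment", text2), "CAN edit other comment (is moderator)")
        # NOTE(review): there is no negative assertion that the Commentator
        # (user 3) lacks the general can_edit_comment permission on text 2;
        # consider adding one once the fixture roles are confirmed.

    def test_moderation_tricks_a_posteriori(self):
        """Own-comment edit right is lost once the comment has a reply."""
        # text a posteriori moderated
        # a new comment is approved -> owner can edit -> get a reply
        # -> owner cannot edit it (unless moderator)
        user2 = UserProfile.objects.get(id=2).user
        user3 = UserProfile.objects.get(id=3).user
        text2 = Text.objects.get(id=2)

        # Bind the version once so the object that is modified is the object
        # that is saved, however last_text_version is implemented.
        version = text2.last_text_version
        version.mod_posteriori = True
        version.save()

        edit_own = "can_edit_comment" + "_own"

        # user 3 is Commentator on text 2 (switched to a posteriori mod above)
        # user 2 is Editor on text 2 (switched to a posteriori mod above)
        c3 = create_comment(user=user3, state='approved')
        self.assertTrue(has_own_perm(FalseRequest(user3), edit_own, text2, c3), 'CAN edit own comment (there is NO reply)')

        # create a reply (posted by user 3 too; only its existence matters here)
        create_comment(user=user3, reply_to=c3, state='approved')

        self.assertFalse(has_own_perm(FalseRequest(user3), edit_own, text2, c3), 'CANNOT edit own comment (there is a reply)')
        self.assertTrue(has_perm(FalseRequest(user2), "can_edit_comment", text2), "CAN edit other's comment (moderator)")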