| author | Simon Descarpentries <sid@sopinspace.com> |
| Thu, 13 Mar 2014 18:19:43 +0100 | |
| changeset 613 | a0b695aace0a |
| parent 606 | 52f3e090eed9 |
| child 608 | 047aab3a53cf |
| permissions | -rw-r--r-- |
from django.test import TestCase from django.test.client import Client from django.core import management from django.core.cache import cache from cm.models import * from cm.security import * from cm.tests.test_comment_positioning import create_comment class FalseRequest(object): def __init__(self, user): self.user = user class SecurityTest(TestCase): fixtures = ['initial_data', 'roles_generic','test_content'] def test_access_rights(self): # anon user sees no text request = FalseRequest(None) self.assertEqual(get_texts_with_perm(request, 'can_view_text').count(), 2) # user 1 sees all texts user1 = UserProfile.objects.get(id=1).user request = FalseRequest(user1) self.assertEqual(get_texts_with_perm(request, 'can_view_text').count(), 5) # user 2 sees only 4 texts user2 = UserProfile.objects.get(id=2).user request = FalseRequest(user2) self.assertEqual(get_texts_with_perm(request, 'can_view_text').count(), 4) # user 4 manages only 2 texts (global manager but commentator on text 4 user4 = UserProfile.objects.get(id=4).user request = FalseRequest(user4) self.assertEqual(get_texts_with_perm(request, 'can_manage_text').count(), 2) def test_moderation_tricks_a_priori(self): # text a priori moderated # a new comment is unapproved -> owner can edit -> gets approved -> owner cannot edit it (unless moderator) user2 = UserProfile.objects.get(id=2).user user3 = UserProfile.objects.get(id=3).user text2 = Text.objects.get(id=2) # user 3 is Commentator on text 2 (a priori mod) # user 2 is Editor on text 2 (a priori mod) c2 = create_comment(user=user2) self.assertTrue(has_own_perm(FalseRequest(user2), "can_edit_comment" + "_own", text2, c2),'can edit own comment') c3 = create_comment(user=user3) self.assertTrue(has_own_perm(FalseRequest(user3), "can_edit_comment" + "_own", text2, c3),'can edit own comment') c2.state = 'approved' c2.save() c3.state = 'approved' c3.save() cache.clear() self.assertFalse(has_own_perm(FalseRequest(user3), "can_edit_comment" + "_own", text2, c3),'CANNOT edit own comment (there is a reply)') self.assertTrue(has_own_perm(FalseRequest(user2), "can_edit_comment" + "_own", text2, c2),"CAN edit own comment (is moderator)") self.assertTrue(has_perm(FalseRequest(user2), "can_edit_comment", text2),"CAN edit other comment (is moderator)") def test_moderation_tricks_a_posteriori(self): # text a posteriori moderated # a new comment is approved -> owner can edit -> get a reply -> owner cannot edit it (unless moderator) user2 = UserProfile.objects.get(id=2).user user3 = UserProfile.objects.get(id=3).user text2 = Text.objects.get(id=2) text2.last_text_version.mod_posteriori = True text2.last_text_version.save() # user 3 is Commentator on text 2 (a priori mod) # user 2 is Editor on text 2 (a priori mod) c3 = create_comment(user=user3, state='approved') self.assertTrue(has_own_perm(FalseRequest(user3), "can_edit_comment" + "_own", text2, c3),'CAN edit own comment (there is NO reply)') # create a reply c2 = create_comment(user=user3, reply_to=c3, state='approved') self.assertFalse(has_own_perm(FalseRequest(user3), "can_edit_comment" + "_own", text2, c3),'CANNOT edit own comment (there is a reply)') self.assertTrue(has_perm(FalseRequest(user2), "can_edit_comment", text2),"CAN edit other's comment (moderator)")