import json
from flask import current_app as Response
from app import models as m
from tests.utils import (
login,
logout,
create_book,
create_collection,
create_section,
create_interpretation,
create_comment,
create_sub_collection,
)
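def test_editor_permissions_entire_and_local(client):
    """Check an EDITOR contributor's rights book-wide, then limited to collections.

    Phase 1: a user added with the EDITOR role is expected to reach the
    settings page, edit the book, and create/edit/delete collections,
    sections, interpretations and comments, but not to delete the book.

    Phase 2: after the default test user posts a collection list to
    /permission/set for that editor, the editor is expected to be refused
    everywhere except inside the listed collections (sub-collections created
    there included).

    A refusal is recognised only by the text "You do not have permission" in
    the body returned after redirects. Most "allowed" checks are therefore
    paired with a success marker, because a bare ``not in`` would also pass if
    the wording of the refusal changed; the first settings-page check has no
    such pairing and is the weaker one.
    """
    denied = b"You do not have permission"

    login(client)
    book = create_book(client)

    editor = m.User(username="editor", password="editor").save()
    response = client.post(
        f"/book/{book.id}/add_contributor",
        data=dict(user_id=editor.id, role=m.BookContributor.Roles.EDITOR),
        follow_redirects=True,
    )
    assert response.status_code == 200
    assert b"Contributor was added!" in response.data
    logout(client)

    login(client, "editor", "editor")

    # --- Phase 1: EDITOR role on the whole book ---------------------------

    # access to settings page
    response = client.get(f"/book/{book.id}/settings", follow_redirects=True)
    assert denied not in response.data

    # access to edit book
    response = client.post(
        f"/book/{book.id}/edit",
        data=dict(book_id=book.id, label="BookEdited"),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success!" in response.data

    # no access to delete the book
    # NOTE(review): the refusal checks in this test look only at the response
    # text; none re-reads the target object to confirm it was left unchanged.
    response = client.post(
        f"/book/{book.id}/delete",
        data=dict(book_id=book.id),
        follow_redirects=True,
    )
    assert denied in response.data

    # access to create collection
    collection, response = create_collection(client, book.id)
    assert denied not in response.data
    assert b"Success!" in response.data

    # access to edit collection
    response = client.post(
        f"/book/{book.id}/{collection.id}/edit",
        data=dict(label="NewLabel"),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success!" in response.data

    # access to delete collection
    response = client.post(
        f"/book/{book.id}/{collection.id}/delete", follow_redirects=True
    )
    assert denied not in response.data
    assert b"Success!" in response.data

    # restore collection so the following steps can nest under it
    collection.is_deleted = False
    collection.save()

    # access to create section
    section, response = create_section(client, book.id, collection.id)
    assert denied not in response.data
    assert b"Success!" in response.data

    # access to edit section
    response = client.post(
        f"/book/{book.id}/{section.id}/edit_section",
        data=dict(section_id=section.id, label="NewLabel"),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success!" in response.data

    # access to delete section
    response = client.post(
        f"/book/{book.id}/{section.id}/delete_section", follow_redirects=True
    )
    assert denied not in response.data
    assert b"Success!" in response.data

    # restore section
    section.is_deleted = False
    section.save()

    # access to create interpretation
    interpretation, response = create_interpretation(client, book.id, section.id)
    assert denied not in response.data
    assert b"Success!" in response.data

    # access to approve interpretation
    response = client.post(
        f"/approve/interpretation/{interpretation.id}",
        follow_redirects=True,
    )

    # NOTE(review): `assert response` only tests the response object's
    # truthiness; the JSON assertions below carry the actual check.
    assert response
    assert response.json["message"] == "success"
    assert response.json["approve"]
    assert interpretation.approved

    # access to delete interpretation
    response = client.post(
        f"/book/{book.id}/{interpretation.id}/delete_interpretation",
        data=dict(interpretation_id=interpretation.id),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success!" in response.data

    # restore interpretation
    interpretation.is_deleted = False
    interpretation.save()

    # access to create comment
    comment, response = create_comment(client, book.id, interpretation.id)
    assert denied not in response.data
    assert b"Success!" in response.data

    # access to approve comment
    response = client.post(
        f"/approve/comment/{comment.id}",
        follow_redirects=True,
    )

    assert response
    assert response.json["message"] == "success"
    assert response.json["approve"]
    # Check the comment itself: the interpretation was already approved above,
    # so asserting on it here would pass even if the comment approval failed.
    # NOTE(review): relies on the in-memory object reflecting the stored
    # state, as the interpretation check above does - confirm.
    assert comment.approved

    # access to delete comment
    response = client.post(
        f"/book/{book.id}/{interpretation.id}/comment_delete",
        data=dict(
            text=comment.text,
            interpretation_id=interpretation.id,
            comment_id=comment.id,
        ),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success!" in response.data

    # --- Phase 2: permissions limited to collection_1 ---------------------

    # set local permissions (done by the default test user)
    logout(client)
    login(client)

    collection_1, response = create_collection(client, book.id)
    assert denied not in response.data
    assert b"Success!" in response.data
    collection_2, response = create_collection(client, book.id)
    assert denied not in response.data
    assert b"Success!" in response.data

    json_string = json.dumps({"collection": [collection_1.id]})
    response = client.post(
        "/permission/set",
        data=dict(
            book_id=book.id,
            user_id=editor.id,
            permissions=json_string,
        ),
        follow_redirects=True,
    )
    assert b"Success!" in response.data
    logout(client)

    login(client, "editor", "editor")

    # settings page is now refused
    response = client.get(f"/book/{book.id}/settings", follow_redirects=True)
    assert denied in response.data

    # editing the book is now refused
    response = client.post(
        f"/book/{book.id}/edit",
        data=dict(book_id=book.id, label="BookEdited"),
        follow_redirects=True,
    )
    assert denied in response.data

    # deleting the book is still refused
    response = client.post(
        f"/book/{book.id}/delete",
        data=dict(book_id=book.id),
        follow_redirects=True,
    )
    assert denied in response.data

    # creating a top-level collection is refused
    _, response = create_collection(client, book.id)
    assert denied in response.data

    # editing collections outside the granted list is refused
    response = client.post(
        f"/book/{book.id}/{collection.id}/edit",
        data=dict(label="NewLabel"),
        follow_redirects=True,
    )
    assert denied in response.data
    response = client.post(
        f"/book/{book.id}/{collection_2.id}/edit",
        data=dict(label="NewLabel"),
        follow_redirects=True,
    )
    assert denied in response.data

    # editing the granted collection is allowed
    response = client.post(
        f"/book/{book.id}/{collection_1.id}/edit",
        data=dict(label="NewLabel-LocalPermission"),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success" in response.data

    # sub-collections: refused under collection_2, allowed under collection_1
    _, response = create_sub_collection(client, book.id, collection_2.id)
    assert denied in response.data
    sub_collection, response = create_sub_collection(client, book.id, collection_1.id)
    assert denied not in response.data
    assert b"Success" in response.data

    response = client.post(
        f"/book/{book.id}/{sub_collection.id}/edit",
        data=dict(label="NewSubLabel-LocalPermission"),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success" in response.data

    # --- Phase 3: widen the grant to collection_2 and the sub-collection --

    logout(client)
    login(client)
    json_string = json.dumps(
        {"collection": [collection_1.id, collection_2.id, sub_collection.id]}
    )
    response = client.post(
        "/permission/set",
        data=dict(
            book_id=book.id,
            user_id=editor.id,
            permissions=json_string,
        ),
        follow_redirects=True,
    )
    assert b"Success!" in response.data
    logout(client)
    login(client, "editor", "editor")

    response = client.post(
        f"/book/{book.id}/{sub_collection.id}/delete",
        follow_redirects=True,
    )
    assert response.status_code == 200
    assert b"Success!" in response.data
    assert sub_collection.is_deleted

    # collection_2 was refused before the grant was widened
    response = client.post(
        f"/book/{book.id}/{collection_2.id}/edit",
        data=dict(label="NewSLabel"),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success" in response.data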
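def test_moderator_access_to_entire_book(client):
    """Check a MODERATOR contributor's rights book-wide, then limited locally.

    Phase 1: a user added with the MODERATOR role is expected to be refused
    the settings page and book edit/delete, yet allowed to create, approve and
    delete interpretations and comments.

    Phase 2: after the default test user posts collection_1 and section_1 to
    /permission/set for that moderator, approval is expected to work inside
    section_1 and to be refused inside section_2, while creating and deleting
    the interpretation and comment the moderator just made there is still
    expected to succeed.

    A refusal is recognised only by the text "You do not have permission" in
    the body returned after redirects.
    """
    denied = b"You do not have permission"

    login(client)
    book = create_book(client)

    moderator = m.User(username="moderator", password="moderator").save()
    response = client.post(
        f"/book/{book.id}/add_contributor",
        data=dict(user_id=moderator.id, role=m.BookContributor.Roles.MODERATOR),
        follow_redirects=True,
    )
    assert response.status_code == 200
    assert b"Contributor was added!" in response.data

    logout(client)
    login(client, "moderator", "moderator")

    # --- Phase 1: MODERATOR role on the whole book ------------------------

    # settings page is refused
    response = client.get(f"/book/{book.id}/settings", follow_redirects=True)
    assert denied in response.data

    # editing the book is refused
    response = client.post(
        f"/book/{book.id}/edit",
        data=dict(book_id=book.id, label="BookEdited"),
        follow_redirects=True,
    )
    assert denied in response.data

    # deleting the book is refused
    response = client.post(
        f"/book/{book.id}/delete",
        data=dict(book_id=book.id),
        follow_redirects=True,
    )
    assert denied in response.data

    # the default test user prepares a collection and section to work in
    logout(client)
    login(client)
    collection, response = create_collection(client, book.id)
    section, response = create_section(client, book.id, collection.id)
    # End the preparing session explicitly before switching identity, so the
    # "allowed" checks below cannot pass on a session left over from it.
    logout(client)
    login(client, "moderator", "moderator")

    # access to create interpretation
    interpretation, response = create_interpretation(client, book.id, section.id)
    assert denied not in response.data
    assert b"Success!" in response.data

    # access to approve interpretation
    response = client.post(
        f"/approve/interpretation/{interpretation.id}",
        follow_redirects=True,
    )

    # NOTE(review): `assert response` only tests the response object's
    # truthiness; the JSON assertions below carry the actual check.
    assert response
    assert response.json["message"] == "success"
    assert response.json["approve"]
    assert interpretation.approved

    # access to delete interpretation
    response = client.post(
        f"/book/{book.id}/{interpretation.id}/delete_interpretation",
        data=dict(interpretation_id=interpretation.id),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success!" in response.data

    # restore interpretation
    interpretation.is_deleted = False
    interpretation.save()

    # access to create comment
    comment, response = create_comment(client, book.id, interpretation.id)
    assert denied not in response.data
    assert b"Success!" in response.data

    # access to approve comment
    response = client.post(
        f"/approve/comment/{comment.id}",
        follow_redirects=True,
    )

    assert response
    assert response.json["message"] == "success"
    assert response.json["approve"]
    # Check the comment itself: the interpretation was already approved above.
    # NOTE(review): relies on the in-memory object reflecting the stored
    # state, as the interpretation check above does - confirm.
    assert comment.approved

    # access to delete comment
    response = client.post(
        f"/book/{book.id}/{interpretation.id}/comment_delete",
        data=dict(
            text=comment.text,
            interpretation_id=interpretation.id,
            comment_id=comment.id,
        ),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success!" in response.data

    # --- Phase 2: permissions limited to collection_1 / section_1 ---------

    # set local permissions (done by the default test user)
    logout(client)
    login(client)

    collection_1, response = create_collection(client, book.id)
    assert denied not in response.data
    assert b"Success!" in response.data
    section_1, response = create_section(client, book.id, collection_1.id)
    assert denied not in response.data
    assert b"Success!" in response.data
    collection_2, response = create_collection(client, book.id)
    assert denied not in response.data
    assert b"Success!" in response.data
    section_2, response = create_section(client, book.id, collection_2.id)
    assert denied not in response.data
    assert b"Success!" in response.data

    json_string = json.dumps(
        {"collection": [collection_1.id], "section": [section_1.id]}
    )
    response = client.post(
        "/permission/set",
        data=dict(
            book_id=book.id,
            user_id=moderator.id,
            permissions=json_string,
        ),
        follow_redirects=True,
    )
    assert b"Success!" in response.data
    logout(client)
    login(client, "moderator", "moderator")

    # -- inside the granted section (section_1): everything is allowed -----

    # access to create interpretation
    interpretation_1, response = create_interpretation(client, book.id, section_1.id)
    assert denied not in response.data
    assert b"Success!" in response.data

    # access to approve interpretation
    response = client.post(
        f"/approve/interpretation/{interpretation_1.id}",
        follow_redirects=True,
    )

    assert response
    assert response.json["message"] == "success"
    assert response.json["approve"]
    assert interpretation_1.approved

    # access to delete interpretation
    response = client.post(
        f"/book/{book.id}/{interpretation_1.id}/delete_interpretation",
        data=dict(interpretation_id=interpretation_1.id),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success!" in response.data

    # restore interpretation
    interpretation_1.is_deleted = False
    interpretation_1.save()

    # access to create comment
    comment, response = create_comment(client, book.id, interpretation_1.id)
    assert denied not in response.data
    assert b"Success!" in response.data

    # access to approve comment
    response = client.post(
        f"/approve/comment/{comment.id}",
        follow_redirects=True,
    )

    assert response
    assert response.json["message"] == "success"
    assert response.json["approve"]
    # Check the comment itself: interpretation_1 was already approved above.
    assert comment.approved

    # access to delete comment
    # The form field is `interpretation_id`, matching the whole-book request
    # earlier in this test.
    response = client.post(
        f"/book/{book.id}/{interpretation_1.id}/comment_delete",
        data=dict(
            text=comment.text,
            interpretation_id=interpretation_1.id,
            comment_id=comment.id,
        ),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success!" in response.data

    # -- outside the grant (section_2): approval is refused ----------------

    # creating an interpretation is still allowed
    interpretation_2, response = create_interpretation(client, book.id, section_2.id)
    assert denied not in response.data
    assert b"Success!" in response.data

    # approving it is refused, and the stored flag must stay unset
    response = client.post(
        f"/approve/interpretation/{interpretation_2.id}",
        follow_redirects=True,
    )
    assert response
    assert denied in response.data
    assert not interpretation_2.approved

    # deleting the interpretation the moderator just created is allowed
    response = client.post(
        f"/book/{book.id}/{interpretation_2.id}/delete_interpretation",
        data=dict(interpretation_id=interpretation_2.id),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success!" in response.data

    # restore interpretation
    interpretation_2.is_deleted = False
    interpretation_2.save()

    # creating a comment is still allowed
    comment, response = create_comment(client, book.id, interpretation_2.id)
    assert denied not in response.data
    assert b"Success!" in response.data

    # approving it is refused, and the stored flag must stay unset
    response = client.post(
        f"/approve/comment/{comment.id}",
        follow_redirects=True,
    )
    assert response
    assert denied in response.data
    assert not comment.approved

    # deleting the comment the moderator just created is allowed
    response = client.post(
        f"/book/{book.id}/{interpretation_2.id}/comment_delete",
        data=dict(
            text=comment.text,
            interpretation_id=interpretation_2.id,
            comment_id=comment.id,
        ),
        follow_redirects=True,
    )
    assert denied not in response.data
    assert b"Success!" in response.data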
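def test_editor_access_tree_entire_book(client):
    """Check the access tree reported for an EDITOR added to a whole book.

    The default test user creates a book with two collections, adds an EDITOR
    contributor, and (still in that same session) requests
    /permission/access_tree for the editor. The returned tree is expected to
    list the book id under "book" and both collection ids under "collection".
    """
    login(client)
    book = create_book(client)
    collection_1, _ = create_collection(client, book.id)
    collection_2, _ = create_collection(client, book.id)

    editor = m.User(username="editor", password="editor").save()
    response = client.post(
        f"/book/{book.id}/add_contributor",
        data=dict(user_id=editor.id, role=m.BookContributor.Roles.EDITOR),
        follow_redirects=True,
    )
    assert response.status_code == 200
    assert b"Contributor was added!" in response.data

    response = client.get(
        f"/permission/access_tree?user_id={editor.id}&book_id={book.id}",
        follow_redirects=True,
    )
    assert response.status_code == 200
    # Named `payload` rather than `json` so the module-level `json` import is
    # not shadowed inside this test.
    payload = response.json
    access_tree = payload.get("access_tree")
    assert access_tree
    assert book.id in access_tree.get("book")
    collections_ids = access_tree.get("collection")
    assert collections_ids
    assert collection_1.id in collections_ids
    assert collection_2.id in collections_ids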
def test_set_access_level(client):
    """Check how /permission/set affects a book's access groups.

    Adding an EDITOR contributor is expected to leave the book with two access
    groups. Posting a collection list for that editor is expected to bring the
    count to three. Posting again without a ``permissions`` field is expected
    to return 200 but not the "Success!" marker.
    """
    login(client)
    book = create_book(client)
    collection_1, _ = create_collection(client, book.id)

    editor = m.User(username="editor", password="editor").save()

    # Add the editor as a contributor on the whole book.
    added = client.post(
        f"/book/{book.id}/add_contributor",
        data={"user_id": editor.id, "role": m.BookContributor.Roles.EDITOR},
        follow_redirects=True,
    )
    assert added.status_code == 200
    assert b"Contributor was added!" in added.data
    assert len(book.list_access_groups) == 2

    # Narrow the editor's permissions to a single collection.
    granted = client.post(
        "/permission/set",
        data={
            "book_id": book.id,
            "user_id": editor.id,
            "permissions": json.dumps({"collection": [collection_1.id]}),
        },
        follow_redirects=True,
    )
    assert granted.status_code == 200
    assert len(book.list_access_groups) == 3

    # The same request without `permissions` must not report success.
    incomplete = client.post(
        "/permission/set",
        data={"book_id": book.id, "user_id": editor.id},
        follow_redirects=True,
    )
    assert incomplete.status_code == 200
    assert b"Success!" not in incomplete.data