added tests to make sure users can only list process models and groups that they have access to

jasquat 2023-05-08 11:31:57 -04:00
parent 11952aaaa7
commit 6f59d2f828
1 changed files with 72 additions and 5 deletions


@ -702,7 +702,6 @@ class TestProcessApi(BaseTest):
with_db_and_bpmn_file_cleanup: None, with_db_and_bpmn_file_cleanup: None,
with_super_admin_user: UserModel, with_super_admin_user: UserModel,
) -> None: ) -> None:
"""Test_process_group_list."""
# add 5 groups # add 5 groups
for i in range(5): for i in range(5):
group_id = f"test_process_group_{i}" group_id = f"test_process_group_{i}"
@ -997,14 +996,13 @@ class TestProcessApi(BaseTest):
assert response.json is not None assert response.json is not None
assert "test_group/random_fact" == response.json["process_model_identifier"] assert "test_group/random_fact" == response.json["process_model_identifier"]
def test_get_process_groups_when_none( def test_process_group_list_when_none(
self, self,
app: Flask, app: Flask,
client: FlaskClient, client: FlaskClient,
with_db_and_bpmn_file_cleanup: None, with_db_and_bpmn_file_cleanup: None,
with_super_admin_user: UserModel, with_super_admin_user: UserModel,
) -> None: ) -> None:
"""Test_get_process_groups_when_none."""
response = client.get( response = client.get(
"/v1.0/process-groups", "/v1.0/process-groups",
headers=self.logged_in_headers(with_super_admin_user), headers=self.logged_in_headers(with_super_admin_user),
@ -1013,14 +1011,13 @@ class TestProcessApi(BaseTest):
assert response.json is not None assert response.json is not None
assert response.json["results"] == [] assert response.json["results"] == []
def test_get_process_groups_when_there_are_some( def test_process_group_list_when_there_are_some(
self, self,
app: Flask, app: Flask,
client: FlaskClient, client: FlaskClient,
with_db_and_bpmn_file_cleanup: None, with_db_and_bpmn_file_cleanup: None,
with_super_admin_user: UserModel, with_super_admin_user: UserModel,
) -> None: ) -> None:
"""Test_get_process_groups_when_there_are_some."""
self.create_group_and_model_with_bpmn(client, with_super_admin_user) self.create_group_and_model_with_bpmn(client, with_super_admin_user)
response = client.get( response = client.get(
"/v1.0/process-groups", "/v1.0/process-groups",
@ -1033,6 +1030,76 @@ class TestProcessApi(BaseTest):
assert response.json["pagination"]["total"] == 1 assert response.json["pagination"]["total"] == 1
assert response.json["pagination"]["pages"] == 1 assert response.json["pagination"]["pages"] == 1
def test_process_group_list_when_user_has_resticted_access(
self,
app: Flask,
client: FlaskClient,
with_db_and_bpmn_file_cleanup: None,
with_super_admin_user: UserModel,
) -> None:
self.create_group_and_model_with_bpmn(client, with_super_admin_user, process_group_id="admin_only", process_model_id='random_fact')
self.create_group_and_model_with_bpmn(client, with_super_admin_user, process_group_id="all_users", process_model_id='hello_world')
user_one = self.create_user_with_permission(username="user_one", target_uri='/v1.0/process-groups/all_users:*')
self.add_permissions_to_user(user=user_one, target_uri='/v1.0/process-groups', permission_names=['read'])
response = client.get(
"/v1.0/process-groups",
headers=self.logged_in_headers(with_super_admin_user),
)
assert response.status_code == 200
assert response.json is not None
assert len(response.json["results"]) == 2
assert response.json["pagination"]["count"] == 2
assert response.json["pagination"]["total"] == 2
assert response.json["pagination"]["pages"] == 1
response = client.get(
"/v1.0/process-groups",
headers=self.logged_in_headers(user_one),
)
assert response.status_code == 200
assert response.json is not None
assert len(response.json["results"]) == 1
assert response.json['results'][0]['id'] == 'all_users'
assert response.json["pagination"]["count"] == 1
assert response.json["pagination"]["total"] == 1
assert response.json["pagination"]["pages"] == 1
def test_process_model_list_when_user_has_resticted_access(
self,
app: Flask,
client: FlaskClient,
with_db_and_bpmn_file_cleanup: None,
with_super_admin_user: UserModel,
) -> None:
self.create_group_and_model_with_bpmn(client, with_super_admin_user, process_group_id="admin_only", process_model_id='random_fact')
self.create_group_and_model_with_bpmn(client, with_super_admin_user, process_group_id="all_users", process_model_id='hello_world')
user_one = self.create_user_with_permission(username="user_one", target_uri='/v1.0/process-models/all_users:*')
self.add_permissions_to_user(user=user_one, target_uri='/v1.0/process-models', permission_names=['read'])
response = client.get(
"/v1.0/process-models?recursive=true",
headers=self.logged_in_headers(with_super_admin_user),
)
assert response.status_code == 200
assert response.json is not None
assert len(response.json["results"]) == 2
assert response.json["pagination"]["count"] == 2
assert response.json["pagination"]["total"] == 2
assert response.json["pagination"]["pages"] == 1
response = client.get(
"/v1.0/process-models?recursive=true",
headers=self.logged_in_headers(user_one),
)
assert response.status_code == 200
assert response.json is not None
assert len(response.json["results"]) == 1
assert response.json['results'][0]['id'] == 'all_users/hello_world'
assert response.json["pagination"]["count"] == 1
assert response.json["pagination"]["total"] == 1
assert response.json["pagination"]["pages"] == 1
def test_get_process_group_when_found( def test_get_process_group_when_found(
self, self,
app: Flask, app: Flask,
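Review bot: Both new restricted-access tests (`test_process_group_list_when_user_has_resticted_access` and its process-model twin) only exercise a user who holds one allow grant, so nothing pins the deny-by-default case: a user who may call `/v1.0/process-groups` but has no grant on any group should get an empty `results` list and `pagination.total == 0`. Without that case, a filter that falls back to returning everything when the user's grant set is empty would still pass these tests. I would add a third request for such a user, as sketched below, and mirror it in the process-model test; the sketch assumes the helper's default permissions include read and that an empty list, not an error, is the intended response. Separately, `resticted` in both test names should read `restricted`.

```python
# … unchanged: setup, super-admin and user_one assertions …

# deny-by-default: may call the list endpoint but holds no grant on any group
user_two = self.create_user_with_permission(username="user_two", target_uri="/v1.0/process-groups")
response = client.get(
    "/v1.0/process-groups",
    headers=self.logged_in_headers(user_two),
)
assert response.status_code == 200
assert response.json is not None
assert response.json["results"] == []
assert response.json["pagination"]["total"] == 0
```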