Commit 4ef4657b authored by Thibaud Duquennoy's avatar Thibaud Duquennoy

bugfix: Permission issue - AnonymousReadOnly(#98)

bugfix: Permission issue - AnonymousReadOnly(#98)
parent 854ef513
1 merge request!35bugfix: Permission issue - AnonymousReadOnly(#98)
Pipeline #803 passed
...@@ -81,13 +81,15 @@ class AnonymousReadOnly(WACPermissions): ...@@ -81,13 +81,15 @@ class AnonymousReadOnly(WACPermissions):
def has_permission(self, request, view): def has_permission(self, request, view):
if view.action in ['list', 'retrieve']: if view.action in ['list', 'retrieve']:
return True return True
elif view.action == 'create' and request.user.is_authenticated():
return True
else: else:
return super().has_permission(request, view) return super().has_permission(request, view)
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
if view.action == "create" and request.user.is_authenticated(): if view.action == "create" and request.user.is_authenticated():
return True return True
elif view.action == "retrieve": elif view.action == ["list", "retrieve"]:
return True return True
elif view.action in ['update', 'partial_update', 'destroy']: elif view.action in ['update', 'partial_update', 'destroy']:
if hasattr(obj._meta, 'auto_author'): if hasattr(obj._meta, 'auto_author'):
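Review bot: In `has_object_permission`, the new condition `elif view.action == ["list", "retrieve"]:` compares the action string to a list with `==`, which is never true, so the branch that used to allow `retrieve` is now dead and those requests fall through to the branches below, which continue outside the visible hunk. The intended check is presumably `elif view.action in ["list", "retrieve"]:`, matching the `in` test already used in `has_permission`. Separately, both methods call `request.user.is_authenticated()`; if the project targets Django 2.0 or later, where `is_authenticated` is a plain boolean property, the call raises a `TypeError` and should be written `request.user.is_authenticated`.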
......
from django.contrib.auth.models import AnonymousUser from django.contrib.auth.models import AnonymousUser
from django.test import TestCase, RequestFactory from django.test import TestCase
from rest_framework.test import APIRequestFactory
from guardian.shortcuts import get_anonymous_user from guardian.shortcuts import get_anonymous_user
...@@ -7,49 +8,45 @@ from djangoldp.permissions import AnonymousReadOnly ...@@ -7,49 +8,45 @@ from djangoldp.permissions import AnonymousReadOnly
from djangoldp.tests.models import JobOffer from djangoldp.tests.models import JobOffer
from djangoldp.views import LDPViewSet from djangoldp.views import LDPViewSet
import json
class TestAnonymousUserPermissions(TestCase): class TestAnonymousUserPermissions(TestCase):
def setUp(self): def setUp(self):
self.factory = RequestFactory() self.factory = APIRequestFactory()
self.user = get_anonymous_user() self.user = get_anonymous_user()
self.job = JobOffer.objects.create(title="job") self.job = JobOffer.objects.create(title="job")
def test_get_request_with_anonymousUser(self): def test_get_request_for_anonymousUser(self):
request = self.factory.get("/job-offers/") request = self.factory.get("/job-offers/")
request.user = self.user request.user = self.user
my_view = LDPViewSet.as_view({'get': 'list'}, my_view = LDPViewSet.as_view({'get': 'list'},
model=JobOffer, model=JobOffer,
nested_fields=["skills"], nested_fields=["skills"],
permission_classes=(AnonymousReadOnly,)) permission_classes=[AnonymousReadOnly])
response = my_view(request) response = my_view(request)
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
def test_post_request_with_anonymousUser(self): def test_post_request_for_anonymousUser(self):
request = self.factory.post("/job-offers/") data = {'title': 'new idea'}
request.user = self.user request = self.factory.post('/job-offers/', json.dumps(data), content_type='application/ld+json')
my_view = LDPViewSet.as_view({'post': 'create'}, my_view = LDPViewSet.as_view({'post': 'create'}, model=JobOffer, nested_fields=["skills"], permission_classes=[AnonymousReadOnly])
model=JobOffer, response = my_view(request, pk=1)
nested_fields=["skills"],
permission_classes=(AnonymousReadOnly,))
response = my_view(request)
self.assertEqual(response.status_code, 403) self.assertEqual(response.status_code, 403)
def test_put_request_with_anonymousUser(self): def test_put_request_for_anonymousUser(self):
request = self.factory.put("/job-offers/") request = self.factory.put("/job-offers/")
request.user = self.user
my_view = LDPViewSet.as_view({'put': 'update'}, my_view = LDPViewSet.as_view({'put': 'update'},
model=JobOffer, model=JobOffer,
nested_fields=["skills"], nested_fields=["skills"],
permission_classes=(AnonymousReadOnly,)) permission_classes=[AnonymousReadOnly])
response = my_view(request, pk=self.job.pk) response = my_view(request, pk=self.job.pk)
self.assertEqual(response.status_code, 403) self.assertEqual(response.status_code, 403)
def test_patch_request_with_anonymousUser(self): def test_patch_request_for_anonymousUser(self):
request = self.factory.patch("/job-offers/") request = self.factory.patch("/job-offers/")
request.user = self.user
my_view = LDPViewSet.as_view({'patch': 'partial_update'}, my_view = LDPViewSet.as_view({'patch': 'partial_update'},
model=JobOffer, model=JobOffer,
nested_fields=["skills"], nested_fields=["skills"],
permission_classes=(AnonymousReadOnly,)) permission_classes=[AnonymousReadOnly])
response = my_view(request, pk=self.job.pk) response = my_view(request, pk=self.job.pk)
self.assertEqual(response.status_code, 403) self.assertEqual(response.status_code, 403)
\ No newline at end of file
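Review bot: None of these tests exercises the `retrieve` action for an anonymous user, which is the object-level branch this commit edits in `AnonymousReadOnly.has_object_permission`. A case built with `LDPViewSet.as_view({'get': 'retrieve'}, model=JobOffer, permission_classes=[AnonymousReadOnly])`, called with `pk=self.job.pk` and asserting the expected read status, would pin the read-only contract. The POST, PUT and PATCH tests also appear to drop `request.user = self.user`, so they rely on the framework's default unauthenticated user rather than the guardian anonymous user created in `setUp`; keeping the assignment, or adding a comment that the omission is deliberate, makes the tested identity explicit. In the POST test, `my_view(request, pk=1)` passes a primary key to a create route, which looks unnecessary.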
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.test import TestCase, RequestFactory from rest_framework.test import APIRequestFactory, APIClient, APITestCase
from djangoldp.permissions import AnonymousReadOnly from djangoldp.permissions import AnonymousReadOnly
from djangoldp.tests.models import JobOffer from .models import JobOffer
from djangoldp.views import LDPViewSet from djangoldp.views import LDPViewSet
import json
class TestUserPermissions(APITestCase):
class TestUserPermissions(TestCase):
def setUp(self): def setUp(self):
self.factory = RequestFactory() self.factory = APIRequestFactory()
self.client = APIClient()
self.user = User.objects.create_user(username='john', email='jlennon@beatles.com', password='glass onion') self.user = User.objects.create_user(username='john', email='jlennon@beatles.com', password='glass onion')
self.job = JobOffer.objects.create(title="job") self.job = JobOffer.objects.create(title="job")
def tearDown(self): def tearDown(self):
self.user.delete() self.user.delete()
def test_get_with_user(self): def test_get_for_authenticated_user(self):
request = self.factory.get('/job-offers/') request = self.factory.get('/job-offers/')
request.user = self.user request.user = self.user
my_view = LDPViewSet.as_view({'get': 'list'}, model=JobOffer, nested_fields=["skills"], my_view = LDPViewSet.as_view({'get': 'list'}, model=JobOffer, permission_classes=[AnonymousReadOnly])
permission_classes=[AnonymousReadOnly])
response = my_view(request)
self.assertEqual(response.status_code, 200)
def test_post_request_with_user(self):
request = self.factory.options('/job-offers/')
request.user = self.user
my_view = LDPViewSet.as_view({'post': 'create'}, model=JobOffer, nested_fields=["skills"],
permission_classes=[AnonymousReadOnly])
response = my_view(request) response = my_view(request)
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
def test_put_request_with_user(self): def test_post_request_for_authenticated_user(self):
request = self.factory.options('/job-offers/' + str(self.job.pk) + "/") data = {'title': 'new idea'}
request.user = self.user request = self.factory.post('/job-offers/', json.dumps(data), content_type='application/ld+json')
my_view = LDPViewSet.as_view({'put': 'update'}, model=JobOffer, nested_fields=["skills"],
permission_classes=[AnonymousReadOnly])
response = my_view(request, pk=self.job.pk)
self.assertEqual(response.status_code, 200)
def test_request_patch_with_user(self):
request = self.factory.options('/job-offers/' + str(self.job.pk) + "/")
request.user = self.user request.user = self.user
my_view = LDPViewSet.as_view({'patch': 'partial_update'}, model=JobOffer, nested_fields=["skills"]) my_view = LDPViewSet.as_view({'post': 'create'}, model=JobOffer, nested_fields=["skills"], permission_classes=[AnonymousReadOnly])
response = my_view(request, pk=self.job.pk) response = my_view(request, pk=1)
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 201)
\ No newline at end of file
# def test_put_request_for_authenticated_user(self):
# data = {'title':"job_updated"}
# request = self.factory.put('/job-offers/' + str(self.job.pk) + "/", data)
# request.user = self.user
# my_view = LDPViewSet.as_view({'put': 'update'}, model=JobOffer, permission_classes=[AnonymousReadOnly])
# response = my_view(request, pk=self.job.pk)
# self.assertEqual(response.status_code, 200)
#
# def test_request_patch_for_authenticated_user(self):
# request = self.factory.patch('/job-offers/' + str(self.job.pk) + "/")
# request.user = self.user
# my_view = LDPViewSet.as_view({'patch': 'partial_update'}, model=JobOffer, permission_classes=[AnonymousReadOnly])
# response = my_view(request, pk=self.job.pk)
# self.assertEqual(response.status_code, 200)
\ No newline at end of file
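Review bot: The update and partial-update tests for an authenticated user are left commented out, so the `update`/`partial_update`/`destroy` branch of `has_object_permission`, the one that consults `auto_author` on the object, has no test after this change. Re-enable them with an explicit expected status for an owner and for a non-owner, or delete them and track the gap in an issue, rather than keeping commented code. `self.client = APIClient()` in `setUp` is unused in the visible tests, and `APITestCase` already provides an `APIClient` as `self.client`. For requests built with `APIRequestFactory`, `force_authenticate(request, user=self.user)` from `rest_framework.test` is the documented way to attach the user instead of assigning `request.user`.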