avm/state-corp-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
state-corp-backend/tests/apps/core/test_permissions.py
Aleksandr Meshchriakov e9d7f24aaa
Some checks failed
CI/CD Pipeline / Run Tests (push) Failing after 0s
Details
CI/CD Pipeline / Code Quality Checks (push) Failing after 1m43s
Details
CI/CD Pipeline / Build Docker Images (push) Has been skipped
Details
CI/CD Pipeline / Push to Gitea Registry (push) Has been skipped
Details
first commit
2026-01-21 12:07:35 +01:00

253 lines
8.1 KiB
Python
Raw Permalink Blame History

"""Tests for core permissions"""
from apps.core.permissions import (
IsAdmin,
IsAdminOrReadOnly,
IsOwner,
IsOwnerOrAdmin,
IsOwnerOrReadOnly,
IsSuperuser,
IsVerified,
)
from django.contrib.auth import get_user_model
from django.test import RequestFactory, TestCase
from rest_framework.views import APIView
from tests.apps.user.factories import UserFactory
User = get_user_model()
class MockObject:
"""Mock object for testing ownership"""
def __init__(self, user=None, owner=None):
self.user = user
self.owner = owner
class IsOwnerTest(TestCase):
"""Tests for IsOwner permission"""
def setUp(self):
self.factory = RequestFactory()
self.permission = IsOwner()
self.user = UserFactory.create_user()
self.other_user = UserFactory.create_user()
def test_owner_has_permission(self):
"""Test owner has permission to object"""
request = self.factory.get("/")
request.user = self.user
obj = MockObject(user=self.user)
result = self.permission.has_object_permission(request, APIView(), obj)
self.assertTrue(result)
def test_non_owner_denied(self):
"""Test non-owner is denied"""
request = self.factory.get("/")
request.user = self.other_user
obj = MockObject(user=self.user)
result = self.permission.has_object_permission(request, APIView(), obj)
self.assertFalse(result)
def test_owner_field_fallback(self):
"""Test fallback to 'owner' field"""
request = self.factory.get("/")
request.user = self.user
obj = MockObject(owner=self.user)
result = self.permission.has_object_permission(request, APIView(), obj)
self.assertTrue(result)
class IsOwnerOrReadOnlyTest(TestCase):
"""Tests for IsOwnerOrReadOnly permission"""
def setUp(self):
self.factory = RequestFactory()
self.permission = IsOwnerOrReadOnly()
self.user = UserFactory.create_user()
self.other_user = UserFactory.create_user()
def test_safe_methods_allowed_for_all(self):
"""Test GET/HEAD/OPTIONS allowed for non-owners"""
for method in ["get", "head", "options"]:
request = getattr(self.factory, method)("/")
request.user = self.other_user
obj = MockObject(user=self.user)
result = self.permission.has_object_permission(request, APIView(), obj)
self.assertTrue(result, f"{method.upper()} should be allowed")
def test_unsafe_methods_denied_for_non_owner(self):
"""Test POST/PUT/PATCH/DELETE denied for non-owners"""
for method in ["post", "put", "patch", "delete"]:
request = getattr(self.factory, method)("/")
request.user = self.other_user
obj = MockObject(user=self.user)
result = self.permission.has_object_permission(request, APIView(), obj)
self.assertFalse(result, f"{method.upper()} should be denied")
def test_unsafe_methods_allowed_for_owner(self):
"""Test unsafe methods allowed for owner"""
request = self.factory.put("/")
request.user = self.user
obj = MockObject(user=self.user)
result = self.permission.has_object_permission(request, APIView(), obj)
self.assertTrue(result)
class IsAdminOrReadOnlyTest(TestCase):
"""Tests for IsAdminOrReadOnly permission"""
def setUp(self):
self.factory = RequestFactory()
self.permission = IsAdminOrReadOnly()
self.user = UserFactory.create_user()
self.admin = UserFactory.create_user(is_staff=True)
def test_safe_methods_allowed_for_all(self):
"""Test GET allowed for non-admins"""
request = self.factory.get("/")
request.user = self.user
result = self.permission.has_permission(request, APIView())
self.assertTrue(result)
def test_unsafe_methods_denied_for_non_admin(self):
"""Test POST denied for non-admins"""
request = self.factory.post("/")
request.user = self.user
result = self.permission.has_permission(request, APIView())
self.assertFalse(result)
def test_unsafe_methods_allowed_for_admin(self):
"""Test POST allowed for admins"""
request = self.factory.post("/")
request.user = self.admin
result = self.permission.has_permission(request, APIView())
self.assertTrue(result)
class IsAdminTest(TestCase):
"""Tests for IsAdmin permission"""
def setUp(self):
self.factory = RequestFactory()
self.permission = IsAdmin()
self.user = UserFactory.create_user()
self.admin = UserFactory.create_user(is_staff=True)
def test_admin_has_permission(self):
"""Test admin has permission"""
request = self.factory.get("/")
request.user = self.admin
result = self.permission.has_permission(request, APIView())
self.assertTrue(result)
def test_non_admin_denied(self):
"""Test non-admin is denied"""
request = self.factory.get("/")
request.user = self.user
result = self.permission.has_permission(request, APIView())
self.assertFalse(result)
class IsSuperuserTest(TestCase):
"""Tests for IsSuperuser permission"""
def setUp(self):
self.factory = RequestFactory()
self.permission = IsSuperuser()
self.user = UserFactory.create_user()
self.superuser = UserFactory.create_superuser()
def test_superuser_has_permission(self):
"""Test superuser has permission"""
request = self.factory.get("/")
request.user = self.superuser
result = self.permission.has_permission(request, APIView())
self.assertTrue(result)
def test_non_superuser_denied(self):
"""Test non-superuser is denied"""
request = self.factory.get("/")
request.user = self.user
result = self.permission.has_permission(request, APIView())
self.assertFalse(result)
class IsVerifiedTest(TestCase):
"""Tests for IsVerified permission"""
def setUp(self):
self.factory = RequestFactory()
self.permission = IsVerified()
self.user = UserFactory.create_user(is_verified=False)
self.verified_user = UserFactory.create_user(is_verified=True)
def test_verified_user_has_permission(self):
"""Test verified user has permission"""
request = self.factory.get("/")
request.user = self.verified_user
result = self.permission.has_permission(request, APIView())
self.assertTrue(result)
def test_unverified_user_denied(self):
"""Test unverified user is denied"""
request = self.factory.get("/")
request.user = self.user
result = self.permission.has_permission(request, APIView())
self.assertFalse(result)
class IsOwnerOrAdminTest(TestCase):
"""Tests for IsOwnerOrAdmin permission"""
def setUp(self):
self.factory = RequestFactory()
self.permission = IsOwnerOrAdmin()
self.user = UserFactory.create_user()
self.other_user = UserFactory.create_user()
self.admin = UserFactory.create_user(is_staff=True)
def test_owner_has_permission(self):
"""Test owner has permission"""
request = self.factory.get("/")
request.user = self.user
obj = MockObject(user=self.user)
result = self.permission.has_object_permission(request, APIView(), obj)
self.assertTrue(result)
def test_admin_has_permission(self):
"""Test admin has permission to any object"""
request = self.factory.get("/")
request.user = self.admin
obj = MockObject(user=self.user)
result = self.permission.has_object_permission(request, APIView(), obj)
self.assertTrue(result)
def test_non_owner_non_admin_denied(self):
"""Test non-owner non-admin is denied"""
request = self.factory.get("/")
request.user = self.other_user
obj = MockObject(user=self.user)
result = self.permission.has_object_permission(request, APIView(), obj)
self.assertFalse(result)
Reference in New Issue View Git Blame Copy Permalink