from django.urls import reverse from model_bakery import baker from glitchtip.test_utils.test_case import APIPermissionTestCase from organizations_ext.models import OrganizationUserRole class ProjectAPIPermissionTests(APIPermissionTestCase): def setUp(self): self.create_user_org() self.set_client_credentials(self.auth_token.token) self.team = baker.make("teams.Team", organization=self.organization) self.project = baker.make("projects.Project", organization=self.organization) self.project.team_set.add(self.team) self.list_url = reverse("project-list") self.team_list_url = reverse( "team-projects-list", kwargs={"team_pk": self.organization.slug + "/" + self.team.slug}, ) self.detail_url = reverse( "project-detail", kwargs={"pk": self.organization.slug + "/" + self.project.slug}, ) self.team_detail_url = reverse( "team-projects-detail", kwargs={ "team_pk": self.organization.slug + "/" + self.team.slug, "slug": self.project.slug, }, ) def test_list(self): self.assertGetReqStatusCode(self.list_url, 403) self.assertGetReqStatusCode(self.team_list_url, 403) self.auth_token.add_permission("project:read") self.assertGetReqStatusCode(self.list_url, 200) self.assertGetReqStatusCode(self.team_list_url, 200) def test_retrieve(self): self.assertGetReqStatusCode(self.detail_url, 403) self.assertGetReqStatusCode(self.team_detail_url, 403) self.auth_token.add_permission("project:read") self.assertGetReqStatusCode(self.detail_url, 200) self.assertGetReqStatusCode(self.team_detail_url, 200) def test_create(self): self.auth_token.add_permission("project:read") data = {"name": "new project"} self.assertPostReqStatusCode(self.list_url, data, 403) self.assertPostReqStatusCode(self.team_list_url, data, 403) self.auth_token.add_permission("project:write") self.assertPostReqStatusCode( self.list_url, data, 405, "Post to project endpoint should have no way to select organization", ) self.assertPostReqStatusCode(self.team_list_url, data, 201) def test_destroy(self): self.auth_token.add_permissions(["project:read", "project:write"]) self.assertDeleteReqStatusCode(self.detail_url, 403) self.auth_token.add_permission("project:admin") self.assertDeleteReqStatusCode(self.detail_url, 204) def test_user_destroy(self): self.client.force_login(self.user) self.set_user_role(OrganizationUserRole.MEMBER) self.assertDeleteReqStatusCode(self.detail_url, 403) self.set_user_role(OrganizationUserRole.OWNER) self.assertDeleteReqStatusCode(self.detail_url, 204) def test_destory_team_project(self): self.assertDeleteReqStatusCode(self.team_detail_url, 403) self.auth_token.add_permission("project:admin") self.assertDeleteReqStatusCode(self.team_detail_url, 204) def test_user_destroy_team_project(self): self.client.force_login(self.user) self.set_user_role(OrganizationUserRole.MEMBER) self.assertDeleteReqStatusCode(self.team_detail_url, 403) self.set_user_role(OrganizationUserRole.OWNER) self.assertDeleteReqStatusCode(self.team_detail_url, 204) def test_update(self): self.auth_token.add_permission("project:read") data = {"name": "new name"} self.assertPutReqStatusCode(self.detail_url, data, 403) self.assertPutReqStatusCode(self.team_detail_url, data, 403) self.auth_token.add_permission("project:write") self.assertPutReqStatusCode(self.detail_url, data, 200) self.assertPutReqStatusCode(self.team_detail_url, data, 200) class ProjectKeyAPIPermissionTests(APIPermissionTestCase): def setUp(self): self.create_user_org() self.set_client_credentials(self.auth_token.token) self.team = baker.make("teams.Team", organization=self.organization) self.project = baker.make("projects.Project", organization=self.organization) self.project_key = baker.make("projects.ProjectKey", project=self.project) self.list_url = reverse( "project-keys-list", kwargs={"project_pk": f"{self.organization.slug}/{self.project.slug}"}, ) self.detail_url = reverse( "project-keys-detail", kwargs={ "project_pk": f"{self.organization.slug}/{self.project.slug}", "public_key": self.project_key.public_key, }, ) def test_list(self): self.assertGetReqStatusCode(self.list_url, 403) self.auth_token.add_permission("project:read") self.assertGetReqStatusCode(self.list_url, 200) def test_retrieve(self): self.assertGetReqStatusCode(self.detail_url, 403) self.auth_token.add_permission("project:read") self.assertGetReqStatusCode(self.detail_url, 200) def test_create(self): self.auth_token.add_permission("project:read") data = {"label": "new project key"} self.assertPostReqStatusCode(self.list_url, data, 403) self.auth_token.add_permission("project:write") self.assertPostReqStatusCode(self.list_url, data, 201) def test_destroy(self): self.auth_token.add_permissions(["project:read", "project:write"]) self.assertDeleteReqStatusCode(self.detail_url, 403) self.auth_token.add_permission("project:admin") self.assertDeleteReqStatusCode(self.detail_url, 204) def test_update(self): self.auth_token.add_permission("project:read") data = {"label": "new label"} self.assertPutReqStatusCode(self.detail_url, data, 403) self.auth_token.add_permission("project:write") self.assertPutReqStatusCode(self.detail_url, data, 200)