SMusatov
/
GlitchTip
mirror of https://gitlab.com/glitchtip/glitchtip-backend.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133
							from django.urls import reverse
from model_bakery import baker

from glitchtip.test_utils.test_case import APIPermissionTestCase
from organizations_ext.models import OrganizationUserRole


class OrganizationAPIPermissionTests(APIPermissionTestCase):
    def setUp(self):
        self.create_user_org()
        self.set_client_credentials(self.auth_token.token)
        self.list_url = reverse("organization-list")
        self.detail_url = reverse("organization-detail", args=[self.organization.slug])

    def test_list(self):
        self.assertGetReqStatusCode(self.list_url, 403)
        self.auth_token.add_permission("org:read")
        self.assertGetReqStatusCode(self.list_url, 200)

    def test_retrieve(self):
        self.assertGetReqStatusCode(self.detail_url, 403)
        self.auth_token.add_permission("org:read")
        self.assertGetReqStatusCode(self.detail_url, 200)

    def test_create(self):
        self.auth_token.add_permission("org:read")
        data = {"name": "new org"}
        self.assertPostReqStatusCode(self.list_url, data, 403)
        self.auth_token.add_permission("org:write")
        self.assertPostReqStatusCode(self.list_url, data, 201)

    def test_destroy(self):
        self.auth_token.add_permissions(["org:read", "org:write"])
        self.assertDeleteReqStatusCode(self.detail_url, 403)
        self.auth_token.add_permission("org:admin")
        self.assertDeleteReqStatusCode(self.detail_url, 204)

    def test_user_destroy(self):
        self.client.force_login(self.user)
        self.set_user_role(OrganizationUserRole.MEMBER)
        self.assertDeleteReqStatusCode(self.detail_url, 403)
        self.set_user_role(OrganizationUserRole.OWNER)
        self.assertDeleteReqStatusCode(self.detail_url, 204)

    def test_update(self):
        self.auth_token.add_permission("org:read")
        data = {"name": "new name"}
        self.assertPutReqStatusCode(self.detail_url, data, 403)
        self.auth_token.add_permission("org:write")
        self.assertPutReqStatusCode(self.detail_url, data, 200)

    def test_user_update(self):
        self.client.force_login(self.user)
        self.set_user_role(OrganizationUserRole.MEMBER)
        data = {"name": "new name"}
        self.assertPutReqStatusCode(self.detail_url, data, 403)
        self.set_user_role(OrganizationUserRole.MANAGER)
        self.assertPutReqStatusCode(self.detail_url, data, 200)


class OrganizationMemberAPIPermissionTests(APIPermissionTestCase):
    def setUp(self):
        self.create_user_org()

        # Change owner to avoid restrictions on org owners
        # deleting their own organization
        new_user = baker.make("users.User")
        new_owner = self.organization.add_user(new_user)
        self.organization.change_owner(new_owner)
        self.set_client_credentials(self.auth_token.token)
        self.list_url = reverse(
            "organization-members-list",
            kwargs={"organization_slug": self.organization.slug},
        )
        self.detail_url = reverse(
            "organization-members-detail",
            kwargs={
                "organization_slug": self.organization.slug,
                "pk": self.org_user.pk,
            },
        )

    def test_list(self):
        self.assertGetReqStatusCode(self.list_url, 403)
        self.auth_token.add_permission("member:read")
        self.assertGetReqStatusCode(self.list_url, 200)

    def test_retrieve(self):
        self.assertGetReqStatusCode(self.detail_url, 403)
        self.auth_token.add_permission("member:read")
        self.assertGetReqStatusCode(self.detail_url, 200)

    def test_create(self):
        self.auth_token.add_permission("member:read")
        data = {"email": "lol@example.com", "role": "member"}
        self.assertPostReqStatusCode(self.list_url, data, 403)
        self.auth_token.add_permission("member:write")
        self.assertPostReqStatusCode(self.list_url, data, 201)

    def test_destroy(self):
        self.auth_token.add_permissions(["member:read", "member:write"])
        self.assertDeleteReqStatusCode(self.detail_url, 403)
        self.auth_token.add_permission("member:admin")
        self.assertDeleteReqStatusCode(self.detail_url, 204)

    def test_user_destroy(self):
        self.client.force_login(self.user)
        self.set_user_role(OrganizationUserRole.MEMBER)
        self.assertDeleteReqStatusCode(self.detail_url, 403)
        self.set_user_role(OrganizationUserRole.OWNER)
        self.assertDeleteReqStatusCode(self.detail_url, 204)

    def test_update(self):
        self.auth_token.add_permission("member:read")
        data = {"email": "lol@example.com", "role": "member"}
        self.assertPutReqStatusCode(self.detail_url, data, 403)
        self.auth_token.add_permission("member:write")
        self.assertPutReqStatusCode(self.detail_url, data, 200)

    def test_teams_add(self):
        self.team = baker.make("teams.Team", organization=self.organization)
        url = self.detail_url + "teams/" + self.team.slug + "/"
        data = {}
        self.assertPostReqStatusCode(url, data, 403)
        self.auth_token.add_permissions(["org:read", "org:write"])
        self.assertPostReqStatusCode(url, data, 201)

    def test_teams_remove(self):
        self.team = baker.make("teams.Team", organization=self.organization)
        url = self.detail_url + "teams/" + self.team.slug + "/"
        self.assertDeleteReqStatusCode(url, 403)
        self.auth_token.add_permissions(["org:read", "org:write"])
        self.assertDeleteReqStatusCode(url, 200)