
  1. from django.urls import reverse
  2. from model_bakery import baker
  3. from glitchtip.test_utils.test_case import APIPermissionTestCase
  4. from organizations_ext.models import OrganizationUserRole
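class IssueAPIPermissionTests(APIPermissionTestCase):
    """Permission matrix for the issue endpoints.

    Each test first asserts the denied response for a token that lacks the
    relevant ``event:*`` scope, then grants the scope and asserts the allowed
    response, so a regression in either direction (over- or under-permissive)
    is caught.
    """

    def setUp(self):
        """Create an organization, a token-authenticated client and one issue.

        The issue is reachable through three route families (global,
        organization-scoped and project-scoped); URLs for all of them are
        stored on ``self``.
        """
        self.create_user_org()
        self.set_client_credentials(self.auth_token.token)
        # Link the org user to the project via a team (presumably needed for
        # the project-scoped routes to resolve — confirm against the views).
        self.team = baker.make("teams.Team", organization=self.organization)
        self.team.members.add(self.org_user)
        self.project = baker.make("projects.Project", organization=self.organization)
        self.project.team_set.add(self.team)
        self.issue = baker.make("issues.Issue", project=self.project)
        # Project-scoped routes key on "<organization slug>/<project slug>".
        project_pk = self.organization.slug + "/" + self.project.slug
        self.list_url = reverse("issue-list")
        self.organization_list_url = reverse(
            "organization-issues-list",
            kwargs={"organization_slug": self.organization.slug},
        )
        self.project_list_url = reverse(
            "project-issues-list", kwargs={"project_pk": project_pk}
        )
        self.detail_url = reverse("issue-detail", kwargs={"pk": self.issue.pk})
        self.organization_detail_url = reverse(
            "organization-issues-detail",
            kwargs={"organization_slug": self.organization.slug, "pk": self.issue.pk},
        )
        self.project_detail_url = reverse(
            "project-issues-detail",
            kwargs={"project_pk": project_pk, "pk": self.issue.pk},
        )

    def test_list(self):
        """All three list routes deny without ``event:read`` and allow with it."""
        self.assertGetReqStatusCode(self.list_url, 403)
        self.assertGetReqStatusCode(self.organization_list_url, 403)
        self.assertGetReqStatusCode(self.project_list_url, 403)
        self.auth_token.add_permission("event:read")
        self.assertGetReqStatusCode(self.list_url, 200)
        # Positive case for the organization route, matching test_retrieve;
        # without it a route that stays 403 after the grant goes unnoticed.
        self.assertGetReqStatusCode(self.organization_list_url, 200)
        self.assertGetReqStatusCode(self.project_list_url, 200)

    def test_retrieve(self):
        """All three detail routes deny without ``event:read`` and allow with it."""
        self.assertGetReqStatusCode(self.detail_url, 403)
        self.assertGetReqStatusCode(self.organization_detail_url, 403)
        self.assertGetReqStatusCode(self.project_detail_url, 403)
        self.auth_token.add_permission("event:read")
        self.assertGetReqStatusCode(self.detail_url, 200)
        self.assertGetReqStatusCode(self.organization_detail_url, 200)
        self.assertGetReqStatusCode(self.project_detail_url, 200)

    def test_create(self):
        """Issues cannot be created through the API, even with ``event:admin``."""
        data = {"not": "supported"}
        self.auth_token.add_permission("event:admin")
        # 405 (not 403): the method is unsupported regardless of scope.
        self.assertPostReqStatusCode(self.list_url, data, 405)

    def test_destroy(self):
        """Deletion requires ``event:admin``; read+write alone is refused."""
        self.auth_token.add_permissions(["event:read", "event:write"])
        self.assertDeleteReqStatusCode(self.detail_url, 403)
        self.auth_token.add_permission("event:admin")
        self.assertDeleteReqStatusCode(self.detail_url, 204)

    def test_user_destroy(self):
        """A session-authenticated organization MEMBER may delete an issue.

        This pins the current policy for interactive users, which is more
        permissive than the token path tested in ``test_destroy``.
        """
        self.client.force_login(self.user)
        self.set_user_role(OrganizationUserRole.MEMBER)
        self.assertDeleteReqStatusCode(self.detail_url, 204)

    def test_update(self):
        """Updating requires ``event:write``; ``event:read`` alone is refused."""
        self.auth_token.add_permission("event:read")
        data = {"status": "resolved"}
        self.assertPutReqStatusCode(self.detail_url, data, 403)
        self.assertPutReqStatusCode(self.organization_detail_url, data, 403)
        self.assertPutReqStatusCode(self.project_detail_url, data, 403)
        self.auth_token.add_permission("event:write")
        self.assertPutReqStatusCode(self.detail_url, data, 200)
        self.assertPutReqStatusCode(self.organization_detail_url, data, 200)
        self.assertPutReqStatusCode(self.project_detail_url, data, 200)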
class EventAPIPermissionTests(APIPermissionTestCase):
    """Permission checks for the event endpoints.

    Events are read-only here: each test asserts 403 without ``event:read``
    and 200 once the scope is granted.
    """

    def setUp(self):
        """Build an org, a token client and one event under a team-linked project."""
        self.create_user_org()
        self.set_client_credentials(self.auth_token.token)
        self.team = baker.make("teams.Team", organization=self.organization)
        self.team.members.add(self.org_user)
        self.project = baker.make("projects.Project", organization=self.organization)
        self.project.team_set.add(self.team)
        self.event = baker.make("events.Event", issue__project=self.project)

        issue_pk = self.event.issue.pk
        # Project-scoped routes use "<organization slug>/<project slug>".
        project_pk = self.organization.slug + "/" + self.project.slug

        self.list_url = reverse("issue-events-list", kwargs={"issue_pk": issue_pk})
        self.project_list_url = reverse(
            "project-events-list", kwargs={"project_pk": project_pk}
        )
        self.detail_url = reverse(
            "issue-events-detail", kwargs={"issue_pk": issue_pk, "pk": self.event.pk}
        )
        self.project_detail_url = reverse(
            "project-events-detail",
            kwargs={"project_pk": project_pk, "pk": self.event.pk},
        )
        # The "latest" action hangs off the issue-scoped list route.
        self.latest_detail_url = self.list_url + "latest/"

    def _assert_all_get(self, urls, expected_status):
        """Assert every URL in *urls* answers GET with *expected_status*."""
        for url in urls:
            self.assertGetReqStatusCode(url, expected_status)

    def test_list(self):
        """Both list routes need ``event:read``."""
        list_urls = (self.list_url, self.project_list_url)
        self._assert_all_get(list_urls, 403)
        self.auth_token.add_permission("event:read")
        self._assert_all_get(list_urls, 200)

    def test_retrieve(self):
        """Both detail routes and the "latest" action need ``event:read``."""
        detail_urls = (self.detail_url, self.project_detail_url, self.latest_detail_url)
        self._assert_all_get(detail_urls, 403)
        self.auth_token.add_permission("event:read")
        self._assert_all_get(detail_urls, 200)

    def test_event_json_view(self):
        """The raw-event JSON view honours the same ``event:read`` gate."""
        json_url = reverse(
            "event_json",
            kwargs={
                "org": self.organization.slug,
                "issue": self.event.issue.pk,
                "event": self.event.pk,
            },
        )
        self.assertGetReqStatusCode(json_url, 403)
        self.auth_token.add_permission("event:read")
        self.assertGetReqStatusCode(json_url, 200)
class CommentsAPIPermissionTests(APIPermissionTestCase):
    """Permission checks for issue comments.

    Read needs ``event:read``, create/update need ``event:write`` and delete
    needs ``event:admin``; each test asserts the refusal before the grant.
    """

    def setUp(self):
        """Create an org, a token client, and one comment on one issue."""
        self.create_user_org()
        self.set_client_credentials(self.auth_token.token)
        self.project = baker.make("projects.Project", organization=self.organization)
        self.issue = baker.make("issues.Issue", project=self.project)
        self.comment = baker.make("issues.Comment", issue=self.issue)
        route_kwargs = {"issue_pk": self.issue.pk}
        self.list_url = reverse("issue-comments-list", kwargs=route_kwargs)
        self.detail_url = reverse(
            "issue-comments-detail", kwargs={**route_kwargs, "pk": self.comment.pk}
        )

    def _comment_payload(self):
        """Body accepted by the comment create/update endpoints."""
        return {"data": {"text": "Test"}}

    def test_list(self):
        """Listing comments is gated on ``event:read``."""
        self.assertGetReqStatusCode(self.list_url, 403)
        self.auth_token.add_permission("event:read")
        self.assertGetReqStatusCode(self.list_url, 200)

    def test_create(self):
        """Creating a comment needs ``event:write``; read alone is refused."""
        self.auth_token.add_permission("event:read")
        payload = self._comment_payload()
        # JSON format is required so the nested "data" object survives intact.
        denied = self.client.post(self.list_url, payload, format="json")
        self.assertEqual(denied.status_code, 403)
        self.auth_token.add_permission("event:write")
        created = self.client.post(self.list_url, payload, format="json")
        self.assertEqual(created.status_code, 201)

    def test_destroy(self):
        """Deleting a comment needs ``event:admin``; read+write is refused."""
        self.auth_token.add_permissions(["event:read", "event:write"])
        self.assertDeleteReqStatusCode(self.detail_url, 403)
        self.auth_token.add_permission("event:admin")
        self.assertDeleteReqStatusCode(self.detail_url, 204)

    def test_update(self):
        """Updating a comment needs ``event:write``; read alone is refused."""
        self.auth_token.add_permission("event:read")
        payload = self._comment_payload()
        denied = self.client.put(self.detail_url, payload, format="json")
        self.assertEqual(denied.status_code, 403)
        self.auth_token.add_permission("event:write")
        updated = self.client.put(self.detail_url, payload, format="json")
        self.assertEqual(updated.status_code, 200)