diff --git a/intervention/models.py b/intervention/models.py
index 46cc0950..ec01e15f 100644
--- a/intervention/models.py
+++ b/intervention/models.py
@@ -249,7 +249,7 @@ class Intervention(BaseObject, RecordableMixin, CheckableMixin):
 )
 # Create random token
- token = generators.generate_random_string(15)
+ token = generators.generate_random_string(15, True, True, False)
 token_used_in = Intervention.objects.filter(access_token=token)
 # Make sure the token is not used anywhere as access_token, yet.
 # Make use of QuerySet lazy method for checking if it exists or not.
diff --git a/intervention/tests.py b/intervention/tests.py
deleted file mode 100644
index 7ce503c2..00000000
--- a/intervention/tests.py
+++ /dev/null
@@ -1,3 +0,0 @@
-from django.test import TestCase
-
-# Create your tests here.
diff --git a/intervention/tests/__init__.py b/intervention/tests/__init__.py
new file mode 100644
index 00000000..10799e80
--- /dev/null
+++ b/intervention/tests/__init__.py
@@ -0,0 +1,7 @@
+"""
+Author: Michel Peltriaux
+Organization: Struktur- und Genehmigungsdirektion Nord, Rhineland-Palatinate, Germany
+Contact: michel.peltriaux@sgdnord.rlp.de
+Created on: 26.10.21
+
+"""
diff --git a/intervention/tests/test_views.py b/intervention/tests/test_views.py
new file mode 100644
index 00000000..95527748
--- /dev/null
+++ b/intervention/tests/test_views.py
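Review bot: The three positional booleans in `token = generators.generate_random_string(15, True, True, False)` are opaque at the call site; passing them by the keyword names declared in `generators` would document which character classes are being toggled and protect the call against a future reordering of those parameters. Because this value becomes the `access_token` that gates the share link, it is also worth confirming that `generate_random_string` draws from `secrets`/`SystemRandom` rather than the default `random` module (its implementation is not part of this diff) and that 15 characters over the chosen alphabet gives the entropy intended for a publicly usable token. A short comment such as `# Share-link token: must come from a CSPRNG, uniqueness is verified below` would make that requirement explicit for the next maintainer. The enclosing method starts and ends outside the hunk.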
@@ -0,0 +1,293 @@ +""" +Author: Michel Peltriaux +Organization: Struktur- und Genehmigungsdirektion Nord, Rhineland-Palatinate, Germany +Contact: michel.peltriaux@sgdnord.rlp.de +Created on: 26.10.21 + +""" +from django.test import TestCase, Client + +from django.contrib.auth.models import User, Group +from django.urls import reverse + +from intervention.models import Intervention, LegalData, ResponsibilityData +from konova.management.commands.setup_data import GROUPS_DATA +from konova.models import Geometry +from konova.settings import DEFAULT_GROUP, ZB_GROUP, ETS_GROUP +from user.models import UserActionLogEntry, UserAction + + +class ViewTestCase(TestCase): + def setUp(self) -> None: + # Create superuser and regular user + self.superuser = User.objects.create_superuser( + username="root", + email="root@root.com", + password="root", + ) + self.user = User.objects.create_user( + username="user1", + email="user@root.com", + password="user1" + ) + # Create groups + for group_data in GROUPS_DATA: + name = group_data.get("name") + Group.objects.get_or_create( + name=name, + ) + + # Create dummy data + # Create log entry + action = UserActionLogEntry.objects.create( + user=self.superuser, + action=UserAction.CREATED, + ) + # Create legal data object (without M2M laws first) + legal_data = LegalData.objects.create() + # Create responsible data object + responsibility_data = ResponsibilityData.objects.create() + geometry = Geometry.objects.create() + # Finally create main object, holding the other objects + intervention = Intervention.objects.create( + identifier="TEST", + title="Test_title", + responsible=responsibility_data, + legal=legal_data, + created=action, + geometry=geometry, + comment="Test", + ) + intervention.generate_access_token(make_unique=True) + + # Prepare urls + self.index_url = reverse("intervention:index", args=()) + self.new_url = reverse("intervention:new", args=()) + self.new_id_url = reverse("intervention:new-id", args=()) + self.detail_url = 
reverse("intervention:detail", args=(intervention.id,)) + self.log_url = reverse("intervention:log", args=(intervention.id,)) + self.edit_url = reverse("intervention:edit", args=(intervention.id,)) + self.remove_url = reverse("intervention:remove", args=(intervention.id,)) + self.share_url = reverse("intervention:share", args=(intervention.id, intervention.access_token,)) + self.share_create_url = reverse("intervention:share-create", args=(intervention.id,)) + self.run_check_url = reverse("intervention:run-check", args=(intervention.id,)) + self.record_url = reverse("intervention:record", args=(intervention.id,)) + self.report_url = reverse("intervention:report", args=(intervention.id,)) + self.login_url = reverse("simple-sso-login") + + def test_views_logged_in_no_groups(self): + """ Check correct status code for all requests + + Assertion: User logged in but has no groups + + Returns: + + """ + # Login client + client = Client() + client.login(username="root", password="root") + + success_urls = [ + self.index_url, + self.report_url, + self.detail_url, + ] + fail_urls = [ + self.log_url, + self.new_id_url, + self.new_url, + self.edit_url, + self.remove_url, + self.share_url, + self.share_create_url, + self.run_check_url, + self.record_url, + ] + + for url in success_urls: + response = client.get(url) + self.assertEqual(response.status_code, 200, msg=f"Failed for {url}") + + for url in fail_urls: + response = client.get(url) + self.assertEqual(response.status_code, 302, msg=f"Failed for {url}") + + def test_views_anonymous_user(self): + """ Check correct status code for all requests + + Assertion: User logged in but has no groups + + Returns: + + """ + # Unknown client + client = Client() + + success_urls = [ + self.report_url, + ] + fail_urls = [ + self.detail_url, + self.index_url, + self.log_url, + self.new_id_url, + self.new_url, + self.edit_url, + self.remove_url, + self.share_url, + self.share_create_url, + self.run_check_url, + self.record_url, + ] + + for 
url in success_urls: + response = client.get(url) + self.assertEqual(response.status_code, 200, msg=f"Failed for {url}") + + for url in fail_urls: + response = client.get(url, follow=True) + self.assertEqual(response.redirect_chain[0], (f"{self.login_url}?next={url}", 302), msg=f"Failed for {url}. Redirect chain is {response.redirect_chain}") + + def test_views_logged_in_default_group(self): + """ Check correct status code for all requests + + Assertion: User logged in and is default group member + + Returns: + + """ + # Login client + client = Client() + client.login(username="root", password="root") + + # Add user to default group + default_group = Group.objects.get(name=DEFAULT_GROUP) + self.superuser.groups.set([default_group]) + + success_urls = [ + self.index_url, + self.report_url, + self.detail_url, + self.log_url, + self.new_id_url, + self.new_url, + self.edit_url, + self.remove_url, + self.share_create_url, + ] + fail_urls = [ + self.run_check_url, + self.record_url, + ] + success_urls_redirect = { + self.share_url: self.detail_url + } + + for url in success_urls: + response = client.get(url) + self.assertEqual(response.status_code, 200, msg=f"Failed for {url}") + + for url in fail_urls: + response = client.get(url) + self.assertEqual(response.status_code, 302, msg=f"Failed for {url}") + + for url, redirect_to in success_urls_redirect.items(): + response = client.get(url, follow=True) + # Expect redirects to the landing page + self.assertEqual(response.redirect_chain[0], (redirect_to, 302), msg=f"Failed for {url}") + + def test_views_logged_in_zb_group(self): + """ Check correct status code for all requests + + Assertion: User logged in and is registration office member + + Returns: + + """ + # Login client + client = Client() + client.login(username="root", password="root") + + # Add user to default group + zb_group = Group.objects.get(name=ZB_GROUP) + self.superuser.groups.set([zb_group]) + + success_urls = [ + self.index_url, + self.report_url, + 
self.detail_url, + self.run_check_url, + ] + fail_urls = [ + self.log_url, + self.new_id_url, + self.new_url, + self.edit_url, + self.remove_url, + self.share_create_url, + self.record_url, + ] + success_urls_redirect = { + self.share_url: self.detail_url + } + + for url in success_urls: + response = client.get(url) + self.assertEqual(response.status_code, 200, msg=f"Failed for {url}") + + for url in fail_urls: + response = client.get(url) + self.assertEqual(response.status_code, 302, msg=f"Failed for {url}") + + for url, redirect_to in success_urls_redirect.items(): + response = client.get(url, follow=True) + # Expect redirects to the landing page + self.assertEqual(response.redirect_chain[0], (redirect_to, 302), msg=f"Failed for {url}") + + def test_views_logged_in_ets_group(self): + """ Check correct status code for all requests + + Assertion: User logged in and is registration office member + + Returns: + + """ + # Login client + client = Client() + client.login(username="root", password="root") + + # Add user to default group + ets_group = Group.objects.get(name=ETS_GROUP) + self.superuser.groups.set([ets_group]) + + success_urls = [ + self.index_url, + self.report_url, + self.detail_url, + self.record_url, + ] + fail_urls = [ + self.log_url, + self.new_id_url, + self.new_url, + self.edit_url, + self.remove_url, + self.share_create_url, + self.run_check_url, + ] + success_urls_redirect = { + self.share_url: self.detail_url + } + + for url in success_urls: + response = client.get(url) + self.assertEqual(response.status_code, 200, msg=f"Failed for {url}") + + for url in fail_urls: + response = client.get(url) + self.assertEqual(response.status_code, 302, msg=f"Failed for {url}") + + for url, redirect_to in success_urls_redirect.items(): + response = client.get(url, follow=True) + # Expect redirects to the landing page + self.assertEqual(response.redirect_chain[0], (redirect_to, 302), msg=f"Failed for {url}") 
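Review bot: Every test authenticates as the superuser via `client.login(username="root", password="root")` while the unprivileged `self.user` created in `setUp` is never used, so the group-based authorisation assertions never exercise an ordinary account and would not catch a decorator or middleware that treats superusers specially; the group tests should log in with `client.login(username="user1", password="user1")` and assign groups with `self.user.groups.set([default_group])` (and likewise for the zb/ets cases). The docstring of `test_views_anonymous_user` still says "User logged in but has no groups", the one of `test_views_logged_in_ets_group` says "registration office member", and the `# Add user to default group` comments in the zb/ets tests look copy-pasted; each should describe the anonymous, ZB-group and ETS-group case it actually covers. The document and revocation views that this commit also restricts (`new_document_view`, `get_document_view`, `get_revocation_view`, `remove_document_view`, `new_revocation_view`) have no URL in these tests, so their new decorators and the new per-object sharing check remain unverified.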
diff --git a/intervention/views.py b/intervention/views.py index 6c2f524d..667c4289 100644 --- a/intervention/views.py +++ b/intervention/views.py @@ -93,6 +93,7 @@ def new_view(request: HttpRequest): @login_required +@default_group_required def new_id_view(request: HttpRequest): """ JSON endpoint @@ -111,6 +112,7 @@ def new_id_view(request: HttpRequest): @login_required +@default_group_required def new_document_view(request: HttpRequest, id: str): """ Renders a form for uploading new documents @@ -129,6 +131,7 @@ def new_document_view(request: HttpRequest, id: str): @login_required +@default_group_required def get_revocation_view(request: HttpRequest, doc_id: str): """ Returns the revocation document as downloadable file @@ -142,10 +145,18 @@ def get_revocation_view(request: HttpRequest, doc_id: str): """ doc = get_object_or_404(RevocationDocument, id=doc_id) + # File download only possible if related instance is shared with user + if not doc.instance.users.filter(id=request.user.id): + messages.info( + request, + DATA_UNSHARED + ) + return redirect("intervention:detail", id=doc.instance.id) return get_document(doc) @login_required +@default_group_required def get_document_view(request: HttpRequest, doc_id: str): """ Returns the document as downloadable file @@ -172,6 +183,7 @@ def get_document_view(request: HttpRequest, doc_id: str): @login_required +@default_group_required def remove_document_view(request: HttpRequest, doc_id: str): """ Removes the document from the database and file system @@ -251,6 +263,7 @@ def detail_view(request: HttpRequest, id: str): @login_required +@default_group_required def edit_view(request: HttpRequest, id: str): """ Renders a view for editing interventions @@ -374,6 +387,7 @@ def share_view(request: HttpRequest, id: str, token: str): @login_required +@default_group_required def create_share_view(request: HttpRequest, id: str): """ Renders sharing form for an intervention 
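Review bot: The new sharing check in `get_revocation_view` tests the QuerySet for truthiness, `if not doc.instance.users.filter(id=request.user.id):`, which evaluates and materialises the whole result; `if not doc.instance.users.filter(id=request.user.id).exists():` states the intent and issues a cheaper query. The sibling download and removal views in this section, `get_document_view` and `remove_document_view`, only gain `@default_group_required` in their hunks, so unless their bodies (outside the hunks) already contain an equivalent guard, any default-group member could presumably still fetch or delete a document of an intervention that was never shared with them; the same `users.filter(...)` check belongs there as well. A comment above the check such as `# Group membership is not sufficient: the instance must be shared with the requesting user` would make the distinction between the decorator and the per-object check explicit. All of these functions start and end outside their hunks.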
@@ -393,6 +407,7 @@ def create_share_view(request: HttpRequest, id: str): @login_required +@registration_office_group_required def run_check_view(request: HttpRequest, id: str): """ Renders check form for an intervention @@ -413,6 +428,7 @@ def run_check_view(request: HttpRequest, id: str): @login_required +@default_group_required def new_revocation_view(request: HttpRequest, id: str): """ Renders sharing form for an intervention @@ -432,6 +448,7 @@ def new_revocation_view(request: HttpRequest, id: str): @login_required +@default_group_required def log_view(request: HttpRequest, id: str): """ Renders a log view using modal diff --git a/konova/settings.py b/konova/settings.py index 51e5bade..1355fbae 100644 --- a/konova/settings.py +++ b/konova/settings.py @@ -50,7 +50,7 @@ PAGE_DEFAULT = 1 # SSO settings SSO_SERVER_BASE = "http://127.0.0.1:8000/" -SSO_SERVER = "{}sso/".format(SSO_SERVER_BASE) +SSO_SERVER = f"{SSO_SERVER_BASE}sso/" SSO_PRIVATE_KEY = "CHANGE_ME" SSO_PUBLIC_KEY = "CHANGE_ME"