diff --git a/rowers/tests/test_permissions2.py b/rowers/tests/test_permissions2.py
index e3d0edef..054aed95 100644
--- a/rowers/tests/test_permissions2.py
+++ b/rowers/tests/test_permissions2.py
@@ -149,6 +149,7 @@ class PermissionsViewTests(TestCase):
 self.uplan['user'].rower.team.add(self.teamcoach)
 self.ubasic['user'].rower.team.add(self.teamcoach)
 self.ucoach['user'].rower.team.add(self.teamcoach)
+ self.upro['user'].rower.team.add(self.teamcoach)
 self.upro['user'].rower.team.add(self.teamplan)
 self.uplan2['user'].rower.team.add(self.teamplan)
@@ -294,10 +295,10 @@ class PermissionsViewTests(TestCase):
 # test logged as user with no permissions (e.g. too low plan)
 for url in falseurlstotest:
- print(url)
- login = self.c.login(username = notuser['username'],password = notuser['password'])
- result = self.c.get(url)
- self.assertEqual(result.status_code, permissions['own_nonperm'])
+ print(url)
+ login = self.c.login(username = notuser['username'],password = notuser['password'])
+ result = self.c.get(url)
+ self.assertEqual(result.status_code, permissions['own_nonperm'])
 # test as user with permissions, accessing object of non-related user
 for url in otheruserurls:
@@ -314,7 +315,7 @@ class PermissionsViewTests(TestCase):
 @patch('requests.get',side_effect=mocked_requests)
 @patch('requests.post',side_effect=mocked_requests)
 @patch('rowers.dataprep.get_video_data',side_effect=mocked_get_video_data)
- def test_permissions_own(
+ def test_permissions_member(
 self,view,permissions,
 mocked_sqlalchemy,
 mocked_read_df_sql,
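Review bot: Renaming this method to `test_permissions_member` collides with the second `def test_permissions_member(` that the last hunk of this commit adds under the comment `# Test access for logged in users - accessing coachee`. Two methods with the same name in one class body leave only the later binding. If this method also sits under `@parameterized.expand(viewstotest)` (its decorator stack starts above the hunk, so this is inferred), the generated case names would presumably collide in the same way. The member-access checks would then stop running without any failure being reported, which is a silent loss of authorization coverage in a permissions suite. Naming the new test `def test_permissions_coachee(` keeps both sets; the method body continues outside this hunk.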
@@ -329,27 +330,29 @@ class PermissionsViewTests(TestCase):
 falseurlstotest = []
 otheruserurls = []
- if permissions['own'] == 'basic':
+ if permissions['member'] == 'basic':
 thisuser = self.ubasic
+ memberuser = self.uplan
 notuser = None
- elif permissions['own'] == 'pro':
+ elif permissions['member'] == 'pro':
 thisuser = self.upro
+ memberuser = self.uplan
 notuser = self.ubasic
- elif permissions['own'] == 'plan':
+ elif permissions['member'] == 'plan':
 thisuser = self.uplan
+ memberuser = self.ubasic
 notuser = self.upro
- elif permissions['own'] == 'coach':
+ elif permissions['member'] == 'coach':
 thisuser = self.ucoach
+ memberuser = self.uplan
 notuser = self.uplan
 if permissions['workoutid']:
- workouts = thisuser['workouts']
+ workouts = memberuser['workouts']
 url = reverse(view,kwargs={'id':encoder.encode_hex(workouts[0].id)})
 urlstotest.append(url)
 if notuser:
- workouts = notuser['workouts']
- url = reverse(view,kwargs={'id':encoder.encode_hex(workouts[0].id)})
 falseurlstotest.append(url)
 elif permissions['userid']:
 url = reverse(view,kwargs={'userid':thisuser['user'].id})
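Review bot: In the `'coach'` branch both `memberuser` and `notuser` are `self.uplan`, and `falseurlstotest.append(url)` now reuses the URL just built from `memberuser['workouts']`. The negative case therefore has uplan requesting their own workout while the later loop asserts `permissions['member_nonperm']`. That does not exercise a denied team member: it either fails or records an owner's response as the "no permission" expectation. Choose a distinct denied user for that branch, or set `notuser = None` there as the `'basic'` branch does. The chain also has no `else`, so an unexpected `permissions['member']` value would leave `thisuser` and `memberuser` unbound; the enclosing test starts above this hunk and continues below it.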
@@ -360,17 +363,73 @@ class PermissionsViewTests(TestCase):
 # test logged in as user who has permissions
 for url in urlstotest:
- print(url)
- login = self.c.login(username = thisuser['username'],password = thisuser['password'])
- result = self.c.get(url)
- self.assertEqual(result.status_code, permissions['own_response'])
+ print(url)
+ login = self.c.login(username = thisuser['username'],password = thisuser['password'])
+ result = self.c.get(url)
+ self.assertEqual(result.status_code, permissions['member_response'])
 # test logged as user with no permissions (e.g. too low plan)
 for url in falseurlstotest:
- print(url)
- login = self.c.login(username = notuser['username'],password = notuser['password'])
- result = self.c.get(url)
- self.assertEqual(result.status_code, permissions['own_nonperm'])
+ print(url)
+ login = self.c.login(username = notuser['username'],password = notuser['password'])
+ result = self.c.get(url)
+ self.assertEqual(result.status_code, permissions['member_nonperm'])
+
+ # test as user with permissions, accessing object of non-related user
+ for url in otheruserurls:
+ print(url)
+ login = self.c.login(username=thisuser['username'],password = thisuser['password'])
+ result = self.c.get(url)
+ self.assertEqual(result.status_code,403)
+
+ # Test access for logged in users - accessing coachee
+ @parameterized.expand(viewstotest)
+ @patch('rowers.dataprep.create_engine')
+ @patch('rowers.dataprep.read_df_sql')
+ @patch('rowers.dataprep.getsmallrowdata_db')
+ @patch('requests.get',side_effect=mocked_requests)
+ @patch('requests.post',side_effect=mocked_requests)
+ @patch('rowers.dataprep.get_video_data',side_effect=mocked_get_video_data)
+ def test_permissions_member(
+ self,view,permissions,
+ mocked_sqlalchemy,
+ mocked_read_df_sql,
+ mocked_getsmallrowdata_db,
+ mock_get,
+ mock_post,
+ mocked_get_video_data,
+ ):
+
+ if permissions['own'] and not permissions['is_staff']:
+ urlstotest = []
+ falseurlstotest = []
+ otheruserurls = []
+
+ if permissions['coachee'] == 'coach':
+ thisuser = self.ucoach
+ coacheeuser = self.ubasic
+ notuser = self.uplan
+
+
+
+ if permissions['workoutid']:
+ workouts = coacheeuser['workouts']
+ url = reverse(view,kwargs={'id':encoder.encode_hex(workouts[0].id)})
+ urlstotest.append(url)
+
+ elif permissions['userid']:
+ url = reverse(view,kwargs={'userid':coacheeuser['user'].id})
+ urlstotest.append(url)
+
+ url = reverse(view,kwargs={'userid':self.ustrange['user'].id})
+ otheruserurls.append(url)
+
+ # test logged in as user who has permissions
+ for url in urlstotest:
+ print(url)
+ login = self.c.login(username = thisuser['username'],password = thisuser['password'])
+ result = self.c.get(url)
+ self.assertEqual(result.status_code, permissions['coachee_response'])
 # test as user with permissions, accessing object of non-related user
 for url in otheruserurls:
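Review bot: The new coachee test is gated on `permissions['own'] and not permissions['is_staff']` but assigns `thisuser` and `coacheeuser` only when `permissions['coachee'] == 'coach'`. For any other value the later reads of `coacheeuser['workouts']` and `thisuser['username']` would hit unbound names; the nesting is inferred, because indentation is not visible on this page. Gating on the key the test is about, for example `if permissions['coachee'] == 'coach' and not permissions['is_staff']:`, would avoid that, assuming views without coachee access carry a different value. `notuser = self.uplan` and `falseurlstotest` are set, but no loop in the added lines uses them, so the denied path (a team member who is not the coach requesting the coachee's object) is never asserted. The test continues past the end of the hunk.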