TeamRolesList permission tests and fix, organize tests

2026-05-16 15:58:39 -05:00 · 2016-06-13 09:16:03 -04:00
parent 7f38227e11
commit b485b85076
4 changed files with 92 additions and 52 deletions
@@ -0,0 +1,48 @@
+import pytest
+
+from django.core.urlresolvers import reverse
+
+
+@pytest.mark.django_db
+def test_user_role_view_access(rando, inventory, mocker, post):
+    "Assure correct access method is called when assigning users new roles"
+    role_pk = inventory.admin_role.pk
+    data = {"id": role_pk}
+    mock_access = mocker.MagicMock(can_attach=mocker.MagicMock(return_value=False))
+    with mocker.patch('awx.main.access.RoleAccess', return_value=mock_access):
+        post(url=reverse('api:user_roles_list', args=(rando.pk,)),
+             data=data, user=rando, expect=403)
+    mock_access.can_attach.assert_called_once_with(
+        inventory.admin_role, rando, 'members', data,
+        skip_sub_obj_read_check=False)
+    assert rando not in inventory.admin_role
+
+@pytest.mark.django_db
+def test_team_role_view_access(rando, team, inventory, mocker, post):
+    "Assure correct access method is called when assigning teams new roles"
+    team.admin_role.members.add(rando)
+    role_pk = inventory.admin_role.pk
+    data = {"id": role_pk}
+    mock_access = mocker.MagicMock(can_attach=mocker.MagicMock(return_value=False))
+    with mocker.patch('awx.main.access.RoleAccess', return_value=mock_access):
+        post(url=reverse('api:team_roles_list', args=(team.pk,)),
+             data=data, user=rando, expect=403)
+    mock_access.can_attach.assert_called_once_with(
+        inventory.admin_role, team, 'member_role.parents', data,
+        skip_sub_obj_read_check=False)
+    assert team not in inventory.admin_role
+
+@pytest.mark.django_db
+def test_role_team_view_access(rando, team, inventory, mocker, post):
+    """Assure that /role/N/teams/ enforces the same permission restrictions
+    that /teams/N/roles/ does when assigning teams new roles"""
+    role_pk = inventory.admin_role.pk
+    data = {"id": team.pk}
+    mock_access = mocker.MagicMock(return_value=False, __name__='mocked')
+    with mocker.patch('awx.main.access.RoleAccess.can_attach', mock_access):
+        post(url=reverse('api:role_teams_list', args=(role_pk,)),
+             data=data, user=rando, expect=403)
+    mock_access.assert_called_once_with(
+        inventory.admin_role, team, 'member_role.parents', data,
+        skip_sub_obj_read_check=False)
+    assert team not in inventory.admin_role
@@ -1,64 +1,32 @@
-import mock
 import pytest

 from awx.main.access import (
    RoleAccess,
-    UserAccess
-)
-
-from django.core.urlresolvers import reverse
-from django.contrib.auth.models import User
+    UserAccess,
+    TeamAccess)


@pytest.mark.django_db
-def test_user_role_access_view(rando, inventory, mocker, post):
-    # rando has read access for the inventory
-    inventory.read_role.members.add(rando)
-
-    role_pk = inventory.admin_role.pk
-    mock_access = mocker.MagicMock(spec=RoleAccess, can_attach=mock.MagicMock(return_value=False))
-    with mocker.patch('awx.main.access.RoleAccess', return_value=mock_access):
-        response = post(url=reverse('api:user_roles_list', args=(rando.pk,)),
-                        data={'id': role_pk}, user=rando)
-    mock_access.can_attach.assert_called_once_with(
-        inventory.admin_role, rando, 'members', {"id": role_pk},
-        skip_sub_obj_read_check=False)
-    assert rando not in inventory.admin_role
-
-@pytest.mark.django_db
-def test_role_team_access_view(rando, team, inventory, mocker, post):
+def test_team_access_attach(rando, team, inventory):
    # rando is admin of the team
    team.admin_role.members.add(rando)
+    inventory.read_role.members.add(rando)
    # team has read_role for the inventory
    team.member_role.children.add(inventory.read_role)
-    
-    role_pk = inventory.admin_role.pk
-    mock_access = mocker.MagicMock(spec=RoleAccess)
-    with mocker.patch('awx.main.access.RoleAccess', return_value=mock_access):
-        response = post(url=reverse('api:role_teams_list', args=(role_pk,)),
-                        data={'id': team.pk}, user=rando)
-    mock_access.can_attach.assert_called_once_with(
-        inventory.admin_role, team, 'members', {"id": role_pk},
-        skip_sub_obj_read_check=False)
-    assert team not in inventory.admin_role
+
+    access = TeamAccess(rando)
+    data = {'id': inventory.admin_role.pk}
+    assert not access.can_attach(team, inventory.admin_role, 'member_role.children', data, False)

@pytest.mark.django_db
-def test_inventory_read_role_user_can_access(rando, inventory):
-    inventory.read_role.members.add(rando)
-    access = RoleAccess(rando)
-    assert not rando.can_access(
-        User, 'attach', rando, inventory.admin_role, 'roles',
-        {'id': inventory.admin_role.pk}, False)
-
-@pytest.mark.django_db
-def test_inventory_read_role_user_access(rando, inventory):
+def test_user_access_attach(rando, inventory):
    inventory.read_role.members.add(rando)
    access = UserAccess(rando)
    data = {'id': inventory.admin_role.pk}
    assert not access.can_attach(rando, inventory.admin_role, 'roles', data, False)

@pytest.mark.django_db
-def test_inventory_read_role_access(rando, inventory):
+def test_role_access_attach(rando, inventory):
    inventory.read_role.members.add(rando)
    access = RoleAccess(rando)
    assert not access.can_attach(inventory.admin_role, rando, 'members', None)