| | 1 | |
| | 2 | from django.test import TestCase |
| | 3 | from django.contrib.auth.models import User, Permission |
| | 4 | from django.contrib.contenttypes.models import ContentType |
| | 5 | from django.contrib.admin.sites import LOGIN_FORM_KEY, _encode_post_data |
| | 6 | |
| | 7 | # local test models |
| | 8 | from models import Article |
| | 9 | |
| | 10 | def get_perm(Model, perm): |
| | 11 | """Return the permission object, for the Model""" |
| | 12 | ct = ContentType.objects.get_for_model(Model) |
| | 13 | return Permission.objects.get(content_type=ct,codename=perm) |
| | 14 | |
| | 15 | |
| | 16 | class AdminViewPermissionsTest(TestCase): |
| | 17 | """Tests for Admin Views Permissions.""" |
| | 18 | |
| | 19 | fixtures = ['admin-views-users.xml'] |
| | 20 | |
| | 21 | def setUp(self): |
| | 22 | """Test setup.""" |
| | 23 | # Setup permissions, for our users who can add, change, and delete. |
| | 24 | # We can't put this into the fixture, because the content type id |
| | 25 | # and the permission id could be different on each run of the test. |
| | 26 | |
| | 27 | opts = Article._meta |
| | 28 | |
| | 29 | # User who can add Articles |
| | 30 | add_user = User.objects.get(username='adduser') |
| | 31 | add_user.user_permissions.add(get_perm(Article, opts.get_add_permission())) |
| | 32 | |
| | 33 | # User who can change Articles |
| | 34 | change_user = User.objects.get(username='changeuser') |
| | 35 | change_user.user_permissions.add(get_perm(Article, opts.get_change_permission())) |
| | 36 | |
| | 37 | # User who can delete Articles |
| | 38 | delete_user = User.objects.get(username='deleteuser') |
| | 39 | delete_user.user_permissions.add(get_perm(Article, opts.get_delete_permission())) |
| | 40 | |
| | 41 | # login POST dicts |
| | 42 | self.super_login = {'post_data': _encode_post_data({}), |
| | 43 | LOGIN_FORM_KEY: 1, |
| | 44 | 'username': 'super', |
| | 45 | 'password': 'secret'} |
| | 46 | self.adduser_login = {'post_data': _encode_post_data({}), |
| | 47 | LOGIN_FORM_KEY: 1, |
| | 48 | 'username': 'adduser', |
| | 49 | 'password': 'secret'} |
| | 50 | self.changeuser_login = {'post_data': _encode_post_data({}), |
| | 51 | LOGIN_FORM_KEY: 1, |
| | 52 | 'username': 'changeuser', |
| | 53 | 'password': 'secret'} |
| | 54 | self.deleteuser_login = {'post_data': _encode_post_data({}), |
| | 55 | LOGIN_FORM_KEY: 1, |
| | 56 | 'username': 'deleteuser', |
| | 57 | 'password': 'secret'} |
| | 58 | self.joepublic_login = {'post_data': _encode_post_data({}), |
| | 59 | LOGIN_FORM_KEY: 1, |
| | 60 | 'username': 'joepublic', |
| | 61 | 'password': 'secret'} |
| | 62 | |
| | 63 | |
| | 64 | def testLogin(self): |
| | 65 | """Make sure only staff members can log in. |
| | 66 | |
| | 67 | Successful posts to the login page will redirect to the orignal url. |
| | 68 | Unsuccessfull attempts will continue to render the login page with |
| | 69 | a 200 status code. |
| | 70 | """ |
| | 71 | # Super User |
| | 72 | request = self.client.get('/test_admin/admin/') |
| | 73 | self.failUnlessEqual(request.status_code, 200) |
| | 74 | login = self.client.post('/test_admin/admin/', self.super_login) |
| | 75 | self.assertRedirects(login, '/test_admin/admin/') |
| | 76 | self.assertFalse(login.context) |
| | 77 | self.client.get('/test_admin/admin/logout/') |
| | 78 | |
| | 79 | # Add User |
| | 80 | request = self.client.get('/test_admin/admin/') |
| | 81 | self.failUnlessEqual(request.status_code, 200) |
| | 82 | login = self.client.post('/test_admin/admin/', self.adduser_login) |
| | 83 | self.assertRedirects(login, '/test_admin/admin/') |
| | 84 | self.assertFalse(login.context) |
| | 85 | self.client.get('/test_admin/admin/logout/') |
| | 86 | |
| | 87 | # Change User |
| | 88 | request = self.client.get('/test_admin/admin/') |
| | 89 | self.failUnlessEqual(request.status_code, 200) |
| | 90 | login = self.client.post('/test_admin/admin/', self.changeuser_login) |
| | 91 | self.assertRedirects(login, '/test_admin/admin/') |
| | 92 | self.assertFalse(login.context) |
| | 93 | self.client.get('/test_admin/admin/logout/') |
| | 94 | |
| | 95 | # Delete User |
| | 96 | request = self.client.get('/test_admin/admin/') |
| | 97 | self.failUnlessEqual(request.status_code, 200) |
| | 98 | login = self.client.post('/test_admin/admin/', self.deleteuser_login) |
| | 99 | self.assertRedirects(login, '/test_admin/admin/') |
| | 100 | self.assertFalse(login.context) |
| | 101 | self.client.get('/test_admin/admin/logout/') |
| | 102 | |
| | 103 | # Regular User should not be able to login. |
| | 104 | request = self.client.get('/test_admin/admin/') |
| | 105 | self.failUnlessEqual(request.status_code, 200) |
| | 106 | login = self.client.post('/test_admin/admin/', self.joepublic_login) |
| | 107 | self.failUnlessEqual(login.status_code, 200) |
| | 108 | # Login.context is a list of context dicts we just need to check the first one. |
| | 109 | self.assert_(login.context[0].get('error_message')) |
| | 110 | |
| | 111 | def testAddView(self): |
| | 112 | """Test add view restricts access and actually adds items.""" |
| | 113 | |
| | 114 | add_dict = {'content': '<p>great article</p>', |
| | 115 | 'date_0': '2008-03-18', 'date_1': '10:54:39'} |
| | 116 | |
| | 117 | # Change User should not have access to add articles |
| | 118 | self.client.get('/test_admin/admin/') |
| | 119 | self.client.post('/test_admin/admin/', self.changeuser_login) |
| | 120 | request = self.client.get('/test_admin/admin/admin_views/article/add/') |
| | 121 | self.failUnlessEqual(request.status_code, 403) |
| | 122 | # Try POST just to make sure |
| | 123 | post = self.client.post('/test_admin/admin/admin_views/article/add/', add_dict) |
| | 124 | self.failUnlessEqual(post.status_code, 403) |
| | 125 | self.failUnlessEqual(Article.objects.all().count(), 1) |
| | 126 | self.client.get('/test_admin/admin/logout/') |
| | 127 | |
| | 128 | # Add user may login and POST to add view, then redirect to admin root |
| | 129 | self.client.get('/test_admin/admin/') |
| | 130 | self.client.post('/test_admin/admin/', self.adduser_login) |
| | 131 | post = self.client.post('/test_admin/admin/admin_views/article/add/', add_dict) |
| | 132 | self.assertRedirects(post, '/test_admin/admin/') |
| | 133 | self.failUnlessEqual(Article.objects.all().count(), 2) |
| | 134 | self.client.get('/test_admin/admin/logout/') |
| | 135 | |
| | 136 | # Super can add too, but is redirected to the change list view |
| | 137 | self.client.get('/test_admin/admin/') |
| | 138 | self.client.post('/test_admin/admin/', self.super_login) |
| | 139 | post = self.client.post('/test_admin/admin/admin_views/article/add/', add_dict) |
| | 140 | self.assertRedirects(post, '/test_admin/admin/admin_views/article/') |
| | 141 | self.failUnlessEqual(Article.objects.all().count(), 3) |
| | 142 | self.client.get('/test_admin/admin/logout/') |
| | 143 | |
| | 144 | def testChangeView(self): |
| | 145 | """Change view should restrict access and allow users to edit items.""" |
| | 146 | |
| | 147 | change_dict = {'content': '<p>edited article</p>', |
| | 148 | 'date_0': '2008-03-18', 'date_1': '10:54:39'} |
| | 149 | |
| | 150 | # add user shoud not be able to view the list of article or change any of them |
| | 151 | self.client.get('/test_admin/admin/') |
| | 152 | self.client.post('/test_admin/admin/', self.adduser_login) |
| | 153 | request = self.client.get('/test_admin/admin/admin_views/article/') |
| | 154 | self.failUnlessEqual(request.status_code, 403) |
| | 155 | request = self.client.get('/test_admin/admin/admin_views/article/1/') |
| | 156 | self.failUnlessEqual(request.status_code, 403) |
| | 157 | post = self.client.post('/test_admin/admin/admin_views/article/1/', change_dict) |
| | 158 | self.failUnlessEqual(post.status_code, 403) |
| | 159 | self.client.get('/test_admin/admin/logout/') |
| | 160 | |
| | 161 | # change user can view all items and edit them |
| | 162 | self.client.get('/test_admin/admin/') |
| | 163 | self.client.post('/test_admin/admin/', self.changeuser_login) |
| | 164 | request = self.client.get('/test_admin/admin/admin_views/article/') |
| | 165 | self.failUnlessEqual(request.status_code, 200) |
| | 166 | request = self.client.get('/test_admin/admin/admin_views/article/1/') |
| | 167 | self.failUnlessEqual(request.status_code, 200) |
| | 168 | post = self.client.post('/test_admin/admin/admin_views/article/1/', change_dict) |
| | 169 | self.assertRedirects(post, '/test_admin/admin/admin_views/article/') |
| | 170 | self.failUnlessEqual(Article.objects.get(pk=1).content, '<p>edited article</p>') |
| | 171 | self.client.get('/test_admin/admin/logout/') |
| | 172 | |
| | 173 | def testDeleteView(self): |
| | 174 | """Delete view should restrict access and actually delete items.""" |
| | 175 | |
| | 176 | delete_dict = {'post': 'yes'} |
| | 177 | |
| | 178 | # add user shoud not be able to delete articles |
| | 179 | self.client.get('/test_admin/admin/') |
| | 180 | self.client.post('/test_admin/admin/', self.adduser_login) |
| | 181 | request = self.client.get('/test_admin/admin/admin_views/article/1/delete/') |
| | 182 | self.failUnlessEqual(request.status_code, 403) |
| | 183 | post = self.client.post('/test_admin/admin/admin_views/article/1/delete/', delete_dict) |
| | 184 | self.failUnlessEqual(post.status_code, 403) |
| | 185 | self.failUnlessEqual(Article.objects.all().count(), 1) |
| | 186 | self.client.get('/test_admin/admin/logout/') |
| | 187 | |
| | 188 | # Delete user can delete |
| | 189 | self.client.get('/test_admin/admin/') |
| | 190 | self.client.post('/test_admin/admin/', self.deleteuser_login) |
| | 191 | request = self.client.get('/test_admin/admin/admin_views/article/1/delete/') |
| | 192 | self.failUnlessEqual(request.status_code, 200) |
| | 193 | post = self.client.post('/test_admin/admin/admin_views/article/1/delete/', delete_dict) |
| | 194 | # TODO: http://code.djangoproject.com/ticket/6819 or the next line fails |
| | 195 | self.assertRedirects(post, '/test_admin/admin/') |
| | 196 | self.failUnlessEqual(Article.objects.all().count(), 0) |
| | 197 | self.client.get('/test_admin/admin/logout/') |
| | 198 | No newline at end of file |