Opened 16 years ago
Closed 16 years ago
#9887 closed (wontfix)
Testclient user have not enough permissions to create another users.
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | Testing framework | Version: | 1.0 |
| Severity: | Keywords: | ||
| Cc: | alex.slesarev@… | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
During Django unit-testing the testclient user is creating another users, and if someone (like we are) added security checks like one below, tests will fail.
Sample code:
def check_change_permissions(sender, instance, **kwargs):
user = get_current_user()
# WARNING! This is used for passing Django unit-testing.
if not user:
return
#WARNING! For successful login.
if user.is_anonymous():
return
if user.is_superuser:
return
if user != instance:
raise PermissionDenied
pre_save.connect(check_change_permissions, sender = User)
The fix is trivial - add superuser permissions to the testclient user. Patch is included.
Attachments (1)
Change History (5)
by , 16 years ago
| Attachment: | authtestdata.json.patch added |
|---|
comment:1 by , 16 years ago
| Cc: | added |
|---|
comment:2 by , 16 years ago
follow-up: 4 comment:3 by , 16 years ago
Of course, let me describe an issue more detailed:
- we have strict security policy in our application - only superusers or users with special permissions can create another users, and a usual user can modify only its own account with few restrictions;
- automated admin sites in Django is not flexible enough - we can't allow user to modify only its own account without access to other accounts;
- so we added pre_save handler for User model, and after that internal Django tests fails (because testclient user do not have superuser status, and it creates another users during these tests).
The simple way to fix it - check if pre_save handler works in test environment and disable it during tests. But we didn't find a way how to do it correctly. Our study shows that a more clear way to fix it - give testclient user a superuser status. Of course, we didn't modify Django core in our case, and just add required fixture in our project. But I'm worry that this situation can happen with other Django developers.
comment:4 by , 16 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Replying to nuald <alex.slesarev@gmail.com>:
- automated admin sites in Django is not flexible enough - we can't allow user to modify only its own account without access to other accounts;
You most certainly can set that up, by unregstering the default ModelAdmin for the User class, then registering your own with an overridden has_change_permission that implements your custom logic.
At any rate, this seems like a case where your specific needs will require you to come up with specific workarounds rather than ask Django to work around things for you.
Could you describe the problem a bit more, please? Are you saying that the auth tests fail in some way without this patch? If it's your own tests that are failing, this is not the solution. The solution is to create an initial user for your tests that has the appropriate permissions. I.e., set up the preconditions for your test appropriately, rather than hoping some other test has done it for you.
You haven't really explained how to recreate the problem, just what you have to done to "solve" it, whatever the issue may happen to be. So it's tricky to evaluate the proposed solution at the moment.