From 3e16075b3418347cc00de0ee3f13cb38987fff22 Mon Sep 17 00:00:00 2001
From: FreneticScribbler
Date: Fri, 7 Feb 2020 21:36:08 +0000
Subject: [PATCH] 404 tests and test that everything requires authentication
---
 assets/tests/test_assets.py | 54 ++++++++++++++++++++++++++++---------
 assets/urls.py | 7 +++--
 assets/views.py | 2 --
 3 files changed, 45 insertions(+), 18 deletions(-)
diff --git a/assets/tests/test_assets.py b/assets/tests/test_assets.py
index 685d86fe..6c7ea293 100644
--- a/assets/tests/test_assets.py
+++ b/assets/tests/test_assets.py
@@ -7,7 +7,7 @@ from django.urls import reverse
 from urllib.parse import urlparse
 from RIGS import models as rigsmodels
 from PyRIGS.tests.base import BaseTest, AutoLoginTest
-from assets import models
+from assets import models, urls
 from reversion import revisions as reversion
 from selenium.webdriver.common.keys import Keys
 import datetime
@@ -264,6 +264,24 @@ class TestSupplierValidation(TestCase):
 self.assertFormError(response, 'form', 'name', 'This field is required.')
+class Test404(TestCase):
+ @classmethod
+ def setUpTestData(cls):
+ cls.profile = rigsmodels.Profile.objects.create(username="404Test", email="404@test.com", is_superuser=True, is_active=True, is_staff=True)
+
+ def setUp(self):
+ self.profile.set_password('testuser')
+ self.profile.save()
+ self.assertTrue(self.client.login(username=self.profile.username, password='testuser'))
+
+ def test(self):
+ urls = {'asset_detail', 'asset_update', 'asset_duplicate', 'supplier_detail', 'supplier_update',}
+ for url_name in urls:
+ request_url = reverse(url_name, kwargs={'pk': "0000"})
+ response = self.client.get(request_url, follow=True)
+ self.assertEqual(response.status_code, 404)
+
+
 # @tag('slow') TODO: req. Django 3.0
 class TestAccessLevels(TestCase):
 @override_settings(DEBUG=True)
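Review bot: In `Test404.test` the local set named `urls` shadows the `urls` module this commit imports with `from assets import models, urls`, and the loop stops at the first failing assertion without reporting which route failed. Renaming the set and running each route as a sub-test fixes both: `url_names = {...}` and `with self.subTest(url_name=url_name):` around the three lines in the loop body. The rewritten 403 loop in `test_basic_access` (the `@@ -286,17 +322,11 @@` hunk) has the same two problems. The 404 check also runs only as a superuser, so it does not show what a lower-privileged account sees for a missing id.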
@@ -272,6 +290,24 @@ class TestAccessLevels(TestCase):
 # Shortcut to create the levels - bonus side effect of testing the command (hopefully) matches production
 call_command('generateSampleData')
+ # Nothing should be available to the unauthenticated
+ def test_unauthenticated(self):
+ for url in urls.urlpatterns:
+ if url.name is not None:
+ pattern = str(url.pattern)
+ if "json" in url.name or pattern:
+ # TODO
+ pass
+ elif ":pk>" in pattern:
+ request_url = reverse(url.name, kwargs={'pk': 9})
+ else:
+ request_url = reverse(url.name)
+ response = self.client.get(request_url, HTTP_HOST='example.com')
+ self.assertEqual(response.status_code, 302)
+ response = self.client.get(request_url, follow=True, HTTP_HOST='example.com')
+ self.assertEqual(response.status_code, 200)
+ self.assertContains(response, 'login')
+
 def test_basic_access(self):
 self.assertTrue(self.client.login(username="basic", password="basic"))
@@ -286,17 +322,11 @@ class TestAccessLevels(TestCase):
 self.assertNotContains(response, 'Purchase Details')
 self.assertNotContains(response, 'View Revision History')
- request_url = reverse('asset_update', kwargs={'pk': "9000"})
- response = self.client.get(request_url, follow=True)
- self.assertEqual(response.status_code, 403)
-
- request_url = reverse('asset_duplicate', kwargs={'pk': "9000"})
- response = self.client.get(request_url, follow=True)
- self.assertEqual(response.status_code, 403)
-
- request_url = reverse('asset_history', kwargs={'pk': "9000"})
- response = self.client.get(request_url, follow=True)
- self.assertEqual(response.status_code, 403)
+ urls = {'asset_history', 'asset_update', 'asset_duplicate'}
+ for url_name in urls:
+ request_url = reverse(url_name, kwargs={'pk': "9000"})
+ response = self.client.get(request_url, follow=True)
+ self.assertEqual(response.status_code, 403)
 request_url = reverse('supplier_create')
 response = self.client.get(request_url, follow=True)
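Review bot: `test_unauthenticated` does not exercise most routes, because `if "json" in url.name or pattern:` is true for every route whose pattern string is non-empty, and that branch only runs `pass`. Indentation is lost in this view, but under any reading the `client.get` calls are either skipped for those routes or reuse the `request_url` left over from an earlier iteration, so a route missing its login wrapper would still pass. Test the name alone and skip explicitly, `if "json" in url.name:` followed by `continue  # TODO: cover JSON endpoints`, so that every remaining route is requested. Once the loop runs for real, routes that take arguments other than `pk` will need their own `reverse` kwargs.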
diff --git a/assets/urls.py b/assets/urls.py
index 78e60592..dc8e021c 100644
--- a/assets/urls.py
+++ b/assets/urls.py
@@ -8,9 +8,8 @@ from django.views.decorators.clickjacking import xframe_options_exempt
 from PyRIGS.decorators import has_oembed, permission_required_with_403
 urlpatterns = [
- path('', views.AssetList.as_view(), name='asset_index'),
- path('asset/list/', views.AssetList.as_view(), name='asset_list'),
- # Lazy way to enable the oembed redirect...
+ path('', login_required(views.AssetList.as_view()), name='asset_index'),
+ path('asset/list/', login_required(views.AssetList.as_view()), name='asset_list'),
 path('asset/id//', has_oembed(oembed_view="asset_oembed")(views.AssetDetail.as_view()), name='asset_detail'),
 path('asset/create/', permission_required_with_403('assets.add_asset')
 (views.AssetCreate.as_view()), name='asset_create'),
@@ -38,7 +37,7 @@ urlpatterns = [
 (views.SupplierCreate.as_view()), name='supplier_create'),
 path('supplier//edit', permission_required_with_403('assets.change_supplier')
 (views.SupplierUpdate.as_view()), name='supplier_update'),
- path('supplier//history/', views.SupplierVersionHistory.as_view(),
+ path('supplier//history/', views.SupplierVersionHistory.as_view(),
 name='supplier_history', kwargs={'model': models.Supplier}),
 path('supplier/search/', views.SupplierSearch.as_view(), name='supplier_search_json'),
diff --git a/assets/views.py b/assets/views.py
index 1bc597a3..29eaa7aa 100644
--- a/assets/views.py
+++ b/assets/views.py
@@ -212,8 +212,6 @@ class SupplierSearch(SupplierList):
 for supplier in context["object_list"]:
 result.append({"id": supplier.pk, "name": supplier.name})
- import pdb
- pdb.set_trace()
 return JsonResponse(result, safe=False)
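Review bot: Authentication is added route by route in the URLconf (`login_required(views.AssetList.as_view())` appears twice in the first `assets/urls.py` hunk), so every other route depends on someone remembering its wrapper. In the second hunk `supplier_history` and `supplier_search_json` still map to bare `views.SupplierVersionHistory.as_view()` and `views.SupplierSearch.as_view()`. Unless those classes enforce login themselves, which is not visible from here, they answer unauthenticated requests, and the new test skips names containing `json`. Listing `LoginRequiredMixin` first in the bases of the view classes, or wrapping these two routes in `login_required(...)` as well, closes that gap. The import of `login_required` lies outside the hunk, so confirm `assets/urls.py` has it.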