404 tests and test that everything requires authentication

assets/tests/test_assets.py

@@ -7,7 +7,7 @@ from django.urls import reverse
 from urllib.parse import urlparse
 from RIGS import models as rigsmodels
 from PyRIGS.tests.base import BaseTest, AutoLoginTest
-from assets import models
+from assets import models, urls
 from reversion import revisions as reversion
 from selenium.webdriver.common.keys import Keys
 import datetime
@@ -264,6 +264,24 @@ class TestSupplierValidation(TestCase):
         self.assertFormError(response, 'form', 'name', 'This field is required.')
 
 
+class Test404(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.profile = rigsmodels.Profile.objects.create(username="404Test", email="404@test.com", is_superuser=True, is_active=True, is_staff=True)
+
+    def setUp(self):
+        self.profile.set_password('testuser')
+        self.profile.save()
+        self.assertTrue(self.client.login(username=self.profile.username, password='testuser'))
+
+    def test(self):
+        urls = {'asset_detail', 'asset_update', 'asset_duplicate', 'supplier_detail', 'supplier_update',}
+        for url_name in urls:
+            request_url = reverse(url_name, kwargs={'pk': "0000"})
+            response = self.client.get(request_url, follow=True)
+            self.assertEqual(response.status_code, 404)
+
+
 # @tag('slow') TODO: req. Django 3.0
 class TestAccessLevels(TestCase):
     @override_settings(DEBUG=True)
@@ -272,6 +290,24 @@ class TestAccessLevels(TestCase):
         # Shortcut to create the levels - bonus side effect of testing the command (hopefully) matches production
         call_command('generateSampleData')
 
+    # Nothing should be available to the unauthenticated
+    def test_unauthenticated(self):
+        for url in urls.urlpatterns:
+            if url.name is not None:
+                pattern = str(url.pattern)
+                if "json" in url.name or pattern:
+                    # TODO
+                    pass
+                elif ":pk>" in pattern:
+                    request_url = reverse(url.name, kwargs={'pk': 9})
+                else:
+                    request_url = reverse(url.name)
+                response = self.client.get(request_url, HTTP_HOST='example.com')
+                self.assertEqual(response.status_code, 302)
+                response = self.client.get(request_url, follow=True, HTTP_HOST='example.com')
+                self.assertEqual(response.status_code, 200)
+                self.assertContains(response, 'login')
+
     def test_basic_access(self):
         self.assertTrue(self.client.login(username="basic", password="basic"))
 
@@ -286,17 +322,11 @@ class TestAccessLevels(TestCase):
         self.assertNotContains(response, 'Purchase Details')
         self.assertNotContains(response, 'View Revision History')
 
-        request_url = reverse('asset_update', kwargs={'pk': "9000"})
+        urls = {'asset_history', 'asset_update', 'asset_duplicate'}
-        response = self.client.get(request_url, follow=True)
+        for url_name in urls:
-        self.assertEqual(response.status_code, 403)
+            request_url = reverse(url_name, kwargs={'pk': "9000"})
-
+            response = self.client.get(request_url, follow=True)
-        request_url = reverse('asset_duplicate', kwargs={'pk': "9000"})
+            self.assertEqual(response.status_code, 403)
-        response = self.client.get(request_url, follow=True)
-        self.assertEqual(response.status_code, 403)
-
-        request_url = reverse('asset_history', kwargs={'pk': "9000"})
-        response = self.client.get(request_url, follow=True)
-        self.assertEqual(response.status_code, 403)
 
         request_url = reverse('supplier_create')
         response = self.client.get(request_url, follow=True)

assets/urls.py

@@ -8,9 +8,8 @@ from django.views.decorators.clickjacking import xframe_options_exempt
 from PyRIGS.decorators import has_oembed, permission_required_with_403
 
 urlpatterns = [
-    path('', views.AssetList.as_view(), name='asset_index'),
+    path('', login_required(views.AssetList.as_view()), name='asset_index'),
-    path('asset/list/', views.AssetList.as_view(), name='asset_list'),
+    path('asset/list/', login_required(views.AssetList.as_view()), name='asset_list'),
-    # Lazy way to enable the oembed redirect...
     path('asset/id/<str:pk>/', has_oembed(oembed_view="asset_oembed")(views.AssetDetail.as_view()), name='asset_detail'),
     path('asset/create/', permission_required_with_403('assets.add_asset')
          (views.AssetCreate.as_view()), name='asset_create'),
@@ -38,7 +37,7 @@ urlpatterns = [
          (views.SupplierCreate.as_view()), name='supplier_create'),
     path('supplier/<int:pk>/edit', permission_required_with_403('assets.change_supplier')
          (views.SupplierUpdate.as_view()), name='supplier_update'),
-    path('supplier/<str:pk>/history/', views.SupplierVersionHistory.as_view(),
+    path('supplier/<int:pk>/history/', views.SupplierVersionHistory.as_view(),
          name='supplier_history', kwargs={'model': models.Supplier}),
 
     path('supplier/search/', views.SupplierSearch.as_view(), name='supplier_search_json'),

assets/views.py

@@ -212,8 +212,6 @@ class SupplierSearch(SupplierList):
 
         for supplier in context["object_list"]:
             result.append({"id": supplier.pk, "name": supplier.name})
-        import pdb
-        pdb.set_trace()
         return JsonResponse(result, safe=False)