diff options
| author | Nikolaus Schlemm | 2013-05-18 18:29:51 +0200 |
|---|---|---|
| committer | Nikolaus Schlemm | 2013-05-18 18:29:51 +0200 |
| commit | 7f1cc82f96c2ba4064b28957a8b2d5b313be3c40 (patch) | |
| tree | e34c2450d188d66756534c9fb631c56d888ce902 | |
| parent | 5ab7cc6e6be5445bc0d4ccc26f1ec84239af74d5 (diff) | |
| download | django-rest-framework-7f1cc82f96c2ba4064b28957a8b2d5b313be3c40.tar.bz2 | |
added unittests for permission check of exposing actions via OPTIONS
| -rw-r--r-- | rest_framework/tests/permissions.py | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/rest_framework/tests/permissions.py b/rest_framework/tests/permissions.py index b3993be5..5a18182b 100644 --- a/rest_framework/tests/permissions.py +++ b/rest_framework/tests/permissions.py @@ -108,6 +108,51 @@ class ModelPermissionsIntegrationTests(TestCase): response = instance_view(request, pk='2') self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + def test_options_permitted(self): + request = factory.options('/', content_type='application/json', + HTTP_AUTHORIZATION=self.permitted_credentials) + response = root_view(request, pk='1') + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertIn('actions', response.data) + self.assertEquals(response.data['actions'].keys(), ['POST', 'GET',]) + + request = factory.options('/1', content_type='application/json', + HTTP_AUTHORIZATION=self.permitted_credentials) + response = instance_view(request, pk='1') + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertIn('actions', response.data) + self.assertEquals(response.data['actions'].keys(), ['PUT', 'PATCH', 'DELETE', 'GET',]) + + def test_options_disallowed(self): + request = factory.options('/', content_type='application/json', + HTTP_AUTHORIZATION=self.disallowed_credentials) + response = root_view(request, pk='1') + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertIn('actions', response.data) + self.assertEquals(response.data['actions'].keys(), ['GET',]) + + request = factory.options('/1', content_type='application/json', + HTTP_AUTHORIZATION=self.disallowed_credentials) + response = instance_view(request, pk='1') + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertIn('actions', response.data) + self.assertEquals(response.data['actions'].keys(), ['GET',]) + + def test_options_updateonly(self): + request = factory.options('/', content_type='application/json', + HTTP_AUTHORIZATION=self.updateonly_credentials) + response = root_view(request, pk='1') + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertIn('actions', response.data) + self.assertEquals(response.data['actions'].keys(), ['GET',]) + + request = factory.options('/1', content_type='application/json', + HTTP_AUTHORIZATION=self.updateonly_credentials) + response = instance_view(request, pk='1') + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertIn('actions', response.data) + self.assertEquals(response.data['actions'].keys(), ['PUT', 'PATCH', 'GET',]) + class OwnerModel(models.Model): text = models.CharField(max_length=100) |