Tests for DjangoModelPermissions.

author: Tom Christie 2013-02-10 16:42:24 +0000
committer: Tom Christie 2013-02-10 16:42:24 +0000
commit: 4c8bd40465a79679b0db26277b59448db63d09d0 (patch)
tree: 80a9b3ebb3cbd2a5eaf24fcaa4e874861e3c75ab /rest_framework
parent: fd57978cb757597b82b58df78c52dc98eaed875e (diff)
download: django-rest-framework-4c8bd40465a79679b0db26277b59448db63d09d0.tar.bz2
1 files changed, 89 insertions, 0 deletions
diff --git a/rest_framework/tests/permissions.py b/rest_framework/tests/permissions.py
new file mode 100644
index 00000000..c04d2110
--- /dev/null
+++ b/rest_framework/tests/permissions.py
@@ -0,0 +1,89 @@
+from __future__ import unicode_literals
+from django.contrib.auth.models import User, Permission
+from django.db import models
+from django.test import TestCase
+from rest_framework import generics, status, permissions, authentication, HTTP_HEADER_ENCODING
+from rest_framework.tests.utils import RequestFactory
+import base64
+import json
+
+factory = RequestFactory()
+
+
+class BasicModel(models.Model):
+    text = models.CharField(max_length=100)
+
+
+class RootView(generics.ListCreateAPIView):
+    model = BasicModel
+    authentication_classes = [authentication.BasicAuthentication]
+    permission_classes = [permissions.DjangoModelPermissions]
+
+
+class InstanceView(generics.RetrieveUpdateDestroyAPIView):
+    model = BasicModel
+    authentication_classes = [authentication.BasicAuthentication]
+    permission_classes = [permissions.DjangoModelPermissions]
+
+root_view = RootView.as_view()
+instance_view = InstanceView.as_view()
+
+
+def basic_auth_header(username, password):
+    credentials = ('%s:%s' % (username, password))
+    base64_credentials = base64.b64encode(credentials.encode(HTTP_HEADER_ENCODING)).decode(HTTP_HEADER_ENCODING)
+    return 'Basic %s' % base64_credentials
+
+
+class ModelPermissionsIntegrationTests(TestCase):
+    def setUp(self):
+        User.objects.create_user('disallowed', 'disallowed@example.com', 'password')
+        user = User.objects.create_user('permitted', 'permitted@example.com', 'password')
+        user.user_permissions = [
+            Permission.objects.get(codename='add_basicmodel'),
+            Permission.objects.get(codename='change_basicmodel'),
+            Permission.objects.get(codename='delete_basicmodel')
+        ]
+
+        self.permitted_credentials = basic_auth_header('permitted', 'password')
+        self.disallowed_credentials = basic_auth_header('disallowed', 'password')
+
+        BasicModel(text='foo').save()
+
+    def test_has_create_permissions(self):
+        request = factory.post('/', json.dumps({'text': 'foobar'}),
+                               content_type='application/json',
+                               HTTP_AUTHORIZATION=self.permitted_credentials)
+        response = root_view(request, pk=1)
+        self.assertEquals(response.status_code, status.HTTP_201_CREATED)
+
+    def test_has_put_permissions(self):
+        request = factory.put('/1', json.dumps({'text': 'foobar'}),
+                              content_type='application/json',
+                              HTTP_AUTHORIZATION=self.permitted_credentials)
+        response = instance_view(request, pk='1')
+        self.assertEquals(response.status_code, status.HTTP_200_OK)
+
+    def test_has_delete_permissions(self):
+        request = factory.delete('/1', HTTP_AUTHORIZATION=self.permitted_credentials)
+        response = instance_view(request, pk=1)
+        self.assertEquals(response.status_code, status.HTTP_204_NO_CONTENT)
+
+    def test_does_not_have_create_permissions(self):
+        request = factory.post('/', json.dumps({'text': 'foobar'}),
+                               content_type='application/json',
+                               HTTP_AUTHORIZATION=self.disallowed_credentials)
+        response = root_view(request, pk=1)
+        self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_does_not_have_put_permissions(self):
+        request = factory.put('/1', json.dumps({'text': 'foobar'}),
+                              content_type='application/json',
+                              HTTP_AUTHORIZATION=self.disallowed_credentials)
+        response = instance_view(request, pk='1')
+        self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_does_not_have_delete_permissions(self):
+        request = factory.delete('/1', HTTP_AUTHORIZATION=self.disallowed_credentials)
+        response = instance_view(request, pk=1)
+        self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN)
author	Tom Christie	2013-02-10 16:42:24 +0000
committer	Tom Christie	2013-02-10 16:42:24 +0000
commit	4c8bd40465a79679b0db26277b59448db63d09d0 (patch)
tree	80a9b3ebb3cbd2a5eaf24fcaa4e874861e3c75ab /rest_framework
parent	fd57978cb757597b82b58df78c52dc98eaed875e (diff)
download	django-rest-framework-4c8bd40465a79679b0db26277b59448db63d09d0.tar.bz2