diff options
| author | Eleni Lixourioti | 2014-11-15 14:27:41 +0000 |
|---|---|---|
| committer | Eleni Lixourioti | 2014-11-15 14:27:41 +0000 |
| commit | 1aa77830955dcdf829f65a9001b6b8900dfc8755 (patch) | |
| tree | 1f6d0bea3c0fe720a298b2da177bb91e8a74a19c /tests/test_permissions.py | |
| parent | afaa52a378705b7f0475d5ece04a2cf49af4b7c2 (diff) | |
| parent | 88008c0a687219e3104d548196915b1068536d74 (diff) | |
| download | django-rest-framework-1aa77830955dcdf829f65a9001b6b8900dfc8755.tar.bz2 | |
Merge branch 'version-3.1' of github.com:tomchristie/django-rest-framework into oauth_as_package
Conflicts:
.travis.yml
Diffstat (limited to 'tests/test_permissions.py')
| -rw-r--r-- | tests/test_permissions.py | 143 |
1 files changed, 72 insertions, 71 deletions
diff --git a/tests/test_permissions.py b/tests/test_permissions.py index 93f8020f..ac398f80 100644 --- a/tests/test_permissions.py +++ b/tests/test_permissions.py @@ -3,7 +3,7 @@ from django.contrib.auth.models import User, Permission, Group from django.db import models from django.test import TestCase from django.utils import unittest -from rest_framework import generics, status, permissions, authentication, HTTP_HEADER_ENCODING +from rest_framework import generics, serializers, status, permissions, authentication, HTTP_HEADER_ENCODING from rest_framework.compat import guardian, get_model_name from rest_framework.filters import DjangoObjectPermissionsFilter from rest_framework.test import APIRequestFactory @@ -13,14 +13,21 @@ import base64 factory = APIRequestFactory() +class BasicSerializer(serializers.ModelSerializer): + class Meta: + model = BasicModel + + class RootView(generics.ListCreateAPIView): - model = BasicModel + queryset = BasicModel.objects.all() + serializer_class = BasicSerializer authentication_classes = [authentication.BasicAuthentication] permission_classes = [permissions.DjangoModelPermissions] class InstanceView(generics.RetrieveUpdateDestroyAPIView): - model = BasicModel + queryset = BasicModel.objects.all() + serializer_class = BasicSerializer authentication_classes = [authentication.BasicAuthentication] permission_classes = [permissions.DjangoModelPermissions] @@ -88,72 +95,59 @@ class ModelPermissionsIntegrationTests(TestCase): response = instance_view(request, pk=1) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - def test_has_put_as_create_permissions(self): - # User only has update permissions - should be able to update an entity. - request = factory.put('/1', {'text': 'foobar'}, format='json', - HTTP_AUTHORIZATION=self.updateonly_credentials) - response = instance_view(request, pk='1') - self.assertEqual(response.status_code, status.HTTP_200_OK) - - # But if PUTing to a new entity, permission should be denied. - request = factory.put('/2', {'text': 'foobar'}, format='json', - HTTP_AUTHORIZATION=self.updateonly_credentials) - response = instance_view(request, pk='2') - self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - - def test_options_permitted(self): - request = factory.options( - '/', - HTTP_AUTHORIZATION=self.permitted_credentials - ) - response = root_view(request, pk='1') - self.assertEqual(response.status_code, status.HTTP_200_OK) - self.assertIn('actions', response.data) - self.assertEqual(list(response.data['actions'].keys()), ['POST']) - - request = factory.options( - '/1', - HTTP_AUTHORIZATION=self.permitted_credentials - ) - response = instance_view(request, pk='1') - self.assertEqual(response.status_code, status.HTTP_200_OK) - self.assertIn('actions', response.data) - self.assertEqual(list(response.data['actions'].keys()), ['PUT']) - - def test_options_disallowed(self): - request = factory.options( - '/', - HTTP_AUTHORIZATION=self.disallowed_credentials - ) - response = root_view(request, pk='1') - self.assertEqual(response.status_code, status.HTTP_200_OK) - self.assertNotIn('actions', response.data) - - request = factory.options( - '/1', - HTTP_AUTHORIZATION=self.disallowed_credentials - ) - response = instance_view(request, pk='1') - self.assertEqual(response.status_code, status.HTTP_200_OK) - self.assertNotIn('actions', response.data) - - def test_options_updateonly(self): - request = factory.options( - '/', - HTTP_AUTHORIZATION=self.updateonly_credentials - ) - response = root_view(request, pk='1') - self.assertEqual(response.status_code, status.HTTP_200_OK) - self.assertNotIn('actions', response.data) - - request = factory.options( - '/1', - HTTP_AUTHORIZATION=self.updateonly_credentials - ) - response = instance_view(request, pk='1') - self.assertEqual(response.status_code, status.HTTP_200_OK) - self.assertIn('actions', response.data) - self.assertEqual(list(response.data['actions'].keys()), ['PUT']) + # def test_options_permitted(self): + # request = factory.options( + # '/', + # HTTP_AUTHORIZATION=self.permitted_credentials + # ) + # response = root_view(request, pk='1') + # self.assertEqual(response.status_code, status.HTTP_200_OK) + # self.assertIn('actions', response.data) + # self.assertEqual(list(response.data['actions'].keys()), ['POST']) + + # request = factory.options( + # '/1', + # HTTP_AUTHORIZATION=self.permitted_credentials + # ) + # response = instance_view(request, pk='1') + # self.assertEqual(response.status_code, status.HTTP_200_OK) + # self.assertIn('actions', response.data) + # self.assertEqual(list(response.data['actions'].keys()), ['PUT']) + + # def test_options_disallowed(self): + # request = factory.options( + # '/', + # HTTP_AUTHORIZATION=self.disallowed_credentials + # ) + # response = root_view(request, pk='1') + # self.assertEqual(response.status_code, status.HTTP_200_OK) + # self.assertNotIn('actions', response.data) + + # request = factory.options( + # '/1', + # HTTP_AUTHORIZATION=self.disallowed_credentials + # ) + # response = instance_view(request, pk='1') + # self.assertEqual(response.status_code, status.HTTP_200_OK) + # self.assertNotIn('actions', response.data) + + # def test_options_updateonly(self): + # request = factory.options( + # '/', + # HTTP_AUTHORIZATION=self.updateonly_credentials + # ) + # response = root_view(request, pk='1') + # self.assertEqual(response.status_code, status.HTTP_200_OK) + # self.assertNotIn('actions', response.data) + + # request = factory.options( + # '/1', + # HTTP_AUTHORIZATION=self.updateonly_credentials + # ) + # response = instance_view(request, pk='1') + # self.assertEqual(response.status_code, status.HTTP_200_OK) + # self.assertIn('actions', response.data) + # self.assertEqual(list(response.data['actions'].keys()), ['PUT']) class BasicPermModel(models.Model): @@ -167,6 +161,11 @@ class BasicPermModel(models.Model): ) +class BasicPermSerializer(serializers.ModelSerializer): + class Meta: + model = BasicPermModel + + # Custom object-level permission, that includes 'view' permissions class ViewObjectPermissions(permissions.DjangoObjectPermissions): perms_map = { @@ -181,7 +180,8 @@ class ViewObjectPermissions(permissions.DjangoObjectPermissions): class ObjectPermissionInstanceView(generics.RetrieveUpdateDestroyAPIView): - model = BasicPermModel + queryset = BasicPermModel.objects.all() + serializer_class = BasicPermSerializer authentication_classes = [authentication.BasicAuthentication] permission_classes = [ViewObjectPermissions] @@ -189,7 +189,8 @@ object_permissions_view = ObjectPermissionInstanceView.as_view() class ObjectPermissionListView(generics.ListAPIView): - model = BasicPermModel + queryset = BasicPermModel.objects.all() + serializer_class = BasicPermSerializer authentication_classes = [authentication.BasicAuthentication] permission_classes = [ViewObjectPermissions] |