api: limit export/import APIs to admin users (#88439)

This commit is contained in:
Frédéric Péters 2024-03-21 09:50:18 +01:00
parent 2576350aae
commit 07512150e8
2 changed files with 45 additions and 42 deletions


@ -43,7 +43,7 @@ klasses_translation_reverse = {v: k for k, v in klasses_translation.items()}
class Index(GenericAPIView):
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
permission_classes = (permissions.IsAdminUser,)
def get(self, request, *args, **kwargs):
data = []
@ -137,7 +137,7 @@ def get_component_bundle_entry(request, component):
class ListComponents(GenericAPIView):
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
permission_classes = (permissions.IsAdminUser,)
def get(self, request, *args, **kwargs):
klass = klasses[kwargs['component_type']]
@ -152,7 +152,7 @@ list_components = ListComponents.as_view()
class ExportComponent(GenericAPIView):
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
permission_classes = (permissions.IsAdminUser,)
def get(self, request, slug, *args, **kwargs):
klass = klasses[kwargs['component_type']]
@ -164,7 +164,7 @@ export_component = ExportComponent.as_view()
class ComponentDependencies(GenericAPIView):
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
permission_classes = (permissions.IsAdminUser,)
def get(self, request, slug, *args, **kwargs):
klass = klasses[kwargs['component_type']]
@ -197,7 +197,7 @@ def component_redirect(request, component_type, slug):
class BundleCheck(GenericAPIView):
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
permission_classes = (permissions.IsAdminUser,)
def put(self, request, *args, **kwargs):
return Response({'err': 0, 'data': {}})
@ -207,7 +207,7 @@ bundle_check = BundleCheck.as_view()
class BundleImport(GenericAPIView):
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
permission_classes = (permissions.IsAdminUser,)
install = True
def put(self, request, *args, **kwargs):
@ -283,7 +283,7 @@ bundle_declare = BundleDeclare.as_view()
class BundleUnlink(GenericAPIView):
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
permission_classes = (permissions.IsAdminUser,)
def post(self, request, *args, **kwargs):
if request.POST.get('application'):
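Review bot: `permissions.IsAdminUser` checks `request.user.is_staff`, not superuser status, so the new `permission_classes` lines at L15, L21, L27, L33, L39, L45 and L51 admit any staff account; if "admin" in the commit title is meant to be stricter than staff, a custom permission on `is_superuser` is needed, and either way the attribute deserves a one-line comment such as `# export/import is staff-only (IsAdminUser == is_staff)` so the next reader does not assume superuser. The previous `IsAuthenticatedOrReadOnly` left every GET view here (index, list, export, dependencies) readable by anonymous callers, so the tightening itself is the right direction. `component_redirect` appears only in the hunk header at L36 and is not touched; whether it carries an equivalent restriction cannot be determined from this page.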


@ -13,8 +13,11 @@ from chrono.apps.export_import.models import Application, ApplicationElement
pytestmark = pytest.mark.django_db
def test_object_types(app, user):
def test_object_types(app, user, admin_user):
app.authorization = ('Basic', ('john.doe', 'password'))
app.get('/api/export-import/', status=403)
app.authorization = ('Basic', ('admin', 'admin'))
resp = app.get('/api/export-import/')
assert resp.json == {
'data': [
@ -63,8 +66,8 @@ def test_object_types(app, user):
}
def test_list(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_list(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings')
Agenda.objects.create(label='Event', slug='event', kind='events')
Category.objects.create(slug='cat', label='Category')
@ -163,8 +166,8 @@ def test_list(app, user):
}
def test_export_agenda(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_export_agenda(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
group1 = Group.objects.create(name='group1')
group2 = Group.objects.create(name='group2')
Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings', edit_role=group1, view_role=group2)
@ -173,8 +176,8 @@ def test_export_agenda(app, user):
assert resp.json['data']['permissions'] == {'view': 'group2', 'edit': 'group1'}
def test_export_minor_components(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_export_minor_components(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
Category.objects.create(slug='cat', label='Category')
Resource.objects.create(slug='foo', label='Foo')
EventsType.objects.create(slug='foo', label='Foo')
@ -193,8 +196,8 @@ def test_export_minor_components(app, user):
app.get('/api/export-import/agendas/foo/', status=404)
def test_agenda_dependencies_category(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_agenda_dependencies_category(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
category = Category.objects.create(slug='cat', label='Category')
Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings', category=category)
resp = app.get('/api/export-import/agendas/rdv/dependencies/')
@ -215,8 +218,8 @@ def test_agenda_dependencies_category(app, user):
}
def test_agenda_dependencies_resources(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_agenda_dependencies_resources(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
meetings_agenda = Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings')
meetings_agenda.resources.add(Resource.objects.create(slug='foo', label='Foo'))
resp = app.get('/api/export-import/agendas/rdv/dependencies/')
@ -237,8 +240,8 @@ def test_agenda_dependencies_resources(app, user):
}
def test_agenda_dependencies_unavailability_calendars(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_agenda_dependencies_unavailability_calendars(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
meetings_agenda = Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings')
desk = Desk.objects.create(slug='foo', label='Foo', agenda=meetings_agenda)
unavailability_calendar = UnavailabilityCalendar.objects.create(slug='foo', label='Foo')
@ -280,8 +283,8 @@ def test_agenda_dependencies_unavailability_calendars(app, user):
}
def test_agenda_dependencies_groups(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_agenda_dependencies_groups(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
group1 = Group.objects.create(name='group1')
group2 = Group.objects.create(name='group2')
Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings', edit_role=group1, view_role=group2)
@ -297,8 +300,8 @@ def test_agenda_dependencies_groups(app, user):
}
def test_agenda_dependencies_virtual_agendas(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_agenda_dependencies_virtual_agendas(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
rdv1 = Agenda.objects.create(label='Rdv1', slug='rdv1', kind='meetings')
rdv2 = Agenda.objects.create(label='Rdv2', slug='rdv2', kind='meetings')
virt = Agenda.objects.create(label='Virt', slug='virt', kind='virtual')
@ -332,8 +335,8 @@ def test_agenda_dependencies_virtual_agendas(app, user):
}
def test_agenda_dependencies_events_type(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_agenda_dependencies_events_type(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
events_type = EventsType.objects.create(slug='foo', label='Foo')
events_agenda = Agenda.objects.create(label='Evt', slug='evt', kind='events', events_type=events_type)
Desk.objects.create(agenda=events_agenda, slug='_exceptions_holder')
@ -355,13 +358,13 @@ def test_agenda_dependencies_events_type(app, user):
}
def test_unknown_compoment_dependencies(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_unknown_compoment_dependencies(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
app.get('/api/export-import/agendas/foo/dependencies/', status=404)
def test_redirect(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
app.authorization = ('Basic', ('john', 'doe'))
agenda = Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings')
category = Category.objects.create(slug='cat', label='Category')
resource = Resource.objects.create(slug='foo', label='Foo')
@ -389,8 +392,8 @@ def test_redirect(app, user):
assert resp.location == f'/manage/unavailability-calendar/{unavailability_calendar.pk}/'
def create_bundle(app, user, visible=True, version_number='42.0'):
app.authorization = ('Basic', ('john.doe', 'password'))
def create_bundle(app, admin_user, visible=True, version_number='42.0'):
app.authorization = ('Basic', ('admin', 'admin'))
group, _ = Group.objects.get_or_create(name='plop')
category, _ = Category.objects.get_or_create(slug='foo', label='Foo')
@ -475,12 +478,12 @@ def bundle(app, user):
return create_bundle(app, user)
def test_bundle_import(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_bundle_import(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
bundles = []
for version_number in ['42.0', '42.1']:
bundles.append(create_bundle(app, user, version_number=version_number))
bundles.append(create_bundle(app, admin_user, version_number=version_number))
Agenda.objects.all().delete()
Category.objects.all().delete()
@ -534,10 +537,10 @@ def test_bundle_import(app, user):
)
def test_bundle_declare(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_bundle_declare(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
bundle = create_bundle(app, user, visible=False)
bundle = create_bundle(app, admin_user, visible=False)
resp = app.put('/api/export-import/bundle-declare/', bundle)
assert Agenda.objects.all().count() == 4
assert resp.json['err'] == 0
@ -554,7 +557,7 @@ def test_bundle_declare(app, user):
assert application.visible is False
assert ApplicationElement.objects.count() == 8
bundle = create_bundle(app, user, visible=True)
bundle = create_bundle(app, admin_user, visible=True)
# create link to element not present in manifest: it should be unlinked
last_page = Agenda.objects.latest('pk')
ApplicationElement.objects.create(
@ -572,8 +575,8 @@ def test_bundle_declare(app, user):
assert ApplicationElement.objects.count() == 4 # category, events_type, unavailability_calendar, resource
def test_bundle_unlink(app, user, bundle):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_bundle_unlink(app, admin_user, bundle):
app.authorization = ('Basic', ('admin', 'admin'))
application = Application.objects.create(
name='Test',
@ -627,6 +630,6 @@ def test_bundle_unlink(app, user, bundle):
assert ApplicationElement.objects.count() == 2
def test_bundle_check(app, user):
app.authorization = ('Basic', ('john.doe', 'password'))
def test_bundle_check(app, admin_user):
app.authorization = ('Basic', ('admin', 'admin'))
assert app.put('/api/export-import/bundle-check/').json == {'err': 0, 'data': {}}
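Review bot: Only `test_object_types` gains a non-admin 403 assertion (L61–L62); every other test in this file now authenticates solely as `admin`, so a single view class regressing back to `IsAuthenticatedOrReadOnly` would pass the suite unnoticed. A parametrized negative test over the URLs already exercised in this file would pin the new policy for each endpoint, not just the index. Separately, `test_redirect` at L157 switches the credentials to `('john', 'doe')` while every other test using the `user` fixture keeps `('john.doe', 'password')`; if that is deliberate (the redirect view may not go through DRF authentication), a short comment would help, otherwise it looks like a typo.

```python
@pytest.mark.parametrize(
    'method, url',
    [
        ('get', '/api/export-import/'),
        ('get', '/api/export-import/agendas/foo/'),
        ('get', '/api/export-import/agendas/foo/dependencies/'),
        ('put', '/api/export-import/bundle-check/'),
        ('put', '/api/export-import/bundle-declare/'),
    ],
)
def test_export_import_non_admin_forbidden(app, user, method, url):
    # a plain authenticated (non-staff) user must be refused on every endpoint
    app.authorization = ('Basic', ('john.doe', 'password'))
    getattr(app, method)(url, status=403)
```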