api: limit export/import APIs to admin users (#88439)
This commit is contained in:
parent
2576350aae
commit
07512150e8
|
@ -43,7 +43,7 @@ klasses_translation_reverse = {v: k for k, v in klasses_translation.items()}
|
|||
|
||||
|
||||
class Index(GenericAPIView):
|
||||
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
|
||||
permission_classes = (permissions.IsAdminUser,)
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
data = []
|
||||
|
@ -137,7 +137,7 @@ def get_component_bundle_entry(request, component):
|
|||
|
||||
|
||||
class ListComponents(GenericAPIView):
|
||||
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
|
||||
permission_classes = (permissions.IsAdminUser,)
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
klass = klasses[kwargs['component_type']]
|
||||
|
@ -152,7 +152,7 @@ list_components = ListComponents.as_view()
|
|||
|
||||
|
||||
class ExportComponent(GenericAPIView):
|
||||
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
|
||||
permission_classes = (permissions.IsAdminUser,)
|
||||
|
||||
def get(self, request, slug, *args, **kwargs):
|
||||
klass = klasses[kwargs['component_type']]
|
||||
|
@ -164,7 +164,7 @@ export_component = ExportComponent.as_view()
|
|||
|
||||
|
||||
class ComponentDependencies(GenericAPIView):
|
||||
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
|
||||
permission_classes = (permissions.IsAdminUser,)
|
||||
|
||||
def get(self, request, slug, *args, **kwargs):
|
||||
klass = klasses[kwargs['component_type']]
|
||||
|
@ -197,7 +197,7 @@ def component_redirect(request, component_type, slug):
|
|||
|
||||
|
||||
class BundleCheck(GenericAPIView):
|
||||
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
|
||||
permission_classes = (permissions.IsAdminUser,)
|
||||
|
||||
def put(self, request, *args, **kwargs):
|
||||
return Response({'err': 0, 'data': {}})
|
||||
|
@ -207,7 +207,7 @@ bundle_check = BundleCheck.as_view()
|
|||
|
||||
|
||||
class BundleImport(GenericAPIView):
|
||||
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
|
||||
permission_classes = (permissions.IsAdminUser,)
|
||||
install = True
|
||||
|
||||
def put(self, request, *args, **kwargs):
|
||||
|
@ -283,7 +283,7 @@ bundle_declare = BundleDeclare.as_view()
|
|||
|
||||
|
||||
class BundleUnlink(GenericAPIView):
|
||||
permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
|
||||
permission_classes = (permissions.IsAdminUser,)
|
||||
|
||||
def post(self, request, *args, **kwargs):
|
||||
if request.POST.get('application'):
|
||||
|
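Review bot: `permissions.IsAdminUser`, the replacement line in each of these hunks (Index, ListComponents, ExportComponent, ComponentDependencies, BundleCheck, BundleImport, BundleUnlink), is DRF's staff check — it passes any user with `is_staff` set, not only superusers — so the "admin users" of the commit title means staff here; if that is intended, a one-line comment on the first occurrence, `# staff-only (is_staff): export/import exposes and rewrites the whole configuration`, would stop a later reader from tightening or loosening it by accident. Two views referenced only in hunk headers are not visibly changed: `BundleDeclare` (header of the `@ -283` hunk) and the function view `component_redirect` (header of the `@ -197` hunk); if BundleDeclare does not inherit `permission_classes` from BundleImport it presumably still carries `IsAuthenticatedOrReadOnly`, which is worth confirming. Each class body continues outside its hunk.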
|
|
@ -13,8 +13,11 @@ from chrono.apps.export_import.models import Application, ApplicationElement
|
|||
pytestmark = pytest.mark.django_db
|
||||
|
||||
|
||||
def test_object_types(app, user):
|
||||
def test_object_types(app, user, admin_user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
app.get('/api/export-import/', status=403)
|
||||
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
resp = app.get('/api/export-import/')
|
||||
assert resp.json == {
|
||||
'data': [
|
||||
|
@ -63,8 +66,8 @@ def test_object_types(app, user):
|
|||
}
|
||||
|
||||
|
||||
def test_list(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_list(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings')
|
||||
Agenda.objects.create(label='Event', slug='event', kind='events')
|
||||
Category.objects.create(slug='cat', label='Category')
|
||||
|
@ -163,8 +166,8 @@ def test_list(app, user):
|
|||
}
|
||||
|
||||
|
||||
def test_export_agenda(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_export_agenda(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
group1 = Group.objects.create(name='group1')
|
||||
group2 = Group.objects.create(name='group2')
|
||||
Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings', edit_role=group1, view_role=group2)
|
||||
|
@ -173,8 +176,8 @@ def test_export_agenda(app, user):
|
|||
assert resp.json['data']['permissions'] == {'view': 'group2', 'edit': 'group1'}
|
||||
|
||||
|
||||
def test_export_minor_components(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_export_minor_components(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
Category.objects.create(slug='cat', label='Category')
|
||||
Resource.objects.create(slug='foo', label='Foo')
|
||||
EventsType.objects.create(slug='foo', label='Foo')
|
||||
|
@ -193,8 +196,8 @@ def test_export_minor_components(app, user):
|
|||
app.get('/api/export-import/agendas/foo/', status=404)
|
||||
|
||||
|
||||
def test_agenda_dependencies_category(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_agenda_dependencies_category(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
category = Category.objects.create(slug='cat', label='Category')
|
||||
Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings', category=category)
|
||||
resp = app.get('/api/export-import/agendas/rdv/dependencies/')
|
||||
|
@ -215,8 +218,8 @@ def test_agenda_dependencies_category(app, user):
|
|||
}
|
||||
|
||||
|
||||
def test_agenda_dependencies_resources(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_agenda_dependencies_resources(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
meetings_agenda = Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings')
|
||||
meetings_agenda.resources.add(Resource.objects.create(slug='foo', label='Foo'))
|
||||
resp = app.get('/api/export-import/agendas/rdv/dependencies/')
|
||||
|
@ -237,8 +240,8 @@ def test_agenda_dependencies_resources(app, user):
|
|||
}
|
||||
|
||||
|
||||
def test_agenda_dependencies_unavailability_calendars(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_agenda_dependencies_unavailability_calendars(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
meetings_agenda = Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings')
|
||||
desk = Desk.objects.create(slug='foo', label='Foo', agenda=meetings_agenda)
|
||||
unavailability_calendar = UnavailabilityCalendar.objects.create(slug='foo', label='Foo')
|
||||
|
@ -280,8 +283,8 @@ def test_agenda_dependencies_unavailability_calendars(app, user):
|
|||
}
|
||||
|
||||
|
||||
def test_agenda_dependencies_groups(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_agenda_dependencies_groups(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
group1 = Group.objects.create(name='group1')
|
||||
group2 = Group.objects.create(name='group2')
|
||||
Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings', edit_role=group1, view_role=group2)
|
||||
|
@ -297,8 +300,8 @@ def test_agenda_dependencies_groups(app, user):
|
|||
}
|
||||
|
||||
|
||||
def test_agenda_dependencies_virtual_agendas(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_agenda_dependencies_virtual_agendas(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
rdv1 = Agenda.objects.create(label='Rdv1', slug='rdv1', kind='meetings')
|
||||
rdv2 = Agenda.objects.create(label='Rdv2', slug='rdv2', kind='meetings')
|
||||
virt = Agenda.objects.create(label='Virt', slug='virt', kind='virtual')
|
||||
|
@ -332,8 +335,8 @@ def test_agenda_dependencies_virtual_agendas(app, user):
|
|||
}
|
||||
|
||||
|
||||
def test_agenda_dependencies_events_type(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_agenda_dependencies_events_type(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
events_type = EventsType.objects.create(slug='foo', label='Foo')
|
||||
events_agenda = Agenda.objects.create(label='Evt', slug='evt', kind='events', events_type=events_type)
|
||||
Desk.objects.create(agenda=events_agenda, slug='_exceptions_holder')
|
||||
|
@ -355,13 +358,13 @@ def test_agenda_dependencies_events_type(app, user):
|
|||
}
|
||||
|
||||
|
||||
def test_unknown_compoment_dependencies(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_unknown_compoment_dependencies(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
app.get('/api/export-import/agendas/foo/dependencies/', status=404)
|
||||
|
||||
|
||||
def test_redirect(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
app.authorization = ('Basic', ('john', 'doe'))
|
||||
agenda = Agenda.objects.create(label='Rdv', slug='rdv', kind='meetings')
|
||||
category = Category.objects.create(slug='cat', label='Category')
|
||||
resource = Resource.objects.create(slug='foo', label='Foo')
|
||||
|
@ -389,8 +392,8 @@ def test_redirect(app, user):
|
|||
assert resp.location == f'/manage/unavailability-calendar/{unavailability_calendar.pk}/'
|
||||
|
||||
|
||||
def create_bundle(app, user, visible=True, version_number='42.0'):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def create_bundle(app, admin_user, visible=True, version_number='42.0'):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
|
||||
group, _ = Group.objects.get_or_create(name='plop')
|
||||
category, _ = Category.objects.get_or_create(slug='foo', label='Foo')
|
||||
|
@ -475,12 +478,12 @@ def bundle(app, user):
|
|||
return create_bundle(app, user)
|
||||
|
||||
|
||||
def test_bundle_import(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_bundle_import(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
|
||||
bundles = []
|
||||
for version_number in ['42.0', '42.1']:
|
||||
bundles.append(create_bundle(app, user, version_number=version_number))
|
||||
bundles.append(create_bundle(app, admin_user, version_number=version_number))
|
||||
|
||||
Agenda.objects.all().delete()
|
||||
Category.objects.all().delete()
|
||||
|
@ -534,10 +537,10 @@ def test_bundle_import(app, user):
|
|||
)
|
||||
|
||||
|
||||
def test_bundle_declare(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_bundle_declare(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
|
||||
bundle = create_bundle(app, user, visible=False)
|
||||
bundle = create_bundle(app, admin_user, visible=False)
|
||||
resp = app.put('/api/export-import/bundle-declare/', bundle)
|
||||
assert Agenda.objects.all().count() == 4
|
||||
assert resp.json['err'] == 0
|
||||
|
@ -554,7 +557,7 @@ def test_bundle_declare(app, user):
|
|||
assert application.visible is False
|
||||
assert ApplicationElement.objects.count() == 8
|
||||
|
||||
bundle = create_bundle(app, user, visible=True)
|
||||
bundle = create_bundle(app, admin_user, visible=True)
|
||||
# create link to element not present in manifest: it should be unlinked
|
||||
last_page = Agenda.objects.latest('pk')
|
||||
ApplicationElement.objects.create(
|
||||
|
@ -572,8 +575,8 @@ def test_bundle_declare(app, user):
|
|||
assert ApplicationElement.objects.count() == 4 # category, events_type, unavailability_calendar, resource
|
||||
|
||||
|
||||
def test_bundle_unlink(app, user, bundle):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_bundle_unlink(app, admin_user, bundle):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
|
||||
application = Application.objects.create(
|
||||
name='Test',
|
||||
|
@ -627,6 +630,6 @@ def test_bundle_unlink(app, user, bundle):
|
|||
assert ApplicationElement.objects.count() == 2
|
||||
|
||||
|
||||
def test_bundle_check(app, user):
|
||||
app.authorization = ('Basic', ('john.doe', 'password'))
|
||||
def test_bundle_check(app, admin_user):
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
assert app.put('/api/export-import/bundle-check/').json == {'err': 0, 'data': {}}
|
||||
|
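Review bot: test_redirect (hunk `@ -355,13 +358,13 @@`) switches its credentials to `('john', 'doe')` while keeping the `user` fixture, whose credentials everywhere else in this file are `('john.doe', 'password')`; if the test still passes, the redirect endpoint is presumably not validating those basic-auth credentials at all, so the change should either be reverted or the test should assert what happens for an unauthenticated request. Only test_object_types gains a negative check (`app.get('/api/export-import/', status=403)` as the non-admin user); the export, dependencies and bundle endpoints have no non-admin 403 assertion, so the new restriction on them is untested — e.g. in test_bundle_check add `app.authorization = ('Basic', ('john.doe', 'password'))` followed by `app.put('/api/export-import/bundle-check/', status=403)` before switching to admin. The `bundle` fixture (context line `return create_bundle(app, user)` under the `@ -475` hunk header) still requests `user` rather than `admin_user`, so it only works because test_bundle_unlink lists `admin_user` first; `def bundle(app, admin_user): return create_bundle(app, admin_user)` removes that ordering dependency. The fixture's `def` line is outside the hunk.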
|