tests: add checks for formdef access

2015-05-21 15:38:27 +02:00 · 2015-05-21 15:38:27 +02:00 · f4f804f13d
parent a1ce36d3e5
commit f4f804f13d
1 changed files with 49 additions and 0 deletions
--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@ -6,6 +6,7 @@ from wcs.formdef import FormDef
 from wcs.workflows import Workflow, EditableWorkflowStatusItem
 from wcs.wf.jump import JumpWorkflowStatusItem
 from wcs.categories import Category
+from wcs.roles import Role, logged_users_role
 from wcs.tracking_code import TrackingCode
 from wcs import fields
 from wcs.sessions import BasicSession
@ -94,6 +95,54 @@ def test_home_always_advertise(pub):
    assert '<a href="test/">test</a>' in home.body
    assert '<a href="test/">test</a><span> (authentication required)</span>' in home.body

+def test_form_access(pub):
+    formdef = create_formdef()
+    get_app(pub).get('/test/', status=200)
+
+    Role.wipe()
+    role = Role(name='xxx')
+    role.store()
+
+    # check a formdef protected by a role cannot be accessed
+    formdef.roles = [role.id]
+    formdef.store()
+    # an unlogged user will ge ta redirect to login
+    resp = get_app(pub).get('/test/', status=302)
+    assert '/login' in resp.location
+
+    # while a logged-in user will get a 403
+    user = create_user(pub)
+    login(get_app(pub), username='foo', password='foo').get('/test/', status=403)
+
+    # unless the user has the right role
+    user = create_user(pub)
+    user.roles = [role.id]
+    user.store()
+    login(get_app(pub), username='foo', password='foo').get('/test/', status=200)
+
+    # check admin has access, even without specific roles
+    user = create_user(pub)
+    user.roles = []
+    user.is_admin = True
+    user.store()
+    login(get_app(pub), username='foo', password='foo').get('/test/', status=200)
+
+    # check special "logged users" role
+    formdef.roles = [logged_users_role()]
+    formdef.store()
+    user = create_user(pub)
+    login(get_app(pub), username='foo', password='foo').get('/test/', status=403)
+    resp = get_app(pub).get('/test/', status=302) # redirect to login
+
+    # check "receiver" can also access the formdef
+    formdef = create_formdef()
+    formdef.workflow_roles = {'_receiver': role.id}
+    formdef.store()
+    user = create_user(pub)
+    user.roles = [role.id]
+    user.store()
+    login(get_app(pub), username='foo', password='foo').get('/test/', status=200)
+
 def test_form_submit(pub):
    formdef = create_formdef()
    formdef.data_class().wipe()