Valentin Rigal
--- a/arkindex/project/tests/test_acl_mixin.py 0 → 100644

+ 102

− 0
+++ b/arkindex/project/tests/test_acl_mixin.py 0 → 100644

+ 102

− 0
+from django.contrib.contenttypes.models import ContentType
+
+from arkindex.dataimport.models import Repository, RepositoryType
+from arkindex.documents.models import Corpus
+from arkindex.project.mixins import ACLMixin
+from arkindex.project.tests import FixtureTestCase
+from arkindex.users.models import Group, Right, User
+
+
+class TestACLMixin(FixtureTestCase):
+
+    @classmethod
+    def setUpClass(cls):
+        r"""
+        Create user and groups with rights on a Corpus and a Repository
+        We use a simple rights configuration for those tests
+
+        User1  User2      User3
+          |    |  |       /  |
+         100   10 |     80   |
+           \  /   90    |    75
+         Group1   |   Group2 |
+           / \    |    /\    |
+         100  75  |  100 50  |
+          |    \  |  /    \  |
+         Repo1  Corpus1  Corpus2
+        """
+
+        super().setUpClass()
+        cls.user1 = User.objects.create_user('user1@test.test', display_name='User1')
+        cls.user2 = User.objects.create_user('user2@test.test', display_name='User2')
+        cls.user3 = User.objects.create_user('user3@test.test', display_name='User3')
+
+        cls.group1 = Group.objects.create(name='Group1')
+        cls.group2 = Group.objects.create(name='Group2')
+
+        cls.repo1 = Repository.objects.create(type=RepositoryType.Worker, url='http://repo1')
+        cls.corpus1 = Corpus.objects.create(name="Corpus1")
+        cls.corpus2 = Corpus.objects.create(name="Corpus2")
+
+        Right.objects.bulk_create([
+            Right(user=cls.user1, content_object=cls.group1, level=100),
+            Right(user=cls.user2, content_object=cls.group1, level=10),
+            Right(user=cls.user3, content_object=cls.group2, level=80),
+            Right(user=cls.user2, content_object=cls.corpus1, level=90),
+            Right(user=cls.user3, content_object=cls.corpus2, level=75),
+            Right(group=cls.group1, content_object=cls.repo1, level=100),
+            Right(group=cls.group1, content_object=cls.corpus1, level=75),
+            Right(group=cls.group2, content_object=cls.corpus1, level=100),
+            Right(group=cls.group2, content_object=cls.corpus2, level=50),
+        ])
+        cls.corpus_type = ContentType.objects.get_for_model(Corpus)
+        cls.group_type = ContentType.objects.get_for_model(Group)
+
+    def test_right_via_group_restriction(self):
+        # User rights on corpora via a group are restricted to the group level
+        acl_mixin = ACLMixin(self.user3)
+        params = {
+            'user_id': self.user3.id,
+            'group_id': self.group2.id,
+            'group_type_id': self.group_type.id,
+            'corpus_type_id': self.corpus_type.id,
+            'level': 80,
+        }
+        with self.assertExactQueries('rights_filter.sql', params=params):
+            # List to queryset to fire the DB request
+            queryset_list = list(acl_mixin.rights_filter(Corpus, 80))
+        self.assertCountEqual(
+            queryset_list,
+            [self.corpus1]
+        )
+
+    def test_right_direct_access(self):
+        # User 2 has a direct access to the above corpus with a level of 90
+        acl_mixin = ACLMixin(self.user2)
+        params = {
+            'user_id': self.user2.id,
+            'group_id': self.group2.id,
+            'corpus_id': self.corpus1.id,
+            'group_type_id': self.group_type.id,
+            'corpus_type_id': self.corpus_type.id,
+            'level': 80,
+        }
+        with self.assertExactQueries('right_access.sql', params=params):
+            has_access = acl_mixin.has_access(self.corpus1, 80)
+        self.assertTrue(has_access)
+
+    def test_right_group_members_restriction(self):
+        # User rights on corpora via a group are restricted to user level inside the group
+        acl_mixin = ACLMixin(self.user1)
+        self.assertFalse(
+            acl_mixin.has_access(self.corpus1, 80)
+        )
+
+    def test_has_read_access_null(self):
+        # Only instances with defined level may pass mixin acces check
+        acl_mixin = ACLMixin(self.user1)
+        # User1 has the maximun level on the repository but write access level is not declared
+        self.assertFalse(hasattr(self.repo1, 'WRITE_LEVEL'))
+        self.assertFalse(acl_mixin.has_write_access(self.repo1))
+        # However he has an execute privilege for this repository
+        self.assertTrue(acl_mixin.has_execute_access(self.repo1))