
[2/2] tests: Add tests for viewing private bundles

Message ID 20170525073805.30513-2-andrew.donnellan@au1.ibm.com
State Accepted

Commit Message

Andrew Donnellan May 25, 2017, 7:38 a.m. UTC
Add some tests to check that owners can view their private bundles while
other authenticated users can't.

Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>

---

I'm not very familiar with writing Django tests, please flame away
---
 patchwork/tests/test_bundles.py | 58 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

Comments

Stephen Finucane May 26, 2017, 8:49 a.m. UTC | #1
On Thu, 2017-05-25 at 17:38 +1000, Andrew Donnellan wrote:
> Add some tests to check that owners can view their private bundles
> while
> other authenticated users can't.
> 
> Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
> 
> ---
> 
> I'm not very familiar with writing Django tests, please flame away

For both of these:

Reviewed-by: Stephen Finucane <stephen@that.guru>

and applied. Sorry for missing this. I think I added tests but they
clearly weren't up to scratch. I guess these will all be replaced if we
switch to token auth?

Stephen
Andrew Donnellan May 29, 2017, 12:38 a.m. UTC | #2
On 26/05/17 18:49, Stephen Finucane wrote:
> For both of these:
>
> Reviewed-by: Stephen Finucane <stephen@that.guru>
>
> and applied. Sorry for missing this. I think I added tests but they
> clearly weren't up to scratch. I guess these will all be replaced if we
> switch to token auth?

Thanks!

Yeah, the tests will need some adjustments if we switch to token auth.

Patch

diff --git a/patchwork/tests/test_bundles.py b/patchwork/tests/test_bundles.py
index 0dc9165..e4082b2 100644
--- a/patchwork/tests/test_bundles.py
+++ b/patchwork/tests/test_bundles.py
@@ -19,6 +19,7 @@ 
 
 from __future__ import absolute_import
 
+import base64
 import datetime
 import unittest
 
@@ -283,6 +284,63 @@  class BundlePublicModifyTest(BundleTestBase):
         self.assertNotEqual(self.bundle.name, newname)
 
 
+class BundlePrivateViewTest(BundleTestBase):
+
+    """Ensure that non-owners can't view private bundles"""
+
+    def setUp(self):
+        super(BundlePrivateViewTest, self).setUp()
+        self.bundle.public = False
+        self.bundle.save()
+        self.bundle.append_patch(self.patches[0])
+        self.url = bundle_url(self.bundle)
+        self.other_user = create_user()
+
+    def test_private_bundle(self):
+        # Check we can view as owner
+        self.client.login(username=self.user.username,
+                          password=self.user.username)
+        response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, self.patches[0].name)
+
+        # Check we can't view as another user
+        self.client.login(username=self.other_user.username,
+                          password=self.other_user.username)
+        response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 404)
+
+
+class BundlePrivateViewMboxTest(BundlePrivateViewTest):
+
+    """Ensure that non-owners can't view private bundle mboxes"""
+
+    def setUp(self):
+        super(BundlePrivateViewMboxTest, self).setUp()
+        self.url = reverse('bundle-mbox', kwargs={
+            'username': self.bundle.owner.username,
+            'bundlename': self.bundle.name})
+
+    def test_private_bundle_mbox_basic_auth(self):
+        self.client.logout()
+
+        # Check we can view as owner
+        auth_string = 'Basic ' + base64.b64encode('%s:%s' %
+                                                  (self.user.username,
+                                                   self.user.username))
+        response = self.client.get(self.url, HTTP_AUTHORIZATION=auth_string)
+
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, self.patches[0].name)
+
+        # Check we can't view as another user
+        auth_string = 'Basic ' + base64.b64encode('%s:%s' %
+                                                  (self.other_user.username,
+                                                   self.other_user.username))
+        response = self.client.get(self.url, HTTP_AUTHORIZATION=auth_string)
+        self.assertEqual(response.status_code, 404)
+
+
 class BundleCreateFromListTest(BundleTestBase):
 
     def test_create_empty_bundle(self):
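Review bot: Both `auth_string` assignments in `test_private_bundle_mbox_basic_auth` pass a `str` to `base64.b64encode()` and concatenate the result onto `'Basic '`, which works on Python 2 but raises `TypeError` on Python 3, where the function takes and returns bytes. If the suite is also run under Python 3, wrap the call, e.g. `base64.b64encode(('%s:%s' % (name, name)).encode('utf-8')).decode('ascii')`. Separately, the non-owner 404 in the basic-auth test would presumably also be returned if those credentials failed to authenticate and the view treated the request as anonymous, so the assertion alone does not prove that an authenticated non-owner is refused. Neither test requests the private bundle with no credentials at all; adding that case, plus a check that `other_user` can authenticate against something it is allowed to see, would make the access-control coverage unambiguous.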