ynerant/plateforme-corres2math
1
0
Fork 0
mirror of https://gitlab.com/animath/si/plateforme-corres2math.git synced 2025-03-16 07:27:33 +00:00
Code Issues Releases Wiki Activity

Ensure that a user can't see what he can't see

Browse Source
This commit is contained in:
Yohann D'ANELLO 2020-11-02 11:44:53 +01:00
parent 61719cae1c
commit 5fc46e74d2
1 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
apps/registration/tests.py
View File

@ -1,3 +1,5 @@
import os
from corres2math.tokens import email_validation_token from corres2math.tokens import email_validation_token
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.test import TestCase from django.test import TestCase
@ -215,8 +217,44 @@ class TestRegistration(TestCase):
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
self.assertEqual(response["content-type"], "application/zip") self.assertEqual(response["content-type"], "application/zip")
# Do it twice, ensure that the previous authorization got deleted
old_authoratization = self.student.registration.photo_authorization.path
response = self.client.post(reverse("registration:upload_user_photo_authorization",
args=(self.student.registration.pk,)), data=dict(
photo_authorization=open("corres2math/static/Autorisation de droit à l'image - majeur.pdf", "rb"),
))
self.assertRedirects(response, reverse("registration:user_detail", args=(self.student.pk,)), 302, 200)
self.assertFalse(os.path.isfile(old_authoratization))
self.student.registration.refresh_from_db()
self.student.registration.photo_authorization.delete() self.student.registration.photo_authorization.delete()
def test_user_detail_forbidden(self):
"""
Create a new user and ensure that it can't see the detail of another user.
"""
self.client.force_login(self.coach)
response = self.client.get(reverse("registration:user_detail", args=(self.user.pk,)))
self.assertEqual(response.status_code, 403)
response = self.client.get(reverse("registration:update_user", args=(self.user.pk,)))
self.assertEqual(response.status_code, 403)
response = self.client.get(reverse("registration:upload_user_photo_authorization", args=(self.user.pk,)))
self.assertEqual(response.status_code, 403)
response = self.client.get(reverse("photo_authorization", args=("inexisting-authorization",)))
self.assertEqual(response.status_code, 404)
with open("media/authorization/photo/example", "w") as f:
f.write("I lost the game.")
self.student.registration.photo_authorization = "authorization/photo/example"
self.student.registration.save()
response = self.client.get(reverse("photo_authorization", args=("example",)))
self.assertEqual(response.status_code, 403)
os.remove("media/authorization/photo/example")
def test_string_render(self): def test_string_render(self):
# TODO These string field tests will be removed when used in a template # TODO These string field tests will be removed when used in a template
self.assertRaises(NotImplementedError, lambda: Registration().type) self.assertRaises(NotImplementedError, lambda: Registration().type)