Commit 2d2cc4f7 authored by Roberto Rosario's avatar Roberto Rosario

Fix document check in via the API

- Closes GitLab issue #688. Thanks to inam ul haq (@inam.sys)
  for the report.
- Improve existing tests and add additional check in override tests.
Signed-off-by: Roberto Rosario's avatarRoberto Rosario <[email protected]>
parent 21196832
......@@ -18,6 +18,8 @@
- Remove index create permission as an ACL permission
for indexes.
- Fix API example.
- Fix document check in via the API. GitLab issue #688.
Thanks to inam ul haq (@inam.sys) for the report.
3.2.10 (2019-11-19)
===================
......
......@@ -77,7 +77,7 @@ class APICheckedoutDocumentView(generics.RetrieveDestroyAPIView):
def delete(self, request, *args, **kwargs):
document = self.get_object().document
if document.checkout_info().user == request.user:
if document.get_check_out_info().user == request.user:
AccessControlList.objects.check_access(
obj=document, permissions=(permission_document_check_in,),
user=request.user
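Review bot: The comparison `document.get_check_out_info().user == request.user` in `delete` selects which permission is enforced, yet nothing at that line says so, and this is the authorization decision for the endpoint. I would add a comment above the `if`, for example `# The user holding the check out needs only the check in permission; any other caller must hold the override permission.` The else branch and the rest of `delete` lie outside the hunk, so the wording about the override permission is inferred from the override tests in this commit and should be confirmed against the full method.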
......
......@@ -10,13 +10,7 @@ from ..models import DocumentCheckout
class DocumentCheckoutsAPIViewTestMixin(object):
def _request_checkedout_document_view(self):
return self.get(
viewname='rest_api:checkedout-document-view',
kwargs={'pk': self.test_check_out.pk}
)
def _request_test_document_check_out_view(self):
def _request_test_document_check_out_create_api_view(self):
return self.post(
viewname='rest_api:checkout-document-list', data={
'document_pk': self.test_document.pk,
......@@ -24,7 +18,19 @@ class DocumentCheckoutsAPIViewTestMixin(object):
}
)
def _request_checkout_list_view(self):
def _request_test_document_check_out_delete_api_view(self):
return self.delete(
viewname='rest_api:checkedout-document-view',
kwargs={'pk': self.test_check_out.pk}
)
def _request_test_document_check_out_detail_api_view(self):
return self.get(
viewname='rest_api:checkedout-document-view',
kwargs={'pk': self.test_check_out.pk}
)
def _request_test_document_check_out_list_api_view(self):
return self.get(viewname='rest_api:checkout-document-list')
......
......@@ -8,8 +8,8 @@ from mayan.apps.documents.tests import DocumentTestMixin
from mayan.apps.documents.permissions import permission_document_view
from mayan.apps.rest_api.tests import BaseAPITestCase
from ..models import DocumentCheckout
from ..permissions import (
permission_document_check_in, permission_document_check_in_override,
permission_document_check_out, permission_document_check_out_detail_view
)
......@@ -22,32 +22,95 @@ class CheckoutsAPITestCase(
DocumentCheckoutsAPIViewTestMixin, DocumentCheckoutTestMixin,
DocumentTestMixin, BaseAPITestCase
):
def test_checkedout_document_view_no_access(self):
def test_document_check_out_create_api_view_no_permission(self):
response = self._request_test_document_check_out_create_api_view()
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertFalse(self.test_document.is_checked_out())
def test_document_check_out_create_api_view_with_access(self):
self.grant_access(
obj=self.test_document, permission=permission_document_check_out
)
response = self._request_test_document_check_out_create_api_view()
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.assertTrue(self.test_document.is_checked_out())
def test_document_check_out_delete_api_view_no_permission(self):
self._check_out_test_document()
response = self._request_test_document_check_out_delete_api_view()
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertTrue(self.test_document.is_checked_out())
def test_document_check_out_delete_api_view_with_access(self):
self._check_out_test_document()
self.grant_access(
obj=self.test_document, permission=permission_document_check_in
)
response = self._request_test_document_check_out_delete_api_view()
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
self.assertFalse(self.test_document.is_checked_out())
def test_document_check_in_forcefull_api_view_no_permission(self):
self._create_test_user()
self._check_out_test_document(user=self.test_user)
self.grant_access(
obj=self.test_document, permission=permission_document_check_in
)
response = self._request_test_document_check_out_delete_api_view()
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertTrue(self.test_document.is_checked_out())
def test_document_check_in_forcefull_api_view_with_access(self):
self._create_test_user()
self._check_out_test_document(user=self.test_user)
self.grant_access(
obj=self.test_document,
permission=permission_document_check_in_override
)
response = self._request_test_document_check_out_delete_api_view()
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
self.assertFalse(self.test_document.is_checked_out())
def test_document_check_out_detail_api_view_no_permission(self):
self._check_out_test_document()
response = self._request_checkedout_document_view()
response = self._request_test_document_check_out_detail_api_view()
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
def test_checkedout_document_view_with_checkout_access(self):
def test_document_check_out_detail_api_view_with_check_out_detail_access(self):
self._check_out_test_document()
self.grant_access(
obj=self.test_document,
permission=permission_document_check_out_detail_view
)
response = self._request_checkedout_document_view()
response = self._request_test_document_check_out_detail_api_view()
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
def test_checkedout_document_view_with_document_access(self):
def test_document_check_out_detail_api_view_with_document_access(self):
self._check_out_test_document()
self.grant_access(
obj=self.test_document, permission=permission_document_view
)
response = self._request_checkedout_document_view()
response = self._request_test_document_check_out_detail_api_view()
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
def test_checkedout_document_view_with_access(self):
def test_document_check_out_detail_api_view_with_full_access(self):
self._check_out_test_document()
self.grant_access(
obj=self.test_document, permission=permission_document_view
......@@ -57,58 +120,48 @@ class CheckoutsAPITestCase(
permission=permission_document_check_out_detail_view
)
response = self._request_checkedout_document_view()
response = self._request_test_document_check_out_detail_api_view()
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(
response.data['document']['uuid'],
force_text(self.test_document.uuid)
)
def test_document_checkout_no_access(self):
response = self._request_test_document_check_out_view()
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(DocumentCheckout.objects.count(), 0)
def test_document_checkout_with_access(self):
self.grant_access(permission=permission_document_check_out, obj=self.test_document)
response = self._request_test_document_check_out_view()
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.assertEqual(
DocumentCheckout.objects.first().document, self.test_document
)
def test_checkout_list_view_no_access(self):
def test_document_check_out_list_api_view_no_permission(self):
self._check_out_test_document()
response = self._request_checkout_list_view()
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertNotContains(response=response, text=self.test_document.uuid)
response = self._request_test_document_check_out_list_api_view()
self.assertNotContains(
response=response, text=self.test_document.uuid,
status_code=status.HTTP_200_OK
)
def test_checkout_list_view_with_document_access(self):
def test_document_check_out_list_api_view_with_document_access(self):
self._check_out_test_document()
self.grant_access(
permission=permission_document_view, obj=self.test_document
)
response = self._request_checkout_list_view()
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertNotContains(response=response, text=self.test_document.uuid)
response = self._request_test_document_check_out_list_api_view()
self.assertNotContains(
response=response, text=self.test_document.uuid,
status_code=status.HTTP_200_OK
)
def test_checkout_list_view_with_checkout_access(self):
def test_document_check_out_list_api_view_with_check_out_detail_access(self):
self._check_out_test_document()
self.grant_access(
obj=self.test_document,
permission=permission_document_check_out_detail_view
)
response = self._request_checkout_list_view()
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertNotContains(response=response, text=self.test_document.uuid)
response = self._request_test_document_check_out_list_api_view()
self.assertNotContains(
response=response, text=self.test_document.uuid,
status_code=status.HTTP_200_OK
)
def test_checkout_list_view_with_access(self):
def test_document_check_out_list_api_view_with_full_access(self):
self._check_out_test_document()
self.grant_access(
......@@ -119,6 +172,8 @@ class CheckoutsAPITestCase(
permission=permission_document_check_out_detail_view
)
response = self._request_checkout_list_view()
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertContains(response=response, text=self.test_document.uuid)
response = self._request_test_document_check_out_list_api_view()
self.assertContains(
response=response, text=self.test_document.uuid,
status_code=status.HTTP_200_OK
)
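Review bot: No test covers a DELETE from a user who neither holds the check out nor has any permission on the document; `test_document_check_in_forcefull_api_view_no_permission` grants `permission_document_check_in` first, and `test_document_check_out_delete_api_view_no_permission` appears to run as the user who made the check out. The detail tests expect `HTTP_404_NOT_FOUND` without permission while the delete tests expect `HTTP_403_FORBIDDEN` on the same view name, so pinning the status for that case would show whether the two methods answer differently about whether a check out pk exists. A test along the lines of `test_document_check_in_forcefull_api_view_no_access`, which checks out as `self.test_user`, grants nothing, and asserts both the status code and `is_checked_out()`, would close the gap. Separately, `forcefull` in the two test names is a misspelling of `forceful`.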