From f90715e541191b942b68f0122c037f4f706c0718 Mon Sep 17 00:00:00 2001 From: Fabian Braun Date: Sat, 10 Jun 2023 21:18:59 +0200 Subject: [PATCH] fix: respect upload and directory listing permissions (#1352) * fix: respect `can_use_directory_listing`, `change_folder`, `add_folder`, `add_file` permissions * Update tests * fix flake8 error * Close files in tests * Add test for has_... permissions of File and Folder class * Remove unused variables from tests * Remove unnecessary noqa --- filer/admin/clipboardadmin.py | 15 +- filer/admin/folderadmin.py | 2 + filer/models/filemodels.py | 4 +- filer/models/foldermodels.py | 4 +- tests/test_admin.py | 370 +++++++++++++++++++++------------- tests/test_dump.py | 18 +- tests/test_permissions.py | 5 +- tests/test_tools.py | 1 + 8 files changed, 264 insertions(+), 155 deletions(-) diff --git a/filer/admin/clipboardadmin.py b/filer/admin/clipboardadmin.py index 3a727a4a5..76428ff35 100644 --- a/filer/admin/clipboardadmin.py +++ b/filer/admin/clipboardadmin.py @@ -1,7 +1,8 @@ -from django.contrib import admin +from django.contrib import admin, messages from django.forms.models import modelform_factory from django.http import JsonResponse from django.urls import re_path +from django.utils.translation import gettext_lazy as _ from django.views.decorators.csrf import csrf_exempt from .. import settings as filer_settings @@ -11,8 +12,9 @@ from . import views -NO_FOLDER_ERROR = "Can't find folder to upload. Please refresh and try again" -NO_PERMISSIONS_FOR_FOLDER = ( +NO_PERMISSIONS = _("You do not have permission to upload files.") +NO_FOLDER_ERROR = _("Can't find folder to upload. Please refresh and try again") +NO_PERMISSIONS_FOR_FOLDER = _( "Can't use this folder, Permission Denied. Please select another folder." ) 
@@ -68,17 +70,24 @@ def ajax_upload(request, folder_id=None): """ Receives an upload from the uploader. Receives only one file at a time. """ + + if not request.user.has_perm("filer.add_file"): + messages.error(request, NO_PERMISSIONS) + return JsonResponse({'error': NO_PERMISSIONS}) + if folder_id: try: # Get folder folder = Folder.objects.get(pk=folder_id) except Folder.DoesNotExist: + messages.error(request, NO_FOLDER_ERROR) return JsonResponse({'error': NO_FOLDER_ERROR}) else: folder = Folder.objects.filter(pk=request.session.get('filer_last_folder_id', 0)).first() # check permissions if folder and not folder.has_add_children_permission(request): + messages.error(request, NO_PERMISSIONS_FOR_FOLDER) return JsonResponse({'error': NO_PERMISSIONS_FOR_FOLDER}) if len(request.FILES) == 1: diff --git a/filer/admin/folderadmin.py b/filer/admin/folderadmin.py index 884a55477..de9ce1fab 100644 --- a/filer/admin/folderadmin.py +++ b/filer/admin/folderadmin.py @@ -234,6 +234,8 @@ def get_urls(self): # custom views def directory_listing(self, request, folder_id=None, viewtype=None): + if not request.user.has_perm("filer.can_use_directory_listing"): + raise PermissionDenied() clipboard = tools.get_user_clipboard(request.user) if viewtype == 'images_with_missing_data': folder = ImagesWithMissingData() diff --git a/filer/models/filemodels.py b/filer/models/filemodels.py index 61f5c7516..f188c707f 100644 --- a/filer/models/filemodels.py +++ b/filer/models/filemodels.py 
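Review bot: The new `filer.add_file` denial at the top of `ajax_upload` is returned as `JsonResponse({'error': NO_PERMISSIONS})` with the default status 200, so an authorization failure looks like a successful call in access logs, proxies and any monitoring keyed on status codes. Consider `return JsonResponse({'error': NO_PERMISSIONS}, status=403)`; the existing folder-denial branch has the same shape. The tests in this commit use `assertContains`, which expects 200 by default, so they would need `status_code=403`. The uploader's client-side script is not visible here and may rely on a 200 response, so confirm that before changing it. The function body continues past the hunk.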
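Review bot: The guard added at the top of `directory_listing` carries no comment saying that it is a model-level gate independent of `FILER_ENABLE_PERMISSIONS`, which is what `test_with_without_permissions` in this commit relies on (it expects a 403 with that setting off). I would add `# Model-level gate: enforced even when FILER_ENABLE_PERMISSIONS is False.` above the check. The changelog should also record that staff accounts lacking `filer.can_use_directory_listing` lose access to the listing after upgrading. The hunk adds no import, so `PermissionDenied` must already be in scope in folderadmin.py; that is not visible here. The method body continues outside the hunk.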
@@ -300,13 +300,13 @@ def __lt__(self, other): return self.label.lower() < other.label.lower() def has_edit_permission(self, request): - return self.has_generic_permission(request, 'edit') + return request.user.has_perm("filer.change_file") and self.has_generic_permission(request, 'edit') def has_read_permission(self, request): return self.has_generic_permission(request, 'read') def has_add_children_permission(self, request): - return self.has_generic_permission(request, 'add_children') + return request.user.has_perm("filer.add_file") and self.has_generic_permission(request, 'add_children') def has_generic_permission(self, request, permission_type): """ diff --git a/filer/models/foldermodels.py b/filer/models/foldermodels.py index d89a69b62..904b23498 100644 --- a/filer/models/foldermodels.py +++ b/filer/models/foldermodels.py @@ -200,13 +200,13 @@ def quoted_logical_path(self): return urlquote(self.pretty_logical_path) def has_edit_permission(self, request): - return self.has_generic_permission(request, 'edit') + return request.user.has_perm("filer.change_folder") and self.has_generic_permission(request, 'edit') def has_read_permission(self, request): return self.has_generic_permission(request, 'read') def has_add_children_permission(self, request): - return self.has_generic_permission(request, 'add_children') + return request.user.has_perm("filer.change_folder") and self.has_generic_permission(request, 'add_children') def has_generic_permission(self, request, permission_type): """ diff --git a/tests/test_admin.py b/tests/test_admin.py index c329d57a7..9be82ca88 100644 --- a/tests/test_admin.py +++ b/tests/test_admin.py 
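Review bot: `has_read_permission` on the file model is left without a model-level check, while `has_edit_permission` and `has_add_children_permission` now require `filer.change_file` and `filer.add_file`. A user holding no filer permissions can therefore still pass the read check whenever `has_generic_permission` allows it. If that is intended, state it in a docstring, e.g. `"""Read access is decided by has_generic_permission only; no model permission is required."""`. Otherwise gate it the same way, presumably on `filer.view_file` (the tests in this commit already reference a `view_folder` codename).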
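Review bot: In the folder model `has_add_children_permission` is tied to `filer.change_folder`, whereas the file model's method of the same name uses `filer.add_file`, and the commit message lists `add_folder` among the permissions being respected. Combined with the new check in `ajax_upload`, uploading into a folder now appears to need both `filer.add_file` and `filer.change_folder`, so a user with only `add_file` would be refused for every folder. If that pairing is deliberate, a docstring such as `"""Requires filer.change_folder in addition to the folder-level add_children permission."""` would make it discoverable. If it is not, the codename needs revisiting.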
@@ -6,7 +6,9 @@ from django.contrib import admin from django.contrib.admin import helpers from django.contrib.auth import get_user_model +from django.contrib.auth.models import Permission from django.forms.models import model_to_dict as model_to_dict_django +from django.http import HttpResponseForbidden, HttpRequest from django.test import TestCase from django.urls import reverse @@ -249,14 +251,16 @@ def tearDown(self): def test_filer_upload_file(self, extra_headers={}): self.assertEqual(Image.objects.count(), 0) folder = Folder.objects.create(name='foo') - file_obj = django.core.files.File(open(self.filename, 'rb')) - url = reverse('admin:filer-ajax_upload', kwargs={'folder_id': folder.pk}) - post_data = { - 'Filename': self.image_name, - 'Filedata': file_obj, - 'jsessionid': self.client.session.session_key - } - response = self.client.post(url, post_data, **extra_headers) # noqa + with open(self.filename, 'rb') as fh: + file_obj = django.core.files.File(fh) + url = reverse('admin:filer-ajax_upload', kwargs={'folder_id': folder.pk}) + post_data = { + 'Filename': self.image_name, + 'Filedata': file_obj, + 'jsessionid': self.client.session.session_key + } + self.client.post(url, post_data, **extra_headers) + self.assertEqual(Image.objects.count(), 1) self.assertEqual(Image.objects.all()[0].original_filename, self.image_name) 
@@ -270,14 +274,16 @@ def test_filer_upload_video(self, extra_headers={}): )): self.assertEqual(Video.objects.count(), 0) folder = Folder.objects.create(name='foo') - file_obj = django.core.files.File(open(self.video_filename, 'rb')) - url = reverse('admin:filer-ajax_upload', kwargs={'folder_id': folder.pk}) - post_data = { - 'Filename': self.video_name, - 'Filedata': file_obj, - 'jsessionid': self.client.session.session_key - } - response = self.client.post(url, post_data, **extra_headers) # noqa + with open(self.video_filename, 'rb') as fh: + file_obj = django.core.files.File(fh) + url = reverse('admin:filer-ajax_upload', kwargs={'folder_id': folder.pk}) + post_data = { + 'Filename': self.video_name, + 'Filedata': file_obj, + 'jsessionid': self.client.session.session_key + } + self.client.post(url, post_data, **extra_headers) + self.assertEqual(Video.objects.count(), 1) self.assertEqual(Video.objects.all()[0].original_filename, self.video_name) 
@@ -290,62 +296,67 @@ def test_filer_upload_extimage(self, extra_headers={}): )): self.assertEqual(ExtImage.objects.count(), 0) folder = Folder.objects.create(name='foo') - file_obj = django.core.files.File(open(self.filename, 'rb')) - url = reverse('admin:filer-ajax_upload', kwargs={'folder_id': folder.pk}) + with open(self.filename, 'rb') as fh: + file_obj = django.core.files.File(fh) + url = reverse('admin:filer-ajax_upload', kwargs={'folder_id': folder.pk}) + post_data = { + 'Filename': self.image_name, + 'Filedata': file_obj, + 'jsessionid': self.client.session.session_key + } + self.client.post(url, post_data, **extra_headers) + + self.assertEqual(ExtImage.objects.count(), 1) + self.assertEqual(ExtImage.objects.all()[0].original_filename, self.image_name) + + def test_filer_upload_file_no_folder(self, extra_headers={}): + self.assertEqual(Image.objects.count(), 0) + with open(self.filename, 'rb') as fh: + file_obj = django.core.files.File(fh) + url = reverse('admin:filer-ajax_upload') post_data = { 'Filename': self.image_name, 'Filedata': file_obj, 'jsessionid': self.client.session.session_key } response = self.client.post(url, post_data, **extra_headers) # noqa - self.assertEqual(ExtImage.objects.count(), 1) - self.assertEqual(ExtImage.objects.all()[0].original_filename, self.image_name) - - def test_filer_upload_file_no_folder(self, extra_headers={}): - self.assertEqual(Image.objects.count(), 0) - file_obj = django.core.files.File(open(self.filename, 'rb')) - url = reverse('admin:filer-ajax_upload') - post_data = { - 'Filename': self.image_name, - 'Filedata': file_obj, - 'jsessionid': self.client.session.session_key - } - response = self.client.post(url, post_data, **extra_headers) # noqa - self.assertEqual(Image.objects.count(), 1) - stored_image = Image.objects.first() - self.assertEqual(stored_image.original_filename, self.image_name) - self.assertEqual(stored_image.mime_type, 'image/jpeg') + self.assertEqual(Image.objects.count(), 1) + stored_image = 
Image.objects.first() + self.assertEqual(stored_image.original_filename, self.image_name) + self.assertEqual(stored_image.mime_type, 'image/jpeg') def test_filer_upload_binary_data(self, extra_headers={}): self.assertEqual(File.objects.count(), 0) - file_obj = django.core.files.File(open(self.binary_filename, 'rb')) - url = reverse('admin:filer-ajax_upload') - post_data = { - 'Filename': self.binary_name, - 'Filedata': file_obj, - 'jsessionid': self.client.session.session_key - } - response = self.client.post(url, post_data, **extra_headers) # noqa - self.assertEqual(Image.objects.count(), 0) - self.assertEqual(File.objects.count(), 1) - stored_file = File.objects.first() - self.assertEqual(stored_file.original_filename, self.binary_name) - self.assertEqual(stored_file.mime_type, 'application/octet-stream') + with open(self.binary_filename, 'rb') as fh: + file_obj = django.core.files.File(fh) + url = reverse('admin:filer-ajax_upload') + post_data = { + 'Filename': self.binary_name, + 'Filedata': file_obj, + 'jsessionid': self.client.session.session_key + } + self.client.post(url, post_data, **extra_headers) + self.assertEqual(Image.objects.count(), 0) + self.assertEqual(File.objects.count(), 1) + stored_file = File.objects.first() + self.assertEqual(stored_file.original_filename, self.binary_name) + self.assertEqual(stored_file.mime_type, 'application/octet-stream') def test_filer_ajax_upload_file(self): self.assertEqual(Image.objects.count(), 0) folder = Folder.objects.create(name='foo') - file_obj = django.core.files.File(open(self.filename, 'rb')) - url = reverse( - 'admin:filer-ajax_upload', - kwargs={'folder_id': folder.pk} - ) + '?filename=%s' % self.image_name - response = self.client.post( # noqa - url, - data=file_obj.read(), - content_type='image/jpeg', - **{'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest'} - ) + with open(self.filename, 'rb') as fh: + file_obj = django.core.files.File(fh) + url = reverse( + 'admin:filer-ajax_upload', + kwargs={'folder_id': 
folder.pk} + ) + '?filename=%s' % self.image_name + response = self.client.post( # noqa + url, + data=file_obj.read(), + content_type='image/jpeg', + **{'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest'} + ) self.assertEqual(Image.objects.count(), 1) stored_image = Image.objects.first() self.assertEqual(stored_image.original_filename, self.image_name) @@ -354,17 +365,18 @@ def test_filer_ajax_upload_file(self): def test_filer_ajax_upload_file_using_content_type(self): self.assertEqual(Image.objects.count(), 0) folder = Folder.objects.create(name='foo') - file_obj = django.core.files.File(open(self.binary_filename, 'rb')) - url = reverse( - 'admin:filer-ajax_upload', - kwargs={'folder_id': folder.pk} - ) + '?filename=renamed.pdf' - response = self.client.post( # noqa - url, - data=file_obj.read(), - content_type='application/pdf', - **{'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest'} - ) + with open(self.binary_filename, 'rb') as fh: + file_obj = django.core.files.File(fh) + url = reverse( + 'admin:filer-ajax_upload', + kwargs={'folder_id': folder.pk} + ) + '?filename=renamed.pdf' + self.client.post( + url, + data=file_obj.read(), + content_type='application/pdf', + **{'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest'} + ) self.assertEqual(Image.objects.count(), 0) self.assertEqual(File.objects.count(), 1) stored_file = File.objects.first() 
@@ -373,16 +385,17 @@ def test_filer_ajax_upload_file_using_content_type(self): def test_filer_ajax_upload_file_no_folder(self): self.assertEqual(Image.objects.count(), 0) - file_obj = django.core.files.File(open(self.filename, 'rb')) - url = reverse( - 'admin:filer-ajax_upload' - ) + '?filename=%s' % self.image_name - response = self.client.post( # noqa - url, - data=file_obj.read(), - content_type='image/jpeg', - **{'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest'} - ) + with open(self.filename, 'rb') as fh: + file_obj = django.core.files.File(fh) + url = reverse( + 'admin:filer-ajax_upload' + ) + '?filename=%s' % self.image_name + self.client.post( + url, + data=file_obj.read(), + content_type='image/jpeg', + **{'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest'} + ) self.assertEqual(Image.objects.count(), 1) stored_image = Image.objects.first() self.assertEqual(stored_image.original_filename, self.image_name) @@ -391,15 +404,16 @@ def test_filer_ajax_upload_file_no_folder(self): def test_filer_upload_file_error(self, extra_headers={}): self.assertEqual(Image.objects.count(), 0) folder = Folder.objects.create(name='foo') - file_obj = django.core.files.File(open(self.filename, 'rb')) - url = reverse('admin:filer-ajax_upload', - kwargs={'folder_id': folder.pk + 1}) - post_data = { - 'Filename': self.image_name, - 'Filedata': file_obj, - 'jsessionid': self.client.session.session_key - } - response = self.client.post(url, post_data, **extra_headers) + with open(self.filename, 'rb') as fh: + file_obj = django.core.files.File(fh) + url = reverse('admin:filer-ajax_upload', + kwargs={'folder_id': folder.pk + 1}) + post_data = { + 'Filename': self.image_name, + 'Filedata': file_obj, + 'jsessionid': self.client.session.session_key + } + response = self.client.post(url, post_data, **extra_headers) from filer.admin.clipboardadmin import NO_FOLDER_ERROR self.assertContains(response, NO_FOLDER_ERROR) self.assertEqual(Image.objects.count(), 0) 
@@ -407,18 +421,19 @@ def test_filer_upload_file_error(self, extra_headers={}): def test_filer_ajax_upload_file_error(self): self.assertEqual(Image.objects.count(), 0) folder = Folder.objects.create(name='foo') - file_obj = django.core.files.File(open(self.filename, 'rb')) - url = reverse( - 'admin:filer-ajax_upload', - kwargs={ - 'folder_id': folder.pk + 1} - ) + '?filename={0}'.format(self.image_name) - response = self.client.post( - url, - data=file_obj.read(), - content_type='application/octet-stream', - **{'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest'} - ) + with open(self.filename, 'rb') as fh: + file_obj = django.core.files.File(fh) + url = reverse( + 'admin:filer-ajax_upload', + kwargs={ + 'folder_id': folder.pk + 1} + ) + '?filename={0}'.format(self.image_name) + response = self.client.post( + url, + data=file_obj.read(), + content_type='application/octet-stream', + **{'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest'} + ) from filer.admin.clipboardadmin import NO_FOLDER_ERROR self.assertContains(response, NO_FOLDER_ERROR) self.assertEqual(Image.objects.count(), 0) 
@@ -429,35 +444,38 @@ def test_filer_upload_permissions_error(self, extra_headers={}): username='joe_new', password='x', email='joe@mata.com') staff_user.is_staff = True staff_user.save() + staff_user.user_permissions.add(*Permission.objects.filter(codename="add_file")) self.client.login(username='joe_new', password='x') self.assertEqual(Image.objects.count(), 0) folder = Folder.objects.create(name='foo') - file_obj = django.core.files.File(open(self.filename, 'rb')) - - with SettingsOverride(filer_settings, FILER_ENABLE_PERMISSIONS=True): - - # give permissions over BAR - FolderPermission.objects.create( - folder=folder, - user=staff_user, - type=FolderPermission.THIS, - can_edit=FolderPermission.DENY, - can_read=FolderPermission.ALLOW, - can_add_children=FolderPermission.DENY) - url = reverse('admin:filer-ajax_upload', - kwargs={'folder_id': folder.pk}) - post_data = { - 'Filename': self.image_name, - 'Filedata': file_obj, - 'jsessionid': self.client.session.session_key - } - response = self.client.post(url, post_data, **extra_headers) + with open(self.filename, 'rb') as fh: + file_obj = django.core.files.File(fh) + + with SettingsOverride(filer_settings, FILER_ENABLE_PERMISSIONS=True): + + # give permissions over BAR + FolderPermission.objects.create( + folder=folder, + user=staff_user, + type=FolderPermission.THIS, + can_edit=FolderPermission.DENY, + can_read=FolderPermission.ALLOW, + can_add_children=FolderPermission.DENY) + url = reverse('admin:filer-ajax_upload', + kwargs={'folder_id': folder.pk}) + post_data = { + 'Filename': self.image_name, + 'Filedata': file_obj, + 'jsessionid': self.client.session.session_key + } + response = self.client.post(url, post_data, **extra_headers) from filer.admin.clipboardadmin import NO_PERMISSIONS_FOR_FOLDER self.assertContains(response, NO_PERMISSIONS_FOR_FOLDER) self.assertEqual(Image.objects.count(), 0) - def test_filer_ajax_upload_permissions_error(self, extra_headers={}): + def 
test_filer_ajax_upload_without_permissions_error(self, extra_headers={}): + """User without add_file permission cannot upload""" self.client.logout() staff_user = User.objects.create_user( username='joe_new', password='x', email='joe@mata.com') @@ -466,18 +484,9 @@ def test_filer_ajax_upload_permissions_error(self, extra_headers={}): self.client.login(username='joe_new', password='x') self.assertEqual(Image.objects.count(), 0) folder = Folder.objects.create(name='foo') - file_obj = django.core.files.File(open(self.filename, 'rb')) - - with SettingsOverride(filer_settings, FILER_ENABLE_PERMISSIONS=True): + with open(self.filename, 'rb') as fh: + file_obj = django.core.files.File(fh) - # give permissions over BAR - FolderPermission.objects.create( - folder=folder, - user=staff_user, - type=FolderPermission.THIS, - can_edit=FolderPermission.DENY, - can_read=FolderPermission.ALLOW, - can_add_children=FolderPermission.DENY) url = reverse( 'admin:filer-ajax_upload', kwargs={ 
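Review bot: `test_filer_upload_permissions_error` no longer exercises the `FolderPermission` DENY row it creates. The user is granted only `add_file`, and `Folder.has_add_children_permission` in this commit returns False as soon as `filer.change_folder` is missing, so the response would be `NO_PERMISSIONS_FOR_FOLDER` even with `can_add_children=FolderPermission.ALLOW`. Granting both codenames keeps the folder-level rule under test: `staff_user.user_permissions.add(*Permission.objects.filter(codename__in=["add_file", "change_folder"]))`. The same applies to `test_filer_ajax_upload_permissions_error` in the `@@ -489,6 +498,73 @@` hunk.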
@@ -489,6 +498,73 @@ def test_filer_ajax_upload_permissions_error(self, extra_headers={}): content_type='application/octet-stream', **{'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest'} ) + + from filer.admin.clipboardadmin import NO_PERMISSIONS + + self.assertContains(response, NO_PERMISSIONS) + self.assertEqual(Image.objects.count(), 0) + + def test_filer_add_file_permissions(self, extra_headers={}): + """Add_file permissions reflect in has_... methods of File and Folder classes""" + self.client.logout() + staff_user = User.objects.create_user( + username='joe_new', password='x', email='joe@mata.com') + staff_user.is_staff = True + staff_user.save() + self.client.login(username='joe_new', password='x') + self.assertEqual(Image.objects.count(), 0) + folder = Folder.objects.create(name='foo') + + file_data = django.core.files.base.ContentFile('some data') + file_data.name = self.filename + file = File.objects.create( + owner=self.superuser, + original_filename=self.filename, + file=file_data, + folder=folder + ) + file.save() + request = HttpRequest() + setattr(request, "user", staff_user) + + self.assertEqual(folder.has_add_children_permission(request), False) + self.assertEqual(file.has_add_children_permission(request), False) + + def test_filer_ajax_upload_permissions_error(self, extra_headers={}): + self.client.logout() + staff_user = User.objects.create_user( + username='joe_new', password='x', email='joe@mata.com') + staff_user.is_staff = True + staff_user.save() + staff_user.user_permissions.add(*Permission.objects.filter(codename="add_file")) + self.client.login(username='joe_new', password='x') + self.assertEqual(Image.objects.count(), 0) + folder = Folder.objects.create(name='foo') + with open(self.filename, 'rb') as fh: + file_obj = django.core.files.File(fh) + + with SettingsOverride(filer_settings, FILER_ENABLE_PERMISSIONS=True): + + # give permissions over BAR + FolderPermission.objects.create( + folder=folder, + user=staff_user, + type=FolderPermission.THIS, 
+ can_edit=FolderPermission.DENY, + can_read=FolderPermission.ALLOW, + can_add_children=FolderPermission.DENY) + url = reverse( + 'admin:filer-ajax_upload', + kwargs={ + 'folder_id': folder.pk} + ) + '?filename={0}'.format(self.image_name) + response = self.client.post( + url, + data=file_obj.read(), + content_type='application/octet-stream', + **{'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest'} + ) + from filer.admin.clipboardadmin import NO_PERMISSIONS_FOR_FOLDER self.assertContains(response, NO_PERMISSIONS_FOR_FOLDER) self.assertEqual(Image.objects.count(), 0) @@ -497,9 +573,10 @@ def test_templatetag_file_icon_url(self): filename = os.path.join(settings.FILE_UPLOAD_TEMP_DIR, 'invalid.svg') with open(filename, 'wb') as fh: fh.write(b'') - file_obj = django.core.files.File(open(filename, 'rb'), name=filename) - image_obj = Image.objects.create(owner=self.superuser, original_filename=self.image_name, file=file_obj, mime_type='image/svg+xml') - image_obj.save() + with open(self.filename, 'rb') as fh: + file_obj = django.core.files.File(fh, name=filename) + image_obj = Image.objects.create(owner=self.superuser, original_filename=self.image_name, file=file_obj, mime_type='image/svg+xml') + image_obj.save() url = file_icon_url(image_obj) self.assertEqual(url, '/static/filer/icons/file\\u002Dunknown.svg') 
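Review bot: In the `@@ -497,9 +573,10 @@` hunk, the rewritten `open` call in `test_templatetag_file_icon_url` reads `self.filename` where the removed line read the local `filename`. The empty `invalid.svg` written two lines earlier is therefore no longer the content handed to `Image.objects.create`, and the test now runs against the regular test image under an `.svg` name. This looks like a slip made while converting to a context manager; `with open(filename, 'rb') as fh:` keeps the original fixture. The test continues outside the hunk.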
@@ -543,9 +620,10 @@ def create_src_and_dst_folders(self): def create_image(self, folder, filename=None): filename = filename or 'test_image.jpg' - file_obj = django.core.files.File(open(self.filename, 'rb'), name=filename) - image_obj = Image.objects.create(owner=self.superuser, original_filename=self.image_name, file=file_obj, folder=folder, mime_type='image/jpeg') - image_obj.save() + with open(self.filename, 'rb') as fh: + file_obj = django.core.files.File(fh, name=filename) + image_obj = Image.objects.create(owner=self.superuser, original_filename=self.image_name, file=file_obj, folder=folder, mime_type='image/jpeg') + image_obj.save() return image_obj def create_file(self, folder, filename=None): @@ -895,6 +973,8 @@ def setUp(self): username='joe', password='x', email='joe@mata.com') self.staff_user.is_staff = True self.staff_user.save() + perms = Permission.objects.filter(codename__in=["view_folder", "add_file", "add_folder", "can_use_directory_listing"]) + self.staff_user.user_permissions.add(*perms) self.parent = Folder.objects.create(name='bar', parent=None, owner=superuser) self.foo_folder = Folder.objects.create(name='foo', parent=self.parent, owner=self.staff_user) @@ -908,6 +988,18 @@ def setUp(self): file=file_data, folder=self.parent) self.client.login(username='joe', password='x') + def test_with_without_permissions(self): + staff_user_wo_permissions = User.objects.create_user( + username='joemata', password='x', email='joe@mata.com') + staff_user_wo_permissions.is_staff = True + staff_user_wo_permissions.save() + self.client.login(username='joemata', password='x') + with SettingsOverride(filer_settings, FILER_ENABLE_PERMISSIONS=False): + response = self.client.get( + reverse('admin:filer-directory_listing', + kwargs={'folder_id': self.parent.id})) + self.assertIsInstance(response, HttpResponseForbidden) + def test_with_permissions_disabled(self): with SettingsOverride(filer_settings, FILER_ENABLE_PERMISSIONS=False): response = self.client.get( 
diff --git a/tests/test_dump.py b/tests/test_dump.py index 9121ef184..d8295ddfd 100644 --- a/tests/test_dump.py +++ b/tests/test_dump.py @@ -35,17 +35,19 @@ def tearDown(self): pass def create_filer_image(self, folder=None): - file_obj = DjangoFile(open(self.filename, 'rb'), name=self.image_name) - image = Image.objects.create(owner=self.superuser, - original_filename=self.image_name, - file=file_obj, folder=folder) + with open(self.filename, 'rb') as file: + file_obj = DjangoFile(file, name=self.image_name) + image = Image.objects.create(owner=self.superuser, + original_filename=self.image_name, + file=file_obj, folder=folder) return image def create_filer_file(self, folder=None): - file_obj = DjangoFile(open(self.filename, 'rb'), name=self.image_name) - fileobj = File.objects.create(owner=self.superuser, - original_filename=self.image_name, - file=file_obj, folder=folder) + with open(self.filename, 'rb') as file: + file_obj = DjangoFile(file, name=self.image_name) + fileobj = File.objects.create(owner=self.superuser, + original_filename=self.image_name, + file=file_obj, folder=folder) return fileobj def test_dump_data_base(self): diff --git a/tests/test_permissions.py b/tests/test_permissions.py index 23e7d93bc..1dacb2a38 100644 --- a/tests/test_permissions.py +++ b/tests/test_permissions.py @@ -1,7 +1,7 @@ import os from django.conf import settings -from django.contrib.auth.models import Group +from django.contrib.auth.models import Group, Permission from django.core.files import File as DjangoFile from django.test.testcases import TestCase 
@@ -33,8 +33,11 @@ def setUp(self): self.owner = User.objects.create(username='owner') + perms = Permission.objects.filter(codename="change_folder") self.test_user1 = User.objects.create(username='test1', password='secret') self.test_user2 = User.objects.create(username='test2', password='secret') + self.test_user1.user_permissions.add(*perms) + self.test_user2.user_permissions.add(*perms) self.group1 = Group.objects.create(name='name1') self.group2 = Group.objects.create(name='name2') diff --git a/tests/test_tools.py b/tests/test_tools.py index 2b548597a..914aabd4c 100644 --- a/tests/test_tools.py +++ b/tests/test_tools.py @@ -35,6 +35,7 @@ def setUp(self): self.folder = Folder.objects.create(name='test_folder') def tearDown(self): + self.file.close() self.client.logout() os.remove(self.filename) for img in Image.objects.all():