add tests

dpgaspar · Dec 3, 2021 · 9932b64 · 9932b64
1 parent 1835929
commit 9932b64
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/flask_appbuilder/security/decorators.py b/flask_appbuilder/security/decorators.py
@@ -86,19 +86,25 @@ def wraps(self, *args, **kwargs):
                 if _permission_name:
                     permission_str = f"{PERMISSION_PREFIX}{_permission_name}"
             class_permission_name = self.class_permission_name
+            # Check if permission is allowed on the class
             if permission_str not in self.base_permissions:
                 return response_unauthorized(self)
+            # Check if the resource is public
             if current_app.appbuilder.sm.is_item_public(
                 permission_str, class_permission_name
             ):
                 return f(self, *args, **kwargs)
+            # if no browser login then verify JWT
             if not (self.allow_browser_login or allow_browser_login):
                 verify_jwt_in_request()
+            # Verify resource access
             if current_app.appbuilder.sm.has_access(
                 permission_str, class_permission_name
             ):
                 return f(self, *args, **kwargs)
+            # If browser login?
             elif self.allow_browser_login or allow_browser_login:
+                # no session cookie (but we allow it), then try JWT
                 if not current_user.is_authenticated:
                     verify_jwt_in_request()
                 if current_app.appbuilder.sm.has_access(

diff --git a/flask_appbuilder/tests/test_mvc.py b/flask_appbuilder/tests/test_mvc.py
@@ -1310,6 +1310,40 @@ def test_api_read(self):
         self.assertIn("pks", data)
         assert len(data.get("result")) > 10
 
+    def test_api_unauthenticated(self):
+        """
+        Testing unauthenticated access to MVC API
+        """
+        client = self.app.test_client()
+        self.app.config["AUTH_STRICT_RESPONSE_CODES"] = True
+        rv = client.get("/model1formattedview/api/read")
+        self.assertEqual(rv.status_code, 401)
+        self.app.config["AUTH_STRICT_RESPONSE_CODES"] = False
+        rv = client.get("/model1formattedview/api/read")
+        self.assertEqual(rv.status_code, 401)
+
+    def test_api_unauthorized(self):
+        """
+        Testing unauthorized access to MVC API
+        """
+        client = self.app.test_client()
+        self.browser_login(client, USERNAME_READONLY, PASSWORD_READONLY)
+        self.app.config["AUTH_STRICT_RESPONSE_CODES"] = True
+
+        rv = client.post(
+            "/model1view/api/create",
+            data=dict(field_string="zzz"),
+            follow_redirects=True,
+        )
+        self.assertEqual(rv.status_code, 403)
+        self.app.config["AUTH_STRICT_RESPONSE_CODES"] = False
+        rv = client.post(
+            "/model1view/api/create",
+            data=dict(field_string="zzz"),
+            follow_redirects=True,
+        )
+        self.assertEqual(rv.status_code, 401)
+
     def test_api_create(self):
         """
         Testing the api/create endpoint