Add a test to ensure that api key permissions are working.

openplans · Apr 2, 2015 · c28a4f3 · c28a4f3
1 parent c0b8ade
commit c28a4f3
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/src/sa_api_v2/models/data_permissions.py b/src/sa_api_v2/models/data_permissions.py
@@ -12,6 +12,16 @@ class DataPermissionManager (models.Manager):
     def all_permissions(self):
         return self.all()
 
+    def add_permission(self, submission_set, can_create, can_retrieve, can_update, can_destroy, priority=None):
+        PermModel = self.model
+        return self.add(PermModel(
+            submission_set=submission_set,
+            can_create=can_create,
+            can_retrieve=can_retrieve,
+            can_update=can_update,
+            can_destroy=can_destroy,
+            priority=priority))
+
 
 class DataPermission (CloneableModelMixin, CacheClearingModel, models.Model):
     """

diff --git a/src/sa_api_v2/tests/test_views.py b/src/sa_api_v2/tests/test_views.py
@@ -1305,6 +1305,8 @@ def test_POST_response(self):
         #
         request = self.factory.post(self.path, data=place_data, content_type='application/json')
         request.META[KEY_HEADER] = self.apikey.key
+        self.apikey.permissions.all().delete()
+        self.apikey.permissions.add_permission('places', True, True, False, False)
 
         response = self.view(request, **self.request_kwargs)
 
@@ -1335,6 +1337,19 @@ def test_POST_response(self):
         final_num_places = Place.objects.all().count()
         self.assertEqual(final_num_places, start_num_places + 1)
 
+        #
+        # View should 401 when api key does not have enough permission
+        #
+        request = self.factory.post(self.path, data=place_data, content_type='application/json')
+        request.META[KEY_HEADER] = self.apikey.key
+        self.apikey.permissions.all().delete()
+        self.apikey.permissions.add_permission('places', False, True, False, False)
+        self.apikey.permissions.add_permission('comments', True, True, False, False)
+
+        response = self.view(request, **self.request_kwargs)
+        self.assertStatusCode(response, 403)
+
+
     def test_PUT_creates_in_bulk(self):
         # Create a couple bogus places so that we can be sure we're not
         # inadvertantly deleting them