mirror of
https://github.com/ae-utbm/sith.git
synced 2024-11-21 21:53:30 +00:00
commit
cacdf600f4
@ -991,8 +991,8 @@ class SithFile(models.Model):
|
|||||||
return user.is_board_member
|
return user.is_board_member
|
||||||
if user.is_com_admin:
|
if user.is_com_admin:
|
||||||
return True
|
return True
|
||||||
if self.is_in_sas:
|
if self.is_in_sas and user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
|
||||||
return user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID)
|
return True
|
||||||
return user.id == self.owner_id
|
return user.id == self.owner_id
|
||||||
|
|
||||||
def can_be_viewed_by(self, user):
|
def can_be_viewed_by(self, user):
|
||||||
|
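Review bot: The rewritten SAS branch of `is_owned_by` no longer returns early for files in the SAS, so a user outside `SITH_GROUP_SAS_ADMIN_ID` now falls through to `return user.id == self.owner_id`, and the recorded owner of a SAS file passes a check that previously only SAS admins passed. This widens an authorization predicate, so if it is intended it should be stated at the branch, e.g. `# SAS admins own every SAS file; everyone else falls through to the owner check below`. It is also worth confirming that every caller gating edit or delete on `is_owned_by` should grant that to owners of SAS files. The function starts above the hunk, so whether an unauthenticated user can reach the final comparison cannot be judged from here.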
@ -13,8 +13,57 @@ from model_bakery.recipe import Recipe, foreign_key
|
|||||||
from PIL import Image
|
from PIL import Image
|
||||||
from pytest_django.asserts import assertNumQueries
|
from pytest_django.asserts import assertNumQueries
|
||||||
|
|
||||||
from core.baker_recipes import board_user, subscriber_user
|
from core.baker_recipes import board_user, old_subscriber_user, subscriber_user
|
||||||
from core.models import Group, SithFile, User
|
from core.models import Group, RealGroup, SithFile, User
|
||||||
|
from sas.models import Picture
|
||||||
|
from sith import settings
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.django_db
|
||||||
|
class TestImageAccess:
|
||||||
|
@pytest.mark.parametrize(
|
||||||
|
"user_factory",
|
||||||
|
[
|
||||||
|
lambda: baker.make(User, is_superuser=True),
|
||||||
|
lambda: baker.make(
|
||||||
|
User,
|
||||||
|
groups=[RealGroup.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)],
|
||||||
|
),
|
||||||
|
lambda: baker.make(
|
||||||
|
User,
|
||||||
|
groups=[RealGroup.objects.get(pk=settings.SITH_GROUP_COM_ADMIN_ID)],
|
||||||
|
),
|
||||||
|
],
|
||||||
|
)
|
||||||
|
def test_sas_image_access(self, user_factory: Callable[[], User]):
|
||||||
|
"""Test that only authorized users can access the sas image."""
|
||||||
|
user = user_factory()
|
||||||
|
picture: SithFile = baker.make(
|
||||||
|
Picture, parent=SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)
|
||||||
|
)
|
||||||
|
assert picture.is_owned_by(user)
|
||||||
|
|
||||||
|
def test_sas_image_access_owner(self):
|
||||||
|
"""Test that the owner of the image can access it."""
|
||||||
|
user = baker.make(User)
|
||||||
|
picture: Picture = baker.make(Picture, owner=user)
|
||||||
|
assert picture.is_owned_by(user)
|
||||||
|
|
||||||
|
@pytest.mark.parametrize(
|
||||||
|
"user_factory",
|
||||||
|
[
|
||||||
|
lambda: baker.make(User),
|
||||||
|
subscriber_user.make,
|
||||||
|
old_subscriber_user.make,
|
||||||
|
board_user.make,
|
||||||
|
],
|
||||||
|
)
|
||||||
|
def test_sas_image_access_forbidden(self, user_factory: Callable[[], User]):
|
||||||
|
cache.clear()
|
||||||
|
user = user_factory()
|
||||||
|
owner = baker.make(User)
|
||||||
|
picture: Picture = baker.make(Picture, owner=owner)
|
||||||
|
assert not picture.is_owned_by(user)
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.django_db
|
@pytest.mark.django_db
|
||||||
|
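Review bot: `test_sas_image_access_owner` and `test_sas_image_access_forbidden` build their `Picture` without `parent=SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)`, unlike `test_sas_image_access`, so they may not run with `is_in_sas` true and may never reach the branch this commit changes. That depends on how `Picture` derives `is_in_sas`, which is not visible here. Creating the pictures under the SAS root in both tests would pin the allow and deny outcomes for the new code path; the forbidden test would also benefit from a one-line docstring like its siblings. Separately, `from sith import settings` reads the settings module directly; `from django.conf import settings` is the usual import, so that test-time setting overrides are honoured.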