
fix: prevent delete for built-in roles

Lance Edgar 2024-08-14 16:58:08 -05:00
parent 330ee324ba
commit bc49392140
8 changed files with 106 additions and 53 deletions


@ -22,9 +22,8 @@ class TestMasterView(WebTestCase):
def test_defaults(self):
with patch.multiple(master.MasterView, create=True,
model_name='Widget',
viewable=False,
editable=False,
deletable=False):
model_key='uuid',
configurable=True):
master.MasterView.defaults(self.pyramid_config)
##############################
@ -392,6 +391,13 @@ class TestMasterView(WebTestCase):
model = self.app.model
self.app.save_setting(self.session, 'foo', 'bar')
self.session.commit()
setting = self.session.query(model.Setting).one()
view = self.make_view()
# empty by default
self.assertFalse(hasattr(master.MasterView, 'model_class'))
data = view.get_grid_data(session=self.session)
self.assertEqual(data, [])
# basic logic with Setting model
with patch.multiple(master.MasterView, create=True,
@ -399,16 +405,7 @@ class TestMasterView(WebTestCase):
view = master.MasterView(self.request)
data = view.get_grid_data(session=self.session)
self.assertEqual(len(data), 1)
self.assertEqual(data[0], {'name': 'foo', 'value': 'bar'})
# error if model not known
view = master.MasterView(self.request)
self.assertFalse(hasattr(master.MasterView, 'model_class'))
def get_query(session=None):
session = session or self.session
return session.query(model.Setting)
with patch.object(view, 'get_query', new=get_query):
self.assertRaises(ValueError, view.get_grid_data, session=self.session)
self.assertIs(data[0], setting)
def test_configure_grid(self):
model = self.app.model
@ -754,15 +751,24 @@ class TestMasterView(WebTestCase):
def delete_instance(setting):
self.app.delete_setting(self.session, setting['name'])
# post request to save settings
self.request.method = 'POST'
self.request.POST = {}
with patch.object(view, 'delete_instance', new=delete_instance):
# enforces "instance not deletable" rules
with patch.object(view, 'is_deletable', return_value=False):
response = view.delete()
# nb. should get redirect back to view page
self.assertEqual(response.status_code, 302)
# setting remains in DB
self.assertEqual(self.session.query(model.Setting).count(), 1)
# post request to delete setting
response = view.delete()
# nb. should get redirect back to view page
self.assertEqual(response.status_code, 302)
# setting should be gone from DB
self.assertEqual(self.session.query(model.Setting).count(), 0)
# nb. should get redirect back to view page
self.assertEqual(response.status_code, 302)
# setting should be gone from DB
self.assertEqual(self.session.query(model.Setting).count(), 0)
def test_delete_instance(self):
model = self.app.model
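Review bot: In the `test_delete` hunk the refused delete and the permitted delete both assert only `response.status_code == 302`, so the row count is the one thing separating the two outcomes and nothing shows that the view actually consulted the guard. Binding the mock with `with patch.object(view, 'is_deletable', return_value=False) as is_deletable:` and adding `is_deletable.assert_called_once()` after the call would pin that the POST path goes through `is_deletable()` before `delete_instance()`. It would also be worth asserting where the redirect points, since the comment says it returns to the view page but the test never checks that. `test_delete` starts above the hunk, so the setup of `view` is not visible here.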


@ -31,6 +31,22 @@ class TestRoleView(WebTestCase):
view.configure_grid(grid)
self.assertTrue(grid.is_linked('name'))
def test_is_deletable(self):
model = self.app.model
auth = self.app.get_auth_handler()
blokes = model.Role(name="Blokes")
self.session.add(blokes)
self.session.commit()
view = self.make_view()
# deletable by default
self.assertTrue(view.is_deletable(blokes))
# built-in roles not deletable
self.assertFalse(view.is_deletable(auth.get_role_administrator(self.session)))
self.assertFalse(view.is_deletable(auth.get_role_authenticated(self.session)))
self.assertFalse(view.is_deletable(auth.get_role_anonymous(self.session)))
def test_configure_form(self):
model = self.app.model
role = model.Role(name="Foo")
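Review bot: `test_is_deletable` checks the predicate for the three built-in roles but never drives `view.delete()` against one of them, so the protection is asserted one step away from the request that performs the deletion. A case that posts a delete for the role returned by `auth.get_role_administrator(self.session)` and then asserts the role is still present would show the rule holds at the request boundary, presumably via the generic delete path in the master view. A one-line docstring such as `"""Built-in roles (administrator, authenticated, anonymous) must never be deletable."""` would also record why these three are special. The `TestRoleView` class begins outside the hunk and `test_configure_form` continues past it.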