Changeset - 92c573bd63cb
stable
0 1 0
Mads Kiilerich - 8 years ago 2018-05-07 00:49:44
mads@kiilerich.com
tests: add tests that exercise some missing repo permission access control checks
1 file changed with 53 insertions and 0 deletions:
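--- a/kallithea/tests/functional/test_admin_permissions.py
+++ b/kallithea/tests/functional/test_admin_permissions.py
@@ -45,3 +45,56 @@ class TestAdminPermissionsController(Tes
         self.log_user()
         response = self.app.get(url('admin_permissions_perms'))
         # Test response...
+
+    def test_edit_permissions_permissions(self):
+        user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
+
+        # Test unauthenticated access
+        # FIXME: access without authentication
+        response = self.app.post(
+            url('edit_repo_perms_update', repo_name=HG_REPO),
+            params=dict(
+                _method='put',
+                perm_new_member_1='repository.read',
+                perm_new_member_name_1=user.username,
+                perm_new_member_type_1='user',
+                _authentication_token=self.authentication_token()),
+            status=302)
+
+        assert response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
+
+        # FIXME: access without authentication
+        response = self.app.post(
+            url('edit_repo_perms_revoke', repo_name=HG_REPO),
+            params=dict(
+                _method='delete',
+                obj_type='user',
+                user_id=user.user_id,
+                _authentication_token=self.authentication_token()),
+            status=200) # success has no content
+        assert not response.body
+
+        # Test authenticated access
+        self.log_user()
+
+        response = self.app.post(
+            url('edit_repo_perms_update', repo_name=HG_REPO),
+            params=dict(
+                _method='put',
+                perm_new_member_1='repository.read',
+                perm_new_member_name_1=user.username,
+                perm_new_member_type_1='user',
+                _authentication_token=self.authentication_token()),
+            status=302)
+
+        assert response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
+
+        response = self.app.post(
+            url('edit_repo_perms_revoke', repo_name=HG_REPO),
+            params=dict(
+                _method='delete',
+                obj_type='user',
+                user_id=user.user_id,
+                _authentication_token=self.authentication_token()),
+            status=200) # success has no content
+        assert not response.body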
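Review bot: The assertions in `test_edit_permissions_permissions` check only the status code, the redirect target and the empty body, so they cannot show whether the unauthenticated update and revoke requests actually changed the repository's permissions. After each request the test should also look up the permission entry for `user` on `HG_REPO` and assert that it is present or absent, which is the state an access-control regression test needs to pin. The two `# FIXME: access without authentication` comments do not say what the correct outcome is; something like `# FIXME: succeeds without login; must be rejected once the repo permission check is enforced` makes clear that the `status=302` and `status=200` expectations in the first half are the defect being documented and have to flip with the fix. The authenticated half appears to run only as the default `log_user()` account, so a logged-in user without admin rights on the repository is not covered here.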