# HG changeset patch
# User Mads Kiilerich
# Date 1525646984 -7200
# Node ID 8f0589bcbb15094421ba1297cb2e81217b7eeb74
# Parent ef8d19a299c72eb8611e009a8e911717354ceabd
tests: add tests that exercise some missing repo permission access control checks
diff -r ef8d19a299c7 -r 8f0589bcbb15 kallithea/tests/functional/test_admin_permissions.py
--- a/kallithea/tests/functional/test_admin_permissions.py Mon May 21 14:55:35 2018 +0200
+++ b/kallithea/tests/functional/test_admin_permissions.py Mon May 07 00:49:44 2018 +0200
@@ -78,3 +78,52 @@
 self.log_user()
 response = self.app.get(url('admin_permissions_perms'))
 # Test response...
+
+ def test_edit_permissions_permissions(self):
+ user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
+
+ # Test unauthenticated access
+ # FIXME: access without authentication
+ response = self.app.post(
+ url('edit_repo_perms_update', repo_name=HG_REPO),
+ params=dict(
+ perm_new_member_1='repository.read',
+ perm_new_member_name_1=user.username,
+ perm_new_member_type_1='user',
+ _authentication_token=self.authentication_token()),
+ status=302)
+
+ assert response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
+
+ # FIXME: access without authentication
+ response = self.app.post(
+ url('edit_repo_perms_revoke', repo_name=HG_REPO),
+ params=dict(
+ obj_type='user',
+ user_id=user.user_id,
+ _authentication_token=self.authentication_token()),
+ status=204) # success has no content
+ assert not response.body
+
+ # Test authenticated access
+ self.log_user()
+
+ response = self.app.post(
+ url('edit_repo_perms_update', repo_name=HG_REPO),
+ params=dict(
+ perm_new_member_1='repository.read',
+ perm_new_member_name_1=user.username,
+ perm_new_member_type_1='user',
+ _authentication_token=self.authentication_token()),
+ status=302)
+
+ assert response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
+
+ response = self.app.post(
+ url('edit_repo_perms_revoke', repo_name=HG_REPO),
+ params=dict(
+ obj_type='user',
+ user_id=user.user_id,
+ _authentication_token=self.authentication_token()),
+ status=204) # success has no content
+ assert not response.body
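Review bot: The two anonymous POSTs under `# Test unauthenticated access` assert the same `status=302` / `status=204` and the same redirect target as the logged-in calls further down, so the test only passes while the missing access check exists, and it never shows whether the anonymous request actually changed the permissions stored for `user` on `HG_REPO`. I would assert the stored permission after each anonymous call and state the intended outcome next to the pinned one, e.g. `# FIXME: currently succeeds anonymously; once fixed this must be rejected and leave permissions unchanged`, so whoever fixes the controller knows which assertions to flip. The `self.log_user()` section presumably logs in the default test account; if that account is an administrator, the case of a logged-in user without admin rights on the repository is still not exercised. The enclosing test class starts outside the hunk.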