changeset 7289:8f0589bcbb15

tests: add tests that exercise some missing repo permission access control checks
author Mads Kiilerich <mads@kiilerich.com>
date Mon, 07 May 2018 00:49:44 +0200
parents ef8d19a299c7
children c0c8d12dc032
files kallithea/tests/functional/test_admin_permissions.py
diffstat 1 files changed, 49 insertions(+), 0 deletions(-) [+]
--- a/kallithea/tests/functional/test_admin_permissions.py	Mon May 21 14:55:35 2018 +0200
+++ b/kallithea/tests/functional/test_admin_permissions.py	Mon May 07 00:49:44 2018 +0200
@@ -78,3 +78,52 @@
         self.log_user()
         response = self.app.get(url('admin_permissions_perms'))
         # Test response...
+
+    def test_edit_permissions_permissions(self):
+        user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
+
+        # Test unauthenticated access
+        # FIXME: access without authentication
+        response = self.app.post(
+            url('edit_repo_perms_update', repo_name=HG_REPO),
+            params=dict(
+                perm_new_member_1='repository.read',
+                perm_new_member_name_1=user.username,
+                perm_new_member_type_1='user',
+                _authentication_token=self.authentication_token()),
+            status=302)
+
+        assert response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
+
+        # FIXME: access without authentication
+        response = self.app.post(
+            url('edit_repo_perms_revoke', repo_name=HG_REPO),
+            params=dict(
+                obj_type='user',
+                user_id=user.user_id,
+                _authentication_token=self.authentication_token()),
+            status=204) # success has no content
+        assert not response.body
+
+        # Test authenticated access
+        self.log_user()
+
+        response = self.app.post(
+            url('edit_repo_perms_update', repo_name=HG_REPO),
+            params=dict(
+                perm_new_member_1='repository.read',
+                perm_new_member_name_1=user.username,
+                perm_new_member_type_1='user',
+                _authentication_token=self.authentication_token()),
+            status=302)
+
+        assert response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
+
+        response = self.app.post(
+            url('edit_repo_perms_revoke', repo_name=HG_REPO),
+            params=dict(
+                obj_type='user',
+                user_id=user.user_id,
+                _authentication_token=self.authentication_token()),
+            status=204) # success has no content
+        assert not response.body
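Review bot: The unauthenticated requests at the top of `test_edit_permissions_permissions` are checked only by status code, redirect location and empty body, which are the same assertions used after `self.log_user()`, so the test never shows whether the permission for `user` on `HG_REPO` was actually granted or revoked in either case. Reading the stored permission back after each `self.app.post(...)` would record the real effect of the missing access check, and would make the test fail for the right reason once the controller starts rejecting anonymous callers. The two `# FIXME: access without authentication` comments would be clearer if they stated the intended outcome, for example `# FIXME: unauthenticated POST is accepted; it should be rejected and leave permissions unchanged`. The name repeats "permissions" although the test targets the repo permission endpoints (`edit_repo_perms_update`, `edit_repo_perms_revoke`), so a name such as `test_edit_repo_permissions` would describe it better.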