mirror of
https://github.com/pretix/pretix.git
synced 2026-05-03 14:54:04 +00:00
8eaada992f
* MKBDIGI-184: Basic create added for API items endpoint * MKBDIGI-184: Starting endpoint for GET /api/v1/organizers/(organizer)/events/(event)/items/(id)/variations/ * MKBDIGI-184: endpoint for GET /api/v1/organizers/(organizer)/events/(event)/items/(id)/variations/ * MKBDIGI-184: Completed endpoint for variations * MKBDIGI-184: Added endpoint for addons * MKBDIGI-184: Added Item validation * MKBDIGI-184: Added check for order/cart positions on item variation destroy. * MKBDIGI-184: Fixed check for order/cart positions on item variation destroy. * MKBDIGI-184: Updated tests, validation for addons * MKBDIGI-184: Documentation feedback corrections * MKBDIGI-184: Added documentation for item add-ons * MKBDIGI-184: Code formatting fixes * MKBDIGI-184: Feedback fixes * MKBDIGI-184: Updated tests for delete item * MKBDIGI-184: Cleaned up tests * MKBDIGI-184: Added additional test URLs * MKBDIGI-184: Documentation fixes * MKBDIGI-184: Fixed read-only fields/Documentation * MKBDIGI-184: Documentation fixes * MKBDIGI-184: Added helper for dict merge for 3.4 compatibility * MKBDIGI-184: Validation updates * MKBDIGI-184: Fixed permissions test error. Changed to HTTP 404 for POST to addons endpoint * MKBDIGI-184: Implemented nested variations and add-ons for POST on the item endpoint.
254 lines
9.5 KiB
Python
254 lines
9.5 KiB
Python
import time
|
|
|
|
import pytest
|
|
from django.test import override_settings
|
|
|
|
from pretix.base.models import Organizer
|
|
|
|
event_urls = [
|
|
'categories/',
|
|
'invoices/',
|
|
'items/',
|
|
'orders/',
|
|
'orderpositions/',
|
|
'questions/',
|
|
'quotas/',
|
|
'vouchers/',
|
|
'subevents/',
|
|
'taxrules/',
|
|
'waitinglistentries/',
|
|
'checkinlists/',
|
|
]
|
|
|
|
event_permission_urls = [
|
|
('get', 'can_view_orders', 'orders/', 200),
|
|
('get', 'can_view_orders', 'orderpositions/', 200),
|
|
('get', 'can_view_vouchers', 'vouchers/', 200),
|
|
('get', 'can_view_orders', 'invoices/', 200),
|
|
('get', 'can_view_orders', 'waitinglistentries/', 200),
|
|
('get', 'can_change_items', 'categories/', 200),
|
|
('get', 'can_change_items', 'items/', 200),
|
|
('get', 'can_change_items', 'questions/', 200),
|
|
('get', 'can_change_items', 'quotas/', 200),
|
|
('post', 'can_change_items', 'items/', 400),
|
|
('put', 'can_change_items', 'items/1/', 404),
|
|
('patch', 'can_change_items', 'items/1/', 404),
|
|
('delete', 'can_change_items', 'items/1/', 404),
|
|
('post', 'can_change_items', 'items/1/variations/', 404),
|
|
('put', 'can_change_items', 'items/1/variations/1/', 404),
|
|
('patch', 'can_change_items', 'items/1/variations/1/', 404),
|
|
('delete', 'can_change_items', 'items/1/variations/1/', 404),
|
|
('post', 'can_change_items', 'items/1/addons/', 404),
|
|
('put', 'can_change_items', 'items/1/addons/1/', 404),
|
|
('patch', 'can_change_items', 'items/1/addons/1/', 404),
|
|
('delete', 'can_change_items', 'items/1/addons/1/', 404),
|
|
('post', 'can_change_event_settings', 'taxrules/', 400),
|
|
('put', 'can_change_event_settings', 'taxrules/1/', 404),
|
|
('patch', 'can_change_event_settings', 'taxrules/1/', 404),
|
|
('delete', 'can_change_event_settings', 'taxrules/1/', 404),
|
|
('post', 'can_change_vouchers', 'vouchers/', 400),
|
|
('put', 'can_change_vouchers', 'vouchers/1/', 404),
|
|
('patch', 'can_change_vouchers', 'vouchers/1/', 404),
|
|
('delete', 'can_change_vouchers', 'vouchers/1/', 404),
|
|
('post', 'can_change_items', 'quotas/', 400),
|
|
('put', 'can_change_items', 'quotas/1/', 404),
|
|
('patch', 'can_change_items', 'quotas/1/', 404),
|
|
('delete', 'can_change_items', 'quotas/1/', 404),
|
|
('post', 'can_change_orders', 'orders/ABC12/mark_paid/', 404),
|
|
('post', 'can_change_orders', 'orders/ABC12/mark_pending/', 404),
|
|
('post', 'can_change_orders', 'orders/ABC12/mark_expired/', 404),
|
|
('post', 'can_change_orders', 'orders/ABC12/mark_canceled/', 404),
|
|
('post', 'can_change_orders', 'orders/ABC12/extend/', 400),
|
|
('get', 'can_view_orders', 'checkinlists/', 200),
|
|
('post', 'can_change_event_settings', 'checkinlists/', 400),
|
|
('put', 'can_change_event_settings', 'checkinlists/1/', 404),
|
|
('patch', 'can_change_event_settings', 'checkinlists/1/', 404),
|
|
('delete', 'can_change_event_settings', 'checkinlists/1/', 404),
|
|
]
|
|
|
|
|
|
@pytest.fixture
|
|
def token_client(client, team):
|
|
team.can_view_orders = True
|
|
team.can_view_vouchers = True
|
|
team.can_change_items = True
|
|
team.save()
|
|
t = team.tokens.create(name='Foo')
|
|
client.credentials(HTTP_AUTHORIZATION='Token ' + t.token)
|
|
return client
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_organizer_allowed(token_client, organizer):
|
|
resp = token_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
|
|
assert resp.status_code == 200
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_organizer_not_allowed(token_client, organizer):
|
|
o2 = Organizer.objects.create(slug='o2', name='Organizer 2')
|
|
resp = token_client.get('/api/v1/organizers/{}/events/'.format(o2.slug))
|
|
assert resp.status_code == 403
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_organizer_not_existing(token_client, organizer):
|
|
resp = token_client.get('/api/v1/organizers/{}/events/'.format('o2'))
|
|
assert resp.status_code == 403
|
|
|
|
|
|
@pytest.mark.django_db
|
|
@pytest.mark.parametrize("url", event_urls)
|
|
def test_event_allowed_all_events(token_client, team, organizer, event, url):
|
|
team.all_events = True
|
|
team.save()
|
|
resp = token_client.get('/api/v1/organizers/{}/events/{}/{}'.format(organizer.slug, event.slug, url))
|
|
assert resp.status_code == 200
|
|
|
|
|
|
@pytest.mark.django_db
|
|
@pytest.mark.parametrize("url", event_urls)
|
|
def test_event_allowed_limit_events(token_client, organizer, team, event, url):
|
|
team.all_events = False
|
|
team.save()
|
|
team.limit_events.add(event)
|
|
resp = token_client.get('/api/v1/organizers/{}/events/{}/{}'.format(organizer.slug, event.slug, url))
|
|
assert resp.status_code == 200
|
|
|
|
|
|
@pytest.mark.django_db
|
|
@pytest.mark.parametrize("url", event_urls)
|
|
def test_event_not_allowed(token_client, organizer, team, event, url):
|
|
team.all_events = False
|
|
team.save()
|
|
resp = token_client.get('/api/v1/organizers/{}/events/{}/{}'.format(organizer.slug, event.slug, url))
|
|
assert resp.status_code == 403
|
|
|
|
|
|
@pytest.mark.django_db
|
|
@pytest.mark.parametrize("url", event_urls)
|
|
def test_event_not_existing(token_client, organizer, url, event):
|
|
resp = token_client.get('/api/v1/organizers/{}/events/{}/{}'.format(organizer.slug, event.slug, url))
|
|
assert resp.status_code == 403
|
|
|
|
|
|
@pytest.mark.django_db
|
|
@pytest.mark.parametrize("urlset", event_permission_urls)
|
|
def test_token_event_permission_allowed(token_client, team, organizer, event, urlset):
|
|
team.all_events = True
|
|
setattr(team, urlset[1], True)
|
|
team.save()
|
|
resp = getattr(token_client, urlset[0])('/api/v1/organizers/{}/events/{}/{}'.format(
|
|
organizer.slug, event.slug, urlset[2]))
|
|
assert resp.status_code == urlset[3]
|
|
|
|
|
|
@pytest.mark.django_db
|
|
@pytest.mark.parametrize("urlset", event_permission_urls)
|
|
def test_token_event_permission_not_allowed(token_client, team, organizer, event, urlset):
|
|
team.all_events = True
|
|
setattr(team, urlset[1], False)
|
|
team.save()
|
|
resp = getattr(token_client, urlset[0])('/api/v1/organizers/{}/events/{}/{}'.format(
|
|
organizer.slug, event.slug, urlset[2]))
|
|
if urlset[3] == 404:
|
|
assert resp.status_code == 403
|
|
else:
|
|
assert resp.status_code in (404, 403)
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_log_out_after_absolute_timeout(user_client, team, organizer, event):
|
|
session = user_client.session
|
|
session['pretix_auth_long_session'] = False
|
|
session['pretix_auth_login_time'] = int(time.time()) - 3600 * 12 - 60
|
|
session.save()
|
|
|
|
response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
|
|
assert response.status_code == 403
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_dont_logout_before_absolute_timeout(user_client, team, organizer, event):
|
|
session = user_client.session
|
|
session['pretix_auth_long_session'] = True
|
|
session['pretix_auth_login_time'] = int(time.time()) - 3600 * 12 + 60
|
|
session.save()
|
|
|
|
response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
|
|
assert response.status_code == 200
|
|
|
|
|
|
@pytest.mark.django_db
|
|
@override_settings(PRETIX_LONG_SESSIONS=False)
|
|
def test_ignore_long_session_if_disabled_in_config(user_client, team, organizer, event):
|
|
session = user_client.session
|
|
session['pretix_auth_long_session'] = True
|
|
session['pretix_auth_login_time'] = int(time.time()) - 3600 * 12 - 60
|
|
session.save()
|
|
|
|
response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
|
|
assert response.status_code == 403
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_dont_logout_in_long_session(user_client, team, organizer, event):
|
|
session = user_client.session
|
|
session['pretix_auth_long_session'] = True
|
|
session['pretix_auth_login_time'] = int(time.time()) - 3600 * 12 - 60
|
|
session.save()
|
|
|
|
response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
|
|
assert response.status_code == 200
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_log_out_after_relative_timeout(user_client, team, organizer, event):
|
|
session = user_client.session
|
|
session['pretix_auth_long_session'] = False
|
|
session['pretix_auth_login_time'] = int(time.time()) - 3600 * 6
|
|
session['pretix_auth_last_used'] = int(time.time()) - 3600 * 3 - 60
|
|
session.save()
|
|
|
|
response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
|
|
assert response.status_code == 403
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_dont_logout_before_relative_timeout(user_client, team, organizer, event):
|
|
session = user_client.session
|
|
session['pretix_auth_long_session'] = True
|
|
session['pretix_auth_login_time'] = int(time.time()) - 3600 * 6
|
|
session['pretix_auth_last_used'] = int(time.time()) - 3600 * 3 + 60
|
|
session.save()
|
|
|
|
response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
|
|
assert response.status_code == 200
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_dont_logout_by_relative_in_long_session(user_client, team, organizer, event):
|
|
session = user_client.session
|
|
session['pretix_auth_long_session'] = True
|
|
session['pretix_auth_login_time'] = int(time.time()) - 3600 * 5
|
|
session['pretix_auth_last_used'] = int(time.time()) - 3600 * 3 - 60
|
|
session.save()
|
|
|
|
response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
|
|
assert response.status_code == 200
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_update_session_activity(user_client, team, organizer, event):
|
|
t1 = int(time.time()) - 5
|
|
session = user_client.session
|
|
session['pretix_auth_long_session'] = False
|
|
session['pretix_auth_login_time'] = int(time.time()) - 3600 * 5
|
|
session['pretix_auth_last_used'] = t1
|
|
session.save()
|
|
|
|
response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
|
|
assert response.status_code == 200
|
|
|
|
assert user_client.session['pretix_auth_last_used'] > t1
|