#
# This file is part of pretix (Community Edition).
#
# Copyright (C) 2014-2020 Raphael Michel and contributors
# Copyright (C) 2020-today pretix GmbH and contributors
#
# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
# Public License as published by the Free Software Foundation in version 3 of the License.
#
# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
# this file, see <https://pretix.eu/about/en/license>.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along with this program. If not, see
# <https://www.gnu.org/licenses/>.
#
import pytest
from django.test import RequestFactory
from django.utils.timezone import now
from django_scopes import scope
from pretix.base.models import Event, Organizer, Team, User
from pretix.multidomain.middlewares import SessionMiddleware
@pytest.fixture
def organizer():
    """Create the 'dummy' organizer and keep its django_scopes scope entered.

    The organizer is yielded from inside the ``scope(...)`` block, so the
    scope stays active for as long as the requesting test runs.
    """
    dummy_organizer = Organizer.objects.create(slug='dummy', name='Dummy')
    with scope(organizer=dummy_organizer):
        yield dummy_organizer
@pytest.fixture
def event(organizer):
    """Create one event (slug 'dummy') under the ``organizer`` fixture, starting now."""
    return Event.objects.create(
        organizer=organizer,
        name='Dummy',
        slug='dummy',
        date_from=now(),
    )
@pytest.fixture
def user():
    """Create a regular account; no ``is_staff`` flag is passed here."""
    plain_user = User.objects.create_user('dummy@dummy.dummy', 'dummy')
    return plain_user
@pytest.fixture
def admin():
    """Create an account with ``is_staff=True`` for the staff-level tests."""
    return User.objects.create_user('admin@dummy.dummy', 'dummy', is_staff=True)
@pytest.fixture
def admin_request(admin, client):
    """Build a GET request whose session is registered as a staff session.

    Two records are created through ``admin.staffsession_set``: one for the
    session key of the returned request and one for the session key of the
    Django test ``client``. Both start now.
    """
    request = RequestFactory().get('/')

    # The middleware is used only to attach a session to the request; the
    # NotImplementedError class stands in for the get_response callable.
    # NOTE(review): presumably get_response is never invoked on this path — confirm.
    SessionMiddleware(NotImplementedError).process_request(request)
    # Saving the session gives it a session_key that the record below can reference.
    request.session.save()

    # NOTE(review): presumably staff privileges are honoured only for requests
    # whose session key matches such a record; test_superuser passes this
    # request to every positive check — confirm against the permission code.
    admin.staffsession_set.create(date_start=now(), session_key=request.session.session_key)
    admin.staffsession_set.create(date_start=now(), session_key=client.session.session_key)
    return request
@pytest.mark.django_db
def test_any_event_permission_limited(event, user):
    """Event access through ``limit_events`` needs membership AND the event link.

    Walks through four states: no team, a team without the user, a team with
    the user but no event assigned, and finally the event added to
    ``limit_events``. Only the last state may grant any permission.
    """
    organizer = event.organizer

    # _teamcache is reset before every check — presumably so that a cached
    # team lookup from the previous step cannot mask the change under test.
    user._teamcache = {}
    # Deny by default: a user without any team has no access to the event.
    assert not user.has_event_permission(organizer, event)

    # A team merely existing in the organizer grants nothing to non-members.
    crew = Team.objects.create(organizer=organizer)
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event)

    # Membership alone is not enough while the team covers no event.
    crew.members.add(user)
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event)
    assert not crew.permission_for_event(event)

    # Linking the event to the team is what finally grants access.
    crew.limit_events.add(event)
    user._teamcache = {}
    assert crew.permission_for_event(event)
    assert user.has_event_permission(organizer, event)
@pytest.mark.django_db
def test_any_event_permission_all(event, user):
    """Event access through ``all_events`` needs membership AND the flag saved.

    Same progression as the ``limit_events`` variant, except that the final
    grant comes from setting ``all_events = True`` on the team.
    """
    organizer = event.organizer

    # Deny by default: no team, no access.
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event)

    # The team exists but the user is not a member yet.
    crew = Team.objects.create(organizer=organizer)
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event)

    # Member of a team that covers no event: still denied.
    crew.members.add(user)
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event)
    assert not crew.permission_for_event(event)

    # The flag is persisted with save() before the positive checks run.
    crew.all_events = True
    crew.save()
    user._teamcache = {}
    assert crew.permission_for_event(event)
    assert user.has_event_permission(organizer, event)
@pytest.mark.django_db
def test_specific_event_permission_limited(event, user):
    """A named event permission is granted only via a team limited to that event.

    Also pins two further behaviours: a tuple of permission names passes when
    at least one of them is held, and emptying ``limit_event_permissions``
    withdraws the permission again.
    """
    organizer = event.organizer
    orders_write = 'event.orders:write'
    settings_write = 'event.settings.general:write'

    # Deny by default.
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event, orders_write)

    # The team carries the permission, but the user is not a member.
    crew = Team.objects.create(organizer=organizer, limit_event_permissions={"event.orders:write": True})
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event, orders_write)

    # Member, but the team is not linked to the event.
    crew.members.add(user)
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event, orders_write)

    # Linked: exactly the granted permission is available, nothing more.
    crew.limit_events.add(event)
    user._teamcache = {}
    assert user.has_event_permission(organizer, event, orders_write)
    assert not user.has_event_permission(organizer, event, settings_write)

    # Tuple form: one held permission is sufficient, none held is a denial.
    assert user.has_event_permission(organizer, event, (orders_write, settings_write))
    assert not user.has_event_permission(organizer, event, ('organizer.teams:write', settings_write))

    # Revocation: clearing the team's permissions removes the user's access.
    crew.limit_event_permissions = {}
    crew.save()
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event, orders_write)
@pytest.mark.django_db
def test_specific_event_permission_all(event, user):
    """A named event permission is granted via ``all_events`` and can be revoked.

    The team holds ``event.orders:write`` from the start; the user only gains
    it after joining the team and after ``all_events`` is saved as True.
    """
    organizer = event.organizer
    orders_write = 'event.orders:write'

    # Deny by default.
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event, orders_write)

    # Team with the permission exists, user is not a member.
    crew = Team.objects.create(organizer=organizer, limit_event_permissions={"event.orders:write": True})
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event, orders_write)

    # Member, but the team does not cover the event yet.
    crew.members.add(user)
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event, orders_write)

    # all_events makes the team's permission apply to this event.
    crew.all_events = True
    crew.save()
    user._teamcache = {}
    assert user.has_event_permission(organizer, event, orders_write)

    # Revocation: with no permissions left on the team, access is denied again
    # even though all_events is still True.
    crew.limit_event_permissions = {}
    crew.save()
    user._teamcache = {}
    assert not user.has_event_permission(organizer, event, orders_write)
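@pytest.mark.django_db
def test_event_permissions_multiple_teams(event, user):
    """Permissions from several teams are combined per event, not across events.

    ``team1`` applies to all events, ``team2`` only to ``event`` and ``team3``
    only to ``event2``. The expected permission sets check that each event
    receives the union of the teams covering it and nothing from a team that
    is limited to the other event.
    """
    organizer = event.organizer
    team1 = Team.objects.create(organizer=organizer, limit_event_permissions={"event.orders:write": True}, all_events=True)
    team2 = Team.objects.create(organizer=organizer, limit_event_permissions={"event.vouchers:write": True})
    team3 = Team.objects.create(organizer=organizer, limit_event_permissions={"event.settings.general:write": True})
    event2 = Event.objects.create(
        organizer=organizer, name='Dummy', slug='dummy2',
        date_from=now()
    )
    team1.members.add(user)
    team2.members.add(user)
    team3.members.add(user)
    team2.limit_events.add(event)
    team3.limit_events.add(event2)

    assert user.has_event_permission(organizer, event, 'event.orders:write')
    assert user.has_event_permission(organizer, event, 'event.vouchers:write')
    # team3 is limited to event2, so its permission must not leak to event.
    assert not user.has_event_permission(organizer, event, 'event.settings.general:write')

    # The sets contain the new-style names plus their legacy 'can_*' aliases.
    assert user.get_event_permission_set(organizer, event) == {
        'event.orders:write', 'event.vouchers:write',
        'can_change_orders', 'can_change_vouchers',
    }
    # 'event.settings.general:write' used to be listed twice in this literal.
    # A set literal collapses duplicates, so the second entry never checked
    # anything; it is listed once here.
    assert user.get_event_permission_set(organizer, event2) == {
        'event.orders:write', 'event.settings.general:write',
        'can_change_orders', 'can_change_event_settings',
    }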
@pytest.mark.django_db
def test_any_organizer_permission(event, user):
    """Organizer-level access requires team membership, not just a team existing."""
    organizer = event.organizer

    # Deny by default.
    user._teamcache = {}
    assert not user.has_organizer_permission(organizer)

    # A team in the organizer grants nothing to a non-member.
    crew = Team.objects.create(organizer=organizer)
    user._teamcache = {}
    assert not user.has_organizer_permission(organizer)

    # Joining the team is sufficient for the "any permission" check.
    crew.members.add(user)
    user._teamcache = {}
    assert user.has_organizer_permission(organizer)
@pytest.mark.django_db
def test_specific_organizer_permission(event, user):
    """A named organizer permission is granted only to members of a team holding it.

    The final assertion also pins the tuple form: it passes although the user
    holds only one of the two listed permissions.
    """
    organizer = event.organizer
    create_events = 'organizer.events:create'

    # Deny by default.
    user._teamcache = {}
    assert not user.has_organizer_permission(organizer, create_events)

    # The team holds the permission, the user is not a member.
    crew = Team.objects.create(organizer=organizer, limit_organizer_permissions={"organizer.events:create": True})
    user._teamcache = {}
    assert not user.has_organizer_permission(organizer, create_events)

    # Membership grants the team's permission.
    crew.members.add(user)
    user._teamcache = {}
    assert user.has_organizer_permission(organizer, create_events)
    assert user.has_organizer_permission(organizer, (create_events, 'organizer.settings.general:write'))
@pytest.mark.django_db
def test_organizer_permissions_multiple_teams(event, user):
    """Organizer permissions are merged per organizer and never cross organizers.

    The user joins two teams in the fixture organizer and one team in a second
    organizer ('d2'). Each organizer's permission set must contain only what
    its own teams grant.
    """
    home_organizer = event.organizer

    settings_team = Team.objects.create(organizer=home_organizer, limit_organizer_permissions={"organizer.settings.general:write": True})
    events_team = Team.objects.create(organizer=home_organizer, limit_organizer_permissions={"organizer.events:create": True})
    settings_team.members.add(user)
    events_team.members.add(user)

    other_organizer = Organizer.objects.create(slug='d2', name='d2')
    foreign_team = Team.objects.create(organizer=other_organizer, limit_organizer_permissions={"organizer.teams:write": True})
    foreign_team.members.add(user)

    assert user.has_organizer_permission(home_organizer, 'organizer.events:create')
    assert user.has_organizer_permission(home_organizer, 'organizer.settings.general:write')
    # Isolation: a permission held in the other organizer must not apply here.
    assert not user.has_organizer_permission(home_organizer, 'organizer.teams:write')

    # The sets contain the new-style names plus their legacy 'can_*' aliases.
    assert user.get_organizer_permission_set(home_organizer) == {
        'organizer.events:create', 'organizer.settings.general:write',
        'can_create_events', 'can_change_organizer_settings',
    }
    assert user.get_organizer_permission_set(other_organizer) == {
        'organizer.teams:write',
        'can_change_teams',
    }
@pytest.mark.django_db
def test_superuser(event, admin, admin_request):
    """An ``is_staff`` user passes permission checks when given ``admin_request``.

    The ``admin`` fixture belongs to no team; every positive check below is
    made with ``request=admin_request``, whose session the fixture registered
    as a staff session.
    """
    organizer = event.organizer

    assert admin.has_organizer_permission(organizer, request=admin_request)
    assert admin.has_organizer_permission(organizer, 'organizer.events:create', request=admin_request)
    assert admin.has_event_permission(organizer, event, request=admin_request)
    assert admin.has_event_permission(organizer, event, 'event.settings.general:write', request=admin_request)

    # A made-up permission name must not show up in the returned sets.
    # Note that these two calls are made without a request argument.
    assert 'arbitrary' not in admin.get_event_permission_set(organizer, event)
    assert 'arbitrary' not in admin.get_organizer_permission_set(organizer)

    assert event in admin.get_events_with_any_permission(request=admin_request)
@pytest.mark.django_db
def test_list_of_events(event, user, admin, admin_request):
    """Event and user listings reflect team coverage in both directions.

    Four events exist across two organizers. The user's teams cover ``event``
    and ``event2`` (via ``all_events`` in the first organizer) and ``event3``
    (via ``limit_events`` in the second); ``event4`` is covered by no team and
    must never be listed.
    """
    home_organizer = event.organizer
    orga2 = Organizer.objects.create(slug='d2', name='d2')
    event2 = Event.objects.create(
        organizer=home_organizer, name='Dummy', slug='dummy2',
        date_from=now(),
    )
    event3 = Event.objects.create(
        organizer=orga2, name='Dummy', slug='dummy3',
        date_from=now(),
    )
    event4 = Event.objects.create(
        organizer=orga2, name='Dummy', slug='dummy4',
        date_from=now(),
    )
    # NOTE(review): presumably removes a pre-existing default account so it
    # cannot appear in the user listings below — confirm where it is created.
    User.objects.filter(email="admin@localhost").delete()

    # Deny by default: without any team the user can see no event.
    assert not user.get_events_with_any_permission()

    orders_team = Team.objects.create(organizer=home_organizer, limit_event_permissions={"event.orders:write": True}, all_events=True)
    vouchers_team = Team.objects.create(organizer=home_organizer, limit_event_permissions={"event.vouchers:write": True})
    settings_team = Team.objects.create(organizer=orga2, limit_event_permissions={"event.settings.general:write": True})
    orders_team.members.add(user)
    vouchers_team.members.add(user)
    settings_team.members.add(user)
    vouchers_team.limit_events.add(event)
    settings_team.limit_events.add(event3)

    # The scope is widened to both organizers for the cross-organizer queries.
    with scope(organizer=[home_organizer, orga2]):
        visible = list(user.get_events_with_any_permission(request=admin_request))
        assert event in visible
        assert event2 in visible
        assert event3 in visible
        assert event4 not in visible

        visible = list(user.get_events_with_permission('event.settings.general:write', request=admin_request))
        assert event not in visible
        assert event2 not in visible
        assert event3 in visible
        assert event4 not in visible

        # Reverse direction: which users does each event report?
        assert set(event.get_users_with_any_permission()) == {user}
        assert set(event2.get_users_with_any_permission()) == {user}
        assert set(event3.get_users_with_any_permission()) == {user}
        assert set(event4.get_users_with_any_permission()) == set()

        assert set(event.get_users_with_permission('event.settings.general:write')) == set()
        assert set(event2.get_users_with_permission('event.settings.general:write')) == set()
        assert set(event3.get_users_with_permission('event.settings.general:write')) == {user}
        assert set(event4.get_users_with_permission('event.settings.general:write')) == set()
        assert set(event.get_users_with_permission('event.orders:write')) == {user}
@pytest.mark.django_db
@pytest.mark.filterwarnings("ignore")
def test_check_with_legacy_permission_names(event, user):
    """Legacy ``can_*`` names still resolve against the new-style permissions.

    One team holds ``event.settings.general:write`` for all events plus three
    organizer permissions. The same expectations are checked through the Team,
    User and Event APIs.

    NOTE(review): warnings are ignored for this test — presumably because
    checks by legacy name emit a deprecation warning; confirm.
    """
    organizer = event.organizer
    legacy_team = Team.objects.create(
        organizer=organizer,
        limit_event_permissions={"event.settings.general:write": True},
        limit_organizer_permissions={
            "organizer.giftcards:read": True,
            "organizer.giftcards:write": True,
            "organizer.reusablemedia:write": True,
        },
        all_events=True,
    )
    legacy_team.members.add(user)

    # Team methods
    # Both legacy spellings of the settings permission are accepted in checks.
    assert legacy_team.has_event_permission('can_change_event_settings')
    assert legacy_team.has_event_permission('can_change_settings')
    assert not legacy_team.has_event_permission('can_view_orders')
    assert legacy_team.has_organizer_permission('can_manage_gift_cards')
    # Only reusablemedia:write is granted, and the legacy name is not satisfied
    # by it — presumably the legacy name requires more than the write
    # permission alone (gift cards have both read and write above); confirm.
    assert not legacy_team.has_organizer_permission('can_manage_reusable_media')
    assert legacy_team.organizer_permission_set() == {
        "organizer.giftcards:read",
        "organizer.giftcards:write",
        "organizer.reusablemedia:write",
        "can_manage_gift_cards",
    }
    # include_legacy=False leaves only the new-style names.
    assert legacy_team.organizer_permission_set(include_legacy=False) == {
        "organizer.giftcards:read",
        "organizer.giftcards:write",
        "organizer.reusablemedia:write",
    }
    assert legacy_team.event_permission_set() == {
        "event.settings.general:write", "can_change_event_settings",
    }
    assert legacy_team.event_permission_set(include_legacy=False) == {
        "event.settings.general:write",
    }

    # User methods
    user._teamcache = {}
    assert user.get_event_permission_set(organizer, event) == {
        "event.settings.general:write", "can_change_event_settings",
    }
    assert user.get_organizer_permission_set(organizer) == {
        "organizer.giftcards:read",
        "organizer.giftcards:write",
        "organizer.reusablemedia:write",
        "can_manage_gift_cards",
    }
    assert user.has_event_permission(organizer, event, 'can_change_event_settings')
    assert user.has_event_permission(organizer, event, 'can_change_settings')
    assert not user.has_event_permission(organizer, event, 'can_view_orders')
    assert user.has_organizer_permission(organizer, 'can_manage_gift_cards')
    assert not user.has_organizer_permission(organizer, 'can_manage_reusable_media')
    assert user.get_events_with_permission("can_change_event_settings").get() == event
    assert not user.get_events_with_permission("can_view_orders").exists()
    assert user.get_organizers_with_permission("can_manage_gift_cards").get() == organizer
    assert not user.get_organizers_with_permission("can_manage_reusable_media").exists()

    # Event methods
    assert event.get_users_with_permission("can_change_event_settings").get() == user
    assert not event.get_users_with_permission("can_view_orders").exists()