From c14c2d54a588db362c62025e7aebaa759048fc87 Mon Sep 17 00:00:00 2001
From: Ludovic Stephan
Date: Sat, 20 Feb 2021 19:18:21 +0100
Subject: [PATCH] More general forbidden test

---
 kfet/tests/testcases.py | 11 +++++---
 kfet/views.py | 58 ++++++++++++++++++++++++++++++-----------
 2 files changed, 51 insertions(+), 18 deletions(-)

diff --git a/kfet/tests/testcases.py b/kfet/tests/testcases.py
index 4912023e..16ccb186 100644
--- a/kfet/tests/testcases.py
+++ b/kfet/tests/testcases.py
@@ -79,10 +79,15 @@ class TestCaseMixin:
 self.assertEqual(response.status_code, 200)
 try:
 form = response.context[form_ctx]
- self.assertIn("Permission refusée", form.non_field_errors())
+ errors = [y for x in form.errors.as_data().values() for y in x]
+ self.assertTrue(any(e.code == "permission-denied" for e in errors))
 except (AssertionError, AttributeError, KeyError):
- messages = [str(msg) for msg in response.context["messages"]]
- self.assertIn("Permission refusée", messages)
+ self.assertTrue(
+ any(
+ "permission-denied" in msg.tags
+ for msg in response.context["messages"]
+ )
+ )
 except AssertionError:
 request = response.wsgi_request
 raise AssertionError(
diff --git a/kfet/views.py b/kfet/views.py
index 992db0ec..0423be07 100644
--- a/kfet/views.py
+++ b/kfet/views.py
@@ -12,7 +12,7 @@ from django.contrib.auth.decorators import login_required, permission_required
 from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.contrib.auth.models import Permission, User
 from django.contrib.messages.views import SuccessMessageMixin
-from django.core.exceptions import SuspiciousOperation
+from django.core.exceptions import SuspiciousOperation, ValidationError
 from django.db import transaction
 from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery, Sum
 from django.forms import formset_factory
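Review bot: In the fallback branch of the testcases.py hunk, `"permission-denied" in msg.tags` is a substring test, because Django's `Message.tags` is a single space-joined string of the extra tags and the level tag. Any tag that merely contains that text would therefore satisfy the helper. Comparing whole tags keeps the check exact: `"permission-denied" in msg.tags.split()`. The form branch above it compares `e.code` for equality and does not have this weakness. The enclosing helper method starts and ends outside the hunk.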
@@ -160,7 +160,9 @@ def account_create(request):
 ):
 # Checking permission
 if not request.user.has_perm("kfet.add_account"):
- messages.error(request, "Permission refusée")
+ messages.error(
+ request, "Permission refusée", extra_tags="permission-denied"
+ )
 else:
 data = {}
 # Fill data for Account.save()
@@ -393,7 +395,9 @@ def account_update(request, trigramme):
 # Updating account info
 if forms == []:
 messages.error(
- request, "Informations non mises à jour : permission refusée"
+ request,
+ "Informations non mises à jour : permission refusée",
+ extra_tags="permission-denied",
 )
 else:
 if all(form.is_valid() for form in forms):
@@ -513,7 +517,9 @@ class CheckoutCreate(SuccessMessageMixin, CreateView):
 def form_valid(self, form):
 # Checking permission
 if not self.request.user.has_perm("kfet.add_checkout"):
- form.add_error(None, "Permission refusée")
+ form.add_error(
+ None, ValidationError("Permission refusée", code="permission-denied")
+ )
 return self.form_invalid(form)
 # Creating
@@ -551,7 +557,9 @@ class CheckoutUpdate(SuccessMessageMixin, UpdateView):
 def form_valid(self, form):
 # Checking permission
 if not self.request.user.has_perm("kfet.change_checkout"):
- form.add_error(None, "Permission refusée")
+ form.add_error(
+ None, ValidationError("Permission refusée", code="permission-denied")
+ )
 return self.form_invalid(form)
 # Updating
 return super().form_valid(form)
@@ -641,7 +649,9 @@ class CheckoutStatementCreate(SuccessMessageMixin, CreateView):
 def form_valid(self, form):
 # Checking permission
 if not self.request.user.has_perm("kfet.add_checkoutstatement"):
- form.add_error(None, "Permission refusée")
+ form.add_error(
+ None, ValidationError("Permission refusée", code="permission-denied")
+ )
 return self.form_invalid(form)
 # Creating
 form.instance.amount_taken = getAmountTaken(form.instance)
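Review bot: The literal `"permission-denied"` is now a contract between the views and the test helper, yet it is spelled out separately at every call site. It appears here in `extra_tags=`, in the other `messages.error` hunks (account_update, inventory_create, order_create, order_to_inventory) and as `code=` in every `form_valid` hunk. A view whose literal drifts is only caught if that particular view has a forbidden-path test. One module-level name, for example `PERMISSION_DENIED = "permission-denied"`, passed as `extra_tags=PERMISSION_DENIED` and `code=PERMISSION_DENIED`, removes that risk. The body of account_create continues outside the hunk.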
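Review bot: In account_update the `permission-denied` tag is attached under `if forms == []:`, so the denial is inferred from an empty form list rather than from a `has_perm` call visible in this hunk. The code that builds `forms` is outside the hunk; if the list can be empty for any other reason, that case would be reported to the user and accepted by the test helper as a permission failure. If emptiness really is equivalent to lacking every edit permission, a comment saying so at this branch, such as `# forms is empty only when the user holds none of the edit permissions`, would make the tag trustworthy. Otherwise an explicit permission test belongs here.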
@@ -673,7 +683,9 @@ class CheckoutStatementUpdate(SuccessMessageMixin, UpdateView):
 def form_valid(self, form):
 # Checking permission
 if not self.request.user.has_perm("kfet.change_checkoutstatement"):
- form.add_error(None, "Permission refusée")
+ form.add_error(
+ None, ValidationError("Permission refusée", code="permission-denied")
+ )
 return self.form_invalid(form)
 # Updating
 form.instance.amount_taken = getAmountTaken(form.instance)
@@ -705,7 +717,9 @@ class CategoryUpdate(SuccessMessageMixin, UpdateView):
 def form_valid(self, form):
 # Checking permission
 if not self.request.user.has_perm("kfet.change_articlecategory"):
- form.add_error(None, "Permission refusée")
+ form.add_error(
+ None, ValidationError("Permission refusée", code="permission-denied")
+ )
 return self.form_invalid(form)
 # Updating
@@ -754,7 +768,9 @@ class ArticleCreate(SuccessMessageMixin, CreateView):
 def form_valid(self, form):
 # Checking permission
 if not self.request.user.has_perm("kfet.add_article"):
- form.add_error(None, "Permission refusée")
+ form.add_error(
+ None, ValidationError("Permission refusée", code="permission-denied")
+ )
 return self.form_invalid(form)
 # Save ici pour save le manytomany suppliers
@@ -820,7 +836,9 @@ class ArticleUpdate(SuccessMessageMixin, UpdateView):
 def form_valid(self, form):
 # Checking permission
 if not self.request.user.has_perm("kfet.change_article"):
- form.add_error(None, "Permission refusée")
+ form.add_error(
+ None, ValidationError("Permission refusée", code="permission-denied")
+ )
 return self.form_invalid(form)
 # Save ici pour save le manytomany suppliers
@@ -1599,7 +1617,9 @@ class SettingsUpdate(SuccessMessageMixin, FormView):
 def form_valid(self, form):
 # Checking permission
 if not self.request.user.has_perm("kfet.change_config"):
- form.add_error(None, "Permission refusée")
+ form.add_error(
+ None, ValidationError("Permission refusée", code="permission-denied")
+ )
 return self.form_invalid(form)
 form.save()
 return super().form_valid(form)
@@ -1836,7 +1856,9 @@ def inventory_create(request):
 formset = cls_formset(request.POST, initial=initial)
 if not request.user.has_perm("kfet.add_inventory"):
- messages.error(request, "Permission refusée")
+ messages.error(
+ request, "Permission refusée", extra_tags="permission-denied"
+ )
 elif formset.is_valid():
 with transaction.atomic():
@@ -2007,7 +2029,9 @@ def order_create(request, pk):
 formset = cls_formset(request.POST, initial=initial)
 if not request.user.has_perm("kfet.add_order"):
- messages.error(request, "Permission refusée")
+ messages.error(
+ request, "Permission refusée", extra_tags="permission-denied"
+ )
 elif formset.is_valid():
 order = Order()
 order.supplier = supplier
@@ -2131,7 +2155,9 @@ def order_to_inventory(request, pk):
 formset = cls_formset(request.POST, initial=initial)
 if not request.user.has_perm("kfet.order_to_inventory"):
- messages.error(request, "Permission refusée")
+ messages.error(
+ request, "Permission refusée", extra_tags="permission-denied"
+ )
 elif formset.is_valid():
 with transaction.atomic():
 inventory = Inventory.objects.create(
@@ -2206,7 +2232,9 @@ class SupplierUpdate(SuccessMessageMixin, UpdateView):
 def form_valid(self, form):
 # Checking permission
 if not self.request.user.has_perm("kfet.change_supplier"):
- form.add_error(None, "Permission refusée")
+ form.add_error(
+ None, ValidationError("Permission refusée", code="permission-denied")
+ )
 return self.form_invalid(form)
 # Updating
 return super().form_valid(form)