More general forbidden test

Ludovic Stephan 2021-02-20 19:18:21 +01:00
parent 6adfaba8e9
commit c14c2d54a5
2 changed files with 51 additions and 18 deletions


@ -79,10 +79,15 @@ class TestCaseMixin:
self.assertEqual(response.status_code, 200)
try:
form = response.context[form_ctx]
self.assertIn("Permission refusée", form.non_field_errors())
errors = [y for x in form.errors.as_data().values() for y in x]
self.assertTrue(any(e.code == "permission-denied" for e in errors))
except (AssertionError, AttributeError, KeyError):
messages = [str(msg) for msg in response.context["messages"]]
self.assertIn("Permission refusée", messages)
self.assertTrue(
any(
"permission-denied" in msg.tags
for msg in response.context["messages"]
)
)
except AssertionError:
request = response.wsgi_request
raise AssertionError(


@ -12,7 +12,7 @@ from django.contrib.auth.decorators import login_required, permission_required
from django.contrib.auth.mixins import PermissionRequiredMixin
from django.contrib.auth.models import Permission, User
from django.contrib.messages.views import SuccessMessageMixin
from django.core.exceptions import SuspiciousOperation
from django.core.exceptions import SuspiciousOperation, ValidationError
from django.db import transaction
from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery, Sum
from django.forms import formset_factory
@ -160,7 +160,9 @@ def account_create(request):
):
# Checking permission
if not request.user.has_perm("kfet.add_account"):
messages.error(request, "Permission refusée")
messages.error(
request, "Permission refusée", extra_tags="permission-denied"
)
else:
data = {}
# Fill data for Account.save()
@ -393,7 +395,9 @@ def account_update(request, trigramme):
# Updating account info
if forms == []:
messages.error(
request, "Informations non mises à jour : permission refusée"
request,
"Informations non mises à jour : permission refusée",
extra_tags="permission-denied",
)
else:
if all(form.is_valid() for form in forms):
@ -513,7 +517,9 @@ class CheckoutCreate(SuccessMessageMixin, CreateView):
def form_valid(self, form):
# Checking permission
if not self.request.user.has_perm("kfet.add_checkout"):
form.add_error(None, "Permission refusée")
form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form)
# Creating
@ -551,7 +557,9 @@ class CheckoutUpdate(SuccessMessageMixin, UpdateView):
def form_valid(self, form):
# Checking permission
if not self.request.user.has_perm("kfet.change_checkout"):
form.add_error(None, "Permission refusée")
form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form)
# Updating
return super().form_valid(form)
@ -641,7 +649,9 @@ class CheckoutStatementCreate(SuccessMessageMixin, CreateView):
def form_valid(self, form):
# Checking permission
if not self.request.user.has_perm("kfet.add_checkoutstatement"):
form.add_error(None, "Permission refusée")
form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form)
# Creating
form.instance.amount_taken = getAmountTaken(form.instance)
@ -673,7 +683,9 @@ class CheckoutStatementUpdate(SuccessMessageMixin, UpdateView):
def form_valid(self, form):
# Checking permission
if not self.request.user.has_perm("kfet.change_checkoutstatement"):
form.add_error(None, "Permission refusée")
form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form)
# Updating
form.instance.amount_taken = getAmountTaken(form.instance)
@ -705,7 +717,9 @@ class CategoryUpdate(SuccessMessageMixin, UpdateView):
def form_valid(self, form):
# Checking permission
if not self.request.user.has_perm("kfet.change_articlecategory"):
form.add_error(None, "Permission refusée")
form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form)
# Updating
@ -754,7 +768,9 @@ class ArticleCreate(SuccessMessageMixin, CreateView):
def form_valid(self, form):
# Checking permission
if not self.request.user.has_perm("kfet.add_article"):
form.add_error(None, "Permission refusée")
form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form)
# Save ici pour save le manytomany suppliers
@ -820,7 +836,9 @@ class ArticleUpdate(SuccessMessageMixin, UpdateView):
def form_valid(self, form):
# Checking permission
if not self.request.user.has_perm("kfet.change_article"):
form.add_error(None, "Permission refusée")
form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form)
# Save ici pour save le manytomany suppliers
@ -1599,7 +1617,9 @@ class SettingsUpdate(SuccessMessageMixin, FormView):
def form_valid(self, form):
# Checking permission
if not self.request.user.has_perm("kfet.change_config"):
form.add_error(None, "Permission refusée")
form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form)
form.save()
return super().form_valid(form)
@ -1836,7 +1856,9 @@ def inventory_create(request):
formset = cls_formset(request.POST, initial=initial)
if not request.user.has_perm("kfet.add_inventory"):
messages.error(request, "Permission refusée")
messages.error(
request, "Permission refusée", extra_tags="permission-denied"
)
elif formset.is_valid():
with transaction.atomic():
@ -2007,7 +2029,9 @@ def order_create(request, pk):
formset = cls_formset(request.POST, initial=initial)
if not request.user.has_perm("kfet.add_order"):
messages.error(request, "Permission refusée")
messages.error(
request, "Permission refusée", extra_tags="permission-denied"
)
elif formset.is_valid():
order = Order()
order.supplier = supplier
@ -2131,7 +2155,9 @@ def order_to_inventory(request, pk):
formset = cls_formset(request.POST, initial=initial)
if not request.user.has_perm("kfet.order_to_inventory"):
messages.error(request, "Permission refusée")
messages.error(
request, "Permission refusée", extra_tags="permission-denied"
)
elif formset.is_valid():
with transaction.atomic():
inventory = Inventory.objects.create(
@ -2206,7 +2232,9 @@ class SupplierUpdate(SuccessMessageMixin, UpdateView):
def form_valid(self, form):
# Checking permission
if not self.request.user.has_perm("kfet.change_supplier"):
form.add_error(None, "Permission refusée")
form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form)
# Updating
return super().form_valid(form)
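Review bot: The literal `"permission-denied"` is now a contract between fourteen call sites in this file (nine `ValidationError(..., code=...)` and five `messages.error(..., extra_tags=...)`) and the test helper, yet it is retyped as a bare string at every one of them. A single module-level constant such as `PERMISSION_DENIED_CODE = "permission-denied"`, referenced by the views and by the test mixin, would keep the authorization marker from drifting between them. Judging by the status check in the test helper, a refused request is still answered with an ordinary 200 page, so the denial is visible only in the response body; if that is intentional, a log line in these branches would make refused attempts auditable. Each hunk shows only the permission guard, and the view bodies continue outside the hunks.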