More general forbidden test

Ludovic Stephan 2021-02-20 19:18:21 +01:00
parent 6adfaba8e9
commit c14c2d54a5
2 changed files with 51 additions and 18 deletions


@ -79,10 +79,15 @@ class TestCaseMixin:
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
try: try:
form = response.context[form_ctx] form = response.context[form_ctx]
self.assertIn("Permission refusée", form.non_field_errors()) errors = [y for x in form.errors.as_data().values() for y in x]
self.assertTrue(any(e.code == "permission-denied" for e in errors))
except (AssertionError, AttributeError, KeyError): except (AssertionError, AttributeError, KeyError):
messages = [str(msg) for msg in response.context["messages"]] self.assertTrue(
self.assertIn("Permission refusée", messages) any(
"permission-denied" in msg.tags
for msg in response.context["messages"]
)
)
except AssertionError: except AssertionError:
request = response.wsgi_request request = response.wsgi_request
raise AssertionError( raise AssertionError(
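Review bot: The fallback check `"permission-denied" in msg.tags` is a substring test, because Django's `Message.tags` is a single space-joined string of the extra tags and the level tag, so any tag that merely contains that text would satisfy the forbidden assertion. Comparing whole tags is stricter: `"permission-denied" in msg.tags.split()`. Separately, indentation is lost on this page, so it is unclear whether the trailing `except AssertionError:` belongs to an outer `try` or is a sibling of the `(AssertionError, AttributeError, KeyError)` clause. If it is a sibling, it is unreachable and a failed message assertion would escape without the custom error, which is worth confirming. The enclosing method starts and ends outside the hunk.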


@ -12,7 +12,7 @@ from django.contrib.auth.decorators import login_required, permission_required
from django.contrib.auth.mixins import PermissionRequiredMixin from django.contrib.auth.mixins import PermissionRequiredMixin
from django.contrib.auth.models import Permission, User from django.contrib.auth.models import Permission, User
from django.contrib.messages.views import SuccessMessageMixin from django.contrib.messages.views import SuccessMessageMixin
from django.core.exceptions import SuspiciousOperation from django.core.exceptions import SuspiciousOperation, ValidationError
from django.db import transaction from django.db import transaction
from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery, Sum from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery, Sum
from django.forms import formset_factory from django.forms import formset_factory
@ -160,7 +160,9 @@ def account_create(request):
): ):
# Checking permission # Checking permission
if not request.user.has_perm("kfet.add_account"): if not request.user.has_perm("kfet.add_account"):
messages.error(request, "Permission refusée") messages.error(
request, "Permission refusée", extra_tags="permission-denied"
)
else: else:
data = {} data = {}
# Fill data for Account.save() # Fill data for Account.save()
@ -393,7 +395,9 @@ def account_update(request, trigramme):
# Updating account info # Updating account info
if forms == []: if forms == []:
messages.error( messages.error(
request, "Informations non mises à jour : permission refusée" request,
"Informations non mises à jour : permission refusée",
extra_tags="permission-denied",
) )
else: else:
if all(form.is_valid() for form in forms): if all(form.is_valid() for form in forms):
@ -513,7 +517,9 @@ class CheckoutCreate(SuccessMessageMixin, CreateView):
def form_valid(self, form): def form_valid(self, form):
# Checking permission # Checking permission
if not self.request.user.has_perm("kfet.add_checkout"): if not self.request.user.has_perm("kfet.add_checkout"):
form.add_error(None, "Permission refusée") form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form) return self.form_invalid(form)
# Creating # Creating
@ -551,7 +557,9 @@ class CheckoutUpdate(SuccessMessageMixin, UpdateView):
def form_valid(self, form): def form_valid(self, form):
# Checking permission # Checking permission
if not self.request.user.has_perm("kfet.change_checkout"): if not self.request.user.has_perm("kfet.change_checkout"):
form.add_error(None, "Permission refusée") form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form) return self.form_invalid(form)
# Updating # Updating
return super().form_valid(form) return super().form_valid(form)
@ -641,7 +649,9 @@ class CheckoutStatementCreate(SuccessMessageMixin, CreateView):
def form_valid(self, form): def form_valid(self, form):
# Checking permission # Checking permission
if not self.request.user.has_perm("kfet.add_checkoutstatement"): if not self.request.user.has_perm("kfet.add_checkoutstatement"):
form.add_error(None, "Permission refusée") form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form) return self.form_invalid(form)
# Creating # Creating
form.instance.amount_taken = getAmountTaken(form.instance) form.instance.amount_taken = getAmountTaken(form.instance)
@ -673,7 +683,9 @@ class CheckoutStatementUpdate(SuccessMessageMixin, UpdateView):
def form_valid(self, form): def form_valid(self, form):
# Checking permission # Checking permission
if not self.request.user.has_perm("kfet.change_checkoutstatement"): if not self.request.user.has_perm("kfet.change_checkoutstatement"):
form.add_error(None, "Permission refusée") form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form) return self.form_invalid(form)
# Updating # Updating
form.instance.amount_taken = getAmountTaken(form.instance) form.instance.amount_taken = getAmountTaken(form.instance)
@ -705,7 +717,9 @@ class CategoryUpdate(SuccessMessageMixin, UpdateView):
def form_valid(self, form): def form_valid(self, form):
# Checking permission # Checking permission
if not self.request.user.has_perm("kfet.change_articlecategory"): if not self.request.user.has_perm("kfet.change_articlecategory"):
form.add_error(None, "Permission refusée") form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form) return self.form_invalid(form)
# Updating # Updating
@ -754,7 +768,9 @@ class ArticleCreate(SuccessMessageMixin, CreateView):
def form_valid(self, form): def form_valid(self, form):
# Checking permission # Checking permission
if not self.request.user.has_perm("kfet.add_article"): if not self.request.user.has_perm("kfet.add_article"):
form.add_error(None, "Permission refusée") form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form) return self.form_invalid(form)
# Save ici pour save le manytomany suppliers # Save ici pour save le manytomany suppliers
@ -820,7 +836,9 @@ class ArticleUpdate(SuccessMessageMixin, UpdateView):
def form_valid(self, form): def form_valid(self, form):
# Checking permission # Checking permission
if not self.request.user.has_perm("kfet.change_article"): if not self.request.user.has_perm("kfet.change_article"):
form.add_error(None, "Permission refusée") form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form) return self.form_invalid(form)
# Save ici pour save le manytomany suppliers # Save ici pour save le manytomany suppliers
@ -1599,7 +1617,9 @@ class SettingsUpdate(SuccessMessageMixin, FormView):
def form_valid(self, form): def form_valid(self, form):
# Checking permission # Checking permission
if not self.request.user.has_perm("kfet.change_config"): if not self.request.user.has_perm("kfet.change_config"):
form.add_error(None, "Permission refusée") form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form) return self.form_invalid(form)
form.save() form.save()
return super().form_valid(form) return super().form_valid(form)
@ -1836,7 +1856,9 @@ def inventory_create(request):
formset = cls_formset(request.POST, initial=initial) formset = cls_formset(request.POST, initial=initial)
if not request.user.has_perm("kfet.add_inventory"): if not request.user.has_perm("kfet.add_inventory"):
messages.error(request, "Permission refusée") messages.error(
request, "Permission refusée", extra_tags="permission-denied"
)
elif formset.is_valid(): elif formset.is_valid():
with transaction.atomic(): with transaction.atomic():
@ -2007,7 +2029,9 @@ def order_create(request, pk):
formset = cls_formset(request.POST, initial=initial) formset = cls_formset(request.POST, initial=initial)
if not request.user.has_perm("kfet.add_order"): if not request.user.has_perm("kfet.add_order"):
messages.error(request, "Permission refusée") messages.error(
request, "Permission refusée", extra_tags="permission-denied"
)
elif formset.is_valid(): elif formset.is_valid():
order = Order() order = Order()
order.supplier = supplier order.supplier = supplier
@ -2131,7 +2155,9 @@ def order_to_inventory(request, pk):
formset = cls_formset(request.POST, initial=initial) formset = cls_formset(request.POST, initial=initial)
if not request.user.has_perm("kfet.order_to_inventory"): if not request.user.has_perm("kfet.order_to_inventory"):
messages.error(request, "Permission refusée") messages.error(
request, "Permission refusée", extra_tags="permission-denied"
)
elif formset.is_valid(): elif formset.is_valid():
with transaction.atomic(): with transaction.atomic():
inventory = Inventory.objects.create( inventory = Inventory.objects.create(
@ -2206,7 +2232,9 @@ class SupplierUpdate(SuccessMessageMixin, UpdateView):
def form_valid(self, form): def form_valid(self, form):
# Checking permission # Checking permission
if not self.request.user.has_perm("kfet.change_supplier"): if not self.request.user.has_perm("kfet.change_supplier"):
form.add_error(None, "Permission refusée") form.add_error(
None, ValidationError("Permission refusée", code="permission-denied")
)
return self.form_invalid(form) return self.form_invalid(form)
# Updating # Updating
return super().form_valid(form) return super().form_valid(form)
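Review bot: The literal `"permission-denied"` is now repeated at every denial site in this file (nine `form_valid` overrides and the five function views `account_create`, `account_update`, `inventory_create`, `order_create`, `order_to_inventory`) and again in the test mixin, so the contract the forbidden test relies on has no single definition. A module-level constant would keep the views and the test in step, e.g. `PERMISSION_DENIED_CODE = "permission-denied"`, used as `ValidationError("Permission refusée", code=PERMISSION_DENIED_CODE)` and `extra_tags=PERMISSION_DENIED_CODE`. A one-line comment at that constant, such as `# Marker the test suite uses to recognise a refused action; every permission refusal must carry it`, would tell the next author of a denial path what is expected. All of the enclosing functions and methods start or end outside their hunks.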