✅(backend) test interference btw documents permissions and filtering
We want to make sure that applying filters on the document view list
does not interfere with permissions.
sampaccoud authored and AntoLC committed Nov 28, 2024
1 parent b5c159b commit 1af7b79
Showing 1 changed file with 94 additions and 0 deletions.
94 changes: 94 additions & 0 deletions src/backend/core/tests/documents/test_api_documents_list.py
Expand Up @@ -3,7 +3,9 @@
"""

import operator
import random
from unittest import mock
from urllib.parse import urlencode

import pytest
from faker import Faker
Expand Down Expand Up @@ -314,6 +316,98 @@ def test_api_documents_list_favorites_no_extra_queries(django_assert_num_queries
assert result["is_favorite"] is False


def test_api_documents_list_filter_and_access_rights():
"""Filtering on querystring parameters should respect access rights."""
user = factories.UserFactory()
client = APIClient()
client.force_login(user)

other_user = factories.UserFactory()

def random_favorited_by():
return random.choice([[], [user], [other_user]])

# Documents that should be listed to this user
listed_documents = [
factories.DocumentFactory(
link_reach="public",
link_traces=[user],
favorited_by=random_favorited_by(),
creator=random.choice([user, other_user]),
),
factories.DocumentFactory(
link_reach="authenticated",
link_traces=[user],
favorited_by=random_favorited_by(),
creator=random.choice([user, other_user]),
),
factories.DocumentFactory(
link_reach="restricted",
users=[user],
favorited_by=random_favorited_by(),
creator=random.choice([user, other_user]),
),
]
listed_ids = [str(doc.id) for doc in listed_documents]
word_list = [word for doc in listed_documents for word in doc.title.split(" ")]

# Documents that should not be listed to this user
factories.DocumentFactory(
link_reach="public",
favorited_by=random_favorited_by(),
creator=random.choice([user, other_user]),
)
factories.DocumentFactory(
link_reach="authenticated",
favorited_by=random_favorited_by(),
creator=random.choice([user, other_user]),
)
factories.DocumentFactory(
link_reach="restricted",
favorited_by=random_favorited_by(),
creator=random.choice([user, other_user]),
)
factories.DocumentFactory(
link_reach="restricted",
link_traces=[user],
favorited_by=random_favorited_by(),
creator=random.choice([user, other_user]),
)

filters = {
"link_reach": random.choice([None, *models.LinkReachChoices.values]),
"title": random.choice([None, *word_list]),
"favorite": random.choice([None, True, False]),
"creator": random.choice([None, user, other_user]),
"ordering": random.choice(
[
None,
"created_at",
"-created_at",
"is_favorite",
"-is_favorite",
"nb_accesses",
"-nb_accesses",
"title",
"-title",
"updated_at",
"-updated_at",
]
),
}
query_params = {key: value for key, value in filters.items() if value is not None}
querystring = urlencode(query_params)

response = client.get(f"/api/v1.0/documents/?{querystring:s}")

assert response.status_code == 200
results = response.json()["results"]

# Ensure all documents in results respect expected access rights
for result in results:
assert result["id"] in listed_ids


# Filters: ordering
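Review bot: The access-rights check at the end of `test_api_documents_list_filter_and_access_rights` can pass without verifying anything, because `for result in results: assert result["id"] in listed_ids` is vacuous whenever the randomly chosen filters return an empty list, and each run exercises only one unseeded combination of filters. A permission leak that shows up under a single filter or ordering would then fail only intermittently and be hard to reproduce. Consider driving the filter values through `@pytest.mark.parametrize`, or at least writing `assert result["id"] in listed_ids, querystring`, and adding an unfiltered case that asserts `{r["id"] for r in results} == set(listed_ids)`. The `creator` value also reaches `urlencode` as a model instance, so the query carries `str(user)`; unless that is what the filter expects, `str(user.id)` was probably meant, which should be confirmed against the filterset since it is not visible on this page.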

