| 1 |
1 |
import pytest
|
|
2 |
import contextlib
|
|
3 |
import re
|
| 2 |
4 |
|
|
5 |
from wcs import fields
|
| 3 |
6 |
from wcs.formdef import FormDef
|
|
7 |
from wcs.qommon.ident.password_accounts import PasswordAccount
|
|
8 |
from wcs.roles import Role
|
|
9 |
|
|
10 |
from utilities import get_app, login, create_temporary_pub, clean_temporary_pub
|
|
11 |
|
| 4 |
12 |
|
| 5 |
|
from utilities import create_temporary_pub, clean_temporary_pub
|
| 6 |
13 |
|
| 7 |
14 |
def pytest_generate_tests(metafunc):
|
| 8 |
15 |
if 'pub' in metafunc.fixturenames:
|
| ... | ... | |
| 10 |
17 |
|
| 11 |
18 |
@pytest.fixture
|
| 12 |
19 |
def pub(request):
|
| 13 |
|
return create_temporary_pub(sql_mode=(request.param == 'sql'))
|
|
20 |
pub = create_temporary_pub(sql_mode=(request.param == 'sql'))
|
|
21 |
pub.cfg['identification'] = {'methods': ['password']}
|
|
22 |
pub.cfg['language'] = {'language': 'en'}
|
|
23 |
pub.write_cfg()
|
|
24 |
return pub
|
| 14 |
25 |
|
| 15 |
26 |
def teardown_module(module):
|
| 16 |
27 |
clean_temporary_pub()
|
| 17 |
28 |
|
|
29 |
def create_formdef():
|
|
30 |
FormDef.wipe()
|
|
31 |
formdef = FormDef()
|
|
32 |
formdef.name = 'test'
|
|
33 |
formdef.fields = []
|
|
34 |
formdef.store()
|
|
35 |
return formdef
|
|
36 |
|
|
37 |
def create_users(pub):
|
|
38 |
def create_user(name):
|
|
39 |
user = pub.user_class()
|
|
40 |
user.email = '%s@localhost' % name
|
|
41 |
user.name = name
|
|
42 |
user.store()
|
|
43 |
account = PasswordAccount(id=name)
|
|
44 |
account.set_password(name)
|
|
45 |
account.user_id = user.id
|
|
46 |
account.store()
|
|
47 |
return user
|
|
48 |
|
|
49 |
pub.user_class.wipe()
|
|
50 |
PasswordAccount.wipe()
|
|
51 |
user1 = create_user('user1')
|
|
52 |
user2 = create_user('user2')
|
|
53 |
agent1 = create_user('agent1')
|
|
54 |
agent2 = create_user('agent2')
|
|
55 |
admin1 = create_user('admin1')
|
|
56 |
Role.wipe()
|
|
57 |
role1 = Role(name='Submiters')
|
|
58 |
role1.allows_backoffice_access = True
|
|
59 |
role1.store()
|
|
60 |
role2 = Role(name='Receivers')
|
|
61 |
role2.store()
|
|
62 |
agent1.roles = [role1.id]
|
|
63 |
agent1.store()
|
|
64 |
agent2.roles = [role2.id]
|
|
65 |
agent2.store()
|
|
66 |
admin1.is_admin = True
|
|
67 |
admin1.store()
|
|
68 |
return None, user1, user2, agent1, agent2, admin1 # None for anonymous
|
|
69 |
|
|
70 |
def get_displayed_tracking_code(resp):
|
|
71 |
tracking_code = None
|
|
72 |
if 'Forms - test' in resp.text:
|
|
73 |
# frontoffice
|
|
74 |
for a_tag in resp.html.findAll('a'):
|
|
75 |
if 'code/' in a_tag['href']:
|
|
76 |
tracking_code = a_tag.text
|
|
77 |
break
|
|
78 |
elif 'Back Office of wcs - test' in resp.text:
|
|
79 |
# backoffice
|
|
80 |
for h3_tag in resp.html.findAll('h3'):
|
|
81 |
if h3_tag.text == 'Tracking Code':
|
|
82 |
tracking_code = h3_tag.next_sibling.next_element
|
|
83 |
break
|
|
84 |
assert tracking_code
|
|
85 |
return tracking_code
|
|
86 |
|
| 18 |
87 |
def test_tracking_code(pub):
|
| 19 |
88 |
klass = pub.tracking_code_class
|
| 20 |
89 |
klass.wipe()
|
| ... | ... | |
| 74 |
143 |
|
| 75 |
144 |
assert marker.get('done') # makes sure we got to the real new id code
|
| 76 |
145 |
assert klass.count() == 2
|
|
146 |
|
|
147 |
def test_access_to_formdata(pub, nocache):
|
|
148 |
"""
|
|
149 |
1- Direct access to ressources :
|
|
150 |
|
|
151 |
| sumitter / accesser | anonymous | user1 | user2 | agent1 | agent2 | admin1 |
|
|
152 |
+---------------------+-----------+-------+-------+--------+--------+--------+
|
|
153 |
| anonymous | login | deny | deny | deny | (*) | (*) |
|
|
154 |
| agent1 (submiter)) | login | deny | deny | deny | (*) | (*) |
|
|
155 |
| user1 | login | allow | deny | deny | (*) | (*) |
|
|
156 |
|
|
157 |
(*) Agent2 is the receiver.
|
|
158 |
Redirected into backoffice for demands.
|
|
159 |
Access denied for drafts.
|
|
160 |
|
|
161 |
2- Access using tracking code :
|
|
162 |
|
|
163 |
All access is granted,
|
|
164 |
On restoring draft, the logged user become the new draft owner,
|
|
165 |
this affect the computed and prefill fields.
|
|
166 |
"""
|
|
167 |
users = create_users(pub)
|
|
168 |
(anonymous, user1, user2, agent1, agent2, admin1) = users
|
|
169 |
tracking_code = None
|
|
170 |
formdata_id = None
|
|
171 |
is_draft = None
|
|
172 |
formdef = create_formdef()
|
|
173 |
formdef.fields = [
|
|
174 |
fields.StringField(id='0', label='submiter', varname='submiter'),
|
|
175 |
fields.CommentField(id='1', type='comment',
|
|
176 |
display_locations=['validation', 'summary'],
|
|
177 |
label='label1: {{form_user_display_name}}'),
|
|
178 |
fields.StringField(id='2', label='string1',
|
|
179 |
prefill={'type': 'string',
|
|
180 |
'value': 'label2: {{form_user_display_name}}'}),
|
|
181 |
fields.StringField(id='3', label='string2', required=False,
|
|
182 |
prefill={'type': 'string',
|
|
183 |
'value': 'label3: {{form_user_display_name}}'}),
|
|
184 |
]
|
|
185 |
formdef.backoffice_submission_roles = agent1.roles[:]
|
|
186 |
formdef.workflow_roles = {'_receiver': agent2.roles[0]}
|
|
187 |
formdef.enable_tracking_codes = True
|
|
188 |
formdef.store()
|
|
189 |
|
|
190 |
@contextlib.contextmanager
|
|
191 |
def submission(user, is_frontoffice=True):
|
|
192 |
pub.session_manager.session_class.wipe()
|
|
193 |
app = get_app(pub)
|
|
194 |
|
|
195 |
if user:
|
|
196 |
app = login(app, username=user.name, password=user.name)
|
|
197 |
user_label = user.name
|
|
198 |
else:
|
|
199 |
user_label = 'anonymous'
|
|
200 |
if is_frontoffice:
|
|
201 |
resp = app.get('/test/')
|
|
202 |
assert '<h3>Tracking code</h3>' in resp.text
|
|
203 |
else:
|
|
204 |
resp = app.get('/backoffice/submission/test/')
|
|
205 |
assert '<h3>Tracking Code</h3>' in resp.text
|
|
206 |
|
|
207 |
formdef.data_class().wipe()
|
|
208 |
resp.form['f0'] = user_label
|
|
209 |
resp.form['f3'] = '' # to check new prefilled value on retored draft
|
|
210 |
resp = resp.form.submit('submit')
|
|
211 |
|
|
212 |
tracking_code = get_displayed_tracking_code(resp)
|
|
213 |
assert 'Check values then click submit.' in resp.text
|
|
214 |
if not is_draft:
|
|
215 |
resp = resp.form.submit('submit')
|
|
216 |
assert formdef.data_class().count() == 1
|
|
217 |
formdata = formdef.data_class().select()[0]
|
|
218 |
assert formdata.is_draft() == is_draft
|
|
219 |
assert formdata.tracking_code == tracking_code
|
|
220 |
assert user_label in formdata.data['0']
|
|
221 |
yield (tracking_code, formdata.id)
|
|
222 |
|
|
223 |
def check_direct_access(user, expected=None):
|
|
224 |
"""direct access from the URLs"""
|
|
225 |
pub.session_manager.session_class.wipe()
|
|
226 |
app = get_app(pub)
|
|
227 |
if user:
|
|
228 |
app = login(app, username=user.name, password=user.name)
|
|
229 |
|
|
230 |
if is_draft:
|
|
231 |
if expected == 'forbidden':
|
|
232 |
resp = app.get('/test/%s' % formdata_id, status=403)
|
|
233 |
return
|
|
234 |
resp = app.get('/test/%s' % formdata_id)
|
|
235 |
if expected == 'login':
|
|
236 |
assert resp.location.startswith('http://example.net/login/?next=')
|
|
237 |
elif expected == 'frontoffice':
|
|
238 |
assert 'http://example.net/test/?mt=' in resp.location
|
|
239 |
resp = resp.follow()
|
|
240 |
assert '<title>Forms - test</title>' in resp.text
|
|
241 |
assert get_displayed_tracking_code(resp) == tracking_code
|
|
242 |
else:
|
|
243 |
assert expected in ('login', 'forbidden', 'frontoffice')
|
|
244 |
else:
|
|
245 |
resp = app.get('/test/%s' % formdata_id)
|
|
246 |
assert resp.location == 'http://example.net/test/%s/' % formdata_id
|
|
247 |
if expected == 'forbidden':
|
|
248 |
resp = resp.follow(status=403)
|
|
249 |
elif expected == 'login':
|
|
250 |
resp = resp.follow()
|
|
251 |
assert resp.location.startswith('http://example.net/login/?next=')
|
|
252 |
elif expected == 'frontoffice':
|
|
253 |
resp = resp.follow()
|
|
254 |
assert '<title>Forms - test</title>' in resp.text
|
|
255 |
assert get_displayed_tracking_code(resp) == tracking_code
|
|
256 |
elif expected == 'backoffice':
|
|
257 |
resp = resp.follow()
|
|
258 |
assert resp.location == 'http://example.net/backoffice/management/test/%s/' % formdata_id
|
|
259 |
resp = resp.follow()
|
|
260 |
assert ' <title>Back Office of wcs - test - %s</title>' % formdata_id in resp.text
|
|
261 |
else:
|
|
262 |
assert expected in ('login', 'forbidden', 'frontoffice', 'backoffice')
|
|
263 |
|
|
264 |
def check_tracking_code_access(user, owner=None, new_owner=None):
|
|
265 |
"""load the formdata using the tracking code"""
|
|
266 |
pub.session_manager.session_class.wipe()
|
|
267 |
app = get_app(pub)
|
|
268 |
if user:
|
|
269 |
app = login(app, username=user.name, password=user.name)
|
|
270 |
resp = app.get('/')
|
|
271 |
resp.forms[0]['code'] = tracking_code
|
|
272 |
resp = resp.forms[0].submit()
|
|
273 |
assert resp.location == 'http://example.net/code/%s/load' % tracking_code
|
|
274 |
resp = resp.follow()
|
|
275 |
assert resp.location == 'http://example.net/test/%s' % formdata_id
|
|
276 |
resp = resp.follow()
|
|
277 |
if is_draft:
|
|
278 |
assert 'http://example.net/test/?mt=' in resp.location
|
|
279 |
resp = resp.follow()
|
|
280 |
assert 'Check values then click submit.' in resp.text
|
|
281 |
else:
|
|
282 |
assert resp.location == 'http://example.net/test/%s/' % formdata_id
|
|
283 |
resp = resp.follow()
|
|
284 |
assert 'The form has been recorded' in resp.text
|
|
285 |
assert '<title>Forms - test</title>' in resp.text
|
|
286 |
|
|
287 |
if is_draft:
|
|
288 |
resp = resp.forms[1].submit('previous')
|
|
289 |
resp = resp.forms[1].submit('submit')
|
|
290 |
assert 'Check values then click submit.' in resp.text
|
|
291 |
|
|
292 |
regex1 = re.search('[>"]label1: ([^<"]*)', resp.text) # comment
|
|
293 |
regex2 = re.search('[>"]label2: ([^<"]*)', resp.text) # prefilled
|
|
294 |
regex3 = re.search('[>"]label3: ([^<"]*)', resp.text) # prefill updated
|
|
295 |
|
|
296 |
formdata = formdef.data_class().select()[0]
|
|
297 |
formdata_user = getattr(formdata.user, 'name', '')
|
|
298 |
expected_owner = getattr(owner, 'name', '')
|
|
299 |
expected_new_owner = getattr(new_owner, 'name', '')
|
|
300 |
if is_draft:
|
|
301 |
if new_owner:
|
|
302 |
assert formdata_user == expected_new_owner
|
|
303 |
else:
|
|
304 |
assert formdata_user == expected_owner
|
|
305 |
assert regex1.group(1) == expected_new_owner
|
|
306 |
assert regex2.group(1) == expected_owner
|
|
307 |
assert regex3.group(1) == expected_new_owner
|
|
308 |
else:
|
|
309 |
assert formdata_user == expected_owner
|
|
310 |
assert regex1.group(1) == expected_owner
|
|
311 |
assert regex2.group(1) == expected_owner
|
|
312 |
|
|
313 |
# direct access to formdata
|
|
314 |
is_draft = False # demands
|
|
315 |
with submission(anonymous, is_frontoffice=True) as (tracking_code, formdata_id):
|
|
316 |
expected = ('login', 'forbidden', 'forbidden', 'forbidden', 'backoffice', 'backoffice')
|
|
317 |
for i in range(len(users)):
|
|
318 |
check_direct_access(users[i], expected[i])
|
|
319 |
with submission(agent1, is_frontoffice=False) as (tracking_code, formdata_id):
|
|
320 |
expected = ('login', 'forbidden', 'forbidden', 'forbidden', 'backoffice', 'backoffice')
|
|
321 |
for i in range(len(users)):
|
|
322 |
check_direct_access(users[i], expected[i])
|
|
323 |
with submission(user1, is_frontoffice=True) as (tracking_code, formdata_id):
|
|
324 |
expected = ('login', 'frontoffice', 'forbidden', 'forbidden', 'backoffice', 'backoffice')
|
|
325 |
for i in range(len(users)):
|
|
326 |
check_direct_access(users[i], expected[i])
|
|
327 |
|
|
328 |
is_draft = True # drafts
|
|
329 |
with submission(anonymous, is_frontoffice=True) as (tracking_code, formdata_id):
|
|
330 |
expected = ('login', 'forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden')
|
|
331 |
for i in range(len(users)):
|
|
332 |
check_direct_access(users[i], expected[i])
|
|
333 |
with submission(agent1, is_frontoffice=False) as (tracking_code, formdata_id):
|
|
334 |
expected = ('login', 'forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden')
|
|
335 |
for i in range(len(users)):
|
|
336 |
check_direct_access(users[i], expected[i])
|
|
337 |
with submission(user1, is_frontoffice=True) as (tracking_code, formdata_id):
|
|
338 |
expected = ('login', 'frontoffice', 'forbidden', 'forbidden', 'forbidden', 'forbidden')
|
|
339 |
for i in range(len(users)):
|
|
340 |
check_direct_access(users[i], expected[i])
|
|
341 |
|
|
342 |
# access to formdata using the tracking code
|
|
343 |
is_draft = False # demands
|
|
344 |
for user in users:
|
|
345 |
with submission(anonymous, is_frontoffice=True) as (tracking_code, formdata_id):
|
|
346 |
check_tracking_code_access(user, owner=anonymous)
|
|
347 |
with submission(agent1, is_frontoffice=False) as (tracking_code, formdata_id):
|
|
348 |
check_tracking_code_access(user, owner=anonymous)
|
|
349 |
with submission(user1, is_frontoffice=True) as (tracking_code, formdata_id):
|
|
350 |
check_tracking_code_access(user, owner=user1)
|
|
351 |
|
|
352 |
is_draft = True # drafts
|
|
353 |
for user in users:
|
|
354 |
with submission(anonymous, is_frontoffice=True) as (tracking_code, formdata_id):
|
|
355 |
check_tracking_code_access(user, owner=anonymous, new_owner=user)
|
|
356 |
with submission(agent1, is_frontoffice=False) as (tracking_code, formdata_id):
|
|
357 |
check_tracking_code_access(user, owner=anonymous, new_owner=user)
|
|
358 |
with submission(user1, is_frontoffice=True) as (tracking_code, formdata_id):
|
|
359 |
check_tracking_code_access(user, owner=user1, new_owner=user)
|
| 77 |
|
-
|