From 0b1e833c92d8ce7403877c5cc866aadc308973d7 Mon Sep 17 00:00:00 2001
From: Josue Kouka
Date: Tue, 1 Dec 2015 10:00:01 +0100
Subject: [PATCH 2/2] improving role api tests #8234
---
 src/authentic2/api_views.py | 5 ++---
 tests/conftest.py | 13 +++++++++----
 tests/test_api.py | 18 +++++++++++-------
 3 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/src/authentic2/api_views.py b/src/authentic2/api_views.py
index 7b14dbf..bb0a69e 100644
--- a/src/authentic2/api_views.py
+++ b/src/authentic2/api_views.py
@@ -330,13 +330,12 @@ router.register(r'users', UsersAPI, base_name='a2-api-users')
 class RolesAPI(APIView):
 authentication_class = (authentication.BasicAuthentication)
- permission_classes = (permissions.IsAuthenticated, HasUserAddPermission)
+ permission_classes = (permissions.IsAuthenticated,)
 def initial(self, request, *args, **kwargs):
 super(RolesAPI, self).initial(request, *args, **kwargs)
- Role = get_role_model()
 perm = 'a2_rbac.change_role'
- authorized = request.user.has_perm(perm, obj=Role)
+ authorized = request.user.has_perm(perm, obj=self.role)
 if not authorized:
 raise PermissionDenied(u'User not allowed to change role')
diff --git a/tests/conftest.py b/tests/conftest.py
index 6f0c05f..d02b849 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -35,6 +35,11 @@ def ou2(db):
 OU = get_ou_model()
 return OU.objects.create(name='OU2', slug='ou2')
+@pytest.fixture
+def ou_rando(db):
+ OU = get_ou_model()
+ return OU.objects.create(name='ou_rando', slug='ou_rando')
+
 def create_user(**kwargs):
 User = get_user_model()
 password = kwargs.pop('password', None) or kwargs['username']
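Review bot: `initial()` now authorizes against `self.role`, but nothing in this hunk assigns that attribute and `initial()` runs before the `post`/`delete` handlers (which lie outside the hunk); if `self.role` is only resolved in the handlers rather than as a property or earlier in `initial`, the check raises `AttributeError` (a 500) instead of the intended 403. The tests in this patch expect a 404 for an unknown role ahead of any 403, which implies the uuid lookup fires before the permission check, so any authenticated caller can probe which role uuids exist — either accept and document that disclosure or return the same status for "unknown" and "not permitted". Unrelated to the change but on the new side: DRF reads `authentication_classes` (plural), so the context line `authentication_class = (authentication.BasicAuthentication)` is a no-op and the view falls back to the project's default authentication classes; it should read `authentication_classes = (authentication.BasicAuthentication,)` if Basic auth is really meant to be the only scheme here.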
@@ -80,9 +85,9 @@ def admin_ou2(db, ou2):
 return user
 @pytest.fixture
-def admin_rando_role(db, role_random):
+def admin_rando_role(db, role_random, ou_rando):
 user = create_user(username='admin_rando', first_name='admin', last_name='rando',
- email='admin.rando@weird.com')
+ email='admin.rando@weird.com', ou=ou_rando)
 user.roles.add(role_random.get_admin_role())
 return user
@@ -95,8 +100,8 @@ def logged_app(app, user):
 return utils.login(app, user)
 @pytest.fixture
-def role_random(db):
- return Role.objects.create(name='rando', slug='rando')
+def role_random(db, ou_rando):
+ return Role.objects.create(name='rando', slug='rando', ou=ou_rando)
 @pytest.fixture
 def role_ou1(db, ou1):
diff --git a/tests/test_api.py b/tests/test_api.py
index 76e668f..76c4ea8 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -17,7 +17,7 @@ def test_api_users_list(app, user):
 assert resp.json['previous'] is None
 assert resp.json['next'] is None
 if user.is_superuser:
- count = 5
+ count = 6
 elif user.roles.exists():
 count = 2
 else:
@@ -77,9 +77,11 @@ def test_api_role_add_member(app, user, role, member):
 'role_member': member.uuid
 }
+ authorized = user.is_superuser or user.has_perm('a2_rbac.change_role', role)
+
 if member.username == 'fake' or role.name == 'fake':
 status = 404
- elif user.is_superuser or role.members.filter(uuid=member.uuid):
+ elif authorized :
 status = 201
 else:
 status = 403
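Review bot: The expected status in `test_api_role_add_member` is now derived from `user.has_perm('a2_rbac.change_role', role)`, which is the very call `RolesAPI.initial` makes, so the test has become an oracle of the view's own authorization backend and would still pass if that backend (or a mis-scoped admin role such as `admin_rando_role`) granted `change_role` on roles it should not. The removed `role.members.filter(...)` expectation was wrong, but the replacement should be an independent, fixture-pinned table — e.g. `authorized = user.is_superuser or (user.username, role.name) in {('admin_rando', 'rando'), ...}` listing which test admin may touch which role — so that an over-permissive backend makes the test fail. Style: `elif authorized :` carries a space before the colon; write `elif authorized:`.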
@@ -87,17 +89,19 @@ def test_api_role_add_member(app, user, role, member):
 resp = app.post_json('/api/roles/{0}/members/{1}/'.format(role.uuid, member.uuid), payload, status=status)
 if status == 404:
 pass
- elif user.is_superuser:
+ elif authorized :
 assert resp.json['detail'] == 'User successfully added to role'
 else:
- assert resp.json['detail'] == 'Vous n\'avez pas la permission d\'effectuer cette action.' or resp.json['detail'] == 'User not allowed to change role'
+ assert resp.json['detail'] == 'User not allowed to change role'
 def test_api_role_remove_member(app, user, role, member):
 app.authorization = ('Basic', (user.username, user.username))
+ authorized = user.is_superuser or user.has_perm('a2_rbac.change_role', role)
+
 if member.username == 'fake' or role.name == 'fake':
 status = 404
- elif user.is_superuser or role.members.filter(uuid=member.uuid):
+ elif authorized :
 status = 200
 else:
 status = 403
@@ -106,7 +110,7 @@ def test_api_role_remove_member(app, user, role, member):
 if status == 404:
 pass
- elif user.is_superuser:
+ elif authorized :
 assert resp.json['detail'] == 'User successfully removed from role'
 else:
- assert (resp.json['detail'] == 'Vous n\'avez pas la permission d\'effectuer cette action.' or resp.json['detail'] == 'User not allowed to change role')
+ assert resp.json['detail'] == 'User not allowed to change role'
-- 2.6.2
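Review bot: `test_api_role_remove_member` duplicates the `authorized = user.is_superuser or user.has_perm('a2_rbac.change_role', role)` line and the three-way status ladder from `test_api_role_add_member` verbatim; the two should share one module-level helper, e.g. `def _expected_status(user, role, member, ok): ...`, so that when the expectation is tightened (or a fixture is added) both tests change together. Note also that with `permission_classes` reduced to `IsAuthenticated` the only 403 path left is the view's own `PermissionDenied`, so dropping the French DRF default message from the assertion is correct, but the assertion now also silently depends on the view raising before any DRF permission class — worth a one-line comment above the `else:` branch such as `# 403 can only come from RolesAPI.initial, hence the fixed message`.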