Manage own permissions with areas for context records (refs #4060)

1 files changed, 111 insertions, 6 deletions

diff --git a/archaeological_context_records/tests.py b/archaeological_context_records/tests.py
index 78d21dd90..aad8b8b6d 100644
--- a/archaeological_context_records/tests.py
+++ b/archaeological_context_records/tests.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
-# Copyright (C) 2015-2017 Étienne Loks  <etienne.loks_AT_peacefrogsDOTnet>
+# Copyright (C) 2015-2018 Étienne Loks  <etienne.loks_AT_peacefrogsDOTnet>
 
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as
@@ -22,11 +22,13 @@ import json
 from StringIO import StringIO
 
 from django.conf import settings
+from django.contrib.auth.models import Permission
 from django.core.exceptions import ValidationError, ImproperlyConfigured
 from django.core.urlresolvers import reverse
 from django.test.client import Client
 
-from ishtar_common.models import IshtarSiteProfile, ImporterModel
+from ishtar_common.models import IshtarSiteProfile, ImporterModel, \
+    UserProfile, ProfileType, Town, Area
 
 from archaeological_operations.tests import OperationInitTest, \
     ImportTest, FILE_TOWNS_FIXTURES, FILE_FIXTURES, OPERATION_TOWNS_FIXTURES
@@ -34,7 +36,7 @@ from archaeological_operations import models as models_ope
 from archaeological_context_records import models
 
 from ishtar_common.tests import WizardTest, WizardTestFormData as FormData, \
-    create_superuser, TestCase
+    create_superuser, create_user, TestCase
 
 from archaeological_context_records import views
 
@@ -167,19 +169,26 @@ class ImportContextRecordTest(ImportTest, TestCase):
 
 
 class ContextRecordInit(OperationInitTest):
-    def create_context_record(self, user=None, data={}, force=False):
+    def create_context_record(self, data=None, user=None, force=False):
+        if not data:
+            data = {}
+
         if not getattr(self, 'context_records', None):
             self.context_records = []
+
         default = {'label': "Context record"}
         if force or not data.get('operation') \
                 or not models.Operation.objects.filter(
                     pk=data['operation'].pk).count():
-            data['operation'] = self.get_default_operation(force=force)
+            data['operation'] = self.get_default_operation(force=force,
+                                                           user=user)
         if not data.get('parcel') or not data['parcel'].pk \
             or not models.Parcel.objects.filter(
                 pk=data['parcel'].pk).count():
             data['parcel'] = self.get_default_parcel(force=force)
-        if not data.get('history_modifier'):
+        if user:
+            data['history_modifier'] = user
+        elif not data.get('history_modifier'):
             data['history_modifier'] = self.get_default_user()
 
         default.update(data)
@@ -580,6 +589,102 @@ class ContextRecordSearchTest(ContextRecordInit, TestCase):
         self.assertEqual(json.loads(response.content)['recordsTotal'], 1)
 
 
+class ContextRecordPermissionTest(ContextRecordInit, TestCase):
+    fixtures = CONTEXT_RECORD_TOWNS_FIXTURES
+
+    def setUp(self):
+        IshtarSiteProfile.objects.create()
+        self.username, self.password, self.user = create_superuser()
+        self.alt_username, self.alt_password, self.alt_user = create_user()
+        self.alt_user.user_permissions.add(Permission.objects.get(
+            codename='view_own_contextrecord'))
+        self.alt_user.user_permissions.add(Permission.objects.get(
+            codename='change_own_contextrecord'))
+        self.alt_username2, self.alt_password2, self.alt_user2 = create_user(
+            username='luke', password='iamyourfather'
+        )
+        profile = UserProfile.objects.create(
+            profile_type=ProfileType.objects.get(txt_idx='collaborator'),
+            person=self.alt_user2.ishtaruser.person,
+            current=True
+        )
+
+        town = Town.objects.create(name='Tatouine', numero_insee='66000')
+        area = Area.objects.create(label='Galaxie', txt_idx='galaxie')
+        area.towns.add(town)
+
+        self.orgas = self.create_orgas(self.user)
+        self.operations = self.create_operation(self.user, self.orgas[0])
+        self.operations += self.create_operation(self.alt_user, self.orgas[0])
+        self.operations[1].towns.add(town)
+
+        self.create_context_record(user=self.user, data={"label": u"CR 1",
+                                         "operation": self.operations[0]})
+        self.create_context_record(
+            user=self.alt_user,
+            data={"label": u"CR 2", "operation": self.operations[1]})
+        self.cr_1 = self.context_records[0]
+        self.cr_2 = self.context_records[1]
+
+
+        profile.areas.add(area)
+
+    def test_own_search(self):
+        # no result when no authentification
+        c = Client()
+        response = c.get(reverse('get-contextrecord'))
+        self.assertTrue(not json.loads(response.content))
+
+        # possession
+        c = Client()
+        c.login(username=self.alt_username, password=self.alt_password)
+        response = c.get(reverse('get-contextrecord'))
+        # only one "own" context record available
+        self.assertTrue(json.loads(response.content))
+        self.assertEqual(json.loads(response.content)['recordsTotal'], 1)
+
+        # area filter
+        c = Client()
+        c.login(username=self.alt_username2, password=self.alt_password2)
+        response = c.get(reverse('get-contextrecord'))
+        # only one "own" operation available
+        self.assertTrue(json.loads(response.content))
+        self.assertEqual(json.loads(response.content)['recordsTotal'], 1)
+
+    def test_own_modify(self):
+        # no result when no authentification
+        c = Client()
+        response = c.get(reverse('record_modify', args=[self.cr_2.pk]))
+        self.assertRedirects(response, "/")
+
+        modif_url = '/record_modification/operation-record_modification'
+
+        # possession
+        c = Client()
+        c.login(username=self.alt_username, password=self.alt_password)
+        response = c.get(reverse('record_modify', args=[self.cr_2.pk]),
+                         follow=True)
+        self.assertRedirects(response, modif_url)
+        response = c.get(modif_url)
+
+        self.assertEqual(response.status_code, 200)
+        response = c.get(reverse('record_modify', args=[self.cr_1.pk]),
+                         follow=True)
+        self.assertRedirects(response, "/")
+
+        # area filter
+        c = Client()
+        c.login(username=self.alt_username2, password=self.alt_password2)
+        response = c.get(reverse('record_modify', args=[self.cr_2.pk]),
+                         follow=True)
+        self.assertRedirects(response, modif_url)
+        response = c.get(modif_url)
+        self.assertEqual(response.status_code, 200)
+        response = c.get(reverse('record_modify', args=[self.cr_1.pk]),
+                         follow=True)
+        self.assertRedirects(response, "/")
+
+
 class RecordRelationsTest(ContextRecordInit, TestCase):
     fixtures = OPERATION_TOWNS_FIXTURES
     model = models.ContextRecord