Diffstat (limited to 'archaeological_operations/tests.py')
-rw-r--r-- | archaeological_operations/tests.py | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/archaeological_operations/tests.py b/archaeological_operations/tests.py index e70b701c4..58915dce9 100644 --- a/archaeological_operations/tests.py +++ b/archaeological_operations/tests.py @@ -39,6 +39,9 @@ from django.utils.text import slugify from django.contrib.auth.models import User, Permission from django.utils.translation import ugettext_lazy as _, pgettext, pgettext_lazy +from rest_framework.test import APITestCase +from rest_framework.authtoken.models import Token + from . import models from ishtar_common.views import document_deletion_steps @@ -77,6 +80,8 @@ from ishtar_common.models import ( Document, ValueFormater, Regexp, + ApiUser, + ApiSearchModel, ) from ishtar_common.models_imports import ImporterDefault, ImporterDefaultValues from archaeological_files.models import File, FileType 
@@ -4419,3 +4424,66 @@ class SeleniumTestsOperations(SeleniumTests):
 for pk, xpath in from_table:
 slug_pk = slug + "-" + str(pk)
 self._test_operation(xpath, slug_pk, copy.deepcopy(geojsons))
+
+
+class ApiTest(OperationInitTest, APITestCase):
+ fixtures = FILE_FIXTURES
+
+ def setUp(self):
+ IshtarSiteProfile.objects.get_or_create(slug="default", active=True)
+ self.username, self.password, self.user = create_superuser()
+ self.orgas = self.create_orgas(self.user)
+ self.create_operation(self.user, self.orgas[0])
+ self.create_operation(self.user, self.orgas[0])
+ self.create_operation(self.user, self.orgas[0])
+ self.create_operation(self.user, self.orgas[0])
+ self.auth_token = "Token " + Token.objects.create(user=self.user).key
+ self.api_user = ApiUser.objects.create(user_ptr=self.user, ip="127.0.0.1")
+
+ def create_api_search_model(self):
+ return ApiSearchModel.objects.create(
+ user=self.api_user,
+ content_type=ContentType.objects.get(
+ app_label="archaeological_operations",
+ model="operation"
+ ))
+
+ def test_permissions(self):
+ url = reverse("api-search-operation")
+ response = self.client.get(url, format="json")
+ # nothing OK
+ self.assertEqual(response.status_code, 401)
+ # token + IP
+ response = self.client.get(
+ url, format="json", HTTP_AUTHORIZATION=self.auth_token
+ )
+ self.assertEqual(response.status_code, 403)
+ api_search_model = self.create_api_search_model()
+ content_type_id = api_search_model.content_type.id
+ api_search_model.content_type = ContentType.objects.get(
+ app_label="archaeological_operations",
+ model="archaeologicalsite"
+ )
+ api_search_model.save()
+ # token + IP + bad model
+ response = self.client.get(
+ url, format="json", HTTP_AUTHORIZATION=self.auth_token
+ )
+ self.assertEqual(response.status_code, 403)
+ api_search_model.content_type_id = content_type_id
+ api_search_model.save()
+ # token + IP + good model
+ response = self.client.get(
+ url, format="json", HTTP_AUTHORIZATION=self.auth_token
+ )
+ self.assertEqual(response.status_code, 200)
+ # token + bad IP + good model
+ self.api_user.ip = "8.8.8.8"
+ self.api_user.save()
+ response = self.client.get(
+ url, format="json", HTTP_AUTHORIZATION=self.auth_token
+ )
+ self.assertEqual(response.status_code, 403)
+ self.api_user.ip = "127.0.0.1"
+ self.api_user.save()
+ |
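Review bot: The "token + bad IP" case at the end of `test_permissions` only rewrites the stored `ApiUser.ip` to `8.8.8.8` while the test client keeps its default address, so it shows that a comparison happens but not which request attribute the view compares against. I would add the mirror case, leaving `ApiUser.ip` at `127.0.0.1` and sending `self.client.get(url, format="json", HTTP_AUTHORIZATION=self.auth_token, REMOTE_ADDR="8.8.8.8")` followed by `self.assertEqual(response.status_code, 403)`. If the view consults a forwarded-address header (the view is not visible here), a further case should pin the intended behaviour for it. The method also has no case for a well-formed but unknown token or for a token whose user has no `ApiUser` row, since `setUp` always creates one, so the 401 assertion covers only the no-credentials path.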