3 files changed, 80 insertions, 0 deletions

diff --git a/archaeological_operations/tests.py b/archaeological_operations/tests.py
index e70b701c4..58915dce9 100644
--- a/archaeological_operations/tests.py
+++ b/archaeological_operations/tests.py
@@ -39,6 +39,9 @@ from django.utils.text import slugify
 from django.contrib.auth.models import User, Permission
 from django.utils.translation import ugettext_lazy as _, pgettext, pgettext_lazy
 
+from rest_framework.test import APITestCase
+from rest_framework.authtoken.models import Token
+
 from . import models
 
 from ishtar_common.views import document_deletion_steps
@@ -77,6 +80,8 @@ from ishtar_common.models import (
     Document,
     ValueFormater,
     Regexp,
+    ApiUser,
+    ApiSearchModel,
 )
 from ishtar_common.models_imports import ImporterDefault, ImporterDefaultValues
 from archaeological_files.models import File, FileType
@@ -4419,3 +4424,66 @@ class SeleniumTestsOperations(SeleniumTests):
         for pk, xpath in from_table:
             slug_pk = slug + "-" + str(pk)
             self._test_operation(xpath, slug_pk, copy.deepcopy(geojsons))
+
+
+class ApiTest(OperationInitTest, APITestCase):
+    fixtures = FILE_FIXTURES
+
+    def setUp(self):
+        IshtarSiteProfile.objects.get_or_create(slug="default", active=True)
+        self.username, self.password, self.user = create_superuser()
+        self.orgas = self.create_orgas(self.user)
+        self.create_operation(self.user, self.orgas[0])
+        self.create_operation(self.user, self.orgas[0])
+        self.create_operation(self.user, self.orgas[0])
+        self.create_operation(self.user, self.orgas[0])
+        self.auth_token = "Token " + Token.objects.create(user=self.user).key
+        self.api_user = ApiUser.objects.create(user_ptr=self.user, ip="127.0.0.1")
+
+    def create_api_search_model(self):
+        return ApiSearchModel.objects.create(
+            user=self.api_user,
+            content_type=ContentType.objects.get(
+                app_label="archaeological_operations",
+                model="operation"
+            ))
+
+    def test_permissions(self):
+        url = reverse("api-search-operation")
+        response = self.client.get(url, format="json")
+        # nothing OK
+        self.assertEqual(response.status_code, 401)
+        # token + IP
+        response = self.client.get(
+            url, format="json", HTTP_AUTHORIZATION=self.auth_token
+        )
+        self.assertEqual(response.status_code, 403)
+        api_search_model = self.create_api_search_model()
+        content_type_id = api_search_model.content_type.id
+        api_search_model.content_type = ContentType.objects.get(
+                app_label="archaeological_operations",
+                model="archaeologicalsite"
+            )
+        api_search_model.save()
+        # token + IP + bad model
+        response = self.client.get(
+            url, format="json", HTTP_AUTHORIZATION=self.auth_token
+        )
+        self.assertEqual(response.status_code, 403)
+        api_search_model.content_type_id = content_type_id
+        api_search_model.save()
+        # token + IP + good model
+        response = self.client.get(
+            url, format="json", HTTP_AUTHORIZATION=self.auth_token
+        )
+        self.assertEqual(response.status_code, 200)
+        # token + bad IP + good model
+        self.api_user.ip = "8.8.8.8"
+        self.api_user.save()
+        response = self.client.get(
+            url, format="json", HTTP_AUTHORIZATION=self.auth_token
+        )
+        self.assertEqual(response.status_code, 403)
+        self.api_user.ip = "127.0.0.1"
+        self.api_user.save()
+
diff --git a/archaeological_operations/urls.py b/archaeological_operations/urls.py
index 85a650216..4aee195f4 100644
--- a/archaeological_operations/urls.py
+++ b/archaeological_operations/urls.py
@@ -21,6 +21,7 @@ from django.conf.urls import url
 
 from ishtar_common.utils import check_rights
 from archaeological_operations import views
+from archaeological_operations import views_api
 from archaeological_operations import models
 
 # be carreful: each check_rights must be relevant with ishtar_menu
@@ -356,4 +357,8 @@ urlpatterns = [
         views.GenerateStatsOperation.as_view(),
         name="generate-stats-operation",
     ),
+    url(
+        r"api/search/operation/$", views_api.SearchOperationAPI.as_view(),
+        name="api-search-operation"
+    ),
 ]
diff --git a/archaeological_operations/views_api.py b/archaeological_operations/views_api.py
new file mode 100644
index 000000000..48127ec4b
--- /dev/null
+++ b/archaeological_operations/views_api.py
@@ -0,0 +1,7 @@
+from ishtar_common.rest import SearchAPIView
+from archaeological_operations import models
+
+
+class SearchOperationAPI(SearchAPIView):
+    model = models.Operation
+