authentik.enterprise.reports.tests.test_permissions
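from django.urls import reverse
from rest_framework.test import APITestCase

from authentik.core.tests.utils import create_test_user
from authentik.enterprise.reports.tests.utils import patch_license


@patch_license
class TestExportPermissions(APITestCase):
    """Permission checks for the User export endpoint and the DataExport API.

    Every test runs as a freshly created user; permissions are granted through
    the user's managed role, so each test starts from an empty permission set
    and only the permissions it assigns are in effect.
    """

    # Permissions needed to create a User data export via "user-export":
    # the caller must be allowed to view the exported model *and* to add
    # a DataExport object.
    EXPORT_PERMS = (
        "authentik_core.view_user",
        "authentik_reports.add_dataexport",
    )

    def setUp(self) -> None:
        self.user = create_test_user()
        self.client.force_login(self.user)

    def _grant_export_perms(self, user) -> None:
        """Grant *user* the permissions required to create a User export."""
        for perm in self.EXPORT_PERMS:
            user.assign_perms_to_managed_role(perm)

    def _create_export(self) -> str:
        """Create a User export as the logged-in user and return its detail URL.

        Asserts that creation succeeds (201) so that later assertions fail on
        the access check under test rather than on a missing export.
        """
        response = self.client.post(reverse("authentik_api:user-export"))
        self.assertEqual(response.status_code, 201)
        return reverse("authentik_api:dataexport-detail", kwargs={"pk": response.data["id"]})

    def test_export_without_permission(self):
        """Test User export endpoint without permission"""
        response = self.client.post(reverse("authentik_api:user-export"))
        self.assertEqual(response.status_code, 403)

    def test_export_only_user_permission(self):
        """Test User export endpoint with only view_user permission"""
        # view_user alone is not enough: add_dataexport is required as well.
        self.user.assign_perms_to_managed_role("authentik_core.view_user")
        response = self.client.post(reverse("authentik_api:user-export"))
        self.assertEqual(response.status_code, 403)

    def test_export_with_permission(self):
        """Test User export endpoint with view_user and add_dataexport permission"""
        self._grant_export_perms(self.user)
        response = self.client.post(reverse("authentik_api:user-export"))
        self.assertEqual(response.status_code, 201)

    def test_export_access(self):
        """Test that data export access is restricted to the user who created it"""
        self._grant_export_perms(self.user)
        export_url = self._create_export()
        response = self.client.get(export_url)
        self.assertEqual(response.status_code, 200)

        # A second user with the same permissions must not see the first
        # user's export. The expected answer is 404, not 403, so the response
        # does not reveal that an export with this id exists at all.
        other_user = create_test_user()
        self._grant_export_perms(other_user)
        self.client.logout()
        self.client.force_login(other_user)
        response = self.client.get(export_url)
        self.assertEqual(response.status_code, 404)

    def test_export_access_no_datatype_permission(self):
        """Test that data export access requires view permission on the data type"""
        self._grant_export_perms(self.user)
        # Even with view_dataexport, the export stays hidden once the user
        # loses the view permission on the exported model.
        self.user.assign_perms_to_managed_role("authentik_reports.view_dataexport")
        export_url = self._create_export()

        response = self.client.get(export_url)
        self.assertEqual(response.status_code, 200)

        self.user.remove_perms_from_managed_role("authentik_core.view_user")
        response = self.client.get(export_url)
        self.assertEqual(response.status_code, 404)

        # The list endpoint must filter the export out as well, not only the
        # detail endpoint.
        response = self.client.get(reverse("authentik_api:dataexport-list"))
        self.assertEqual(response.status_code, 200)
        self.assertEqual(len(response.data["results"]), 0)

    def test_export_access_owner(self):
        """Test that the creator can read their own export without view_dataexport,
        but still loses access once the view permission on the data type is removed"""
        self._grant_export_perms(self.user)
        export_url = self._create_export()
        # No view_dataexport was granted: access here relies on ownership only.
        response = self.client.get(export_url)
        self.assertEqual(response.status_code, 200)

        self.user.remove_perms_from_managed_role("authentik_core.view_user")
        response = self.client.get(export_url)
        self.assertEqual(response.status_code, 404)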
Similar to TransactionTestCase, but use transaction.atomic() to achieve
test isolation.
In most situations, TestCase should be preferred to TransactionTestCase as it allows faster execution. However, there are some situations where using TransactionTestCase might be necessary (e.g. testing some transactional behavior).
On database backends with no transaction support, TestCase behaves as TransactionTestCase.