From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Date: Thu, 25 May 2017 07:38:05 +0000 (+1000)
Subject: tests: Add tests for viewing private bundles
X-Git-Tag: v2.0.0-rc3~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3285634ab37eb1f1f6dd95e671281ad7c6beca54;p=thirdparty%2Fpatchwork.git

tests: Add tests for viewing private bundles

Add some tests to check that owners can view their private bundles while
other authenticated users can't.

Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Stephen Finucane <stephen@that.guru>
---

diff --git a/patchwork/tests/test_bundles.py b/patchwork/tests/test_bundles.py
index 0dc9165b..cdc7ee08 100644
--- a/patchwork/tests/test_bundles.py
+++ b/patchwork/tests/test_bundles.py
@@ -19,6 +19,7 @@
 
 from __future__ import absolute_import
 
+import base64
 import datetime
 import unittest
 
@@ -283,6 +284,65 @@ class BundlePublicModifyTest(BundleTestBase):
         self.assertNotEqual(self.bundle.name, newname)
 
 
+class BundlePrivateViewTest(BundleTestBase):
+
+    """Ensure that non-owners can't view private bundles"""
+
+    def setUp(self):
+        super(BundlePrivateViewTest, self).setUp()
+        self.bundle.public = False
+        self.bundle.save()
+        self.bundle.append_patch(self.patches[0])
+        self.url = bundle_url(self.bundle)
+        self.other_user = create_user()
+
+    def test_private_bundle(self):
+        # Check we can view as owner
+        self.client.login(username=self.user.username,
+                          password=self.user.username)
+        response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, self.patches[0].name)
+
+        # Check we can't view as another user
+        self.client.login(username=self.other_user.username,
+                          password=self.other_user.username)
+        response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 404)
+
+
+class BundlePrivateViewMboxTest(BundlePrivateViewTest):
+
+    """Ensure that non-owners can't view private bundle mboxes"""
+
+    def setUp(self):
+        super(BundlePrivateViewMboxTest, self).setUp()
+        self.url = reverse('bundle-mbox', kwargs={
+            'username': self.bundle.owner.username,
+            'bundlename': self.bundle.name})
+
+    def test_private_bundle_mbox_basic_auth(self):
+        self.client.logout()
+
+        def _get_auth_string(user):
+            return 'Basic ' + base64.b64encode(b':'.join((
+                user.username.encode(),
+                user.username.encode()))
+            ).strip().decode()
+
+        # Check we can view as owner
+        auth_string = _get_auth_string(self.user)
+        response = self.client.get(self.url, HTTP_AUTHORIZATION=auth_string)
+
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, self.patches[0].name)
+
+        # Check we can't view as another user
+        auth_string = _get_auth_string(self.other_user)
+        response = self.client.get(self.url, HTTP_AUTHORIZATION=auth_string)
+        self.assertEqual(response.status_code, 404)
+
+
 class BundleCreateFromListTest(BundleTestBase):
 
     def test_create_empty_bundle(self):