WP: toulouse-maelis: ajouter une permission spécial pour les endpoints du panier. (#74152) #81

Closed
nroche wants to merge 3 commits from wip/74152-parsifal-manage-basket-permission into main
2 changed files with 48 additions and 13 deletions


@ -62,6 +62,8 @@ class ToulouseMaelis(BaseResource, HTTPResource):
category = 'Connecteurs métiers'
_category_ordering = ['Famille', 'Activités']
_can_manage_basket_description = "La gestion du panier est limitée aux comptes dAPI suivants :"
class Meta:
verbose_name = 'Toulouse Maelis'
@ -2599,6 +2601,7 @@ class ToulouseMaelis(BaseResource, HTTPResource):
display_category='Inscriptions',
description="Ajoute au panier une inscription extra-scolaire ou loisir",
name='add-person-basket-subscription',
perm='can_access',
post={
'request_body': {
'schema': {
@ -2670,7 +2673,7 @@ class ToulouseMaelis(BaseResource, HTTPResource):
display_category='Inscriptions',
description="Suppression d'une ligne du panier",
name='delete-basket-line',
perm='can_access',
perm='can_manage_basket',
parameters={
'NameID': {'description': 'Publik NameID'},
'family_id': {'description': 'Numéro de DUI'},
@ -2702,7 +2705,7 @@ class ToulouseMaelis(BaseResource, HTTPResource):
display_category='Inscriptions',
description="Suppression du panier de la famille",
name='delete-basket',
perm='can_access',
perm='can_manage_basket',
parameters={
'NameID': {'description': 'Publik NameID'},
'family_id': {'description': 'Numéro de DUI'},
@ -2729,7 +2732,7 @@ class ToulouseMaelis(BaseResource, HTTPResource):
display_category='Inscriptions',
description="Validation du panier de la famille",
name='validate-basket',
perm='can_access',
perm='can_manage_basket',
parameters={
'NameID': {'description': 'Publik NameID'},
'family_id': {'description': 'Numéro de DUI'},
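Review bot: The three destructive basket endpoints (delete-basket-line, delete-basket, validate-basket) move to `perm='can_manage_basket'`, but add-person-basket-subscription in the second hunk is explicitly pinned to `perm='can_access'` (that appears to be the one line added there), so adding lines to a basket stays open to any API user with plain access while removing or validating them needs the new right. If that split is intended, a one-line comment above that `perm=` line would keep the next reader from "fixing" it, e.g. `# adding to the basket stays on can_access; deleting/validating it require can_manage_basket`, and the docstring-like `_can_manage_basket_description` should say the same so the admin screen explains which endpoints the right gates. The description string reads "comptes dAPI"; unless that is a rendering artifact of the apostrophe, it should be "comptes d'API". The ToulouseMaelis class body continues outside these hunks.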


@ -21,10 +21,12 @@ from unittest import mock
import pytest
import responses
from django.contrib.contenttypes.models import ContentType
from django.utils.dateparse import parse_date
from requests.exceptions import ConnectionError
from zeep import Settings
from passerelle.base.models import AccessRight, ApiUser
from passerelle.contrib.toulouse_maelis.models import Link, Referential, ToulouseMaelis
from passerelle.contrib.toulouse_maelis.utils import get_public_criterias, json_date_format
from passerelle.utils.jsonresponse import APIError
@ -206,6 +208,15 @@ def con(db):
return ToulouseMaelis.objects.get()
@pytest.fixture()
def manage_basket_access(con):
api = ApiUser.objects.get()
obj_type = ContentType.objects.get_for_model(con)
AccessRight.objects.create(
codename='can_manage_basket', apiuser=api, resource_type=obj_type, resource_pk=con.pk
)
@mock.patch('passerelle.utils.Request.get')
def test_call_with_wrong_wsdl_url(mocked_get, con):
mocked_get.side_effect = CONNECTION_ERROR
@ -5923,7 +5934,7 @@ def test_update_basket_time_basket_not_found(activity_service, con, app):
assert resp.json['err_desc'] == "no basket on '311352' family"
def test_delete_basket_line(activity_service, con, app):
def test_delete_basket_line(activity_service, con, app, manage_basket_access):
activity_service.add_soap_response('getFamilyBasket', get_xml_file('R_get_family_basket.xml'))
activity_service.add_soap_response(
'deletePersonUnitBasket', get_xml_file('R_delete_person_unit_basket.xml')
@ -5940,14 +5951,21 @@ def test_delete_basket_line(activity_service, con, app):
assert 'S10053203120' not in [x['id'] for x in resp.json['data']['lignes']]
def test_delete_basket_line_not_linked_error(con, app):
def test_delete_basket_line_api_access(con, app):
url = get_endpoint('delete-basket-line')
resp = app.post(url + '?family_id=311352&line_id=S10053203120', status=403)
assert resp.json['err'] == 1
assert 'PermissionDenied' in resp.json['err_class']
def test_delete_basket_line_not_linked_error(con, app, manage_basket_access):
url = get_endpoint('delete-basket-line')
resp = app.post(url + '?NameID=local&line_id=S10053203120')
assert resp.json['err'] == 1
assert resp.json['err_desc'] == 'User not linked to family'
def test_update_basket_line_basket_not_found(activity_service, con, app):
def test_delete_basket_line_basket_not_found(activity_service, con, app, manage_basket_access):
activity_service.add_soap_response('getFamilyBasket', get_xml_file('R_get_family_basket_empty.xml'))
url = get_endpoint('delete-basket-line')
resp = app.post(url + '?family_id=311352&line_id=S10053203120')
@ -5955,7 +5973,7 @@ def test_update_basket_line_basket_not_found(activity_service, con, app):
assert resp.json['err_desc'] == "no basket on '311352' family"
def test_delete_basket_line_line_not_found(activity_service, con, app):
def test_delete_basket_line_line_not_found(activity_service, con, app, manage_basket_access):
activity_service.add_soap_response('getFamilyBasket', get_xml_file('R_get_family_basket.xml'))
url = get_endpoint('delete-basket-line')
resp = app.post(url + '?family_id=311352&line_id=plop')
@ -5963,7 +5981,7 @@ def test_delete_basket_line_line_not_found(activity_service, con, app):
assert resp.json['err_desc'] == "no 'plop' basket line on '311352' family"
def test_delete_basket(activity_service, con, app):
def test_delete_basket(activity_service, con, app, manage_basket_access):
def request_check(request):
assert request.idUtilisat in ('local', 'Middle-office')
@ -5984,14 +6002,21 @@ def test_delete_basket(activity_service, con, app):
assert resp.json['data'] == 'ok'
def test_delete_basket_not_linked_error(con, app):
def test_delete_basket_api_access(con, app):
url = get_endpoint('delete-basket')
resp = app.post(url + '?family_id=311352', status=403)
assert resp.json['err'] == 1
assert 'PermissionDenied' in resp.json['err_class']
def test_delete_basket_not_linked_error(con, app, manage_basket_access):
url = get_endpoint('delete-basket')
resp = app.post(url + '?NameID=local')
assert resp.json['err'] == 1
assert resp.json['err_desc'] == 'User not linked to family'
def test_delete_basket_not_found(activity_service, con, app):
def test_delete_basket_not_found(activity_service, con, app, manage_basket_access):
activity_service.add_soap_response('getFamilyBasket', get_xml_file('R_get_family_basket_empty.xml'))
url = get_endpoint('delete-basket')
resp = app.post(url + '?family_id=311352')
@ -5999,7 +6024,7 @@ def test_delete_basket_not_found(activity_service, con, app):
assert resp.json['err_desc'] == "no basket on '311352' family"
def test_validate_basket(activity_service, con, app):
def test_validate_basket(activity_service, con, app, manage_basket_access):
activity_service.add_soap_response('getFamilyBasket', get_xml_file('R_get_family_basket.xml'))
activity_service.add_soap_response('validateBasket', get_xml_file('R_validate_basket.xml'))
url = get_endpoint('validate-basket')
@ -6018,14 +6043,21 @@ def test_validate_basket(activity_service, con, app):
}
def test_validate_basket_not_linked_error(con, app):
def test_validate_basket_api_access(con, app):
url = get_endpoint('validate-basket')
resp = app.post(url + '?family_id=311352', status=403)
assert resp.json['err'] == 1
assert 'PermissionDenied' in resp.json['err_class']
def test_validate_basket_not_linked_error(con, app, manage_basket_access):
url = get_endpoint('validate-basket')
resp = app.post(url + '?NameID=local')
assert resp.json['err'] == 1
assert resp.json['err_desc'] == 'User not linked to family'
def test_validate_basket_not_found(activity_service, con, app):
def test_validate_basket_not_found(activity_service, con, app, manage_basket_access):
activity_service.add_soap_response('getFamilyBasket', get_xml_file('R_get_family_basket_empty.xml'))
url = get_endpoint('validate-basket')
resp = app.post(url + '?family_id=311352')
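Review bot: The new `manage_basket_access` fixture in the first hunk relies on `ApiUser.objects.get()`, which presumes exactly one ApiUser exists in the test database and will raise DoesNotExist/MultipleObjectsReturned otherwise; that assumption is worth stating, e.g. a docstring `"""Grant can_manage_basket on the connector to the (single) test ApiUser."""`. The three `*_api_access` tests pin the 403 path for the guarded endpoints, but nothing asserts that add-person-basket-subscription still answers without the fixture, so a later change of its `perm` would go unnoticed by this suite; a small positive test without `manage_basket_access` would close that gap, if the split is intended. The `codename='can_manage_basket'` literal is duplicated between the fixture and the models' `perm=` values with no shared constant, so a typo on either side would surface only as an unexpected 403.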