|
13 | 13 | import ddt |
14 | 14 | from django.contrib.auth import get_user_model |
15 | 15 | from django.core.files.uploadedfile import SimpleUploadedFile |
| 16 | +from django.urls import reverse |
16 | 17 | from edx_django_utils.cache import RequestCache |
17 | 18 | from opaque_keys.edx.locator import BlockUsageLocator, CourseLocator, LibraryCollectionLocator, LibraryContainerLocator |
18 | 19 | from openedx_authz.constants.roles import COURSE_STAFF |
|
24 | 25 | from rest_framework.test import APITestCase, APIClient |
25 | 26 |
|
26 | 27 |
|
27 | | -from cms.djangoapps.contentstore.api.tests.base import BaseCourseViewTest |
28 | 28 | from common.djangoapps.student.auth import add_users, update_org_role |
29 | 29 | from common.djangoapps.student.roles import ( |
30 | 30 | CourseInstructorRole, |
|
34 | 34 | OrgLibraryUserRole, |
35 | 35 | OrgStaffRole |
36 | 36 | ) |
37 | | -from common.djangoapps.student.tests.factories import UserFactory |
| 37 | +from common.djangoapps.student.tests.factories import StaffFactory, UserFactory |
38 | 38 | from openedx.core.djangoapps.authz.tests.mixins import CourseAuthzTestMixin |
| 39 | +from xmodule.modulestore.tests.django_utils import SharedModuleStoreTestCase |
| 40 | +from xmodule.modulestore.tests.factories import CourseFactory |
39 | 41 | from openedx.core.djangoapps.content_libraries.api import AccessLevel, create_library, set_library_user_permissions |
40 | 42 | from openedx.core.djangoapps.content_tagging import api as tagging_api |
41 | 43 | from openedx.core.djangoapps.content_tagging.models import TaxonomyOrg |
@@ -2056,51 +2058,52 @@ def test_export_course_invalid_id(self) -> None: |
2056 | 2058 | assert response.status_code == status.HTTP_403_FORBIDDEN |
2057 | 2059 |
|
2058 | 2060 | @skip_unless_cms |
2059 | | -class TestContentObjectChildrenExportViewWithAuthz(CourseAuthzTestMixin, BaseCourseViewTest): |
| 2061 | +class TestContentObjectChildrenExportViewWithAuthz(CourseAuthzTestMixin, SharedModuleStoreTestCase, APITestCase): |
2060 | 2062 | """ |
2061 | 2063 | Tests Tags Export in Course authorization using openedx-authz. |
2062 | 2064 | """ |
2063 | 2065 |
|
2064 | | - view_name = 'content_tagging:taxonomy-object-tag-export' |
2065 | | - course_key_arg_name = 'context_id' |
2066 | 2066 | authz_roles_to_assign = [COURSE_STAFF.external_key] |
2067 | 2067 |
|
| 2068 | + @classmethod |
| 2069 | + def setUpClass(cls): |
| 2070 | + super().setUpClass() |
| 2071 | + cls.password = 'test' |
| 2072 | + cls.course = CourseFactory.create() |
| 2073 | + cls.course_key = cls.course.id |
| 2074 | + cls.staff = StaffFactory(course_key=cls.course_key, password=cls.password) |
| 2075 | + |
| 2076 | + def get_url(self, course_key): |
| 2077 | + return reverse('content_tagging:taxonomy-object-tag-export', kwargs={'context_id': course_key}) |
| 2078 | + |
2068 | 2079 | def test_authorized_user_can_access(self): |
2069 | 2080 | """User with COURSE_STAFF role can access.""" |
2070 | | - self.authorized_client.login(username=self.authorized_user.username, password=self.password) |
2071 | 2081 | resp = self.authorized_client.get(self.get_url(self.course_key)) |
2072 | 2082 | self.assertEqual(resp.status_code, status.HTTP_200_OK) |
2073 | 2083 |
|
2074 | 2084 | def test_unauthorized_user_cannot_access(self): |
2075 | 2085 | """User without role cannot access.""" |
2076 | | - self.unauthorized_client.login(username=self.unauthorized_user.username, password=self.password) |
2077 | 2086 | resp = self.unauthorized_client.get(self.get_url(self.course_key)) |
2078 | 2087 | self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN) |
2079 | 2088 |
|
2080 | 2089 | def test_role_scoped_to_course(self): |
2081 | 2090 | """Authorization should only apply to the assigned course.""" |
2082 | 2091 | other_course = self.store.create_course("OtherOrg", "OtherCourse", "Run", self.staff.id) |
2083 | 2092 |
|
2084 | | - self.authorized_client.login(username=self.authorized_user.username, password=self.password) |
2085 | 2093 | resp = self.authorized_client.get(self.get_url(other_course.id)) |
2086 | 2094 | self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN) |
2087 | 2095 |
|
2088 | 2096 | def test_staff_user_allowed_via_legacy(self): |
2089 | | - """ |
2090 | | - Staff users should still pass through legacy fallback. |
2091 | | - """ |
2092 | | - self.client.login(username=self.staff.username, password=self.password) |
2093 | | - |
| 2097 | + """Staff users should still pass through legacy fallback.""" |
| 2098 | + self.client.force_authenticate(user=self.staff) |
2094 | 2099 | resp = self.client.get(self.get_url(self.course_key)) |
2095 | 2100 | self.assertEqual(resp.status_code, status.HTTP_200_OK) |
2096 | 2101 |
|
2097 | 2102 | def test_superuser_allowed(self): |
2098 | 2103 | """Superusers should always be allowed.""" |
2099 | | - superuser = UserFactory(is_superuser=True, username='superuser', password=self.password) |
2100 | | - |
| 2104 | + superuser = UserFactory(is_superuser=True) |
2101 | 2105 | client = APIClient() |
2102 | | - client.login(username=superuser.username, password=self.password) |
2103 | | - |
| 2106 | + client.force_authenticate(user=superuser) |
2104 | 2107 | resp = client.get(self.get_url(self.course_key)) |
2105 | 2108 | self.assertEqual(resp.status_code, status.HTTP_200_OK) |
2106 | 2109 |
|
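Review bot: With the explicit `login()` calls removed, `test_unauthorized_user_cannot_access` and `test_role_scoped_to_course` rely entirely on `CourseAuthzTestMixin` (not visible on this page) having authenticated `self.unauthorized_client` and `self.authorized_client`; if either client were anonymous, the 403 assertions would still pass, but for the wrong reason. Consider pinning the precondition in the test itself, for example `self.unauthorized_client.force_authenticate(user=self.unauthorized_user)` before the request, matching how `test_staff_user_allowed_via_legacy` now authenticates. The visible tests also have no anonymous case for the export endpoint; a short test that sends `APIClient().get(self.get_url(self.course_key))` and expects a 401 or 403 would separate authentication failures from role denials. `cls.password` now appears to be used only by `StaffFactory` in `setUpClass`, so it may be removable unless the mixin reads it.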
|