Skip to content
Snippets Groups Projects
Commit 48cd35e6 authored by Christian Boettcher's avatar Christian Boettcher
Browse files

test acess denied for users without access rights

parent cecf7f59
Branches
No related tags found
No related merge requests found
......@@ -11,6 +11,9 @@ proper_uuid = "3a33262e-276e-4de8-87bc-f2d5a0195faf"
def myfunc():
return User(username='secret_foo', email='secret_bar', has_secrets_access=True)
def non_access_user():
return User(username='secret_foo', email='secret_bar', has_secrets_access=False)
class UserTests(TestCase):
def setUp(self):
......@@ -98,4 +101,25 @@ class UserTests(TestCase):
key = element['key']
rsp = self.client.delete(f'/dataset/{self.dummy_oid}/secrets/{key}')
def test_secrets_without_access(self):
# override with non_access user
apiserver.app.dependency_overrides[apiserver.main.my_auth] = non_access_user
apiserver.app.dependency_overrides[apiserver.main.my_user] = non_access_user
# check if access for all secrets endpoints failed with 401 Auth required
# list secrets, add secret, get secret, delete secret
rsp = self.client.get(f'/dataset/{proper_uuid}/secrets')
self.assertEqual(403, rsp.status_code)
rsp = self.client.get(f'/dataset/{proper_uuid}/secrets/somespecificsecret')
self.assertEqual(403, rsp.status_code)
rsp = self.client.post(f'/dataset/{proper_uuid}/secrets', json={'key' : "somekey", "secret" : "somesecret"})
self.assertEqual(403, rsp.status_code)
rsp = self.client.delete(f'/dataset/{proper_uuid}/secrets/somespecificsecret')
self.assertEqual(403, rsp.status_code)
# TODO test delete object, DO secrets disappear too? (currently they don't)
\ No newline at end of file
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment