Mercurial Repository: p/roundup/code: test/rest

comparison test/rest_common.py @ 5705:457fc482e6b1

Method PUT: ignore specification of protected properties which can not be set. Filtering them out of the payload list. This lets the result of a get using: class/id?@protected=true&@verbose=0 be used as input to a PUT operation without having to strip the protected properties. Note this does not raise an error if the PUT protected property is different from the value in the db. If the property is different but the etag/if-match passes, the user attempted to set the protected property and this should result in an error, but will not with this patch. Method DELETE class/id/attribute: raise error when trying to delete protected or required attribute/property. Raise UsageError when attribute doesn't exist. Method PATCH class/id: raise error when trying to replace/remove protected attribute/property raise error when trying to remove required attribute/property Catch KeyError at top level and turn into 400 error. If payload has an attribute/property that does not exist, raise UsageError which becomes a 400 error.

author	John Rouillard <rouilj@ieee.org>
date	Thu, 11 Apr 2019 20:54:39 -0400
parents	4aae822e2cb4
children	dfca6136dd7b

comparison

equal deleted inserted replaced

-:aa13a517cc63
+:457fc482e6b1
 import os
 import shutil
 import errno
 from roundup.cgi.exceptions import *
+from roundup.exceptions import *
 from roundup import password, hyperdb
 from roundup.rest import RestfulInstance, calculate_etag
 from roundup.backends import list_backends
 from roundup.cgi import client
 from roundup.anypy.strings import b2s, s2b
 self.db.issue.addprop(tx_Source=hyperdb.String())
 self.db.issue.addprop(anint=hyperdb.Integer())
 self.db.issue.addprop(afloat=hyperdb.Number())
 self.db.issue.addprop(abool=hyperdb.Boolean())
+self.db.issue.addprop(requireme=hyperdb.String(required=True))
 self.db.msg.addprop(tx_Source=hyperdb.String())
 self.db.post_init()
 thisdir = os.path.dirname(__file__)
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(results['data']['data'], 'joe')
 def testOutputFormat(self):
 """ test of @fields and @verbose implementation """
-from roundup.exceptions import UsageError
 self.maxDiff = 4000
 # create sample data
 try:
 self.db.status.create(name='open')
 def notestEtagGeneration(self):
 ''' Make sure etag generation is stable
 FIXME need to mock somehow date.Date() when creating
-the target to be mocked. The differening dates makes
+the target to be mocked. The differing dates makes
 this test impossible.
 '''
 newuser = self.db.user.create(
 username='john',
 password=password.Password('random1'),
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(results['data']['attributes']['title'],
 'foo bar')
 del(self.headers)
-def testPut(self):
+def testPutElement(self):
 """
 Change joe's 'realname'
 Check if we can't change admin's detail
 """
 # fail to change Joe's realname via attribute uri
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(results['data']['data'], 'Joe Doe Doe')
 del(self.headers)
 # Reset joe's 'realname'. etag in body
+# Also try to set protected items. The protected items should
+# be ignored on put_element to make it easy to get the item
+# with all fields, change one field and put the result without
+# having to filter out protected items.
 form = cgi.FieldStorage()
 etag = calculate_etag(self.db.user.getnode(self.joeid))
 form.list = [
+cgi.MiniFieldStorage('creator', '3'),
 cgi.MiniFieldStorage('realname', 'Joe Doe'),
 cgi.MiniFieldStorage('@etag', etag)
 ]
 results = self.server.put_element('user', self.joeid, form)
 self.assertEqual(self.dummy_client.response_code, 200)
 results = self.server.get_element('user', self.joeid, self.empty_form)
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(results['data']['attributes']['realname'], 'Joe Doe')
-# check we can't change admin's details
+# We are joe, so check we can't change admin's details
 results = self.server.put_element('user', '1', form)
 self.assertEqual(self.dummy_client.response_code, 403)
 self.assertEqual(results['error']['status'], 403)
+# Try to reset joe's 'realname' and add a broken prop.
+# This should result in no change to the name and
+# a 400 UsageError stating prop does not exist.
+form = cgi.FieldStorage()
+etag = calculate_etag(self.db.user.getnode(self.joeid))
+form.list = [
+cgi.MiniFieldStorage('JustKidding', '3'),
+cgi.MiniFieldStorage('realname', 'Joe Doe'),
+cgi.MiniFieldStorage('@etag', etag)
+]
+results = self.server.put_element('user', self.joeid, form)
+expected= {'error': {'status': 400,
+'msg': UsageError('Property JustKidding not '
+'found in class user')}}
+self.assertEqual(results['error']['status'],
+expected['error']['status'])
+self.assertEqual(type(results['error']['msg']),
+type(expected['error']['msg']))
+self.assertEqual(self.dummy_client.response_code, 400)
+results = self.server.get_element('user', self.joeid, self.empty_form)
+self.assertEqual(self.dummy_client.response_code, 200)
+self.assertEqual(results['data']['attributes']['realname'], 'Joe Doe')
+def testPutAttribute(self):
+# put protected property
+# make sure we don't have permission issues
+self.db.setCurrentUser('admin')
+form = cgi.FieldStorage()
+etag = calculate_etag(self.db.user.getnode(self.joeid))
+form.list = [
+cgi.MiniFieldStorage('data', '3'),
+cgi.MiniFieldStorage('@etag', etag)
+]
+results = self.server.put_attribute(
+'user', self.joeid, 'creator', form
+)
+expected= {'error': {'status': 400, 'msg':
+UsageError('\'"creator", "actor", "creation" and '
+'"activity" are reserved\'')}}
+print(results)
+self.assertEqual(results['error']['status'],
+expected['error']['status'])
+self.assertEqual(type(results['error']['msg']),
+type(expected['error']['msg']))
+self.assertEqual(self.dummy_client.response_code, 400)
+# put invalid property
+# make sure we don't have permission issues
+self.db.setCurrentUser('admin')
+form = cgi.FieldStorage()
+etag = calculate_etag(self.db.user.getnode(self.joeid))
+form.list = [
+cgi.MiniFieldStorage('data', '3'),
+cgi.MiniFieldStorage('@etag', etag)
+]
+results = self.server.put_attribute(
+'user', self.joeid, 'youMustBeKiddingMe', form
+)
+expected= {'error': {'status': 400,
+'msg': UsageError("'youMustBeKiddingMe' "
+"is not a property of user")}}
+print(results)
+self.assertEqual(results['error']['status'],
+expected['error']['status'])
+self.assertEqual(type(results['error']['msg']),
+type(expected['error']['msg']))
+self.assertEqual(self.dummy_client.response_code, 400)
 def testPost(self):
 """
 Post a new issue with title: foo
 Verify the information of the created issue
 def testDeleteAttributeUri(self):
 """
 Test Delete an attribute
 """
+self.maxDiff = 4000
 # create a new issue with userid 1 in the nosy list
 issue_id = self.db.issue.create(title='foo', nosy=['1'])
 # No etag, so this should return 412 - Precondition Failed
 # With no changes
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(len(results['attributes']['nosy']), 0)
 self.assertListEqual(results['attributes']['nosy'], [])
 self.assertEqual(results['attributes']['title'], None)
+# delete protected property
+etag = calculate_etag(self.db.issue.getnode(issue_id))
+form.list.append(cgi.MiniFieldStorage('@etag', etag))
+results = self.server.delete_attribute(
+'issue', issue_id, 'creator', form
+)
+expected= {'error': {
+'status': 400,
+'msg': UsageError("Attribute 'creator' can not be updated for class issue.")
+}}
+self.assertEqual(results['error']['status'],
+expected['error']['status'])
+self.assertEqual(type(results['error']['msg']),
+type(expected['error']['msg']))
+self.assertEqual(self.dummy_client.response_code, 400)
+# delete required property
+etag = calculate_etag(self.db.issue.getnode(issue_id))
+form.list.append(cgi.MiniFieldStorage('@etag', etag))
+results = self.server.delete_attribute(
+'issue', issue_id, 'requireme', form
+)
+expected= {'error': {'status': 400,
+'msg': UsageError("Attribute 'requireme' is "
+"required by class issue and can not be deleted.")}}
+print(results)
+self.assertEqual(results['error']['status'],
+expected['error']['status'])
+self.assertEqual(type(results['error']['msg']),
+type(expected['error']['msg']))
+self.assertEqual(self.dummy_client.response_code, 400)
 def testPatchAdd(self):
 """
 Test Patch op 'Add'
 """
 # create a new issue with userid 1 in the nosy list
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(results['attributes']['status'], '3')
 self.assertEqual(len(results['attributes']['nosy']), 1)
 self.assertListEqual(results['attributes']['nosy'], ['2'])
+# try to set a protected prop. It should fail.
+etag = calculate_etag(self.db.issue.getnode(issue_id))
+form = cgi.FieldStorage()
+form.list = [
+cgi.MiniFieldStorage('@op', 'replace'),
+cgi.MiniFieldStorage('creator', '2'),
+cgi.MiniFieldStorage('@etag', etag)
+]
+results = self.server.patch_element('issue', issue_id, form)
+expected= {'error': {'status': 400,
+'msg': KeyError('"creator", "actor", "creation" and "activity" are reserved',)}}
+print(results)
+self.assertEqual(results['error']['status'],
+expected['error']['status'])
+self.assertEqual(type(results['error']['msg']),
+type(expected['error']['msg']))
+self.assertEqual(str(results['error']['msg']),
+str(expected['error']['msg']))
+self.assertEqual(self.dummy_client.response_code, 400)
 def testPatchRemoveAll(self):
 """
 Test Patch Action 'Remove'
 """
 # create a new issue with userid 1 and 2 in the nosy list
 results = results['data']
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(results['attributes']['title'], None)
 self.assertEqual(len(results['attributes']['nosy']), 0)
 self.assertEqual(results['attributes']['nosy'], [])
+# try to remove a protected prop. It should fail.
+etag = calculate_etag(self.db.issue.getnode(issue_id))
+form = cgi.FieldStorage()
+form.list = [
+cgi.MiniFieldStorage('@op', 'remove'),
+cgi.MiniFieldStorage('creator', '2'),
+cgi.MiniFieldStorage('@etag', etag)
+]
+results = self.server.patch_element('issue', issue_id, form)
+expected= {'error': {'status': 400,
+'msg': KeyError('"creator", "actor", "creation" and "activity" are reserved',)}}
+print(results)
+self.assertEqual(results['error']['status'],
+expected['error']['status'])
+self.assertEqual(type(results['error']['msg']),
+type(expected['error']['msg']))
+self.assertEqual(str(results['error']['msg']),
+str(expected['error']['msg']))
+self.assertEqual(self.dummy_client.response_code, 400)
+# try to remove a required prop. it should fail
+etag = calculate_etag(self.db.issue.getnode(issue_id))
+form.list = [
+cgi.MiniFieldStorage('@op', 'remove'),
+cgi.MiniFieldStorage('requireme', ''),
+cgi.MiniFieldStorage('@etag', etag)
+]
+results = self.server.patch_element('issue', issue_id, form)
+expected= {'error': {'status': 400,
+'msg': UsageError("Attribute 'requireme' is required by class issue and can not be removed.")
+}}
+print(results)
+self.assertEqual(results['error']['status'],
+expected['error']['status'])
+self.assertEqual(type(results['error']['msg']),
+type(expected['error']['msg']))
+self.assertEqual(str(results['error']['msg']),
+str(expected['error']['msg']))
+self.assertEqual(self.dummy_client.response_code, 400)
 def testPatchAction(self):
 """
 Test Patch Action 'Action'
 """

Mercurial > p > roundup > code

comparison test/rest_common.py @ 5705:457fc482e6b1