From 9c0afffc7c1df3db1f3a3f71b1cda74c81ad62f4 Mon Sep 17 00:00:00 2001
From: Christian Cueni
Date: Tue, 18 May 2021 15:14:14 +0200
Subject: [PATCH] Fix middleware tests
---
 server/core/utils.py | 4 ++--
 server/users/middleware.py | 10 +++++-----
 server/{core => users}/tests/test_middleware.py | 16 +++++++++++++---
 3 files changed, 20 insertions(+), 10 deletions(-)
 rename server/{core => users}/tests/test_middleware.py (78%)
diff --git a/server/core/utils.py b/server/core/utils.py
index 1d4b7405..d27b8ca3 100644
--- a/server/core/utils.py
+++ b/server/core/utils.py
@@ -32,9 +32,9 @@ def is_private_api_call_allowed(user, body):
 try:
 if not user.hep_id:
- return True
+ return False
 except AttributeError:
- return True
+ return False
 # logout, me and coupon resources are always allowed. Even if the user has no valid license
 if re.search(r"mutation\s*.*\s*logout\s*{", body_unicode) or re.search(r"query\s*.*\s*me\s*{", body_unicode) \
diff --git a/server/users/middleware.py b/server/users/middleware.py
index 3131174a..b4968b67 100644
--- a/server/users/middleware.py
+++ b/server/users/middleware.py
@@ -1,16 +1,16 @@
 import json
 from django.http import HttpResponse
-from django.utils.deprecation import MiddlewareMixin
-
 from core.utils import is_private_api_call_allowed
-class UserHasLicenseMiddleWare(MiddlewareMixin):
+def user_has_license_middleware(get_response):
- def process_response(self, request, response):
+ def middleware(request):
 if request.path == '/api/graphql/':
 if not is_private_api_call_allowed(request.user, request.body):
 return HttpResponse(json.dumps({'errors': ['no active license']}), status=402)
- return response
+ return get_response(request)
+
+ return middleware
diff --git a/server/core/tests/test_middleware.py b/server/users/tests/test_middleware.py
similarity index 78%
rename from server/core/tests/test_middleware.py
rename to server/users/tests/test_middleware.py
index 095b0f5a..f3092a1c 100644
--- a/server/core/tests/test_middleware.py
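Review bot: The new `return False` for a user without `hep_id` (and for the `AttributeError` case) runs before the check that the comment below it calls always allowed, so such a user is now refused logout and `me` too; the `hep_id=34` added to the logout and `me` tests in this patch is consistent with that. If this is intended, the comment `# logout, me and coupon resources are always allowed. Even if the user has no valid license` should say it holds only for users with a `hep_id`; if not, the allowlist `re.search` test has to come before the `hep_id` guard. The `try`/`except AttributeError` pair would read more directly as `if not getattr(user, 'hep_id', None): return False`. The allowlist decides from a regex over the raw request text, which is a fragile basis for an authorization decision; deciding from the parsed GraphQL operation would be more reliable. The function body starts and ends outside this hunk.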
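Review bot: Replacing the class `UserHasLicenseMiddleWare` with the function `user_has_license_middleware` changes the middleware's dotted path, and no settings file appears in this patch's diffstat, so the `MIDDLEWARE` entry needs checking; it also has to sit after the authentication middleware, because `middleware` reads `request.user`. The check now runs before `get_response(request)` instead of in `process_response`, so a refused request no longer reaches the view, which deserves a docstring such as `"""Answer /api/graphql/ with 402 before the view runs when the user has no active license."""`. The 402 body is JSON but goes out with the default content type; `return JsonResponse({'errors': ['no active license']}, status=402)` would label it correctly. The comparison `request.path == '/api/graphql/'` covers exactly one spelling of the route, so it should be confirmed against the URL configuration that no other pattern reaches the same view.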
+++ b/server/users/tests/test_middleware.py
@@ -8,7 +8,7 @@ from core.utils import is_private_api_call_allowed
 class MiddlewareTestCase(TestCase):
- def test_user_with_license_can_see_private_api(self):
+ def test_user_without_hep_id_cannot_see_private_api(self):
 tomorrow = timezone.now() + timedelta(1)
 user = UserFactory(username='aschiman@ch.ch')
@@ -16,6 +16,16 @@ class MiddlewareTestCase(TestCase):
 body = b'"{mutation {\\n addRoom}"'
+ self.assertFalse(is_private_api_call_allowed(user, body))
+
+ def test_user_with_license_can_see_private_api(self):
+
+ tomorrow = timezone.now() + timedelta(1)
+ user = UserFactory(username='aschiman@ch.ch', hep_id=23)
+ user.license_expiry_date = tomorrow.date()
+
+ body = b'"{mutation {\\n addRoom}"'
+
 self.assertTrue(is_private_api_call_allowed(user, body))
 def test_user_with_expired_license_can_see_private_api(self):
@@ -39,7 +49,7 @@ class MiddlewareTestCase(TestCase):
 def test_logout_is_allowed_without_valid_license(self):
 yesterday = timezone.now() - timedelta(1)
- user = UserFactory(username='aschiman@ch.ch')
+ user = UserFactory(username='aschiman@ch.ch', hep_id=34)
 user.license_expiry_date = yesterday.date()
 body = b'"{mutation { logout {"'
@@ -49,7 +59,7 @@ class MiddlewareTestCase(TestCase):
 def test_me_query_is_allowed_without_valid_license(self):
 yesterday = timezone.now() - timedelta(1)
- user = UserFactory(username='aschiman@ch.ch')
+ user = UserFactory(username='aschiman@ch.ch', hep_id=34)
 user.license_expiry_date = yesterday
 body = b'"{query { me {"'
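Review bot: The tests added in the second hunk, like the rest of this file, call `is_private_api_call_allowed` directly, so the rewritten `user_has_license_middleware` is not exercised anywhere in this patch: neither the 402 response nor the fact that `get_response` is skipped on refusal. The `except AttributeError` branch that now returns `False` has no test either; a case passing `AnonymousUser()` with the same `body` and `self.assertFalse(...)` would pin it, assuming that is the user type the branch is meant for. A short comment on `test_user_without_hep_id_cannot_see_private_api`, for example `# no hep_id: denied even though the license date is in the future`, would explain why a user with a valid expiry date is expected to be refused.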