more transition permission tests

002737f0 · Timm Fitschen · d3f8c7bb · 002737f0
Verified Commit 002737f0 authored 4 years ago by Timm Fitschen
--- a/tests/test_state.py
+++ b/tests/test_state.py
@@ -55,7 +55,7 @@ def setup_users():
            db.administration.PermissionRule(
                "Grant", "TRANSACTION:*"),
            db.administration.PermissionRule(
-                "Grant", "STATE:TRANSITION:*"),
+                "Grant", "STATE:*"),
        ])


@@ -701,3 +701,63 @@ def test_automatic_record_state():

    rec_retrieve = db.Record(id=rec.id).retrieve()
    assert rec_retrieve.state == db.State(model="Model1", name="State1")
+
+
+def test_unauthorized_final():
+    rec = db.Record().add_parent("TestRT")
+    rec.state = db.State(model="Model1", name="State1")
+    rec.insert()
+
+    switch_to_test_user("normal")
+    rec.state = None
+    with pytest.raises(db.TransactionError) as exc:
+        rec.update(sync = False)
+    assert "You are not allowed to do this." in str(exc.value)
+
+    rec_retrieve = db.Record(id=rec.id).retrieve()
+    assert rec_retrieve.state == db.State(model="Model1", name="State1")
+
+    switch_to_test_user("team-leader")
+    rec.update()
+
+    assert rec.state is None
+
+    rec_retrieve = db.Record(id=rec.id).retrieve()
+    assert rec_retrieve.state is None
+
+
+def test_unauthorized_initial():
+    rec = db.Record().add_parent("TestRT")
+    rec.insert()
+
+    switch_to_test_user("normal")
+    rec.state = db.State(model="Model1", name="State1")
+    with pytest.raises(db.TransactionError) as exc:
+        # normal user lacks the permission for the initial state
+        rec.update(sync = False)
+    assert "You are not allowed to do this." in str(exc.value)
+    rec_retrieve = db.Record(id=rec.id).retrieve()
+    assert rec_retrieve.state is None
+
+    switch_to_test_user("team-leader")
+    with pytest.raises(db.TransactionError) as exc:
+        # it is not allowed to "steal" the entity with the state feature
+        rec.update(sync = False)
+    assert "You are not allowed to do this." in str(exc.value)
+    rec_retrieve = db.Record(id=rec.id).retrieve(flags={"ACL": None})
+    assert rec_retrieve.state is None
+
+    # we need to give ownership to "team-leader"
+    switch_to_admin_user()
+    rec_update = rec_retrieve
+    print(rec_update.acl)
+    rec_update.acl.grant(role="team-leader", permission="EDIT:ACL")
+    print(rec_update.acl)
+    rec_update.update_acl()
+
+    switch_to_test_user("team-leader")
+    rec.update(sync = False)
+    assert rec.state == db.State(model="Model1", name="State1")
+
+    rec_retrieve = db.Record(id=rec.id).retrieve()
+    assert rec_retrieve.state == db.State(model="Model1", name="State1")