[英]Need to restrict the access for staff users to view and edit only their inputted data in django admin
[英]How to test that a view is only accessed by staff users in Django
我正在Django中学习测试,并且有一个要测试的视图。 此视图只能由工作人员用户访问。 假设视图是:
def staff_users(request):
....
# some logic
return HttpResponseRedirect('/repositories/')
如果请求来自工作人员用户,则应将其重定向到存储库,否则我应该会得到诸如permission denied
。 我从tests.py
类的东西开始。
def test_request_object(self):
self.user = User.objects.create_user(
username='abc', email='abc@gmail.com', password='1234')
request = HttpRequest()
# User send a request to access repositories
response = staff_users(request)
self.assertIsNone(response)
问题出在这里,我没有将我的请求对象与任何用户相关联,我也from django.contrib.admin.views.decorators import staff_member_required
了解了from django.contrib.admin.views.decorators import staff_member_required
但不确定如何在这里使用它们。 谁能告诉我该如何测试我的view
仅应由staff users
?
您需要做的就是decorate
您要保护的视图,如下所示:
@staff_member_required
def staff_users(request):
....
# some logic
return HttpResponseRedirect('/repositories/')
如果您想使用自定义逻辑进行测试而不是使用django装饰器,则也可以编写自己的装饰器。
def staff_users_only(function):
def wrap(request, *args, **kwargs):
profile = request.session['user_profile']
if profile is True: #then its a staff member
return function(request, *args, **kwargs)
else:
return HttpResponseRedirect('/')
wrap.__doc__=function.__doc__
wrap.__name__=function.__name__
return wrap
并将其用作:
@staff_users_only
def staff_users(request):
....
# some logic
return HttpResponseRedirect('/repositories/')
编辑
可以按以下方式完成请求对象上会话的关联:
def test_request_object(self):
self.user = User.objects.create_user(
username='abc', email='abc@gmail.com', password='1234')
request = HttpRequest()
#create a session which will hold the user profile that will be used in by our custom decorator
request.session = {} #Session middleware is not available in UnitTest hence create a blank dictionary for testing purpose
request.session['user_profile'] = self.user.is_staff #assuming its django user.
# User send a request to access repositories
response = staff_users(request)
#Check the response type for appropriate action
self.assertIsNone(response)
编辑2
使用django Client
库进行测试也是一个更好的主意:
>>> from django.test import Client
>>> c = Client()
>>> response = c.post('/login/', {'username': 'abc', 'password': '1234'})
>>> response.status_code
200
>>> response = c.get('/user/protected-page/')
>>> response.content
b'<!DOCTYPE html...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.