[IMP] survey: add access rights tests

Purpose of this commit is to improve test coverage of survey module. This commit adds tests related to current access and serve as a base for future modification. Some tests are commented as access will evolve for this application. This commit is linked to task ID 1911586 and PR #28986.

[IMP] survey: add access rights tests
66e00f64 · Thibault Delavallée · dfc37ece · 66e00f64 · 66e00f64
Commit 66e00f64 authored 6 years ago by Thibault Delavallée
--- a/addons/survey/tests/__init__.py
+++ b/addons/survey/tests/__init__.py
@@ -5,4 +5,5 @@ from . import common
 from . import test_survey
 from . import test_survey_flow
 from . import test_survey_invite
+from . import test_survey_security
 from . import test_survey_ui
--- a/addons/survey/tests/test_survey_security.py
+++ b/addons/survey/tests/test_survey_security.py
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+from odoo.addons.survey.tests import common
+from odoo.exceptions import AccessError, UserError
+from odoo.tests import tagged
+from odoo.tests.common import users
+from odoo.tools import mute_logger
+
+
+@tagged('security')
+class TestAccess(common.SurveyCase):
+
+    def setUp(self):
+        super(TestAccess, self).setUp()
+
+        self.answer_0 = self._add_answer(self.survey, self.customer)
+        self.answer_0_0 = self._add_answer_line(self.question_ft, self.answer_0, 'Test Answer')
+        self.answer_0_1 = self._add_answer_line(self.question_num, self.answer_0, 5)
+
+    @mute_logger('odoo.addons.base.models.ir_model')
+    @users('user_emp')
+    def test_access_survey_employee(self):
+        # Create: nope
+        with self.assertRaises(AccessError):
+            self.env['survey.survey'].create({'title': 'Test Survey 2'})
+        with self.assertRaises(AccessError):
+            self.env['survey.page'].create({'title': 'My Page', 'survey_id': self.survey.id})
+        with self.assertRaises(AccessError):
+            self.env['survey.question'].create({'question': 'My Question', 'page_id': self.page_0.id})
+
+        # Read: nope
+        with self.assertRaises(AccessError):
+            self.env['survey.survey'].search([('title', 'ilike', 'Test')])
+        with self.assertRaises(AccessError):
+            self.survey.sudo(self.env.user).read(['title'])
+
+        # Write: nope
+        with self.assertRaises(AccessError):
+            self.survey.sudo(self.env.user).write({'title': 'New Title'})
+        with self.assertRaises(AccessError):
+            self.page_0.sudo(self.env.user).write({'title': 'New Title'})
+        with self.assertRaises(AccessError):
+            self.question_ft.sudo(self.env.user).write({'question': 'New Title'})
+
+        # Unlink: nope
+        with self.assertRaises(AccessError):
+            self.survey.sudo(self.env.user).unlink()
+        with self.assertRaises(AccessError):
+            self.page_0.sudo(self.env.user).unlink()
+        with self.assertRaises(AccessError):
+            self.question_ft.sudo(self.env.user).unlink()
+
+    @mute_logger('odoo.addons.base.models.ir_model')
+    @users('user_portal')
+    def test_access_survey_portal(self):
+        # Create: nope
+        with self.assertRaises(AccessError):
+            self.env['survey.survey'].create({'title': 'Test Survey 2'})
+        with self.assertRaises(AccessError):
+            self.env['survey.page'].create({'title': 'My Page', 'survey_id': self.survey.id})
+        with self.assertRaises(AccessError):
+            self.env['survey.question'].create({'question': 'My Question', 'page_id': self.page_0.id})
+
+        # Read: nope
+        with self.assertRaises(AccessError):
+            self.env['survey.survey'].search([('title', 'ilike', 'Test')])
+        with self.assertRaises(AccessError):
+            self.survey.sudo(self.env.user).read(['title'])
+
+        # Write: nope
+        with self.assertRaises(AccessError):
+            self.survey.sudo(self.env.user).write({'title': 'New Title'})
+        with self.assertRaises(AccessError):
+            self.page_0.sudo(self.env.user).write({'title': 'New Title'})
+        with self.assertRaises(AccessError):
+            self.question_ft.sudo(self.env.user).write({'question': 'New Title'})
+
+        # Unlink: nope
+        with self.assertRaises(AccessError):
+            self.survey.sudo(self.env.user).unlink()
+        with self.assertRaises(AccessError):
+            self.page_0.sudo(self.env.user).unlink()
+        with self.assertRaises(AccessError):
+            self.question_ft.sudo(self.env.user).unlink()
+
+    @mute_logger('odoo.addons.base.models.ir_model')
+    @users('user_public')
+    def test_access_survey_public(self):
+        # Create: nope
+        with self.assertRaises(AccessError):
+            self.env['survey.survey'].create({'title': 'Test Survey 2'})
+        with self.assertRaises(AccessError):
+            self.env['survey.page'].create({'title': 'My Page', 'survey_id': self.survey.id})
+        with self.assertRaises(AccessError):
+            self.env['survey.question'].create({'question': 'My Question', 'page_id': self.page_0.id})
+
+        # Read: nope
+        with self.assertRaises(AccessError):
+            self.env['survey.survey'].search([('title', 'ilike', 'Test')])
+        with self.assertRaises(AccessError):
+            self.survey.sudo(self.env.user).read(['title'])
+
+        # Write: nope
+        with self.assertRaises(AccessError):
+            self.survey.sudo(self.env.user).write({'title': 'New Title'})
+        with self.assertRaises(AccessError):
+            self.page_0.sudo(self.env.user).write({'title': 'New Title'})
+        with self.assertRaises(AccessError):
+            self.question_ft.sudo(self.env.user).write({'question': 'New Title'})
+
+        # Unlink: nope
+        with self.assertRaises(AccessError):
+            self.survey.sudo(self.env.user).unlink()
+        with self.assertRaises(AccessError):
+            self.page_0.sudo(self.env.user).unlink()
+        with self.assertRaises(AccessError):
+            self.question_ft.sudo(self.env.user).unlink()
+
+    @users('survey_manager')
+    def test_access_survey_survey_manager(self):
+        # Create: all
+        survey = self.env['survey.survey'].create({'title': 'Test Survey 2'})
+        page = self.env['survey.page'].create({'title': 'My Page', 'survey_id': survey.id})
+        self.env['survey.question'].create({'question': 'My Question', 'page_id': page.id})
+
+        # Read: all
+        surveys = self.env['survey.survey'].search([('title', 'ilike', 'Test')])
+        self.assertEqual(surveys, self.survey | survey)
+        surveys.read(['title'])
+
+        # Write: all
+        (self.survey | survey).write({'title': 'New Title'})
+
+        # Unlink: all
+        (self.survey | survey).unlink()
+
+    @mute_logger('odoo.addons.base.models.ir_model')
+    @users('survey_user')
+    def test_access_survey_survey_user(self):
+        # Create: own only
+        survey = self.env['survey.survey'].create({'title': 'Test Survey 2'})
+        page = self.env['survey.page'].create({'title': 'My Page', 'survey_id': survey.id})
+        self.env['survey.question'].create({'question': 'My Question', 'page_id': page.id})
+
+        # Read: all
+        surveys = self.env['survey.survey'].search([('title', 'ilike', 'Test')])
+        self.assertEqual(surveys, self.survey | survey)
+        surveys.read(['title'])
+
+        # Write: own only
+        survey.write({'title': 'New Title'})
+        with self.assertRaises(AccessError):
+            self.survey.sudo(self.env.user).write({'title': 'New Title'})
+
+        # Unlink: own only
+        survey.unlink()
+        with self.assertRaises(AccessError):
+            self.survey.sudo(self.env.user).unlink()
+
+    @mute_logger('odoo.addons.base.models.ir_model')
+    @users('user_emp')
+    def test_access_answers_employee(self):
+        # Create: nope
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input'].create({'survey_id': self.survey.id})
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input_line'].create({'question_id': self.question_num.id, 'answer_type': 'number', 'value_number': 3, 'user_input_id': self.answer_0.id})
+
+        # Read: nope
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input'].search([('survey_id', 'in', [self.survey.id])])
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input_line'].search([('survey_id', 'in', [self.survey.id])])
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input'].browse(self.answer_0.ids).read(['state'])
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input_line'].browse(self.answer_0_0.ids).read(['value_number'])
+
+        # Write: nope
+        with self.assertRaises(AccessError):
+            self.answer_0.sudo(self.env.user).write({'state': 'done'})
+
+        # Unlink: nope
+        with self.assertRaises(AccessError):
+            self.answer_0.sudo(self.env.user).unlink()
+        with self.assertRaises(AccessError):
+            self.answer_0_0.sudo(self.env.user).unlink()
+
+    @mute_logger('odoo.addons.base.models.ir_model')
+    @users('user_portal')
+    def test_access_answers_portal(self):
+        # Create: nope
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input'].create({'survey_id': self.survey.id})
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input_line'].create({'question_id': self.question_num.id, 'answer_type': 'number', 'value_number': 3, 'user_input_id': self.answer_0.id})
+
+        # Read: nope
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input'].search([('survey_id', 'in', [self.survey.id])])
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input_line'].search([('survey_id', 'in', [self.survey.id])])
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input'].browse(self.answer_0.ids).read(['state'])
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input_line'].browse(self.answer_0_0.ids).read(['value_number'])
+
+        # Write: nope
+        with self.assertRaises(AccessError):
+            self.answer_0.sudo(self.env.user).write({'state': 'done'})
+
+        # Unlink: nope
+        with self.assertRaises(AccessError):
+            self.answer_0.sudo(self.env.user).unlink()
+        with self.assertRaises(AccessError):
+            self.answer_0_0.sudo(self.env.user).unlink()
+
+    @mute_logger('odoo.addons.base.models.ir_model')
+    @users('user_public')
+    def test_access_answers_public(self):
+        # Create: nope
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input'].create({'survey_id': self.survey.id})
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input_line'].create({'question_id': self.question_num.id, 'answer_type': 'number', 'value_number': 3, 'user_input_id': self.answer_0.id})
+
+        # Read: nope
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input'].search([('survey_id', 'in', [self.survey.id])])
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input_line'].search([('survey_id', 'in', [self.survey.id])])
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input'].browse(self.answer_0.ids).read(['state'])
+        with self.assertRaises(AccessError):
+            self.env['survey.user_input_line'].browse(self.answer_0_0.ids).read(['value_number'])
+
+        # Write: nope
+        with self.assertRaises(AccessError):
+            self.answer_0.sudo(self.env.user).write({'state': 'done'})
+
+        # Unlink: nope
+        with self.assertRaises(AccessError):
+            self.answer_0.sudo(self.env.user).unlink()
+        with self.assertRaises(AccessError):
+            self.answer_0_0.sudo(self.env.user).unlink()
+
+    @mute_logger('odoo.addons.base.models.ir_model')
+    @users('survey_user')
+    def test_access_answers_survey_user(self):
+        survey_own = self.env['survey.survey'].create({'title': 'Other'})
+        page_own = self.env['survey.page'].create({'title': 'Other', 'survey_id': survey_own.id})
+        question_own = self.env['survey.question'].create({'question': 'Other Question', 'page_id': page_own.id})
+
+        # Create: own survey only
+        answer_own = self.env['survey.user_input'].create({'survey_id': survey_own.id})
+        answer_line_own = self.env['survey.user_input_line'].create({'question_id': question_own.id, 'answer_type': 'number', 'value_number': 3, 'user_input_id': answer_own.id})
+
+        # Read: always
+        answers = self.env['survey.user_input'].search([('survey_id', 'in', [survey_own.id, self.survey.id])])
+        self.assertEqual(answers, answer_own | self.answer_0)
+
+        answer_lines = self.env['survey.user_input_line'].search([('survey_id', 'in', [survey_own.id, self.survey.id])])
+        self.assertEqual(answer_lines, answer_line_own | self.answer_0_0 | self.answer_0_1)
+
+        self.env['survey.user_input'].browse(answer_own.ids).read(['state'])
+        self.env['survey.user_input'].browse(self.answer_0.ids).read(['state'])
+
+        self.env['survey.user_input_line'].browse(answer_line_own.ids).read(['value_number'])
+        self.env['survey.user_input_line'].browse(self.answer_0_0.ids).read(['value_number'])
+
+        # Create: own survey only (moved after read because DB not correctly rollbacked with assertRaises)
+        with self.assertRaises(AccessError):
+            answer_other = self.env['survey.user_input'].create({'survey_id': self.survey.id})
+        with self.assertRaises(AccessError):
+            answer_line_other = self.env['survey.user_input_line'].create({'question_id': self.question_num.id, 'answer_type': 'number', 'value_number': 3, 'user_input_id': self.answer_0.id})
+
+        # Write: own survey only
+        answer_own.write({'state': 'done'})
+        with self.assertRaises(AccessError):
+            self.answer_0.sudo(self.env.user).write({'state': 'done'})
+
+        # Unlink: own survey only
+        answer_own.unlink()
+        answer_line_own.unlink()
+        with self.assertRaises(AccessError):
+            self.answer_0.sudo(self.env.user).unlink()
+        with self.assertRaises(AccessError):
+            self.answer_0_0.sudo(self.env.user).unlink()
+
+    @users('survey_manager')
+    def test_access_answers_survey_manager(self):
+        admin = self.env.ref('base.user_admin')
+        with self.sudo(admin):
+            survey_other = self.env['survey.survey'].create({'title': 'Other'})
+            page_other = self.env['survey.page'].create({'title': 'Other', 'survey_id': survey_other.id})
+            question_other = self.env['survey.question'].create({'question': 'Other Question', 'page_id': page_other.id})
+            self.assertEqual(survey_other.create_uid, admin)
+            self.assertEqual(question_other.create_uid, admin)
+
+        # Create: always
+        answer_own = self.env['survey.user_input'].create({'survey_id': self.survey.id})
+        answer_other = self.env['survey.user_input'].create({'survey_id': survey_other.id})
+        answer_line_own = self.env['survey.user_input_line'].create({'question_id': self.question_num.id, 'answer_type': 'number', 'value_number': 3, 'user_input_id': answer_own.id})
+        answer_line_other = self.env['survey.user_input_line'].create({'question_id': question_other.id, 'answer_type': 'number', 'value_number': 3, 'user_input_id': answer_other.id})
+
+        # Read: always
+        answers = self.env['survey.user_input'].search([('survey_id', 'in', [survey_other.id, self.survey.id])])
+        self.assertEqual(answers, answer_own | answer_other | self.answer_0)
+
+        answer_lines = self.env['survey.user_input_line'].search([('survey_id', 'in', [survey_other.id, self.survey.id])])
+        self.assertEqual(answer_lines, answer_line_own | answer_line_other | self.answer_0_0 | self.answer_0_1)
+
+        self.env['survey.user_input'].browse(answer_own.ids).read(['state'])
+        self.env['survey.user_input'].browse(self.answer_0.ids).read(['state'])
+
+        self.env['survey.user_input_line'].browse(answer_line_own.ids).read(['value_number'])
+        self.env['survey.user_input_line'].browse(self.answer_0_0.ids).read(['value_number'])
+
+        # Write: always
+        answer_own.write({'state': 'done'})
+        answer_other.write({'partner_id': self.env.user.partner_id.id})
+
+        # Unlink: always
+        (answer_own | answer_other | self.answer_0).unlink()