nautobot 2.2.1__py3-none-any.whl → 2.2.3__py3-none-any.whl

nautobot/core/testing/api.py

@@ -13,12 +13,11 @@ from rest_framework import status
 from rest_framework.relations import ManyRelatedField
 from rest_framework.test import APITransactionTestCase as _APITransactionTestCase
 
-from nautobot.core import testing
 from nautobot.core.api.utils import get_serializer_for_model
 from nautobot.core.models import fields as core_fields
 from nautobot.core.models.tree_queries import TreeModel
 from nautobot.core.templatetags.helpers import bettertitle
-from nautobot.core.testing import mixins, views
+from nautobot.core.testing import mixins, utils, views
 from nautobot.core.utils import lookup
 from nautobot.core.utils.data import is_uuid
 from nautobot.extras import choices as extras_choices, models as extras_models, registry
@@ -111,7 +110,7 @@ class APIViewTestCases:
                 self.model._meta.model_name,
             ) in settings.EXEMPT_EXCLUDE_MODELS:
                 # Models listed in EXEMPT_EXCLUDE_MODELS should not be accessible to anonymous users
-                with testing.disable_warnings("django.request"):
+                with utils.disable_warnings("django.request"):
                     self.assertHttpStatus(self.client.get(url, **self.header), status.HTTP_403_FORBIDDEN)
             else:
                 response = self.client.get(url, **self.header)
@@ -125,7 +124,7 @@ class APIViewTestCases:
             url = self._get_detail_url(self._get_queryset().first())
 
             # Try GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.get(url, **self.header), status.HTTP_403_FORBIDDEN)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
@@ -303,7 +302,7 @@ class APIViewTestCases:
                 self.model._meta.model_name,
             ) in settings.EXEMPT_EXCLUDE_MODELS:
                 # Models listed in EXEMPT_EXCLUDE_MODELS should not be accessible to anonymous users
-                with testing.disable_warnings("django.request"):
+                with utils.disable_warnings("django.request"):
                     self.assertHttpStatus(self.client.get(url, **self.header), status.HTTP_403_FORBIDDEN)
             else:
                 # TODO(Glenn): if we're passing **self.header, we are *by definition* **NOT** anonymous!!
@@ -389,7 +388,7 @@ class APIViewTestCases:
             url = self._get_list_url()
 
             # Try GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.get(url, **self.header), status.HTTP_403_FORBIDDEN)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
@@ -490,7 +489,7 @@ class APIViewTestCases:
             GET a list of objects with an unknown filter parameter and strict filtering, expect a 400 response.
             """
             self.add_permissions(f"{self.model._meta.app_label}.view_{self.model._meta.model_name}")
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 response = self.client.get(f"{self._get_list_url()}?ice_cream_flavor=rocky-road", **self.header)
             self.assertHttpStatus(response, status.HTTP_400_BAD_REQUEST)
             self.assertIsInstance(response.data, dict)
@@ -606,7 +605,7 @@ class APIViewTestCases:
             url = self._get_list_url()
 
             # Try POST without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 response = self.client.post(url, self.create_data[0], format="json", **self.header)
                 self.assertHttpStatus(response, status.HTTP_403_FORBIDDEN)
 
@@ -679,7 +678,7 @@ class APIViewTestCases:
                 instance = self.get_deletable_object()
             else:
                 # try to do it ourselves
-                instance = testing.get_deletable_objects(self.model, self._get_queryset()).first()
+                instance = utils.get_deletable_objects(self.model, self._get_queryset()).first()
             if instance is None:
                 self.fail("Couldn't find a single deletable object!")
 
@@ -776,7 +775,7 @@ class APIViewTestCases:
             update_data = self.update_data or getattr(self, "create_data")[0]
 
             # Try PATCH without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 response = self.client.patch(url, update_data, format="json", **self.header)
                 self.assertHttpStatus(response, status.HTTP_403_FORBIDDEN)
 
@@ -983,7 +982,7 @@ class APIViewTestCases:
             For some models this may just be any random object, but when we have FKs with `on_delete=models.PROTECT`
             (as is often the case) we need to find or create an instance that doesn't have such entanglements.
             """
-            instance = testing.get_deletable_objects(self.model, self._get_queryset()).first()
+            instance = utils.get_deletable_objects(self.model, self._get_queryset()).first()
             if instance is None:
                 self.fail("Couldn't find a single deletable object!")
             return instance
@@ -995,7 +994,7 @@ class APIViewTestCases:
             For some models this may just be any random objects, but when we have FKs with `on_delete=models.PROTECT`
             (as is often the case) we need to find or create an instance that doesn't have such entanglements.
             """
-            instances = testing.get_deletable_objects(self.model, self._get_queryset()).values_list("pk", flat=True)[:3]
+            instances = utils.get_deletable_objects(self.model, self._get_queryset()).values_list("pk", flat=True)[:3]
             if len(instances) < 3:
                 self.fail(f"Couldn't find 3 deletable objects, only found {len(instances)}!")
             return instances
@@ -1007,7 +1006,7 @@ class APIViewTestCases:
             url = self._get_detail_url(self.get_deletable_object())
 
             # Try DELETE without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 response = self.client.delete(url, **self.header)
                 self.assertHttpStatus(response, status.HTTP_403_FORBIDDEN)
 

nautobot/core/testing/mixins.py

@@ -11,8 +11,8 @@ from django.forms.models import model_to_dict
 from netaddr import IPNetwork
 from rest_framework.test import APIClient, APIRequestFactory
 
-from nautobot.core import testing
 from nautobot.core.models import fields as core_fields
+from nautobot.core.testing import utils
 from nautobot.core.utils import permissions
 from nautobot.extras import management, models as extras_models
 from nautobot.users import models as users_models
@@ -169,7 +169,7 @@ class NautobotTestCaseMixin:
                 # REST API response; pass the response data through directly
                 err_message += f"\n{response.data}"
             # Attempt to extract form validation errors from the response HTML
-            form_errors = testing.extract_form_failures(response.content.decode(response.charset))
+            form_errors = utils.extract_form_failures(response.content.decode(response.charset))
             err_message += "\n" + str(form_errors or response.content.decode(response.charset) or "No data")
             if msg:
                 err_message = f"{msg}\n{err_message}"

nautobot/core/testing/views.py

@@ -15,11 +15,10 @@ from django.utils.http import urlencode
 from django.utils.text import slugify
 from tree_queries.models import TreeNode
 
-from nautobot.core import testing
 from nautobot.core.models.generics import PrimaryModel
 from nautobot.core.models.tree_queries import TreeModel
 from nautobot.core.templatetags import helpers
-from nautobot.core.testing import mixins
+from nautobot.core.testing import mixins, utils
 from nautobot.core.utils import lookup
 from nautobot.extras import choices as extras_choices, models as extras_models, querysets as extras_querysets
 from nautobot.extras.forms import CustomFieldModelFormMixin, RelationshipModelFormMixin
@@ -152,7 +151,7 @@ class ViewTestCases:
 
             # The "Change Log" tab should appear in the response since we have all exempt permissions
             if issubclass(self.model, extras_models.ChangeLoggedModel):
-                response_body = testing.extract_page_body(response.content.decode(response.charset))
+                response_body = utils.extract_page_body(response.content.decode(response.charset))
                 self.assertIn("Change Log", response_body, msg=response_body)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
@@ -160,7 +159,7 @@ class ViewTestCases:
             instance = self._get_queryset().first()
 
             # Try GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 response = self.client.get(instance.get_absolute_url())
                 self.assertHttpStatus(response, [403, 404])
                 response_body = response.content.decode(response.charset)
@@ -180,7 +179,7 @@ class ViewTestCases:
             response = self.client.get(instance.get_absolute_url())
             self.assertHttpStatus(response, 200)
 
-            response_body = testing.extract_page_body(response.content.decode(response.charset))
+            response_body = utils.extract_page_body(response.content.decode(response.charset))
 
             # The object's display name or string representation should appear in the response
             self.assertIn(escape(getattr(instance, "display", str(instance))), response_body, msg=response_body)
@@ -247,7 +246,7 @@ class ViewTestCases:
             obj_perm.object_types.add(ContentType.objects.get_for_model(self.model))
 
             response = self.client.get(instance.get_absolute_url())
-            response_body = testing.extract_page_body(response.content.decode(response.charset))
+            response_body = utils.extract_page_body(response.content.decode(response.charset))
             advanced_tab_href = f"{instance.get_absolute_url()}#advanced"
 
             self.assertIn(advanced_tab_href, response_body)
@@ -304,16 +303,16 @@ class ViewTestCases:
 
         def test_create_object_without_permission(self):
             # Try GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.get(self._get_url("add")), 403)
 
             # Try POST without permission
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             response = self.client.post(**request)
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(response, 403)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=["*"])
@@ -332,7 +331,7 @@ class ViewTestCases:
             # Try POST with model-level permission
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             self.assertHttpStatus(self.client.post(**request), 302)
             self.assertEqual(initial_count + 1, self._get_queryset().count())
@@ -362,7 +361,7 @@ class ViewTestCases:
                     detail_url = instance.get_absolute_url()
                     validate(detail_url)
                     response = self.client.get(detail_url)
-                    response_body = testing.extract_page_body(response.content.decode(response.charset))
+                    response_body = utils.extract_page_body(response.content.decode(response.charset))
                     advanced_tab_href = f"{detail_url}#advanced"
                     self.assertIn(advanced_tab_href, response_body)
                     self.assertIn("<td>Created By</td>", response_body)
@@ -391,7 +390,7 @@ class ViewTestCases:
             # Try to create an object (not permitted)
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             self.assertHttpStatus(self.client.post(**request), 200)
             self.assertEqual(initial_count, self._get_queryset().count())  # Check that no object was created
@@ -403,7 +402,7 @@ class ViewTestCases:
             # Try to create an object (permitted)
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             self.assertHttpStatus(self.client.post(**request), 302)
             self.assertEqual(initial_count + 1, self._get_queryset().count())
@@ -472,15 +471,15 @@ class ViewTestCases:
             instance = self._get_queryset().first()
 
             # Try GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.get(self._get_url("edit", instance)), [403, 404])
 
             # Try POST without permission
             request = {
                 "path": self._get_url("edit", instance),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.post(**request), [403, 404])
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=["*"])
@@ -499,7 +498,7 @@ class ViewTestCases:
             # Try POST with model-level permission
             request = {
                 "path": self._get_url("edit", instance),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             self.assertHttpStatus(self.client.post(**request), 302)
             self.assertInstanceEqual(self._get_queryset().get(pk=instance.pk), self.form_data)
@@ -515,7 +514,7 @@ class ViewTestCases:
                     detail_url = instance.get_absolute_url()
                     validate(detail_url)
                     response = self.client.get(detail_url)
-                    response_body = testing.extract_page_body(response.content.decode(response.charset))
+                    response_body = utils.extract_page_body(response.content.decode(response.charset))
                     advanced_tab_href = f"{detail_url}#advanced"
                     self.assertIn(advanced_tab_href, response_body)
                     self.assertIn("<td>Last Updated By</td>", response_body)
@@ -547,7 +546,7 @@ class ViewTestCases:
             # Try to edit a permitted object
             request = {
                 "path": self._get_url("edit", instance1),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             self.assertHttpStatus(self.client.post(**request), 302)
             self.assertInstanceEqual(self._get_queryset().get(pk=instance1.pk), self.form_data)
@@ -555,7 +554,7 @@ class ViewTestCases:
             # Try to edit a non-permitted object
             request = {
                 "path": self._get_url("edit", instance2),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             self.assertHttpStatus(self.client.post(**request), 404)
 
@@ -571,7 +570,7 @@ class ViewTestCases:
             For some models this may just be any random object, but when we have FKs with `on_delete=models.PROTECT`
             (as is often the case) we need to find or create an instance that doesn't have such entanglements.
             """
-            instance = testing.get_deletable_objects(self.model, self._get_queryset()).first()
+            instance = utils.get_deletable_objects(self.model, self._get_queryset()).first()
             if instance is None:
                 self.fail("Couldn't find a single deletable object!")
             return instance
@@ -580,15 +579,15 @@ class ViewTestCases:
             instance = self.get_deletable_object()
 
             # Try GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.get(self._get_url("delete", instance)), [403, 404])
 
             # Try POST without permission
             request = {
                 "path": self._get_url("delete", instance),
-                "data": testing.post_data({"confirm": True}),
+                "data": utils.post_data({"confirm": True}),
             }
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.post(**request), [403, 404])
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=["*"])
@@ -624,7 +623,7 @@ class ViewTestCases:
             # Try POST with model-level permission
             request = {
                 "path": self._get_url("delete", instance),
-                "data": testing.post_data({"confirm": True}),
+                "data": utils.post_data({"confirm": True}),
             }
             self.assertHttpStatus(self.client.post(**request), 302)
             with self.assertRaises(ObjectDoesNotExist):
@@ -701,7 +700,7 @@ class ViewTestCases:
             # Try to delete a permitted object
             request = {
                 "path": self._get_url("delete", instance1),
-                "data": testing.post_data({"confirm": True}),
+                "data": utils.post_data({"confirm": True}),
             }
             self.assertHttpStatus(self.client.post(**request), 302)
             with self.assertRaises(ObjectDoesNotExist):
@@ -713,7 +712,7 @@ class ViewTestCases:
             instance3 = self._get_queryset().first()
             request = {
                 "path": self._get_url("delete", instance3),
-                "data": testing.post_data({"confirm": True}),
+                "data": utils.post_data({"confirm": True}),
             }
             self.assertHttpStatus(self.client.post(**request), 404)
             self.assertTrue(self._get_queryset().filter(pk=instance3.pk).exists())
@@ -781,7 +780,7 @@ class ViewTestCases:
             instance1, instance2 = self._get_queryset().all()[:2]
             response = self.client.get(f"{self._get_url('list')}?id={instance1.pk}")
             self.assertHttpStatus(response, 200)
-            content = testing.extract_page_body(response.content.decode(response.charset))
+            content = utils.extract_page_body(response.content.decode(response.charset))
             # TODO: it'd make test failures more readable if we strip the page headers/footers from the content
             if hasattr(self.model, "name"):
                 self.assertRegex(content, r">\s*" + re.escape(escape(instance1.name)) + r"\s*<", msg=content)
@@ -794,7 +793,7 @@ class ViewTestCases:
             """Verify that with STRICT_FILTERING, an unknown filter results in an error message and no matches."""
             response = self.client.get(f"{self._get_url('list')}?ice_cream_flavor=chocolate")
             self.assertHttpStatus(response, 200)
-            content = testing.extract_page_body(response.content.decode(response.charset))
+            content = utils.extract_page_body(response.content.decode(response.charset))
             # TODO: it'd make test failures more readable if we strip the page headers/footers from the content
             self.assertIn("Unknown filter field", content, msg=content)
             # There should be no table rows displayed except for the empty results row
@@ -820,7 +819,7 @@ class ViewTestCases:
                 ],
             )
             self.assertHttpStatus(response, 200)
-            content = testing.extract_page_body(response.content.decode(response.charset))
+            content = utils.extract_page_body(response.content.decode(response.charset))
             # TODO: it'd make test failures more readable if we strip the page headers/footers from the content
             self.assertNotIn("Unknown filter field", content, msg=content)
             self.assertIn("None", content, msg=content)
@@ -833,7 +832,7 @@ class ViewTestCases:
         @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
         def test_list_objects_without_permission(self):
             # Try GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 response = self.client.get(self._get_url("list"))
                 self.assertHttpStatus(response, 403)
                 response_body = response.content.decode(response.charset)
@@ -884,7 +883,7 @@ class ViewTestCases:
             # Try GET with object-level permission
             response = self.client.get(self._get_url("list"))
             self.assertHttpStatus(response, 200)
-            content = testing.extract_page_body(response.content.decode(response.charset))
+            content = utils.extract_page_body(response.content.decode(response.charset))
             # TODO: it'd make test failures more readable if we strip the page headers/footers from the content
             if hasattr(self.model, "name"):
                 self.assertRegex(content, r">\s*" + re.escape(escape(instance1.name)) + r"\s*<", msg=content)
@@ -952,11 +951,11 @@ class ViewTestCases:
         def test_create_multiple_objects_without_permission(self):
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.bulk_create_data),
+                "data": utils.post_data(self.bulk_create_data),
             }
 
             # Try POST without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.post(**request), 403)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
@@ -964,7 +963,7 @@ class ViewTestCases:
             initial_count = self._get_queryset().count()
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.bulk_create_data),
+                "data": utils.post_data(self.bulk_create_data),
             }
 
             # Assign non-constrained permission
@@ -994,7 +993,7 @@ class ViewTestCases:
             initial_count = self._get_queryset().count()
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.bulk_create_data),
+                "data": utils.post_data(self.bulk_create_data),
             }
 
             # Assign constrained permission
@@ -1078,7 +1077,7 @@ class ViewTestCases:
             }
 
             # Try POST without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.post(self._get_url("bulk_edit"), data), 403)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=["*"])
@@ -1090,7 +1089,7 @@ class ViewTestCases:
             }
 
             # Append the form data to the request
-            data.update(testing.post_data(self.bulk_edit_data))
+            data.update(utils.post_data(self.bulk_edit_data))
 
             # Assign model-level permission
             obj_perm = users_models.ObjectPermission(name="Test permission", actions=["change"])
@@ -1124,7 +1123,7 @@ class ViewTestCases:
             # Expect a 200 status cause we are only rendering the bulk edit table.
             # after pressing Edit Selected button.
             self.assertHttpStatus(response, 200)
-            response_body = testing.extract_page_body(response.content.decode(response.charset))
+            response_body = utils.extract_page_body(response.content.decode(response.charset))
             # Check if all the pks are passed into the BulkEditForm/BulkUpdateForm
             for pk in pk_list:
                 self.assertIn(f'<input type="hidden" name="pk" value="{pk}"', response_body)
@@ -1143,7 +1142,7 @@ class ViewTestCases:
             except StopIteration:
                 self.fail(f"Test requires at least three instances of {self.model._meta.model_name} to be defined.")
 
-            post_data = testing.post_data(self.bulk_edit_data)
+            post_data = utils.post_data(self.bulk_edit_data)
 
             # Open bulk update form with first two objects
             selected_data = {
@@ -1155,7 +1154,7 @@ class ViewTestCases:
             response = self.client.post(f"{self._get_url('bulk_edit')}?{query_string}", selected_data)
             # Expect a 200 status cause we are only rendering the bulk edit table after pressing Edit Selected button.
             self.assertHttpStatus(response, 200)
-            response_body = testing.extract_page_body(response.content.decode(response.charset))
+            response_body = utils.extract_page_body(response.content.decode(response.charset))
             # Check if the first and second pk is passed into the form.
             self.assertIn(f'<input type="hidden" name="pk" value="{first_pk}"', response_body)
             self.assertIn(f'<input type="hidden" name="pk" value="{second_pk}"', response_body)
@@ -1195,7 +1194,7 @@ class ViewTestCases:
                 "pk": pk_list,
                 "_apply": True,  # Form button
             }
-            data.update(testing.post_data(self.bulk_edit_data))
+            data.update(utils.post_data(self.bulk_edit_data))
 
             # Attempt to bulk edit permitted objects into a non-permitted state
             response = self.client.post(self._get_url("bulk_edit"), data)
@@ -1227,7 +1226,7 @@ class ViewTestCases:
             For some models this may just be any random objects, but when we have FKs with `on_delete=models.PROTECT`
             (as is often the case) we need to find or create an instance that doesn't have such entanglements.
             """
-            return testing.get_deletable_objects(self.model, self._get_queryset()).values_list("pk", flat=True)[:3]
+            return utils.get_deletable_objects(self.model, self._get_queryset()).values_list("pk", flat=True)[:3]
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
         def test_bulk_delete_objects_without_permission(self):
@@ -1239,7 +1238,7 @@ class ViewTestCases:
             }
 
             # Try POST without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.post(self._get_url("bulk_delete"), data), 403)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
@@ -1284,7 +1283,7 @@ class ViewTestCases:
             # Try POST with the selected data first. Emulating selecting all -> pressing Delete Selected button.
             response = self.client.post(self._get_url("bulk_delete"), selected_data)
             self.assertHttpStatus(response, 200)
-            response_body = testing.extract_page_body(response.content.decode(response.charset))
+            response_body = utils.extract_page_body(response.content.decode(response.charset))
             # Check if all the pks are passed into the BulkDeleteForm/BulkDestroyForm
             for pk in pk_list:
                 self.assertIn(f'<input type="hidden" name="pk" value="{pk}"', response_body)
@@ -1312,7 +1311,7 @@ class ViewTestCases:
             response = self.client.post(f"{self._get_url('bulk_delete')}?{query_string}", selected_data)
             # Expect a 200 status cause we are only rendering the bulk delete table after pressing Delete Selected button.
             self.assertHttpStatus(response, 200)
-            response_body = testing.extract_page_body(response.content.decode(response.charset))
+            response_body = utils.extract_page_body(response.content.decode(response.charset))
             # Check if the first and second pk is passed into the form.
             self.assertIn(f'<input type="hidden" name="pk" value="{first_pk}"', response_body)
             self.assertIn(f'<input type="hidden" name="pk" value="{second_pk}"', response_body)
@@ -1372,11 +1371,11 @@ class ViewTestCases:
             data.update(self.rename_data)
 
             # Test GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.get(self._get_url("bulk_rename")), 403)
 
             # Try POST without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.post(self._get_url("bulk_rename"), data), 403)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=["*"])
@@ -1517,13 +1516,13 @@ class ViewTestCases:
                 url = reverse(f"dcim:device_bulk_add_{self.model._meta.model_name}")
                 request = {
                     "path": url,
-                    "data": testing.post_data({"pk": data["device"]}),
+                    "data": utils.post_data({"pk": data["device"]}),
                 }
             else:
                 url = reverse(f"virtualization:virtualmachine_bulk_add_{self.model._meta.model_name}")
                 request = {
                     "path": url,
-                    "data": testing.post_data({"pk": data["virtual_machine"]}),
+                    "data": utils.post_data({"pk": data["virtual_machine"]}),
                 }
             self.assertHttpStatus(self.client.post(**request), 200)
 
@@ -1533,7 +1532,7 @@ class ViewTestCases:
             else:
                 data["pk"] = data.pop("virtual_machine")
             data["_create"] = ""
-            request["data"] = testing.post_data(data)
+            request["data"] = utils.post_data(data)
             self.assertHttpStatus(self.client.post(**request), 302)
 
             updated_count = self._get_queryset().count()

nautobot/core/tests/test_api.py

@@ -20,7 +20,7 @@ from nautobot.circuits.models import Provider
 from nautobot.core import testing
 from nautobot.core.api.parsers import NautobotCSVParser
 from nautobot.core.api.renderers import NautobotCSVRenderer
-from nautobot.core.api.utils import get_serializer_for_model
+from nautobot.core.api.utils import get_serializer_for_model, get_view_name
 from nautobot.core.api.versioning import NautobotAPIVersioning
 from nautobot.core.constants import COMPOSITE_KEY_SEPARATOR
 from nautobot.core.utils.lookup import get_route_for_model
@@ -28,7 +28,7 @@ from nautobot.dcim import models as dcim_models
 from nautobot.dcim.api import serializers as dcim_serializers
 from nautobot.extras import choices, models as extras_models
 from nautobot.ipam import models as ipam_models
-from nautobot.ipam.api import serializers as ipam_serializers
+from nautobot.ipam.api import serializers as ipam_serializers, views as ipam_api_views
 from nautobot.tenancy import models as tenancy_models
 
 User = get_user_model()
@@ -997,3 +997,24 @@ class NewUIGetMenuAPIViewTestCase(testing.APITestCase):
 
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.data, expected_response)
+
+
+class NautobotGetViewNameTest(TestCase):
+    """
+    Some unit tests for the get_view_name() functionality.
+    """
+
+    @override_settings(ALLOWED_HOSTS=["*"])
+    def test_get(self):
+        """Assert that the proper view name is displayed for the correct view."""
+        viewset = ipam_api_views.PrefixViewSet
+        # We need to get a specific view, so we need to set the class kwargs
+        view_kwargs = {
+            "Prefixes": {"suffix": "List", "basename": "prefix", "detail": False},
+            "Prefix": {"suffix": "Instance", "basename": "prefix", "detail": True},
+            "Available IPs": {"name": "Available IPs"},
+            "Available Prefixes": {"name": "Available Prefixes"},
+            "Notes": {"name": "Notes"},
+        }
+        for view_name, view_kwarg in view_kwargs.items():
+            self.assertEqual(view_name, get_view_name(viewset(**view_kwarg)))

nautobot/core/tests/test_templatetags_helpers.py

@@ -283,3 +283,35 @@ class NautobotTemplatetagsHelperTest(TestCase):
                     helpers.support_message(),
                     "<p>Settings <strong>support</strong> message:</p><ul><li>Item 1</li><li>Item 2</li></ul>",
                 )
+
+    def test_hyperlinked_object_target_new_tab(self):
+        # None gives a placeholder
+        self.assertEqual(helpers.hyperlinked_object_target_new_tab(None), helpers.placeholder(None))
+        # An object without get_absolute_url gives a string
+        self.assertEqual(helpers.hyperlinked_object_target_new_tab("hello"), "hello")
+        # An object with get_absolute_url gives a hyperlink
+        location = models.Location.objects.first()
+        # Initially remove description if any
+        location.description = ""
+        location.save()
+        self.assertEqual(
+            helpers.hyperlinked_object_target_new_tab(location),
+            f'<a href="/dcim/locations/{location.pk}/" target="_blank" rel="noreferrer">{location.name}</a>',
+        )
+        # An object with get_absolute_url and a description gives a titled hyperlink
+        location.description = "An important location"
+        location.save()
+        self.assertEqual(
+            helpers.hyperlinked_object_target_new_tab(location),
+            f'<a href="/dcim/locations/{location.pk}/" title="An important location" target="_blank" rel="noreferrer">{location.name}</a>',
+        )
+        # Optionally you can request a field other than the object's display string
+        self.assertEqual(
+            helpers.hyperlinked_object_target_new_tab(location, "name"),
+            f'<a href="/dcim/locations/{location.pk}/" title="An important location" target="_blank" rel="noreferrer">{location.name}</a>',
+        )
+        # If you request a nonexistent field, it defaults to the string representation
+        self.assertEqual(
+            helpers.hyperlinked_object_target_new_tab(location, "foo"),
+            f'<a href="/dcim/locations/{location.pk}/" title="An important location" target="_blank" rel="noreferrer">{location!s}</a>',
+        )

nautobot/core/tests/test_views.py

@@ -90,7 +90,8 @@ class HomeViewTestCase(TestCase):
         difference = [model for model in existing_models if model not in global_searchable_models]
         if difference:
             self.fail(
-                f'Existing model/models {",".join(difference)} are not included in the searchable_models attribute of the app config.\nIf you do not want the models to be searchable, please include them in the GLOBAL_SEARCH_EXCLUDE_LIST constant in nautobot.core.constants.'
+                f'Existing model/models {",".join(difference)} are not included in the searchable_models attribute of the app config.\n'
+                'If you do not want the models to be searchable, please include them in the GLOBAL_SEARCH_EXCLUDE_LIST constant in nautobot.core.constants.'
             )
 
     def make_request(self):
@@ -241,6 +242,25 @@ class FilterFormsTestCase(TestCase):
         self.assertInHTML(locations[0].name, response_content)
         self.assertInHTML(locations[1].name, response_content)
 
+    def test_filtering_crafted_query_params(self):
+        """Test for reflected-XSS vulnerability GHSA-jxgr-gcj5-cqqg."""
+        self.add_permissions("dcim.view_location")
+        query_param = "?location_type=1 onmouseover=alert('hi') foo=bar"
+        url = reverse("dcim:location_list") + query_param
+        response = self.client.get(url)
+        self.assertHttpStatus(response, 200)
+        response_content = response.content.decode(response.charset)
+        # The important thing here is that the data-field-parent and data-field-value are correctly quoted
+        self.assertInHTML(
+            """
+<span class="filter-selection-choice-remove remove-filter-param"
+      data-field-type="child"
+      data-field-parent="location_type"
+      data-field-value="1 onmouseover=alert(&#x27;hi&#x27;) foo=bar"
+>×</span>""",  # noqa: RUF001 - ambiguous-unicode-character-string
+            response_content,
+        )
+
 
 class ForceScriptNameTestcase(TestCase):
     """Basic test to assert that `settings.FORCE_SCRIPT_NAME` works as intended."""