udata 14.0.3.dev1__py3-none-any.whl → 14.7.3.dev4__py3-none-any.whl

udata/tests/test_legal_mails.py

@@ -0,0 +1,359 @@
+import pytest
+from flask import url_for
+
+from udata.core.dataservices.factories import DataserviceFactory
+from udata.core.dataset.factories import DatasetFactory
+from udata.core.discussions.factories import DiscussionFactory, MessageDiscussionFactory
+from udata.core.organization.factories import OrganizationFactory
+from udata.core.reuse.factories import ReuseFactory
+from udata.core.user.factories import AdminFactory, UserFactory
+from udata.tests.api import APITestCase
+from udata.tests.helpers import capture_mails
+
+
+class AdminMailsOnDeleteTest(APITestCase):
+    """Test admin mails are sent on delete when send_legal_notice=True and user is sysadmin"""
+
+    modules = []
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_dataset_delete_with_mail_as_admin(self):
+        """Admin deleting dataset with send_legal_notice=True should send email to owner"""
+        self.login(AdminFactory())
+        owner = UserFactory()
+        dataset = DatasetFactory(owner=owner)
+
+        with capture_mails() as mails:
+            response = self.delete(
+                url_for("api.dataset", dataset=dataset) + "?send_legal_notice=true"
+            )
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 1
+        assert mails[0].recipients[0] == owner.email
+        assert "deletion" in mails[0].subject.lower()
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_dataset_delete_without_mail_as_admin(self):
+        """Admin deleting dataset without send_mail should not send email"""
+        self.login(AdminFactory())
+        owner = UserFactory()
+        dataset = DatasetFactory(owner=owner)
+
+        with capture_mails() as mails:
+            response = self.delete(url_for("api.dataset", dataset=dataset))
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 0
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_dataset_delete_with_mail_as_non_admin(self):
+        """Non-admin deleting their dataset with send_legal_notice=True should not send email"""
+        owner = self.login()
+        dataset = DatasetFactory(owner=owner)
+
+        with capture_mails() as mails:
+            response = self.delete(
+                url_for("api.dataset", dataset=dataset) + "?send_legal_notice=true"
+            )
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 0
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_dataset_delete_with_org_owner_sends_to_admins(self):
+        """Deleting org-owned dataset should send email to org admins"""
+        self.login(AdminFactory())
+        org_admin = UserFactory()
+        org = OrganizationFactory(members=[{"user": org_admin, "role": "admin"}])
+        dataset = DatasetFactory(organization=org)
+
+        with capture_mails() as mails:
+            response = self.delete(
+                url_for("api.dataset", dataset=dataset) + "?send_legal_notice=true"
+            )
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 1
+        assert mails[0].recipients[0] == org_admin.email
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_reuse_delete_with_mail_as_admin(self):
+        """Admin deleting reuse with send_legal_notice=True should send email to owner"""
+        self.login(AdminFactory())
+        owner = UserFactory()
+        reuse = ReuseFactory(owner=owner)
+
+        with capture_mails() as mails:
+            response = self.delete(url_for("api.reuse", reuse=reuse) + "?send_legal_notice=true")
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 1
+        assert mails[0].recipients[0] == owner.email
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_reuse_delete_without_mail_as_admin(self):
+        """Admin deleting reuse without send_mail should not send email"""
+        self.login(AdminFactory())
+        owner = UserFactory()
+        reuse = ReuseFactory(owner=owner)
+
+        with capture_mails() as mails:
+            response = self.delete(url_for("api.reuse", reuse=reuse))
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 0
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_dataservice_delete_with_mail_as_admin(self):
+        """Admin deleting dataservice with send_legal_notice=True should send email to owner"""
+        self.login(AdminFactory())
+        owner = UserFactory()
+        dataservice = DataserviceFactory(owner=owner)
+
+        with capture_mails() as mails:
+            response = self.delete(
+                url_for("api.dataservice", dataservice=dataservice) + "?send_legal_notice=true"
+            )
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 1
+        assert mails[0].recipients[0] == owner.email
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_organization_delete_with_mail_as_admin(self):
+        """Admin deleting organization with send_legal_notice=True should send email to org admins"""
+        self.login(AdminFactory())
+        org_admin = UserFactory()
+        org = OrganizationFactory(members=[{"user": org_admin, "role": "admin"}])
+
+        with capture_mails() as mails:
+            response = self.delete(url_for("api.organization", org=org) + "?send_legal_notice=true")
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 1
+        assert mails[0].recipients[0] == org_admin.email
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_user_delete_with_legal_notice_skips_simple_notification(self):
+        """Admin deleting user with send_legal_notice=True automatically skips simple notification"""
+        self.login(AdminFactory())
+        user_to_delete = UserFactory()
+
+        with capture_mails() as mails:
+            response = self.delete(
+                url_for("api.user", user=user_to_delete) + "?send_legal_notice=true"
+            )
+
+        self.assertStatus(response, 204)
+        # Only legal notice mail, simple notification is automatically skipped
+        assert len(mails) == 1
+        assert mails[0].recipients[0] == user_to_delete.email
+        # Verify it's the legal notice (with appeal info), not the simple notification
+        assert "Deletion of your" in mails[0].subject  # Legal notice subject
+        assert "contest this decision" in mails[0].body  # Legal notice contains appeal info
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_discussion_delete_with_mail_as_admin(self):
+        """Admin deleting discussion with send_legal_notice=True should send email to author"""
+        self.login(AdminFactory())
+        author = UserFactory()
+        dataset = DatasetFactory()
+        discussion = DiscussionFactory(subject=dataset, user=author)
+
+        with capture_mails() as mails:
+            response = self.delete(
+                url_for("api.discussion", id=discussion.id) + "?send_legal_notice=true"
+            )
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 1
+        assert mails[0].recipients[0] == author.email
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_message_delete_with_mail_as_admin(self):
+        """Admin deleting message with send_legal_notice=True should send email to author"""
+        self.login(AdminFactory())
+        author = UserFactory()
+        message_author = UserFactory()
+        dataset = DatasetFactory()
+        discussion = DiscussionFactory(
+            subject=dataset,
+            user=author,
+            discussion=[
+                MessageDiscussionFactory(posted_by=author),
+                MessageDiscussionFactory(posted_by=message_author),
+            ],
+        )
+
+        with capture_mails() as mails:
+            response = self.delete(
+                url_for("api.discussion_comment", id=discussion.id, cidx=1)
+                + "?send_legal_notice=true"
+            )
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 1
+        assert mails[0].recipients[0] == message_author.email
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_dataset_delete_without_owner_no_mail_sent(self):
+        """Deleting dataset without owner or organization should not send email"""
+        self.login(AdminFactory())
+        dataset = DatasetFactory(owner=None, organization=None)
+
+        with capture_mails() as mails:
+            response = self.delete(
+                url_for("api.dataset", dataset=dataset) + "?send_legal_notice=true"
+            )
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 0
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_reuse_delete_without_owner_no_mail_sent(self):
+        """Deleting reuse without owner or organization should not send email"""
+        self.login(AdminFactory())
+        reuse = ReuseFactory(owner=None, organization=None)
+
+        with capture_mails() as mails:
+            response = self.delete(url_for("api.reuse", reuse=reuse) + "?send_legal_notice=true")
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 0
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_dataservice_delete_without_owner_no_mail_sent(self):
+        """Deleting dataservice without owner or organization should not send email"""
+        self.login(AdminFactory())
+        dataservice = DataserviceFactory(owner=None, organization=None)
+
+        with capture_mails() as mails:
+            response = self.delete(
+                url_for("api.dataservice", dataservice=dataservice) + "?send_legal_notice=true"
+            )
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 0
+
+    @pytest.mark.options(DEFAULT_LANGUAGE="en")
+    def test_organization_delete_without_admins_no_mail_sent(self):
+        """Deleting organization without admin members should not send email"""
+        self.login(AdminFactory())
+        editor = UserFactory()
+        org = OrganizationFactory(members=[{"user": editor, "role": "editor"}])
+
+        with capture_mails() as mails:
+            response = self.delete(url_for("api.organization", org=org) + "?send_legal_notice=true")
+
+        self.assertStatus(response, 204)
+        assert len(mails) == 0
+
+
+class MailContentVariantsTest(APITestCase):
+    """Test mail content varies based on settings"""
+
+    modules = []
+
+    @pytest.mark.options(
+        DEFAULT_LANGUAGE="en",
+        TERMS_OF_USE_URL="https://example.com/terms",
+        TERMS_OF_USE_DELETION_ARTICLE="5.1.2",
+        TELERECOURS_URL="https://telerecours.fr",
+    )
+    def test_mail_with_all_settings(self):
+        """Mail should contain terms of use reference and telerecours when all settings defined"""
+        self.login(AdminFactory())
+        owner = UserFactory()
+        dataset = DatasetFactory(owner=owner)
+
+        with capture_mails() as mails:
+            self.delete(url_for("api.dataset", dataset=dataset) + "?send_legal_notice=true")
+
+        assert len(mails) == 1
+        body = mails[0].body
+        assert "Our terms of use specify" in body
+        assert "5.1.2" in body
+        assert "Télérecours" in body
+
+    @pytest.mark.options(
+        DEFAULT_LANGUAGE="en",
+        TERMS_OF_USE_DELETION_ARTICLE=None,
+        TELERECOURS_URL=None,
+    )
+    def test_mail_without_settings(self):
+        """Mail should use generic text when settings are not defined"""
+        self.login(AdminFactory())
+        owner = UserFactory()
+        dataset = DatasetFactory(owner=owner)
+
+        with capture_mails() as mails:
+            self.delete(url_for("api.dataset", dataset=dataset) + "?send_legal_notice=true")
+
+        assert len(mails) == 1
+        body = mails[0].body
+        assert "Our terms of use specify" not in body
+        assert "Télérecours" not in body
+        assert "contacting us" in body
+
+    @pytest.mark.options(
+        DEFAULT_LANGUAGE="en",
+        TERMS_OF_USE_URL="https://example.com/terms",
+        TERMS_OF_USE_DELETION_ARTICLE="3.2",
+        TELERECOURS_URL=None,
+    )
+    def test_mail_with_terms_only(self):
+        """Mail should contain terms of use but generic appeal when only terms defined"""
+        self.login(AdminFactory())
+        owner = UserFactory()
+        dataset = DatasetFactory(owner=owner)
+
+        with capture_mails() as mails:
+            self.delete(url_for("api.dataset", dataset=dataset) + "?send_legal_notice=true")
+
+        assert len(mails) == 1
+        body = mails[0].body
+        assert "Our terms of use specify" in body
+        assert "3.2" in body
+        assert "Télérecours" not in body
+        assert "contacting us" in body
+
+    @pytest.mark.options(
+        DEFAULT_LANGUAGE="en",
+        TERMS_OF_USE_DELETION_ARTICLE=None,
+        TELERECOURS_URL="https://telerecours.fr",
+    )
+    def test_mail_with_telerecours_only(self):
+        """Mail should contain telerecours but generic terms when only telerecours defined"""
+        self.login(AdminFactory())
+        owner = UserFactory()
+        dataset = DatasetFactory(owner=owner)
+
+        with capture_mails() as mails:
+            self.delete(url_for("api.dataset", dataset=dataset) + "?send_legal_notice=true")
+
+        assert len(mails) == 1
+        body = mails[0].body
+        assert "Our terms of use specify" not in body
+        assert "Télérecours" in body
+        assert "contacting us" not in body
+
+    @pytest.mark.options(
+        DEFAULT_LANGUAGE="en",
+        TERMS_OF_USE_URL=None,
+        TERMS_OF_USE_DELETION_ARTICLE="5.1.2",
+        TELERECOURS_URL=None,
+    )
+    def test_mail_with_article_but_no_url(self):
+        """Mail should use generic terms when article is defined but URL is missing"""
+        self.login(AdminFactory())
+        owner = UserFactory()
+        dataset = DatasetFactory(owner=owner)
+
+        with capture_mails() as mails:
+            self.delete(url_for("api.dataset", dataset=dataset) + "?send_legal_notice=true")
+
+        assert len(mails) == 1
+        body = mails[0].body
+        assert "Our terms of use specify" not in body
+        assert "5.1.2" not in body

udata/tests/test_notifications.py

@@ -1,75 +1,33 @@
-from datetime import datetime
-
-import pytz
 from flask import url_for
 
-from udata.core.user.factories import UserFactory
-from udata.features.notifications import actions
-
-from .api import APITestCase, DBTestCase
-
-
-class NotificationsMixin(object):
-    def setUp(self):
-        actions._providers = {}
-
-
-class NotificationsActionsTest(NotificationsMixin, DBTestCase):
-    def test_registered_provider_is_listed(self):
-        def fake_provider(user):
-            return []
-
-        actions.register_provider("fake", fake_provider)
-
-        self.assertIn("fake", actions.list_providers())
+from udata.core.organization.factories import OrganizationFactory
+from udata.core.organization.models import Member
 
-    def test_registered_provider_with_decorator_is_listed(self):
-        @actions.notifier("fake")
-        def fake_provider(user):
-            return []
+from .api import APITestCase
 
-        self.assertIn("fake", actions.list_providers())
 
-    def test_registered_provider_provide_values(self):
-        dt = datetime.utcnow()
-
-        def fake_provider(user):
-            return [(dt, {"some": "value"})]
-
-        actions.register_provider("fake", fake_provider)
-
-        user = UserFactory()
-        notifs = actions.get_notifications(user)
-
-        self.assertEqual(len(notifs), 1)
-        self.assertEqual(notifs[0]["type"], "fake")
-        self.assertEqual(notifs[0]["details"], {"some": "value"})
-        self.assertEqualDates(notifs[0]["created_on"], dt)
-
-
-class NotificationsAPITest(NotificationsMixin, APITestCase):
+class NotificationsAPITest(APITestCase):
     def test_no_notifications(self):
         self.login()
         response = self.get(url_for("api.notifications"))
         self.assert200(response)
 
-        self.assertEqual(len(response.json), 0)
+        self.assertEqual(response.json["total"], 0)
 
     def test_has_notifications(self):
+        admin = self.login()
         self.login()
-        dt = datetime.utcnow()
+        organization = OrganizationFactory(members=[Member(user=admin, role="admin")])
+        data = {"comment": "a comment"}
 
-        @actions.notifier("fake")
-        def fake_notifier(user):
-            return [(dt, {"some": "value"}), (dt, {"another": "value"})]
+        response = self.post(url_for("api.request_membership", org=organization), data)
+        self.assert201(response)
 
+        self.login(admin)
         response = self.get(url_for("api.notifications"))
         self.assert200(response)
 
-        self.assertEqual(len(response.json), 2)
-
-        for notification in response.json:
-            self.assertEqual(notification["created_on"], pytz.utc.localize(dt).isoformat())
-            self.assertEqual(notification["type"], "fake")
-        self.assertEqual(response.json[0]["details"], {"some": "value"})
-        self.assertEqual(response.json[1]["details"], {"another": "value"})
+        self.assertEqual(response.json["total"], 1)
+        self.assertEqual(
+            response.json["data"][0]["details"]["request_organization"]["id"], str(organization.id)
+        )

udata/tests/test_notifications_task.py

@@ -0,0 +1,43 @@
+from datetime import datetime, timedelta
+
+import pytest
+from flask import current_app
+
+from udata.core.organization.models import Member, MembershipRequest, Organization
+from udata.core.user.factories import UserFactory
+from udata.features.notifications import tasks
+from udata.features.notifications.models import Notification
+from udata.tests.api import APITestCase
+
+
+class UserTasksTest(APITestCase):
+    @pytest.mark.options(DAYS_AFTER_NOTIFICATION_EXPIRED=3)
+    def test_notify_inactive_users(self):
+        self.login()
+        member = Member(user=self.user, role="admin")
+        org = Organization.objects.create(
+            name="with transfert", description="XXX", members=[member]
+        )
+
+        notification_handled_date = (
+            datetime.utcnow()
+            - timedelta(days=current_app.config["DAYS_AFTER_NOTIFICATION_EXPIRED"])
+            - timedelta(days=1)  # add margin
+        )
+
+        applicant = UserFactory()
+
+        request = MembershipRequest(user=applicant, comment="test")
+        org.add_membership_request(request)
+
+        assert Notification.objects.count() == 1
+
+        request.status = "accepted"
+        request.handled_by = self.user
+        request.handled_on = notification_handled_date
+        org.save()
+        MembershipRequest.after_handle.send(request, org=org)
+
+        tasks.delete_expired_notifications()
+
+        assert Notification.objects.count() == 0

udata/tests/test_owned.py

@@ -1,13 +1,14 @@
 from mongoengine import post_save
 
 import udata.core.owned as owned
+from udata.core.dataset.permissions import OwnableReadPermission
 from udata.core.organization.factories import OrganizationFactory
 from udata.core.organization.models import Organization
 from udata.core.user.factories import AdminFactory, UserFactory
 from udata.core.user.models import User
 from udata.models import Member
 from udata.mongo import db
-from udata.tests.api import DBTestCase
+from udata.tests.api import APITestCase, DBTestCase
 
 
 class CustomQuerySet(owned.OwnedQuerySet):
@@ -265,3 +266,82 @@ class OwnedQuerysetTest(DBTestCase):
             name="private_owned_by_other_user"
         )
         self.assertEqual(len(result), 0)
+
+
+class OwnableReadPermissionTest(APITestCase):
+    def setUp(self):
+        super().setUp()
+        from flask import g
+        from flask_principal import AnonymousIdentity
+
+        g.identity = AnonymousIdentity()
+
+    def test_public_object_visible_by_anonymous(self):
+        """Public objects should be visible by anonymous users."""
+        obj = Owned.objects.create(owner=UserFactory(), private=False)
+        assert OwnableReadPermission(obj).can() is True
+
+    def test_public_object_visible_by_authenticated(self):
+        """Public objects should be visible by authenticated users."""
+        obj = Owned.objects.create(owner=UserFactory(), private=False)
+        self.login()
+        assert OwnableReadPermission(obj).can() is True
+
+    def test_private_object_not_visible_by_anonymous(self):
+        """Private objects should not be visible by anonymous users."""
+        obj = Owned.objects.create(owner=UserFactory(), private=True)
+        assert OwnableReadPermission(obj).can() is False
+
+    def test_private_object_not_visible_by_other_user(self):
+        """Private objects should not be visible by other users."""
+        obj = Owned.objects.create(owner=UserFactory(), private=True)
+        self.login()
+        assert OwnableReadPermission(obj).can() is False
+
+    def test_private_object_visible_by_owner(self):
+        """Private objects should be visible by their owner."""
+        owner = UserFactory()
+        obj = Owned.objects.create(owner=owner, private=True)
+        self.login(owner)
+        assert OwnableReadPermission(obj).can() is True
+
+    def test_private_object_visible_by_org_admin(self):
+        """Private objects should be visible by organization admins."""
+        admin = UserFactory()
+        org = OrganizationFactory(members=[Member(user=admin, role="admin")])
+        obj = Owned.objects.create(organization=org, private=True)
+        self.login(admin)
+        assert OwnableReadPermission(obj).can() is True
+
+    def test_private_object_visible_by_org_editor(self):
+        """Private objects should be visible by organization editors."""
+        editor = UserFactory()
+        org = OrganizationFactory(members=[Member(user=editor, role="editor")])
+        obj = Owned.objects.create(organization=org, private=True)
+        self.login(editor)
+        assert OwnableReadPermission(obj).can() is True
+
+    def test_private_object_not_visible_by_other_org_member(self):
+        """Private objects should not be visible by members of other organizations."""
+        member = UserFactory()
+        OrganizationFactory(members=[Member(user=member, role="admin")])
+        org = OrganizationFactory()
+        obj = Owned.objects.create(organization=org, private=True)
+        self.login(member)
+        assert OwnableReadPermission(obj).can() is False
+
+    def test_private_object_visible_by_admin(self):
+        """Private objects should be visible by sysadmins."""
+        admin = AdminFactory()
+        obj = Owned.objects.create(owner=UserFactory(), private=True)
+        self.login(admin)
+        assert OwnableReadPermission(obj).can() is True
+
+    def test_object_without_private_attribute(self):
+        """Objects without private attribute should be visible by everyone."""
+
+        class OwnedWithoutPrivate(owned.Owned, db.Document):
+            name = db.StringField()
+
+        obj = OwnedWithoutPrivate.objects.create(owner=UserFactory())
+        assert OwnableReadPermission(obj).can() is True