APIJSON
diff --git a/‎tests/README.md
Lines changed: 6 additions & 0 deletions b/‎tests/README.md
Lines changed: 6 additions & 0 deletions
diff --git a/‎tests/demo/apps/apijson_demo/dbinit.py
Lines changed: 5 additions & 3 deletions b/‎tests/demo/apps/apijson_demo/dbinit.py
Lines changed: 5 additions & 3 deletions
diff --git a/‎tests/demo/apps/apijson_demo/models.py
Lines changed: 7 additions & 0 deletions b/‎tests/demo/apps/apijson_demo/models.py
Lines changed: 7 additions & 0 deletions
diff --git a/‎tests/demo/apps/apijson_demo/settings.ini
Lines changed: 30 additions & 0 deletions b/‎tests/demo/apps/apijson_demo/settings.ini
Lines changed: 30 additions & 0 deletions
diff --git a/‎tests/test.py
Lines changed: 113 additions & 6 deletions b/‎tests/test.py
Lines changed: 113 additions & 6 deletions
@@ -0,0 +1,6 @@
+commands to run the tests:
+
+```
+cd tests
+nosetests --with-doctest
+```
@@ -7,6 +7,7 @@
 User = models.user
 Privacy = models.privacy
 Comment = models.comment
+Comment2 = models.comment2
 Moment = models.moment
 PublicNotice = models.publicnotice
 
@@ -95,21 +96,21 @@
         "to_username" : "userb",
         "moment_id" : 1,
         "date" : "2018-12-1",
-        "content" : "comment haha",
+        "content" : "comment from usera to userb",
     },
     {
         "username" : "userb",
         "to_username" : "usera",
         "moment_id" : 2,
         "date" : "2018-12-2",
-        "content" : "comment xixi",
+        "content" : "comment from userb to usera",
     },
     {
         "username" : "userc",
         "to_username" : "usera",
         "moment_id" : 3,
         "date" : "2018-12-9",
-        "content" : "comment hoho",
+        "content" : "comment from userc to usera",
     },
 ]
 
@@ -158,6 +159,7 @@
         d["to_id"] = User.get(User.c.username==d["to_username"]).id
         print("create comment record for user '%s'"%(d["username"]))
         Comment(**d).save()
+        Comment2(**d).save()
     else:
         print("error: unknown user '%s'"%(d["username"]))
 
 
@@ -28,6 +28,13 @@ class Comment(Model):
     date = Field(datetime.datetime, auto_now_add=True)
     content = Field(TEXT)
 
+class Comment2(Model):
+    user_id = Reference("user")
+    to_id = Reference("user")
+    moment_id = Reference("moment")
+    date = Field(datetime.datetime, auto_now_add=True)
+    content = Field(TEXT)
+
 class PublicNotice(Model):
     date = Field(datetime.datetime, auto_now_add=True)
     content = Field(TEXT)
 
@@ -1,10 +1,18 @@
 [MODELS]
 privacy = 'apijson_demo.models.Privacy'
 comment = 'apijson_demo.models.Comment'
+comment2 = 'apijson_demo.models.Comment2'
 moment = 'apijson_demo.models.Moment'
 publicnotice = 'apijson_demo.models.PublicNotice'
 norequesttag = 'apijson_demo.models.NoRequestTag'
 
+[PERMISSIONS]
+get_comment2 = "get comment2", ["OWNER", "ADMIN"], ""
+head_comment2 = "head comment2", ["OWNER", "ADMIN"], ""
+post_comment2 = "post comment2", ["OWNER", "ADMIN"], ""
+put_comment2 = "put comment2", ["OWNER", "ADMIN"], ""
+delete_comment2 = "delete comment2", ["OWNER", "ADMIN"], ""
+
 [APIJSON_MODELS]
 user = {
     "user_id_field" : "id",
@@ -39,6 +47,15 @@ comment = {
     "PUT" : { "roles" : ["OWNER","ADMIN"] },
     "DELETE" : { "roles" : ["OWNER","ADMIN"] },
 }
+# only define permissions, no roles
+comment2 = {
+    "user_id_field" : "user_id",
+    "GET" : { "permissions":["get_comment2"] },
+    "HEAD" : { "permissions":["head_comment2"] },
+    "POST" : { "permissions":["post_comment2"] },
+    "PUT" : { "permissions":["put_comment2"]},
+    "DELETE" : {"permissions":["delete_comment2"]},
+}
 publicnotice = {
     "GET" : { "roles" : ["OWNER","LOGIN","ADMIN","UNKNOWN"] },
     "HEAD" : { "roles" : ["OWNER","LOGIN","ADMIN","UNKNOWN"] },
@@ -73,6 +90,19 @@ comment = {
     },
 }
 
+comment2 = {
+    "POST" :{
+        "ADD" :{"@role": "OWNER"},
+        "DISALLOW" : ["id"],
+        "NECESSARY" : ["moment_id","content"]
+    },
+    "PUT" :{
+        "ADD":{"@role": "OWNER"},
+        "NECESSARY" : ["id","content"],
+        "DISALLOW" : ["user_id","to_id"],
+    },
+}
+
 publicnotice = {
     "PUT" :{
         "NECESSARY" : ["id","content"],
 
@@ -1153,7 +1153,7 @@ def test_apijson_head():
     >>> r = handler.post('/apijson/head', data=data, middlewares=[])
     >>> d = json_loads(r.data)
     >>> print(d)
-    {'code': 400, 'msg': "no login user for role 'ADMIN'"}
+    {'code': 400, 'msg': "user doesn't have role 'ADMIN'"}
 
     >>> #apijson head, without user and @role
     >>> data ='''{
@@ -1581,7 +1581,7 @@ def test_apijson_delete():
     >>> print(d)
     {'code': 400, 'msg': "model 'nonexist' not found"}
 
-    >>> #apijson delete, default to OWNER and delete other's record
+    >>> #apijson delete, try to delete other's moment
     >>> data ='''{
     ...     "moment": {
     ...         "id": 2
@@ -1591,7 +1591,7 @@ def test_apijson_delete():
     >>> r = handler.post('/apijson/delete', data=data, pre_call=pre_call_as("usera"), middlewares=[])
     >>> d = json_loads(r.data)
     >>> print(d)
-    {'code': 400, 'msg': 'no permission'}
+    {'code': 400, 'msg': 'no role to access the data'}
 
     >>> #apijson delete, without id
     >>> data ='''{
@@ -1647,7 +1647,7 @@ def test_apijson_delete():
     >>> r = handler.post('/apijson/delete', data=data, pre_call=pre_call_as("usera"), middlewares=[])
     >>> d = json_loads(r.data)
     >>> print(d)
-    {'code': 400, 'msg': "'moment' not accessible by role 'UNKNOWN'"}
+    {'code': 400, 'msg': "role 'UNKNOWN' has no permission to access the data"}
 
     >>> #apijson delete, with OWNER but not login
     >>> data ='''{
@@ -1667,7 +1667,7 @@ def test_apijson_delete():
     >>> r = handler.post('/apijson/delete', data=data, middlewares=[])
     >>> d = json_loads(r.data)
     >>> print(d)
-    {'code': 400, 'msg': 'need login user'}
+    {'code': 400, 'msg': 'no role to access the data'}
 
     >>> #apijson delete, with UNKNOWN role
     >>> data ='''{
@@ -1701,5 +1701,112 @@ def test_apijson_delete():
     >>> r = handler.post('/apijson/delete', data=data, pre_call=pre_call_as("admin"), middlewares=[])
     >>> d = json_loads(r.data)
     >>> print(d)
-    {'code': 400, 'msg': "'moment' not accessible by role 'superuser'"}
+    {'code': 400, 'msg': "role 'superuser' has no permission to access the data"}
+    """
+
+def test_apijson_permission():
+    """
+    >>> application = make_simple_application(project_dir='.')
+    >>> handler = application.handler()
+
+    >>> #apijson get, query with id, access with owner
+    >>> data ='''{
+    ... "comment2":{
+    ...         "id": 1
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/get', data=data, pre_call=pre_call_as("admin"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': {'user_id': 1, 'to_id': 3, 'moment_id': 1, 'date': '2018-11-01 00:00:00', 'content': 'comment from admin', 'id': 1}}
+
+    >>> #apijson get, query with id, access other's comment, expect empty result
+    >>> data ='''{
+    ... "comment2":{
+    ...         "id": 1
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/get', data=data, pre_call=pre_call_as("userb"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': None}
+
+    >>> #apijson get, query array
+    >>> data ='''{
+    ... "comment2":{
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/get', data=data, pre_call=pre_call_as("usera"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': {'user_id': 2, 'to_id': 3, 'moment_id': 1, 'date': '2018-12-01 00:00:00', 'content': 'comment from usera to userb', 'id': 2}}
+
+    >>> #apijson get, query one with admin as OWNER
+    >>> data ='''{
+    ... "comment2":{
+    ...        "@role":"OWNER"
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/get', data=data, pre_call=pre_call_as("admin"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': {'user_id': 1, 'to_id': 3, 'moment_id': 1, 'date': '2018-11-01 00:00:00', 'content': 'comment from admin', 'id': 1}}
+
+    >>> #apijson get, query one with admin as ADMIN
+    >>> data ='''{
+    ... "comment2":{
+    ...        "@role":"ADMIN",
+    ...        "user_id": 2
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/get', data=data, pre_call=pre_call_as("admin"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': {'user_id': 2, 'to_id': 3, 'moment_id': 1, 'date': '2018-12-01 00:00:00', 'content': 'comment from usera to userb', 'id': 2}}
+
+    >>> #apijson get, query array
+    >>> data ='''{
+    ... "[]":{
+    ...         "comment2": {"@role":"ADMIN"}
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/get', data=data, pre_call=pre_call_as("admin"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', '[]': [{'comment2': {'user_id': 1, 'to_id': 3, 'moment_id': 1, 'date': '2018-11-01 00:00:00', 'content': 'comment from admin', 'id': 1}}, {'comment2': {'user_id': 2, 'to_id': 3, 'moment_id': 1, 'date': '2018-12-01 00:00:00', 'content': 'comment from usera to userb', 'id': 2}}, {'comment2': {'user_id': 3, 'to_id': 2, 'moment_id': 2, 'date': '2018-12-02 00:00:00', 'content': 'comment from userb to usera', 'id': 3}}, {'comment2': {'user_id': 4, 'to_id': 2, 'moment_id': 3, 'date': '2018-12-09 00:00:00', 'content': 'comment from userc to usera', 'id': 4}}]}
+
+    >>> #apijson head
+    >>> data ='''{
+    ...     "comment2": {
+    ...         "user_id": 1
+    ...     }
+    ... }'''
+    >>> r = handler.post('/apijson/head', data=data, pre_call=pre_call_as("userc"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': {'code': 200, 'msg': 'success', 'count': 0}}
+
+    >>> #apijson delete with a user which have no permission
+    >>> data ='''{
+    ...     "comment2": {
+    ...         "id": 1
+    ...     },
+    ...     "@tag": "comment2"
+    ... }'''
+    >>> r = handler.post('/apijson/delete', data=data, pre_call=pre_call_as("userc"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 400, 'msg': 'no permission'}
+
+    >>> #apijson delete with permission, ADMIN
+    >>> data ='''{
+    ...     "comment2": {
+    ...         "id": 1
+    ...     },
+    ...     "@tag": "comment2"
+    ... }'''
+    >>> r = handler.post('/apijson/delete', data=data, pre_call=pre_call_as("admin"), middlewares=[])
+    >>> d = json_loads(r.data)
+    >>> print(d)
+    {'code': 200, 'msg': 'success', 'comment2': {'id': 1, 'code': 200, 'message': 'success', 'count': 1}}
     """