Fix test failures from RBAC refactoring

Maffooch · claude · Maffooch · commit 0608331d8691 · 2026-03-30T23:54:00.000-06:00
Update @patch targets in test files to point to new module locations: - queries.get_current_user → query_registrations.get_current_user - authorization_tags.user_has_permission → template_filters.user_has_permission Convert test_apply_finding_template tests from direct view calls to Django test client requests so middleware authorization runs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/unittests/authorization/test_authorization_tags.py b/unittests/authorization/test_authorization_tags.py
@@ -28,7 +28,7 @@ def setUp(self):
         self.permission_c = Permission()
         self.permission_c.codename = "c"
 
-    @patch("dojo.templatetags.authorization_tags.user_has_permission")
+    @patch("dojo.authorization.template_filters.user_has_permission")
     def test_has_object_permission_no_permission(self, mock_has_permission):
         mock_has_permission.return_value = False
 
@@ -37,7 +37,7 @@ def test_has_object_permission_no_permission(self, mock_has_permission):
         self.assertFalse(result)
         mock_has_permission.assert_called_with(None, self.product_type, Permissions.Product_Type_View)
 
-    @patch("dojo.templatetags.authorization_tags.user_has_permission")
+    @patch("dojo.authorization.template_filters.user_has_permission")
     @patch("crum.get_current_user")
     def test_has_object_permission_has_permission(self, mock_current_user, mock_has_permission):
         mock_has_permission.return_value = True
@@ -54,7 +54,7 @@ def test_has_object_permission_wrong_permission(self):
         with self.assertRaises(KeyError):
             has_object_permission(self.product_type, "Test")
 
-    @patch("dojo.templatetags.authorization_tags.configuration_permission")
+    @patch("dojo.authorization.template_filters.configuration_permission")
     @patch("crum.get_current_user")
     def test_has_configuration_permission(self, mock_current_user, mock_configuration_permission):
         mock_configuration_permission.return_value = True
diff --git a/unittests/test_apply_finding_template.py b/unittests/test_apply_finding_template.py
@@ -209,32 +209,35 @@ def test_apply_template_to_finding_with_data_saves_success(self):
 
     def test_unauthorized_apply_template_to_finding_fails(self):
         """Test that a non-superuser without permissions cannot apply template"""
-        with self.assertRaises(PermissionDenied):
-            self.make_request(user_is_staff=False, finding_id=self.finding.id, template_id=self.template.id,
-                                   data={"title": "Finding for Testing Apply Template functionality",
-                                    "cwe": "89",
-                                    "severity": "High",
-                                    "description": "Finding for Testing Apply Template Functionality",
-                                    "mitigation": "template mitigation",
-                                    "impact": "template impact"},
-                                   )
+        user = FindingTemplateTestUtil.create_user(is_staff=False)
+        self.client.force_login(user)
+        url = f"/finding/{self.finding.id}/{self.template.id}/apply_template_to_finding"
+        response = self.client.post(url, data={
+            "title": "Finding for Testing Apply Template functionality",
+            "cwe": "89",
+            "severity": "High",
+            "description": "Finding for Testing Apply Template Functionality",
+            "mitigation": "template mitigation",
+            "impact": "template impact",
+        })
+        self.assertEqual(response.status_code, 403)
 
     def test_reader_role_cannot_apply_template(self):
         """Test that a Reader role user (read-only) cannot apply template"""
         reader_user = FindingTemplateTestUtil.create_user_with_role(
             self.finding.test.engagement.product, "Reader", is_staff=False,
         )
-        request = FindingTemplateTestUtil.create_post_request(
-            reader_user, self.apply_template_url,
-            data={"title": "Finding for Testing Apply Template functionality",
-                  "cwe": "89",
-                  "severity": "High",
-                  "description": "Finding for Testing Apply Template Functionality",
-                  "mitigation": "template mitigation",
-                  "impact": "template impact"},
-        )
-        with impersonate(reader_user), self.assertRaises(PermissionDenied):
-            views.apply_template_to_finding(request, fid=self.finding.id, tid=self.template.id)
+        self.client.force_login(reader_user)
+        url = f"/finding/{self.finding.id}/{self.template.id}/apply_template_to_finding"
+        response = self.client.post(url, data={
+            "title": "Finding for Testing Apply Template functionality",
+            "cwe": "89",
+            "severity": "High",
+            "description": "Finding for Testing Apply Template Functionality",
+            "mitigation": "template mitigation",
+            "impact": "template impact",
+        })
+        self.assertEqual(response.status_code, 403)
 
     def test_writer_role_can_apply_template(self):
         """Test that a Writer role user (non-staff) can apply template"""
@@ -348,8 +351,11 @@ def make_request(self, user_is_staff, finding_id, template_id, data=None):
             return views.choose_finding_template_options(request, tid=template_id, fid=finding_id)
 
     def test_unauthorized_choose_finding_template_options_fails(self):
-        with self.assertRaises(PermissionDenied):
-            self.make_request(user_is_staff=False, finding_id=self.finding.id, template_id=self.template.id)
+        user = FindingTemplateTestUtil.create_user(is_staff=False)
+        self.client.force_login(user)
+        url = f"/finding/{self.template.id}/{self.finding.id}/choose_finding_template_options"
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 403)
 
     def test_authorized_choose_finding_template_options_success(self):
         result = self.make_request(user_is_staff=True, finding_id=self.finding.id, template_id=self.template.id)
@@ -440,9 +446,10 @@ def test_mktemplate_requires_permission(self):
         user.is_superuser = False
         user.save()
 
-        # Should raise PermissionDenied
-        with self.assertRaises(PermissionDenied):
-            self.make_request(user, self.finding.id)
+        self.client.force_login(user)
+        url = f"/finding/{self.finding.id}/mktemplate"
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 403)
 
 
 @versioned_fixtures
@@ -589,9 +596,10 @@ def test_add_finding_from_template_requires_permission(self):
         unauthorized_user.is_superuser = False
         unauthorized_user.save()
 
-        # Should raise PermissionDenied
-        with self.assertRaises(PermissionDenied):
-            self.make_get_request(unauthorized_user, self.test.id, self.template.id)
+        self.client.force_login(unauthorized_user)
+        url = f"/test/{self.test.id}/add_findings/{self.template.id}"
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 403)
 
     def test_add_finding_from_template_updates_template_last_used(self):
         """Test that template.last_used is updated when creating finding"""
diff --git a/unittests/test_authorization_queries.py b/unittests/test_authorization_queries.py
@@ -362,7 +362,7 @@ def test_queryset_parameter_filters_correctly(self):
 
     def test_none_user_returns_empty(self):
         """None user should return empty queryset"""
-        with patch("dojo.finding.queries.get_current_user", return_value=None):
+        with patch("dojo.authorization.query_registrations.get_current_user", return_value=None):
             findings = get_authorized_findings(Permissions.Finding_View)
             self.assertEqual(findings.count(), 0)
 
@@ -371,23 +371,23 @@ class TestGetAuthorizedStubFindings(AuthorizationQueriesTestBase):
 
     """Tests for get_authorized_stub_findings() - uses get_current_user()"""
 
-    @patch("dojo.finding.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_superuser_gets_all_stub_findings(self, mock_get_current_user):
         """Superuser should get all stub findings"""
         mock_get_current_user.return_value = self.superuser
         stub_findings = get_authorized_stub_findings(Permissions.Finding_View)
         self.assertIn(self.stub_finding_1, stub_findings)
         self.assertIn(self.stub_finding_2, stub_findings)
 
-    @patch("dojo.finding.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_no_permissions_gets_empty(self, mock_get_current_user):
         """User with no permissions should not get test stub findings"""
         mock_get_current_user.return_value = self.user_no_perms
         stub_findings = get_authorized_stub_findings(Permissions.Finding_View)
         self.assertNotIn(self.stub_finding_1, stub_findings)
         self.assertNotIn(self.stub_finding_2, stub_findings)
 
-    @patch("dojo.finding.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_product_member_gets_product_stub_findings(self, mock_get_current_user):
         """User with product membership should get only that product's stub findings"""
         mock_get_current_user.return_value = self.user_product_member
@@ -470,39 +470,39 @@ class TestGetAuthorizedProductTypes(AuthorizationQueriesTestBase):
 
     """Tests for get_authorized_product_types() - uses get_current_user()"""
 
-    @patch("dojo.product_type.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_superuser_gets_all_product_types(self, mock_get_current_user):
         """Superuser should get all product types"""
         mock_get_current_user.return_value = self.superuser
         product_types = get_authorized_product_types(Permissions.Product_Type_View)
         self.assertIn(self.product_type_1, product_types)
         self.assertIn(self.product_type_2, product_types)
 
-    @patch("dojo.product_type.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_no_permissions_gets_empty(self, mock_get_current_user):
         """User with no permissions should not get test product types"""
         mock_get_current_user.return_value = self.user_no_perms
         product_types = get_authorized_product_types(Permissions.Product_Type_View)
         self.assertNotIn(self.product_type_1, product_types)
         self.assertNotIn(self.product_type_2, product_types)
 
-    @patch("dojo.product_type.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_global_reader_gets_all(self, mock_get_current_user):
         """User with global reader role should get all product types"""
         mock_get_current_user.return_value = self.user_global_reader
         product_types = get_authorized_product_types(Permissions.Product_Type_View)
         self.assertIn(self.product_type_1, product_types)
         self.assertIn(self.product_type_2, product_types)
 
-    @patch("dojo.product_type.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_product_type_member_gets_own_types(self, mock_get_current_user):
         """User with product type membership should get only that type"""
         mock_get_current_user.return_value = self.user_product_type_member
         product_types = get_authorized_product_types(Permissions.Product_Type_View)
         self.assertIn(self.product_type_1, product_types)
         self.assertNotIn(self.product_type_2, product_types)
 
-    @patch("dojo.product_type.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_group_product_type_member_gets_group_types(self, mock_get_current_user):
         """User in group with product type access should get that type"""
         mock_get_current_user.return_value = self.user_group_product_type_member
@@ -515,39 +515,39 @@ class TestGetAuthorizedEngagements(AuthorizationQueriesTestBase):
 
     """Tests for get_authorized_engagements() - uses get_current_user()"""
 
-    @patch("dojo.engagement.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_superuser_gets_all_engagements(self, mock_get_current_user):
         """Superuser should get all engagements"""
         mock_get_current_user.return_value = self.superuser
         engagements = get_authorized_engagements(Permissions.Engagement_View)
         self.assertIn(self.engagement_1, engagements)
         self.assertIn(self.engagement_2, engagements)
 
-    @patch("dojo.engagement.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_no_permissions_gets_empty(self, mock_get_current_user):
         """User with no permissions should not get test engagements"""
         mock_get_current_user.return_value = self.user_no_perms
         engagements = get_authorized_engagements(Permissions.Engagement_View)
         self.assertNotIn(self.engagement_1, engagements)
         self.assertNotIn(self.engagement_2, engagements)
 
-    @patch("dojo.engagement.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_global_reader_gets_all(self, mock_get_current_user):
         """User with global reader role should get all engagements"""
         mock_get_current_user.return_value = self.user_global_reader
         engagements = get_authorized_engagements(Permissions.Engagement_View)
         self.assertIn(self.engagement_1, engagements)
         self.assertIn(self.engagement_2, engagements)
 
-    @patch("dojo.engagement.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_product_member_gets_product_engagements(self, mock_get_current_user):
         """User with product membership should get only that product's engagements"""
         mock_get_current_user.return_value = self.user_product_member
         engagements = get_authorized_engagements(Permissions.Engagement_View)
         self.assertIn(self.engagement_1, engagements)
         self.assertNotIn(self.engagement_2, engagements)
 
-    @patch("dojo.engagement.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_product_type_member_gets_product_type_engagements(self, mock_get_current_user):
         """User with product type membership should get engagements in that type"""
         mock_get_current_user.return_value = self.user_product_type_member
@@ -560,23 +560,23 @@ class TestGetAuthorizedTests(AuthorizationQueriesTestBase):
 
     """Tests for get_authorized_tests() - uses get_current_user()"""
 
-    @patch("dojo.test.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_superuser_gets_all_tests(self, mock_get_current_user):
         """Superuser should get all tests"""
         mock_get_current_user.return_value = self.superuser
         tests = get_authorized_tests(Permissions.Test_View)
         self.assertIn(self.test_1, tests)
         self.assertIn(self.test_2, tests)
 
-    @patch("dojo.test.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_no_permissions_gets_empty(self, mock_get_current_user):
         """User with no permissions should not get test tests"""
         mock_get_current_user.return_value = self.user_no_perms
         tests = get_authorized_tests(Permissions.Test_View)
         self.assertNotIn(self.test_1, tests)
         self.assertNotIn(self.test_2, tests)
 
-    @patch("dojo.test.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_product_member_gets_product_tests(self, mock_get_current_user):
         """User with product membership should get only that product's tests"""
         mock_get_current_user.return_value = self.user_product_member
@@ -711,15 +711,15 @@ class TestGetAuthorizedGroups(AuthorizationQueriesTestBase):
 
     """Tests for get_authorized_groups() - uses get_current_user()"""
 
-    @patch("dojo.group.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_superuser_gets_all_groups(self, mock_get_current_user):
         """Superuser should get all groups"""
         mock_get_current_user.return_value = self.superuser
         groups = get_authorized_groups(Permissions.Group_View)
         self.assertIn(self.group_product, groups)
         self.assertIn(self.group_product_type, groups)
 
-    @patch("dojo.group.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_group_member_gets_own_groups(self, mock_get_current_user):
         """User who is a group member should get that group"""
         mock_get_current_user.return_value = self.user_group_product_member
diff --git a/unittests/test_user_queries.py b/unittests/test_user_queries.py
@@ -73,31 +73,29 @@ def tearDown(self):
         self.product_type_user.delete()
         self.invisible_user.delete()
 
-    @patch("dojo.user.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_none(self, mock_current_user):
         mock_current_user.return_value = None
 
         self.assertQuerySetEqual(Dojo_User.objects.none(), get_authorized_users(Permissions.Product_View))
 
-    @patch("dojo.user.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_admin(self, mock_current_user):
         mock_current_user.return_value = self.admin_user
 
         users = Dojo_User.objects.all().order_by("first_name", "last_name", "username")
         self.assertQuerySetEqual(users, get_authorized_users(Permissions.Product_View))
 
-    @patch("dojo.user.queries.get_current_user")
+    @patch("dojo.authorization.query_registrations.get_current_user")
     def test_user_global_permission(self, mock_current_user):
         mock_current_user.return_value = self.global_permission_user
 
         users = Dojo_User.objects.all().order_by("first_name", "last_name", "username")
         self.assertQuerySetEqual(users, get_authorized_users(Permissions.Product_View))
 
-    @patch("dojo.user.queries.get_current_user")
-    @patch("dojo.product.queries.get_current_user")
-    def test_user_regular(self, mock_current_user_1, mock_current_user_2):
-        mock_current_user_1.return_value = self.regular_user
-        mock_current_user_2.return_value = self.regular_user
+    @patch("dojo.authorization.query_registrations.get_current_user")
+    def test_user_regular(self, mock_current_user):
+        mock_current_user.return_value = self.regular_user
 
         users = Dojo_User.objects.exclude(username="invisible_user").order_by("first_name", "last_name", "username")
         self.assertQuerySetEqual(users, get_authorized_users(Permissions.Product_View))
