Skip to content

[tests] Non-superuser can view shared objects #187

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pandafy wants to merge 3 commits into
base: master
Choose a base branch
from
Open

[tests] Non-superuser can view shared objects #187

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
118b445
[tests] Non-superuser can view shared objects
pandafy Jul 9, 2025
cf33a08
[temp] Upgraded openwisp-users
pandafy Jul 9, 2025
d16456a
[tests] Fixed failing test
pandafy Aug 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ jobs:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

# Caches downloaded .deb packages to speed up future installations
- name: Cache APT packages
uses: actions/cache@v4
Expand All @@ -51,7 +51,7 @@ jobs:
restore-keys: |
apt-${{ runner.os }}-
# Disables man-db auto-update to prevent delays during package installation
# Disables man-db auto-update to prevent delays during package installation
- name: Disable man page auto-update
run: |
echo 'set man-db/auto-update false' | sudo debconf-communicate >/dev/null
Expand All @@ -71,6 +71,7 @@ jobs:
pip install -U pip wheel setuptools
pip install -U -r requirements-test.txt
pip install -U -e .
pip install -UI "openwisp-users @ https://github.com/openwisp/openwisp-users/tarball/issues/238-view-shared-objects" "cryptography~=43.0.3"
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Do not merge with a feature-branch dependency.

Installing openwisp-users from a feature branch (issues/238-view-shared-objects) is not suitable for merging to master:

  1. The branch can be deleted, force-pushed, or renamed, breaking CI unpredictably.
  2. Tarball URLs are not version-pinned—the content changes with every commit to that branch.
  3. This creates a dependency on unreleased, potentially unreviewed code.

The commit message [temp] Upgraded openwisp-users and the PR description's reference to blocker openwisp/openwisp-users#444 confirm this is a temporary workaround.

Before merging, either:

  • Wait for the upstream PR to be merged and released, then pin to a stable version.
  • Or, if this PR must proceed, add a prominent # TODO: comment explaining the temporary dependency and linking to the blocker issue so it's not forgotten.

Additionally, the cryptography~=43.0.3 pin is unexplained—please add a comment documenting why this specific version constraint is required.

🤖 Prompt for AI Agents 
In @.github/workflows/ci.yml at line 74, The CI pip install line that pins
openwisp-users to a feature-branch tarball ("openwisp-users @
https://github.com/openwisp/openwisp-users/tarball/issues/238-view-shared-objects")
must not be merged as-is; either replace it with the released package version
once upstream PR is merged (pin to a stable semver) or, if you must keep it
temporarily, add a prominent "# TODO: temporary dependency - link to
openwisp/openwisp-users#444" comment immediately above that pip install entry so
reviewers know it's temporary, and likewise add a short comment explaining why
"cryptography~=43.0.3" is pinned (linking to the rationale/issue/commit). Ensure
the change targets the pip install line text so CI no longer depends on an
unmerged branch or is clearly annotated as temporary.

pip install ${{ matrix.django-version }}
sudo npm install -g prettier
Expand Down
2 changes: 2 additions & 0 deletions openwisp_ipam/api/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,8 @@ class IpAddressListCreateView(IpAddressOrgMixin, ProtectedAPIMixin, ListCreateAP
subnet_model = Subnet
serializer_class = IpAddressSerializer
pagination_class = ListViewPagination
organization_field = "subnet__organization"
organization_lookup = "organization__in"

def get_queryset(self):
subnet = get_object_or_404(self.subnet_model, pk=self.kwargs["subnet_id"])
Expand Down
3 changes: 3 additions & 0 deletions openwisp_ipam/static/openwisp-ipam/css/admin.css
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,9 @@ section.subnet-visual {
background: rgba(149, 10, 10, 1);
border: 1px solid rgba(0, 0, 0, 0.4);
}
.subnet-visual a.disabled {
cursor: not-allowed;
}

.subnet-visual .page {
display: inline;
Expand Down
29 changes: 15 additions & 14 deletions openwisp_ipam/static/openwisp-ipam/js/subnet.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,20 +71,21 @@ function initHostsInfiniteScroll(
"</a>"
);
}
return (
'<a href=\"' +
address_add_url +
"?_to_field=id&amp;_popup=1&amp;ip_address=" +
addr.address +
"&amp;subnet=" +
current_subnet +
'"onclick="return showAddAnotherPopup(this);" ' +
'id="addr_' +
id +
'">' +
addr.address +
"</a>"
);
var anchorAttributes = 'class="disabled"';
if (hasSubnetChangePermission === "true") {
anchorAttributes =
'href=\"' +
address_add_url +
"?_to_field=id&amp;_popup=1&amp;ip_address=" +
addr.address +
"&amp;subnet=" +
current_subnet +
'"onclick="return showAddAnotherPopup(this);" ' +
'id="addr_' +
id +
'"';
}
return "<a " + anchorAttributes + " >" + addr.address + "</a>";
Comment on lines +74 to +88
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Fix boolean comparison so authorized users keep links.

hasSubnetChangePermission is rendered as a boolean, but Line 75 compares against a string. This keeps links disabled even when permission is granted.

🛠️ Proposed fix 
-    if (hasSubnetChangePermission === "true") {
+    if (hasSubnetChangePermission) {
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
var anchorAttributes = 'class="disabled"';
if (hasSubnetChangePermission === "true") {
anchorAttributes =
'href=\"' +
address_add_url +
"?_to_field=id&amp;_popup=1&amp;ip_address=" +
addr.address +
"&amp;subnet=" +
current_subnet +
'"onclick="return showAddAnotherPopup(this);" ' +
'id="addr_' +
id +
'"';
}
return "<a " + anchorAttributes + " >" + addr.address + "</a>";
var anchorAttributes = 'class="disabled"';
if (hasSubnetChangePermission) {
anchorAttributes =
'href=\"' +
address_add_url +
"?_to_field=id&amp;_popup=1&amp;ip_address=" +
addr.address +
"&amp;subnet=" +
current_subnet +
'"onclick="return showAddAnotherPopup(this);" ' +
'id="addr_' +
id +
'"';
}
return "<a " + anchorAttributes + " >" + addr.address + "</a>";
🤖 Prompt for AI Agents 
In `@openwisp_ipam/static/openwisp-ipam/js/subnet.js` around lines 74 - 88, The
conditional is comparing hasSubnetChangePermission to the string "true", so
authorized users rendered with a boolean true never get the link; update the
check in the subnet rendering logic (the block that sets anchorAttributes used
to build the "<a ...>" output) to test the boolean value (e.g.,
hasSubnetChangePermission === true or simply if (hasSubnetChangePermission)) so
the href using address_add_url, addr.address, current_subnet, id and
showAddAnotherPopup is applied when permission is granted.

}
function pageContainer(page) {
var div = $('<div class="page"></div>');
Expand Down
1 change: 1 addition & 0 deletions openwisp_ipam/templates/admin/openwisp-ipam/subnet/change_form.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ <h3 class="subnet-visual">{% trans 'Subnet Visual Display' %}</h3>
var current_subnet = '{{ original.pk }}';
var ipAddUrl = '{% url ipaddress_add_url %}'
var ipChangeUrl = '{% url ipaddress_change_url "1234" %}'
var hasSubnetChangePermission = {{ has_change_permission|yesno:"true,false" }};
django.jQuery(document).ready(function () {
initHostsInfiniteScroll(django.jQuery, current_subnet, ipAddUrl, ipChangeUrl, {{ ip_uuid| safe}})
});
Expand Down
77 changes: 76 additions & 1 deletion openwisp_ipam/tests/test_admin.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,12 @@
import json

import django
from django.contrib.auth import get_user_model
from django.contrib.auth.models import Group
from django.core.files.uploadedfile import SimpleUploadedFile
from django.test import TestCase
from django.urls import reverse
from openwisp_users.tests.utils import TestMultitenantAdminMixin
from swapper import load_model

from . import CreateModelsMixin, PostDataMixin
Expand All @@ -14,7 +16,7 @@
IpAddress = load_model("openwisp_ipam", "IpAddress")


class TestAdmin(CreateModelsMixin, PostDataMixin, TestCase):
class TestAdmin(TestMultitenantAdminMixin, CreateModelsMixin, PostDataMixin, TestCase):
app_label = "openwisp_ipam"

def setUp(self):
Expand Down Expand Up @@ -438,3 +440,76 @@ def assert_response(response):
reverse("admin:ipam_export_subnet", args=[subnet.id]), follow=True
)
assert_response(response)

def test_superuser_create_shared_subnet(self):
admin = self._get_admin()
self.client.force_login(admin)
response = self.client.post(
reverse(f"admin:{self.app_label}_subnet_add"),
data={
"name": "test-subnet",
"subnet": "10.0.0.0/24",
"organization": "",
},
follow=True,
)
self.assertEqual(response.status_code, 200)
self.assertEqual(Subnet.objects.count(), 1)

def test_org_admin_view_shared_subnet(self):
subnet = self._create_subnet(organization=None, subnet="10.8.0.0/24")
self._test_org_admin_view_shareable_object(
reverse(f"admin:{self.app_label}_subnet_change", args=(subnet.id,)),
)

def test_org_admin_create_shared_subnet(self):
self._test_org_admin_create_shareable_object(
reverse(f"admin:{self.app_label}_subnet_add"),
payload={
"name": "test-subnet",
"subnet": "10.0.0.0/24",
"organization": "",
},
model=Subnet,
)

def test_superuser_create_shared_ip(self):
admin = self._get_admin()
self.client.force_login(admin)
shared_subnet = self._create_subnet(subnet="10.0.0.0/24", organization=None)
response = self.client.post(
reverse(f"admin:{self.app_label}_ipaddress_add"),
data={
"subnet": str(shared_subnet.id),
},
follow=True,
)
self.assertEqual(response.status_code, 200)
self.assertEqual(Subnet.objects.count(), 1)

Comment on lines +476 to +489
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Test doesn’t prove IP creation.

test_superuser_create_shared_ip posts without ip_address, and the only assertion checks Subnet.objects.count(), which remains 1 even if the IP isn’t created. Either assert the validation error or include an IP and assert IpAddress creation.

✅ Example fix (assert creation) 
         response = self.client.post(
             reverse(f"admin:{self.app_label}_ipaddress_add"),
             data={
                 "subnet": str(shared_subnet.id),
+                "ip_address": "10.0.0.1",
             },
             follow=True,
         )
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(Subnet.objects.count(), 1)
+        self.assertEqual(IpAddress.objects.count(), 1)
🤖 Prompt for AI Agents 
In `@openwisp_ipam/tests/test_admin.py` around lines 476 - 489, The
test_superuser_create_shared_ip currently posts only "subnet" so it can't prove
an IP was created; update the test to either include a valid "ip_address" in the
POST payload (e.g., use the _create_subnet result and provide a free address)
and then assert IpAddress.objects.count() == 1 (or assert an IpAddress exists
for the created subnet), or change the assertion to check for the form
validation error returned in response.context if testing missing-ip validation;
reference test_superuser_create_shared_ip, the client.post call to
admin:{app_label}_ipaddress_add, Subnet and IpAddress models and the
_create_subnet helper to locate and implement the fix.

def test_org_admin_view_shared_ip(self):
shared_subnet = self._create_subnet(subnet="10.0.0.0/24", organization=None)
ip = shared_subnet.request_ip()
self._test_org_admin_view_shareable_object(
reverse(f"admin:{self.app_label}_ipaddress_change", args=(ip.id,)),
expected_element=(
'<div class="form-row field-ip_address">\n\n\n<div>\n\n'
'<div class="flex-container">\n\n'
"<label>Ip address:</label>\n\n"
'<div class="readonly">10.0.0.1</div>\n\n\n'
"</div>\n\n</div>\n\n\n</div>"
),
)

def test_org_admin_create_shared_ip(self):
shared_subnet = self._create_subnet(subnet="10.0.0.0/24", organization=None)
self._test_org_admin_create_shareable_object(
reverse(f"admin:{self.app_label}_ipaddress_add"),
payload={
"subnet": str(shared_subnet.id),
},
model=IpAddress,
error_message=(
'<ul class="errorlist"{}><li>This field is required.</li></ul>'
).format(' id="id_ip_address_error"' if django.VERSION >= (5, 2) else ""),
)
85 changes: 82 additions & 3 deletions openwisp_ipam/tests/test_api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,8 @@

from django.contrib.auth import get_user_model
from django.core.files.uploadedfile import SimpleUploadedFile
from django.test import TestCase
from django.urls import reverse
from openwisp_users.tests.utils import TestMultitenantAdminMixin
from openwisp_users.tests.test_api import APITestCase
from swapper import load_model

from . import CreateModelsMixin, PostDataMixin
Expand All @@ -14,7 +13,7 @@
IpAddress = load_model("openwisp_ipam", "IpAddress")


class TestApi(TestMultitenantAdminMixin, CreateModelsMixin, PostDataMixin, TestCase):
class TestApi(CreateModelsMixin, PostDataMixin, APITestCase):
def setUp(self):
super().setUp()
self._login()
Expand Down Expand Up @@ -351,3 +350,83 @@ def test_subnet_single_hosts_first_address(self):
host_address_32 = response.data["results"][0]["address"]
self.assertEqual(host_address_128, "2001:db00::")
self.assertEqual(host_address_32, "192.168.0.0")

def test_superuser_access_shared_subnet(self):
self._logout()
self._test_superuser_access_shared_object(
token=None,
listview_name="ipam:subnet_list_create",
detailview_name="ipam:subnet",
create_payload={
"name": "test-subnet",
"subnet": "10.0.0.0/24",
"description": "Test Subnet",
"organization": None,
},
update_payload={
"name": "updated-subnet",
"subnet": "10.0.0.0/24",
},
expected_count=1,
)

def test_org_manager_access_shared_subnet(self):
self._logout()
shared_subnet = self._create_subnet(organization=None, subnet="10.0.0.0/24")
self._test_org_user_access_shared_object(
listview_path=reverse("ipam:subnet_list_create"),
detailview_path=reverse("ipam:subnet", args=[shared_subnet.pk]),
create_payload={
"name": "test-subnet",
"subnet": "10.0.0.0/24",
"description": "Test Subnet",
"organization": None,
},
update_payload={
"name": "updated-subnet",
"subnet": "10.0.0.0/24",
},
expected_count=1,
)

def test_superuser_access_shared_ip(self):
self._logout()
subnet = self._create_subnet(subnet="10.0.0.0/24", organization=None)
self._test_superuser_access_shared_object(
token=None,
listview_path=reverse("ipam:list_create_ip_address", args=[subnet.id]),
detailview_name="ipam:ip_address",
create_payload={
"ip_address": "10.0.0.1",
"subnet": str(subnet.id),
"description": "Test IP",
},
update_payload={
"description": "updated-ip",
"ip_address": "10.0.0.1",
"subnet": str(subnet.id),
},
expected_count=1,
)

def test_org_manager_access_shared_ip(self):
self._logout()
shared_subnet = self._create_subnet(subnet="10.0.0.0/24", organization=None)
shared_ip = shared_subnet.request_ip()
self._test_org_user_access_shared_object(
listview_path=reverse(
"ipam:list_create_ip_address", args=[shared_subnet.id]
),
detailview_path=reverse("ipam:ip_address", args=[shared_ip.id]),
create_payload={
"ip_address": "10.0.0.2",
"subnet": str(shared_subnet.id),
"description": "Test IP",
},
update_payload={
"description": "updated-ip",
"ip_address": "10.0.0.1",
"subnet": str(shared_subnet.id),
},
expected_count=1,
)
Comment on lines +354 to +432
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

rg -n "def _test_superuser_access_shared_object" -A 10

Repository: openwisp/openwisp-ipam

Length of output: 48

🏁 Script executed:

rg -n "def _test_org_user_access_shared_object" -A 10

Repository: openwisp/openwisp-ipam

Length of output: 48

🏁 Script executed:

rg -n "def _test_superuser_access_shared_object|def _test_org_user_access_shared_object" -B 2 -A 10

Repository: openwisp/openwisp-ipam

Length of output: 48

🏁 Script executed:

# Find the test class definition and parent classes
rg -n "class.*Test.*:" openwisp_ipam/tests/test_api.py -A 2 | head -20

Repository: openwisp/openwisp-ipam

Length of output: 181

🏁 Script executed:

# Find where the mixins are defined
fd -e "py" -x grep -l "class CreateModelsMixin\|class PostDataMixin" {} \;

Repository: openwisp/openwisp-ipam

Length of output: 99

🏁 Script executed:

# Look for _test_superuser_access_shared_object in the entire codebase
find . -name "*.py" -type f -exec grep -l "_test_superuser_access_shared_object" {} \;

Repository: openwisp/openwisp-ipam

Length of output: 99

🏁 Script executed:

# Find the helper function definitions in test_api.py
rg -n "_test_superuser_access_shared_object|_test_org_user_access_shared_object" openwisp_ipam/tests/test_api.py | head -30

Repository: openwisp/openwisp-ipam

Length of output: 283

🏁 Script executed:

# Get line count to understand file size
wc -l openwisp_ipam/tests/test_api.py

Repository: openwisp/openwisp-ipam

Length of output: 101

🏁 Script executed:

# Get the helper function definitions from __init__.py
cat -n openwisp_ipam/tests/__init__.py | grep -A 15 "_test_superuser_access_shared_object"

Repository: openwisp/openwisp-ipam

Length of output: 48

🏁 Script executed:

# Also check for _test_org_user_access_shared_object
cat -n openwisp_ipam/tests/__init__.py | grep -A 15 "_test_org_user_access_shared_object"

Repository: openwisp/openwisp-ipam

Length of output: 48

🏁 Script executed:

# Check size of __init__.py
wc -l openwisp_ipam/tests/__init__.py

Repository: openwisp/openwisp-ipam

Length of output: 100

🏁 Script executed:

# Look for openwisp_users package
find . -type d -name "openwisp_users" | head -5

Repository: openwisp/openwisp-ipam

Length of output: 48

🏁 Script executed:

# Search more broadly for the helper functions
grep -r "_test_superuser_access_shared_object" . --include="*.py" 2>/dev/null

Repository: openwisp/openwisp-ipam

Length of output: 235

🏁 Script executed:

# Read the __init__.py to understand imports and class hierarchy
cat -n openwisp_ipam/tests/__init__.py

Repository: openwisp/openwisp-ipam

Length of output: 1944

🏁 Script executed:

# Check if there's any openwisp_users available in the repo or requirements
find . -name "*requirements*" -o -name "setup.py" -o -name "pyproject.toml" | xargs grep -l "openwisp_users" 2>/dev/null

Repository: openwisp/openwisp-ipam

Length of output: 50

🏁 Script executed:

# Search in site-packages or installed packages (if available)
python3 -c "import openwisp_users.tests.utils; import inspect; print(inspect.getfile(openwisp_users.tests.utils.TestOrganizationMixin))" 2>/dev/null || echo "Not installed"

Repository: openwisp/openwisp-ipam

Length of output: 79

🌐 Web query:

openwisp_users TestOrganizationMixin _test_superuser_access_shared_object helper function signature

💡 Result:

I can't find that helper in the public OpenWISP repos. Can you paste the test file or a link to the repository/commit where TestOrganizationMixin._test_superuser_access_shared_object is defined?

🏁 Script executed:

# Check setup.py or pyproject.toml for openwisp_users URL/version
find . -name "setup.py" -o -name "setup.cfg" -o -name "pyproject.toml" | xargs cat 2>/dev/null | grep -A 5 -B 5 "openwisp_users" || echo "Not found"

Repository: openwisp/openwisp-ipam

Length of output: 75

🏁 Script executed:

# Check git log for clues about these test methods
git log -p --all -S "_test_superuser_access_shared_object" -- openwisp_ipam/tests/test_api.py 2>/dev/null | head -100 || echo "Git not available"

Repository: openwisp/openwisp-ipam

Length of output: 48

🏁 Script executed:

# Extract the exact helper calls to see all argument names used
sed -n '356,373p' openwisp_ipam/tests/test_api.py

Repository: openwisp/openwisp-ipam

Length of output: 665

🏁 Script executed:

# Extract the second call
sed -n '374,393p' openwisp_ipam/tests/test_api.py

Repository: openwisp/openwisp-ipam

Length of output: 808

🏁 Script executed:

# Extract the third call
sed -n '394,414p' openwisp_ipam/tests/test_api.py

Repository: openwisp/openwisp-ipam

Length of output: 890

🏁 Script executed:

# Extract the fourth call
sed -n '415,432p' openwisp_ipam/tests/test_api.py

Repository: openwisp/openwisp-ipam

Length of output: 757

Fix inconsistent parameter names in _test_superuser_access_shared_object calls.

The first call (line 356) uses listview_name and detailview_name, while the second call (line 395) uses listview_path and detailview_name. Additionally, _test_org_user_access_shared_object consistently uses listview_path and detailview_path. Standardize all calls to use the same parameter names as expected by the helper method signature.

🤖 Prompt for AI Agents 
In `@openwisp_ipam/tests/test_api.py` around lines 354 - 432, The
_test_superuser_access_shared_object call uses incorrect parameter names
(listview_name/detailview_name) which don't match the helper signature used
elsewhere (_test_org_user_access_shared_object); update the two
_test_superuser_access_shared_object invocations to use listview_path and
detailview_path (and keep token and payload names unchanged) so they match
_test_org_user_access_shared_object and the helper method signature.

Loading