Fixed issue 40

outsbart · outsbart · commit 91d12c6db54b · 2015-11-23T20:51:08.000+01:00
diff --git a/oauth2_provider/models.py b/oauth2_provider/models.py
@@ -221,6 +221,13 @@ def revoke(self):
         """
         self.delete()
 
+    @property
+    def scopes(self):
+        """
+        Returns a dictionary of allowed scope names (as keys) with their descriptions (as values)
+        """
+        return {name: desc for name, desc in oauth2_settings.SCOPES.items() if name in self.scope.split()}
+
     def __str__(self):
         return self.token
 
diff --git a/oauth2_provider/templates/oauth2_provider/authorized-token-delete.html b/oauth2_provider/templates/oauth2_provider/authorized-token-delete.html
@@ -0,0 +1,9 @@
+{% extends "oauth2_provider/base.html" %}
+
+{% load i18n %}
+{% block content %}
+    <form action="" method="post">{% csrf_token %}
+        <p>{% trans "Are you sure you want to delete this token?" %}</p>
+        <input type="submit" value="{% trans "Delete" %}" />
+    </form>
+{% endblock %}
diff --git a/oauth2_provider/templates/oauth2_provider/authorized-tokens.html b/oauth2_provider/templates/oauth2_provider/authorized-tokens.html
@@ -0,0 +1,24 @@
+{% extends "oauth2_provider/base.html" %}
+
+{% load i18n %}
+{% load url from compat %}
+{% block content %}
+    <div class="block-center">
+    <h1>{% trans "Tokens" %}</h1>
+        <ul>
+        {% for authorized_token in authorized_tokens %}
+            <li>
+                {{ authorized_token.application }}
+                (<a href="{% url 'oauth2_provider:authorized-token-delete' authorized_token.pk %}">revoke</a>)
+            </li>
+            <ul>
+            {% for scope_name, scope_description in authorized_token.scopes.items %}
+                <li>{{ scope_name }}: {{ scope_description }}</li>
+            {% endfor %}
+            </ul>
+        {% empty %}
+            <li>{% trans "There are no authorized tokens yet." %}</li>
+        {% endfor %}
+        </ul>
+    </div>
+{% endblock %}
diff --git a/oauth2_provider/tests/test_application_views.py b/oauth2_provider/tests/test_application_views.py
@@ -99,3 +99,10 @@ def test_application_detail_not_owner(self):
 
         response = self.client.get(reverse('oauth2_provider:detail', args=(self.app_bar_1.pk,)))
         self.assertEqual(response.status_code, 404)
+
+    def test_delete_view_deletes(self):
+        self.client.login(username="foo_user", password="123456")
+        response = self.client.post(reverse('oauth2_provider:delete', args=(self.app_foo_1.pk,)))
+
+        self.assertFalse(Application.objects.filter(pk=self.app_foo_1.pk).exists())
+        self.assertRedirects(response, reverse('oauth2_provider:list'))
diff --git a/oauth2_provider/tests/test_models.py b/oauth2_provider/tests/test_models.py
@@ -81,6 +81,36 @@ def test_str(self):
         app.name = "test_app"
         self.assertEqual("%s" % app, "test_app")
 
+    def test_scopes_property(self):
+        self.client.login(username="test_user", password="123456")
+
+        app = Application.objects.create(
+            name="test_app",
+            redirect_uris="http://localhost http://example.com http://example.it",
+            user=self.user,
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
+        )
+
+        access_token = AccessToken(
+            user=self.user,
+            scope='read write',
+            expires=0,
+            token='',
+            application=app
+        )
+
+        access_token2 = AccessToken(
+            user=self.user,
+            scope='write',
+            expires=0,
+            token='',
+            application=app
+        )
+
+        self.assertEqual(access_token.scopes, {'read': 'Reading scope', 'write': 'Writing scope'})
+        self.assertEqual(access_token2.scopes, {'write': 'Writing scope'})
+
 
 @skipIf(django.VERSION < (1, 5), "Behavior is broken on 1.4 and there is no solution")
 @override_settings(OAUTH2_PROVIDER_APPLICATION_MODEL='tests.TestApplication')
diff --git a/oauth2_provider/tests/test_token_view.py b/oauth2_provider/tests/test_token_view.py
@@ -0,0 +1,166 @@
+from __future__ import unicode_literals
+
+import datetime
+
+from django.core.urlresolvers import reverse
+from django.test import TestCase
+from django.utils import timezone
+
+from ..models import get_application_model, AccessToken
+from ..compat import get_user_model
+
+Application = get_application_model()
+UserModel = get_user_model()
+
+
+class TestAuthorizedTokenViews(TestCase):
+    def setUp(self):
+        self.foo_user = UserModel.objects.create_user("foo_user", "test@user.com", "123456")
+        self.bar_user = UserModel.objects.create_user("bar_user", "dev@user.com", "123456")
+
+        self.application = Application(
+            name="Test Application",
+            redirect_uris="http://localhost http://example.com http://example.it",
+            user=self.bar_user,
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
+        )
+        self.application.save()
+
+    def tearDown(self):
+        self.foo_user.delete()
+        self.bar_user.delete()
+
+    def test_list_view_authorization_required(self):
+        """
+        Test that the view redirects to login page if user is not logged-in.
+        """
+        response = self.client.get(reverse('oauth2_provider:authorized-token-list'))
+        self.assertEqual(response.status_code, 302)
+        self.assertTrue('/accounts/login/?next=' in response['Location'])
+
+    def test_empty_list_view(self):
+        """
+        Test that when you have no tokens, an appropriate message is shown
+        """
+        self.client.login(username="foo_user", password="123456")
+
+        response = self.client.get(reverse('oauth2_provider:authorized-token-list'))
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(b'There are no authorized tokens yet.', response.content)
+
+    def test_list_view_one_token(self):
+        """
+        Test that the view shows your token
+        """
+        self.client.login(username="bar_user", password="123456")
+        AccessToken.objects.create(user=self.bar_user, token='1234567890',
+                                   application=self.application,
+                                   expires=timezone.now() + datetime.timedelta(days=1),
+                                   scope='read write')
+
+        response = self.client.get(reverse('oauth2_provider:authorized-token-list'))
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(b'read', response.content)
+        self.assertIn(b'write', response.content)
+        self.assertNotIn(b'There are no authorized tokens yet.', response.content)
+
+    def test_list_view_two_tokens(self):
+        """
+        Test that the view shows your tokens
+        """
+        self.client.login(username="bar_user", password="123456")
+        AccessToken.objects.create(user=self.bar_user, token='1234567890',
+                                   application=self.application,
+                                   expires=timezone.now() + datetime.timedelta(days=1),
+                                   scope='read write')
+        AccessToken.objects.create(user=self.bar_user, token='0123456789',
+                                   application=self.application,
+                                   expires=timezone.now() + datetime.timedelta(days=1),
+                                   scope='read write')
+
+        response = self.client.get(reverse('oauth2_provider:authorized-token-list'))
+        self.assertEqual(response.status_code, 200)
+        print(response.content.decode())
+        self.assertNotIn(b'There are no authorized tokens yet.', response.content)
+
+    def test_list_view_shows_correct_user_token(self):
+        """
+        Test that only currently logged-in user's tokens are shown
+        """
+        self.client.login(username="bar_user", password="123456")
+        AccessToken.objects.create(user=self.foo_user, token='1234567890',
+                                   application=self.application,
+                                   expires=timezone.now() + datetime.timedelta(days=1),
+                                   scope='read write')
+
+        response = self.client.get(reverse('oauth2_provider:authorized-token-list'))
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(b'There are no authorized tokens yet.', response.content)
+
+    def test_delete_view_authorization_required(self):
+        """
+        Test that the view redirects to login page if user is not logged-in.
+        """
+        self.token = AccessToken.objects.create(user=self.foo_user, token='1234567890',
+                                                application=self.application,
+                                                expires=timezone.now() + datetime.timedelta(days=1),
+                                                scope='read write')
+
+        response = self.client.get(reverse('oauth2_provider:authorized-token-delete', kwargs={'pk': self.token.pk}))
+        self.assertEqual(response.status_code, 302)
+        self.assertTrue('/accounts/login/?next=' in response['Location'])
+
+    def test_delete_view_works(self):
+        """
+        Test that a GET on this view returns 200 if the token belongs to the logged-in user.
+        """
+        self.token = AccessToken.objects.create(user=self.foo_user, token='1234567890',
+                                                application=self.application,
+                                                expires=timezone.now() + datetime.timedelta(days=1),
+                                                scope='read write')
+
+        self.client.login(username="foo_user", password="123456")
+        response = self.client.get(reverse('oauth2_provider:authorized-token-delete', kwargs={'pk': self.token.pk}))
+        self.assertEqual(response.status_code, 200)
+
+    def test_delete_view_token_belongs_to_user(self):
+        """
+        Test that a 404 is returned when trying to GET this view with someone else's tokens.
+        """
+        self.token = AccessToken.objects.create(user=self.foo_user, token='1234567890',
+                                                application=self.application,
+                                                expires=timezone.now() + datetime.timedelta(days=1),
+                                                scope='read write')
+
+        self.client.login(username="bar_user", password="123456")
+        response = self.client.get(reverse('oauth2_provider:authorized-token-delete', kwargs={'pk': self.token.pk}))
+        self.assertEqual(response.status_code, 404)
+
+    def test_delete_view_post_actually_deletes(self):
+        """
+        Test that a POST on this view works if the token belongs to the logged-in user.
+        """
+        self.token = AccessToken.objects.create(user=self.foo_user, token='1234567890',
+                                                application=self.application,
+                                                expires=timezone.now() + datetime.timedelta(days=1),
+                                                scope='read write')
+
+        self.client.login(username="foo_user", password="123456")
+        response = self.client.post(reverse('oauth2_provider:authorized-token-delete', kwargs={'pk': self.token.pk}))
+        self.assertFalse(AccessToken.objects.exists())
+        self.assertRedirects(response, reverse('oauth2_provider:authorized-token-list'))
+
+    def test_delete_view_only_deletes_user_own_token(self):
+        """
+        Test that a 404 is returned when trying to POST on this view with someone else's tokens.
+        """
+        self.token = AccessToken.objects.create(user=self.foo_user, token='1234567890',
+                                                application=self.application,
+                                                expires=timezone.now() + datetime.timedelta(days=1),
+                                                scope='read write')
+
+        self.client.login(username="bar_user", password="123456")
+        response = self.client.post(reverse('oauth2_provider:authorized-token-delete', kwargs={'pk': self.token.pk}))
+        self.assertTrue(AccessToken.objects.exists())
+        self.assertEqual(response.status_code, 404)
diff --git a/oauth2_provider/urls.py b/oauth2_provider/urls.py
@@ -17,3 +17,9 @@
     url(r'^applications/(?P<pk>\d+)/delete/$', views.ApplicationDelete.as_view(), name="delete"),
     url(r'^applications/(?P<pk>\d+)/update/$', views.ApplicationUpdate.as_view(), name="update"),
 )
+
+urlpatterns += (
+    url(r'^authorized_tokens/$', views.AuthorizedTokensListView.as_view(), name="authorized-token-list"),
+    url(r'^authorized_tokens/(?P<pk>\d+)/delete/$', views.AuthorizedTokenDeleteView.as_view(),
+        name="authorized-token-delete"),
+)
diff --git a/oauth2_provider/views/__init__.py b/oauth2_provider/views/__init__.py
@@ -2,3 +2,4 @@
 from .application import ApplicationRegistration, ApplicationDetail, ApplicationList, \
     ApplicationDelete, ApplicationUpdate
 from .generic import ProtectedResourceView, ScopedProtectedResourceView, ReadWriteScopedResourceView
+from .token import AuthorizedTokensListView, AuthorizedTokenDeleteView
diff --git a/oauth2_provider/views/application.py b/oauth2_provider/views/application.py
@@ -1,4 +1,4 @@
-from django.core.urlresolvers import reverse_lazy
+from django.core.urlresolvers import reverse
 from django.forms.models import modelform_factory
 from django.views.generic import CreateView, DetailView, DeleteView, ListView, UpdateView
 
@@ -59,9 +59,11 @@ class ApplicationDelete(ApplicationOwnerIsUserMixin, DeleteView):
     View used to delete an application owned by the request.user
     """
     context_object_name = 'application'
-    success_url = reverse_lazy('oauth2_provider:list')
     template_name = "oauth2_provider/application_confirm_delete.html"
 
+    def get_success_url(self):
+        return reverse('oauth2_provider:list')
+
 
 class ApplicationUpdate(ApplicationOwnerIsUserMixin, UpdateView):
     """
diff --git a/oauth2_provider/views/token.py b/oauth2_provider/views/token.py
@@ -0,0 +1,37 @@
+from __future__ import absolute_import, unicode_literals
+
+from django.core.urlresolvers import reverse
+from django.views.generic import ListView, DeleteView
+from braces.views import LoginRequiredMixin
+
+from ..models import AccessToken
+
+
+class AuthorizedTokensListView(LoginRequiredMixin, ListView):
+    """
+    Show a page where the current logged-in user can see his tokens so they can revoke them
+    """
+    context_object_name = 'authorized_tokens'
+    template_name = 'oauth2_provider/authorized-tokens.html'
+    model = AccessToken
+
+    def get_queryset(self):
+        """
+        Show only user's tokens
+        """
+        return super(AuthorizedTokensListView, self).get_queryset()\
+            .select_related('application').filter(user=self.request.user)
+
+
+class AuthorizedTokenDeleteView(LoginRequiredMixin, DeleteView):
+    """
+    View for revoking a specific token
+    """
+    template_name = 'oauth2_provider/authorized-token-delete.html'
+    model = AccessToken
+
+    def get_success_url(self):
+        return reverse('oauth2_provider:authorized-token-list')
+
+    def get_queryset(self):
+        return super(AuthorizedTokenDeleteView, self).get_queryset().filter(user=self.request.user)
