Summary
Often, we’ll have unit tests that need to ensure proper access to models/resources. Some examples include:
- API unit tests
- Model manager unit tests
- View unit tests
In order to ensure we don’t unintentionally introduce a security vulnerability, it’s crucial that we have clear, documented, comprehensive test coverage any time access control plays a role in functionality.
This guide covers the ways in which we offer access control and how to incorporate those into unit tests.
Access Control Concepts
Access is governed by the following:
- Global Access Policies
  - Site-wide access policies
  - Can a thing be read by anonymous users, or is a login required?
  - This can be configured per-installation in the Admin UI → Authentication Settings.
- User.is_active state
  - This indicates if a user is allowed to log in. It’s used for disabling users who are no longer with an organization or no longer need access to the server.
- User access roles
  - There are four overall types of global access roles:
    - Anonymous
    - Standard user
    - Staff user (rarely used today — this is in-between a standard user and a superuser)
    - Superuser (administrator)
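As an added illustration (not Review Board's code), the following pure-Python model combines the three inputs listed above, the site-wide anonymous-access policy, User.is_active, and the global role, into one read check and enumerates the full role/policy matrix, which is what a comprehensive access-control unit test should assert over rather than a single happy path. The `User` stand-in, `can_read` and `access_matrix` are hypothetical names chosen for this example.

```python
from dataclasses import dataclass
from itertools import product

# Constructed stand-in for Django's User with the fields the access
# decision depends on; not Review Board's real model.
@dataclass(frozen=True)
class User:
    is_authenticated: bool = True
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False

# Anonymous users are never authenticated and have no active account.
ANONYMOUS = User(is_authenticated=False, is_active=False)

def role_of(user):
    """Map a user onto one of the four global access roles."""
    if not user.is_authenticated:
        return 'anonymous'
    if user.is_superuser:
        return 'superuser'
    if user.is_staff:
        return 'staff'
    return 'standard'

def can_read(user, anonymous_access_allowed):
    """Hypothetical site-wide read check.

    anonymous_access_allowed models the Admin UI setting that decides
    whether anonymous users may read, or whether a login is required.
    """
    if not user.is_authenticated:
        return anonymous_access_allowed
    if not user.is_active:
        # A disabled account is denied regardless of its role.
        return False
    return True

def access_matrix():
    """Return {(user_kind, anonymous_access_allowed): decision} for every
    combination, so a test can assert the whole matrix in one place."""
    users = {
        'anonymous': ANONYMOUS,
        'standard': User(),
        'staff': User(is_staff=True),
        'superuser': User(is_superuser=True),
        'inactive': User(is_active=False),
    }
    return {(kind, policy): can_read(u, policy)
            for (kind, u), policy in product(users.items(), (True, False))}
```

A real test would drive the same matrix through the API, manager or view under test instead of `can_read`, asserting the expected status for each cell.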