Fix permission assignment in tests

netbox/extras/tests/test_customfields.py

@@ -1,7 +1,6 @@
 from datetime import date
 
 from django.contrib.contenttypes.models import ContentType
-from django.test import Client, TestCase
 from django.urls import reverse
 from rest_framework import status
 
@@ -9,7 +8,7 @@ from dcim.forms import SiteCSVForm
 from dcim.models import Site
 from extras.choices import *
 from extras.models import CustomField, CustomFieldValue, CustomFieldChoice
-from utilities.testing import APITestCase, create_test_user
+from utilities.testing import APITestCase, TestCase
 from virtualization.models import VirtualMachine
 
 
@@ -470,17 +469,10 @@ class CustomFieldChoiceAPITest(APITestCase):
 
 
 class CustomFieldImportTest(TestCase):
-
-    def setUp(self):
-
-        user = create_test_user(
-            permissions=[
-                'dcim.view_site',
-                'dcim.add_site',
-            ]
-        )
-        self.client = Client()
-        self.client.force_login(user)
+    user_permissions = (
+        'dcim.view_site',
+        'dcim.add_site',
+    )
 
     @classmethod
     def setUpTestData(cls):

netbox/netbox/settings.py

@@ -338,8 +338,8 @@ TEMPLATES = [
 
 # Set up authentication backends
 AUTHENTICATION_BACKENDS = [
-    'utilities.auth_backends.ObjectPermissionBackend',
     REMOTE_AUTH_BACKEND,
+    'utilities.auth_backends.ObjectPermissionBackend',
 ]
 
 # Internationalization

netbox/utilities/auth_backends.py

@@ -1,7 +1,7 @@
 import logging
 
 from django.conf import settings
-from django.contrib.auth.backends import BaseBackend, ModelBackend
+from django.contrib.auth.backends import ModelBackend, RemoteUserBackend as _RemoteUserBackend
 from django.contrib.auth.models import Group, Permission
 from django.db.models import Q
 
@@ -88,7 +88,7 @@ class ObjectPermissionBackend(ModelBackend):
         return model.objects.filter(attrs, pk=obj.pk).exists()
 
 
-class RemoteUserBackend(BaseBackend):
+class RemoteUserBackend(_RemoteUserBackend):
     """
     Custom implementation of Django's RemoteUserBackend which provides configuration hooks for basic customization.
     """
@@ -124,7 +124,11 @@ class RemoteUserBackend(BaseBackend):
                     "<app>.<action>_<model>. (Example: dcim.add_site)"
                 )
         if permissions_list:
+            # TODO: Create an ObjectPermission
             user.user_permissions.add(*permissions_list)
             logger.debug(f"Assigned permissions to remotely-authenticated user {user}: {permissions_list}")
 
         return user
+
+    def has_perm(self, user_obj, perm, obj=None):
+        return False

netbox/utilities/testing/testcases.py

@@ -33,18 +33,31 @@ class TestCase(_TestCase):
         Assign a set of permissions to the test user. Accepts permission names in the form <app>.<action>_<model>.
         """
         for name in names:
-            app, codename = name.split('.')
-            perm = Permission.objects.get(content_type__app_label=app, codename=codename)
-            self.user.user_permissions.add(perm)
+            app_label, codename = name.split('.')
+            action, model_name = codename.split('_')
+
+            kwargs = {
+                'model': ContentType.objects.get(app_label=app_label, model=model_name),
+                f'can_{action}': True
+            }
+            obj_perm = ObjectPermission(**kwargs)
+            obj_perm.save()
+            obj_perm.users.add(self.user)
 
     def remove_permissions(self, *names):
         """
         Remove a set of permissions from the test user, if assigned.
         """
         for name in names:
-            app, codename = name.split('.')
-            perm = Permission.objects.get(content_type__app_label=app, codename=codename)
-            self.user.user_permissions.remove(perm)
+            app_label, codename = name.split('.')
+            action, model_name = codename.split('_')
+
+            kwargs = {
+                'user': self.user,
+                'model': ContentType.objects.get(app_label=app_label, model=model_name),
+                f'can_{action}': True
+            }
+            ObjectPermission.objects.filter(**kwargs).delete()
 
     #
     # Convenience methods
@@ -493,10 +506,14 @@ class ViewTestCases:
             with disable_warnings('django.request'):
                 self.assertHttpStatus(self.client.post(**request), 403)
 
-            # Assign the required permission and submit again
-            self.add_permissions(
-                '{}.add_{}'.format(self.model._meta.app_label, self.model._meta.model_name)
+            # Assign object-level permission
+            obj_perm = ObjectPermission(
+                model=ContentType.objects.get_for_model(self.model),
+                can_add=True
             )
+            obj_perm.save()
+            obj_perm.users.add(self.user)
+
             response = self.client.post(**request)
             self.assertHttpStatus(response, 302)