GH-27: Fix the skills execution order

Author: ArtyomVancyan

src/django_forbid/middleware.py

@@ -3,9 +3,9 @@
 from .skills.forbid_network import ForbidNetworkMiddleware
 
 __skills__ = (
-    ForbidDeviceMiddleware,
-    ForbidLocationMiddleware,
     ForbidNetworkMiddleware,
+    ForbidLocationMiddleware,
+    ForbidDeviceMiddleware,
 )
 
 

tests/test_network_middleware.py

@@ -12,19 +12,16 @@ def skips(get_response, ip_address, ajax=False):
     return response.status_code == 200
 
 
-def forbids(get_response, ip_address):
-    detector = Detector(get_response)
+def forbids_shared_session(detector, ip_address):
     response = detector.request_resource(ip_address)
-    assert response.status_code == 302
-    response = detector.request_access()
+    if response.status_code == 302:
+        response = detector.request_access(ip_address)
     return response.status_code == 403
 
 
-def forbids_shared_session(detector, ip_address):
-    response = detector.request_resource(ip_address)
-    assert response.status_code == 302
-    response = detector.request_access()
-    return response.status_code == 403
+def forbids(get_response, ip_address):
+    detector = Detector(get_response)
+    return forbids_shared_session(detector, ip_address)
 
 
 class Detector:
@@ -36,13 +33,15 @@ def request_resource(self, ip_address=""):
         """Sends a request to the server to access a resource"""
         request = self.request.get()
         request.META["HTTP_X_FORWARDED_FOR"] = ip_address
-        get_response = ForbidLocationMiddleware(self.get_response)
-        return ForbidNetworkMiddleware(get_response)(request)
+        get_response = ForbidNetworkMiddleware(self.get_response)
+        return ForbidLocationMiddleware(get_response)(request)
 
-    def request_access(self):
+    def request_access(self, ip_address=""):
         """Simulates the request sent by the user browser to the server"""
         request = self.request.post({"CLIENT_TZ": "Europe/London"})
-        return ForbidNetworkMiddleware(self.get_response)(request)
+        request.META["HTTP_X_FORWARDED_FOR"] = ip_address
+        get_response = ForbidNetworkMiddleware(self.get_response)
+        return ForbidLocationMiddleware(get_response)(request)
 
 
 def test_should_allow_all_when_no_config_provided(get_response):

tests/test_primary_middleware.py

@@ -11,8 +11,10 @@
 
 def forbids(get_response, request):
     response = ForbidMiddleware(get_response)(request)
+    client_ip = request.META["HTTP_X_FORWARDED_FOR"]
     if response.status_code == 302:
         request = wsgi.post({"CLIENT_TZ": "Europe/London"})
+        request.META["HTTP_X_FORWARDED_FOR"] = client_ip
         response = ForbidMiddleware(get_response)(request)
     return response.status_code == 403
 
@@ -49,9 +51,32 @@ def test_should_forbid_users_when_country_in_territories_blacklist(get_response)
 
 @override_settings(DJANGO_FORBID={"COUNTRIES": ["GB"], "OPTIONS": {"VPN": True}})
 def test_should_allow_users_when_country_in_countries_whitelist(get_response):
+    """Should allow access to users from countries in whitelist."""
     for ip_address in IP.all:
         request.META["HTTP_X_FORWARDED_FOR"] = ip_address
         if ip_address == IP.ip_london:
             assert not forbids(get_response, request)
             continue
         assert forbids(get_response, request)
+
+
+@override_settings(DJANGO_FORBID={"OPTIONS": {"VPN": True}})
+def test_should_allow_users_only_from_great_britain_with_shared_session(get_response):
+    """It should give access to the user from Great Britain when session is shared"""
+    # Get access from London
+    request.META["HTTP_X_FORWARDED_FOR"] = IP.ip_london
+    assert not forbids(get_response, request)
+    # Turn on VPN temporary
+    request.META["HTTP_X_FORWARDED_FOR"] = IP.ip_zurich
+    assert forbids(get_response, request)
+    request.META["HTTP_X_FORWARDED_FOR"] = IP.ip_cobain
+    assert forbids(get_response, request)
+    # Turn off VPN - back to London
+    request.META["HTTP_X_FORWARDED_FOR"] = IP.ip_london
+    assert not forbids(get_response, request)
+    # Turn on VPN temporary
+    request.META["HTTP_X_FORWARDED_FOR"] = IP.ip_cobain
+    assert forbids(get_response, request)
+    # Turn off VPN - back to London
+    request.META["HTTP_X_FORWARDED_FOR"] = IP.ip_london
+    assert not forbids(get_response, request)