diff --git a/core/tests/api.py b/core/tests/api.py index fa93080..ce10819 100644 --- a/core/tests/api.py +++ b/core/tests/api.py @@ -5,11 +5,17 @@ import mock from rest_framework import status from rest_framework.test import APITestCase -from django_images.models import Thumbnail from taggit.models import Tag from .helpers import create_image, create_user, create_pin -from core.models import Pin, Image +from core.models import Pin, Image, Board + + +def _teardown_models(): + Pin.objects.all().delete() + Image.objects.all().delete() + Tag.objects.all().delete() + Board.objects.all().delete() def mock_requests_get(url, **kwargs): @@ -29,6 +35,73 @@ class ImageTests(APITestCase): self.assertEqual(response.status_code, 403, response.data) +class PrivacyTests(APITestCase): + _JSON_TYPE = "application/json" + + def setUp(self): + super(PrivacyTests, self).setUp() + self.owner = create_user("default") + self.non_owner = create_user("non_owner") + + with mock.patch('requests.get', mock_requests_get): + image = Image.objects.create_for_url('http://a.com/b.png') + self.private_pin = Pin.objects.create( + submitter=self.owner, + image=image, + private=True, + ) + self.private_pin_url = reverse("pin-detail", kwargs={"pk": self.private_pin.pk}) + + self.board = Board.objects.create(name="test_board", submitter=self.owner) + self.board.pins.add(self.private_pin) + self.board.save() + self.board_url = reverse("board-detail", kwargs={"pk": self.board.pk}) + + def tearDown(self): + _teardown_models() + + def test_should_non_owner_and_anonymous_user_has_no_permission_to_list_private_pin(self): + resp = self.client.get(reverse("pin-list")) + self.assertEqual(len(resp.data['results']), 0, resp.data) + + self.client.login(username=self.non_owner.username, password='password') + resp = self.client.get(reverse("pin-list")) + self.assertEqual(len(resp.data['results']), 0, resp.data) + + def test_should_non_owner_and_anonymous_user_has_no_permission_to_list_private_pin_in_board(self): + resp = self.client.get(self.board_url) + self.assertEqual(len(resp.data['pins_detail']), 0, resp.data) + self.client.login(username=self.non_owner.username, password='password') + + resp = self.client.get(self.board_url) + self.assertEqual(len(resp.data['pins_detail']), 0, resp.data) + + def test_should_owner_user_has_permission_to_list_private_pin_in_board(self): + self.client.login(username=self.owner.username, password='password') + resp = self.client.get(self.board_url) + self.assertEqual(len(resp.data['pins_detail']), 1, resp.data) + + def test_should_owner_user_has_permission_to_list_private_pin(self): + self.client.login(username=self.owner.username, password='password') + resp = self.client.get(reverse("pin-list")) + self.assertEqual(len(resp.data['results']), 1, resp.data) + + def test_should_owner_has_permission_to_view_private_pin(self): + self.client.login(username=self.owner.username, password='password') + resp = self.client.get(self.private_pin_url) + self.assertEqual(resp.status_code, 200) + self.assertEqual(resp.data['id'], self.private_pin.id) + + def test_should_anonymous_user_has_no_permission_to_view_private_pin(self): + resp = self.client.get(self.private_pin_url) + self.assertEqual(resp.status_code, 404) + + def test_should_non_owner_has_no_permission_to_view_private_pin(self): + self.client.login(username=self.non_owner.username, password='password') + resp = self.client.get(self.private_pin_url) + self.assertEqual(resp.status_code, 404) + + class PinTests(APITestCase): _JSON_TYPE = "application/json" @@ -38,9 +111,7 @@ class PinTests(APITestCase): self.client.login(username=self.user.username, password='password') def tearDown(self): - Pin.objects.all().delete() - Image.objects.all().delete() - Tag.objects.all().delete() + _teardown_models() @mock.patch('requests.get', mock_requests_get) def test_should_create_pin(self): @@ -49,6 +120,7 @@ class PinTests(APITestCase): referer = 'http://testserver.com/' post_data = { 'url': url, + 'private': False, 'referer': referer, 'description': 'That\'s an Apple!' }