Bugfix/review permissions (#121)

* added missing migrations * removal of the filter queryset as it is redundant with permission * linting applied * added tests and fix * flake8 fix
uwasystemhealth · Oct 30, 2022 · ee3ce6a · ee3ce6a
1 parent abcc256
commit ee3ce6a
Show file tree

Hide file tree

Showing 4 changed files with 106 additions and 2 deletions.
diff --git a/...urse_evaluations/migrations/0005_alter_courseevaluationjustification_development_level.py b/...urse_evaluations/migrations/0005_alter_courseevaluationjustification_development_level.py
@@ -0,0 +1,20 @@
+# Generated by Django 3.2.15 on 2022-10-30 01:11
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("course_evaluations", "0004_auto_20220906_1818"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="courseevaluationjustification",
+            name="development_level",
+            field=models.IntegerField(
+                choices=[(1, "Engineering Fundamentals"), (2, "Engineering Applications And Analysis"), (3, "Engineering Practice")]
+            ),
+        ),
+    ]
diff --git a/backend/reviews/migrations/0005_alter_revieweocspecific_development_level.py b/backend/reviews/migrations/0005_alter_revieweocspecific_development_level.py
@@ -0,0 +1,20 @@
+# Generated by Django 3.2.15 on 2022-10-30 01:11
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("reviews", "0004_alter_review_course_evaluation"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="revieweocspecific",
+            name="development_level",
+            field=models.IntegerField(
+                choices=[(1, "Engineering Fundamentals"), (2, "Engineering Applications And Analysis"), (3, "Engineering Practice")]
+            ),
+        ),
+    ]
diff --git a/backend/reviews/tests/test_permisions.py b/backend/reviews/tests/test_permisions.py
@@ -0,0 +1,64 @@
+from django.urls import reverse
+from rest_framework import status
+
+
+def test_coordinators_get_method(api_client_with_credentials_return_user, make_course_evaluation, make_course_review):
+    """
+    GIVEN: A course evaluation and a review is created
+    WHEN:  A coordinator tries to query a GET method (LIST or DETAIL)
+    THEN:  It succeeds
+    """
+    api_client, user = api_client_with_credentials_return_user()
+
+    course_evaluation = make_course_evaluation(coordinators=[user])
+
+    course_review = make_course_review(course_evaluation=course_evaluation)
+
+    # Check the list view
+    url = reverse("api-v1:reviews:reviews-list")
+    response = api_client.get(url)
+
+    assert response.status_code == status.HTTP_200_OK
+    data = response.data["results"]
+    # The coordinator cannot see the review on the list (because this is not their own review)
+    assert len(data) == 0
+
+    review_ids = [review["id"] for review in data]
+    assert str(course_review.id) not in review_ids
+
+    # Check the detail view
+    url = reverse("api-v1:reviews:reviews-detail", kwargs={"pk": course_review.id})
+    response = api_client.get(url)
+
+    assert response.status_code == status.HTTP_200_OK
+
+
+def test_other_users_get_method(api_client_with_credentials_return_user, make_course_evaluation, make_course_review):
+    """
+    GIVEN: A course evaluation and a review is created
+    WHEN:  A user tries to query a GET method (LIST or DETAIL)
+    THEN:  It fails
+    """
+
+    api_client, user = api_client_with_credentials_return_user()
+
+    course_evaluation = make_course_evaluation()
+
+    course_review = make_course_review(course_evaluation=course_evaluation)
+
+    # Check the list view
+    url = reverse("api-v1:reviews:reviews-list")
+    response = api_client.get(url)
+
+    assert response.status_code == status.HTTP_200_OK
+    data = response.data["results"]
+    assert len(data) == 0
+
+    review_ids = [review["id"] for review in data]
+    assert str(course_review.id) not in review_ids
+
+    # Check the detail view
+    url = reverse("api-v1:reviews:reviews-detail", kwargs={"pk": course_review.id})
+    response = api_client.get(url)
+
+    assert response.status_code == status.HTTP_403_FORBIDDEN
diff --git a/backend/reviews/views.py b/backend/reviews/views.py
@@ -33,9 +33,9 @@ def filter_queryset(self, queryset):
         """
         List only the reviews that the user is the reviewer of
 
-        Note: For coordinators, they still need to use this view (not the detail or list views)
+        Note: For coordinators, they still need to use this view (not the list one)
         """
-        if self.request.method == "GET":
+        if self.action == "list":
             return super().filter_queryset(queryset).filter(reviewer=self.request.user)
         else:
             return super().filter_queryset(queryset)