Commit ec80d4da authored by Erlend Ydse's avatar Erlend Ydse

Fix bugs revealed by offers and comments tests

parent 89fada6a
from django.db.models import Q
from rest_framework import generics, mixins, permissions
from rest_framework.filters import OrderingFilter
from rest_framework.response import Response
from rest_framework.status import HTTP_400_BAD_REQUEST
from comments.models import Comment
from comments.permissions import IsCommentVisibleToUser
from comments.serializers import CommentSerializer
from workouts.models import Workout
from workouts.permissions import IsOwner, IsReadOnly
......@@ -21,6 +24,17 @@ class CommentList(
return self.list(request, *args, **kwargs)
def post(self, request, *args, **kwargs):
workout_id = request.data["workout"].split("/")[-2]
workout = Workout.objects.get(pk=workout_id)
owns_workout = False
if workout:
owns_workout = workout.owner == request.user
is_public = workout.visibility == "PU"
can_access_as_coach = workout.owner.coach == request.user and (
workout.visibility == "PU" or workout.visibility == "CO"
)
if not (owns_workout or is_public or can_access_as_coach):
return Response(status=HTTP_400_BAD_REQUEST)
return self.create(request, *args, **kwargs)
def perform_create(self, serializer):
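Review bot: `Workout.objects.get(pk=workout_id)` raises `Workout.DoesNotExist` for an unknown id, and `request.data["workout"].split("/")[-2]` raises `KeyError`, `AttributeError` or `IndexError` when the field is missing, not a string, or has no slash, so a malformed request surfaces as a 500 rather than the 400 this handler otherwise returns; `if workout:` is consequently never false and the `owns_workout = False` initialisation is dead. Wrapping the lookup in a try/except that returns 400 closes that, and `HTTP_403_FORBIDDEN` (also in `rest_framework.status`) would describe the visibility denial more accurately than 400. The check also relies on a hand-parsed URL fragment while `self.create` lets the serializer resolve the `workout` field itself; if the two ever disagree, the check guards a different workout than the one the comment ends up attached to, so taking the workout from the validated serializer (or checking in `perform_create`) is the safer place. `perform_create` begins on the hunk's last line and continues outside it.
```python
    def post(self, request, *args, **kwargs):
        # Resolve the target workout up front: a missing/malformed "workout"
        # field or an unknown pk is a client error, not a server error.
        try:
            workout_id = request.data["workout"].split("/")[-2]
            workout = Workout.objects.get(pk=workout_id)
        except (KeyError, AttributeError, IndexError, Workout.DoesNotExist):
            return Response(status=HTTP_400_BAD_REQUEST)
        owns_workout = workout.owner == request.user
        # … unchanged: is_public / can_access_as_coach computation …
        if not (owns_workout or is_public or can_access_as_coach):
            # HTTP_403_FORBIDDEN would describe this denial more accurately.
            return Response(status=HTTP_400_BAD_REQUEST)
        return self.create(request, *args, **kwargs)
```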
......
......@@ -13,14 +13,22 @@ class CommentAPITests(APITestCase):
"username": "alice",
"email": "aa@aa.aa",
"password": "aliceisok",
"password1": "aliceisok"}
"password1": "aliceisok",
"phone_number": "12345678",
"country": "",
"city": "",
"street_address": ""}
response = self.client.post(path="/api/users/", data=self.alice_r_data)
self.alice_data = response.data
self.bob_r_data = {
"username": "bob",
"email": "aa@aa.aa",
"password": "aliceisok",
"password1": "aliceisok"}
"password1": "aliceisok",
"phone_number": "12345678",
"country": "",
"city": "",
"street_address": ""}
response = self.client.post(path="/api/users/", data=self.bob_r_data)
self.bob_data = response.data
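Review bot: The registration responses at `response = self.client.post(path="/api/users/", data=self.alice_r_data)` and its bob counterpart are never checked, so if `/api/users/` rejects the payload `self.alice_data` holds the error body and every later test fails with an unrelated KeyError instead of at the setup step; add `self.assertEqual(response.status_code, 201, response.data)` after each post. The same applies to the three registration posts in the OffersAPITests hunks below. Both users also register with the same email "aa@aa.aa"; if the user model enforces unique emails, bob's registration fails and this assertion is what would catch it. The enclosing setUp starts before the hunk.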
......
......@@ -16,7 +16,11 @@ class OffersAPITests(APITestCase):
"username": "alice",
"email": "aa@aa.aa",
"password": "aliceisok",
"password1": "aliceisok"}
"password1": "aliceisok",
"phone_number": "12345678",
"country": "",
"city": "",
"street_address": ""}
response = self.client.post(path="/api/users/", data=self.alice_r_data)
self.alice_data = response.data
......@@ -24,7 +28,11 @@ class OffersAPITests(APITestCase):
"username": "bob",
"email": "aa@aa.aa",
"password": "aliceisok",
"password1": "aliceisok"}
"password1": "aliceisok",
"phone_number": "12345678",
"country": "",
"city": "",
"street_address": ""}
response = self.client.post(path="/api/users/", data=self.bob_r_data)
self.bob_data = response.data
......@@ -32,7 +40,11 @@ class OffersAPITests(APITestCase):
"username": "clair",
"email": "aa@aa.aa",
"password": "aliceisok",
"password1": "aliceisok"}
"password1": "aliceisok",
"phone_number": "12345678",
"country": "",
"city": "",
"street_address": ""}
response = self.client.post(path="/api/users/", data=self.clair_r_data)
self.clair_data = response.data
......
......@@ -20,6 +20,8 @@ from users.serializers import (AthleteFileSerializer, OfferSerializer,
from workouts.mixins import CreateListModelMixin
from workouts.parsers import MultipartJsonParser
from workouts.permissions import IsOwner, IsReadOnly
from rest_framework.response import Response
from rest_framework.status import HTTP_400_BAD_REQUEST
class UserList(mixins.ListModelMixin, mixins.CreateModelMixin, generics.GenericAPIView):
......@@ -183,15 +185,53 @@ class OfferDetail(
serializer_class = OfferSerializer
def get(self, request, *args, **kwargs):
if not request.user:
return Response(status=HTTP_400_BAD_REQUEST)
if request.user:
user_id = request.user.id
offer = super().get_object()
if user_id != offer.recipient_id and user_id != offer.owner_id:
return Response(
status=HTTP_400_BAD_REQUEST,
data={
"Error": "Only the owner or recipient may view the offer"
})
return self.retrieve(request, *args, **kwargs)
def put(self, request, *args, **kwargs):
if not request.user:
return Response(status=HTTP_400_BAD_REQUEST)
if request.user:
user_id = request.user.id
offer = super().get_object()
if user_id != offer.recipient_id:
return Response(
status=HTTP_400_BAD_REQUEST,
data={"Error": "Only the recipient may modify an offer"})
return self.update(request, *args, **kwargs)
def patch(self, request, *args, **kwargs):
if not request.user:
return Response(status=HTTP_400_BAD_REQUEST)
if request.user:
user_id = request.user.id
offer = super().get_object()
if user_id != offer.recipient_id:
return Response(
status=HTTP_400_BAD_REQUEST,
data={"Error": "Only the recipient may modify an offer"})
return self.partial_update(request, *args, **kwargs)
def delete(self, request, *args, **kwargs):
if not request.user:
return Response(status=HTTP_400_BAD_REQUEST)
if request.user:
user_id = request.user.id
offer = super().get_object()
if user_id != offer.owner_id:
return Response(
status=HTTP_400_BAD_REQUEST,
data={"Error": "Only the owner may delete an offer"})
return self.destroy(request, *args, **kwargs)
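Review bot: The `if not request.user:` guard added to get, put, patch and delete never triggers under DRF, because an unauthenticated request carries an `AnonymousUser`, which is truthy; execution falls into the `if request.user:` branch with `user_id = None`, and the anonymous caller receives the owner/recipient error only after `get_object()` has already run (a 404 there tells them whether the offer id exists). The intended check is `if not request.user.is_authenticated:` placed before the object lookup, after which the `if request.user:` branch is redundant. The four handlers repeat the same shape; a `has_object_permission` on a permission class listed in `permission_classes` would let `get_object()` enforce it uniformly, and `self.get_object()` rather than `super().get_object()` keeps any override in effect. `HTTP_403_FORBIDDEN` from `rest_framework.status` describes these denials better than 400, though any test pinning 400 would need to follow. The `class OfferDetail(` header lies outside the hunk, and the new `Response`/`HTTP_400_BAD_REQUEST` imports in the earlier hunk sit after the local imports rather than with the other `rest_framework` imports.
```python
    def get(self, request, *args, **kwargs):
        # AnonymousUser is truthy, so test is_authenticated, and do it before
        # the lookup so an anonymous caller cannot probe which offer ids exist.
        if not request.user.is_authenticated:
            return Response(status=HTTP_400_BAD_REQUEST)
        offer = self.get_object()
        if request.user.id not in (offer.owner_id, offer.recipient_id):
            return Response(
                status=HTTP_400_BAD_REQUEST,
                data={"Error": "Only the owner or recipient may view the offer"})
        return self.retrieve(request, *args, **kwargs)

    # … unchanged apart from the same guard and self.get_object(): put, patch, delete …
```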
......