Fix bugs revealed by offers and comments tests

ec80d4da · Erlend Ydse · 89fada6a · ec80d4da · ec80d4da · ec80d4da
Commit ec80d4da authored Apr 15, 2021 by Erlend Ydse
--- a/backend/secfit/comments/views.py
+++ b/backend/secfit/comments/views.py
 from django.db.models import Q
 from rest_framework import generics, mixins, permissions
 from rest_framework.filters import OrderingFilter
+from rest_framework.response import Response
+from rest_framework.status import HTTP_400_BAD_REQUEST

 from comments.models import Comment
 from comments.permissions import IsCommentVisibleToUser
 from comments.serializers import CommentSerializer
+from workouts.models import Workout
 from workouts.permissions import IsOwner, IsReadOnly


@@ -21,6 +24,17 @@ class CommentList(
        return self.list(request, *args, **kwargs)

    def post(self, request, *args, **kwargs):
+        workout_id = request.data["workout"].split("/")[-2]
+        workout = Workout.objects.get(pk=workout_id)
+        owns_workout = False
+        if workout:
+            owns_workout = workout.owner == request.user
+        is_public = workout.visibility == "PU"
+        can_access_as_coach = workout.owner.coach == request.user and (
+            workout.visibility == "PU" or workout.visibility == "CO"
+        )
+        if not (owns_workout or is_public or can_access_as_coach):
+            return Response(status=HTTP_400_BAD_REQUEST)
        return self.create(request, *args, **kwargs)

    def perform_create(self, serializer):

--- a/backend/secfit/tests/tests_comments.py
+++ b/backend/secfit/tests/tests_comments.py
@@ -13,14 +13,22 @@ class CommentAPITests(APITestCase):
      "username": "alice", 
      "email": "aa@aa.aa", 
      "password": "aliceisok", 
-      "password1": "aliceisok"}
+      "password1": "aliceisok",
+      "phone_number": "12345678",
+      "country": "",
+      "city": "",
+      "street_address": ""}
    response = self.client.post(path="/api/users/", data=self.alice_r_data)
    self.alice_data = response.data
    self.bob_r_data = {
      "username": "bob", 
      "email": "aa@aa.aa", 
      "password": "aliceisok", 
-      "password1": "aliceisok"}
+      "password1": "aliceisok",
+      "phone_number": "12345678",
+      "country": "",
+      "city": "",
+      "street_address": ""}
    response = self.client.post(path="/api/users/", data=self.bob_r_data)
    self.bob_data = response.data


--- a/backend/secfit/tests/tests_offers.py
+++ b/backend/secfit/tests/tests_offers.py
@@ -16,7 +16,11 @@ class OffersAPITests(APITestCase):
      "username": "alice", 
      "email": "aa@aa.aa", 
      "password": "aliceisok", 
-      "password1": "aliceisok"}
+      "password1": "aliceisok",
+      "phone_number": "12345678",
+      "country": "",
+      "city": "",
+      "street_address": ""}
    response = self.client.post(path="/api/users/", data=self.alice_r_data)
    self.alice_data = response.data

@@ -24,7 +28,11 @@ class OffersAPITests(APITestCase):
      "username": "bob", 
      "email": "aa@aa.aa", 
      "password": "aliceisok", 
-      "password1": "aliceisok"}
+      "password1": "aliceisok",
+      "phone_number": "12345678",
+      "country": "",
+      "city": "",
+      "street_address": ""}
    response = self.client.post(path="/api/users/", data=self.bob_r_data)
    self.bob_data = response.data

@@ -32,7 +40,11 @@ class OffersAPITests(APITestCase):
      "username": "clair", 
      "email": "aa@aa.aa", 
      "password": "aliceisok", 
-      "password1": "aliceisok"}
+      "password1": "aliceisok",
+      "phone_number": "12345678",
+      "country": "",
+      "city": "",
+      "street_address": ""}
    response = self.client.post(path="/api/users/", data=self.clair_r_data)
    self.clair_data = response.data


--- a/backend/secfit/users/views.py
+++ b/backend/secfit/users/views.py
@@ -20,6 +20,8 @@ from users.serializers import (AthleteFileSerializer, OfferSerializer,
 from workouts.mixins import CreateListModelMixin
 from workouts.parsers import MultipartJsonParser
 from workouts.permissions import IsOwner, IsReadOnly
+from rest_framework.response import Response
+from rest_framework.status import HTTP_400_BAD_REQUEST


 class UserList(mixins.ListModelMixin, mixins.CreateModelMixin, generics.GenericAPIView):
@@ -183,15 +185,53 @@ class OfferDetail(
    serializer_class = OfferSerializer

    def get(self, request, *args, **kwargs):
+        if not request.user:
+            return Response(status=HTTP_400_BAD_REQUEST)
+        if request.user:
+            user_id = request.user.id
+            offer = super().get_object()
+            if user_id != offer.recipient_id and user_id != offer.owner_id:
+                return Response(
+                status=HTTP_400_BAD_REQUEST,
+                data={
+                    "Error": "Only the owner or recipient may view the offer"
+                    })
        return self.retrieve(request, *args, **kwargs)

    def put(self, request, *args, **kwargs):
+        if not request.user:
+            return Response(status=HTTP_400_BAD_REQUEST)
+        if request.user:
+            user_id = request.user.id
+            offer = super().get_object()
+            if user_id != offer.recipient_id:
+                return Response(
+                status=HTTP_400_BAD_REQUEST,
+                data={"Error": "Only the recipient may modify an offer"})
        return self.update(request, *args, **kwargs)

    def patch(self, request, *args, **kwargs):
+        if not request.user:
+            return Response(status=HTTP_400_BAD_REQUEST)
+        if request.user:
+            user_id = request.user.id
+            offer = super().get_object()
+            if user_id != offer.recipient_id:
+                return Response(
+                status=HTTP_400_BAD_REQUEST,
+                data={"Error": "Only the recipient may modify an offer"})
        return self.partial_update(request, *args, **kwargs)

    def delete(self, request, *args, **kwargs):
+        if not request.user:
+            return Response(status=HTTP_400_BAD_REQUEST)
+        if request.user:
+            user_id = request.user.id
+            offer = super().get_object()
+            if user_id != offer.owner_id:
+                return Response(
+                status=HTTP_400_BAD_REQUEST,
+                data={"Error": "Only the owner may delete an offer"})
        return self.destroy(request, *args, **kwargs)