From 5fc46e74d227c62add716ca34194eb7a9e7f6c16 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Mon, 2 Nov 2020 11:44:53 +0100
Subject: [PATCH] Ensure that a user can't see what he can't see

---
 apps/registration/tests.py | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/apps/registration/tests.py b/apps/registration/tests.py
index 18e5ff4..c364802 100644
--- a/apps/registration/tests.py
+++ b/apps/registration/tests.py
@@ -1,3 +1,5 @@
+import os
+
 from corres2math.tokens import email_validation_token
 from django.contrib.auth.models import User
 from django.test import TestCase
@@ -215,8 +217,44 @@ class TestRegistration(TestCase):
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response["content-type"], "application/zip")
 
+        # Do it twice, ensure that the previous authorization got deleted
+        old_authoratization = self.student.registration.photo_authorization.path
+        response = self.client.post(reverse("registration:upload_user_photo_authorization",
+                                            args=(self.student.registration.pk,)), data=dict(
+            photo_authorization=open("corres2math/static/Autorisation de droit à l'image - majeur.pdf", "rb"),
+        ))
+        self.assertRedirects(response, reverse("registration:user_detail", args=(self.student.pk,)), 302, 200)
+        self.assertFalse(os.path.isfile(old_authoratization))
+
+        self.student.registration.refresh_from_db()
         self.student.registration.photo_authorization.delete()
 
+    def test_user_detail_forbidden(self):
+        """
+        Create a new user and ensure that it can't see the detail of another user.
+        """
+        self.client.force_login(self.coach)
+
+        response = self.client.get(reverse("registration:user_detail", args=(self.user.pk,)))
+        self.assertEqual(response.status_code, 403)
+
+        response = self.client.get(reverse("registration:update_user", args=(self.user.pk,)))
+        self.assertEqual(response.status_code, 403)
+
+        response = self.client.get(reverse("registration:upload_user_photo_authorization", args=(self.user.pk,)))
+        self.assertEqual(response.status_code, 403)
+
+        response = self.client.get(reverse("photo_authorization", args=("inexisting-authorization",)))
+        self.assertEqual(response.status_code, 404)
+
+        with open("media/authorization/photo/example", "w") as f:
+            f.write("I lost the game.")
+        self.student.registration.photo_authorization = "authorization/photo/example"
+        self.student.registration.save()
+        response = self.client.get(reverse("photo_authorization", args=("example",)))
+        self.assertEqual(response.status_code, 403)
+        os.remove("media/authorization/photo/example")
+
     def test_string_render(self):
         # TODO These string field tests will be removed when used in a template
         self.assertRaises(NotImplementedError, lambda: Registration().type)
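Review bot: The file handle passed as `photo_authorization=open("corres2math/static/Autorisation de droit à l'image - majeur.pdf", "rb")` in the re-upload block is never closed, and the fixture written to `media/authorization/photo/example` in `test_user_detail_forbidden` is only removed on the success path, so a failing assertion leaves the stray file on disk and a registration still pointing at it. Wrap the upload in `with open(...) as pdf:` and register the cleanup before the write with `self.addCleanup(os.remove, "media/authorization/photo/example")`; the test also assumes that directory already exists under the working directory, which an `override_settings(MEDIA_ROOT=tempfile.mkdtemp())` on the class would make explicit. The local `old_authoratization` is misspelled; `old_authorization` reads better. One behaviour this test pins down deserves a second look: an unrelated user gets 404 for an unknown authorization name but 403 for an existing one, so the name space can be distinguished by status code — if that distinction is not intended by the view, it should answer 404 in both cases and the assertion on `"example"` should change with it.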