mirror of
https://gitlab.com/animath/si/plateforme-corres2math.git
Ensure that a user can't see what he can't see
parent
61719cae1c
commit
5fc46e74d2
@ -1,3 +1,5 @@
|
|||||||
|
import os
|
||||||
|
|
||||||
from corres2math.tokens import email_validation_token
|
from corres2math.tokens import email_validation_token
|
||||||
from django.contrib.auth.models import User
|
from django.contrib.auth.models import User
|
||||||
from django.test import TestCase
|
from django.test import TestCase
|
||||||
@ -215,8 +217,44 @@ class TestRegistration(TestCase):
|
|||||||
self.assertEqual(response.status_code, 200)
|
self.assertEqual(response.status_code, 200)
|
||||||
self.assertEqual(response["content-type"], "application/zip")
|
self.assertEqual(response["content-type"], "application/zip")
|
||||||
|
|
||||||
|
# Do it twice, ensure that the previous authorization got deleted
|
||||||
|
old_authoratization = self.student.registration.photo_authorization.path
|
||||||
|
response = self.client.post(reverse("registration:upload_user_photo_authorization",
|
||||||
|
args=(self.student.registration.pk,)), data=dict(
|
||||||
|
photo_authorization=open("corres2math/static/Autorisation de droit à l'image - majeur.pdf", "rb"),
|
||||||
|
))
|
||||||
|
self.assertRedirects(response, reverse("registration:user_detail", args=(self.student.pk,)), 302, 200)
|
||||||
|
self.assertFalse(os.path.isfile(old_authoratization))
|
||||||
|
|
||||||
|
self.student.registration.refresh_from_db()
|
||||||
self.student.registration.photo_authorization.delete()
|
self.student.registration.photo_authorization.delete()
|
||||||
|
|
||||||
|
def test_user_detail_forbidden(self):
|
||||||
|
"""
|
||||||
|
Create a new user and ensure that it can't see the detail of another user.
|
||||||
|
"""
|
||||||
|
self.client.force_login(self.coach)
|
||||||
|
|
||||||
|
response = self.client.get(reverse("registration:user_detail", args=(self.user.pk,)))
|
||||||
|
self.assertEqual(response.status_code, 403)
|
||||||
|
|
||||||
|
response = self.client.get(reverse("registration:update_user", args=(self.user.pk,)))
|
||||||
|
self.assertEqual(response.status_code, 403)
|
||||||
|
|
||||||
|
response = self.client.get(reverse("registration:upload_user_photo_authorization", args=(self.user.pk,)))
|
||||||
|
self.assertEqual(response.status_code, 403)
|
||||||
|
|
||||||
|
response = self.client.get(reverse("photo_authorization", args=("inexisting-authorization",)))
|
||||||
|
self.assertEqual(response.status_code, 404)
|
||||||
|
|
||||||
|
with open("media/authorization/photo/example", "w") as f:
|
||||||
|
f.write("I lost the game.")
|
||||||
|
self.student.registration.photo_authorization = "authorization/photo/example"
|
||||||
|
self.student.registration.save()
|
||||||
|
response = self.client.get(reverse("photo_authorization", args=("example",)))
|
||||||
|
self.assertEqual(response.status_code, 403)
|
||||||
|
os.remove("media/authorization/photo/example")
|
||||||
|
|
||||||
def test_string_render(self):
|
def test_string_render(self):
|
||||||
# TODO These string field tests will be removed when used in a template
|
# TODO These string field tests will be removed when used in a template
|
||||||
self.assertRaises(NotImplementedError, lambda: Registration().type)
|
self.assertRaises(NotImplementedError, lambda: Registration().type)
|
||||||
|
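Review bot: test_user_detail_forbidden asserts the 403 only for GET on `registration:update_user` and `registration:upload_user_photo_authorization`, so the state-changing POST path of both views is left unverified; an object-level permission check applied to GET but not to POST would still pass this test. For each view, add something like `response = self.client.post(reverse("registration:update_user", args=(self.user.pk,)), data={})` followed by `self.assertEqual(response.status_code, 403)`. The upload route is reversed with `self.user.pk` here, while the earlier block of the same hunk passes `self.student.registration.pk`; if the two keys differ, the 403 may be answered for a different object than intended, so confirm which key the URL expects. The fixture `media/authorization/photo/example` is removed only on the test's last line, so a failing assertion leaves it behind; registering `self.addCleanup(os.remove, "media/authorization/photo/example")` right after the `with` block would cover that.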