Sith/sas/tests/test_api.py

from django.conf import settings
from django.db import transaction
from django.test import TestCase
from django.urls import reverse
from model_bakery import baker
from model_bakery.recipe import Recipe
from pytest_django.asserts import assertNumQueries

from core.baker_recipes import old_subscriber_user, subscriber_user
from core.models import RealGroup, SithFile, User
from sas.baker_recipes import picture_recipe
from sas.models import Album, PeoplePictureRelation, Picture, PictureModerationRequest


class TestSas(TestCase):
    @classmethod
    def setUpTestData(cls):
        sas = SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)

        Picture.objects.exclude(id=sas.id).delete()
        owner = User.objects.get(username="root")

        cls.user_a = old_subscriber_user.make()
        cls.user_b, cls.user_c = subscriber_user.make(_quantity=2)

        picture = picture_recipe.extend(owner=owner)
        cls.album_a = baker.make(Album, is_in_sas=True, parent=sas)
        cls.album_b = baker.make(Album, is_in_sas=True, parent=sas)
        relation_recipe = Recipe(PeoplePictureRelation)
        relations = []
        for album in cls.album_a, cls.album_b:
            pictures = picture.make(parent=album, _quantity=5, _bulk_create=True)
            relations.extend(
                [
                    relation_recipe.prepare(picture=pictures[1], user=cls.user_a),
                    relation_recipe.prepare(picture=pictures[2], user=cls.user_a),
                    relation_recipe.prepare(picture=pictures[2], user=cls.user_b),
                    relation_recipe.prepare(picture=pictures[3], user=cls.user_b),
                    relation_recipe.prepare(picture=pictures[4], user=cls.user_a),
                    relation_recipe.prepare(picture=pictures[4], user=cls.user_b),
                    relation_recipe.prepare(picture=pictures[4], user=cls.user_c),
                ]
            )
        PeoplePictureRelation.objects.bulk_create(relations)


class TestPictureSearch(TestSas):
    @classmethod
    def setUpTestData(cls):
        super().setUpTestData()
        cls.url = reverse("api:pictures")

    def test_anonymous_user_forbidden(self):
        res = self.client.get(self.url)
        assert res.status_code == 403

    def test_filter_by_album(self):
        self.client.force_login(self.user_b)
        res = self.client.get(self.url + f"?album_id={self.album_a.id}")
        assert res.status_code == 200
        expected = list(self.album_a.children_pictures.values_list("id", flat=True))
        assert [i["id"] for i in res.json()["results"]] == expected

    def test_filter_by_user(self):
        self.client.force_login(self.user_b)
        res = self.client.get(self.url + f"?users_identified={self.user_a.id}")
        assert res.status_code == 200
        expected = list(
            self.user_a.pictures.order_by(
                "-picture__parent__date", "picture__date"
            ).values_list("picture_id", flat=True)
        )
        assert [i["id"] for i in res.json()["results"]] == expected

    def test_filter_by_multiple_user(self):
        self.client.force_login(self.user_b)
        res = self.client.get(
            self.url
            + f"?users_identified={self.user_a.id}&users_identified={self.user_b.id}"
        )
        assert res.status_code == 200
        expected = list(
            self.user_a.pictures.union(self.user_b.pictures.all())
            .order_by("-picture__parent__date", "picture__date")
            .values_list("picture_id", flat=True)
        )
        assert [i["id"] for i in res.json()["results"]] == expected

    def test_not_subscribed_user(self):
        """Test that a user that never subscribed can only its own pictures."""
        self.user_a.subscriptions.all().delete()
        self.client.force_login(self.user_a)
        res = self.client.get(f"{self.url}?users_identified={self.user_a.id}")
        assert res.status_code == 200
        expected = list(
            self.user_a.pictures.order_by(
                "-picture__parent__date", "picture__date"
            ).values_list("picture_id", flat=True)
        )
        assert [i["id"] for i in res.json()["results"]] == expected

        # trying to access the pictures of someone else mixed with owned pictures
        # should return only owned pictures
        res = self.client.get(
            self.url
            + f"?users_identified={self.user_a.id}&users_identified={self.user_b.id}"
        )
        assert res.status_code == 200
        assert [i["id"] for i in res.json()["results"]] == expected

        # trying to fetch everything should be the same
        # as fetching its own pictures for a non-subscriber
        res = self.client.get(self.url)
        assert res.status_code == 200
        assert [i["id"] for i in res.json()["results"]] == expected

        # trying to access the pictures of someone else should return only
        # the ones where the non-subscribed user is identified too
        res = self.client.get(f"{self.url}?users_identified={self.user_b.id}")
        assert res.status_code == 200
        expected = list(
            self.user_b.pictures.intersection(self.user_a.pictures.all())
            .order_by("-picture__parent__date", "picture__date")
            .values_list("picture_id", flat=True)
        )
        assert [i["id"] for i in res.json()["results"]] == expected

    def test_num_queries(self):
        """Test that the number of queries is stable."""
        self.client.force_login(subscriber_user.make())
        with assertNumQueries(5):
            # 1 request to fetch the user from the db
            # 2 requests to check the user permissions
            # 1 request to fetch the pictures
            # 1 request to count the total number of items in the pagination
            self.client.get(self.url)


class TestPictureRelation(TestSas):
    def test_delete_relation_route_forbidden(self):
        """Test that unauthorized users are properly 403ed"""
        # take a picture where user_a isn't identified
        relation = PeoplePictureRelation.objects.exclude(user=self.user_a).first()

        res = self.client.delete(f"/api/sas/relation/{relation.id}")
        assert res.status_code == 403

        for user in baker.make(User), self.user_a:
            self.client.force_login(user)
            res = self.client.delete(f"/api/sas/relation/{relation.id}")
            assert res.status_code == 403

    def test_delete_relation_with_authorized_users(self):
        """Test that deletion works as intended when called by an authorized user."""
        relation: PeoplePictureRelation = self.user_a.pictures.first()
        sas_admin_group = RealGroup.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)
        sas_admin = baker.make(User, groups=[sas_admin_group])
        root = baker.make(User, is_superuser=True)
        for user in sas_admin, root, self.user_a:
            with transaction.atomic():
                self.client.force_login(user)
                res = self.client.delete(f"/api/sas/relation/{relation.id}")
                assert res.status_code == 200
                assert not PeoplePictureRelation.objects.filter(pk=relation.id).exists()
                transaction.set_rollback(True)
        public = baker.make(User)
        relation = public.pictures.create(picture=relation.picture)
        self.client.force_login(public)
        res = self.client.delete(f"/api/sas/relation/{relation.id}")
        assert res.status_code == 200
        assert not PeoplePictureRelation.objects.filter(pk=relation.id).exists()

    def test_delete_twice(self):
        """Test a duplicate call on the delete route."""
        self.client.force_login(baker.make(User, is_superuser=True))
        relation = PeoplePictureRelation.objects.first()
        res = self.client.delete(f"/api/sas/relation/{relation.id}")
        assert res.status_code == 200
        relation_count = PeoplePictureRelation.objects.count()
        res = self.client.delete(f"/api/sas/relation/{relation.id}")
        assert res.status_code == 404
        assert PeoplePictureRelation.objects.count() == relation_count


class TestPictureModeration(TestSas):
    @classmethod
    def setUpTestData(cls):
        super().setUpTestData()
        cls.sas_admin = baker.make(
            User, groups=[RealGroup.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)]
        )
        cls.picture = Picture.objects.filter(parent=cls.album_a)[0]
        cls.picture.is_moderated = False
        cls.picture.asked_for_removal = True
        cls.picture.save()
        cls.url = reverse("api:picture_moderate", kwargs={"picture_id": cls.picture.id})
        baker.make(PictureModerationRequest, picture=cls.picture, author=cls.user_a)

    def test_moderation_route_forbidden(self):
        """Test that basic users (even if owner) cannot moderate a picture."""
        self.picture.owner = self.user_b

        for user in baker.make(User), subscriber_user.make(), self.user_b:
            self.client.force_login(user)
            res = self.client.patch(self.url)
            assert res.status_code == 403

    def test_moderation_route_authorized(self):
        """Test that sas admins can moderate a picture."""
        self.client.force_login(self.sas_admin)
        res = self.client.patch(self.url)
        assert res.status_code == 200
        self.picture.refresh_from_db()
        assert self.picture.is_moderated
        assert not self.picture.asked_for_removal
        assert not self.picture.moderation_requests.exists()

    def test_get_moderation_requests(self):
        """Test that fetching moderation requests work."""

        url = reverse(
            "api:picture_moderation_requests", kwargs={"picture_id": self.picture.id}
        )
        self.client.force_login(self.sas_admin)
        res = self.client.get(url)
        assert res.status_code == 200
        assert len(res.json()) == 1
        assert res.json()[0]["author"]["id"] == self.user_a.id
add tests 2024-07-26 12:25:26 +00:00			`from django.conf import settings`
			`from django.db import transaction`
add tests 2024-07-22 17:12:03 +00:00			`from django.test import TestCase`
			`from django.urls import reverse`
			`from model_bakery import baker`
feat: display moderation requests to moderators 2024-10-13 22:45:31 +00:00			`from model_bakery.recipe import Recipe`
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`from pytest_django.asserts import assertNumQueries`
add tests 2024-07-22 17:12:03 +00:00
			`from core.baker_recipes import old_subscriber_user, subscriber_user`
feat: display moderation requests to moderators 2024-10-13 22:45:31 +00:00			`from core.models import RealGroup, SithFile, User`
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`from sas.baker_recipes import picture_recipe`
feat: display moderation requests to moderators 2024-10-13 22:45:31 +00:00			`from sas.models import Album, PeoplePictureRelation, Picture, PictureModerationRequest`
add tests 2024-07-22 17:12:03 +00:00

Harmonize test names 2024-07-23 22:39:26 +00:00			`class TestSas(TestCase):`
add tests 2024-07-22 17:12:03 +00:00			`@classmethod`
			`def setUpTestData(cls):`
feat: display moderation requests to moderators 2024-10-13 22:45:31 +00:00			`sas = SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)`

			`Picture.objects.exclude(id=sas.id).delete()`
add tests 2024-07-22 17:12:03 +00:00			`owner = User.objects.get(username="root")`

			`cls.user_a = old_subscriber_user.make()`
			`cls.user_b, cls.user_c = subscriber_user.make(_quantity=2)`

fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`picture = picture_recipe.extend(owner=owner)`
feat: display moderation requests to moderators 2024-10-13 22:45:31 +00:00			`cls.album_a = baker.make(Album, is_in_sas=True, parent=sas)`
			`cls.album_b = baker.make(Album, is_in_sas=True, parent=sas)`
			`relation_recipe = Recipe(PeoplePictureRelation)`
			`relations = []`
add tests 2024-07-22 17:12:03 +00:00			`for album in cls.album_a, cls.album_b:`
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`pictures = picture.make(parent=album, _quantity=5, _bulk_create=True)`
feat: display moderation requests to moderators 2024-10-13 22:45:31 +00:00			`relations.extend(`
			`[`
			`relation_recipe.prepare(picture=pictures[1], user=cls.user_a),`
			`relation_recipe.prepare(picture=pictures[2], user=cls.user_a),`
			`relation_recipe.prepare(picture=pictures[2], user=cls.user_b),`
			`relation_recipe.prepare(picture=pictures[3], user=cls.user_b),`
			`relation_recipe.prepare(picture=pictures[4], user=cls.user_a),`
			`relation_recipe.prepare(picture=pictures[4], user=cls.user_b),`
			`relation_recipe.prepare(picture=pictures[4], user=cls.user_c),`
			`]`
			`)`
			`PeoplePictureRelation.objects.bulk_create(relations)`
add tests 2024-07-22 17:12:03 +00:00
add tests 2024-07-26 12:25:26 +00:00
			`class TestPictureSearch(TestSas):`
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`@classmethod`
			`def setUpTestData(cls):`
			`super().setUpTestData()`
			`cls.url = reverse("api:pictures")`

add tests 2024-07-22 17:12:03 +00:00			`def test_anonymous_user_forbidden(self):`
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`res = self.client.get(self.url)`
add tests 2024-07-22 17:12:03 +00:00			`assert res.status_code == 403`

			`def test_filter_by_album(self):`
			`self.client.force_login(self.user_b)`
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`res = self.client.get(self.url + f"?album_id={self.album_a.id}")`
add tests 2024-07-22 17:12:03 +00:00			`assert res.status_code == 200`
paginate GET /api/sas/picture 2024-08-05 17:25:30 +00:00			`expected = list(self.album_a.children_pictures.values_list("id", flat=True))`
			`assert [i["id"] for i in res.json()["results"]] == expected`
add tests 2024-07-22 17:12:03 +00:00
			`def test_filter_by_user(self):`
			`self.client.force_login(self.user_b)`
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`res = self.client.get(self.url + f"?users_identified={self.user_a.id}")`
add tests 2024-07-22 17:12:03 +00:00			`assert res.status_code == 200`
			`expected = list(`
paginate GET /api/sas/picture 2024-08-05 17:25:30 +00:00			`self.user_a.pictures.order_by(`
			`"-picture__parent__date", "picture__date"`
			`).values_list("picture_id", flat=True)`
add tests 2024-07-22 17:12:03 +00:00			`)`
paginate GET /api/sas/picture 2024-08-05 17:25:30 +00:00			`assert [i["id"] for i in res.json()["results"]] == expected`
add tests 2024-07-22 17:12:03 +00:00
			`def test_filter_by_multiple_user(self):`
			`self.client.force_login(self.user_b)`
			`res = self.client.get(`
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`self.url`
add tests 2024-07-22 17:12:03 +00:00			`+ f"?users_identified={self.user_a.id}&users_identified={self.user_b.id}"`
			`)`
			`assert res.status_code == 200`
			`expected = list(`
			`self.user_a.pictures.union(self.user_b.pictures.all())`
paginate GET /api/sas/picture 2024-08-05 17:25:30 +00:00			`.order_by("-picture__parent__date", "picture__date")`
add tests 2024-07-22 17:12:03 +00:00			`.values_list("picture_id", flat=True)`
			`)`
paginate GET /api/sas/picture 2024-08-05 17:25:30 +00:00			`assert [i["id"] for i in res.json()["results"]] == expected`
add tests 2024-07-22 17:12:03 +00:00
			`def test_not_subscribed_user(self):`
add `PictureQuerySet.viewable_by(user)` method 2024-08-06 10:37:50 +00:00			`"""Test that a user that never subscribed can only its own pictures."""`
			`self.user_a.subscriptions.all().delete()`
add tests 2024-07-22 17:12:03 +00:00			`self.client.force_login(self.user_a)`
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`res = self.client.get(f"{self.url}?users_identified={self.user_a.id}")`
add tests 2024-07-22 17:12:03 +00:00			`assert res.status_code == 200`
			`expected = list(`
paginate GET /api/sas/picture 2024-08-05 17:25:30 +00:00			`self.user_a.pictures.order_by(`
			`"-picture__parent__date", "picture__date"`
			`).values_list("picture_id", flat=True)`
add tests 2024-07-22 17:12:03 +00:00			`)`
paginate GET /api/sas/picture 2024-08-05 17:25:30 +00:00			`assert [i["id"] for i in res.json()["results"]] == expected`
add tests 2024-07-22 17:12:03 +00:00
fix rights on albums and next/previous pictures 2024-08-08 11:15:19 +00:00			`# trying to access the pictures of someone else mixed with owned pictures`
			`# should return only owned pictures`
add tests 2024-07-22 17:12:03 +00:00			`res = self.client.get(`
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`self.url`
fix rights on albums and next/previous pictures 2024-08-08 11:15:19 +00:00			`+ f"?users_identified={self.user_a.id}&users_identified={self.user_b.id}"`
add tests 2024-07-22 17:12:03 +00:00			`)`
fix rights on albums and next/previous pictures 2024-08-08 11:15:19 +00:00			`assert res.status_code == 200`
			`assert [i["id"] for i in res.json()["results"]] == expected`

			`# trying to fetch everything should be the same`
			`# as fetching its own pictures for a non-subscriber`
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`res = self.client.get(self.url)`
fix rights on albums and next/previous pictures 2024-08-08 11:15:19 +00:00			`assert res.status_code == 200`
			`assert [i["id"] for i in res.json()["results"]] == expected`
add tests 2024-07-22 17:12:03 +00:00
fix rights on albums and next/previous pictures 2024-08-08 11:15:19 +00:00			`# trying to access the pictures of someone else should return only`
			`# the ones where the non-subscribed user is identified too`
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`res = self.client.get(f"{self.url}?users_identified={self.user_b.id}")`
fix rights on albums and next/previous pictures 2024-08-08 11:15:19 +00:00			`assert res.status_code == 200`
			`expected = list(`
			`self.user_b.pictures.intersection(self.user_a.pictures.all())`
			`.order_by("-picture__parent__date", "picture__date")`
			`.values_list("picture_id", flat=True)`
			`)`
			`assert [i["id"] for i in res.json()["results"]] == expected`
add tests 2024-07-26 12:25:26 +00:00
fix crash on album fetch & test 2024-08-09 22:43:15 +00:00			`def test_num_queries(self):`
			`"""Test that the number of queries is stable."""`
			`self.client.force_login(subscriber_user.make())`
			`with assertNumQueries(5):`
			`# 1 request to fetch the user from the db`
			`# 2 requests to check the user permissions`
			`# 1 request to fetch the pictures`
			`# 1 request to count the total number of items in the pagination`
			`self.client.get(self.url)`

add tests 2024-07-26 12:25:26 +00:00
			`class TestPictureRelation(TestSas):`
			`def test_delete_relation_route_forbidden(self):`
			`"""Test that unauthorized users are properly 403ed"""`
			`# take a picture where user_a isn't identified`
			`relation = PeoplePictureRelation.objects.exclude(user=self.user_a).first()`

			`res = self.client.delete(f"/api/sas/relation/{relation.id}")`
			`assert res.status_code == 403`

			`for user in baker.make(User), self.user_a:`
			`self.client.force_login(user)`
			`res = self.client.delete(f"/api/sas/relation/{relation.id}")`
			`assert res.status_code == 403`

			`def test_delete_relation_with_authorized_users(self):`
			`"""Test that deletion works as intended when called by an authorized user."""`
			`relation: PeoplePictureRelation = self.user_a.pictures.first()`
			`sas_admin_group = RealGroup.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)`
			`sas_admin = baker.make(User, groups=[sas_admin_group])`
			`root = baker.make(User, is_superuser=True)`
			`for user in sas_admin, root, self.user_a:`
			`with transaction.atomic():`
			`self.client.force_login(user)`
			`res = self.client.delete(f"/api/sas/relation/{relation.id}")`
			`assert res.status_code == 200`
			`assert not PeoplePictureRelation.objects.filter(pk=relation.id).exists()`
			`transaction.set_rollback(True)`
			`public = baker.make(User)`
			`relation = public.pictures.create(picture=relation.picture)`
			`self.client.force_login(public)`
			`res = self.client.delete(f"/api/sas/relation/{relation.id}")`
			`assert res.status_code == 200`
			`assert not PeoplePictureRelation.objects.filter(pk=relation.id).exists()`

			`def test_delete_twice(self):`
			`"""Test a duplicate call on the delete route."""`
			`self.client.force_login(baker.make(User, is_superuser=True))`
			`relation = PeoplePictureRelation.objects.first()`
			`res = self.client.delete(f"/api/sas/relation/{relation.id}")`
			`assert res.status_code == 200`
			`relation_count = PeoplePictureRelation.objects.count()`
			`res = self.client.delete(f"/api/sas/relation/{relation.id}")`
			`assert res.status_code == 404`
			`assert PeoplePictureRelation.objects.count() == relation_count`
feat: display moderation requests to moderators 2024-10-13 22:45:31 +00:00

			`class TestPictureModeration(TestSas):`
			`@classmethod`
			`def setUpTestData(cls):`
			`super().setUpTestData()`
			`cls.sas_admin = baker.make(`
			`User, groups=[RealGroup.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)]`
			`)`
			`cls.picture = Picture.objects.filter(parent=cls.album_a)[0]`
			`cls.picture.is_moderated = False`
			`cls.picture.asked_for_removal = True`
			`cls.picture.save()`
			`cls.url = reverse("api:picture_moderate", kwargs={"picture_id": cls.picture.id})`
			`baker.make(PictureModerationRequest, picture=cls.picture, author=cls.user_a)`

			`def test_moderation_route_forbidden(self):`
			`"""Test that basic users (even if owner) cannot moderate a picture."""`
			`self.picture.owner = self.user_b`

			`for user in baker.make(User), subscriber_user.make(), self.user_b:`
			`self.client.force_login(user)`
			`res = self.client.patch(self.url)`
			`assert res.status_code == 403`

			`def test_moderation_route_authorized(self):`
			`"""Test that sas admins can moderate a picture."""`
			`self.client.force_login(self.sas_admin)`
			`res = self.client.patch(self.url)`
			`assert res.status_code == 200`
			`self.picture.refresh_from_db()`
			`assert self.picture.is_moderated`
			`assert not self.picture.asked_for_removal`
			`assert not self.picture.moderation_requests.exists()`

			`def test_get_moderation_requests(self):`
			`"""Test that fetching moderation requests work."""`

			`url = reverse(`
			`"api:picture_moderation_requests", kwargs={"picture_id": self.picture.id}`
			`)`
			`self.client.force_login(self.sas_admin)`
			`res = self.client.get(url)`
			`assert res.status_code == 200`
			`assert len(res.json()) == 1`
			`assert res.json()[0]["author"]["id"] == self.user_a.id`