add tests

2025-07-11 04:19:25 +00:00 · 2024-07-26 14:25:26 +02:00
parent 191b05c305
commit 043dcfb283
2 changed files with 68 additions and 13 deletions
--- a/sas/api.py
+++ b/sas/api.py
@ -5,13 +5,9 @@ from ninja_extra.exceptions import PermissionDenied
 from ninja_extra.permissions import IsAuthenticated
 from pydantic import NonNegativeInt

-from core.api_permissions import IsOldSubscriber
 from core.models import User
 from sas.models import PeoplePictureRelation, Picture
-from sas.schemas import (
-    PictureFilterSchema,
-    PictureSchema,
-)
+from sas.schemas import PictureFilterSchema, PictureSchema


@api_controller("/sas/picture")
@ -28,11 +24,17 @@ class PicturesController(ControllerBase):
        A user with an active subscription can see any picture, as long
        as it has been moderated and not asked for removal.
        An unsubscribed user can see the pictures he has been identified on
-        (only the moderated ones, too)
+        (only the moderated ones, too).

        Notes:
            Trying to fetch the pictures of another user with this route
            while being unsubscribed will just result in an empty response.
+
+        Notes:
+            Unsubscribed users who are identified is not a rare case.
+            They can be UTT students, faluchards from other schools,
+            or even Richard Stallman (that ain't no joke,
+            cf. https://ae.utbm.fr/user/32663/pictures/)
        """
        user: User = self.context.request.user
        if not user.is_subscribed and filters.users_identified != {user.id}:
@ -53,14 +55,17 @@ class PicturesController(ControllerBase):
        return pictures


-@api_controller("/sas/relation")
+@api_controller("/sas/relation", tags="User identification on SAS pictures")
 class UsersIdentifiedController(ControllerBase):
-    @route.delete("/{relation_id}", permissions=[IsOldSubscriber])
+    @route.delete("/{relation_id}", permissions=[IsAuthenticated])
    def delete_relation(self, relation_id: NonNegativeInt):
-        relation: PeoplePictureRelation = self.get_object_or_exception(
-            PeoplePictureRelation, pk=relation_id
-        )
-        user = self.context.request.user
+        """Untag a user from a SAS picture.
+
+        Root and SAS admins can delete any picture identification.
+        All other users can delete their own identification.
+        """
+        relation = self.get_object_or_exception(PeoplePictureRelation, pk=relation_id)
+        user: User = self.context.request.user
        if (
            relation.user_id != user.id
            and not user.is_root