Merge pull request #1090 from ae-utbm/fix-album-upload

fix sas album creation rights
2025-10-31 09:03:06 +00:00 · 2025-04-21 01:01:36 +02:00
parent da56a7f651 e9c956e08c
commit 7296640a8d
2 changed files with 47 additions and 1 deletions
--- a/sas/forms.py
+++ b/sas/forms.py
@@ -27,7 +27,9 @@ class AlbumCreateForm(forms.ModelForm):
            self.instance.moderator = owner

    def clean(self):
-        if not self.instance.owner.can_edit(self.instance.parent):
+        parent = self.cleaned_data["parent"]
+        parent.__class__ = Album  # by default, parent is a SithFile
+        if not self.instance.owner.can_edit(parent):
            raise ValidationError(_("You do not have the permission to do that"))
        return super().clean()

--- a/sas/tests/test_views.py
+++ b/sas/tests/test_views.py
@@ -89,6 +89,50 @@ def test_album_access_non_subscriber(client: Client):
    assert res.status_code == 200


+@pytest.mark.django_db
+class TestAlbumUpload:
+    @staticmethod
+    def assert_album_created(response, name, parent):
+        assert response.headers.get("HX-Redirect", "") == parent.get_absolute_url()
+        children = list(Album.objects.filter(parent=parent))
+        assert len(children) == 1
+        assert children[0].name == name
+
+    def test_sas_admin(self, client: Client):
+        user = baker.make(
+            User, groups=[Group.objects.get(id=settings.SITH_GROUP_SAS_ADMIN_ID)]
+        )
+        album = baker.make(Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID)
+        client.force_login(user)
+        response = client.post(
+            reverse("sas:album_create"), {"name": "new", "parent": album.id}
+        )
+        self.assert_album_created(response, "new", album)
+
+    def test_non_admin_user_with_edit_rights_on_parent(self, client: Client):
+        group = baker.make(Group)
+        user = subscriber_user.make(groups=[group])
+        album = baker.make(
+            Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID, edit_groups=[group]
+        )
+        client.force_login(user)
+        response = client.post(
+            reverse("sas:album_create"), {"name": "new", "parent": album.id}
+        )
+        self.assert_album_created(response, "new", album)
+
+    def test_permission_denied(self, client: Client):
+        album = baker.make(Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID)
+        client.force_login(subscriber_user.make())
+        response = client.post(
+            reverse("sas:album_create"), {"name": "new", "parent": album.id}
+        )
+        errors = BeautifulSoup(response.text, "lxml").find_all(class_="errorlist")
+        assert len(errors) == 1
+        assert errors[0].text == "Vous n'avez pas la permission de faire cela"
+        assert not album.children.exists()
+
+
 class TestSasModeration(TestCase):
    @classmethod
    def setUpTestData(cls):