From e9c956e08c05dadcb1b37d8a9bdc19f8ff8c6295 Mon Sep 17 00:00:00 2001
From: imperosol
Date: Sat, 19 Apr 2025 16:49:40 +0200
Subject: [PATCH] fix sas album creation rights

---
 sas/forms.py | 4 +++-
 sas/tests/test_views.py | 44 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/sas/forms.py b/sas/forms.py
index 71dedd7d..af3547c8 100644
--- a/sas/forms.py
+++ b/sas/forms.py
@@ -27,7 +27,9 @@ class AlbumCreateForm(forms.ModelForm):
 self.instance.moderator = owner
 def clean(self):
- if not self.instance.owner.can_edit(self.instance.parent):
+ parent = self.cleaned_data["parent"]
+ parent.__class__ = Album # by default, parent is a SithFile
+ if not self.instance.owner.can_edit(parent):
 raise ValidationError(_("You do not have the permission to do that"))
 return super().clean()
diff --git a/sas/tests/test_views.py b/sas/tests/test_views.py
index 80e4557f..f085f202 100644
--- a/sas/tests/test_views.py
+++ b/sas/tests/test_views.py
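Review bot: `self.cleaned_data["parent"]` raises KeyError when the posted `parent` is missing or fails field validation, because Django leaves such fields out of `cleaned_data` before `clean()` runs, so a malformed POST becomes a 500 instead of a form error. The `__class__` swap on the next line also trusts that whatever SithFile was posted is an album: if the `parent` field's queryset is not already restricted to `Album` (the comment says the default is a SithFile), a user with edit rights on any SithFile could create an album under a non-album node, with `can_edit` evaluated against that relabelled object. I would guard the lookup and resolve the parent through the Album manager instead of rewriting its class, assuming Album is a subclass of SithFile as the swap implies, and write the resolved object back into `cleaned_data` so the instance still receives an Album. `AlbumCreateForm` starts outside the hunk.
```python
    def clean(self):
        parent = self.cleaned_data.get("parent")
        if parent is None:
            return super().clean()  # the field error is already reported
        # Resolve through the Album manager rather than rewriting __class__,
        # so a plain SithFile posted as "parent" is rejected instead of relabelled.
        parent = Album.objects.filter(pk=parent.pk).first()
        if parent is None or not self.instance.owner.can_edit(parent):
            raise ValidationError(_("You do not have the permission to do that"))
        self.cleaned_data["parent"] = parent
        return super().clean()
```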
@@ -89,6 +89,50 @@ def test_album_access_non_subscriber(client: Client): assert res.status_code == 200 +@pytest.mark.django_db +class TestAlbumUpload: + @staticmethod + def assert_album_created(response, name, parent): + assert response.headers.get("HX-Redirect", "") == parent.get_absolute_url() + children = list(Album.objects.filter(parent=parent)) + assert len(children) == 1 + assert children[0].name == name + + def test_sas_admin(self, client: Client): + user = baker.make( + User, groups=[Group.objects.get(id=settings.SITH_GROUP_SAS_ADMIN_ID)] + ) + album = baker.make(Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID) + client.force_login(user) + response = client.post( + reverse("sas:album_create"), {"name": "new", "parent": album.id} + ) + self.assert_album_created(response, "new", album) + + def test_non_admin_user_with_edit_rights_on_parent(self, client: Client): + group = baker.make(Group) + user = subscriber_user.make(groups=[group]) + album = baker.make( + Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID, edit_groups=[group] + ) + client.force_login(user) + response = client.post( + reverse("sas:album_create"), {"name": "new", "parent": album.id} + ) + self.assert_album_created(response, "new", album) + + def test_permission_denied(self, client: Client): + album = baker.make(Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID) + client.force_login(subscriber_user.make()) + response = client.post( + reverse("sas:album_create"), {"name": "new", "parent": album.id} + ) + errors = BeautifulSoup(response.text, "lxml").find_all(class_="errorlist") + assert len(errors) == 1 + assert errors[0].text == "Vous n'avez pas la permission de faire cela" + assert not album.children.exists() + + class TestSasModeration(TestCase): @classmethod def setUpTestData(cls):
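Review bot: None of the three new tests covers the case that makes the `__class__` swap in `AlbumCreateForm.clean` security-relevant — a `parent` that is a plain SithFile rather than an Album — so a regression that lets albums be created under a non-album node would still pass this suite; a fourth test posting a non-album SithFile as `parent` and expecting the permission error (and `assert not album.children.exists()`-style follow-up) would close that gap, if SithFile is importable here. `test_permission_denied` also pins only the French error text, which couples the test to the active locale and says nothing about the response status; I would add `assert response.status_code == 200` and compare against the translated message, e.g. `assert errors[0].text == _("You do not have the permission to do that")` under the project's language, rather than a hard-coded French string. The two success tests likewise never check `response.status_code`, so a redirect header set on an error page would still satisfy `assert_album_created`.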