Merge pull request #860 from ae-utbm/fix-sas-owner

Fix sas owner
2024-10-18 12:58:06 +00:00 · 2024-10-05 21:44:21 +02:00 · 2024-10-05 21:44:21 +02:00 · cacdf600f4
commit cacdf600f4
parent f6be360eab 5ee0ee8efb
2 changed files with 53 additions and 4 deletions
--- a/core/models.py
+++ b/core/models.py
@ -991,8 +991,8 @@ class SithFile(models.Model):
            return user.is_board_member
        if user.is_com_admin:
            return True
-        if self.is_in_sas:
-            return user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID)
+        if self.is_in_sas and user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
+            return True
        return user.id == self.owner_id

    def can_be_viewed_by(self, user):
--- a/core/tests/test_files.py
+++ b/core/tests/test_files.py
@ -13,8 +13,57 @@ from model_bakery.recipe import Recipe, foreign_key
 from PIL import Image
 from pytest_django.asserts import assertNumQueries

-from core.baker_recipes import board_user, subscriber_user
-from core.models import Group, SithFile, User
+from core.baker_recipes import board_user, old_subscriber_user, subscriber_user
+from core.models import Group, RealGroup, SithFile, User
+from sas.models import Picture
+from sith import settings
+
+
+@pytest.mark.django_db
+class TestImageAccess:
+    @pytest.mark.parametrize(
+        "user_factory",
+        [
+            lambda: baker.make(User, is_superuser=True),
+            lambda: baker.make(
+                User,
+                groups=[RealGroup.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)],
+            ),
+            lambda: baker.make(
+                User,
+                groups=[RealGroup.objects.get(pk=settings.SITH_GROUP_COM_ADMIN_ID)],
+            ),
+        ],
+    )
+    def test_sas_image_access(self, user_factory: Callable[[], User]):
+        """Test that only authorized users can access the sas image."""
+        user = user_factory()
+        picture: SithFile = baker.make(
+            Picture, parent=SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)
+        )
+        assert picture.is_owned_by(user)
+
+    def test_sas_image_access_owner(self):
+        """Test that the owner of the image can access it."""
+        user = baker.make(User)
+        picture: Picture = baker.make(Picture, owner=user)
+        assert picture.is_owned_by(user)
+
+    @pytest.mark.parametrize(
+        "user_factory",
+        [
+            lambda: baker.make(User),
+            subscriber_user.make,
+            old_subscriber_user.make,
+            board_user.make,
+        ],
+    )
+    def test_sas_image_access_forbidden(self, user_factory: Callable[[], User]):
+        cache.clear()
+        user = user_factory()
+        owner = baker.make(User)
+        picture: Picture = baker.make(Picture, owner=owner)
+        assert not picture.is_owned_by(user)


@pytest.mark.django_db