klmp200/Sith
1
0
Fork 0
mirror of https://github.com/ae-utbm/sith.git synced 2025-04-29 12:56:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix sas album creation rights

Browse Source
This commit is contained in:
imperosol 2025-04-19 16:49:40 +02:00
parent da56a7f651
commit e9c956e08c
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sas/forms.py
View File

@ -27,7 +27,9 @@ class AlbumCreateForm(forms.ModelForm):
self.instance.moderator = owner self.instance.moderator = owner
def clean(self): def clean(self):
if not self.instance.owner.can_edit(self.instance.parent): parent = self.cleaned_data["parent"]
parent.__class__ = Album # by default, parent is a SithFile
if not self.instance.owner.can_edit(parent):
raise ValidationError(_("You do not have the permission to do that")) raise ValidationError(_("You do not have the permission to do that"))
return super().clean() return super().clean()

44
sas/tests/test_views.py
View File

@ -89,6 +89,50 @@ def test_album_access_non_subscriber(client: Client):
assert res.status_code == 200 assert res.status_code == 200
@pytest.mark.django_db
class TestAlbumUpload:
@staticmethod
def assert_album_created(response, name, parent):
assert response.headers.get("HX-Redirect", "") == parent.get_absolute_url()
children = list(Album.objects.filter(parent=parent))
assert len(children) == 1
assert children[0].name == name
def test_sas_admin(self, client: Client):
user = baker.make(
User, groups=[Group.objects.get(id=settings.SITH_GROUP_SAS_ADMIN_ID)]
)
album = baker.make(Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID)
client.force_login(user)
response = client.post(
reverse("sas:album_create"), {"name": "new", "parent": album.id}
)
self.assert_album_created(response, "new", album)
def test_non_admin_user_with_edit_rights_on_parent(self, client: Client):
group = baker.make(Group)
user = subscriber_user.make(groups=[group])
album = baker.make(
Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID, edit_groups=[group]
)
client.force_login(user)
response = client.post(
reverse("sas:album_create"), {"name": "new", "parent": album.id}
)
self.assert_album_created(response, "new", album)
def test_permission_denied(self, client: Client):
album = baker.make(Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID)
client.force_login(subscriber_user.make())
response = client.post(
reverse("sas:album_create"), {"name": "new", "parent": album.id}
)
errors = BeautifulSoup(response.text, "lxml").find_all(class_="errorlist")
assert len(errors) == 1
assert errors[0].text == "Vous n'avez pas la permission de faire cela"
assert not album.children.exists()
class TestSasModeration(TestCase): class TestSasModeration(TestCase):
@classmethod @classmethod
def setUpTestData(cls): def setUpTestData(cls):