diff --git a/openlobby/core/api/types.py b/openlobby/core/api/types.py
index a6e9c6e805e7cd6c10300748b1f88242f211da6c..b777ba263ef20dd397133bdfe1fc3221206ce0cd 100644
--- a/openlobby/core/api/types.py
+++ b/openlobby/core/api/types.py
@@ -71,6 +71,12 @@ class Report(graphene.ObjectType):
         except NotFoundError:
             return None
 
+        if report.is_draft:
+            if not info.context.user.is_authenticated:
+                return None
+            if report.author_id != info.context.user.id:
+                return None
+
         author_type = cls._meta.fields['author'].type
         author = author_type.get_node(info, report.author_id)
         return cls.from_es(report, author)
diff --git a/tests/mutations/test_create_report.py b/tests/mutations/test_create_report.py
index f2121dabc7b6d65338f3c906b868dc2925af0f52..433a72babe837cee6e8354d1d5e7932ef3eaa1e6 100644
--- a/tests/mutations/test_create_report.py
+++ b/tests/mutations/test_create_report.py
@@ -1,11 +1,11 @@
 import pytest
 import arrow
-import json
 import re
 
-from openlobby.core.auth import create_access_token
 from openlobby.core.models import User, Report
 
+from ..utils import call_api
+
 pytestmark = [pytest.mark.django_db, pytest.mark.usefixtures('django_es')]
 
 
@@ -16,18 +16,6 @@ def setup():
         first_name='Winston', last_name='Wolfe', email='winston@wolfe.com')
 
 
-def call_api(client, query, input, username=None):
-    variables = json.dumps({'input': input})
-    if username is None:
-        res = client.post('/graphql', {'query': query, 'variables': variables})
-    else:
-        token = create_access_token(username)
-        auth_header = 'Bearer {}'.format(token)
-        res = client.post('/graphql', {'query': query, 'variables': variables},
-                          HTTP_AUTHORIZATION=auth_header)
-    return res.json()
-
-
 def test_unauthorized(client, snapshot):
     query = """
     mutation createReport ($input: CreateReportInput!) {
diff --git a/tests/schema/snapshots/snap_test_node.py b/tests/schema/snapshots/snap_test_node.py
index 7b2e280583c22c9959e64beb5d12cd060d42af8b..52ce304f3feb1f476ba57268face7f251975445d 100644
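Review bot: The draft gate added just before `author_type = cls._meta.fields['author'].type` lives only in this node resolver, so any other resolver that loads reports from Elasticsearch (a list or search query, if the schema has one) would still return drafts unless it repeats the same two checks; collapsing the rule to one expression, `if report.is_draft and (not info.context.user.is_authenticated or report.author_id != info.context.user.id): return None`, and moving it into a helper every report resolver calls keeps the policy from drifting. Returning `None` is the right choice here because it is indistinguishable from the `NotFoundError` branch above, so a non-author cannot probe whether a draft id exists; that intent deserves a comment, e.g. `# Drafts are private to their author; answer exactly like a missing report so draft ids cannot be enumerated.` The comparison `report.author_id != info.context.user.id` fails closed if the Elasticsearch document stores author_id with a different type than the Django user id, which is safe but worth pinning with a test for the author's own view. The enclosing get_node method starts before the hunk.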
--- a/tests/schema/snapshots/snap_test_node.py
+++ b/tests/schema/snapshots/snap_test_node.py
@@ -85,3 +85,24 @@ snapshots['test_user 1'] = {
         }
     }
 }
+
+snapshots['test_report__is_draft__unauthorized_viewer 1'] = {
+    'data': {
+        'node': None
+    }
+}
+
+snapshots['test_report__is_draft__viewer_is_not_author 1'] = {
+    'data': {
+        'node': None
+    }
+}
+
+snapshots['test_report__is_draft 1'] = {
+    'data': {
+        'node': {
+            'id': 'UmVwb3J0OjQ=',
+            'title': 'The Silmarillion'
+        }
+    }
+}
diff --git a/tests/schema/test_node.py b/tests/schema/test_node.py
index c1ccbf1f934e0af7771576264ba486ff5fc3fd5b..0ffa6374ee85f373a1d7604039833f6d22805c39 100644
--- a/tests/schema/test_node.py
+++ b/tests/schema/test_node.py
@@ -5,6 +5,7 @@ from openlobby.core.auth import create_access_token
 from openlobby.core.models import OpenIdClient, User
 
 from ..dummy import prepare_reports
+from ..utils import call_api
 
 pytestmark = [pytest.mark.django_db, pytest.mark.usefixtures('django_es')]
 
@@ -89,6 +90,51 @@ def test_report(client, snapshot):
     snapshot.assert_match(res.json())
 
 
+def test_report__is_draft(client, snapshot):
+    prepare_reports()
+    query = """
+    query {{
+        node (id:"{id}") {{
+            ... on Report {{
+                id
+                title
+            }}
+        }}
+    }}
+    """.format(id=to_global_id('Report', 4))
+    snapshot.assert_match(call_api(client, query, username='Wolf'))
+
+
+def test_report__is_draft__unauthorized_viewer(client, snapshot):
+    prepare_reports()
+    query = """
+    query {{
+        node (id:"{id}") {{
+            ... on Report {{
+                id
+                title
+            }}
+        }}
+    }}
+    """.format(id=to_global_id('Report', 4))
+    snapshot.assert_match(call_api(client, query))
+
+
+def test_report__is_draft__viewer_is_not_author(client, snapshot):
+    prepare_reports()
+    query = """
+    query {{
+        node (id:"{id}") {{
+            ... on Report {{
+                id
+                title
+            }}
+        }}
+    }}
+    """.format(id=to_global_id('Report', 4))
+    snapshot.assert_match(call_api(client, query))
+
+
 def test_user__unauthorized(client, snapshot):
     User.objects.create(id=8, username='albert', openid_uid='albert@einstein.id',
         first_name='Albert', last_name='Einstein', extra={'e': 'mc2'})
diff --git a/tests/utils.py b/tests/utils.py
new file mode 100644
index 0000000000000000000000000000000000000000..f807f170442aaa9d0e52c81a94c8898505ee6e37
--- /dev/null
+++ b/tests/utils.py
@@ -0,0 +1,15 @@
+import json
+
+from openlobby.core.auth import create_access_token
+
+
+def call_api(client, query, input=None, username=None):
+    variables = json.dumps({'input': input or {}})
+    if username is None:
+        res = client.post('/graphql', {'query': query, 'variables': variables})
+    else:
+        token = create_access_token(username)
+        auth_header = 'Bearer {}'.format(token)
+        res = client.post('/graphql', {'query': query, 'variables': variables},
+                          HTTP_AUTHORIZATION=auth_header)
+    return res.json()
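Review bot: `test_report__is_draft__viewer_is_not_author` never authenticates: its last line, `snapshot.assert_match(call_api(client, query))`, is the same anonymous call made in `test_report__is_draft__unauthorized_viewer`, so the `report.author_id != info.context.user.id` branch of the new draft check is not exercised and the matching `'node': None` snapshot passes for the wrong reason. Create a second user in that test (the module already builds users with `User.objects.create(...)` in `test_user__unauthorized`; the exact fields required are not visible here) and pass its name, `snapshot.assert_match(call_api(client, query, username='<second user>'))`, so the snapshot proves an authenticated non-author is refused. The three tests also repeat the same query literal verbatim; a small module-level helper that formats the node query for a report id would leave the viewer as the only visible difference between them, which is the point each test is making.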
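Review bot: The new `call_api` in tests/utils.py has no docstring, its `input` parameter shadows the builtin, and `input or {}` turns any falsy argument into `{}` rather than only a missing one; `variables = json.dumps({'input': {} if input is None else input})` sends an explicit empty value as given. A docstring should also state that `username` is minted straight into a bearer token via `create_access_token` and that nothing in this helper checks such a user exists, so a test wanting an authenticated but different viewer must create that user first. Since the helper is the only way the test-suite reaches `/graphql`, it is worth keeping the unauthenticated and authenticated branches visibly identical apart from the `HTTP_AUTHORIZATION` header, which the current structure already does.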