From 21fb5e59d82f8b3097552574953b539d82ee0945 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Bedna=C5=99=C3=ADk?= <jan.bednarik@gmail.com> Date: Tue, 27 Feb 2018 20:46:20 +0100 Subject: [PATCH] Return Report draft only for author from Node interface. --- openlobby/core/api/types.py | 6 ++++ tests/mutations/test_create_report.py | 16 ++------- tests/schema/snapshots/snap_test_node.py | 21 +++++++++++ tests/schema/test_node.py | 46 ++++++++++++++++++++++++ tests/utils.py | 15 ++++++++ 5 files changed, 90 insertions(+), 14 deletions(-) create mode 100644 tests/utils.py diff --git a/openlobby/core/api/types.py b/openlobby/core/api/types.py index a6e9c6e..b777ba2 100644 --- a/openlobby/core/api/types.py +++ b/openlobby/core/api/types.py @@ -71,6 +71,12 @@ class Report(graphene.ObjectType): except NotFoundError: return None + if report.is_draft: + if not info.context.user.is_authenticated: + return None + if report.author_id != info.context.user.id: + return None + author_type = cls._meta.fields['author'].type author = author_type.get_node(info, report.author_id) return cls.from_es(report, author) diff --git a/tests/mutations/test_create_report.py b/tests/mutations/test_create_report.py index f2121da..433a72b 100644 --- a/tests/mutations/test_create_report.py +++ b/tests/mutations/test_create_report.py @@ -1,11 +1,11 @@ import pytest import arrow -import json import re -from openlobby.core.auth import create_access_token from openlobby.core.models import User, Report +from ..utils import call_api + pytestmark = [pytest.mark.django_db, pytest.mark.usefixtures('django_es')] 
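Review bot: In `Report.get_node` (openlobby/core/api/types.py) the draft visibility rule is written inline, so it only protects lookups that go through the Node interface. Any other resolver that builds a `Report` from Elasticsearch would need the same rule; none is visible in this patch, so that is worth confirming. Moving the two conditions into one helper would let every path share it. A comment would also help, such as `# Drafts are visible to their author only; return None exactly as for a missing report so the id does not reveal that a draft exists.` The method starts above the hunk, so how `report` is loaded is not shown here.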
@@ -16,18 +16,6 @@ def setup(): first_name='Winston', last_name='Wolfe', email='winston@wolfe.com') -def call_api(client, query, input, username=None): - variables = json.dumps({'input': input}) - if username is None: - res = client.post('/graphql', {'query': query, 'variables': variables}) - else: - token = create_access_token(username) - auth_header = 'Bearer {}'.format(token) - res = client.post('/graphql', {'query': query, 'variables': variables}, - HTTP_AUTHORIZATION=auth_header) - return res.json() - - def test_unauthorized(client, snapshot): query = """ mutation createReport ($input: CreateReportInput!) { diff --git a/tests/schema/snapshots/snap_test_node.py b/tests/schema/snapshots/snap_test_node.py index 7b2e280..52ce304 100644 --- a/tests/schema/snapshots/snap_test_node.py +++ b/tests/schema/snapshots/snap_test_node.py @@ -85,3 +85,24 @@ snapshots['test_user 1'] = { } } } + +snapshots['test_report__is_draft__unauthorized_viewer 1'] = { + 'data': { + 'node': None + } +} + +snapshots['test_report__is_draft__viewer_is_not_author 1'] = { + 'data': { + 'node': None + } +} + +snapshots['test_report__is_draft 1'] = { + 'data': { + 'node': { + 'id': 'UmVwb3J0OjQ=', + 'title': 'The Silmarillion' + } + } +} diff --git a/tests/schema/test_node.py b/tests/schema/test_node.py index c1ccbf1..0ffa637 100644 --- a/tests/schema/test_node.py +++ b/tests/schema/test_node.py @@ -5,6 +5,7 @@ from openlobby.core.auth import create_access_token from openlobby.core.models import OpenIdClient, User from ..dummy import prepare_reports +from ..utils import call_api pytestmark = [pytest.mark.django_db, pytest.mark.usefixtures('django_es')] 
@@ -89,6 +90,51 @@ def test_report(client, snapshot): snapshot.assert_match(res.json()) +def test_report__is_draft(client, snapshot): + prepare_reports() + query = """ + query {{ + node (id:"{id}") {{ + ... on Report {{ + id + title + }} + }} + }} + """.format(id=to_global_id('Report', 4)) + snapshot.assert_match(call_api(client, query, username='Wolf')) + + +def test_report__is_draft__unauthorized_viewer(client, snapshot): + prepare_reports() + query = """ + query {{ + node (id:"{id}") {{ + ... on Report {{ + id + title + }} + }} + }} + """.format(id=to_global_id('Report', 4)) + snapshot.assert_match(call_api(client, query)) + + +def test_report__is_draft__viewer_is_not_author(client, snapshot): + prepare_reports() + query = """ + query {{ + node (id:"{id}") {{ + ... on Report {{ + id + title + }} + }} + }} + """.format(id=to_global_id('Report', 4)) + snapshot.assert_match(call_api(client, query)) + + def test_user__unauthorized(client, snapshot): User.objects.create(id=8, username='albert', openid_uid='albert@einstein.id', first_name='Albert', last_name='Einstein', extra={'e': 'mc2'}) diff --git a/tests/utils.py b/tests/utils.py new file mode 100644 index 0000000..f807f17 --- /dev/null +++ b/tests/utils.py @@ -0,0 +1,15 @@ +import json + +from openlobby.core.auth import create_access_token + + +def call_api(client, query, input=None, username=None): + variables = json.dumps({'input': input or {}}) + if username is None: + res = client.post('/graphql', {'query': query, 'variables': variables}) + else: + token = create_access_token(username) + auth_header = 'Bearer {}'.format(token) + res = client.post('/graphql', {'query': query, 'variables': variables}, + HTTP_AUTHORIZATION=auth_header) + return res.json() -- GitLab
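Review bot: `test_report__is_draft__viewer_is_not_author` in tests/schema/test_node.py calls `call_api(client, query)` without a `username`, exactly like `test_report__is_draft__unauthorized_viewer`. The request is therefore anonymous and the new `report.author_id != info.context.user.id` branch is never exercised. The test should authenticate as an existing user who is not the draft's author, e.g. `snapshot.assert_match(call_api(client, query, username='<non-author username>'))`, creating that user first if `prepare_reports()` does not provide one. As written, an implementation that checked only `is_authenticated` would pass all three new tests.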
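Review bot: `call_api` in tests/utils.py has no docstring, and its `username=None` default silently sends an unauthenticated request. A test meant to run as a logged-in user still passes through the anonymous path if the argument is forgotten. A docstring would make that explicit: `"""POST a GraphQL query to /graphql; with username set, send a Bearer token for that user, otherwise make an anonymous request."""`. The `input` parameter shadows the builtin, but callers may pass it by keyword, so renaming it is probably not worth the churn.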