From 21fb5e59d82f8b3097552574953b539d82ee0945 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Bedna=C5=99=C3=ADk?= <jan.bednarik@gmail.com>
Date: Tue, 27 Feb 2018 20:46:20 +0100
Subject: [PATCH] Return Report draft only for author from Node interface.

---
 openlobby/core/api/types.py              |  6 ++++
 tests/mutations/test_create_report.py    | 16 ++-------
 tests/schema/snapshots/snap_test_node.py | 21 +++++++++++
 tests/schema/test_node.py                | 46 ++++++++++++++++++++++++
 tests/utils.py                           | 15 ++++++++
 5 files changed, 90 insertions(+), 14 deletions(-)
 create mode 100644 tests/utils.py

diff --git a/openlobby/core/api/types.py b/openlobby/core/api/types.py
index a6e9c6e..b777ba2 100644
--- a/openlobby/core/api/types.py
+++ b/openlobby/core/api/types.py
@@ -71,6 +71,12 @@ class Report(graphene.ObjectType):
         except NotFoundError:
             return None
 
+        if report.is_draft:
+            if not info.context.user.is_authenticated:
+                return None
+            if report.author_id != info.context.user.id:
+                return None
+
         author_type = cls._meta.fields['author'].type
         author = author_type.get_node(info, report.author_id)
         return cls.from_es(report, author)
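Review bot: The draft restriction is enforced only inside `get_node`, so any other resolver that builds `Report` objects (a search or an author's report list, if such paths exist outside this hunk) would still need its own filter. Returning `None` for both the anonymous and the non-author case is a good choice, because a draft then looks the same as a missing report; a comment such as `# Drafts are visible only to their author; None keeps them indistinguishable from a missing report.` would record that intent. The nested checks could also be one guard: `viewer = info.context.user` followed by `if report.is_draft and not (viewer.is_authenticated and report.author_id == viewer.id): return None`. The method begins above the hunk, so how `report` is loaded is not visible here.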
diff --git a/tests/mutations/test_create_report.py b/tests/mutations/test_create_report.py
index f2121da..433a72b 100644
--- a/tests/mutations/test_create_report.py
+++ b/tests/mutations/test_create_report.py
@@ -1,11 +1,11 @@
 import pytest
 import arrow
-import json
 import re
 
-from openlobby.core.auth import create_access_token
 from openlobby.core.models import User, Report
 
+from ..utils import call_api
+
 
 pytestmark = [pytest.mark.django_db, pytest.mark.usefixtures('django_es')]
 
@@ -16,18 +16,6 @@ def setup():
         first_name='Winston', last_name='Wolfe', email='winston@wolfe.com')
 
 
-def call_api(client, query, input, username=None):
-    variables = json.dumps({'input': input})
-    if username is None:
-        res = client.post('/graphql', {'query': query, 'variables': variables})
-    else:
-        token = create_access_token(username)
-        auth_header = 'Bearer {}'.format(token)
-        res = client.post('/graphql', {'query': query, 'variables': variables},
-            HTTP_AUTHORIZATION=auth_header)
-    return res.json()
-
-
 def test_unauthorized(client, snapshot):
     query = """
     mutation createReport ($input: CreateReportInput!) {
diff --git a/tests/schema/snapshots/snap_test_node.py b/tests/schema/snapshots/snap_test_node.py
index 7b2e280..52ce304 100644
--- a/tests/schema/snapshots/snap_test_node.py
+++ b/tests/schema/snapshots/snap_test_node.py
@@ -85,3 +85,24 @@ snapshots['test_user 1'] = {
         }
     }
 }
+
+snapshots['test_report__is_draft__unauthorized_viewer 1'] = {
+    'data': {
+        'node': None
+    }
+}
+
+snapshots['test_report__is_draft__viewer_is_not_author 1'] = {
+    'data': {
+        'node': None
+    }
+}
+
+snapshots['test_report__is_draft 1'] = {
+    'data': {
+        'node': {
+            'id': 'UmVwb3J0OjQ=',
+            'title': 'The Silmarillion'
+        }
+    }
+}
diff --git a/tests/schema/test_node.py b/tests/schema/test_node.py
index c1ccbf1..0ffa637 100644
--- a/tests/schema/test_node.py
+++ b/tests/schema/test_node.py
@@ -5,6 +5,7 @@ from openlobby.core.auth import create_access_token
 from openlobby.core.models import OpenIdClient, User
 
 from ..dummy import prepare_reports
+from ..utils import call_api
 
 
 pytestmark = [pytest.mark.django_db, pytest.mark.usefixtures('django_es')]
@@ -89,6 +90,51 @@ def test_report(client, snapshot):
     snapshot.assert_match(res.json())
 
 
+def test_report__is_draft(client, snapshot):
+    prepare_reports()
+    query = """
+    query {{
+        node (id:"{id}") {{
+            ... on Report {{
+                id
+                title
+            }}
+        }}
+    }}
+    """.format(id=to_global_id('Report', 4))
+    snapshot.assert_match(call_api(client, query, username='Wolf'))
+
+
+def test_report__is_draft__unauthorized_viewer(client, snapshot):
+    prepare_reports()
+    query = """
+    query {{
+        node (id:"{id}") {{
+            ... on Report {{
+                id
+                title
+            }}
+        }}
+    }}
+    """.format(id=to_global_id('Report', 4))
+    snapshot.assert_match(call_api(client, query))
+
+
+def test_report__is_draft__viewer_is_not_author(client, snapshot):
+    prepare_reports()
+    query = """
+    query {{
+        node (id:"{id}") {{
+            ... on Report {{
+                id
+                title
+            }}
+        }}
+    }}
+    """.format(id=to_global_id('Report', 4))
+    snapshot.assert_match(call_api(client, query))
+
+
 def test_user__unauthorized(client, snapshot):
     User.objects.create(id=8, username='albert', openid_uid='albert@einstein.id',
         first_name='Albert', last_name='Einstein', extra={'e': 'mc2'})
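Review bot: `test_report__is_draft__viewer_is_not_author` calls `call_api(client, query)` without a `username`, so it sends the same anonymous request as `test_report__is_draft__unauthorized_viewer`. The `report.author_id != info.context.user.id` branch is therefore never exercised by an authenticated non-author, and a regression that exposed drafts to any logged-in user would still pass. The test should authenticate as a user who exists but did not write report 4, e.g. `snapshot.assert_match(call_api(client, query, username='<NON_AUTHOR_USERNAME>'))`, creating that user in the test if `prepare_reports()` does not provide one. The three identical query strings could also be built once in a small module-level helper.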
diff --git a/tests/utils.py b/tests/utils.py
new file mode 100644
index 0000000..f807f17
--- /dev/null
+++ b/tests/utils.py
@@ -0,0 +1,15 @@
+import json
+
+from openlobby.core.auth import create_access_token
+
+
+def call_api(client, query, input=None, username=None):
+    variables = json.dumps({'input': input or {}})
+    if username is None:
+        res = client.post('/graphql', {'query': query, 'variables': variables})
+    else:
+        token = create_access_token(username)
+        auth_header = 'Bearer {}'.format(token)
+        res = client.post('/graphql', {'query': query, 'variables': variables},
+            HTTP_AUTHORIZATION=auth_header)
+    return res.json()
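Review bot: `call_api` has no docstring, although authorization tests depend on knowing that omitting `username` sends the request with no `Authorization` header. Something like `"""POST a GraphQL query to /graphql; with username set, send a Bearer access token for that user, otherwise send the request unauthenticated."""` would make that explicit. As a style point, the parameter name `input` shadows the builtin, and the two `client.post` calls differ only in the header, so building an `extra = {'HTTP_AUTHORIZATION': auth_header}` dict (empty when anonymous) and calling `client.post(..., **extra)` once would remove the duplication.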
-- 
GitLab