make blacklist endpoints accessible for any authenticated user

OSMCha · Nov 29, 2018 · 3de61ac · 3de61ac
1 parent dd77bdd
commit 3de61ac
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 19 deletions.
diff --git a/osmchadjango/supervise/tests/test_views.py b/osmchadjango/supervise/tests/test_views.py
@@ -844,6 +844,11 @@ def setUp(self):
             uid='3435',
             added_by=self.staff_user,
             )
+        BlacklistedUser.objects.create(
+            username='New bad user',
+            uid='9888',
+            added_by=self.user,
+            )
         self.url = reverse('supervise:blacklist-list-create')
 
     def test_list_view_unauthenticated(self):
@@ -853,7 +858,8 @@ def test_list_view_unauthenticated(self):
     def test_list_view_normal_user(self):
         self.client.login(username=self.user.username, password='password')
         response = self.client.get(self.url)
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data.get('results')), 1)
 
     def test_list_view_staff_user(self):
         self.client.login(username=self.staff_user.username, password='password')
@@ -896,8 +902,8 @@ def test_create_view_unauthenticated(self):
     def test_create_view_normal_user(self):
         self.client.login(username=self.user.username, password='password')
         response = self.client.post(self.url, self.data)
-        self.assertEqual(response.status_code, 403)
-        self.assertEqual(BlacklistedUser.objects.count(), 0)
+        self.assertEqual(response.status_code, 201)
+        self.assertEqual(BlacklistedUser.objects.count(), 1)
 
     def test_create_view_staff_user(self):
         self.client.login(username=self.staff_user.username, password='password')
@@ -935,6 +941,11 @@ def setUp(self):
             uid='3434',
             added_by=self.staff_user,
             )
+        self.blacklisted_2 = BlacklistedUser.objects.create(
+            username='Bad User',
+            uid='3434',
+            added_by=self.user,
+            )
         self.url = reverse(
             'supervise:blacklist-detail', args=[self.blacklisted.uid]
             )
@@ -946,7 +957,23 @@ def test_unauthenticated_get(self):
     def test_normal_user_get(self):
         self.client.login(username=self.user.username, password='password')
         response = self.client.get(self.url)
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data.get('username'), 'Bad User')
+        self.assertEqual(response.data.get('added_by'), 'test_user')
+        self.assertIsNotNone(response.data.get('uid'))
+        self.assertIn('date', response.data.keys())
+
+    def test_normal_user_getting_staff_user_blacklist(self):
+        blacklisted = BlacklistedUser.objects.create(
+            username='Bad User',
+            uid='4999',
+            added_by=self.staff_user,
+            )
+        self.client.login(username=self.user.username, password='password')
+        response = self.client.get(
+            reverse('supervise:blacklist-detail', args=[4999])
+            )
+        self.assertEqual(response.status_code, 404)
 
     def test_staff_user_get(self):
         self.client.login(username=self.staff_user.username, password='password')
@@ -960,19 +987,19 @@ def test_staff_user_get(self):
     def test_unauthenticated_delete(self):
         response = self.client.delete(self.url)
         self.assertEqual(response.status_code, 401)
-        self.assertEqual(BlacklistedUser.objects.count(), 1)
+        self.assertEqual(BlacklistedUser.objects.count(), 2)
 
     def test_normal_user_delete(self):
         self.client.login(username=self.user.username, password='password')
         response = self.client.delete(self.url)
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 204)
         self.assertEqual(BlacklistedUser.objects.count(), 1)
 
     def test_staff_user_delete(self):
         self.client.login(username=self.staff_user.username, password='password')
         response = self.client.delete(self.url)
         self.assertEqual(response.status_code, 204)
-        self.assertEqual(BlacklistedUser.objects.count(), 0)
+        self.assertEqual(BlacklistedUser.objects.count(), 1)
 
     def test_unauthenticated_patch(self):
         response = self.client.patch(self.url, {'username': 'other_user'})
@@ -982,8 +1009,9 @@ def test_unauthenticated_patch(self):
     def test_normal_user_patch(self):
         self.client.login(username=self.user.username, password='password')
         response = self.client.patch(self.url, {'username': 'other_user'})
-        self.assertEqual(response.status_code, 403)
-        self.assertEqual(self.blacklisted.username, 'Bad User')
+        self.assertEqual(response.status_code, 200)
+        self.blacklisted_2.refresh_from_db()
+        self.assertEqual(self.blacklisted_2.username, 'other_user')
 
     def test_staff_user_patch(self):
         self.client.login(username=self.staff_user.username, password='password')

diff --git a/osmchadjango/supervise/views.py b/osmchadjango/supervise/views.py
@@ -5,7 +5,7 @@
 from django.urls import reverse
 
 from rest_framework.generics import (
-    ListCreateAPIView, ListAPIView, RetrieveUpdateDestroyAPIView
+    ListCreateAPIView, ListAPIView, RetrieveUpdateDestroyAPIView, get_object_or_404
     )
 from rest_framework.response import Response
 from rest_framework.filters import OrderingFilter
@@ -222,7 +222,13 @@ class BlacklistedUserListCreateAPIView(ListCreateAPIView):
     """
     queryset = BlacklistedUser.objects.all()
     serializer_class = BlacklistSerializer
-    permission_classes = (IsAdminUser,)
+    permission_classes = (IsAuthenticated,)
+
+    def get_queryset(self):
+        if self.request:
+            return BlacklistedUser.objects.filter(added_by=self.request.user)
+        else:
+            BlacklistedUser.objects.none()
 
     def perform_create(self, serializer):
         serializer.save(added_by=self.request.user)
@@ -234,21 +240,25 @@ class BlacklistedUserDetailAPIView(RetrieveUpdateDestroyAPIView):
     Get details about a BlacklistedUser.
     Access restricted to staff users.
     delete:
-    Delete a User from the Blacklist.
-    Only staff users can use this method.
+    Delete a User from your Blacklist.
     patch:
     Update a BlacklistedUser.
-    It's useful if you need to update the username of a User. Only staff users
-    can use this method.
+    It's useful if you need to update the username of a User.
     put:
     Update a BlacklistedUser.
-    It's useful if you need to update the username of a User. Only staff users
-    can use this method.
+    It's useful if you need to update the username of a User.
     """
     queryset = BlacklistedUser.objects.all()
     serializer_class = BlacklistSerializer
-    permission_classes = (IsAdminUser,)
-    lookup_field = 'uid'
+    permission_classes = (IsAuthenticated, IsOwnerOrReadOnly)
 
     def perform_update(self, serializer):
         serializer.save(added_by=self.request.user)
+
+    def get_object(self):
+        queryset = self.get_queryset()
+        return get_object_or_404(
+            queryset,
+            added_by=self.request.user,
+            uid=self.kwargs['uid']
+            )