Admin can remove a course created by another admin #57

Open
LarisaTerenteva opened this issue Jun 29, 2022 · 0 comments
Labels
bug Something isn't working

Comments

@LarisaTerenteva

Description:
When an admin user tries to remove a course created by another admin, the course is successfully removed and no error messages are shown.

Pre-conditions:
There are at least two active users with the admin role (here admin1 and admin2).

Steps to reproduce:

  1. Login to admin1;
  2. Save access token for admin1;
  3. Create a new category by POST request (http://qa-school-test.quantori.academy/api/v1/categories) using saved admin1 access token, input in request body is: {"title": "string"}, with 'title' being a string of valid length (3-100) and allowed characters (RU/EN alphabet, space, digits);
  4. Save the newly created category id to use in following request;
  5. Login to admin2 account;
  6. Save access token for admin2;
  7. Create a new course by POST request (http://qa-school-test.quantori.academy/api/v1/courses) using saved admin2 access token, input in request body is: {"title": "string", "description": "string", "visible": true, "categoryId": 0}, with 'title' being a string of valid length (3-100) and allowed characters (RU/EN alphabet, space, digits), 'description' being a string of valid length (3-255 as implemented at the moment), 'visible' being a boolean, 'categoryId' being the id of the category created in step 3;
  8. Save the newly created course id to use in following request as dynamic variable {{courseId}};
  9. Try making DELETE request (http://qa-school-test.quantori.academy/api/v1/courses/{{courseId}}), using saved admin1 access token and {{courseId}} variable.

Post-conditions:

  1. Delete the course created in step 7 by DELETE request (http://qa-school-test.quantori.academy/api/v1/courses/{courseId}) using admin2 access token;
  2. Make sure the course is deleted;
  3. Delete the category created in step 3 by DELETE request (http://qa-school-test.quantori.academy/api/v1/courses/{categoryId}) using admin1 access token;
  4. Make sure the category is deleted.

Actual behavior:

  1. Response code is 200 Ok
  2. No error message is shown
  3. Following message is shown in response body: {"result": "Success: record was removed."}

Expected behavior:

  1. Code 403 Unauthorized
  2. Error message is shown: 'You're not owner of this course, you can't change/remove it'
  3. Course is not removed

Screenshots
admin_remove

@viraxslot viraxslot added the bug Something isn't working label Jul 15, 2022
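
The missing ownership check behind this report, modelled offline as an added example (not code from the issue or the project). The in-memory store, the `createdBy` and `login` fields, the function names and the 404/"Forbidden" responses are assumptions; the success and ownership messages are the ones quoted in the issue.

```javascript
// Hypothetical in-memory model of DELETE /api/v1/courses/:id (not the project's code).
// Constructed sample data mirroring the issue: course 1 was created by admin2.
function makeStore() {
  return new Map([[1, { id: 1, title: "Course A", createdBy: "admin2" }]]);
}

// Behaviour reported in the issue: only the role is checked, ownership is not.
function deleteCourseRoleOnly(store, user, courseId) {
  if (!user || user.role !== "admin") {
    return { status: 403, body: { error: "Forbidden" } };
  }
  if (!store.delete(courseId)) {
    return { status: 404, body: { error: "Course not found" } };
  }
  return { status: 200, body: { result: "Success: record was removed." } };
}

// Expected behaviour: the caller must also be the creator of the course.
function deleteCourseOwnerOnly(store, user, courseId) {
  if (!user || user.role !== "admin") {
    return { status: 403, body: { error: "Forbidden" } };
  }
  const course = store.get(courseId);
  if (!course) {
    return { status: 404, body: { error: "Course not found" } };
  }
  // Object-level check: compare the record's owner with the authenticated user,
  // taken from the verified access token, never from the request body.
  if (course.createdBy !== user.login) {
    return {
      status: 403,
      body: { error: "You're not owner of this course, you can't change/remove it" },
    };
  }
  store.delete(courseId);
  return { status: 200, body: { result: "Success: record was removed." } };
}

// Replays step 9 (admin1 deletes admin2's course) and post-condition 1 (admin2 deletes it).
function replayIssue(handler) {
  const store = makeStore();
  const admin1 = { login: "admin1", role: "admin" };
  const admin2 = { login: "admin2", role: "admin" };
  const foreign = handler(store, admin1, 1); // step 9
  const survived = store.has(1);             // is the course still there?
  const owner = handler(store, admin2, 1);   // post-condition 1
  return { foreign: foreign.status, survived, owner: owner.status, left: store.size };
}
```

`replayIssue` doubles as a regression check: with the role-only handler the course is gone after step 9, so the owner's own cleanup request then finds nothing to delete.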