Test forbidden accesses

2025-11-04 05:02:22 +01:00 · 2020-11-02 18:19:53 +01:00
parent 4c25ae2928
commit 25756fb2ef
2 changed files with 33 additions and 1 deletions
--- a/apps/participation/tests.py
+++ b/apps/participation/tests.py
@@ -439,6 +439,36 @@ class TestStudentParticipation(TestCase):
        response = self.client.get(reverse("participation:participation_detail", args=(self.team.participation.pk,)))
        self.assertEqual(response.status_code, 200)

+    def test_forbidden_access(self):
+        """
+        Load personnal pages and ensure that these are protected.
+        """
+        self.user.registration.team = self.team
+        self.user.registration.save()
+
+        resp = self.client.get(reverse("participation:team_detail", args=(self.second_team.pk,)))
+        self.assertEqual(resp.status_code, 403)
+        resp = self.client.get(reverse("participation:update_team", args=(self.second_team.pk,)))
+        self.assertEqual(resp.status_code, 403)
+        resp = self.client.get(reverse("participation:team_authorizations", args=(self.second_team.pk,)))
+        self.assertEqual(resp.status_code, 403)
+        resp = self.client.get(reverse("participation:participation_detail", args=(self.second_team.pk,)))
+        self.assertEqual(resp.status_code, 403)
+        resp = self.client.get(reverse("participation:upload_video",
+                                       args=(self.second_team.participation.solution.pk,)))
+        self.assertEqual(resp.status_code, 403)
+        resp = self.client.get(reverse("participation:upload_video",
+                                       args=(self.second_team.participation.synthesis.pk,)))
+        self.assertEqual(resp.status_code, 403)
+        resp = self.client.get(reverse("participation:add_question", args=(self.second_team.pk,)))
+        self.assertEqual(resp.status_code, 403)
+        question = Question.objects.create(participation=self.second_team.participation,
+                                           question=self.question.question)
+        resp = self.client.get(reverse("participation:update_question", args=(question.pk,)))
+        self.assertEqual(resp.status_code, 403)
+        resp = self.client.get(reverse("participation:delete_question", args=(question.pk,)))
+        self.assertEqual(resp.status_code, 403)
+

 class TestAdminForbidden(TestCase):
    def setUp(self) -> None:
--- a/apps/participation/views.py
+++ b/apps/participation/views.py
@@ -241,7 +241,9 @@ class TeamUpdateView(LoginRequiredMixin, UpdateView):

    def dispatch(self, request, *args, **kwargs):
        user = request.user
-        if user.registration.is_admin or user.registration.participates and user.registration.team.pk == kwargs["pk"]:
+        if user.registration.is_admin or user.registration.participates and \
+                user.registration.team and \
+                user.registration.team.pk == kwargs["pk"]:
            return super().dispatch(request, *args, **kwargs)
        raise PermissionDenied