Ensure that a user can't see what he can't see

2024-12-05 02:06:52 +00:00 · 2020-11-02 11:44:53 +01:00 · 2020-11-02 11:44:53 +01:00 · 5fc46e74d2
commit 5fc46e74d2
parent 61719cae1c
1 changed files with 38 additions and 0 deletions
--- a/apps/registration/tests.py
+++ b/apps/registration/tests.py
@ -1,3 +1,5 @@
+import os
+
 from corres2math.tokens import email_validation_token
 from django.contrib.auth.models import User
 from django.test import TestCase
@ -215,8 +217,44 @@ class TestRegistration(TestCase):
        self.assertEqual(response.status_code, 200)
        self.assertEqual(response["content-type"], "application/zip")

+        # Do it twice, ensure that the previous authorization got deleted
+        old_authoratization = self.student.registration.photo_authorization.path
+        response = self.client.post(reverse("registration:upload_user_photo_authorization",
+                                            args=(self.student.registration.pk,)), data=dict(
+            photo_authorization=open("corres2math/static/Autorisation de droit à l'image - majeur.pdf", "rb"),
+        ))
+        self.assertRedirects(response, reverse("registration:user_detail", args=(self.student.pk,)), 302, 200)
+        self.assertFalse(os.path.isfile(old_authoratization))
+
+        self.student.registration.refresh_from_db()
        self.student.registration.photo_authorization.delete()

+    def test_user_detail_forbidden(self):
+        """
+        Create a new user and ensure that it can't see the detail of another user.
+        """
+        self.client.force_login(self.coach)
+
+        response = self.client.get(reverse("registration:user_detail", args=(self.user.pk,)))
+        self.assertEqual(response.status_code, 403)
+
+        response = self.client.get(reverse("registration:update_user", args=(self.user.pk,)))
+        self.assertEqual(response.status_code, 403)
+
+        response = self.client.get(reverse("registration:upload_user_photo_authorization", args=(self.user.pk,)))
+        self.assertEqual(response.status_code, 403)
+
+        response = self.client.get(reverse("photo_authorization", args=("inexisting-authorization",)))
+        self.assertEqual(response.status_code, 404)
+
+        with open("media/authorization/photo/example", "w") as f:
+            f.write("I lost the game.")
+        self.student.registration.photo_authorization = "authorization/photo/example"
+        self.student.registration.save()
+        response = self.client.get(reverse("photo_authorization", args=("example",)))
+        self.assertEqual(response.status_code, 403)
+        os.remove("media/authorization/photo/example")
+
    def test_string_render(self):
        # TODO These string field tests will be removed when used in a template
        self.assertRaises(NotImplementedError, lambda: Registration().type)