Skip to content

Commit

Permalink
fix: Fix bug in project permission logic
Browse files Browse the repository at this point in the history
  • Loading branch information
@jjnesbitt
jjnesbitt committed Nov 7, 2024
1 parent 18fa882 commit 8dcd62b
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 15 deletions.
10 changes: 10 additions & 0 deletions uvdat/core/rest/project.py
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import typing
from typing import Any

from django.contrib.auth.models import User
Expand Down Expand Up @@ -29,6 +30,15 @@ def perform_create(self, serializer):
@swagger_auto_schema(method='PUT', request_body=ProjectPermissionsSerializer)
@action(detail=True, methods=['PUT'])
def permissions(self, request: Request, *args: Any, **kwargs: Any):
if request.user.is_anonymous:
raise Exception('Anonymous user received after guardian filter')
user = typing.cast(User, request.user)

# Only the owner can modify project permissions
project: Project = self.get_object()
if not user.has_perm('owner', project): # type: ignore
return Response(status=403)

serializer = ProjectPermissionsSerializer(data=request.data)
serializer.is_valid(raise_exception=True)

Expand Down
29 changes: 14 additions & 15 deletions uvdat/core/tests/test_project.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -118,21 +118,20 @@ def test_rest_project_set_permissions_not_allowed(authenticated_api_client, user
assert resp.status_code == 403


# TODO: Fix code, test is correct
# @pytest.mark.django_db
# def test_rest_project_set_permissions_change_owner_collaborator(
# authenticated_api_client, user, project: Project
# ):
# project.add_collaborators([user])
# resp = authenticated_api_client.put(
# f'/api/v1/projects/{project.id}/permissions/',
# {
# 'owner_id': user.id,
# 'collaborator_ids': [],
# 'follower_ids': [],
# },
# )
# assert resp.status_code == 400
@pytest.mark.django_db
def test_rest_project_set_permissions_change_owner_collaborator(
authenticated_api_client, user, project: Project
):
project.add_collaborators([user])
resp = authenticated_api_client.put(
f'/api/v1/projects/{project.id}/permissions/',
{
'owner_id': user.id,
'collaborator_ids': [],
'follower_ids': [],
},
)
assert resp.status_code == 403


@pytest.mark.django_db
Expand Down

0 comments on commit 8dcd62b

Please sign in to comment.