| 19 | super().tearDown() |
| 20 | |
| 21 | def test_project(self): |
| 22 | client = APIClient() |
| 23 | |
| 24 | user = User.objects.get(username="testuser") |
| 25 | project = Project.objects.create( |
| 26 | owner=user, |
| 27 | name="test project" |
| 28 | ) |
| 29 | |
| 30 | # Cannot edit project (anonymous) |
| 31 | res = client.post("/api/projects/{}/edit/".format(project.id), { |
| 32 | 'name': 'edited' |
| 33 | }) |
| 34 | self.assertEqual(res.status_code, status.HTTP_403_FORBIDDEN) |
| 35 | |
| 36 | client.login(username="testuser", password="test1234") |
| 37 | |
| 38 | # Can edit project |
| 39 | res = client.post("/api/projects/{}/edit/".format(project.id), { |
| 40 | 'name': 'edited' |
| 41 | }) |
| 42 | self.assertEqual(res.status_code, status.HTTP_200_OK) |
| 43 | project.refresh_from_db() |
| 44 | |
| 45 | self.assertEqual(project.name, 'edited') |
| 46 | self.assertEqual(project.description, '') |
| 47 | |
| 48 | other_user = User.objects.get(username="testuser2") |
| 49 | |
| 50 | other_client = APIClient() |
| 51 | other_client.login(username="testuser2", password="test1234") |
| 52 | |
| 53 | # Other user cannot edit project |
| 54 | res = other_client.post("/api/projects/{}/edit/".format(project.id), { |
| 55 | 'name': 'edited2' |
| 56 | }) |
| 57 | self.assertEqual(res.status_code, status.HTTP_404_NOT_FOUND) |
| 58 | |
| 59 | # Other user cannot see project |
| 60 | res = other_client.get("/api/projects/{}/".format(project.id)) |
| 61 | self.assertEqual(res.status_code, status.HTTP_404_NOT_FOUND) |
| 62 | |
| 63 | # Change permissions via API |
| 64 | res = client.post("/api/projects/{}/edit/".format(project.id), { |
| 65 | 'permissions': [{'username': 'testuser2', 'permissions': ['view']}] |
| 66 | }, format="json") |
| 67 | self.assertEqual(res.status_code, status.HTTP_200_OK) |
| 68 | |
| 69 | # Other user can see project |
| 70 | res = other_client.get("/api/projects/{}/".format(project.id)) |
| 71 | self.assertEqual(res.status_code, status.HTTP_200_OK) |
| 72 | |
| 73 | # Other user does not own the project |
| 74 | self.assertFalse(res.data['owned']) |
| 75 | |
| 76 | # Other user still cannot edit project |
| 77 | res = other_client.post("/api/projects/{}/edit/".format(project.id), { |
| 78 | 'name': 'edited2' |