Add IsVerifiedOrReadOnly permission on EntityDetails class

292aae37 · Eva Bardou · fb55e78b · 292aae37 · 292aae37
Commit 292aae37 authored 4 years ago by Eva Bardou
--- a/arkindex/documents/api/entities.py
+++ b/arkindex/documents/api/entities.py
@@ -38,7 +38,7 @@ from arkindex.documents.serializers.entities import (
 )
 from arkindex.project.elastic import ESEntity
 from arkindex.project.mixins import ACLMixin, CorpusACLMixin
-from arkindex.project.permissions import IsVerified
+from arkindex.project.permissions import IsVerified, IsVerifiedOrReadOnly
 from arkindex.project.triggers import reindex_start
 from arkindex.users.models import Role

@@ -79,6 +79,7 @@ class EntityDetails(ACLMixin, RetrieveUpdateDestroyAPIView):
    """
    Get all information about an entity
    """
+    permission_classes = (IsVerifiedOrReadOnly, )
    serializer_class = EntitySerializer
    openapi_overrides = {
        'tags': ['entities'],

--- a/arkindex/documents/tests/test_entities_api.py
+++ b/arkindex/documents/tests/test_entities_api.py
@@ -745,7 +745,14 @@ class TestEntitiesAPI(FixtureAPITestCase):
            Entity.objects.get(id=self.entity.id)
        self.assertFalse(entity_mock.get.called)

-    def test_delete_entity_not_verified(self):
+    def test_delete_entity_requires_login(self):
+        response = self.client.delete(reverse('api:entity-details', kwargs={'pk': str(self.entity_bis.id)}))
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_delete_entity_requires_verified(self):
+        self.user.verified_email = False
+        self.user.save()
+        self.client.force_login(self.user)
        response = self.client.delete(reverse('api:entity-details', kwargs={'pk': str(self.entity_bis.id)}))
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

@@ -797,14 +804,34 @@ class TestEntitiesAPI(FixtureAPITestCase):
            description=f'Indexation of entity {self.entity_bis.id}',
        ))

-    def test_validated_entity_not_verified(self):
+    def test_validated_entity_requires_login(self):
+        response = self.client.patch(
+            reverse('api:entity-details', kwargs={'pk': self.entity_bis.id}),
+            {'validated': True},
+        )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_unvalidated_entity_requires_login(self):
+        response = self.client.patch(
+            reverse('api:entity-details', kwargs={'pk': self.entity_bis.id}),
+            {'validated': False},
+        )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_validated_entity_requires_verified(self):
+        self.user.verified_email = False
+        self.user.save()
+        self.client.force_login(self.user)
        response = self.client.patch(
            reverse('api:entity-details', kwargs={'pk': self.entity_bis.id}),
            {'validated': True},
        )
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

-    def test_unvalidated_entity_not_verified(self):
+    def test_unvalidated_entity_requires_verified(self):
+        self.user.verified_email = False
+        self.user.save()
+        self.client.force_login(self.user)
        response = self.client.patch(
            reverse('api:entity-details', kwargs={'pk': self.entity_bis.id}),
            {'validated': False},