Merge branch 'image-elements-permissions' into 'master'

Restrict ListImageElements to authenticated users See merge request !1326

Merge branch 'image-elements-permissions' into 'master'
30fb3a2e · Bastien Abadie · b948554f · 830fa421 · 30fb3a2e · 30fb3a2e
Commit 30fb3a2e authored 3 years ago by Bastien Abadie
--- a/arkindex/images/api.py
+++ b/arkindex/images/api.py
@@ -158,6 +158,7 @@ class ImageElements(ListAPIView):
    """
    # For OpenAPI type discovery: an image's ID is in the path
    queryset = Image.objects.none()
+    permission_classes = (IsVerified, )
    serializer_class = ElementSlimSerializer

    def get_queryset(self):

--- a/arkindex/images/tests/test_image_elements.py
+++ b/arkindex/images/tests/test_image_elements.py
@@ -13,7 +13,8 @@ class TestImageElements(FixtureTestCase):
        cls.img1 = cls.imgsrv.images.get(path='img1')

    def test_image_elements(self):
-        with self.assertNumQueries(7):
+        self.client.force_login(self.user)
+        with self.assertNumQueries(11):
            response = self.client.get(reverse('api:image-elements', kwargs={'pk': self.img1.id}))
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        data = response.json()
@@ -22,10 +23,16 @@ class TestImageElements(FixtureTestCase):
            ['Volume 1, page 1r', 'Surface A', 'Surface B', 'Text line', 'DATUM', 'PARIS', 'ROY'],
        )

+    def test_image_elements_requires_login(self):
+        with self.assertNumQueries(0):
+            response = self.client.get(reverse('api:image-elements', kwargs={'pk': self.img1.id}))
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
    def test_image_elements_acl(self):
        """
        A user cannot list elements on corpus they have no guest access
        """
+        self.client.force_login(self.user)
        private_corpus = Corpus.objects.create(name="Private", public=False)
        private_type = private_corpus.types.create(slug='cake', display_name='Cake')
        private_elt = private_corpus.elements.create(
@@ -33,7 +40,7 @@ class TestImageElements(FixtureTestCase):
            type=private_type,
            zone=self.img1.zones.create(polygon=[(100, 100), (142, 142), (133, 337), (100, 100)])
        )
-        with self.assertNumQueries(7):
+        with self.assertNumQueries(11):
            response = self.client.get(reverse('api:image-elements', kwargs={'pk': self.img1.id}))
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        results = response.json()['results']
@@ -43,6 +50,7 @@ class TestImageElements(FixtureTestCase):
        self.assertFalse(private_elt.name in response_names)

    def test_image_elements_type_filter(self):
+        self.client.force_login(self.user)
        # Create an element of a different type with a zone
        cake_type = self.corpus.types.create(slug='cake', display_name='Cake')
        self.corpus.elements.create(
@@ -51,7 +59,7 @@ class TestImageElements(FixtureTestCase):
            zone=self.img1.zones.create(polygon=[(0, 0), (42, 42), (13, 37), (0, 0)]),
        )

-        with self.assertNumQueries(7):
+        with self.assertNumQueries(11):
            response = self.client.get(reverse('api:image-elements', kwargs={'pk': self.img1.id}) + '?type=cake')
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        data = response.json()
@@ -61,13 +69,14 @@ class TestImageElements(FixtureTestCase):
        )

    def test_image_elements_folder_filter(self):
+        self.client.force_login(self.user)
        # Add a zone on a folder
        vol = self.corpus.elements.get(name='Volume 1')
        self.assertTrue(vol.type.folder)
        vol.zone = self.img1.zones.create(polygon=[(0, 0), (0, 1), (1, 1), (0, 0)])
        vol.save()

-        with self.assertNumQueries(7):
+        with self.assertNumQueries(11):
            response = self.client.get(reverse('api:image-elements', kwargs={'pk': self.img1.id}) + '?folder')
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        data = response.json()
@@ -80,6 +89,7 @@ class TestImageElements(FixtureTestCase):
        """
        Elements with the same type and name should be ordered by ID
        """
+        self.client.force_login(self.user)
        elt_type = self.corpus.types.create(slug='duplicated', display_name='Duplicated')
        elts = Element.objects.bulk_create([
            Element(
@@ -89,7 +99,7 @@ class TestImageElements(FixtureTestCase):
                zone=self.img1.zones.create(polygon=[(i, i), (i, 200), (200, 200), (200, i), (i, i)])
            ) for i in range(40)
        ])
-        with self.assertNumQueries(7):
+        with self.assertNumQueries(11):
            response = self.client.get(reverse('api:image-elements', kwargs={'pk': self.img1.id}), {'type': 'duplicated'})
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        data = response.json()