Merge branch 'corpus-roles-permissions' into 'master'

Add IsVerifiedOrReadnly permission on CorpusRoles class Closes #547 See merge request !1164

Merge branch 'corpus-roles-permissions' into 'master'
eaf0e45e · Erwan Rouchet · 23bc698b · 23d74b37 · eaf0e45e · eaf0e45e
Commit eaf0e45e authored 4 years ago by Erwan Rouchet
--- a/arkindex/documents/api/entities.py
+++ b/arkindex/documents/api/entities.py
@@ -49,6 +49,7 @@ class CorpusRoles(CorpusACLMixin, ListCreateAPIView):
    """
    List all roles in a corpus
    """
+    permission_classes = (IsVerifiedOrReadOnly, )
    serializer_class = EntityRoleSerializer
    openapi_overrides = {
        'tags': ['entities']

--- a/arkindex/documents/tests/test_entities_api.py
+++ b/arkindex/documents/tests/test_entities_api.py
@@ -206,7 +206,7 @@ class TestEntitiesAPI(FixtureAPITestCase):
            'id': str(self.corpus.id)
        })

-    def test_create_role_not_verified(self):
+    def test_create_role_requires_login(self):
        data = {
            'parent_name': 'other parent',
            'child_name': 'other child',
@@ -214,11 +214,38 @@ class TestEntitiesAPI(FixtureAPITestCase):
            'child_type': EntityType.Location.value
        }
        response = self.client.post(reverse('api:corpus-roles', kwargs={'pk': str(self.corpus.id)}), data=data)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_create_role_requires_verified(self):
+        self.user.verified_email = False
+        self.user.save()
+        self.client.force_login(self.user)
+
+        data = {
+            'parent_name': 'other parent',
+            'child_name': 'other child',
+            'parent_type': EntityType.Organization.value,
+            'child_type': EntityType.Location.value
+        }
+        response = self.client.post(reverse('api:corpus-roles', kwargs={'pk': str(self.corpus.id)}), data=data)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_create_role_no_corpus_rights(self):
+        self.client.force_login(self.user)
+
+        private_corpus = Corpus.objects.create(name='private')
+        data = {
+            'parent_name': 'other parent',
+            'child_name': 'other child',
+            'parent_type': EntityType.Organization.value,
+            'child_type': EntityType.Location.value
+        }
+        response = self.client.post(reverse('api:corpus-roles', kwargs={'pk': str(private_corpus.id)}), data=data)
        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
        data = response.json()
        self.assertEqual(data, {
            'corpus': ['You do not have write access to this corpus'],
-            'id': [str(self.corpus.id)]
+            'id': [str(private_corpus.id)]
        })

    @patch('arkindex.project.triggers.tasks.reindex_start.delay')