Add IsVerified permission on Validate/RejectClassification endpoints

eb673df2 · Eva Bardou · f798bfe6 · eb673df2 · eb673df2
Commit eb673df2 authored 4 years ago by Eva Bardou
--- a/arkindex/documents/api/ml.py
+++ b/arkindex/documents/api/ml.py
@@ -478,6 +478,7 @@ class ManageClassificationsSelection(SelectionMixin, CorpusACLMixin, CreateAPIVi


 class ClassificationModerationActionsMixin(GenericAPIView):
+    permission_classes = (IsVerified, )
    serializer_class = ClassificationSerializer

    def get_queryset(self):

--- a/arkindex/documents/tests/test_moderation.py
+++ b/arkindex/documents/tests/test_moderation.py
@@ -260,14 +260,27 @@ class TestClasses(FixtureAPITestCase):
        classification.refresh_from_db()
        self.assertEqual(classification.moderator, self.user)

-    def test_classification_validate_without_permissions(self):
+    def test_classification_validate_requires_login(self):
        classification = self.element.classifications.create(
            ml_class=self.text,
            confidence=.5,
        )
        with self.assertNumQueries(0):
            response = self.client.put(reverse('api:classification-validate', kwargs={'pk': classification.id}))
-            self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_classification_validate_requires_verified(self):
+        self.user.verified_email = False
+        self.user.save()
+        self.client.force_login(self.user)
+
+        classification = self.element.classifications.create(
+            ml_class=self.text,
+            confidence=.5,
+        )
+        with self.assertNumQueries(2):
+            response = self.client.put(reverse('api:classification-validate', kwargs={'pk': classification.id}))
+            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_worker_classification_reject(self):
        self.client.force_login(self.user)
@@ -311,11 +324,21 @@ class TestClasses(FixtureAPITestCase):
        with self.assertRaises(Classification.DoesNotExist):
            classification.refresh_from_db()

-    def test_classification_reject_without_permissions(self):
+    def test_classification_reject_requires_login(self):
        classification = self.element.classifications.create(ml_class=self.text, confidence=.42)
        with self.assertNumQueries(0):
            response = self.client.put(reverse('api:classification-reject', kwargs={'pk': classification.id}))
-            self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_classification_reject_requires_verified(self):
+        self.user.verified_email = False
+        self.user.save()
+        self.client.force_login(self.user)
+
+        classification = self.element.classifications.create(ml_class=self.text, confidence=.42)
+        with self.assertNumQueries(2):
+            response = self.client.put(reverse('api:classification-reject', kwargs={'pk': classification.id}))
+            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_classification_can_still_be_moderated(self):
        self.client.force_login(self.user)