Merge branch 'restrict-update-corpus' into 'master'

Restrict access on corpus edition to its admins See merge request !1192

Merge branch 'restrict-update-corpus' into 'master'
edff9684 · Bastien Abadie · 23733921 · 42d03169 · edff9684 · edff9684
Commit edff9684 authored 4 years ago by Bastien Abadie
--- a/arkindex/documents/api/elements.py
+++ b/arkindex/documents/api/elements.py
@@ -871,9 +871,7 @@ class CorpusRetrieve(ACLMixin, RetrieveUpdateDestroyAPIView):

        if self.request.method in permissions.SAFE_METHODS:
            return
-        role = Role.Contributor
-        if request.method == 'DELETE':
-            role = Role.Admin
+        role = Role.Admin
        if not self.has_access(obj, role.value):
            access_repr = 'admin' if role == Role.Admin else 'write'
            raise PermissionDenied(detail=f'You do not have {access_repr} access to this corpus.')

--- a/arkindex/documents/tests/test_corpus.py
+++ b/arkindex/documents/tests/test_corpus.py
@@ -8,7 +8,7 @@ from rest_framework import status
 from arkindex.documents.models import Corpus, Element
 from arkindex.project.default_corpus import DEFAULT_CORPUS_TYPES
 from arkindex.project.tests import FixtureAPITestCase
-from arkindex.users.models import Role
+from arkindex.users.models import Role, User

 FAKE_NOW = datetime.datetime.now()
 # Fake DB fixtures creation date
@@ -60,6 +60,8 @@ class TestCorpus(FixtureAPITestCase):
            mock_now.return_value = FAKE_NOW
            cls.corpus_private = Corpus.objects.create(name='B Private')
        cls.corpus_private.memberships.create(user=cls.user, level=Role.Contributor.value)
+        cls.corpus_admin = User.objects.create(email='another_user@user.fr', verified_email=True)
+        cls.corpus_private.memberships.create(user=cls.corpus_admin, level=Role.Admin.value)
        with patch('django.utils.timezone.now') as mock_now:
            mock_now.return_value = FAKE_NOW
            cls.corpus_hidden = Corpus.objects.create(name='C Hidden')
@@ -116,7 +118,7 @@ class TestCorpus(FixtureAPITestCase):
                    'name': 'B Private',
                    'description': '',
                    'created': str(FAKE_NOW).replace(' ', 'T') + 'Z',
-                    'authorized_users': 1,
+                    'authorized_users': 2,
                },
                {
                    'id': str(self.corpus_public.id),
@@ -156,7 +158,7 @@ class TestCorpus(FixtureAPITestCase):
                    'name': 'B Private',
                    'description': '',
                    'created': str(FAKE_NOW).replace(' ', 'T') + 'Z',
-                    'authorized_users': 1,
+                    'authorized_users': 2,
                },
                {
                    'id': str(self.corpus_hidden.id),
@@ -295,7 +297,7 @@ class TestCorpus(FixtureAPITestCase):
            'rights': ['read', 'write'],
            'types': [],
            'created': str(FAKE_NOW).replace(' ', 'T') + 'Z',
-            'authorized_users': 1,
+            'authorized_users': 2,
        })

    def test_retrieve_requires_login(self):
@@ -303,7 +305,7 @@ class TestCorpus(FixtureAPITestCase):
        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)

    def test_update(self):
-        self.client.force_login(self.user)
+        self.client.force_login(self.corpus_admin)
        response = self.client.patch(reverse('api:corpus-retrieve', kwargs={'pk': self.corpus_private.id}), {
            'name': 'new name',
            'description': 'new description',
@@ -317,7 +319,7 @@ class TestCorpus(FixtureAPITestCase):
        """
        A normal user should not be able to make a private corpus public
        """
-        self.client.force_login(self.user)
+        self.client.force_login(self.corpus_admin)
        response = self.client.patch(reverse('api:corpus-retrieve', kwargs={'pk': self.corpus_private.id}), {
            'public': True
        })
@@ -352,7 +354,7 @@ class TestCorpus(FixtureAPITestCase):
            'description': 'Bla bla bla'
        })
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
-        self.assertDictEqual(response.json(), {'detail': 'You do not have write access to this corpus.'})
+        self.assertDictEqual(response.json(), {'detail': 'You do not have admin access to this corpus.'})

    def test_update_requires_login(self):
        response = self.client.patch(reverse('api:corpus-retrieve', kwargs={'pk': self.corpus_private.id}), {
@@ -361,6 +363,15 @@ class TestCorpus(FixtureAPITestCase):
        })
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

+    def test_update_requires_admin_right_on_corpus(self):
+        self.client.force_login(self.user)
+        response = self.client.patch(reverse('api:corpus-retrieve', kwargs={'pk': self.corpus_private.id}), {
+            'name': 'new name',
+            'description': 'new description',
+        })
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertDictEqual(response.json(), {'detail': 'You do not have admin access to this corpus.'})
+
    def test_delete_requires_login(self):
        response = self.client.delete(reverse('api:corpus-retrieve', kwargs={'pk': self.corpus_private.id}))
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)