API: only an admin can modify sports

2018-05-01 13:18:37 +02:00 · 2018-05-01 13:18:37 +02:00 · 728bb506fb
commit 728bb506fb
parent bd013deeaf
2 changed files with 116 additions and 1 deletions
--- a/mpwo_api/mpwo_api/activities/activities.py
+++ b/mpwo_api/mpwo_api/activities/activities.py
@ -2,7 +2,7 @@ from flask import Blueprint, jsonify, request
 from mpwo_api import appLog, db
 from sqlalchemy import exc

-from ..users.utils import authenticate
+from ..users.utils import authenticate, is_admin
 from .models import Activity, Sport

 activities_blueprint = Blueprint('activities', __name__)
@ -62,6 +62,13 @@ def get_sport(auth_user_id, sport_id):
@authenticate
 def post_sport(auth_user_id):
    """Post a sport"""
+    if not is_admin(auth_user_id):
+        response_object = {
+            'status': 'error',
+            'message': 'You do not have permissions.'
+        }
+        return jsonify(response_object), 401
+
    sport_data = request.get_json()
    if not sport_data or sport_data.get('label') is None:
        response_object = {
@ -101,6 +108,13 @@ def post_sport(auth_user_id):
@authenticate
 def update_sport(auth_user_id, sport_id):
    """Update a sport"""
+    if not is_admin(auth_user_id):
+        response_object = {
+            'status': 'error',
+            'message': 'You do not have permissions.'
+        }
+        return jsonify(response_object), 401
+
    sport_data = request.get_json()
    if not sport_data or sport_data.get('label') is None:
        response_object = {
@ -149,6 +163,13 @@ def update_sport(auth_user_id, sport_id):
@authenticate
 def delete_sport(auth_user_id, sport_id):
    """Delete a sport"""
+    if not is_admin(auth_user_id):
+        response_object = {
+            'status': 'error',
+            'message': 'You do not have permissions.'
+        }
+        return jsonify(response_object), 401
+
    sports_list = []
    try:
        sport = Sport.query.filter_by(id=sport_id).first()
--- a/mpwo_api/mpwo_api/tests/test_activities.py
+++ b/mpwo_api/mpwo_api/tests/test_activities.py
@ -150,6 +150,38 @@ def test_add_a_sport(app):
    assert 'surfing' in data['data']['sports'][0]['label']


+def test_add_a_sport_not_admin(app):
+    add_user('test', 'test@test.com', '12345678')
+
+    client = app.test_client()
+    resp_login = client.post(
+        '/api/auth/login',
+        data=json.dumps(dict(
+            email='test@test.com',
+            password='12345678'
+        )),
+        content_type='application/json'
+    )
+    response = client.post(
+        '/api/sports',
+        content_type='application/json',
+        data=json.dumps(dict(
+            label='surfing'
+        )),
+        headers=dict(
+            Authorization='Bearer ' + json.loads(
+                resp_login.data.decode()
+            )['auth_token']
+        )
+    )
+    data = json.loads(response.data.decode())
+
+    assert response.status_code == 401
+    assert 'created' not in data['status']
+    assert 'error' in data['status']
+    assert 'You do not have permissions.' in data['message']
+
+
 def test_update_a_sport(app):
    add_admin()
    add_sport('cycling')
@ -184,6 +216,39 @@ def test_update_a_sport(app):
    assert 'cycling updated' in data['data']['sports'][0]['label']


+def test_update_a_sport_not_admin(app):
+    add_user('test', 'test@test.com', '12345678')
+    add_sport('cycling')
+
+    client = app.test_client()
+    resp_login = client.post(
+        '/api/auth/login',
+        data=json.dumps(dict(
+            email='test@test.com',
+            password='12345678'
+        )),
+        content_type='application/json'
+    )
+    response = client.patch(
+        '/api/sports/1',
+        content_type='application/json',
+        data=json.dumps(dict(
+            label='cycling updated'
+        )),
+        headers=dict(
+            Authorization='Bearer ' + json.loads(
+                resp_login.data.decode()
+            )['auth_token']
+        )
+    )
+    data = json.loads(response.data.decode())
+
+    assert response.status_code == 401
+    assert 'success' not in data['status']
+    assert 'error' in data['status']
+    assert 'You do not have permissions.' in data['message']
+
+
 def test_delete_a_sport(app):
    add_admin()
    add_sport('cycling')
@ -207,3 +272,32 @@ def test_delete_a_sport(app):
        )
    )
    assert response.status_code == 204
+
+
+def test_delete_a_sport_not_admin(app):
+    add_user('test', 'test@test.com', '12345678')
+    add_sport('cycling')
+
+    client = app.test_client()
+    resp_login = client.post(
+        '/api/auth/login',
+        data=json.dumps(dict(
+            email='test@test.com',
+            password='12345678'
+        )),
+        content_type='application/json'
+    )
+    response = client.delete(
+        '/api/sports/1',
+        content_type='application/json',
+        headers=dict(
+            Authorization='Bearer ' + json.loads(
+                resp_login.data.decode()
+            )['auth_token']
+        )
+    )
+
+    data = json.loads(response.data.decode())
+    assert response.status_code == 401
+    assert 'error' in data['status']
+    assert 'You do not have permissions.' in data['message']