API: only an admin can modify sports
parent
bd013deeaf
commit
728bb506fb
@ -2,7 +2,7 @@ from flask import Blueprint, jsonify, request
|
||||
from mpwo_api import appLog, db
|
||||
from sqlalchemy import exc
|
||||
|
||||
from ..users.utils import authenticate
|
||||
from ..users.utils import authenticate, is_admin
|
||||
from .models import Activity, Sport
|
||||
|
||||
activities_blueprint = Blueprint('activities', __name__)
|
||||
@ -62,6 +62,13 @@ def get_sport(auth_user_id, sport_id):
|
||||
@authenticate
|
||||
def post_sport(auth_user_id):
|
||||
"""Post a sport"""
|
||||
if not is_admin(auth_user_id):
|
||||
response_object = {
|
||||
'status': 'error',
|
||||
'message': 'You do not have permissions.'
|
||||
}
|
||||
return jsonify(response_object), 401
|
||||
|
||||
sport_data = request.get_json()
|
||||
if not sport_data or sport_data.get('label') is None:
|
||||
response_object = {
|
||||
@ -101,6 +108,13 @@ def post_sport(auth_user_id):
|
||||
@authenticate
|
||||
def update_sport(auth_user_id, sport_id):
|
||||
"""Update a sport"""
|
||||
if not is_admin(auth_user_id):
|
||||
response_object = {
|
||||
'status': 'error',
|
||||
'message': 'You do not have permissions.'
|
||||
}
|
||||
return jsonify(response_object), 401
|
||||
|
||||
sport_data = request.get_json()
|
||||
if not sport_data or sport_data.get('label') is None:
|
||||
response_object = {
|
||||
@ -149,6 +163,13 @@ def update_sport(auth_user_id, sport_id):
|
||||
@authenticate
|
||||
def delete_sport(auth_user_id, sport_id):
|
||||
"""Delete a sport"""
|
||||
if not is_admin(auth_user_id):
|
||||
response_object = {
|
||||
'status': 'error',
|
||||
'message': 'You do not have permissions.'
|
||||
}
|
||||
return jsonify(response_object), 401
|
||||
|
||||
sports_list = []
|
||||
try:
|
||||
sport = Sport.query.filter_by(id=sport_id).first()
|
||||
|
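Review bot: The permission check added to post_sport, update_sport and delete_sport answers a successfully authenticated but non-admin caller with 401, which HTTP reserves for missing or invalid credentials; 403 is the status for "authenticated, not allowed", and a 401 here may lead API clients to discard a perfectly valid token and re-prompt for login. Unless the project deliberately uses 401 for every denial (the `authenticate` decorator is not visible here, so I cannot confirm its convention), `return jsonify(response_object), 403` in all three functions, with the three new tests updated to match, would be the accurate signal. The identical seven-line block is also pasted three times; a small module-level helper such as `def forbidden(): return jsonify({'status': 'error', 'message': 'You do not have permissions.'}), 403` called as `if not is_admin(auth_user_id): return forbidden()` keeps the three handlers in step if the wording or status changes again. Each of the three handlers continues past its hunk.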
@ -150,6 +150,38 @@ def test_add_a_sport(app):
|
||||
assert 'surfing' in data['data']['sports'][0]['label']
|
||||
|
||||
|
||||
def test_add_a_sport_not_admin(app):
|
||||
add_user('test', 'test@test.com', '12345678')
|
||||
|
||||
client = app.test_client()
|
||||
resp_login = client.post(
|
||||
'/api/auth/login',
|
||||
data=json.dumps(dict(
|
||||
email='test@test.com',
|
||||
password='12345678'
|
||||
)),
|
||||
content_type='application/json'
|
||||
)
|
||||
response = client.post(
|
||||
'/api/sports',
|
||||
content_type='application/json',
|
||||
data=json.dumps(dict(
|
||||
label='surfing'
|
||||
)),
|
||||
headers=dict(
|
||||
Authorization='Bearer ' + json.loads(
|
||||
resp_login.data.decode()
|
||||
)['auth_token']
|
||||
)
|
||||
)
|
||||
data = json.loads(response.data.decode())
|
||||
|
||||
assert response.status_code == 401
|
||||
assert 'created' not in data['status']
|
||||
assert 'error' in data['status']
|
||||
assert 'You do not have permissions.' in data['message']
|
||||
|
||||
|
||||
def test_update_a_sport(app):
|
||||
add_admin()
|
||||
add_sport('cycling')
|
||||
@ -184,6 +216,39 @@ def test_update_a_sport(app):
|
||||
assert 'cycling updated' in data['data']['sports'][0]['label']
|
||||
|
||||
|
||||
def test_update_a_sport_not_admin(app):
|
||||
add_user('test', 'test@test.com', '12345678')
|
||||
add_sport('cycling')
|
||||
|
||||
client = app.test_client()
|
||||
resp_login = client.post(
|
||||
'/api/auth/login',
|
||||
data=json.dumps(dict(
|
||||
email='test@test.com',
|
||||
password='12345678'
|
||||
)),
|
||||
content_type='application/json'
|
||||
)
|
||||
response = client.patch(
|
||||
'/api/sports/1',
|
||||
content_type='application/json',
|
||||
data=json.dumps(dict(
|
||||
label='cycling updated'
|
||||
)),
|
||||
headers=dict(
|
||||
Authorization='Bearer ' + json.loads(
|
||||
resp_login.data.decode()
|
||||
)['auth_token']
|
||||
)
|
||||
)
|
||||
data = json.loads(response.data.decode())
|
||||
|
||||
assert response.status_code == 401
|
||||
assert 'success' not in data['status']
|
||||
assert 'error' in data['status']
|
||||
assert 'You do not have permissions.' in data['message']
|
||||
|
||||
|
||||
def test_delete_a_sport(app):
|
||||
add_admin()
|
||||
add_sport('cycling')
|
||||
@ -207,3 +272,32 @@ def test_delete_a_sport(app):
|
||||
)
|
||||
)
|
||||
assert response.status_code == 204
|
||||
|
||||
|
||||
def test_delete_a_sport_not_admin(app):
|
||||
add_user('test', 'test@test.com', '12345678')
|
||||
add_sport('cycling')
|
||||
|
||||
client = app.test_client()
|
||||
resp_login = client.post(
|
||||
'/api/auth/login',
|
||||
data=json.dumps(dict(
|
||||
email='test@test.com',
|
||||
password='12345678'
|
||||
)),
|
||||
content_type='application/json'
|
||||
)
|
||||
response = client.delete(
|
||||
'/api/sports/1',
|
||||
content_type='application/json',
|
||||
headers=dict(
|
||||
Authorization='Bearer ' + json.loads(
|
||||
resp_login.data.decode()
|
||||
)['auth_token']
|
||||
)
|
||||
)
|
||||
|
||||
data = json.loads(response.data.decode())
|
||||
assert response.status_code == 401
|
||||
assert 'error' in data['status']
|
||||
assert 'You do not have permissions.' in data['message']
|
||||
|
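Review bot: test_update_a_sport_not_admin and test_delete_a_sport_not_admin only check the error response and never confirm that the denied request left the sport untouched, so a regression where the handler returns the error after performing the write would still pass. After the status assertions each test should verify the stored state, e.g. for the delete case fetch the sport again with the same bearer token (`client.get('/api/sports/1', headers=...)`, assuming get_sport is mounted on that path, which the hunk headers suggest but do not show) and assert it is still present, and for the update case assert the label is still `'cycling'`. The same three tests would also benefit from asserting an exact status (`data['status'] == 'error'`) rather than substring membership, since `'error' in data['status']` also matches strings like 'no error'. These tests are complete within their hunks.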