From 728bb506fbef9b6cee0baf226fd1d35ae243cb51 Mon Sep 17 00:00:00 2001 From: Sam Date: Tue, 1 May 2018 13:18:37 +0200 Subject: [PATCH] API: only an admin can modify sports --- mpwo_api/mpwo_api/activities/activities.py | 23 +++++- mpwo_api/mpwo_api/tests/test_activities.py | 94 ++++++++++++++++++++++ 2 files changed, 116 insertions(+), 1 deletion(-) diff --git a/mpwo_api/mpwo_api/activities/activities.py b/mpwo_api/mpwo_api/activities/activities.py index e14f10c6..0f9740dd 100644 --- a/mpwo_api/mpwo_api/activities/activities.py +++ b/mpwo_api/mpwo_api/activities/activities.py @@ -2,7 +2,7 @@ from flask import Blueprint, jsonify, request from mpwo_api import appLog, db from sqlalchemy import exc -from ..users.utils import authenticate +from ..users.utils import authenticate, is_admin from .models import Activity, Sport activities_blueprint = Blueprint('activities', __name__) @@ -62,6 +62,13 @@ def get_sport(auth_user_id, sport_id): @authenticate def post_sport(auth_user_id): """Post a sport""" + if not is_admin(auth_user_id): + response_object = { + 'status': 'error', + 'message': 'You do not have permissions.' + } + return jsonify(response_object), 401 + sport_data = request.get_json() if not sport_data or sport_data.get('label') is None: response_object = { @@ -101,6 +108,13 @@ def post_sport(auth_user_id): @authenticate def update_sport(auth_user_id, sport_id): """Update a sport""" + if not is_admin(auth_user_id): + response_object = { + 'status': 'error', + 'message': 'You do not have permissions.' + } + return jsonify(response_object), 401 + sport_data = request.get_json() if not sport_data or sport_data.get('label') is None: response_object = { 
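Review bot: The new gate in post_sport answers an authenticated user who is not an admin with 401, which by HTTP semantics signals missing or invalid credentials and tells clients to re-authenticate; the caller here is authenticated but not permitted, so 403 is the conventional status, i.e. `return jsonify(response_object), 403`, unless the rest of the API already uses 401 for this case. The same seven-line block is pasted verbatim into update_sport in the next hunk and into delete_sport in the following activities.py hunk; folding it into a small decorator layered on `@authenticate` (whatever name the project prefers) would keep the three copies from drifting and make it harder to forget the check on a future write endpoint. The check runs before `request.get_json()` is parsed, which is the right order. post_sport's body continues past the end of this hunk, as does update_sport's.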
@@ -149,6 +163,13 @@ def update_sport(auth_user_id, sport_id): @authenticate def delete_sport(auth_user_id, sport_id): """Delete a sport""" + if not is_admin(auth_user_id): + response_object = { + 'status': 'error', + 'message': 'You do not have permissions.' + } + return jsonify(response_object), 401 + sports_list = [] try: sport = Sport.query.filter_by(id=sport_id).first() diff --git a/mpwo_api/mpwo_api/tests/test_activities.py b/mpwo_api/mpwo_api/tests/test_activities.py index bc40bc09..b97cc5ca 100644 --- a/mpwo_api/mpwo_api/tests/test_activities.py +++ b/mpwo_api/mpwo_api/tests/test_activities.py @@ -150,6 +150,38 @@ def test_add_a_sport(app): assert 'surfing' in data['data']['sports'][0]['label'] +def test_add_a_sport_not_admin(app): + add_user('test', 'test@test.com', '12345678') + + client = app.test_client() + resp_login = client.post( + '/api/auth/login', + data=json.dumps(dict( + email='test@test.com', + password='12345678' + )), + content_type='application/json' + ) + response = client.post( + '/api/sports', + content_type='application/json', + data=json.dumps(dict( + label='surfing' + )), + headers=dict( + Authorization='Bearer ' + json.loads( + resp_login.data.decode() + )['auth_token'] + ) + ) + data = json.loads(response.data.decode()) + + assert response.status_code == 401 + assert 'created' not in data['status'] + assert 'error' in data['status'] + assert 'You do not have permissions.' in data['message'] + + def test_update_a_sport(app): add_admin() add_sport('cycling') 
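Review bot: test_add_a_sport_not_admin checks the status code and message of the rejected POST but never verifies that no sport was actually created, which is the property the commit exists to guarantee; a follow-up `client.get('/api/sports', headers=...)` asserting an empty `data['data']['sports']` would pin it. The same gap applies to test_update_a_sport_not_admin and test_delete_a_sport_not_admin in the next hunks, where a GET on `/api/sports/1` after the 401 should still return the unchanged `cycling` label. As written, a regression that returned 401 after performing the write would pass all three tests.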
@@ -184,6 +216,39 @@ def test_update_a_sport(app): assert 'cycling updated' in data['data']['sports'][0]['label'] +def test_update_a_sport_not_admin(app): + add_user('test', 'test@test.com', '12345678') + add_sport('cycling') + + client = app.test_client() + resp_login = client.post( + '/api/auth/login', + data=json.dumps(dict( + email='test@test.com', + password='12345678' + )), + content_type='application/json' + ) + response = client.patch( + '/api/sports/1', + content_type='application/json', + data=json.dumps(dict( + label='cycling updated' + )), + headers=dict( + Authorization='Bearer ' + json.loads( + resp_login.data.decode() + )['auth_token'] + ) + ) + data = json.loads(response.data.decode()) + + assert response.status_code == 401 + assert 'success' not in data['status'] + assert 'error' in data['status'] + assert 'You do not have permissions.' in data['message'] + + def test_delete_a_sport(app): add_admin() add_sport('cycling') @@ -207,3 +272,32 @@ def test_delete_a_sport(app): ) ) assert response.status_code == 204 + + +def test_delete_a_sport_not_admin(app): + add_user('test', 'test@test.com', '12345678') + add_sport('cycling') + + client = app.test_client() + resp_login = client.post( + '/api/auth/login', + data=json.dumps(dict( + email='test@test.com', + password='12345678' + )), + content_type='application/json' + ) + response = client.delete( + '/api/sports/1', + content_type='application/json', + headers=dict( + Authorization='Bearer ' + json.loads( + resp_login.data.decode() + )['auth_token'] + ) + ) + + data = json.loads(response.data.decode()) + assert response.status_code == 401 + assert 'error' in data['status'] + assert 'You do not have permissions.' in data['message']
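Review bot: test_update_a_sport_not_admin and test_delete_a_sport_not_admin address the sport as `/api/sports/1`, which relies on the table's auto-increment restarting for every test; if the `app` fixture ever stops recreating the schema per test, both would start hitting a missing row and the assertions would fail for the wrong reason. Capturing the id from `add_sport('cycling')` (if it returns the model) or from a GET on `/api/sports` would decouple the tests from that detail. The login-then-extract-token sequence is now repeated in every new test; a helper along the lines of `token = login(client, 'test@test.com', '12345678')` would shorten each test to the request and its assertions.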