API: only an admin can modify sports

Sam 2018-05-01 13:18:37 +02:00
parent bd013deeaf
commit 728bb506fb
2 changed files with 116 additions and 1 deletions


@ -2,7 +2,7 @@ from flask import Blueprint, jsonify, request
from mpwo_api import appLog, db from mpwo_api import appLog, db
from sqlalchemy import exc from sqlalchemy import exc
from ..users.utils import authenticate from ..users.utils import authenticate, is_admin
from .models import Activity, Sport from .models import Activity, Sport
activities_blueprint = Blueprint('activities', __name__) activities_blueprint = Blueprint('activities', __name__)
@ -62,6 +62,13 @@ def get_sport(auth_user_id, sport_id):
@authenticate @authenticate
def post_sport(auth_user_id): def post_sport(auth_user_id):
"""Post a sport""" """Post a sport"""
if not is_admin(auth_user_id):
response_object = {
'status': 'error',
'message': 'You do not have permissions.'
}
return jsonify(response_object), 401
sport_data = request.get_json() sport_data = request.get_json()
if not sport_data or sport_data.get('label') is None: if not sport_data or sport_data.get('label') is None:
response_object = { response_object = {
@ -101,6 +108,13 @@ def post_sport(auth_user_id):
@authenticate @authenticate
def update_sport(auth_user_id, sport_id): def update_sport(auth_user_id, sport_id):
"""Update a sport""" """Update a sport"""
if not is_admin(auth_user_id):
response_object = {
'status': 'error',
'message': 'You do not have permissions.'
}
return jsonify(response_object), 401
sport_data = request.get_json() sport_data = request.get_json()
if not sport_data or sport_data.get('label') is None: if not sport_data or sport_data.get('label') is None:
response_object = { response_object = {
@ -149,6 +163,13 @@ def update_sport(auth_user_id, sport_id):
@authenticate @authenticate
def delete_sport(auth_user_id, sport_id): def delete_sport(auth_user_id, sport_id):
"""Delete a sport""" """Delete a sport"""
if not is_admin(auth_user_id):
response_object = {
'status': 'error',
'message': 'You do not have permissions.'
}
return jsonify(response_object), 401
sports_list = [] sports_list = []
try: try:
sport = Sport.query.filter_by(id=sport_id).first() sport = Sport.query.filter_by(id=sport_id).first()
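Review bot: The permission refusal added in post_sport, update_sport and delete_sport returns 401, but at that point the token has already been validated by `@authenticate` and the caller is known; the request is rejected for lack of authority, not lack of authentication, so 403 is the status that conveys this (and clients will not mistake the response for an expired session), i.e. `return jsonify(response_object), 403` in all three handlers. The corresponding tests in the second file assert 401 and would need to change together with it. The same six-line block is now repeated verbatim three times; a small helper or a decorator applied after `@authenticate` would keep the check and its message in one place and make it harder to forget on the next mutating route. All three enclosing functions continue past the end of their hunks.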


@ -150,6 +150,38 @@ def test_add_a_sport(app):
assert 'surfing' in data['data']['sports'][0]['label'] assert 'surfing' in data['data']['sports'][0]['label']
def test_add_a_sport_not_admin(app):
add_user('test', 'test@test.com', '12345678')
client = app.test_client()
resp_login = client.post(
'/api/auth/login',
data=json.dumps(dict(
email='test@test.com',
password='12345678'
)),
content_type='application/json'
)
response = client.post(
'/api/sports',
content_type='application/json',
data=json.dumps(dict(
label='surfing'
)),
headers=dict(
Authorization='Bearer ' + json.loads(
resp_login.data.decode()
)['auth_token']
)
)
data = json.loads(response.data.decode())
assert response.status_code == 401
assert 'created' not in data['status']
assert 'error' in data['status']
assert 'You do not have permissions.' in data['message']
def test_update_a_sport(app): def test_update_a_sport(app):
add_admin() add_admin()
add_sport('cycling') add_sport('cycling')
@ -184,6 +216,39 @@ def test_update_a_sport(app):
assert 'cycling updated' in data['data']['sports'][0]['label'] assert 'cycling updated' in data['data']['sports'][0]['label']
def test_update_a_sport_not_admin(app):
add_user('test', 'test@test.com', '12345678')
add_sport('cycling')
client = app.test_client()
resp_login = client.post(
'/api/auth/login',
data=json.dumps(dict(
email='test@test.com',
password='12345678'
)),
content_type='application/json'
)
response = client.patch(
'/api/sports/1',
content_type='application/json',
data=json.dumps(dict(
label='cycling updated'
)),
headers=dict(
Authorization='Bearer ' + json.loads(
resp_login.data.decode()
)['auth_token']
)
)
data = json.loads(response.data.decode())
assert response.status_code == 401
assert 'success' not in data['status']
assert 'error' in data['status']
assert 'You do not have permissions.' in data['message']
def test_delete_a_sport(app): def test_delete_a_sport(app):
add_admin() add_admin()
add_sport('cycling') add_sport('cycling')
@ -207,3 +272,32 @@ def test_delete_a_sport(app):
) )
) )
assert response.status_code == 204 assert response.status_code == 204
def test_delete_a_sport_not_admin(app):
add_user('test', 'test@test.com', '12345678')
add_sport('cycling')
client = app.test_client()
resp_login = client.post(
'/api/auth/login',
data=json.dumps(dict(
email='test@test.com',
password='12345678'
)),
content_type='application/json'
)
response = client.delete(
'/api/sports/1',
content_type='application/json',
headers=dict(
Authorization='Bearer ' + json.loads(
resp_login.data.decode()
)['auth_token']
)
)
data = json.loads(response.data.decode())
assert response.status_code == 401
assert 'error' in data['status']
assert 'You do not have permissions.' in data['message']
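Review bot: test_delete_a_sport_not_admin only checks the error response; it does not confirm that the refused DELETE left the sport untouched, which is the property the authorization check exists to protect. Following the assertions with a read of `/api/sports/1` and a check that the label is still `'cycling'` (or a direct model query, if the test module already imports the model) would catch a regression where the handler denies but still deletes — which of the two is usable here depends on whether get_sport is open to non-admin users, something this page does not show. The same applies to test_update_a_sport_not_admin, where the label should still be `'cycling'` afterwards. The login-and-token sequence is now copied into every new test; a fixture returning the bearer header for a given user would shorten them and keep the credentials in one place.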