from datetime import timedelta from django.urls import reverse from django.utils import timezone from misago.threads import test from misago.threads.models import Post, Thread from misago.threads.test import patch_category_acl from .test_threads_api import ThreadsApiTestCase class PostDeleteApiTests(ThreadsApiTestCase): def setUp(self): super().setUp() self.post = test.reply_thread(self.thread, poster=self.user) self.api_link = reverse( "misago:api:thread-post-detail", kwargs={"thread_pk": self.thread.pk, "pk": self.post.pk}, ) def test_delete_anonymous(self): """api validates if deleting user is authenticated""" self.logout_user() response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "This action is not available to guests."} ) @patch_category_acl({"can_hide_posts": 1, "can_hide_own_posts": 1}) def test_no_permission(self): """api validates permission to delete post""" response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "You can't delete posts in this category."} ) @patch_category_acl( {"can_hide_posts": 1, "can_hide_own_posts": 2, "post_edit_time": 0} ) def test_delete_other_user_post_no_permission(self): """api valdiates if user can delete other users posts""" self.post.poster = None self.post.save() response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "You can't delete other users posts in this category."}, ) @patch_category_acl( {"can_hide_posts": 1, "can_hide_own_posts": 2, "post_edit_time": 0} ) def test_delete_protected_post_no_permission(self): """api validates if user can delete protected post""" self.post.is_protected = True self.post.save() response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "This post is protected. You can't delete it."} ) @patch_category_acl( {"can_hide_posts": 1, "can_hide_own_posts": 2, "post_edit_time": 1} ) def test_delete_protected_post_after_edit_time(self): """api validates if user can delete delete post after edit time""" self.post.posted_on = timezone.now() - timedelta(minutes=10) self.post.save() response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "You can't delete posts that are older than 1 minute."}, ) @patch_category_acl( { "can_hide_posts": 0, "can_hide_own_posts": 2, "post_edit_time": 0, "can_close_threads": False, } ) def test_delete_post_closed_thread_no_permission(self): """api valdiates if user can delete posts in closed threads""" self.thread.is_closed = True self.thread.save() response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "This thread is closed. You can't delete posts in it."}, ) @patch_category_acl( { "can_hide_posts": 0, "can_hide_own_posts": 2, "post_edit_time": 0, "can_close_threads": False, } ) def test_delete_post_closed_category_no_permission(self): """api valdiates if user can delete posts in closed categories""" self.category.is_closed = True self.category.save() response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "This category is closed. You can't delete posts in it."}, ) @patch_category_acl({"can_hide_posts": 2, "can_hide_own_posts": 2}) def test_delete_first_post(self): """api disallows first post deletion""" api_link = reverse( "misago:api:thread-post-detail", kwargs={"thread_pk": self.thread.pk, "pk": self.thread.first_post_id}, ) response = self.client.delete(api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "You can't delete thread's first post."} ) @patch_category_acl({"can_hide_posts": 2, "can_hide_own_posts": 2}) def test_delete_best_answer(self): """api disallows best answer deletion""" self.thread.set_best_answer(self.user, self.post) self.thread.save() response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "You can't delete this post because its marked as best answer."}, ) @patch_category_acl( {"can_hide_posts": 0, "can_hide_own_posts": 2, "post_edit_time": 0} ) def test_delete_owned_post(self): """api deletes owned thread post""" response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 200) self.thread = Thread.objects.get(pk=self.thread.pk) self.assertNotEqual(self.thread.last_post_id, self.post.pk) with self.assertRaises(Post.DoesNotExist): self.thread.post_set.get(pk=self.post.pk) @patch_category_acl({"can_hide_posts": 2, "can_hide_own_posts": 0}) def test_delete_post(self): """api deletes thread post""" response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 200) self.thread = Thread.objects.get(pk=self.thread.pk) self.assertNotEqual(self.thread.last_post_id, self.post.pk) with self.assertRaises(Post.DoesNotExist): self.thread.post_set.get(pk=self.post.pk) class EventDeleteApiTests(ThreadsApiTestCase): def setUp(self): super().setUp() self.event = test.reply_thread( self.thread, poster=self.user, is_event=True ) self.api_link = reverse( "misago:api:thread-post-detail", kwargs={"thread_pk": self.thread.pk, "pk": self.event.pk}, ) def test_delete_anonymous(self): """api validates if deleting user is authenticated""" self.logout_user() response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "This action is not available to guests."} ) @patch_category_acl( {"can_hide_posts": 2, "can_hide_own_posts": 0, "can_hide_events": 0} ) def test_no_permission(self): """api validates permission to delete event""" response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "You can't delete events in this category."} ) @patch_category_acl( { "can_hide_posts": 2, "can_hide_own_posts": 0, "can_hide_events": 2, "can_close_threads": False, } ) def test_delete_event_closed_thread_no_permission(self): """api valdiates if user can delete events in closed threads""" self.thread.is_closed = True self.thread.save() response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "This thread is closed. You can't delete events in it."}, ) @patch_category_acl( {"can_hide_posts": 2, "can_hide_events": 2, "can_close_threads": False} ) def test_delete_event_closed_category_no_permission(self): """api valdiates if user can delete events in closed categories""" self.category.is_closed = True self.category.save() response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 403) self.assertEqual( response.json(), {"detail": "This category is closed. You can't delete events in it."}, ) @patch_category_acl({"can_hide_posts": 0, "can_hide_events": 2}) def test_delete_event(self): """api differs posts from events""" response = self.client.delete(self.api_link) self.assertEqual(response.status_code, 200) self.thread = Thread.objects.get(pk=self.thread.pk) self.assertNotEqual(self.thread.last_post_id, self.event.pk) with self.assertRaises(Post.DoesNotExist): self.thread.post_set.get(pk=self.event.pk)