| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241 |
- from datetime import timedelta
- from django.urls import reverse
- from django.utils import timezone
- from misago.threads import testutils
- from misago.threads.models import Post, Thread
- from .test_threads_api import ThreadsApiTestCase
- class PostDeleteApiTests(ThreadsApiTestCase):
- def setUp(self):
- super(PostDeleteApiTests, self).setUp()
- self.post = testutils.reply_thread(self.thread, poster=self.user)
- self.api_link = reverse(
- 'misago:api:thread-post-detail',
- kwargs={
- 'thread_pk': self.thread.pk,
- 'pk': self.post.pk,
- }
- )
- def test_delete_anonymous(self):
- """api validates if deleting user is authenticated"""
- self.logout_user()
- response = self.client.delete(self.api_link)
- self.assertContains(response, "This action is not available to guests.", status_code=403)
- def test_no_permission(self):
- """api validates permission to delete post"""
- self.override_acl({'can_hide_own_posts': 1, 'can_hide_posts': 1})
- response = self.client.delete(self.api_link)
- self.assertContains(response, "You can't delete posts in this category.", status_code=403)
- def test_delete_other_user_post_no_permission(self):
- """api valdiates if user can delete other users posts"""
- self.override_acl({
- 'post_edit_time': 0,
- 'can_hide_own_posts': 2,
- 'can_hide_posts': 0,
- })
- self.post.poster = None
- self.post.save()
- response = self.client.delete(self.api_link)
- self.assertContains(
- response, "You can't delete other users posts in this category", status_code=403
- )
- def test_delete_protected_post_no_permission(self):
- """api validates if user can delete protected post"""
- self.override_acl({
- 'can_protect_posts': 0,
- 'can_hide_own_posts': 2,
- 'can_hide_posts': 0,
- })
- self.post.is_protected = True
- self.post.save()
- response = self.client.delete(self.api_link)
- self.assertContains(
- response, "This post is protected. You can't delete it.", status_code=403
- )
- def test_delete_protected_post_after_edit_time(self):
- """api validates if user can delete delete post after edit time"""
- self.override_acl({
- 'post_edit_time': 1,
- 'can_hide_own_posts': 2,
- 'can_hide_posts': 0,
- })
- self.post.posted_on = timezone.now() - timedelta(minutes=10)
- self.post.save()
- response = self.client.delete(self.api_link)
- self.assertContains(
- response, "You can't delete posts that are older than 1 minute.", status_code=403
- )
- def test_delete_post_closed_thread_no_permission(self):
- """api valdiates if user can delete posts in closed threads"""
- self.override_acl({
- 'can_hide_own_posts': 2,
- 'can_hide_posts': 0,
- })
- self.thread.is_closed = True
- self.thread.save()
- response = self.client.delete(self.api_link)
- self.assertContains(
- response, "This thread is closed. You can't delete posts in it.", status_code=403
- )
- def test_delete_post_closed_category_no_permission(self):
- """api valdiates if user can delete posts in closed categories"""
- self.override_acl({
- 'can_hide_own_posts': 2,
- 'can_hide_posts': 0,
- })
- self.category.is_closed = True
- self.category.save()
- response = self.client.delete(self.api_link)
- self.assertContains(
- response, "This category is closed. You can't delete posts in it.", status_code=403
- )
- def test_delete_first_post(self):
- """api disallows first post's deletion"""
- self.override_acl({'can_hide_own_posts': 2, 'can_hide_posts': 2})
- api_link = reverse(
- 'misago:api:thread-post-detail',
- kwargs={
- 'thread_pk': self.thread.pk,
- 'pk': self.thread.first_post_id,
- }
- )
- response = self.client.delete(api_link)
- self.assertContains(response, "You can't delete thread's first post.", status_code=403)
- def test_delete_owned_post(self):
- """api deletes owned thread post"""
- self.override_acl({
- 'post_edit_time': 0,
- 'can_hide_own_posts': 2,
- 'can_hide_posts': 0,
- })
- response = self.client.delete(self.api_link)
- self.assertEqual(response.status_code, 200)
- self.thread = Thread.objects.get(pk=self.thread.pk)
- self.assertNotEqual(self.thread.last_post_id, self.post.pk)
- with self.assertRaises(Post.DoesNotExist):
- self.thread.post_set.get(pk=self.post.pk)
- def test_delete_post(self):
- """api deletes thread post"""
- self.override_acl({'can_hide_own_posts': 0, 'can_hide_posts': 2})
- response = self.client.delete(self.api_link)
- self.assertEqual(response.status_code, 200)
- self.thread = Thread.objects.get(pk=self.thread.pk)
- self.assertNotEqual(self.thread.last_post_id, self.post.pk)
- with self.assertRaises(Post.DoesNotExist):
- self.thread.post_set.get(pk=self.post.pk)
- class EventDeleteApiTests(ThreadsApiTestCase):
- def setUp(self):
- super(EventDeleteApiTests, self).setUp()
- self.event = testutils.reply_thread(self.thread, poster=self.user, is_event=True)
- self.api_link = reverse(
- 'misago:api:thread-post-detail',
- kwargs={
- 'thread_pk': self.thread.pk,
- 'pk': self.event.pk,
- }
- )
- def test_delete_anonymous(self):
- """api validates if deleting user is authenticated"""
- self.logout_user()
- response = self.client.delete(self.api_link)
- self.assertContains(response, "This action is not available to guests.", status_code=403)
- def test_no_permission(self):
- """api validates permission to delete event"""
- self.override_acl({
- 'can_hide_own_posts': 2,
- 'can_hide_posts': 2,
- 'can_hide_events': 0,
- })
- response = self.client.delete(self.api_link)
- self.assertContains(response, "You can't delete events in this category.", status_code=403)
- def test_delete_event_closed_thread_no_permission(self):
- """api valdiates if user can delete events in closed threads"""
- self.override_acl({
- 'can_hide_events': 2,
- 'can_close_threads': 0,
- })
- self.thread.is_closed = True
- self.thread.save()
- response = self.client.delete(self.api_link)
- self.assertContains(
- response, "This thread is closed. You can't delete events in it.", status_code=403
- )
- def test_delete_event_closed_category_no_permission(self):
- """api valdiates if user can delete events in closed categories"""
- self.override_acl({
- 'can_hide_events': 2,
- 'can_close_threads': 0,
- })
- self.category.is_closed = True
- self.category.save()
- response = self.client.delete(self.api_link)
- self.assertContains(
- response, "This category is closed. You can't delete events in it.", status_code=403
- )
- def test_delete_event(self):
- """api differs posts from events"""
- self.override_acl({
- 'can_hide_own_posts': 0,
- 'can_hide_posts': 0,
- 'can_hide_events': 2,
- })
- response = self.client.delete(self.api_link)
- self.assertEqual(response.status_code, 200)
- self.thread = Thread.objects.get(pk=self.thread.pk)
- self.assertNotEqual(self.thread.last_post_id, self.event.pk)
- with self.assertRaises(Post.DoesNotExist):
- self.thread.post_set.get(pk=self.event.pk)
|
