From ddb4b3352c348211d3c7eb268db91cbae2d801a0 Mon Sep 17 00:00:00 2001
From: Dominik Bruhn
Date: Fri, 7 Jun 2024 16:51:18 +0200
Subject: [PATCH] Add permission test for merging with deletion

---
 src/documents/tests/test_api_bulk_edit.py | 46 +++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/src/documents/tests/test_api_bulk_edit.py b/src/documents/tests/test_api_bulk_edit.py
index 7078aca12..1645a4df1 100644
--- a/src/documents/tests/test_api_bulk_edit.py
+++ b/src/documents/tests/test_api_bulk_edit.py
@@ -994,6 +994,52 @@ class TestBulkEditAPI(DirectoriesMixin, APITestCase):
 self.assertCountEqual(args[0], [self.doc2.id, self.doc3.id])
 self.assertEqual(kwargs["metadata_document_id"], self.doc3.id)

+ @mock.patch("documents.serialisers.bulk_edit.merge")
+ def test_merge_and_delete_insufficient_permissions(self, m):
+ self.doc1.owner = User.objects.get(username="temp_admin")
+ self.doc1.save()
+ user1 = User.objects.create(username="user1")
+ self.client.force_authenticate(user=user1)
+
+ m.return_value = "OK"
+
+ response = self.client.post(
+ "/api/documents/bulk_edit/",
+ json.dumps(
+ {
+ "documents": [self.doc1.id, self.doc2.id],
+ "method": "merge",
+ "parameters": {
+ "metadata_document_id": self.doc2.id,
+ "delete_originals": True,
+ },
+ },
+ ),
+ content_type="application/json",
+ )
+
+ self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+ m.assert_not_called()
+ self.assertEqual(response.content, b"Insufficient permissions")
+
+ response = self.client.post(
+ "/api/documents/bulk_edit/",
+ json.dumps(
+ {
+ "documents": [self.doc2.id, self.doc3.id],
+ "method": "merge",
+ "parameters": {
+ "metadata_document_id": self.doc2.id,
+ "delete_originals": True,
+ },
+ },
+ ),
+ content_type="application/json",
+ )
+
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ m.assert_called_once()
+
 @mock.patch("documents.serialisers.bulk_edit.split")
 def test_split(self, m):
 m.return_value = "OK"
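Review bot: The 403 assertion in `test_merge_and_delete_insufficient_permissions` does not show that the denial is caused by `"delete_originals": True`. `user1` is created with no permissions and `doc1` is owned by `temp_admin`, so the same request would presumably also be rejected by the ordinary merge permission check with the flag off (the view is not visible in this patch, so this is inferred). To pin the stricter ownership rule, first give `user1` change access to `doc1`, then assert that the merge is accepted without deletion and forbidden with it. In the allowed case `m.assert_called_once()` leaves the call arguments unchecked; following the neighbouring test, add `args, kwargs = m.call_args` and `self.assertCountEqual(args[0], [self.doc2.id, self.doc3.id])`.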