#280 Add tests for anonymous user to download attachment

martinmacko47 · Apr 27, 2022 · d85f9b2 · d85f9b2
1 parent fd1704c
commit d85f9b2
Showing 1 changed file with 83 additions and 12 deletions.
diff --git a/chcemvediet/apps/inforequests/tests/test_views/test_attachments.py b/chcemvediet/apps/inforequests/tests/test_views/test_attachments.py
@@ -2,10 +2,10 @@
 # -*- coding: utf-8 -*-
 import json
 import datetime
-import unittest
 
 from django.core.files.base import ContentFile
 from django.http import JsonResponse
+from django.test import Client
 
 from poleno.attachments.models import Attachment
 from poleno.utils.date import utc_now
@@ -88,16 +88,14 @@ def test_allowed_http_methods(self):
         allowed = [u'HEAD', u'GET']
         self.assert_allowed_http_methods(allowed, url)
 
-    @unittest.skip(u'FIXME')
-    def test_anonymous_user_gets_403_forbidden(self):
+    def test_anonymous_user_gets_404_not_found(self):
         self._login_user()
         attachment = self._create_attachment()
-        self._logout_user()
 
+        client2 = Client()
         url = reverse(u'inforequests:download_attachment', args=(attachment.pk,))
-
-        response = self.client.get(url)
-        self.assertEqual(response.status_code, 403)
+        response = client2.get(url)
+        self.assertEqual(response.status_code, 404)
 
     def test_authenticated_user_gets_200_ok(self):
         self._login_user()
@@ -114,6 +112,42 @@ def test_invalid_attachment_returns_404_not_found(self):
         response = self.client.get(url)
         self.assertEqual(response.status_code, 404)
 
+    def test_attachment_assigned_to_action_of_published_and_non_anonymized_inforequest_returns_to_anonymous_user_200_ok(self):
+        self._login_user(self.user1)
+        self.user1.profile.anonymize_inforequests = False
+        self.user1.profile.save()
+        _, _, (request,) = self._create_inforequest_scenario(self.user1, dict(published=True))
+        attachment = self._create_attachment(generic_object=request)
+
+        client2 = Client()
+        url = reverse(u'inforequests:download_attachment', args=(attachment.pk,))
+        response = client2.get(url)
+        self.assertEqual(response.status_code, 200)
+
+    def test_attachment_assigned_to_action_of_non_published_or_anonymized_inforequest_returns_to_anonymous_user_404_not_found(self):
+        self._login_user(self.user1)
+        self.user1.profile.anonymize_inforequests = False
+        self.user1.profile.save()
+        _, _, (request1,) = self._create_inforequest_scenario(self.user1, dict(published=False))
+        self.user1.profile.anonymize_inforequests = True
+        self.user1.profile.save()
+        _, _, (request2,) = self._create_inforequest_scenario(self.user1, dict(published=True))
+        _, _, (request3,) = self._create_inforequest_scenario(self.user1, dict(published=False))
+        attachment1 = self._create_attachment(generic_object=request1)
+        attachment2 = self._create_attachment(generic_object=request2)
+        attachment3 = self._create_attachment(generic_object=request3)
+
+        client2 = Client()
+        url1 = reverse(u'inforequests:download_attachment', args=(attachment1.pk,))
+        url2 = reverse(u'inforequests:download_attachment', args=(attachment2.pk,))
+        url3 = reverse(u'inforequests:download_attachment', args=(attachment3.pk,))
+        response1 = client2.get(url1)
+        response2 = client2.get(url2)
+        response3 = client2.get(url3)
+        self.assertEqual(response1.status_code, 404)
+        self.assertEqual(response2.status_code, 404)
+        self.assertEqual(response3.status_code, 404)
+
     def test_attachment_owned_by_user_returns_404_not_found(self):
         self._login_user(self.user1)
         attachment = self._create_attachment(generic_object=self.user1)
@@ -122,16 +156,15 @@ def test_attachment_owned_by_user_returns_404_not_found(self):
         response = self.client.get(url)
         self.assertEqual(response.status_code, 404)
 
-    @unittest.skip(u'FIXME')
     def test_attachment_owned_by_another_session_returns_404_not_found(self):
-        self._login_user()
+        self._login_user(self.user)
         attachment = self._create_attachment()
-        self._logout_user()
 
-        self._login_user()
+        client2 = Client()
+        client2.login(username=self.user.username, password=u'default_testing_secret')
         url = reverse(u'inforequests:download_attachment', args=(attachment.pk,))
 
-        response = self.client.get(url)
+        response = client2.get(url)
         self.assertEqual(response.status_code, 404)
 
     def test_attachment_owned_by_session_returns_200_ok(self):
@@ -180,6 +213,44 @@ def test_attachment_assigned_to_inforequest_draft_owned_by_user_returns_200_ok(s
         response = self.client.get(url)
         self.assertEqual(response.status_code, 200)
 
+    def test_attachment_assigned_to_action_of_published_and_non_anonymized_inforequest_owned_by_another_user_returns_200_ok(self):
+        self._login_user(self.user1)
+        self.user1.profile.anonymize_inforequests = False
+        self.user1.profile.save()
+        _, _, (request,) = self._create_inforequest_scenario(self.user1, dict(published=True))
+        attachment = self._create_attachment(generic_object=request)
+
+        client2 = Client()
+        client2.login(username=self.user2.username, password=u'default_testing_secret')
+        url = reverse(u'inforequests:download_attachment', args=(attachment.pk,))
+        response = client2.get(url)
+        self.assertEqual(response.status_code, 200)
+
+    def test_attachment_assigned_to_action_of_non_published_or_anonymized_inforequest_owned_by_another_user_returns_404_not_found(self):
+        self._login_user(self.user1)
+        self.user1.profile.anonymize_inforequests = False
+        self.user1.profile.save()
+        _, _, (request1,) = self._create_inforequest_scenario(self.user1, dict(published=False))
+        self.user1.profile.anonymize_inforequests = True
+        self.user1.profile.save()
+        _, _, (request2,) = self._create_inforequest_scenario(self.user1, dict(published=True))
+        _, _, (request3,) = self._create_inforequest_scenario(self.user1, dict(published=False))
+        attachment1 = self._create_attachment(generic_object=request1)
+        attachment2 = self._create_attachment(generic_object=request2)
+        attachment3 = self._create_attachment(generic_object=request3)
+
+        client2 = Client()
+        client2.login(username=self.user2.username, password=u'default_testing_secret')
+        url1 = reverse(u'inforequests:download_attachment', args=(attachment1.pk,))
+        url2 = reverse(u'inforequests:download_attachment', args=(attachment2.pk,))
+        url3 = reverse(u'inforequests:download_attachment', args=(attachment3.pk,))
+        response1 = client2.get(url1)
+        response2 = client2.get(url2)
+        response3 = client2.get(url3)
+        self.assertEqual(response1.status_code, 404)
+        self.assertEqual(response2.status_code, 404)
+        self.assertEqual(response3.status_code, 404)
+
     def test_attachment_assigned_to_action_of_inforequest_owned_by_another_user_returns_404_not_found(self):
         self._login_user(self.user1)
         _, _, (request,) = self._create_inforequest_scenario(self.user2)