Add a very simplistic Pin access control for the API

As pointed in issue #75 we should get away with just checking if the pin submitter is the currently logged in user. Assuming that we can implement authorization for updating and deleting pins rather easily by subclassing DjangoAuthorization so it passes the object to the Authorization backend.
2025-11-13 16:45:41 +01:00 · 2013-03-02 17:00:58 -08:00
parent a0e11a949e
commit cf86da266a
3 changed files with 72 additions and 15 deletions
--- a/pinry/core/tests.py
+++ b/pinry/core/tests.py
@@ -37,7 +37,6 @@ class ImageResourceTest(ResourceTestCase):
        self.client = Client()

    def test_list_detail(self):
-        self.maxDiff = None
        image = Image.objects.get(pk=1)
        thumbnail = filter_generator_for('thumbnail')(image)
        standard = filter_generator_for('standard')(image)
@@ -107,28 +106,44 @@ class PinResourceTest(ResourceTestCase):
        self.assertEqual(Pin.objects.count(), 3)
        self.assertEquals(Tag.objects.count(), 4)

-    def test_put_details_unauthenticated(self):
+    def test_put_detail_unauthenticated(self):
+        self.api_client.client.logout()
        uri = '/api/v1/pin/{}/'.format(self.pin_1.pk)
        response = self.api_client.put(uri, format='json', data={})
        self.assertHttpUnauthorized(response)

-    def test_put_details_unauthorized(self):
+    def test_put_detail_unauthorized(self):
        uri = '/api/v1/pin/{}/'.format(self.pin_1.pk)
        User.objects.create_user('test', 'test@example.com', 'test')
        self.api_client.client.login(username='test', password='test')
        response = self.api_client.put(uri, format='json', data={})
        self.assertHttpUnauthorized(response)

-    # def test_put_details(self):
-    #     uri = '/api/v1/pin/{}/'.format(self.pin_1.pk)
-    #     original = self.deserialize(self.api_client.get(uri, format='json'))
-    #     new = original.copy()
-    #     new['description'] = 'Updated description'
-    #
-    #     self.assertEqual(Pin.objects.count(), 2)
-    #     response = self.api_client.put(uri, format='json', data=new)
-    #     self.assertHttpAccepted(response)
-    #     self.assertEqual(Pin.objects.count(), 2)
+    def test_put_detail(self):
+        uri = '/api/v1/pin/{}/'.format(self.pin_1.pk)
+        original = self.deserialize(self.api_client.get(uri, format='json'))
+        new = {'description': 'Updated description'}
+
+        response = self.api_client.put(uri, format='json', data=new)
+        self.assertHttpAccepted(response)
+        self.assertEqual(Pin.objects.count(), 2)
+        self.assertEqual(Pin.objects.get(pk=self.pin_1.pk).description, new['description'])
+
+    def test_delete_detail_unauthenticated(self):
+        uri = '/api/v1/pin/{}/'.format(self.pin_1.pk)
+        self.api_client.client.logout()
+        self.assertHttpUnauthorized(self.api_client.delete(uri))
+
+    def test_delete_detail_unauthorized(self):
+        uri = '/api/v1/pin/{}/'.format(self.pin_1.pk)
+        User.objects.create_user('test', 'test@example.com', 'test')
+        self.api_client.client.login(username='test', password='test')
+        self.assertHttpUnauthorized(self.api_client.delete(uri))
+
+    def test_delete_detail(self):
+        uri = '/api/v1/pin/{}/'.format(self.pin_1.pk)
+        self.assertHttpAccepted(self.api_client.delete(uri))
+        self.assertEqual(Pin.objects.count(), 1)

    def test_get_list_json_ordered(self):
        pin = Pin.objects.latest('id')