diff options
Diffstat (limited to 'tests/activities/views')
-rw-r--r-- | tests/activities/views/test_posts.py | 44 |
1 files changed, 43 insertions, 1 deletions
diff --git a/tests/activities/views/test_posts.py b/tests/activities/views/test_posts.py index b04c30f..c73dcd6 100644 --- a/tests/activities/views/test_posts.py +++ b/tests/activities/views/test_posts.py @@ -2,8 +2,10 @@ import re import mock import pytest +from django.core.exceptions import PermissionDenied -from activities.views.posts import Compose +from activities.models import Post +from activities.views.posts import Compose, Delete @pytest.mark.django_db @@ -22,3 +24,43 @@ def test_content_warning_text(identity, user, rf, config_system): assert re.search( r"<label.*>\s*Content Summary\s*</label>", content, flags=re.MULTILINE ) + + +@pytest.mark.django_db +def test_post_delete_security(identity, user, rf, other_identity): + # Create post + other_post = Post.objects.create( + content="<p>OTHER POST!</p>", + author=other_identity, + local=True, + visibility=Post.Visibilities.public, + ) + + request = rf.post(other_post.get_absolute_url() + "delete/") + request.user = user + request.identity = identity + + view = Delete.as_view() + with pytest.raises(PermissionDenied) as ex: + view(request, handle=other_identity.handle.lstrip("@"), post_id=other_post.id) + assert str(ex.value) == "Post author is not requestor" + + +@pytest.mark.django_db +def test_post_edit_security(identity, user, rf, other_identity): + # Create post + other_post = Post.objects.create( + content="<p>OTHER POST!</p>", + author=other_identity, + local=True, + visibility=Post.Visibilities.public, + ) + + request = rf.get(other_post.get_absolute_url() + "edit/") + request.user = user + request.identity = identity + + view = Compose.as_view() + with pytest.raises(PermissionDenied) as ex: + view(request, handle=other_identity.handle.lstrip("@"), post_id=other_post.id) + assert str(ex.value) == "Post author is not requestor" |