tests/activities/views/test_posts.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

import pytest
from django.core.exceptions import PermissionDenied

from activities.models import Post
from activities.views.posts import Delete


@pytest.mark.django_db
def test_post_delete_security(identity, user, rf, other_identity):
    # Create post
    other_post = Post.objects.create(
        content="<p>OTHER POST!</p>",
        author=other_identity,
        local=True,
        visibility=Post.Visibilities.public,
    )

    request = rf.post(other_post.get_absolute_url() + "delete/")
    request.user = user
    request.identity = identity

    view = Delete.as_view()
    with pytest.raises(PermissionDenied) as ex:
        view(request, handle=other_identity.handle.lstrip("@"), post_id=other_post.id)
    assert str(ex.value) == "Post author is not requestor"