Added change_is_reviewer API route

66bef095 · Thilo Wischmeyer · 6da131da · 66bef095 · 66bef095
Commit 66bef095 authored 3 years ago by Thilo Wischmeyer
--- a/core/tests/test_user_account_views.py
+++ b/core/tests/test_user_account_views.py
@@ -94,3 +94,67 @@ class TutorReviewerCanChangePasswordTests(APITestCase):
        self.client.force_authenticate(user=self.reviewer)
        res = self.client.patch(url, data)
        self.assertEqual(status.HTTP_403_FORBIDDEN, res.status_code)
+
+
+class ReviewerCanChangeCorrectorRoleTests(APITestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.user_factory = GradyUserFactory()
+
+    def setUp(self):
+        self.reviewer1 = self.user_factory.make_reviewer()
+        self.client = APIClient()
+
+    def _set_reviewer_rights(self, new_value, changing_user, user_to_change):
+        self.client.force_authenticate(user=changing_user)
+        url = f"/api/user/{user_to_change.pk}/change_is_reviewer/"
+        return self.client.patch(url, data={'is_reviewer': new_value})
+
+    def _grant_reviewer_rights(self, changing_user, user_to_change):
+        return self._set_reviewer_rights(True, changing_user, user_to_change)
+
+    def _revoke_reviewer_rights(self, changing_user, user_to_change):
+        return self._set_reviewer_rights(False, changing_user, user_to_change)
+
+    def test_reviewer_can_promote_tutor_to_reviewer(self):
+        tutor = self.user_factory.make_tutor()
+        response = self._grant_reviewer_rights(self.reviewer1, tutor)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        tutor.refresh_from_db()
+        self.assertTrue(tutor.is_reviewer())
+
+    def test_reviewer_can_demote_other_reviewer_to_tutor(self):
+        reviewer2 = self.user_factory.make_reviewer()
+        response = self._revoke_reviewer_rights(self.reviewer1, reviewer2)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        reviewer2.refresh_from_db()
+        self.assertFalse(reviewer2.is_reviewer())
+
+    def test_reviewer_cannot_promote_student_to_reviewer(self):
+        exam = make_exams(exams=[{
+                'module_reference': 'Test Exam 01',
+                'total_score': 100,
+                'pass_score': 60,
+            }])[0]
+        student = self.user_factory.make_student(exam=exam)
+        response = self._grant_reviewer_rights(self.reviewer1, student)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_student_cannot_change_access_rights(self):
+        exam = make_exams(exams=[{
+                'module_reference': 'Test Exam 01',
+                'total_score': 100,
+                'pass_score': 60,
+            }])[0]
+        student = self.user_factory.make_student(exam=exam)
+        response = self._grant_reviewer_rights(student, self.reviewer1)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_tutor_cannot_change_access_rights(self):
+        tutor = self.user_factory.make_tutor()
+        response = self._grant_reviewer_rights(tutor, self.reviewer1)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_reviewer_cannot_demote_self_to_tutor(self):
+        response = self._revoke_reviewer_rights(self.reviewer1, self.reviewer1)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
--- a/core/views/common_views.py
+++ b/core/views/common_views.py
@@ -328,6 +328,29 @@ class UserAccountViewSet(viewsets.ReadOnlyModelViewSet):
        user.save()
        return Response(status.HTTP_200_OK)

+    @action(detail=True, methods=['patch'])
+    def change_is_reviewer(self, request, *args, **kwargs):
+        changing_to_reviewer = request.data.get('is_reviewer')
+        user = self.get_object()
+        if not request.user.is_reviewer():
+            error_msg = "Only reviewers can manage access rights."
+            return Response({'Error': error_msg}, status.HTTP_403_FORBIDDEN)
+        if changing_to_reviewer is None:
+            error_msg = "You need to provide an 'is_reviewer' field"
+            return Response({'Error': error_msg}, status.HTTP_400_BAD_REQUEST)
+        if user.is_student() and changing_to_reviewer:
+            error_msg = "Cannot promote a student to reviewer."
+            return Response({'Error': error_msg}, status.HTTP_403_FORBIDDEN)
+        if user == request.user and not changing_to_reviewer:
+            error_msg = "As a reviewer, you cannot demote yourself."
+            return Response({'Error': error_msg}, status.HTTP_403_FORBIDDEN)
+        if changing_to_reviewer:
+            user.role = models.UserAccount.REVIEWER
+        else:
+            user.role = models.UserAccount.STUDENT
+        user.save()
+        return Response(status.HTTP_200_OK)
+
    @action(detail=False)
    def me(self, request):
        serializer = self.get_serializer(request.user)