From 6fbd2917a1595008048bb427c6d03b641306aecf Mon Sep 17 00:00:00 2001
From: "robinwilliam.hundt" <robinwilliam.hundt@stud.uni-goettingen.de>
Date: Sun, 26 Nov 2017 23:44:01 +0100
Subject: [PATCH] Added currently failing tests for access-rights

Currently students and tutors have access to the /tutor/ endpoint in the browsable API. They also get at least a 200 response in the tests for the /student/ endpoint, even though they cannot access that endpoint in the browsable API.
---
 backend/core/tests/test_access_rights.py | 76 ++++++++++++++++++++++--
 backend/core/tests/test_student_page.py  |  3 +-
 2 files changed, 73 insertions(+), 6 deletions(-)

diff --git a/backend/core/tests/test_access_rights.py b/backend/core/tests/test_access_rights.py
index bd4627be..51987f53 100644
--- a/backend/core/tests/test_access_rights.py
+++ b/backend/core/tests/test_access_rights.py
@@ -3,13 +3,12 @@ from rest_framework import status
 from rest_framework.test import (APIRequestFactory, APITestCase,
                                  force_authenticate)
 
-from core.models import Reviewer
-from core.views import StudentSelfApiViewSet
+from core.views import StudentSelfApiViewSet, TutorApiViewSet
 from util.factories import GradyUserFactory
 
 
 class AccessRightsOfStudentAPIViewTests(APITestCase):
-    """ All tests that enshure that only students can see what students
+    """ All tests that ensure that only students can see what students
     should see belong here """
 
     @classmethod
@@ -24,7 +23,7 @@ class AccessRightsOfStudentAPIViewTests(APITestCase):
         self.request = self.factory.get(reverse('student_page-list'))
         self.view = StudentSelfApiViewSet.as_view({'get': 'retrieve'})
 
-    def test_unauthorized_access_denied(self):
+    def test_unauthenticated_access_denied(self):
         response = self.view(self.request)
         self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
 
@@ -42,3 +41,72 @@ class AccessRightsOfStudentAPIViewTests(APITestCase):
         force_authenticate(self.request, user=self.student.user)
         response = self.view(self.request)
         self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+
+class AccessRightsOfTutorAPIViewTests(APITestCase):
+    """ Tests to ensure that only Reviewers have access to the TutorList information"""
+    @classmethod
+    def setUpTestData(cls):
+        cls.factory = APIRequestFactory()
+        cls.user_factory = GradyUserFactory()
+
+    def setUp(self):
+        self.student = self.user_factory.make_student()
+        self.tutor = self.user_factory.make_tutor()
+        self.reviewer = self.user_factory.make_reviewer()
+        self.request = self.factory.get(reverse('tutor-list'))
+        self.view = TutorApiViewSet.as_view({'get': 'list'})
+
+    def test_unauthenticated_access_denied(self):
+        response = self.view(self.request)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+    def test_student_has_no_access(self):
+        force_authenticate(self.request, user=self.student.user)
+        response = self.view(self.request)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_tutor_has_no_access(self):
+        force_authenticate(self.request, user=self.tutor.user)
+        response = self.view(self.request)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_reviewer_has_access(self):
+        force_authenticate(self.request, user=self.reviewer.user)
+        response = self.view(self.request)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+
+class AccessRightsOfStudentReviewerAPIViewTest(APITestCase):
+    """ Tests to ensure that only Reviewers have access to the StudentReviewerApi endpoint information"""
+
+    @classmethod
+    def setUpTestData(cls):
+        cls.factory = APIRequestFactory()
+        cls.user_factory = GradyUserFactory()
+
+    def setUp(self):
+        self.student = self.user_factory.make_student()
+        self.tutor = self.user_factory.make_tutor()
+        self.reviewer = self.user_factory.make_reviewer()
+        self.request = self.factory.get(reverse('student-list'))
+        self.view = TutorApiViewSet.as_view({'get': 'list'})
+
+    def test_unauthenticated_access_denied(self):
+        response = self.view(self.request)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+    def test_student_has_no_access(self):
+        force_authenticate(self.request, user=self.student.user)
+        response = self.view(self.request)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_tutor_has_no_access(self):
+        force_authenticate(self.request, user=self.tutor.user)
+        response = self.view(self.request)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_reviewer_has_access(self):
+        force_authenticate(self.request, user=self.reviewer.user)
+        response = self.view(self.request)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
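Review bot: `AccessRightsOfStudentReviewerAPIViewTest` builds its request for `reverse('student-list')` but then dispatches it through `TutorApiViewSet.as_view({'get': 'list'})` on the following line; when a viewset is called directly like this the URL name only sets `request.path`, so all four tests in that class re-run the tutor-endpoint checks instead of exercising the student reviewer endpoint the class docstring names. The `self.view` line should use the viewset that actually serves `student-list` in `core.views` (its name is not visible in this hunk, so confirm it there) and that viewset should be imported next to `TutorApiViewSet`. Both new classes also only cover `GET`/`list`; since these are authorization tests, the same three role checks should be repeated for whatever unsafe methods the viewsets expose, otherwise a permission class that is only applied to safe methods would still pass. This hunk is self-contained.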
diff --git a/backend/core/tests/test_student_page.py b/backend/core/tests/test_student_page.py
index 166583ad..930163ad 100644
--- a/backend/core/tests/test_student_page.py
+++ b/backend/core/tests/test_student_page.py
@@ -1,5 +1,4 @@
 from django.urls import reverse
-from rest_framework import status
 from rest_framework.test import (APIRequestFactory, APITestCase,
                                  force_authenticate)
 
@@ -87,5 +86,5 @@ class StudentPageTests(APITestCase):
             self.student.submissions.first().type.full_score)
 
     # We don't want a matriculation number here
-    def test_matriculation_number_is_not_senf(self):
+    def test_matriculation_number_is_not_send(self):
         self.assertNotIn('matrikel_no', self.submission_list_first_entry)
-- 
GitLab