diff --git a/api/main/tests.py b/api/main/tests.py index 274389b8a..2bb489c5e 100644 --- a/api/main/tests.py +++ b/api/main/tests.py @@ -7341,6 +7341,7 @@ def test_crud(self): format="json", ) assertResponse(self, resp, status.HTTP_201_CREATED) + engi_rp_id = resp.data["id"] # Get all row protections for engineering resp = self.client.get(f"/rest/RowProtections?section={section_id}") @@ -7358,6 +7359,10 @@ def test_crud(self): assertResponse(self, resp, status.HTTP_200_OK) self.assertEqual(len(resp.data), 1) + # redshirt cannot get row protections for engineering + resp = self.client.get(f"/rest/RowProtections?section={section_id}") + assertResponse(self, resp, status.HTTP_403_FORBIDDEN) + # Go back to kirk self.client.force_authenticate(user=self.kirk) @@ -7439,8 +7444,11 @@ def test_crud(self): assertResponse(self, resp, status.HTTP_200_OK) self.assertEqual(len(resp.data), 1) - self.client.force_authenticate(user=self.kirk) + # redshirt cannot delete the row protection of engineering + resp = self.client.delete(f"/rest/RowProtection/{engi_rp_id}") + assertResponse(self, resp, status.HTTP_403_FORBIDDEN) + self.client.force_authenticate(user=self.kirk) # Add a row protection to allow the commandant to see the warp core resp = self.client.post( f"/rest/RowProtections", @@ -7464,3 +7472,14 @@ def test_crud(self): # Pull the value and make sure it was set to 0 rp = RowProtection.objects.get(pk=rp_id) self.assertEqual(rp.permission, 0) + + # kirk delete the row protection of engineering + self.client.force_authenticate(user=self.kirk) + resp = self.client.delete(f"/rest/RowProtection/{engi_rp_id}") + assertResponse(self, resp, status.HTTP_200_OK) + + # Now switch to the redshirt and verify they can't see the engineering section + self.client.force_authenticate(user=self.red_shirt) + resp = self.client.get(f"/rest/Medias/{self.project.pk}") + assertResponse(self, resp, status.HTTP_200_OK) + self.assertEqual(len(resp.data), 0)
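Review bot: The 403 check added after the `self.assertEqual(len(resp.data), 1)` assertion depends on whichever user was authenticated earlier in `test_crud`, because no `force_authenticate` call is visible in this hunk. If the preceding setup is ever reordered, this negative access-control check could end up running as a different user and fail, or pass, for the wrong reason. Make the identity explicit by adding `self.client.force_authenticate(user=self.red_shirt)` directly before the GET. The body of `test_crud` starts and ends outside this hunk, so the current user at this point is inferred from the comments only.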
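Review bot: The new redshirt DELETE check asserts only the 403 status, which does not prove the row protection survived. A view that deletes the row before its permission check rejects the caller would still pass this test. After the `assertResponse(self, resp, status.HTTP_403_FORBIDDEN)` line, add `self.assertTrue(RowProtection.objects.filter(pk=engi_rp_id).exists())`. As far as the visible hunks show, only DELETE is tested for the unprivileged user, so a matching 403 case for modifying `engi_rp_id` would close the same gap on the write path.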
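Review bot: The final `self.assertEqual(len(resp.data), 0)` only shows that access was revoked if the redshirt could see at least one media through `/rest/Medias/{self.project.pk}` immediately before kirk's delete, and this hunk does not establish that. The test adds another row protection and sets a permission to 0 earlier, so the empty list may already hold before the delete. Assert the non-empty count as the redshirt just before the delete. After kirk's 200 response, add `self.assertFalse(RowProtection.objects.filter(pk=engi_rp_id).exists())` to confirm the row is gone. The comment would also read better as `# kirk deletes the row protection of engineering`.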