Merge pull request #1869 from cvisionai/bug/1868-delete-rowprotection

fix bug in deleting row protection endpoint
cvisionai · Nov 15, 2024 · 16a0dd0 · 16a0dd0
2 parents f040ec0 + 087e60f
commit 16a0dd0
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 7 deletions.
diff --git a/api/main/rest/rowprotection.py b/api/main/rest/rowprotection.py
@@ -182,18 +182,18 @@ class RowProtectionDetailAPI(BaseDetailView):
     http_method_names = ["get", "patch", "delete"]
 
     def _delete(self, params: dict) -> dict:
-        """
-        Deletes the provided group cluster
-        """
-
-        # Grab the job cluster's object and delete it from the database
+        """Retrieve the requested Row Protection by ID"""
         qs = self.get_queryset()
+        if not qs.exists():
+            raise Http404("RowProtection does not exist")
+
         if check_acl_permission_of_children(self.request.user, qs.first()) is False:
             raise PermissionDenied(
                 "User does not have permission to delete this row protection set"
             )
 
-        obj.delete()
+        rp = qs.first()
+        rp.delete()
 
         return {"message": "RowProtection deleted successfully!", "id": params["id"]}
 

diff --git a/api/main/tests.py b/api/main/tests.py
@@ -7341,6 +7341,7 @@ def test_crud(self):
                 format="json",
             )
             assertResponse(self, resp, status.HTTP_201_CREATED)
+            engi_rp_id = resp.data["id"]
 
             # Get all row protections for engineering
             resp = self.client.get(f"/rest/RowProtections?section={section_id}")
@@ -7358,6 +7359,10 @@ def test_crud(self):
             assertResponse(self, resp, status.HTTP_200_OK)
             self.assertEqual(len(resp.data), 1)
 
+            # redshirt cannot get row protections for engineering
+            resp = self.client.get(f"/rest/RowProtections?section={section_id}")
+            assertResponse(self, resp, status.HTTP_403_FORBIDDEN)
+
             # Go back to kirk
             self.client.force_authenticate(user=self.kirk)
 
@@ -7439,8 +7444,11 @@ def test_crud(self):
             assertResponse(self, resp, status.HTTP_200_OK)
             self.assertEqual(len(resp.data), 1)
 
-            self.client.force_authenticate(user=self.kirk)
+            # redshirt cannot delete the row protection of engineering
+            resp = self.client.delete(f"/rest/RowProtection/{engi_rp_id}")
+            assertResponse(self, resp, status.HTTP_403_FORBIDDEN)
 
+            self.client.force_authenticate(user=self.kirk)
             # Add a row protection to allow the commandant to see the warp core
             resp = self.client.post(
                 f"/rest/RowProtections",
@@ -7464,3 +7472,14 @@ def test_crud(self):
             # Pull the value and make sure it was set to 0
             rp = RowProtection.objects.get(pk=rp_id)
             self.assertEqual(rp.permission, 0)
+
+            # kirk delete the row protection of engineering
+            self.client.force_authenticate(user=self.kirk)
+            resp = self.client.delete(f"/rest/RowProtection/{engi_rp_id}")
+            assertResponse(self, resp, status.HTTP_200_OK)
+
+            # Now switch to the redshirt and verify they can't see the engineering section
+            self.client.force_authenticate(user=self.red_shirt)
+            resp = self.client.get(f"/rest/Medias/{self.project.pk}")
+            assertResponse(self, resp, status.HTTP_200_OK)
+            self.assertEqual(len(resp.data), 0)