diff --git a/terraso_backend/apps/graphql/schema/story_maps.py b/terraso_backend/apps/graphql/schema/story_maps.py
index a1a0cc4bd..327f9fc7e 100644
--- a/terraso_backend/apps/graphql/schema/story_maps.py
+++ b/terraso_backend/apps/graphql/schema/story_maps.py
@@ -13,6 +13,8 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see https://www.gnu.org/licenses/.

+from datetime import datetime
+
 import django_filters
 import graphene
 import rules
@@ -345,11 +347,20 @@ def mutate_and_get_payload(cls, root, info, **kwargs):
 "Attempt to approve a Membership, but user has no permission",
 extra=kwargs,
 )
- raise GraphQLNotAllowedException(
+ error = GraphQLNotAllowedException(
 model_name=Membership.__name__,
 operation=MutationTypes.UPDATE,
 message="permissions_validation",
 )
+ return cls(
+ errors=[{"message": str(error)}],
+ story_map=StoryMap(
+ id="",
+ title=story_map.title,
+ created_at=datetime.now(),
+ updated_at=datetime.now(),
+ ),
+ )

 try:
 membership.membership_list.approve_membership(
diff --git a/terraso_backend/apps/story_map/permission_rules.py b/terraso_backend/apps/story_map/permission_rules.py
index c337950ed..28eb2aa71 100644
--- a/terraso_backend/apps/story_map/permission_rules.py
+++ b/terraso_backend/apps/story_map/permission_rules.py
@@ -79,8 +79,9 @@ def allowed_to_approve_story_map_membership(user, obj):
 @rules.predicate
 def allowed_to_approve_story_map_membership_with_token(user, obj):
 membership = obj.get("membership")
- request_user = user
- return request_user.id == membership.user.id
+ if not membership.user:
+ return False
+ return user.id == membership.user.id


 @rules.predicate
diff --git a/terraso_backend/tests/graphql/mutations/test_story_map_mutations.py b/terraso_backend/tests/graphql/mutations/test_story_map_mutations.py
index 9c3cf38ba..d3446ebe5 100644
--- a/terraso_backend/tests/graphql/mutations/test_story_map_mutations.py
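Review bot: The denial branch in `mutate_and_get_payload` now returns `story_map.title` to a caller that has just failed the approve-with-token permission check, so anyone holding the token while signed in as a different account learns the story map's title. If that is intended for the account-mismatch screen, record it in a comment above `return cls(`, for example `# Title is deliberately returned on denial so the client can explain the account mismatch`; otherwise return only `errors`. The `created_at`/`updated_at` values are placeholders built from naive `datetime.now()`; if the schema needs non-null values, `django.utils.timezone.now()` gives an aware timestamp, assuming the project runs with `USE_TZ` enabled. The function starts and ends outside this hunk.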
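Review bot: The new guard in `allowed_to_approve_story_map_membership_with_token` dereferences `membership.user` without first checking that `obj.get("membership")` returned something, so a missing membership would surface as an AttributeError rather than a clean denial (assuming `obj` is a plain dict). Widening the guard to `if membership is None or not membership.user:` keeps the predicate fail-closed without relying on the exception. A one-line docstring saying that the predicate denies when the membership has no linked user, and otherwise requires the requesting user to be that user, would explain why the early return exists.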
+++ b/terraso_backend/tests/graphql/mutations/test_story_map_mutations.py
@@ -459,7 +459,7 @@ def test_story_map_approve_membership_with_token_for_unregistered_user(


 def test_story_map_approve_membership_with_token_for_registered_user_fails_due_user_mismatch(
- client_query, story_map_user_memberships_approve_tokens
+ client_query, story_map_user_memberships_approve_tokens, story_maps
 ):
 token = story_map_user_memberships_approve_tokens[1]

@@ -469,6 +469,12 @@ def test_story_map_approve_membership_with_token_for_registered_user_fails_due_u
 $input: StoryMapMembershipApproveTokenMutationInput!
 ){
 approveStoryMapMembershipToken(input: $input) {
+ storyMap {
+ title
+ id
+ createdAt
+ updatedAt
+ }
 membership {
 id
 membershipStatus
@@ -485,7 +491,14 @@ def test_story_map_approve_membership_with_token_for_registered_user_fails_due_u
 )
 json_response = response.json()

+ print(json_response)
+
 assert "errors" in json_response["data"]["approveStoryMapMembershipToken"]
 error_result = json_response["data"]["approveStoryMapMembershipToken"]["errors"][0]["message"]
 json_error = json.loads(error_result)
 assert json_error[0]["code"] == "update_not_allowed"
+ assert (
+ json_response["data"]["approveStoryMapMembershipToken"]["storyMap"]["title"]
+ == story_maps[0].title
+ )
+ assert json_response["data"]["approveStoryMapMembershipToken"]["storyMap"]["id"] == ""
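Review bot: The `print(json_response)` added before the first assertion in the last hunk looks like leftover debugging output and should be dropped. The new assertions pin the title and empty id returned on the denied path, but nothing checks that no membership data comes back with them. Since the query already selects `membership`, adding `assert json_response["data"]["approveStoryMapMembershipToken"]["membership"] is None` would lock that in. The test function starts outside this hunk.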