

Merge pull request #261 from ita-social-projects/#260-AddCheckPasswor…
…dWhenDeleteProfile

#260 add check password when delete profile
Lvyshnevska authored Oct 10, 2023
2 parents 8a3a796 + 5e4d9de commit 93486c4
Showing 2 changed files with 43 additions and 3 deletions.
34 changes: 31 additions & 3 deletions profiles/tests/test_crud_profile.py
Expand Up @@ -360,14 +360,16 @@ def test_delete_profile_unauthorized(self):
)
self.assertEqual(status.HTTP_401_UNAUTHORIZED, response.status_code)

def test_delete_profile_authorized(self):
def test_delete_profile_authorized_with_correct_password(self):
self.user.set_password("Test1234")
self.client.force_authenticate(self.user)

# del profile
response = self.client.delete(
path="/api/profiles/{profile_id}".format(
profile_id=self.profile.id
)
),
data={"password": "Test1234"},
)
self.assertEqual(204, response.status_code)

Expand All @@ -383,12 +385,38 @@ def test_delete_profile_authorized(self):
)
self.assertEqual(status.HTTP_404_NOT_FOUND, response.status_code)

def test_delete_profile_authorized_with_wrong_password(self):
self.user.set_password("Test1234")
self.client.force_authenticate(self.user)

# del profile
response = self.client.delete(
path="/api/profiles/{profile_id}".format(
profile_id=self.profile.id
),
data={"password": "Test5678"},
)
self.assertEqual(status.HTTP_400_BAD_REQUEST, response.status_code)

def test_delete_profile_authorized_without_password(self):
self.client.force_authenticate(self.user)

# del profile
response = self.client.delete(
path="/api/profiles/{profile_id}".format(
profile_id=self.profile.id
)
)
self.assertEqual(status.HTTP_400_BAD_REQUEST, response.status_code)

def test_delete_profile_of_other_user_authorized(self):
self.user.set_password("Test1234")
profile2 = ProfileStartupFactory()
self.client.force_authenticate(self.user)

response = self.client.delete(
path="/api/profiles/{profile_id}".format(profile_id=profile2.id)
path="/api/profiles/{profile_id}".format(profile_id=profile2.id),
data={"password": "Test1234"},
)
self.assertEqual(403, response.status_code)

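Review bot: The new tests call `self.user.set_password("Test1234")` (in both hunks of this file) without a following `self.user.save()`, so the new hash lives only on the in-memory instance that `force_authenticate` hands to the view; the assertions presumably pass because the view reads `user.password` from that same object, but they will start failing if the view ever reloads the user from the database. Adding `self.user.save()` after each `set_password`, or giving the user factory a known password in `setUp`, makes the fixtures match what a real request would see. Wrong and missing passwords are covered; a `data={"password": ""}` case would also pin the blank-string branch of the view's `not password` check. The enclosing test class and its `setUp` are outside the hunk.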
12 changes: 12 additions & 0 deletions profiles/views.py
@@ -1,5 +1,7 @@
import stat
import django_filters
from django.shortcuts import get_object_or_404
from django.contrib.auth.hashers import check_password
from rest_framework import status
from rest_framework.generics import (
CreateAPIView,
Expand Down Expand Up @@ -174,6 +176,16 @@ def get_serializer_class(self):
else:
return ProfileOwnerDetailEditSerializer

def destroy(self, request, *args, **kwargs):
instance = self.get_object()
user = self.request.user
password = self.request.data.get("password")
if not password or not check_password(password, user.password):
return Response(status=status.HTTP_400_BAD_REQUEST)
else:
self.perform_destroy(instance)
return Response(status=status.HTTP_204_NO_CONTENT)

def perform_destroy(self, instance):
instance.is_deleted = True
instance.save()
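Review bot: The password check in `destroy` uses the module-level `check_password(password, user.password)` where the model method `user.check_password(password)` is the idiomatic call: it wraps the same hasher check but also passes a setter that re-hashes the stored password when the configured hasher or iteration count changes, so that upgrade is lost with the bare function. The condition would read `if not password or not user.check_password(password):`, and the `else:` after the `return` can be dropped since the 400 branch has already returned. `self.request.data.get("password")` assumes a mapping body; a small serializer with a required `CharField` would reject a list or scalar JSON body and a blank string with a consistent 400 and an error detail instead of an empty body. Wrong-password attempts here are bounded only by whatever throttle the view already has, which is not visible in this hunk — if none applies, a `throttle_classes` entry for this view is worth adding so an authenticated session cannot be used to guess the account password one request at a time. The enclosing view class starts outside the hunk.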

