fix api get for non-unique slugs across users

mataroa-blog · Oct 18, 2023 · 1abd88e · 1abd88e
1 parent c8080c8
commit 1abd88e
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 15 deletions.
diff --git a/main/tests/test_api.py b/main/tests/test_api.py
@@ -45,7 +45,7 @@ def test_api_key_reset_post(self):
         self.assertNotEqual(self.api_key, new_api_key)
 
 
-class APIPostListAnonTestCase(TestCase):
+class APIListAnonTestCase(TestCase):
     """Test cases for anonymous POST / GET / PATCH / DELETE on /api/posts/."""
 
     def test_posts_get(self):
@@ -65,7 +65,7 @@ def test_posts_delete(self):
         self.assertEqual(response.status_code, 405)
 
 
-class APIPostAnonTestCase(TestCase):
+class APISingleAnonTestCase(TestCase):
     """Test cases for anonymous GET / PATCH / DELETE on /api/posts/<post-slug>/."""
 
     def setUp(self):
@@ -108,7 +108,7 @@ def test_post_delete(self):
         self.assertEqual(response.status_code, 403)
 
 
-class APIPostListPostAuthTestCase(TestCase):
+class APIListPostAuthTestCase(TestCase):
     """Test cases for auth-related POST /api/posts/ aka post creation."""
 
     def setUp(self):
@@ -138,7 +138,7 @@ def test_posts_post_good_auth(self):
         self.assertEqual(response.status_code, 400)
 
 
-class APIPostListPostTestCase(TestCase):
+class APIListPostTestCase(TestCase):
     """Test cases for POST /api/posts/ aka post creation."""
 
     def setUp(self):
@@ -251,7 +251,7 @@ def test_posts_post(self):
         models.Post.objects.all().first().delete()
 
 
-class APIPostListPatchAuthTestCase(TestCase):
+class APIListPatchAuthTestCase(TestCase):
     """Test cases for auth-related PATCH /api/posts/<post-slug>/ aka post update."""
 
     def setUp(self):
@@ -290,7 +290,7 @@ def test_post_patch_wrong_auth(self):
         self.assertEqual(response.status_code, 403)
 
 
-class APIPostListPatchTestCase(TestCase):
+class APIListPatchTestCase(TestCase):
     """Test cases for PATCH /api/posts/<post-slug>/ aka post update."""
 
     def setUp(self):
@@ -474,13 +474,13 @@ def test_post_patch_other_user_post(self):
                 "title": "Hi Bob, it's Alice",
             },
         )
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 404)
         self.assertEqual(models.Post.objects.all().count(), 1)
         self.assertEqual(models.Post.objects.all().first().title, data["title"])
         models.Post.objects.all().first().delete()
 
 
-class APIPostGetAuthTestCase(TestCase):
+class APIGetAuthTestCase(TestCase):
     """Test cases for auth-related GET /api/posts/<post-slug>/ aka post retrieve."""
 
     def setUp(self):
@@ -514,7 +514,7 @@ def test_post_get_wrong_auth(self):
         self.assertEqual(response.json(), {"ok": False, "error": "Not authorized."})
 
 
-class APIPostGetTestCase(TestCase):
+class APIGetTestCase(TestCase):
     """Test cases for GET /api/posts/<post-slug>/ aka post retrieve."""
 
     def setUp(self):
@@ -561,7 +561,7 @@ def test_post_get_nonexistent(self):
         self.assertFalse(response.json()["ok"])
 
 
-class APIPostDeleteAuthTestCase(TestCase):
+class APIDeleteAuthTestCase(TestCase):
     """Test cases for auth-related DELETE /api/posts/<post-slug>/ aka post retrieve."""
 
     def setUp(self):
@@ -600,11 +600,10 @@ def test_post_delete_other_user(self):
             reverse("api_post", args=(self.post.slug,)),
             HTTP_AUTHORIZATION=f"Bearer {user_b.api_key}",
         )
-        self.assertEqual(response.status_code, 403)
-        self.assertEqual(response.json(), {"ok": False, "error": "Not allowed."})
+        self.assertEqual(response.status_code, 404)
 
 
-class APIPostDeleteTestCase(TestCase):
+class APIDeleteTestCase(TestCase):
     """Test cases for DELETE /api/posts/<post-slug>/ aka post retrieve."""
 
     def setUp(self):
@@ -639,7 +638,7 @@ def test_post_get_nonexistent(self):
         self.assertFalse(response.json()["ok"])
 
 
-class APIPostListGetTestCase(TestCase):
+class APIListGetTestCase(TestCase):
     """Test cases for GET /api/posts/ aka post list."""
 
     def setUp(self):
@@ -690,3 +689,57 @@ def test_posts_get(self):
             },
             post_list,
         )
+
+
+class APISingleGetTestCase(TestCase):
+    """Test posts with the same slug return across different users."""
+
+    def setUp(self):
+        # user 1
+        self.user1 = models.User.objects.create(username="alice")
+        self.data = {
+            "title": "Test 1",
+            "published_at": "2021-06-01",
+        }
+        response = self.client.post(
+            reverse("api_posts"),
+            HTTP_AUTHORIZATION=f"Bearer {self.user1.api_key}",
+            content_type="application/json",
+            data=self.data,
+        )
+        self.assertEqual(response.status_code, 200)
+        # user 2, same post
+        self.user2 = models.User.objects.create(username="bob")
+        self.data = {
+            "title": "Test 1",
+            "published_at": "2021-06-02",
+        }
+        response = self.client.post(
+            reverse("api_posts"),
+            HTTP_AUTHORIZATION=f"Bearer {self.user2.api_key}",
+            content_type="application/json",
+            data=self.data,
+        )
+        self.assertEqual(response.status_code, 200)
+        # verify objects
+        self.assertEqual(models.Post.objects.all().count(), 2)
+        self.assertEqual(models.Post.objects.all()[0].slug, "test-1")
+        self.assertEqual(models.Post.objects.all()[1].slug, "test-1")
+
+    def test_get(self):
+        # user 1
+        response = self.client.get(
+            reverse("api_post", args=("test-1",)),
+            HTTP_AUTHORIZATION=f"Bearer {self.user1.api_key}",
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json()["published_at"], "2021-06-01")
+        # user 2
+        response = self.client.get(
+            reverse("api_post", args=("test-1",)),
+            HTTP_AUTHORIZATION=f"Bearer {self.user2.api_key}",
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json()["published_at"], "2021-06-02")
diff --git a/main/views/api.py b/main/views/api.py
@@ -136,7 +136,7 @@ def api_post(request, slug):
             )
 
     # get post
-    post_list = models.Post.objects.filter(slug=slug)
+    post_list = models.Post.objects.filter(slug=slug, owner=user)
     if not post_list:
         return JsonResponse({"ok": False, "error": "Not found."}, status=404)
     post = post_list.first()