diff --git a/main/tests/test_api.py b/main/tests/test_api.py
index ea2d0034..01ccffeb 100644
--- a/main/tests/test_api.py
+++ b/main/tests/test_api.py
@@ -45,7 +45,7 @@ def test_api_key_reset_post(self):
 self.assertNotEqual(self.api_key, new_api_key)
-class APIPostListAnonTestCase(TestCase):
+class APIListAnonTestCase(TestCase):
 """Test cases for anonymous POST / GET / PATCH / DELETE on /api/posts/."""
 def test_posts_get(self):
@@ -65,7 +65,7 @@ def test_posts_delete(self):
 self.assertEqual(response.status_code, 405)
-class APIPostAnonTestCase(TestCase):
+class APISingleAnonTestCase(TestCase):
 """Test cases for anonymous GET / PATCH / DELETE on /api/posts//."""
 def setUp(self):
@@ -108,7 +108,7 @@ def test_post_delete(self):
 self.assertEqual(response.status_code, 403)
-class APIPostListPostAuthTestCase(TestCase):
+class APIListPostAuthTestCase(TestCase):
 """Test cases for auth-related POST /api/posts/ aka post creation."""
 def setUp(self):
@@ -138,7 +138,7 @@ def test_posts_post_good_auth(self):
 self.assertEqual(response.status_code, 400)
-class APIPostListPostTestCase(TestCase):
+class APIListPostTestCase(TestCase):
 """Test cases for POST /api/posts/ aka post creation."""
 def setUp(self):
@@ -251,7 +251,7 @@ def test_posts_post(self):
 models.Post.objects.all().first().delete()
-class APIPostListPatchAuthTestCase(TestCase):
+class APIListPatchAuthTestCase(TestCase):
 """Test cases for auth-related PATCH /api/posts// aka post update."""
 def setUp(self):
@@ -290,7 +290,7 @@ def test_post_patch_wrong_auth(self):
 self.assertEqual(response.status_code, 403)
-class APIPostListPatchTestCase(TestCase):
+class APIListPatchTestCase(TestCase):
 """Test cases for PATCH /api/posts// aka post update."""
 def setUp(self):
@@ -474,13 +474,13 @@ def test_post_patch_other_user_post(self):
 "title": "Hi Bob, it's Alice",
 },
 )
- self.assertEqual(response.status_code, 403)
+ self.assertEqual(response.status_code, 404)
 self.assertEqual(models.Post.objects.all().count(), 1)
 self.assertEqual(models.Post.objects.all().first().title, data["title"])
 models.Post.objects.all().first().delete()
-class APIPostGetAuthTestCase(TestCase):
+class APIGetAuthTestCase(TestCase):
 """Test cases for auth-related GET /api/posts// aka post retrieve."""
 def setUp(self):
@@ -514,7 +514,7 @@ def test_post_get_wrong_auth(self):
 self.assertEqual(response.json(), {"ok": False, "error": "Not authorized."})
-class APIPostGetTestCase(TestCase):
+class APIGetTestCase(TestCase):
 """Test cases for GET /api/posts// aka post retrieve."""
 def setUp(self):
@@ -561,7 +561,7 @@ def test_post_get_nonexistent(self):
 self.assertFalse(response.json()["ok"])
-class APIPostDeleteAuthTestCase(TestCase):
+class APIDeleteAuthTestCase(TestCase):
 """Test cases for auth-related DELETE /api/posts// aka post retrieve."""
 def setUp(self):
@@ -600,11 +600,10 @@ def test_post_delete_other_user(self):
 reverse("api_post", args=(self.post.slug,)),
 HTTP_AUTHORIZATION=f"Bearer {user_b.api_key}",
 )
- self.assertEqual(response.status_code, 403)
- self.assertEqual(response.json(), {"ok": False, "error": "Not allowed."})
+ self.assertEqual(response.status_code, 404)
-class APIPostDeleteTestCase(TestCase):
+class APIDeleteTestCase(TestCase):
 """Test cases for DELETE /api/posts// aka post retrieve."""
 def setUp(self):
@@ -639,7 +638,7 @@ def test_post_get_nonexistent(self):
 self.assertFalse(response.json()["ok"])
-class APIPostListGetTestCase(TestCase):
+class APIListGetTestCase(TestCase):
 """Test cases for GET /api/posts/ aka post list."""
 def setUp(self):
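Review bot: In the `@@ -600` hunk, `test_post_delete_other_user` loses its response-body assertion along with the old 403, so the test no longer pins that a cross-user delete is reported exactly like a missing post; re-add `self.assertEqual(response.json(), {"ok": False, "error": "Not found."})` after the new status check, matching the body the view emits for the 404 path. The same body assertion belongs in `test_post_patch_other_user_post` in the `@@ -474` hunk, which currently checks only the status code and the unchanged title. Both test methods begin before their hunks.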
@@ -690,3 +689,57 @@ def test_posts_get(self):
 },
 post_list,
 )
+
+
+class APISingleGetTestCase(TestCase):
+ """Test posts with the same slug return across different users."""
+
+ def setUp(self):
+ # user 1
+ self.user1 = models.User.objects.create(username="alice")
+ self.data = {
+ "title": "Test 1",
+ "published_at": "2021-06-01",
+ }
+ response = self.client.post(
+ reverse("api_posts"),
+ HTTP_AUTHORIZATION=f"Bearer {self.user1.api_key}",
+ content_type="application/json",
+ data=self.data,
+ )
+ self.assertEqual(response.status_code, 200)
+ # user 2, same post
+ self.user2 = models.User.objects.create(username="bob")
+ self.data = {
+ "title": "Test 1",
+ "published_at": "2021-06-02",
+ }
+ response = self.client.post(
+ reverse("api_posts"),
+ HTTP_AUTHORIZATION=f"Bearer {self.user2.api_key}",
+ content_type="application/json",
+ data=self.data,
+ )
+ self.assertEqual(response.status_code, 200)
+ # verify objects
+ self.assertEqual(models.Post.objects.all().count(), 2)
+ self.assertEqual(models.Post.objects.all()[0].slug, "test-1")
+ self.assertEqual(models.Post.objects.all()[1].slug, "test-1")
+
+ def test_get(self):
+ # user 1
+ response = self.client.get(
+ reverse("api_post", args=("test-1",)),
+ HTTP_AUTHORIZATION=f"Bearer {self.user1.api_key}",
+ content_type="application/json",
+ )
+ self.assertEqual(response.status_code, 200)
+ self.assertEqual(response.json()["published_at"], "2021-06-01")
+ # user 2
+ response = self.client.get(
+ reverse("api_post", args=("test-1",)),
+ HTTP_AUTHORIZATION=f"Bearer {self.user2.api_key}",
+ content_type="application/json",
+ )
+ self.assertEqual(response.status_code, 200)
+ self.assertEqual(response.json()["published_at"], "2021-06-02")
diff --git a/main/views/api.py b/main/views/api.py
index 62443858..824f0807 100644
--- a/main/views/api.py
+++ b/main/views/api.py
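Review bot: The `setUp` of the new `APISingleGetTestCase` indexes an unordered queryset (`models.Post.objects.all()[0]` and `[1]`), whose row order is only defined if `Post.Meta.ordering` is set, which this diff does not show; a shape-independent check such as `self.assertEqual(models.Post.objects.filter(slug="test-1").count(), 2)` states the same invariant without depending on ordering. The class exercises only GET, whereas the `owner=user` scoping in the view also governs PATCH and DELETE, so a second method that patches or deletes `test-1` as `bob` and then asserts `alice`'s copy is untouched would pin the mutating paths against the shared-slug case too. The docstring could say what is really being tested: `"""Two users own a post with the same slug; each GET must resolve to the caller's own post."""`.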
@@ -136,7 +136,7 @@ def api_post(request, slug):
 )
 # get post
- post_list = models.Post.objects.filter(slug=slug)
+ post_list = models.Post.objects.filter(slug=slug, owner=user)
 if not post_list:
 return JsonResponse({"ok": False, "error": "Not found."}, status=404)
 post = post_list.first()
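Review bot: The `owner=user` filter is the right fix, but nothing in the hunk shows how `user` was bound; if an unauthenticated request could still reach this line with `user` as `None`, the filter would become `owner=None` and match ownerless posts, so confirm the authorization branch that closes on the `)` context line above returns early (the anonymous tests expecting 403 suggest it does). The test diff drops the old 403 / `"Not allowed."` expectation for other users' posts, so any later per-method ownership check in `api_post` is presumably now unreachable and should be removed or explicitly kept as defense in depth; `api_post` begins before this hunk and continues after it. A one-line comment would record the deliberate choice of status: `# Scope to the caller's own posts so another user's post is indistinguishable from a missing one (404, not 403).` Since the new test creates two posts with the same slug for different users and `.first()` is retained, `(owner, slug)` is evidently not enforced unique either; if one owner can hold two posts with one slug, `.first()` on an unordered queryset picks by primary key, which is worth a uniqueness constraint or at least an explicit `order_by`.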