def test_remove_attachment_by_referral_linked_unit_members(self, _):
"""
Other unit members who are not the author cannot remove attachments from answers to
a referral their unit is linked with.
"""
user = factories.UserFactory()
answer = factories.ReferralAnswerFactory(
state=models.ReferralAnswerState.DRAFT)
answer.referral.units.get().members.add(user)
attachment = factories.ReferralAnswerAttachmentFactory()
attachment.referral_answers.add(answer)
answer.refresh_from_db()
self.assertEqual(answer.attachments.count(), 1)
response = self.client.post(
f"/api/referralanswers/{answer.id}/remove_attachment/",
{"attachment": attachment.id},
content_type="application/json",
HTTP_AUTHORIZATION=
f"Token {Token.objects.get_or_create(user=user)[0]}",
)
self.assertEqual(response.status_code, 403)
answer.refresh_from_db()
self.assertEqual(answer.attachments.count(), 1)
def test_remove_non_linked_attachment(self, _):
"""
An appropriate error is returned when a user attempts to remove an attachment from
an answer that does not exist.
"""
user = factories.UserFactory()
nonexistent_answer_id = uuid.uuid4()
attachment = factories.ReferralAnswerAttachmentFactory()
response = self.client.post(
f"/api/referralanswers/{nonexistent_answer_id}/remove_attachment/",
{"attachment": attachment.id},
content_type="application/json",
HTTP_AUTHORIZATION=
f"Token {Token.objects.get_or_create(user=user)[0]}",
)
self.assertEqual(response.status_code, 404)
def test_remove_attachment_by_anonymous_user(self, _):
"""
Anonymous users cannot remove attachments from answers.
"""
answer = factories.ReferralAnswerFactory(
state=models.ReferralAnswerState.DRAFT)
attachment = factories.ReferralAnswerAttachmentFactory()
attachment.referral_answers.add(answer)
answer.refresh_from_db()
self.assertEqual(answer.attachments.count(), 1)
response = self.client.post(
f"/api/referralanswers/{answer.id}/remove_attachment/",
{"attachment": attachment.id},
content_type="application/json",
)
self.assertEqual(response.status_code, 401)
answer.refresh_from_db()
self.assertEqual(answer.attachments.count(), 1)
def test_remove_attachment_by_referral_linked_user(self, _):
"""
A given referral's linked user cannot remove attachments from answers to their referral.
"""
answer = factories.ReferralAnswerFactory(
state=models.ReferralAnswerState.DRAFT)
user = answer.referral.users.first()
attachment = factories.ReferralAnswerAttachmentFactory()
attachment.referral_answers.add(answer)
answer.refresh_from_db()
self.assertEqual(answer.attachments.count(), 1)
response = self.client.post(
f"/api/referralanswers/{answer.id}/remove_attachment/",
{"attachment": attachment.id},
content_type="application/json",
HTTP_AUTHORIZATION=
f"Token {Token.objects.get_or_create(user=user)[0]}",
)
self.assertEqual(response.status_code, 403)
answer.refresh_from_db()
self.assertEqual(answer.attachments.count(), 1)
def test_remove_attachment_by_random_logged_in_user(self, _):
"""
Random logged-in users cannot remove attachments from answers they did not author.
"""
user = factories.UserFactory()
answer = factories.ReferralAnswerFactory(
state=models.ReferralAnswerState.DRAFT)
attachment = factories.ReferralAnswerAttachmentFactory()
attachment.referral_answers.add(answer)
answer.refresh_from_db()
self.assertEqual(answer.attachments.count(), 1)
response = self.client.post(
f"/api/referralanswers/{answer.id}/remove_attachment/",
{"attachment": attachment.id},
content_type="application/json",
HTTP_AUTHORIZATION=
f"Token {Token.objects.get_or_create(user=user)[0]}",
)
self.assertEqual(response.status_code, 403)
answer.refresh_from_db()
self.assertEqual(answer.attachments.count(), 1)