def test_redaction_private_user_level(self):
team_id = self.response_params['team_id']
user = User.create(email='*****@*****.**')
own_params = dict(
self.response_params,
type=Response.USER_LEVEL_SYMBOL,
private=True,
user_id=user.uid,
)
own_private_response = Response.create(**own_params)
own_private_response.put()
other_params = dict(
self.response_params,
type=Response.USER_LEVEL_SYMBOL,
private=True,
user_id='User_other',
)
other_private_response = Response.create(**other_params)
other_private_response.put()
responses = Response.get_for_teams(user, [team_id])
self.assertEqual(len(responses), 2)
own_fetched = next(r for r in responses if r.user_id == user.uid)
other_fetched = next(r for r in responses if r.user_id != user.uid)
# Own response is not redacted, despite being private.
self.assertGreater(len(own_fetched.body), 0)
# Other's private response is redacted.
self.assertEqual(len(other_fetched.body), 0)
def test_redaction_public_team_level(self):
user = User.create(email='*****@*****.**')
team_params = dict(
self.response_params,
type=Response.TEAM_LEVEL_SYMBOL,
private=False,
)
r = Response.create(**team_params)
r.put()
responses = Response.get_for_teams(user, [team_params['team_id']])
# Not redacted.
self.assertGreater(len(responses[0].body), 0)
def test_redaction_public_user_level(self):
user = User.create(email='*****@*****.**')
user_params = dict(
self.response_params,
type=Response.USER_LEVEL_SYMBOL,
private=False,
user_id='User_foo',
)
r = Response.create(**user_params)
r.put()
responses = Response.get_for_teams(user, [user_params['team_id']])
# Not redacted, even though user doesn't own the response.
self.assertGreater(len(responses[0].body), 0)
def get(self, parent_type, rel_id):
user = self.get_current_user()
team = Team.get_by_id(rel_id)
if not team:
return self.http_not_found()
if not owns(user, team) and not has_captain_permission(user, team):
return self.http_forbidden("Only team members can get responses.")
parent_id = self.get_param('parent_id', str, None)
# We return empty dictionaries for the `body` property of some
# responses (private responses belonging to other users).
responses = Response.get_for_teams(user, [team.uid], parent_id)
self.write(responses)
def get(self, org_id):
user = self.get_current_user()
org = Organization.get_by_id(org_id)
if not org:
return self.http_not_found()
if not owns(user, org):
return self.http_forbidden()
teams = Team.query_by_organization(org_id)
team_ids = [t.uid for t in teams]
classrooms = Classroom.query_by_teams(team_ids)
cycles = Cycle.query_by_teams(team_ids)
responses = Response.get_for_teams(user, team_ids)
users = User.query_by_team(team_ids)
self.write({
'classrooms': [e.to_client_dict() for e in classrooms],
'cycles': [e.to_client_dict() for e in cycles],
'teams': [e.to_client_dict() for e in teams],
'responses': [e.to_client_dict() for e in responses],
'users': [e.to_client_dict() for e in users],
})