def test_employments_delete(employment: Employment, other_user: User,
other_employment: Employment):
""" Ensures admins can delete employments but non-admin employees cannot.
"""
assert employment.role == Employment.ROLE_ADMIN
user = employment.user
company = employment.company
target_employment = Employment.objects.create(company=company,
user=other_user,
role=Employment.ROLE_NORMAL)
client = APIClient()
client.force_authenticate(user)
# Part one - delete the company where the user is admin
resp = client.delete(
client.reverse('employment-detail', pk=target_employment.id))
validate_response_status_code(resp, 204)
assert not Employment.objects.filter(id=target_employment.id).exists()
# Part two - try to delete an unrelated company - this should not be allowed
resp = client.delete(
client.reverse('employment-detail', pk=other_employment.id))
validate_jsonapi_error_response(resp, expected_status_code=404)
assert Employment.objects.filter(id=other_employment.id).exists()
def test_companies_delete(employment: Employment, other_company: Company):
""" Ensures admins can delete companies but non-admin employees cannot.
"""
assert employment.role == Employment.ROLE_ADMIN
user = employment.user
company = employment.company
client = APIClient()
client.force_authenticate(user)
# Part one - delete the company where the user is admin
resp = client.delete(client.reverse('company-detail', pk=company.id))
validate_response_status_code(resp, 204)
assert not Company.objects.filter(id=company.id).exists()
# Part two - try to delete an unrelated company - this should not be allowed
resp = client.delete(client.reverse('company-detail', pk=other_company.id))
validate_jsonapi_error_response(resp, expected_status_code=403)
assert Company.objects.filter(id=other_company.id).exists()
