def test_companies_update(employment: Employment):
assert employment.role == Employment.ROLE_ADMIN
user = employment.user
company = employment.company
client = APIClient()
client.force_authenticate(user)
other_company = CompanyFactory.create()
patch_data = {
"data": {
"type": "company",
"id": str(company.id),
"attributes": {},
},
}
# Part one - update the company where the user is admin
new_name = 'new name'
updated = company.updated
assert company.name != new_name
patch_data['data']['attributes'] = {'name': new_name}
resp = client.patch(client.reverse('company-detail', pk=company.pk),
patch_data)
validate_jsonapi_detail_response(
resp,
expected_attributes=ATTRIBUTES_FULL,
expected_relationships=RELATIONSHIPS_FULL,
)
refreshed_company = Company.objects.get(id=company.id)
assert refreshed_company.name == new_name
assert refreshed_company.updated > updated
# Part two - PUT should not be allowed
resp = client.put(client.reverse('company-detail', pk=company.pk),
patch_data)
validate_jsonapi_error_response(resp, expected_status_code=405)
# Part three - updating is only allowed for admins, so it should fail after user is demoted to non-admin
employment.role = Employment.ROLE_NORMAL
employment.save()
resp = client.patch(client.reverse('company-detail', pk=company.pk),
patch_data)
validate_jsonapi_error_response(resp, expected_status_code=403)
# Part four - try to patch company where we don't have permissions
patch_data['data']['id'] = str(other_company.id)
resp = client.patch(client.reverse('company-detail', pk=other_company.pk))
validate_jsonapi_error_response(resp, expected_status_code=403)
def test_employments_update(employment: Employment, other_user: User):
""" Admins should be able to update employment info (= role) of companies where they are admins.
"""
assert employment.role == Employment.ROLE_ADMIN
user = employment.user
company = employment.company
other_employment = Employment.objects.create(company=company,
user=other_user,
role=Employment.ROLE_NORMAL)
client = APIClient()
client.force_authenticate(user)
patch_data = {
"data": {
"type": "employment",
"id": str(other_employment.id),
"attributes": {},
},
}
# Part one - update the employment, changing role to admin
updated = other_employment.updated
patch_data['data']['attributes'] = {'role': Employment.ROLE_ADMIN}
resp = client.patch(
client.reverse('employment-detail', pk=other_employment.pk),
patch_data)
validate_jsonapi_detail_response(
resp,
expected_attributes=ATTRIBUTES_FULL,
expected_relationships=RELATIONSHIPS_FULL,
)
refreshed_employment = Employment.objects.get(id=other_employment.id)
assert refreshed_employment.role == Employment.ROLE_ADMIN
assert refreshed_employment.updated > updated
# Part two - PUT should not be allowed
resp = client.put(
client.reverse('employment-detail', pk=other_employment.pk),
patch_data)
validate_jsonapi_error_response(resp, expected_status_code=405)
# Part three - updating is only allowed for admins, so it should fail after user is demoted to non-admin
employment.role = Employment.ROLE_NORMAL
employment.save()
resp = client.patch(
client.reverse('employment-detail', pk=other_employment.pk),
patch_data)
validate_jsonapi_error_response(resp, expected_status_code=403)
