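def test_update_forbidden_condition(self):
    """
    Ensure a user cannot update another user's condition.

    A condition is created for a second patient and then PUT to by the
    authenticated test user (``self.client``). The API must answer 403 and,
    just as importantly, must leave the stored record untouched -- the
    status code alone does not prove the write was rejected before it was
    persisted.
    """
    another_user = Patient.objects.create(email='*****@*****.**')
    dummy_condition = {
        'name': 'Condition 2',
        'description': 'Some other description',
        'date_of_diagnosis': '2017-12-20',
        'background_subtype': 3,
    }
    serializer = ConditionSerializer(data=dummy_condition)
    # Fail loudly on bad fixture data instead of tripping save()'s assertion.
    self.assertTrue(serializer.is_valid(), serializer.errors)
    condition = serializer.save(patient=another_user)

    data = {
        'name': 'Condition 2',
        'description': 'Some updated description',
        'date_of_diagnosis': '2017-01-18',
        'background_subtype': 3,
    }
    response = self.client.put(
        reverse('condition', kwargs={'condition_id': condition.id}), data)
    self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    # The rejected request must not have modified the other user's record.
    condition.refresh_from_db()
    self.assertEqual(condition.description, 'Some other description')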
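def setUp(self):
    """
    Create an authenticated test patient owning one condition.

    Sets ``self.user``, ``self.token``, an ``APIClient`` authenticated with
    that token, ``self.condition`` (the owned record) and ``self.url`` (the
    detail endpoint for it).
    """
    self.user = Patient.objects.create(email='*****@*****.**')
    # NOTE(review): assumes a Token row is created for every new Patient
    # elsewhere (e.g. a post_save signal) -- cannot confirm from here.
    self.token = Token.objects.get(user=self.user)
    self.client = APIClient()
    authenticate(self.client, self.token.key)

    dummy_condition = {
        'name': 'Condition 1',
        'description': 'Some description',
        'date_of_diagnosis': '2017-01-18',
        'background_subtype': 2,
    }
    serializer = ConditionSerializer(data=dummy_condition)
    # Fail loudly on bad fixture data instead of tripping save()'s assertion.
    self.assertTrue(serializer.is_valid(), serializer.errors)
    # Keep the instance so tests can compare against the persisted row.
    self.condition = serializer.save(patient=self.user)
    self.url = reverse('condition', kwargs={'condition_id': self.condition.id})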
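def test_retrieve_forbidden_condition(self):
    """
    Ensure a user can only retrieve their own conditions.

    A condition is created for a second patient and requested by the
    authenticated test user; the API must answer 403 and the body must not
    carry the other user's data.
    """
    another_user = Patient.objects.create(email='*****@*****.**')
    dummy_condition = {
        'name': 'Condition 2',
        'description': 'Some other description',
        'date_of_diagnosis': '2017-12-20',
        'background_subtype': 3,
    }
    serializer = ConditionSerializer(data=dummy_condition)
    # Fail loudly on bad fixture data instead of tripping save()'s assertion.
    self.assertTrue(serializer.is_valid(), serializer.errors)
    condition = serializer.save(patient=another_user)

    # Use the real primary key rather than a hard-coded id: auto-increment
    # values are not guaranteed to restart per test (e.g. PostgreSQL
    # sequences), so a literal id could point at nothing and pass vacuously.
    response = self.client.get(
        reverse('condition', kwargs={'condition_id': condition.id}))
    self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
    self.assertNotIn(b'Some other description', response.content)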
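def test_delete_forbidden_condition(self):
    """
    Ensure a condition cannot be deleted by a user other than its owner.

    A condition is created for a second patient and DELETEd by the
    authenticated test user; the API must answer 403 and the row must still
    exist afterwards.
    """
    another_user = Patient.objects.create(email='*****@*****.**')
    dummy_condition = {
        'name': 'Condition 2',
        'description': 'Some other description',
        'date_of_diagnosis': '2017-12-20',
        'background_subtype': 3,
    }
    serializer = ConditionSerializer(data=dummy_condition)
    # Fail loudly on bad fixture data instead of tripping save()'s assertion.
    self.assertTrue(serializer.is_valid(), serializer.errors)
    condition = serializer.save(patient=another_user)

    response = self.client.delete(
        reverse('condition', kwargs={'condition_id': condition.id}))
    self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    # A 403 alone does not prove nothing was deleted; check the row survived.
    # type(condition) avoids depending on the model class being imported here.
    self.assertTrue(type(condition).objects.filter(pk=condition.pk).exists())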
def post(self, request):
    """
    Create a condition owned by the requesting user and return it.

    The owner is resolved on the server side and passed to
    ``serializer.save`` as a keyword argument, which takes precedence over
    any ``patient`` value the client may have submitted, so a caller cannot
    create a condition on behalf of another patient.

    Returns 201 with the serialized condition, or 400 with the serializer
    errors, both wrapped by ``standard_response``.
    """
    serializer = ConditionSerializer(data=request.data)
    if not serializer.is_valid():
        payload = standard_response(errors=serializer.errors)
        return Response(payload, status=status.HTTP_400_BAD_REQUEST)

    # NOTE(review): authentication/permission classes are presumably set on
    # the view class (not visible here); request.user.email assumes an
    # authenticated user. The email lookup presumably resolves the same row
    # as request.user -- TODO confirm whether Patient is the user model.
    owner = Patient.objects.get(email=request.user.email)
    serializer.save(patient=owner)
    payload = standard_response(data=serializer.data)
    return Response(payload, status=status.HTTP_201_CREATED)
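def put(self, request, condition_id):
    """
    Replace the condition ``condition_id`` if it belongs to the requesting user.

    Ownership is enforced inside the lookup (``patient=request.user``), so a
    condition owned by someone else is indistinguishable from a nonexistent
    one: both yield 403 with the same error body, which avoids leaking which
    ids exist. The owner is re-asserted on ``save``, so the request body
    cannot transfer the record to another patient.

    Returns 200 with the updated condition, 400 with validation errors, or
    403 when the condition is not owned by the caller.
    """
    # Only this lookup raises Condition.DoesNotExist; keep the try narrow so
    # unrelated failures further down are not mislabelled as ownership errors.
    try:
        condition = Condition.objects.get(id=condition_id, patient=request.user)
    except Condition.DoesNotExist:
        res = standard_response(
            errors={'forbidden': 'You are not the owner of this condition'})
        return Response(res, status=status.HTTP_403_FORBIDDEN)

    # NOTE(review): authentication/permission classes are presumably set on
    # the view class (not visible here); request.user.email assumes an
    # authenticated user. This lookup presumably resolves the same row as
    # request.user -- TODO confirm whether Patient is the user model.
    patient = Patient.objects.get(email=request.user.email)
    serializer = ConditionSerializer(condition, data=request.data)
    if not serializer.is_valid():
        res = standard_response(errors=serializer.errors)
        return Response(res, status=status.HTTP_400_BAD_REQUEST)

    serializer.save(patient=patient)
    return Response(standard_response(data=serializer.data))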