def test_post_snapshot_other_users_deck(
    client: TestClient, session: db.Session, user_token, deck
):
    """A user must not be able to snapshot a deck that belongs to someone else.

    Object-level authorization check: the request carries a valid bearer
    token, but one issued to a second account created inside this test, not
    to the account supplied by ``user_token``.
    """
    # Unpacked as in the original test; neither value is used below.
    # presumably the `deck` fixture is owned by this user -- confirm in the
    # fixture definition.
    _fixture_user, _fixture_token = user_token
    # Second account: authenticated, but not the fixture user.
    _other_user, other_token = create_user_token(session)
    auth_headers = {"Authorization": f"Bearer {other_token}"}
    response = client.post(f"/v2/decks/{deck.id}/snapshot", headers=auth_headers)
    # NOTE(review): only the status code is checked; nothing here verifies
    # that no snapshot row was written before the request was rejected.
    assert response.status_code == status.HTTP_403_FORBIDDEN
def test_put_deck_others_id(client: TestClient, session: db.Session, user_token):
    """Saving a deck under an ID that belongs to another user must be refused.

    The deck ID travels in the request body, so it is chosen by the client.
    The payload is otherwise a valid deck; only the ``id`` points at a deck
    created for a different account, and the expected answer is 403.
    """
    _requester, requester_token = user_token
    # A second account owns the deck whose ID gets reused below.
    other_owner, _ = create_user_token(session)
    foreign_deck = create_deck_for_user(session, other_owner)
    payload = _valid_deck_dict(session)
    payload["id"] = foreign_deck.id
    auth_headers = {"Authorization": f"Bearer {requester_token}"}
    response = client.put("/v2/decks", json=payload, headers=auth_headers)
    # NOTE(review): the test stops at the status code; it does not re-read
    # the other user's deck to confirm it was left unmodified.
    assert response.status_code == status.HTTP_403_FORBIDDEN
def test_patch_release_non_admin(client: TestClient, session: db.Session):
    """Only admins may patch a release; an ordinary user must get 403.

    The token belongs to a freshly created user on which this test never
    sets ``is_admin``, and the patch tries to flip ``is_public`` to true.
    """
    release = Release(name="Master Set")
    session.add(release)
    session.commit()
    # presumably create_user_token yields a non-admin account by default --
    # confirm against the helper.
    _user, plain_token = create_user_token(session)
    auth_headers = {"Authorization": f"Bearer {plain_token}"}
    response = client.patch(
        f"/v2/releases/{release.stub}",
        json={"is_public": True},
        headers=auth_headers,
    )
    assert response.status_code == status.HTTP_403_FORBIDDEN
def test_post_snapshot_precon_non_public(client: TestClient, session: db.Session):
    """A preconstructed-release snapshot that is not public must be rejected.

    The caller is an admin and the deck is theirs, so the 400 is expected to
    come from request validation: the body names a preconstructed release
    but does not set ``is_public``.
    """
    admin_user, admin_token = create_user_token(session)
    admin_user.is_admin = True
    session.commit()
    precon_deck = create_deck_for_user(session, admin_user, release_stub="expansion")
    auth_headers = {"Authorization": f"Bearer {admin_token}"}
    body = {"preconstructed_release": "expansion"}
    response = client.post(
        f"/v2/decks/{precon_deck.id}/snapshot",
        json=body,
        headers=auth_headers,
    )
    assert response.status_code == status.HTTP_400_BAD_REQUEST
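def test_put_releases_bad_release(client: TestClient, session: db.Session):
    """A PUT naming an unknown release stub must still succeed.

    The request lists only ``"fake-set"``, which matches no release created
    here. The endpoint is expected to answer 200, and the one public release
    must come back with ``is_mine`` false.
    """
    master_set = Release(name="Master Set")
    master_set.is_public = True
    session.add(master_set)
    session.commit()
    # Only the token is needed; the user object is not referenced again.
    _, token = create_user_token(session)
    response = client.put(
        "/v2/releases/mine",
        json=["fake-set"],
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == status.HTTP_200_OK
    data = response.json()
    assert data[0]["stub"] == master_set.stub
    # Identity comparison: the flag must be a real JSON boolean, so a 0 or
    # other falsy stand-in does not satisfy the test.
    assert data[0]["is_mine"] is False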
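def test_get_releases_mine(client: TestClient, session: db.Session):
    """The releases list must flag which releases are in the caller's collection.

    Two public releases exist; a ``UserRelease`` row links only the first to
    the authenticated user, so only that entry may report ``is_mine`` true.
    """
    master_set = Release(name="Master Set")
    master_set.is_public = True
    session.add(master_set)
    first_expansion = Release(name="First Expansion")
    first_expansion.is_public = True
    session.add(first_expansion)
    session.commit()
    user, token = create_user_token(session)
    # Ownership is recorded for the master set only.
    session.add(UserRelease(release_id=master_set.id, user_id=user.id))
    session.commit()
    response = client.get(
        "/v2/releases",
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == status.HTTP_200_OK
    data = response.json()
    assert data[0]["stub"] == master_set.stub
    # Identity comparisons: the flags must be real JSON booleans, so 1/0 or
    # other truthy/falsy stand-ins do not satisfy the test.
    assert data[0]["is_mine"] is True
    # NOTE(review): data[1] is assumed to be the expansion; its stub is not
    # asserted here.
    assert data[1]["is_mine"] is False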
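def test_put_releases(client: TestClient, session: db.Session):
    """Replacing the caller's release collection via PUT must work.

    Starts from a user with no ``UserRelease`` rows, submits the master
    set's stub, and expects the response to mark that release, and only
    that one, as ``is_mine``.
    """
    master_set = Release(name="Master Set")
    master_set.is_public = True
    session.add(master_set)
    first_expansion = Release(name="First Expansion")
    first_expansion.is_public = True
    session.add(first_expansion)
    session.commit()
    user, token = create_user_token(session)
    # Precondition: a fresh user owns nothing, so a later true flag can only
    # come from the PUT below.
    owned_before = (
        session.query(UserRelease).filter(UserRelease.user_id == user.id).count()
    )
    assert owned_before == 0
    response = client.put(
        "/v2/releases/mine",
        json=[master_set.stub],
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == status.HTTP_200_OK
    data = response.json()
    assert data[0]["stub"] == master_set.stub
    # Identity comparisons: the flags must be real JSON booleans, so 1/0 or
    # other truthy/falsy stand-ins do not satisfy the test.
    assert data[0]["is_mine"] is True
    assert data[1]["is_mine"] is False
    # NOTE(review): only the response body is checked; the UserRelease table
    # is not re-queried after the PUT.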
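def test_post_snapshot_precon_already_exists(client: TestClient, session: db.Session):
    """A second preconstructed snapshot for the same release must be rejected.

    An admin already has a public snapshot tied to the "expansion" release;
    posting another public preconstructed snapshot for that release is
    expected to fail with 400.
    """
    admin, token = create_user_token(session)
    admin.is_admin = True
    session.commit()
    release_id = (
        session.query(Release.id).filter(Release.stub == "expansion").scalar()
    )
    # The release is looked up rather than created here (presumably seeded by
    # a fixture -- confirm). Without this guard a missing release would seed
    # the snapshot with preconstructed_release_id=None, and a 400 returned
    # for some unrelated reason would let the test pass vacuously.
    assert release_id is not None
    deck = create_deck_for_user(session, admin, release_stub="expansion")
    # Seed the pre-existing precon snapshot; the returned object is not needed.
    create_snapshot_for_deck(
        session,
        admin,
        deck,
        is_public=True,
        preconstructed_release_id=release_id,
    )
    response = client.post(
        f"/v2/decks/{deck.id}/snapshot",
        json={"preconstructed_release": "expansion", "is_public": True},
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == status.HTTP_400_BAD_REQUEST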
def user_token(decks_session):
    """Create a user in ``decks_session`` and return it with its token.

    Other tests in this file take ``user_token`` as a parameter, so this is
    presumably registered as a pytest fixture; the decorator is not visible
    here.

    Returns:
        A ``(user, token)`` pair as produced by ``create_user_token``.
    """
    account, bearer = create_user_token(decks_session)
    return account, bearer
def test_delete_deck_wrong_user(client: TestClient, session: db.Session, deck):
    """Deleting a deck with another user's credentials must be refused.

    The token is valid but belongs to an account created inside this test,
    not to whoever owns the ``deck`` fixture, so the expected answer is 403.
    """
    # presumably the `deck` fixture belongs to a different user than the one
    # created here -- confirm in the fixture definition.
    _other_user, other_token = create_user_token(session)
    auth_headers = {"Authorization": f"Bearer {other_token}"}
    response = client.delete(f"/v2/decks/{deck.id}", headers=auth_headers)
    # NOTE(review): the test does not confirm that the deck still exists
    # after the rejected request; only the status code is asserted.
    assert response.status_code == status.HTTP_403_FORBIDDEN