def test_update_forbidden_condition(self):
    """
    Ensure a user cannot update another's condition

    A second patient owns the condition; the authenticated test client
    tries to PUT a new payload to it and must get 403.
    """
    other_patient = Patient.objects.create(email='*****@*****.**')
    original_payload = {
        'name': 'Condition 2',
        'description': 'Some other description',
        'date_of_diagnosis': '2017-12-20',
        'background_subtype': 3,
    }
    # Persist through the serializer so the row belongs to the other patient.
    creator = ConditionSerializer(data=original_payload)
    creator.is_valid()
    foreign_condition = creator.save(patient=other_patient)

    update_payload = dict(
        original_payload,
        description='Some updated description',
        date_of_diagnosis='2017-01-18',
    )
    target_url = reverse(
        'condition', kwargs={'condition_id': foreign_condition.id})
    response = self.client.put(target_url, update_payload)
    self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
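def post(self, request):
    """
    Creates new condition for a user and returns it

    The new Condition is attached to the Patient whose email matches the
    authenticated user. Responses:
      201 with the serialized condition on success,
      400 with the serializer errors when the payload is invalid,
      403 when no Patient row exists for the caller (previously an
          uncaught Patient.DoesNotExist, i.e. a 500).
    """
    serializer = ConditionSerializer(data=request.data)
    if not serializer.is_valid():
        res = standard_response(errors=serializer.errors)
        return Response(res, status=status.HTTP_400_BAD_REQUEST)

    # Authenticated users that are not patients (e.g. medics) have no
    # Patient row; refuse instead of crashing.
    try:
        patient = Patient.objects.get(email=request.user.email)
    except Patient.DoesNotExist:
        res = standard_response(
            errors={'forbidden': 'Only patients can create conditions'})
        return Response(res, status=status.HTTP_403_FORBIDDEN)

    serializer.save(patient=patient)
    res = standard_response(data=serializer.data)
    return Response(res, status=status.HTTP_201_CREATED)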
def setUp(self):
    """
    Create an authenticated patient owning one condition.

    Sets self.user, self.token, self.client (already authenticated with
    the token) and self.url, the detail URL of the seeded condition.
    """
    self.user = Patient.objects.create(email='*****@*****.**')
    self.token = Token.objects.get(user=self.user)
    self.client = APIClient()
    authenticate(self.client, self.token.key)

    seed_payload = {
        'name': 'Condition 1',
        'description': 'Some description',
        'date_of_diagnosis': '2017-01-18',
        'background_subtype': 2,
    }
    seed_serializer = ConditionSerializer(data=seed_payload)
    seed_serializer.is_valid()
    seeded = seed_serializer.save(patient=self.user)
    self.url = reverse('condition', kwargs={'condition_id': seeded.id})
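def put(self, request, condition_id):
    """
    Update one of the authenticated patient's own conditions.

    Ownership is enforced by looking the condition up with the caller's
    Patient row as a filter; a condition that does not exist or belongs to
    someone else yields the same 403 so neither case leaks information.
    Responses: 200 with the updated condition, 400 with serializer errors,
    403 when the caller is not a patient or not the owner.
    """
    try:
        patient = Patient.objects.get(email=request.user.email)
        # Filter on the resolved Patient (as the GET view does) rather than
        # on request.user, so both views apply the same ownership check.
        condition = Condition.objects.get(id=condition_id, patient=patient)
    except (Patient.DoesNotExist, Condition.DoesNotExist):
        # Patient.DoesNotExist previously escaped as a 500 for non-patient users.
        res = standard_response(
            errors={
                'forbidden': 'You are not the owner of this condition'
            })
        return Response(res, status=status.HTTP_403_FORBIDDEN)

    serializer = ConditionSerializer(condition, data=request.data)
    if not serializer.is_valid():
        res = standard_response(errors=serializer.errors)
        return Response(res, status=status.HTTP_400_BAD_REQUEST)

    serializer.save(patient=patient)
    res = standard_response(data=serializer.data)
    return Response(res)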
def test_delete_forbidden_condition(self):
    """
    Ensure a condition cannot be deleted by a user different from the owner

    A condition owned by a second patient is targeted with DELETE by the
    authenticated client; the expected outcome is 403.
    """
    other_patient = Patient.objects.create(email='*****@*****.**')
    payload = {
        'name': 'Condition 2',
        'description': 'Some other description',
        'date_of_diagnosis': '2017-12-20',
        'background_subtype': 3,
    }
    creator = ConditionSerializer(data=payload)
    creator.is_valid()
    foreign_condition = creator.save(patient=other_patient)

    target_url = reverse(
        'condition', kwargs={'condition_id': foreign_condition.id})
    response = self.client.delete(target_url)
    self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
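def get(self, request, condition_id):
    """
    Retrieve one of the authenticated patient's own conditions.

    The lookup is filtered by the caller's Patient row, so a condition
    belonging to another patient (or a nonexistent id) is reported as 403
    without revealing whether the id exists. A caller without a Patient row
    also gets 403 instead of the uncaught Patient.DoesNotExist the original
    produced.
    """
    try:
        patient = Patient.objects.get(email=request.user.email)
        condition = Condition.objects.get(id=condition_id, patient=patient)
    except (Patient.DoesNotExist, Condition.DoesNotExist):
        res = standard_response(
            errors={
                'forbidden': 'You are not the owner of this condition'
            })
        return Response(res, status=status.HTTP_403_FORBIDDEN)

    res = standard_response(data=ConditionSerializer(condition).data)
    return Response(res)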
def test_create_condition(self):
    """
    Ensure it can create a new condition object.

    POSTs a payload to self.url and checks both the 201 status and that the
    response body matches the serialized form of the newest condition of
    the test user.
    """
    payload = {
        'name': 'Diabetes',
        'description': 'Diabetes type 2',
        'date_of_diagnosis': '2017-01-18',
        'background_subtype': 2,
    }
    response = self.client.post(self.url, payload)
    newest = self.user.conditions.last()

    self.assertEqual(response.status_code, status.HTTP_201_CREATED)
    expected_body = ConditionSerializer(newest).data
    self.assertEqual(expected_body, response.data['data'])
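def get(self, request):
    """
    Return a list of all conditions of patient

    Without a ``patient_id`` query parameter the caller's own conditions are
    listed. With one, the caller must be a Medic linked to that patient via
    a PatientMedic row; otherwise 404 is returned. The original only caught
    PatientMedic.DoesNotExist, so a non-medic caller (Medic.DoesNotExist) or
    a non-numeric ``patient_id`` (ValueError from the id filter) became a
    500; both now yield the same 404 so nothing about the patient's
    existence is leaked.
    """
    user = request.user
    if 'patient_id' in request.query_params:
        patient_id = request.query_params['patient_id']
        try:
            medic = Medic.objects.get(email=request.user.email)
            patient_medic = PatientMedic.objects.get(
                medic=medic, patient__id=patient_id)
        except (Medic.DoesNotExist, PatientMedic.DoesNotExist, ValueError):
            res = standard_response(
                errors={
                    'patient': 'This user has no access to the patient\'s information'
                })
            return Response(res, status=status.HTTP_404_NOT_FOUND)
        user = patient_medic.patient

    # NOTE(review): a Medic calling without patient_id reaches this filter
    # with a non-Patient user; whether that query is valid depends on the
    # model hierarchy, which is not visible here — verify against the models.
    patient_conditions = Condition.objects.filter(
        patient=user).order_by('-date_of_diagnosis')
    conditions = ConditionSerializer(patient_conditions, many=True)
    res = standard_response(data=conditions.data)
    return Response(res)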
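def test_retrieve_forbidden_condition(self):
    """
    Ensure it can only retrieve own conditions

    The condition belongs to a second patient; the authenticated client must
    get 403 when fetching it. The URL is built from the saved condition's
    real id instead of the hard-coded ``2`` the original used, which depends
    on the database's id sequence and breaks when ids are not reset between
    tests (the sibling forbidden-update/delete tests already do this).
    """
    another_user = Patient.objects.create(email='*****@*****.**')
    dummy_condition = {
        'name': 'Condition 2',
        'description': 'Some other description',
        'date_of_diagnosis': '2017-12-20',
        'background_subtype': 3,
    }
    serializer = ConditionSerializer(data=dummy_condition)
    serializer.is_valid()
    condition = serializer.save(patient=another_user)

    response = self.client.get(
        reverse('condition', kwargs={'condition_id': condition.id}))
    self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)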