diff --git a/HISTORY.rst b/HISTORY.rst index 101c0a2a38..65defdd65e 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -18,6 +18,8 @@ - Remove index create permission as an ACL permission for indexes. - Fix API example. +- Fix document check in via the API. GitLab issue #688. + Thanks to inam ul haq (@inam.sys) for the report. 3.2.10 (2019-11-19) =================== diff --git a/mayan/apps/checkouts/api_views.py b/mayan/apps/checkouts/api_views.py index 3207502700..c6148077ba 100644 --- a/mayan/apps/checkouts/api_views.py +++ b/mayan/apps/checkouts/api_views.py @@ -77,7 +77,7 @@ class APICheckedoutDocumentView(generics.RetrieveDestroyAPIView): def delete(self, request, *args, **kwargs): document = self.get_object().document - if document.checkout_info().user == request.user: + if document.get_check_out_info().user == request.user: AccessControlList.objects.check_access( obj=document, permissions=(permission_document_check_in,), user=request.user diff --git a/mayan/apps/checkouts/tests/mixins.py b/mayan/apps/checkouts/tests/mixins.py index 731506a8c2..745d5ce6aa 100644 --- a/mayan/apps/checkouts/tests/mixins.py +++ b/mayan/apps/checkouts/tests/mixins.py @@ -10,13 +10,7 @@ from ..models import DocumentCheckout class DocumentCheckoutsAPIViewTestMixin(object): - def _request_checkedout_document_view(self): - return self.get( - viewname='rest_api:checkedout-document-view', - kwargs={'pk': self.test_check_out.pk} - ) - - def _request_test_document_check_out_view(self): + def _request_test_document_check_out_create_api_view(self): return self.post( viewname='rest_api:checkout-document-list', data={ 'document_pk': self.test_document.pk, 
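Review bot: In `delete()` of mayan/apps/checkouts/api_views.py the ownership test looks the check-out up a second time through `document.get_check_out_info()`, although `self.get_object()` has just returned the check-out record whose `.document` is read on the line above. If that record is the same model and carries `user` itself (presumably, since `.user` is what gets compared), `check_out = self.get_object()` followed by `if check_out.user == request.user:` would base the authorization decision on the object actually fetched, and would skip a second lookup that could fail if the document is checked in between the two calls. The branch also deserves a comment such as `# Owner needs check_in; any other user needs check_in_override (forced check in)`, which the new tests imply but the view does not state. The rest of `delete()`, including the else branch, lies outside the hunk and could not be checked.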
@@ -24,7 +18,19 @@ class DocumentCheckoutsAPIViewTestMixin(object): } ) - def _request_checkout_list_view(self): + def _request_test_document_check_out_delete_api_view(self): + return self.delete( + viewname='rest_api:checkedout-document-view', + kwargs={'pk': self.test_check_out.pk} + ) + + def _request_test_document_check_out_detail_api_view(self): + return self.get( + viewname='rest_api:checkedout-document-view', + kwargs={'pk': self.test_check_out.pk} + ) + + def _request_test_document_check_out_list_api_view(self): return self.get(viewname='rest_api:checkout-document-list') diff --git a/mayan/apps/checkouts/tests/test_api.py b/mayan/apps/checkouts/tests/test_api.py index ad475f5c4d..b87af58efa 100644 --- a/mayan/apps/checkouts/tests/test_api.py +++ b/mayan/apps/checkouts/tests/test_api.py @@ -8,8 +8,8 @@ from mayan.apps.documents.tests import DocumentTestMixin from mayan.apps.documents.permissions import permission_document_view from mayan.apps.rest_api.tests import BaseAPITestCase -from ..models import DocumentCheckout from ..permissions import ( + permission_document_check_in, permission_document_check_in_override, permission_document_check_out, permission_document_check_out_detail_view ) 
@@ -22,32 +22,95 @@ class CheckoutsAPITestCase( DocumentCheckoutsAPIViewTestMixin, DocumentCheckoutTestMixin, DocumentTestMixin, BaseAPITestCase ): - def test_checkedout_document_view_no_access(self): + def test_document_check_out_create_api_view_no_permission(self): + response = self._request_test_document_check_out_create_api_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + self.assertFalse(self.test_document.is_checked_out()) + + def test_document_check_out_create_api_view_with_access(self): + self.grant_access( + obj=self.test_document, permission=permission_document_check_out + ) + + response = self._request_test_document_check_out_create_api_view() + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + + self.assertTrue(self.test_document.is_checked_out()) + + def test_document_check_out_delete_api_view_no_permission(self): self._check_out_test_document() - response = self._request_checkedout_document_view() + response = self._request_test_document_check_out_delete_api_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + self.assertTrue(self.test_document.is_checked_out()) + + def test_document_check_out_delete_api_view_with_access(self): + self._check_out_test_document() + + self.grant_access( + obj=self.test_document, permission=permission_document_check_in + ) + + response = self._request_test_document_check_out_delete_api_view() + self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) + + self.assertFalse(self.test_document.is_checked_out()) + + def test_document_check_in_forcefull_api_view_no_permission(self): + self._create_test_user() + self._check_out_test_document(user=self.test_user) + + self.grant_access( + obj=self.test_document, permission=permission_document_check_in + ) + + response = self._request_test_document_check_out_delete_api_view() + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + self.assertTrue(self.test_document.is_checked_out()) + 
+ def test_document_check_in_forcefull_api_view_with_access(self): + self._create_test_user() + self._check_out_test_document(user=self.test_user) + + self.grant_access( + obj=self.test_document, + permission=permission_document_check_in_override + ) + + response = self._request_test_document_check_out_delete_api_view() + self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) + + self.assertFalse(self.test_document.is_checked_out()) + + def test_document_check_out_detail_api_view_no_permission(self): + self._check_out_test_document() + + response = self._request_test_document_check_out_detail_api_view() self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND) - def test_checkedout_document_view_with_checkout_access(self): + def test_document_check_out_detail_api_view_with_check_out_detail_access(self): self._check_out_test_document() self.grant_access( obj=self.test_document, permission=permission_document_check_out_detail_view ) - response = self._request_checkedout_document_view() + response = self._request_test_document_check_out_detail_api_view() self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND) - def test_checkedout_document_view_with_document_access(self): + def test_document_check_out_detail_api_view_with_document_access(self): self._check_out_test_document() self.grant_access( obj=self.test_document, permission=permission_document_view ) - response = self._request_checkedout_document_view() + response = self._request_test_document_check_out_detail_api_view() self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND) - def test_checkedout_document_view_with_access(self): + def test_document_check_out_detail_api_view_with_full_access(self): self._check_out_test_document() self.grant_access( obj=self.test_document, permission=permission_document_view 
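Review bot: The new DELETE tests pin `HTTP_403_FORBIDDEN` for a caller lacking the needed permission, while the GET tests on the same `rest_api:checkedout-document-view` route pin `HTTP_404_NOT_FOUND` for callers lacking view access. In `test_document_check_in_forcefull_api_view_no_permission` the caller holds only `permission_document_check_in` on another user's check-out and receives 403, so the status code presumably tells an existing check-out pk apart from a missing one for someone who cannot read it. If that difference is intended, say so in a comment on the test; otherwise assert 404 for callers without read access and keep 403 for those who can see the object but may not check it in. Separately, `forcefull` in the two test names should read `forceful`.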
@@ -57,58 +120,48 @@ class CheckoutsAPITestCase( permission=permission_document_check_out_detail_view ) - response = self._request_checkedout_document_view() + response = self._request_test_document_check_out_detail_api_view() self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual( response.data['document']['uuid'], force_text(self.test_document.uuid) ) - def test_document_checkout_no_access(self): - response = self._request_test_document_check_out_view() - - self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - self.assertEqual(DocumentCheckout.objects.count(), 0) - - def test_document_checkout_with_access(self): - self.grant_access(permission=permission_document_check_out, obj=self.test_document) - - response = self._request_test_document_check_out_view() - self.assertEqual(response.status_code, status.HTTP_201_CREATED) - - self.assertEqual( - DocumentCheckout.objects.first().document, self.test_document - ) - - def test_checkout_list_view_no_access(self): + def test_document_check_out_list_api_view_no_permission(self): self._check_out_test_document() - response = self._request_checkout_list_view() - self.assertEqual(response.status_code, status.HTTP_200_OK) - self.assertNotContains(response=response, text=self.test_document.uuid) + response = self._request_test_document_check_out_list_api_view() + self.assertNotContains( + response=response, text=self.test_document.uuid, + status_code=status.HTTP_200_OK + ) - def test_checkout_list_view_with_document_access(self): + def test_document_check_out_list_api_view_with_document_access(self): self._check_out_test_document() self.grant_access( permission=permission_document_view, obj=self.test_document ) - response = self._request_checkout_list_view() - self.assertEqual(response.status_code, status.HTTP_200_OK) - self.assertNotContains(response=response, text=self.test_document.uuid) + response = self._request_test_document_check_out_list_api_view() + self.assertNotContains( + 
response=response, text=self.test_document.uuid, + status_code=status.HTTP_200_OK + ) - def test_checkout_list_view_with_checkout_access(self): + def test_document_check_out_list_api_view_with_check_out_detail_access(self): self._check_out_test_document() self.grant_access( obj=self.test_document, permission=permission_document_check_out_detail_view ) - response = self._request_checkout_list_view() - self.assertEqual(response.status_code, status.HTTP_200_OK) - self.assertNotContains(response=response, text=self.test_document.uuid) + response = self._request_test_document_check_out_list_api_view() + self.assertNotContains( + response=response, text=self.test_document.uuid, + status_code=status.HTTP_200_OK + ) - def test_checkout_list_view_with_access(self): + def test_document_check_out_list_api_view_with_full_access(self): self._check_out_test_document() self.grant_access( @@ -119,6 +172,8 @@ class CheckoutsAPITestCase( permission=permission_document_check_out_detail_view ) - response = self._request_checkout_list_view() - self.assertEqual(response.status_code, status.HTTP_200_OK) - self.assertContains(response=response, text=self.test_document.uuid) + response = self._request_test_document_check_out_list_api_view() + self.assertContains( + response=response, text=self.test_document.uuid, + status_code=status.HTTP_200_OK + )
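Review bot: The three negative list tests (`..._list_api_view_no_permission`, `..._with_document_access`, `..._with_check_out_detail_access`) only assert that the document UUID string is absent from the body. They would still pass if the endpoint returned the check-out entry with its other fields and with the UUID omitted or formatted differently. Because these tests guard access filtering, they should also assert that the result set is empty, for example `self.assertEqual(response.data['count'], 0)`. That line assumes the list response is a paginated payload with a `count` key, which is not visible in this diff and needs confirming.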