protect updates on room entries, add tests

server/objectives/schema.py

@@ -26,7 +26,6 @@ class ObjectiveGroupNode(DjangoObjectType):
         return self.owner is not None and self.owner.pk == info.context.user.pk
 
 
-
 class ObjectiveNode(DjangoObjectType):
     pk = graphene.Int()
 

server/rooms/mutations.py

@@ -84,14 +84,24 @@ class MutateRoomEntry(relay.ClientIDMutation):
     @classmethod
     def mutate_and_get_payload(cls, root, info, **kwargs):
         room_entry_data = kwargs.get('room_entry')
+
         if room_entry_data.get('room') is not None:
             room_entry_data['room'] = get_object(Room, room_entry_data.get('room')).id
-        room_entry_data['author'] = info.context.user.pk
 
         if room_entry_data.get('id') is not None:
+            # update path
             instance = get_object(RoomEntry, room_entry_data.get('id'))
+
+            if not instance.room.school_class.is_user_in_schoolclass(info.context.user):
+                raise Exception('You are in the wrong class')
+
+            if instance.author.pk != info.context.user.pk:
+                raise Exception('You are not the author')
+
             serializer = RoomEntrySerializer(instance, data=room_entry_data, partial=True)
         else:
+            # add path
+            room_entry_data['author'] = info.context.user.pk
             serializer = RoomEntrySerializer(data=room_entry_data)
 
         if serializer.is_valid():

server/rooms/tests/test_room_entry_mutations.py

@@ -14,7 +14,9 @@ class RoomEntryMutationsTestCase(TestCase):
     def setUp(self):
         self.user = UserFactory(username='aschi')
         self.another_user = UserFactory(username='pesche')
+        self.yet_another_user = UserFactory(username='hansueli')
         s = SchoolClassFactory(users=[self.user, self.another_user])
+        s2 = SchoolClassFactory(users=[self.yet_another_user])
         self.room_entry = RoomEntryFactory(author=self.user, room=RoomFactory(school_class=s))
 
         request = RequestFactory().get('/')
@@ -64,3 +66,73 @@ class RoomEntryMutationsTestCase(TestCase):
 
         self.assertIsNotNone(result.get('errors'))
         self.assertEqual(RoomEntry.objects.count(), 1)
+
+    def test_update_room_entry_not_owner_but_same_class(self):
+        self.assertEqual(RoomEntry.objects.count(), 1)
+        mutation = '''
+                mutation UpdateRoomEntry($input: UpdateRoomEntryInput!){
+                  updateRoomEntry(input: $input) {
+                    roomEntry {
+                      title
+                      author {
+                        firstName
+                      }
+                    }
+                    errors
+                  }
+                }
+                '''
+
+        request = RequestFactory().get('/')
+        request.user = self.another_user
+        client = Client(schema=schema, context_value=request)
+
+        new_title = 'new title, Alte!'
+
+        result = client.execute(mutation, variables={
+            'input': {
+                'roomEntry': {
+                    'id': to_global_id('RoomEntryNode', self.room_entry.pk),
+                    'title': new_title
+                }
+            }
+        })
+
+        entry = RoomEntry.objects.get(pk=self.room_entry.pk)
+        self.assertIsNotNone(result.get('errors'))
+        self.assertEqual(entry.title, self.room_entry.title)
+
+    def test_update_room_entry_not_owner_from_other_class(self):
+        self.assertEqual(RoomEntry.objects.count(), 1)
+        mutation = '''
+                mutation UpdateRoomEntry($input: UpdateRoomEntryInput!){
+                  updateRoomEntry(input: $input) {
+                    roomEntry {
+                      title
+                      author {
+                        firstName
+                      }
+                    }
+                    errors
+                  }
+                }
+                '''
+
+        request = RequestFactory().get('/')
+        request.user = self.yet_another_user
+        client = Client(schema=schema, context_value=request)
+
+        new_title = 'new title, Alte!'
+
+        result = client.execute(mutation, variables={
+            'input': {
+                'roomEntry': {
+                    'id': to_global_id('RoomEntryNode', self.room_entry.pk),
+                    'title': new_title
+                }
+            }
+        })
+
+        entry = RoomEntry.objects.get(pk=self.room_entry.pk)
+        self.assertIsNotNone(result.get('errors'))
+        self.assertEqual(entry.title, self.room_entry.title)