Fix middleware tests

2021-05-18 15:14:14 +02:00 · 2021-05-18 15:14:14 +02:00 · 9c0afffc7c
parent 861c276960
commit 9c0afffc7c
3 changed files with 20 additions and 10 deletions
--- a/server/core/utils.py
+++ b/server/core/utils.py
@ -32,9 +32,9 @@ def is_private_api_call_allowed(user, body):

    try:
        if not user.hep_id:
-            return True
+            return False
    except AttributeError:
-        return True
+        return False

    # logout, me and coupon resources are always allowed. Even if the user has no valid license
    if re.search(r"mutation\s*.*\s*logout\s*{", body_unicode) or re.search(r"query\s*.*\s*me\s*{", body_unicode) \
--- a/server/users/middleware.py
+++ b/server/users/middleware.py
@ -1,16 +1,16 @@
 import json

 from django.http import HttpResponse
-from django.utils.deprecation import MiddlewareMixin
-
 from core.utils import is_private_api_call_allowed


-class UserHasLicenseMiddleWare(MiddlewareMixin):
+def user_has_license_middleware(get_response):

-    def process_response(self, request, response):
+    def middleware(request):
        if request.path == '/api/graphql/':
            if not is_private_api_call_allowed(request.user, request.body):
                return HttpResponse(json.dumps({'errors': ['no active license']}), status=402)

-        return response
+        return get_response(request)
+
+    return middleware
--- a/server/users/tests/test_middleware.py
+++ b/server/users/tests/test_middleware.py
@ -8,7 +8,7 @@ from core.utils import is_private_api_call_allowed


 class MiddlewareTestCase(TestCase):
-    def test_user_with_license_can_see_private_api(self):
+    def test_user_without_hep_id_cannot_see_private_api(self):

        tomorrow = timezone.now() + timedelta(1)
        user = UserFactory(username='aschiman@ch.ch')
@ -16,6 +16,16 @@ class MiddlewareTestCase(TestCase):

        body = b'"{mutation {\\n addRoom}"'

+        self.assertFalse(is_private_api_call_allowed(user, body))
+
+    def test_user_with_license_can_see_private_api(self):
+
+        tomorrow = timezone.now() + timedelta(1)
+        user = UserFactory(username='aschiman@ch.ch', hep_id=23)
+        user.license_expiry_date = tomorrow.date()
+
+        body = b'"{mutation {\\n addRoom}"'
+
        self.assertTrue(is_private_api_call_allowed(user, body))

    def test_user_with_expired_license_can_see_private_api(self):
@ -39,7 +49,7 @@ class MiddlewareTestCase(TestCase):
    def test_logout_is_allowed_without_valid_license(self):

        yesterday = timezone.now() - timedelta(1)
-        user = UserFactory(username='aschiman@ch.ch')
+        user = UserFactory(username='aschiman@ch.ch', hep_id=34)
        user.license_expiry_date = yesterday.date()

        body = b'"{mutation { logout  {"'
@ -49,7 +59,7 @@ class MiddlewareTestCase(TestCase):
    def test_me_query_is_allowed_without_valid_license(self):

        yesterday = timezone.now() - timedelta(1)
-        user = UserFactory(username='aschiman@ch.ch')
+        user = UserFactory(username='aschiman@ch.ch', hep_id=34)
        user.license_expiry_date = yesterday

        body = b'"{query { me  {"'