Fix PHEP-7 (user can add room entry at other school)

2021-11-09 09:09:27 +01:00 · 2021-11-09 09:09:27 +01:00 · ee05ee79ba
parent 338e4cfcfc
commit ee05ee79ba
2 changed files with 25 additions and 13 deletions
--- a/server/rooms/mutations.py
+++ b/server/rooms/mutations.py
@ -85,12 +85,26 @@ class MutateRoomEntry(relay.ClientIDMutation):
    @classmethod
    def mutate_and_get_payload(cls, root, info, **kwargs):
        room_entry_data = kwargs.get('room_entry')
+        room = None

        if room_entry_data.get('room') is not None:
-            room_entry_data['room'] = get_object(Room, room_entry_data.get('room')).id
+            room = get_object(Room, room_entry_data.get('room'))
+            room_entry_data['room'] = room.id

        if room_entry_data.get('id') is not None:
-            # update path
+            serializer = cls.update_path(info, room_entry_data)
+        else:
+            serializer = cls.add_path(info, room_entry_data, room)
+
+        if serializer.is_valid():
+            serializer.save()
+
+            return cls(room_entry=serializer.instance)
+
+        return cls(room_entry=None, errors=['{}: {}'.format(key, value) for key, value in serializer.errors.items()])
+
+    @classmethod
+    def update_path(cls, info, room_entry_data):
            instance = get_object(RoomEntry, room_entry_data.get('id'))

            if not instance.room.school_class.is_user_in_schoolclass(info.context.user):
@ -99,18 +113,16 @@ class MutateRoomEntry(relay.ClientIDMutation):
            if instance.author.pk != info.context.user.pk:
                raise Exception('You are not the author')

-            serializer = RoomEntrySerializer(instance, data=room_entry_data, partial=True)
-        else:
-            # add path
-            room_entry_data['author'] = info.context.user.pk
-            serializer = RoomEntrySerializer(data=room_entry_data)
+            return RoomEntrySerializer(instance, data=room_entry_data, partial=True)

-        if serializer.is_valid():
-            serializer.save()
+    @classmethod
+    def add_path(cls, info, room_entry_data, room):

-            return cls(room_entry=serializer.instance)
+        if not room or not room.school_class.is_user_in_schoolclass(info.context.user):
+            raise PermissionDenied('You are in the wrong class')

-        return cls(room_entry=None, errors=['{}: {}'.format(key, value) for key, value in serializer.errors.items()])
+        room_entry_data['author'] = info.context.user.pk
+        return RoomEntrySerializer(data=room_entry_data)


 class AddRoomEntry(MutateRoomEntry):
@ -165,7 +177,6 @@ class UpdateRoomVisibility(relay.ClientIDMutation):
        return cls(success=True, room=room)


-
 class AddComment(relay.ClientIDMutation):
    class Input:
        comment = graphene.String(required=True)
--- a/server/rooms/tests/test_room_entry_mutations.py
+++ b/server/rooms/tests/test_room_entry_mutations.py
@ -181,4 +181,5 @@ mutation AddRoomEntry($input: AddRoomEntryInput!){
            }
        })
        self.assertIsNotNone(result.errors)
-        self.assertTrue('Permission' in result.errors)
+        self.assertTrue('message' in result.errors[0])
+        self.assertEqual(result.errors[0]['message'], 'You are in the wrong class')