From ee05ee79ba061ccf841cd8d81eecf665dcfd1e50 Mon Sep 17 00:00:00 2001
From: Christian Cueni <christian.cueni@iterativ.ch>
Date: Tue, 9 Nov 2021 09:09:27 +0100
Subject: [PATCH] Fix PHEP-7 (user can add room entry at other school)

---
 server/rooms/mutations.py                     | 35 ++++++++++++-------
 .../rooms/tests/test_room_entry_mutations.py  |  3 +-
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/server/rooms/mutations.py b/server/rooms/mutations.py
index 91401fc5..6c4f9d37 100644
--- a/server/rooms/mutations.py
+++ b/server/rooms/mutations.py
@@ -85,12 +85,26 @@ class MutateRoomEntry(relay.ClientIDMutation):
     @classmethod
     def mutate_and_get_payload(cls, root, info, **kwargs):
         room_entry_data = kwargs.get('room_entry')
+        room = None
 
         if room_entry_data.get('room') is not None:
-            room_entry_data['room'] = get_object(Room, room_entry_data.get('room')).id
+            room = get_object(Room, room_entry_data.get('room'))
+            room_entry_data['room'] = room.id
 
         if room_entry_data.get('id') is not None:
-            # update path
+            serializer = cls.update_path(info, room_entry_data)
+        else:
+            serializer = cls.add_path(info, room_entry_data, room)
+
+        if serializer.is_valid():
+            serializer.save()
+
+            return cls(room_entry=serializer.instance)
+
+        return cls(room_entry=None, errors=['{}: {}'.format(key, value) for key, value in serializer.errors.items()])
+
+    @classmethod
+    def update_path(cls, info, room_entry_data):
             instance = get_object(RoomEntry, room_entry_data.get('id'))
 
             if not instance.room.school_class.is_user_in_schoolclass(info.context.user):
@@ -99,18 +113,16 @@ class MutateRoomEntry(relay.ClientIDMutation):
             if instance.author.pk != info.context.user.pk:
                 raise Exception('You are not the author')
 
-            serializer = RoomEntrySerializer(instance, data=room_entry_data, partial=True)
-        else:
-            # add path
-            room_entry_data['author'] = info.context.user.pk
-            serializer = RoomEntrySerializer(data=room_entry_data)
+            return RoomEntrySerializer(instance, data=room_entry_data, partial=True)
 
-        if serializer.is_valid():
-            serializer.save()
+    @classmethod
+    def add_path(cls, info, room_entry_data, room):
 
-            return cls(room_entry=serializer.instance)
+        if not room or not room.school_class.is_user_in_schoolclass(info.context.user):
+            raise PermissionDenied('You are in the wrong class')
 
-        return cls(room_entry=None, errors=['{}: {}'.format(key, value) for key, value in serializer.errors.items()])
+        room_entry_data['author'] = info.context.user.pk
+        return RoomEntrySerializer(data=room_entry_data)
 
 
 class AddRoomEntry(MutateRoomEntry):
@@ -165,7 +177,6 @@ class UpdateRoomVisibility(relay.ClientIDMutation):
         return cls(success=True, room=room)
 
 
-
 class AddComment(relay.ClientIDMutation):
     class Input:
         comment = graphene.String(required=True)
diff --git a/server/rooms/tests/test_room_entry_mutations.py b/server/rooms/tests/test_room_entry_mutations.py
index e7b9f426..76128b68 100644
--- a/server/rooms/tests/test_room_entry_mutations.py
+++ b/server/rooms/tests/test_room_entry_mutations.py
@@ -181,4 +181,5 @@ mutation AddRoomEntry($input: AddRoomEntryInput!){
             }
         })
         self.assertIsNotNone(result.errors)
-        self.assertTrue('Permission' in result.errors)
+        self.assertTrue('message' in result.errors[0])
+        self.assertEqual(result.errors[0]['message'], 'You are in the wrong class')