from graphql_relay import to_global_id from core.tests.base_test import SkillboxTestCase from portfolio.factories import ProjectFactory from portfolio.models import Project from users.factories import SchoolClassFactory from users.models import User project_query = """ query ProjectQuery($id: ID!) { project(id: $id) { id } } """ class ProjectQueryTestCase(SkillboxTestCase): def _test_direct_project_access(self, user: User, should_have_access: bool): result = self.get_client(user).execute( project_query, variables={"id": self.project1.graphql_id} ) self.assertIsNone(result.errors) if should_have_access: self.assertEqual( result.data.get("project").get("id"), self.project1.graphql_id ) else: self.assertIsNone(result.data.get("project")) def setUp(self): self.createDefault() school_class1 = SchoolClassFactory(users=[self.teacher, self.student1]) school_class2 = SchoolClassFactory(users=[self.teacher2, self.student2]) self.project1 = ProjectFactory(student=self.student1) self.project1_id = to_global_id("ProjectNode", self.project1.id) self.query = """ query ProjectsQuery { projects { ...ProjectParts } } fragment ProjectParts on ProjectNode { id title appearance description slug objectives __typename } """ def test_should_see_own_projects(self): self.assertEqual(Project.objects.count(), 1) result = self.get_client(self.student1).execute(self.query) self.assertIsNone(result.errors) self.assertEqual( result.data.get("projects")[0].get("title"), self.project1.title ) def test_should_not_see_other_projects(self): self.assertEqual(Project.objects.count(), 1) result = self.get_client(self.student2).execute(self.query) self.assertIsNone(result.errors) self.assertEqual(len(result.data.get("projects")), 0) def test_teacher_should_not_see_unfinished_projects(self): result = self.get_client().execute(self.query) self.assertIsNone(result.errors) self.assertEqual(len(result.data.get("projects")), 0) def test_teacher_should_only_see_finished_projects(self): self.project1.final = True self.project1.save() self.assertEqual(Project.objects.count(), 1) result = self.get_client().execute(self.query) self.assertIsNone(result.errors) self.assertEqual( result.data.get("projects")[0].get("title"), self.project1.title ) def test_other_teacher_should_not_see_projects(self): self.project1.final = True self.project1.save() self.assertEqual(Project.objects.count(), 1) result = self.get_client(self.teacher2).execute(self.query) self.assertIsNone(result.errors) self.assertEqual(len(result.data.get("projects")), 0) def test_class_with_two_teachers_both_can_see_project(self): # create class with two teachers school_class3 = SchoolClassFactory( users=[self.teacher, self.teacher2, self.student1] ) self.project1.final = True self.project1.save() self.assertEqual(Project.objects.count(), 1) # teacher can see project result = self.get_client(self.teacher).execute(self.query) self.assertIsNone(result.errors) self.assertEqual(len(result.data.get("projects")), 1) # teacher2 can see project result = self.get_client(self.teacher2).execute(self.query) self.assertIsNone(result.errors) self.assertEqual(len(result.data.get("projects")), 1) def test_class_with_two_teachers_direct_final_project_access(self): # create class with two teachers school_class3 = SchoolClassFactory( users=[self.teacher, self.teacher2, self.student1] ) self.project1.final = True self.project1.save() # student can access own project directly self._test_direct_project_access(self.student1, True) # teacher of student can access project, as it's final self._test_direct_project_access(self.teacher, True) # other teacher can't access project, as it's not final self._test_direct_project_access(self.teacher2, True) # non-owner can't access project self._test_direct_project_access(self.student2, False) def test_direct_project_access(self): # student can access own project directly self._test_direct_project_access(self.student1, True) # teacher can't access project, as it's not final self._test_direct_project_access(self.teacher, False) self._test_direct_project_access(self.teacher2, False) # non-owner can't access project self._test_direct_project_access(self.student2, False) def test_direct_final_project_access(self): self.project1.final = True self.project1.save() # student can access own project directly self._test_direct_project_access(self.student1, True) # teacher of student can access project, as it's final self._test_direct_project_access(self.teacher, True) # other teacher can't access project, as it's not final self._test_direct_project_access(self.teacher2, False) # non-owner can't access project self._test_direct_project_access(self.student2, False) def test_project_owner_can_view(self): query = """ query ProjectQuery($id: ID!) { project(id: $id) { id student { fullName } } } """ result = self.get_client(self.student1).execute( query, variables={"id": self.project1.graphql_id} ) self.assertEqual( result.data["project"]["student"]["fullName"], self.student1.full_name )